T1001.001 [('APT28', 'added', 'junk data "'), ('each string', 'encoded')] T1001.001 [('a " length " value', 'give', 'Each implant'), ('a " length " value', 'created'), ('the controller software', 'track', 'a " length " value'), ('seamless communication', 'allow', 'a " length " value'), ('analysis of the command protocol on the wire', 'prevent', 'a " length " value')] T1001.001 [('BendyBear', 'used', 'byte randomization'), ('byte randomization', 'obscure', 'its behavior')] T1001.001 [('Downdelph inserts characters during encoding of C2 network requests', 'making'), ('Downdelph inserts characters during', 'write', 'signatures')] T1001.001 [('GoldMax', 'decoy', 'traffic')] T1001.001 [('P2P ZeuS', 'added', 'junk data')] T1001.001 [('PLEAD samples', 'found')] T1001.001 [('SUNBURST', 'added', 'junk bytes')] T1001.001 [('WellMess', 'use', 'junk data')] T1001.001 [('WellMass malware', 'acheive', 'Data obfuscation'), ('C2 communications ,', 'achieved'), ('characters with base64', 'replace', 'C2 communications ,'), ('ones', 'encoded')] T1001.001 [('junk data', 'obfuscate', 'Command activities'), ('which', 'target', 'America')] T1001.001 [('the aim', 'make', 'analysis of their code'), ('the aim', 'make', 'more difficult'), ('the aim', 'consuming'), ('the develepers of', 'jumble', 'their code')] T1001.002 [('APT29', 'hide', 'steganography'), ('APT29', 'hide', 'C2 communications')] T1001.002 [('Axiom', 'use', 'Some malware'), ('steganography', 'hide', 'Some malware'), ('communication in PNG image files', 'hide', 'Some malware')] T1001.002 [('Daserf', 'hide', 'steganography'), ('Daserf', 'hide', 'malicious code'), ('malicious code', 'downloaded')] T1001.002 [('the Duqu command', 'operating'), ('control', 'operating')] T1001.002 [('commands', 'control', 'HAMMERTOSS'), ('image files', 'append', 'commands')] T1001.002 [('commands', 'control', 'LightNeuron'), ('PDFs', 'embed', 'commands'), ('JPGs', 'embed', 'commands'), ('steganographic methods', 'use', 'commands')] OBJS_ commands 
T1001.002 [('RDAT', 'process', 'steganographic images'), ('steganographic images', 'attached'), ('messages', 'email'), ('steganographic images', 'send', 'C2 commands'), ('steganographic images', 'receive', 'C2 commands')] T1001.002 [('RDAT', 'embed', 'additional messages')] T1001.002 [('C2', 'sunburst'), ('C2 data', 'attempted'), ('C2 data', 'appear'), ('benign XML', 'related')] T1001.002 [('ZeroT', 'retrieved', 'stage 2 payloads'), ('Bitmap images', 'use', 'Significant Bit ( LSB ) steganography')] T1001.003 [('BADCALL', 'uses', 'a FakeTLS method')] T1001.003 [('Bankshot', 'generates', 'a false TLS handshake'), ('a false TLS handshake', 'disguise', 'a public certificate'), ('a false TLS handshake', 'disguise', 'network communications'), ('a false TLS handshake', 'disguise', 'network communications')] T1001.003 [('traffic attempts', 'evade', 'detection'), ('traffic attempts', 'resembling', 'data'), ('data', 'generated')] T1001.003 [('use code for communications', 'modified'), ('C2 servers', 'making')] T1001.003 [('FALLCHILL', 'uses', 'fake Layer Security ( TLS )')] T1001.003 [('HARDRAIN', 'uses', 'FakeTLS')] T1001.003 [('Higaisa', 'used', 'a FakeTLS session for C2 communications')] T1001.003 [('InvisiMole', 'mimic', 'HTTP protocol')] T1001.003 [('KeyBoy', 'impersonate', 'custom SSL libraries'), ('KeyBoy', 'impersonate', 'SSL')] T1001.003 [('Group malware', 'uses', 'a unique form of communication encryption'), ('Group malware', 'uses', 'a different encryption method'), ('communication encryption', 'known'), ('communication encryption', 'faketls'), ('communication encryption', 'mimics', 'TLS'), ('a different encryption method', 'evading', 'SSL man decryption attacks')] T1001.003 [('mimics HTTP protocol for C2 communication', 'hiding', 'the actual messages in the Cookie headers of the HTTP requests')] T1001.003 [('SUNBURST', 'masqueraded', 'its network traffic')] T1001.003 [('TAINTEDSCRIBE', 'used')] T1001.003 [('WellMass malware', 'obfuscates')] T1001.003 [('APT40', 
'includes', 'API keys for'), ('data', 'stolen'), ('an attempt', 'mask', 'the activity')] T1001.003 [('Winnti APT41 )', 'obfuscate', 'the Crosswalk backdoor'), ('Winnti APT41 )', 'obfuscate', 'C2 traffic'), ('which', 'abuses'), ('which abuses', 'faketls')] T1003.001 [('credential dumping', 'use', 'APT1'), ('Mimikatz', 'use', 'credential dumping')] T1003.001 [('APT28', 'deploys', 'Mimikatz )')] T1003.001 [('APT3', 'dump', 'a tool'), ('APT3', 'dump', 'credentials')] T1003.001 [('versions of to harvest credentials', 'customized')] T1003.001 [('APT33', 'dump', 'a variety of available tools like'), ('APT33', 'dump', 'credentials')] T1003.001 [('APT39', 'dump', 'Windows Credential Editor'), ('APT39', 'dump', 'credentials')] T1003.001 [('APT41', 'dump', 'the Windows Credential Editor'), ('APT41', 'dump', 'password hashes')] T1003.001 [('Blue Mockingbird', 'retrieve', 'Mimikatz'), ('Blue Mockingbird', 'retrieve', 'credentials from LSASS memory')] T1003.001 [('BRONZE BUTLER', 'perform', 'various tools ( as )'), ('BRONZE BUTLER', 'perform', 'credential dumping')] T1003.001 [('credentials', 'dump', 'Cleaver'), ('Mimikatz', 'use', 'credentials')] T1003.001 [('CozyCar', 'harvest', 'Mimikatz'), ('CozyCar', 'harvest', 'credentials'), ('credentials', 'stored')] T1003.001 [('Daserf leverages Mimikatz', 'steal', 'credentials')] T1003.001 [('password grabber modules', 'observe', 'Emotet'), ('password', 'dropping'), ('Mimikatz', 'include', 'password grabber modules')] T1003.001 [('Empire', 'contains', 'an implementation of')] T1003.001 [('FIN6', 'used', 'Windows Credential Editor')] T1003.001 [('harvests credentials', 'using', 'Invoke - Mimikatz')] T1003.001 [('Fox Kitten', 'dump', 'prodump'), ('Fox Kitten', 'dump', 'credentials')] T1003.001 [('GALLIUM', 'dump', 'a version of'), ('GALLIUM', 'dump', 'credentials'), ('a version of', 'modified')] T1003.001 [('GreyEnergy', 'has', 'a module'), ('Mimikatz', 'collect', 'Windows credentials')] T1003.001 [('HAFNIUM', 'dump', 'procdump'), 
('HAFNIUM', 'dump', 'the process memory')] T1003.001 [('SecretsDump', 'perform', 'credential dumping'), ('Mimikatz modules within', 'perform', 'credential dumping'), ('account', 'password')] T1003.001 [('Ke3chang', 'dumped', 'credentials'), ('credentials', 'including')] T1003.001 [('Kimsuky', 'dump', 'ProcDump'), ('Kimsuky', 'dump', 'credentials')] T1003.001 [('LaZagne', 'perform', 'credential dumping from memory'), ('account', 'password')] T1003.001 [('Lazarus Group', 'extract', 'Mimikatz'), ('Lazarus Group', 'extract', 'Windows Credentials of users'), ('users', 'logged'), ('passwords', 'stored')] T1003.001 [('Lazarus Group', 'capture', 'a custom version Mimikatz'), ('Lazarus Group', 'capture', 'credentials')] T1003.001 [('Leafminer', 'used', 'several tools'), ('information', 'including')] T1003.001 [('Leviathan', 'dump', 'available tools'), ('Leviathan', 'dump', 'password hashes'), ('password hashes', 'including')] T1003.001 [('Lslsass', 'dump', 'password hashes')] T1003.001 [('Magic Hound', 'stole', 'domain credentials')] T1003.001 [('Mimikatz', 'performs', 'credential dumping'), ('information useful', 'gaining', 'access to additional systems')] T1003.001 [('It', 'contains', 'functionality'), ('functionality', 'acquire', 'information about credentials in many ways'), ('many ways', 'including')] T1003.001 [('MuddyWater', 'performed', 'credential dumping with')] T1003.001 [('Net Crawler', 'extract', 'credential dumpers as'), ('Net Crawler', 'extract', 'cached credentials from Windows systems')] T1003.001 [('a version of', 'contain', 'NotPetya'), ('a version of', 'modified'), ('lateral movement', 'use', 'credentials')] T1003.001 [('OilRig', 'steal', 'dumping tools as'), ('OilRig', 'steal', 'credentials'), ('the system', 'compromised')] T1003.001 [('MimikatzLite', 'use', 'Okrum')] T1003.001 [('Olympic Destroyer', 'contains', 'a module'), ('a module', 'obtain', 'credentials from similar'), ('a module', 'obtain', 'credentials from similar')] T1003.001 [('PsExec 
Management Instrumentation', 'use', 'These credentials'), ('itself', 'propagate', 'the malware'), ('a network', 'propagate', 'the malware')] T1003.001 [('Operation Wocao', 'dump', 'ProcDump'), ('Operation Wocao', 'dump', 'credentials')] T1003.001 [('PLATINUM', 'used', 'keyloggers are'), ('keyloggers are', 'dumping', 'credentials')] T1003.001 [('PoetRAT', 'steal', 'voStro.exe'), ('PoetRAT', 'steal', 'a pypykatz ( version )'), ('PoetRAT', 'steal', 'credentials'), ('a pypykatz ( version )', 'compiled')] T1003.001 [('PoshC2', 'contains', 'an implementation of')] T1003.001 [('PowerSploit', 'contains', 'a collection of Exfiltration modules'), ('Exfiltration modules', 'harvest', 'credentials'), ('credentials', 'using', 'Mimikatz')] T1003.001 [('Pupy', 'execute', 'Lazagne as'), ('Mimikatz', 'using', 'PowerShell')] T1003.001 [('Pysa', 'perform', 'OS credential dumping'), ('OS credential dumping', 'using', 'Mimikatz')] T1003.001 [('a version of', 'modified')] T1003.001 [('Silence', 'extract', 'the Farse6.1 utility ('), ('Silence', 'extract', 'credentials'), ('the Farse6.1 utility (', 'based')] T1003.001 [('Stolen Pencil', 'gathers', 'credentials'), ('credentials', 'using', 'Mimikatz')] T1003.001 [('TEMP.Veles', 'used', 'Mimikatz'), ('TEMP.Veles', 'used', 'a custom tool SecHack')] T1003.001 [('Group-3390 actors', 'used', 'a version of'), ('a version of', 'modified'), ('a version of', 'dump', 'Wrapikatz'), ('a version of', 'dump', 'credentials'), ('a version of', 'dump', 'credentials')] T1003.001 [('They', 'dumped', 'credentials from domain controllers')] T1003.001 [('Whitefly', 'obtain', 'Mimikatz'), ('Whitefly', 'obtain', 'credentials')] T1003.001 [('Windows Credential Editor', 'dump', 'credentials')] T1003.001 [('unhooking', 'dump', 'LSASS.exe Memory'), ('unhooking', 'using', 'system calls')] T1003.001 [('LSASS.exe Memory', 'using', 'Windows Task Manager')] T1003.001 [('LSASS', 'read')] T1003.001 [('Create Mini Dump of', 'using', 'ProcDump')] T1003.001 [('DLLs', 
'imported')] T1003.002 [('Cobalt Strike', 'recover', 'hashed passwords')] T1003.002 [('CosmicDuke', 'collects', 'Windows account hashes')] T1003.002 [('harvest credentials', 'stored'), ('the victim', 'including'), ('credentials', 'used')] T1003.002 [('CrackMapExec', 'dump', 'usernames'), ('CrackMapExec', 'dump', 'hashed passwords from')] T1003.002 [('Fgdump', 'dump', 'Windows password hashes')] T1003.002 [('GALLIUM', 'dump', 'reg commands'), ('GALLIUM', 'dump', 'specific hives')] T1003.002 [('gsecdump', 'dump', 'Windows password hashes')] T1003.002 [('HOPLIGHT', 'has', 'the capability'), ('the capability', 'harvest', 'credentials'), ('the capability', 'harvest', 'passwords')] T1003.002 [('SecretsDump', 'perform', 'credential dumping'), ('Mimikatz modules within', 'perform', 'credential dumping'), ('account', 'password')] T1003.002 [('Ke3chang', 'dumped', 'credentials'), ('credentials', 'including')] T1003.002 [('Koadic', 'gather', 'hashed passwords')] T1003.002 [('menuPass', 'dump', 'a version of'), ('menuPass', 'dump', 'credentials'), ('a version of', 'modified'), ('a version of', 'pentesting', 'tools'), ('a version of', 'pentesting', 'wmiexec.vbs')] T1003.002 [('Mimikatz', 'performs', 'credential dumping'), ('information useful', 'gaining', 'access to additional systems')] T1003.002 [('It', 'contains', 'functionality'), ('functionality', 'acquire', 'information about credentials in many ways'), ('many ways', 'including')] T1003.002 [('Mivast', 'has', 'the capability'), ('the capability', 'gather', 'password information')] T1003.002 [('Night Dragon', 'dumped', 'account hashes')] T1003.002 [('POWERTON', 'has', 'the ability'), ('the ability', 'dump', 'password hashes')] T1003.002 [('credentials', 'dump', 'pwdump'), ('the SAM', 'dump', 'pwdump')] T1003.002 [('Remsec', 'dump', 'the SAM database')] T1003.002 [('Group-3390 actors', 'dump', 'gsecdump'), ('Group-3390 actors', 'dump', 'credentials')] T1003.002 [('They', 'dumped', 'credentials from domain controllers')] 
T1003.002 [('Wizard Spider', 'acquired', 'credentials')] T1003.002 [('volume', 'dump')] T1003.002 [('volume', 'dump')] T1003.003 [('Chimera', 'gathered', 'the SYSTEM registry'), ('Chimera', 'gathered', 'ntds.dit files from target systems')] T1003.003 [('Chimera', 'dump', 'the NtdsAudit tool'), ('Chimera', 'dump', 'the password hashes of domain users')] T1003.003 [('SYSTEM RecordedTV_users.csv', 'copy', 'the Directory database'), ('SYSTEM RecordedTV_users.csv', 'copy', 'the Directory database')] T1003.003 [('CrackMapExec', 'dump', 'hashed passwords'), ('hashed passwords', 'associated'), ('hashed passwords', 'using', 'Windows Services API ( DRSUAPI')] T1003.003 [('They', 'obtained', 'ntds.dit')] T1003.003 [('esentutl', 'copy', 'Volume Shadow Copy'), ('esentutl', 'copy', 'locked files as')] T1003.003 [('FIN6', 'obtain', 'module'), ('FIN6', 'obtain', 'a copy of victim Directory database'), ('module', 'exec')] T1003.003 [('Fox Kitten', 'access', 'Volume Shadow Copy'), ('Fox Kitten', 'access', 'credential information')] T1003.003 [('HAFNIUM', 'stolen', 'copies of the Directory database ( NTDS.DIT )')] T1003.003 [('SecretsDump', 'perform', 'credential dumping'), ('Mimikatz modules within', 'perform', 'credential dumping'), ('account', 'password')] T1003.003 [('Koadic', 'gather', 'hashed passwords')] T1003.003 [('menuPass', 'dump', 'Ntdsutil'), ('menuPass', 'dump', 'credentials')] T1003.003 [('Mustang Panda', 'create', 'vssadmin'), ('Mustang Panda', 'create', 'a volume shadow copy')] T1003.003 [('Mustang Panda', 'used', 'reg save on the file Registry location')] T1003.003 [('Wizard Spider', 'gained', 'access to credentials'), ('copies of the ntds.dit Directory database', 'exported')] T1003.004 [('APT33', 'gather', 'a variety of available tools like'), ('APT33', 'gather', 'credentials')] T1003.004 [('CosmicDuke', 'collects', 'LSA secrets')] T1003.004 [('CrackMapExec', 'dump', 'hashed passwords from LSA secrets for the system'), ('the system', 'targeted')] T1003.004 
[('gsecdump', 'dump', 'LSA secrets')] T1003.004 [('SecretsDump', 'perform', 'credential dumping'), ('Mimikatz modules within', 'perform', 'credential dumping'), ('account', 'password')] T1003.004 [('Ke3chang', 'dumped', 'credentials'), ('credentials', 'including')] T1003.004 [('LaZagne', 'perform', 'credential dumping from LSA secrets'), ('account', 'password')] T1003.004 [('Leafminer', 'used', 'several tools'), ('information', 'including')] T1003.004 [('menuPass', 'dump', 'a version of'), ('menuPass', 'dump', 'credentials'), ('a version of', 'modified'), ('a version of', 'pentesting', 'tools'), ('a version of', 'pentesting', 'wmiexec.vbs')] T1003.004 [('Mimikatz', 'performs', 'credential dumping'), ('information useful', 'gaining', 'access to additional systems')] T1003.004 [('It', 'contains', 'functionality'), ('functionality', 'acquire', 'information about credentials in many ways'), ('many ways', 'including')] T1003.004 [('MuddyWater', 'performed', 'credential dumping')] T1003.004 [('OilRig', 'steal', 'dumping tools as'), ('OilRig', 'steal', 'credentials'), ('the system', 'compromised')] T1003.004 [('Pupy', 'use', 'Lazagne')] T1003.004 [('Group-3390 actors', 'dump', 'gsecdump'), ('Group-3390 actors', 'dump', 'credentials')] T1003.004 [('They', 'dumped', 'credentials from domain controllers')] T1003.005 [('APT33', 'gather', 'a variety of available tools like'), ('APT33', 'gather', 'credentials')] T1003.005 [('Cachedump', 'extract', 'cached password hashes')] T1003.005 [('LaZagne', 'perform', 'credential dumping from MSCache'), ('account', 'password')] T1003.005 [('Leafminer', 'used', 'several tools'), ('information', 'including')] T1003.005 [('MuddyWater', 'performed', 'credential dumping')] T1003.005 [('OilRig', 'steal', 'dumping tools as'), ('OilRig', 'steal', 'credentials'), ('the system', 'compromised')] T1003.005 [('PwDump', 'use', 'Okrum')] T1003.005 [('Pupy', 'use', 'Lazagne')] T1003.006 [('Mimikatz', 'performs', 'credential dumping'), ('information 
useful', 'gaining', 'access to additional systems')] T1003.006 [('It', 'contains', 'functionality'), ('functionality', 'acquire', 'information about credentials in many ways'), ('many ways', 'including')] T1003.006 [('Operation Wocao', 'dump', 'Mimikatz DCSync'), ('Operation Wocao', 'dump', 'credentials'), ('the system', 'targeted')] T1003.006 [('UNC2452 leveraged privileged accounts', 'replicate', 'service data with domain controllers')] T1003.006 [('The attacker', 'discovered', 'domain controllers ( DCs )')] T1003.006 [('This', 'replicate', 'the primary DC'), ('This', 'replicate', 'the credentials of other DCs'), ('the administrator', 'compromised')] T1003.007 [('LaZagne', 'obtain', 'credential information'), ('credential information', 'running', 'Linux processes')] T1003.007 [('MimiPenguin', 'dump', 'process memory')] T1003.007 [('APT31', 'dump', 'credentials'), ('root', 'using', 'credentials'), ('credentials', 'stolen')] T1003.007 [('DarkSide , group ,', 'obtain', 'access to an account'), ('an account', 'using', 'legitimate credentials')] T1003.007 [('Care', 'taken'), ('credentials', 'steal', 'it'), ('memory', 'steal', 'it'), ('credentials', '!obfuscated')] T1003.008 [('LaZagne', 'obtain', 'credential information'), ('shadow', 'using', 'the shadow.py module')] T1003.008 [('MAZE ransomware', 'enumerate', 'user credentials'), ('MAZE ransomware', 'enumerate', 'passwords from /passwd directory'), ('passwords from', 'hashed')] T1003.008 [('EKANS', 'ransomware', 'steals credentials')] T1003.008 [('Netwalker', 'deploys', 'various methods for credential stealing ,'), ('credential stealing ,', 'including'), ('credential stealing ,', 'dump', 'LaZagne'), ('credential stealing ,', 'dump', 'the shadow directory contents'), ('credential stealing ,', 'dump', 'the shadow directory contents')] T1003.008 [('Ransomware as', 'dump', 'hashed files')] T1003.008 [("a standard bin 's", "!'s", 'cat')] T1011.001 [('a module', 'have', 'Flame'), ('BeetleJuice', 'name', 'a module'), 
('Bluetooth functionality', 'contain', 'a module'), ('different ways', 'use', 'a module'), ('different ways', 'including'), ('information from the infected system over the Bluetooth protocol', 'transmit', 'different ways'), ('information from', 'encoded'), ('a Bluetooth beacon', 'act', 'the infected system over'), ('other Bluetooth devices', 'identify', 'the infected system over'), ('the vicinity', 'identify', 'the infected system over')] T1011.001 [('Bluetooth', 'used')] T1011.001 [('Adversaries', 'exfiltrate', 'data over than the command channel')] T1011.001 [('We', 'believe'), ('links', 'distribute', 'the malicious APKs'), ('the victims', 'send', 'links'), ('text messages', 'send', 'links')] T1011.001 [('The APK', 'has', 'the capability'), ('the capability', 'turn', 'bluetooh'), ('which', 'allow')] T1011.001 [('StarCruft', 'became')] T1011.001 [('information gathering for export', 'use', 'These')] T1014 [('Loadable Kernel Module', 'based')] T1016.001 [('APT29', 'perform', 'GoldFinder'), ('APT29', 'perform', 'GET requests'), ('GET requests', 'check', 'internet connectivity'), ('GET requests', 'identify', 'HTTP proxy servers'), ('GET requests', 'identify', 'other redirectors'), ('an HTTP request', 'travels')] T1016.001 [('GoldFinder', 'check', 'GET requests'), ('GoldFinder', 'check', 'internet connectivity'), ('an HTTP request', 'traveled')] T1016.001 [('More_eggs', 'check', 'GET requests'), ('More_eggs', 'check', 'internet connectivity')] T1016.001 [('Turla', 'check', 'tracert'), ('Turla', 'check', 'internet connectivity')] T1016.001 [('UNC2452', 'perform', 'GoldFinder'), ('UNC2452', 'perform', 'GET requests'), ('GET requests', 'check', 'internet connectivity'), ('GET requests', 'identify', 'HTTP proxy servers'), ('GET requests', 'identify', 'other redirectors'), ('an HTTP request', 'travels')] T1018 [('domain computers within', 'using', 'DirectorySearcher')] T1018 [('wmiobject to Domain Controllers', 'get')] T1020.001 [('Maze', 'mirror', 'traffic')] T1020.001 
[('actor PROMETHIUM', 'hide', 'their data exfiltration')] T1020.001 [('masks', 'cybergate'), ('traffic', 'mirrored')] T1020.001 [('RedLine Stealer', 'exfiltrate', 'data'), ('data', 'hidden')] T1020.001 [('The TEMP.Isotope campaign', 'featured', 'many instances of'), ('many instances of', 'mirroring', 'legitimate traffic')] T1021.001 [('RDP', 'use', 'The APT1 group'), ('operations', 'use', 'The APT1 group')] T1021.001 [('APT3', 'enables', 'the Remote Desktop Protocol')] T1021.001 [('APT3', 'interacted'), ('systems', 'compromised')] T1021.001 [('RDP', 'use', 'APT39'), ('lateral movement', 'use', 'APT39'), ('some cases', 'use', 'APT39'), ('persistence', 'use', 'APT39')] T1021.001 [('APT41', 'used', 'RDP')] T1021.001 [('RDP', 'use', 'The Axiom group'), ('operations', 'use', 'The Axiom group')] T1021.001 [('Blue Mockingbird', 'used', 'Remote Desktop')] T1021.001 [('Carbanak', 'enables', 'concurrent Protocol ( RDP ) sessions')] T1021.001 [('Chimera', 'access', 'RDP'), ('Chimera', 'access', 'systems'), ('systems', 'targeted')] T1021.001 [('Cobalt Group', 'conduct', 'Remote Desktop Protocol'), ('Cobalt Group', 'conduct', 'lateral movement')] T1021.001 [('Cobalt Strike', 'start', 'a server'), ('a server', 'based'), ('a server', 'tunnel', 'the connection'), ('the channel', 'established')] T1021.001 [('DarkComet', 'open', 'an active screen of the victimmachine')] T1021.001 [('FIN10', 'used', 'RDP')] T1021.001 [('FIN6', 'used', 'RDP')] T1021.001 [('FIN8', 'used', 'RDP for')] T1021.001 [('Fox Kitten', 'used', 'RDP')] T1021.001 [('Imminent Monitor', 'has', 'a module for'), ('a module for', 'performing', 'remote desktop access')] T1021.001 [('jRAT', 'support', 'RDP control')] T1021.001 [('Koadic', 'enable', 'remote desktop on victim machine')] T1021.001 [('malware SierraCharlie', 'uses', 'RDP')] T1021.001 [('Leviathan', 'targeted', 'RDP credentials')] T1021.001 [('menuPass', 'used', 'RDP connections')] T1021.001 [('a module for', 'performing', 'remote desktop access')] T1021.001 
[('OilRig', 'used', 'Remote Desktop Protocol')] T1021.001 [('The group', 'used', 'tunneling tools')] T1021.001 [('Patchwork', 'use', 'RDP')] T1021.001 [('Pupy', 'enable', 'disable RDP connection'), ('a remote desktop session', 'using', 'a browser socket client')] T1021.001 [('Pysa', 'using', 'RDP connections')] T1021.001 [('QuasarRAT', 'has', 'a module for'), ('a module for', 'performing', 'remote desktop access')] T1021.001 [('Revenge RAT', 'has', 'a plugin'), ('a plugin', 'perform', 'RDP access')] T1021.001 [('SDBbot', 'has', 'the ability'), ('the ability', 'use', 'RDP'), ('the ability', 'connect')] T1021.001 [('ServHelper', 'has', 'commands')] T1021.001 [('Silence', 'used', 'RDP')] T1021.001 [('Stolen Pencil', 'utilized', 'RDP'), ('remote point -', 'click')] T1021.001 [('RDP throughout .', 'utilized')] T1021.001 [('Wizard Spider', 'used', 'RDP')] T1021.001 [('zwShell', 'used', 'RDP')] T1021.001 [('ZxShell', 'has', 'remote desktop functionality')] T1021.001 [('RDP', 'server')] T1021.002 [('Anchor', 'support', 'windows execution')] T1021.002 [('APT3', 'copy', 'files')] T1021.002 [('APT39', 'used', 'SMB')] T1021.002 [('APT41', 'transferred', 'implant files'), ('implant files', 'using', 'Windows Admin Shares')] T1021.002 [('BlackEnergy', 'run', 'a plug - in')] T1021.002 [('Blue Mockingbird', 'copy', 'Windows Explorer'), ('Blue Mockingbird', 'copy', 'remote hosts over'), ('Blue Mockingbird', 'copy', 'malicious files')] T1021.002 [('Chimera', 'used', 'admin shares')] T1021.002 [('Cobalt Strike', 'use', 'Window admin shares ( C$ )')] T1021.002 [('Conti', 'spread'), ('different hosts', 'compromising', 'an entire network')] T1021.002 [('Deep Panda', 'uses', 'net.exe'), ('credentials', 'compromised')] OBJS_ credentials T1021.002 [('Adversaries', 'instruct', 'Duqu'), ('it', 'enumerated', 'legitimate credentials'), ('it', 'obtained', 'legitimate credentials')] T1021.002 [('The remote host', 'infected'), ('the credentials', 'compromised'), ('the malware', 'execute', 'remote 
machines')] T1021.002 [('the Admin$ share for lateral movement', 'leverage', 'Emotet'), ('the local admin password', 'forced')] T1021.002 [('FIN8', 'attempted'), ('hosts', 'enumerated')] T1021.002 [('Fox Kitten', 'access', 'valid accounts'), ('Fox Kitten', 'access', 'SMB shares')] T1021.002 [('files', 'copy', 'Ke3chang actors'), ('the network shares of other computers', 'copy', 'Ke3chang actors')] T1021.002 [('Kwampirs', 'copies', 'itself')] T1021.002 [('Lazarus Group SierraAlfa', 'accesses', 'the ADMIN$ share')] T1021.002 [('Lucifer', 'infect', 'victims')] T1021.002 [('Net', 'do', 'Lateral movement'), ('use commands', 'do', 'Lateral movement')] T1021.002 [('Net Crawler', 'establish', 'Windows admin shares'), ('Net Crawler', 'establish', 'authenticated sessions')] T1021.002 [('NotPetya', 'use', 'PsExec'), ('which', 'interacts')] T1021.002 [('Olympic Destroyer', 'uses', 'PsExec')] T1021.002 [('Operation Wocao', 'accessing', 'Impacket smbexec.py'), ('Operation Wocao', 'accessing', 'the C$ shares')] T1021.002 [('Orangeworm', 'copied', 'its backdoor'), ('open network shares', 'including')] T1021.002 [('adversaries', 'use', 'a tool'), ('programs to the ADMIN$ network share', 'execute', 'PsExec tool'), ('commands', 'execute', 'PsExec tool'), ('remote systems', 'execute', 'PsExec tool')] T1021.002 [('The Regin malware platform', 'use', 'admin shares')] T1021.002 [('Ryuk', 'used', 'the C$ network share for lateral movement')] T1021.002 [('Shamoon', 'accesses', 'network share(s'), ('Shamoon accesses share(s )', 'share', 'access to the target device')] T1021.002 [('Group-1314 actors', 'mapped', 'network drives'), ('network drives', 'using', 'net use')] T1021.002 [('Turla', 'used', 'use commands')] T1021.002 [('Wizard Spider', 'drop', 'SMB'), ('Wizard Spider', 'drop', 'Strike Beacon')] T1021.002 [('network shares', 'copy', 'zwShell')] T1021.002 [('credentials', 'stolen'), ('BlackMatter ransomware , with credentials', 'access', 'SMB'), ('BlackMatter ransomware , with', 
'access', 'the active directory AD )')] T1021.002 [('Attackers', 'use', 'CobaltStrike functionality ,'), ('CobaltStrike functionality ,', 'named', 'pipes')] T1021.002 [('APT groups', 'perform', 'Net , program ,'), ('SMB', 'perform', 'Net , program ,'), ('a variety of on host machines as discovery , movement', 'perform', 'Net , program ,')] T1021.002 [('command', 'writing', 'output')] T1021.003 [('Cobalt Strike', 'deliver', 'beacon " payloads for lateral movement')] T1021.003 [('Empire', 'leverage', 'Invoke - DCOM'), ('Empire', 'leverage', 'remote COM execution for lateral movement')] T1021.003 [('JuicyPotato', 'exploits', 'the windows'), ('JuicyPotato', 'exploits', 'DCOM'), ('JuicyPotato', 'exploits', 'token privilege')] T1021.003 [('The ExecuteShellCommand Method in', 'allows')] T1021.003 [('IcedID malware', 'accesses', 'victim machines'), ('victim machines', 'utilizing', 'DCOM')] T1021.004 [('APT39', 'used', 'secure shell ( SSH )')] T1021.004 [('Empire', 'contains', 'modules for'), ('modules for', 'executing', 'commands'), ('modules for', 'executing', 'in VNC agent injection')] T1021.004 [('Fox Kitten', 'used', 'the PuTTY tools')] T1021.004 [('Kinsing', 'used', 'SSH')] T1021.004 [('Leviathan', 'used', 'ssh')] T1021.004 [('menuPass', 'transfer', 'Putty Secure Copy Client ( PSCP )'), ('menuPass', 'transfer', 'data')] T1021.004 [('OilRig', 'access', 'Putty'), ('OilRig', 'access', 'systems'), ('systems', 'compromised')] T1021.004 [('Rocke', 'spread', 'its coinminer')] T1021.004 [('TEMP.Veles', 'relied'), ('encrypted tunnels', 'based')] T1021.004 [('SSH fingerprint data', 'shows'), ('Sysrv - hello', 'compromised', '26 servers')] T1021.004 [('APT24', 'utilised', 'SSH'), ('a credential stealer as', 'operate')] T1021.004 [('a VMWare ESXi', 'log', 'client Bitvise'), ('an open SSH connection', 'log', 'client Bitvise')] T1021.005 [('Carberp', 'start', 'a remote VNC session')] T1021.005 [('Fox Kitten', 'installed', 'TightVNC server'), ('Fox Kitten', 'installed', 'client'), 
('servers', 'compromised')] T1021.005 [('Proton', 'uses', 'VNC')] T1021.005 [('ZxShell', 'supports', 'functionality for VNC sessions')] T1021.005 [('Ramnit banking trojan', 'botnet'), ('Ramnit banking trojan', 'access', 'VNC'), ('Ramnit banking trojan', 'access', 'victim machines')] T1021.005 [('The SMOKEDHAM backdoor', 'installs', 'the UltraVNC application')] T1021.005 [('Many ransomware variants', 'utilise'), ('Many ransomware variants', 'combine'), ('CobaltStrike', 'combine')] T1021.006 [('APT29', 'execute', 'WinRM'), ('APT29', 'execute', 'command')] T1021.006 [('Chimera', 'used', 'WinRM')] T1021.006 [('Cobalt Strike', 'execute', 'WinRM'), ('Cobalt Strike', 'execute', 'a payload')] T1021.006 [('Threat Group-3390', 'enable', 'WinRM'), ('Threat Group-3390', 'enable', 'remote execution')] T1021.006 [('UNC2452', 'execute', 'WinRM'), ('UNC2452', 'execute', 'command')] T1021.006 [('Wizard Spider', 'used', 'Window Remote Management')] T1027.001 [('APT32', 'mislead', 'garbage code'), ('APT32', 'mislead', 'anti - malware software'), ('APT32', 'mislead', 'researchers')] T1027.001 [('code', 'bronze'), ('code', 'inflate', '0 " characters'), ('code', 'inflate', 'the file size'), ('a likely attempt', 'evade', 'anti - virus detection')] T1027.001 [('Comnie', 'appends', 'a total of 64 MB of garbage data'), ('place', 'scanning', 'files')] T1027.001 [('CORESHELL', 'contains', 'unused machine instructions'), ('a likely attempt', 'hinder', 'analysis')] T1027.001 [('A variant of to the end of its DLL file', 'create', 'a large file'), ('a large file', 'exceed', 'the maximum size'), ('anti - virus programs', 'scan')] T1027.001 [('junk code', 'pack', 'FatDuke'), ('strings', 'pack', 'FatDuke')] T1027.001 [('FinFisher', 'contains', 'junk code'), ('an effort', 'confuse', 'disassembly programs')] T1027.001 [('Gamaredon Group', 'obfuscated', '.NET executables')] T1027.001 [('Goopy', 'had'), ('null characters', 'padded')] T1027.001 [('Grandoreiro', 'added', 'BMP images'), ('its Portable 
Executable ( PE ) file', 'increasing')] T1027.001 [('Higaisa', 'performed', 'padding with null bytes')] T1027.001 [('Javali', 'hinder', 'large obfuscated libraries'), ('Javali', 'hinder', 'detection'), ('Javali', 'hinder', 'analysis')] T1027.001 [('a string into the middle of the decrypted payload', 'generated'), ('an attempt', 'evade', 'detections'), ('detections', 'based')] T1027.001 [('Leviathan', 'inserted', 'garbage characters')] T1027.001 [('Maze', 'inserted', 'large blocks of junk code'), ('large blocks of', 'including'), ('some components', 'decrypt', 'strings'), ('some components', 'decrypt', 'other important information for')] T1027.001 [('binary padding', 'employ', 'Moafee')] T1027.001 [('Mustang Panda', 'hinder', 'junk code'), ('Mustang Panda', 'hinder', 'analysis')] T1027.001 [('Patchwork', 'altered', 'NDiskMonitor samples'), ('a likely attempt', 'change', 'the file hashes')] T1027.001 [('POWERSTATS', 'counter', 'useless code blocks'), ('POWERSTATS', 'counter', 'analysis')] T1027.001 [('Rifdoor', 'added', 'four additional bytes of data'), ('the version as', 'changed')] T1027.001 [('SamSam', 'pad', 'garbage code'), ('SamSam', 'pad', 'some of its malware components')] T1027.001 [('TAINTEDSCRIBE', 'execute', 'FileRecvWriteRand'), ('a file', 'received')] T1027.001 [('A version of', 'introduced'), ('A version of', 'inserted', 'junk code'), ('a likely attempt', 'obfuscate', 'it')] T1027.001 [('yty', 'contains', 'junk code')] T1027.001 [('ZeroT', 'obfuscated', 'DLLs'), ('ZeroT', 'obfuscated', 'functions'), ('dummy API calls', 'inserted')] T1027.002 [('Anchor', 'come'), ('a payload', 'packed')] T1027.002 [('APT29', 'pack', 'UPX'), ('APT29', 'pack', 'files')] T1027.002 [('their tools', 'pack', 'APT3')] T1027.002 [('APT38', 'pack', 'several packing methods as'), ('APT38', 'pack', 'their implants')] T1027.002 [('APT39', 'packed', 'tools'), ('a version of', 'modified')] T1027.002 [('Astaroth', 'uses', 'a software packer'), ('a software packer', 'called', 
'Pe123\\RPolyCryptor')] T1027.002 [('Bazar', 'has', 'a variant with a payload'), ('a payload', 'packed')] T1027.002 [('the UPX packer', 'pack', 'BLINDINGCAN')] T1027.002 [('UPX', 'pack', 'Chopper client component')] T1027.002 [('UPX', 'pack', 'CSPY Downloader')] T1027.002 [('Dark Caracal', 'pack', 'UPX'), ('Dark Caracal', 'pack', 'Bandook')] T1027.002 [('DarkComet', 'has', 'the option'), ('the option', 'compress', 'its payload'), ('its payload', 'using', 'UPX')] T1027.002 [('A version of', 'uses', 'the MPRESS packer')] T1027.002 [('encrypted resources', 'deliver', 'Dyre')] T1027.002 [('Elderwood', 'packed', 'malware payloads')] T1027.002 [('Emotet', 'protect', 'custom packers'), ('Emotet', 'protect', 'its payloads')] T1027.002 [('its operators', 'repacke', 'FatDuke')] T1027.002 [('A FinFisher variant', 'uses', 'a custom packer')] T1027.002 [('GALLIUM', 'packed', 'some payloads')] T1027.002 [('obfuscation', 'pack', 'GoldMax')] T1027.002 [('obfuscation', 'pack', 'GreyEnergy')] T1027.002 [('H1N1', 'uses', 'a packing algorithm')] T1027.002 [('Hildegard', 'packed', 'ELF files')] T1027.002 [('HotCroissant', 'used', 'the open source'), ('HotCroissant', 'used', 'UPX executable packer')] OBJS_ module T1027.002 [('IcedID', 'packed', 'its loader module')] T1027.002 [('jRAT payloads', 'packed')] T1027.002 [('Lazarus Group', 'pack', 'Themida'), ('Lazarus Group', 'pack', 'two separate backdoor implants')] T1027.002 [('Lokibot', 'used', 'several packing methods')] T1027.002 [('Lucifer', 'used', 'binaries'), ('binaries', 'packed')] T1027.002 [('NSIS', 'pack', 'Machete')] T1027.002 [('VMProtect', 'pack', 'Melcoz')] T1027.002 [('Metamorfo', 'used', 'VMProtect')] T1027.002 [('NETWIRE', 'evade', 'packer tools'), ('NETWIRE', 'evade', 'detection')] T1027.002 [('software packing', 'use', 'Night Dragon'), ('its tools', 'use', 'Night Dragon')] T1027.002 [('OopsIE', 'pack', 'the SmartAssembly obfuscator'), ('OopsIE', 'pack', 'an .Net'), ('OopsIE', 'pack', 'Framework assembly'), ('an .Net', 
'embedded'), ('Framework assembly', 'used')] T1027.002 [('a variant', 'have', 'OSX_OCEANLOTUS.D'), ('UPX', 'pack', 'a variant')] T1027.002 [('UPX', 'pack', 'A Patchwork payload')] T1027.002 [('a custom packer', 'use', 'Raindrop'), ('its Strike payload', 'use', 'Raindrop'), ('which', 'compressed'), ('the LZMA algorithm', 'use', 'its Strike payload')] T1027.002 [('Rocke miner', 'created', 'files in'), ('files in', 'packed')] T1027.002 [('SDBbot', 'used', 'a file'), ('a file', 'packed')] T1027.002 [('the UPX packer', 'pack', 'SeaDuke')] T1027.002 [('the DLL', 'pack', 'ShimRat loader'), ('it', 'hijack')] T1027.002 [('Enigma Protector', 'pack', 'Spark')] T1027.002 [('TA505', 'obscure', 'UPX'), ('TA505', 'obscure', 'malicious code')] T1027.002 [('The White Company', 'obfuscated', 'their payloads')] T1027.002 [('TrickBot', 'leverages', 'a custom packer')] T1027.002 [('Karagany samples', 'use', 'common binary packers as')] T1027.002 [('Uroburos', 'uses', 'a custom packer')] T1027.002 [('Valak', 'used', 'payloads'), ('payloads', 'packed')] T1027.002 [('VERMIN', 'packed')] T1027.002 [('UPX', 'pack', 'Zebrocy Delphi variant')] T1027.002 [('UPX', 'pack', 'Some ZeroT DLL files')] T1027.002 [('ZIRCONIUM', 'used', 'multi - stage packers')] T1027.002 [('Binary', 'packed')] T1027.002 [('Binary', 'packed'), ('headers ( linux', 'modified')] T1027.002 [('Binary', 'packed')] T1027.002 [('Binary', 'packed')] T1027.003 [('ABK', 'extract', 'a malicious Executable ( PE')] T1027.003 [('steganography', 'send', 'APT37'), ('images', 'send', 'APT37'), ('to users', 'send', 'APT37'), ('shellcode', 'embed', 'users')] T1027.003 [('Avenger', 'extract', 'backdoor malware'), ('images', 'downloaded')] T1027.003 [('BBK', 'extract', 'a malicious Executable ( PE')] T1027.003 [('BRONZE BUTLER', 'conceal', 'steganography'), ('BRONZE BUTLER', 'conceal', 'malicious payloads')] T1027.003 [('build_downer', 'extract', 'malware'), ('a JPEG', 'downloaded')] T1027.003 [('IcedID', 'embedded', 'binaries within'), 
('IcedID', 'embedded', 'files')] T1027.003 [('MuddyWater', 'stored', 'obfuscated JavaScript code'), ('an image file', 'named', 'temp.jpg')] OBJS_ loader T1027.003 [('its loader', 'encrypt', 'Okrum payload')] T1027.003 [('PolyglotDuke', 'hide', 'steganography'), ('PolyglotDuke', 'hide', 'C2 information')] T1027.003 [('steganography', 'hide', 'PowerDuke'), ('backdoors in PNG files', 'hide', 'PowerDuke'), ('the Tiny Encryption Algorithm TEA', 'use', 'which'), ('the Tiny Encryption Algorithm TEA', 'use', 'PNG files')] T1027.003 [('Raindrop', 'locate', 'steganography'), ('Raindrop', 'locate', 'the start of its payload'), ('its payload', 'encoded')] T1027.003 [('Ramsay', 'has', 'PE data'), ('PE data', 'embedded'), ('JPEG files', 'contained')] T1027.003 [('RDAT', 'embed', 'data')] T1027.003 [('RegDuke', 'hide', 'data'), ('images', 'including')] T1027.003 [('TA551', 'hidden', 'data for malware DLLs'), ('data for', 'encoded')] T1027.003 [('Tropic Trooper', 'mask', 'JPG files'), ('Tropic Trooper', 'mask', 'their backdoor routines'), ('Tropic Trooper', 'mask', 'evade detection')] T1027.004 [('code', 'embedded'), ('code', 'uncompiled')] T1027.004 [('Gamaredon Group', 'compiled', 'the source code for a downloader'), ('the infected system', 'using', 'the Microsoft'), ('the infected system', 'built')] T1027.004 [('MuddyWater', 'compile', 'the csc.exe tool'), ('MuddyWater', 'compile', 'executables'), ('code', 'downloaded')] T1027.004 [('Rocke', 'compiled', 'malware'), ('malware', 'delivered')] T1027.005 [('indicators of compromise', 'remove', 'APT3'), ('tools', 'remove', 'APT3')] T1027.005 [('Cobalt Strike', 'includes', 'a capability'), ('a capability', 'modify', 'the beacon " payload'), ('a capability', 'eliminate', 'signatures'), ('a capability', 'eliminate', 'methods'), ('signatures', 'known'), ('methods', 'unpacking')] T1027.005 [('Analysis of', 'shown'), ('it', 'evade', 'technical improvements'), ('it', 'evade', 'anti - virus detection')] T1027.005 [('its malware', 
'resulting'), ('different hash values', 'evade', 'detection')] T1027.005 [('GALLIUM', 'ensured'), ('each payload', 'had', 'a unique hash'), ('a unique hash', 'including')] T1027.005 [('GravityRAT samples', 'submitted'), ('The author of to for testing', 'showing'), ('the author', 'modified', 'the code')] T1027.005 [('InvisiMole', 'undergone', 'regular technical improvements'), ('an attempt', 'evade', 'detection')] T1027.005 [('OilRig', 'tested', 'malware samples')] T1027.005 [('Operation Wocao', 'edited', 'variable names'), ('detection', 'automated')] T1027.005 [('Patchwork', 'altered', 'NDiskMonitor samples'), ('a likely attempt', 'change', 'the file hashes')] T1027.005 [('Penquin', 'remove', 'strings')] T1027.005 [('single byte anti - virus signatures', 'locate', 'PowerSploit AntivirusBypass module')] T1027.005 [('generic variable names', 'use', 'SUNBURST source code'), ('pre - obfuscated strings', 'use', 'SUNBURST source code')] T1027.005 [('TEMP.Veles', 'modified', 'files'), ('files', 'based'), ('an apparent attempt', 'decrease', 'AV detection rates')] T1027.005 [('an effort', 'make', 'Turla'), ('strings', 'obfuscate', 'an effort'), ('the malware', 'obfuscate', 'an effort'), ('IoCs', 'use', 'the malware'), ('the mutex name', 'include', 'the malware'), ('pipe', 'name', 'the malware')] T1027.005 [('functions', 'scramble', 'Waterbear'), ('random values', '!execute', 'functions')] T1033 [('user', 'has', 'Stealth mode ( PowerView')] T1036 [('System File', 'copied')] T1036.001 [('APT37', 'signed', 'its malware'), ('an invalid digital certificates', 'listed', 'Technology ( Shenzhen ) Company')] T1036.001 [('an invalid Authenticode certificate', 'sign', 'BADNEWS'), ('an apparent effort', 'sign', 'BADNEWS'), ('an apparent effort', 'make'), ('it', 'look')] T1036.001 [('fake digital certificates', 'sign', 'The NETWIRE client')] T1036.001 [('stage', 'regin'), ('fake certificates', 'sign', 'stage 1 modules for bit systems'), ('fake certificates', 'masquerading'), ('Microsoft 
Corporation', 'originate', 'fake certificates')] T1036.001 [('Windshift', 'sign', 'certificates'), ('Windshift', 'sign', 'malware'), ('certificates', 'revoked')] T1036.001 [('certificates', 'sign', 'WindTail'), ('certificates', 'revoked')] T1036.002 [('BlackTech', 'obfuscate', 'left - override'), ('BlackTech', 'obfuscate', 'the filenames of malicious e - mail attachments')] T1036.002 [('BRONZE BUTLER', 'deceive', 'Right Override'), ('BRONZE BUTLER', 'deceive', 'victims'), ('Right -', 'left')] T1036.002 [('Ke3chang', 'trick', 'character'), ('Ke3chang', 'trick', 'files'), ('Ke3chang', 'trick', 'targets'), ('character', 'left'), ('names', 'spearphishing')] T1036.002 [('Scarlet Mimic', 'used', 'the character'), ('the character', 'left'), ('names', 'extracting'), ('names', 'spearphishing')] T1036.002 [('Adversary', 'use', 'the right override ( RTLO )'), ('right - to', 'left'), ('a means of', 'tricking', 'a user'), ('a means of', 'executing'), ('they', 'think')] OBJS_ pubprn.vbs T1036.003 [('APT32', 'moved', 'pubprn.vbs')] T1036.003 [('a copy of', 'masquerade', 'The CozyCar dropper'), ('malware install directory', 'move', 'a copy of'), ('a copy of', 'renamed'), ('a file', 'accord', 'a copy of'), ('a file', 'predefined')] T1036.003 [('GALLIUM', 'evade', 'a cmd.exe file'), ('GALLIUM', 'evade', 'detection'), ('cmd.exe', 'renamed')] T1036.003 [('menuPass', 'renamed', 'certutil'), ('detection', 'based')] T1036.003 [('Adversaries', 'rename', 'legitimate system utilities')] T1036.003 [('Masquerading - wscript.exe', 'running')] T1036.003 [('exe', 'masquerading', 'non'), ('exe', 'running')] T1036.003 [('Malicious process', 'masquerading')] T1036.004 [('APT - C-36', 'disguised', 'its tasks'), ('its tasks', 'scheduled')] T1036.004 [('APT29', 'named', 'tasks'), ('APT29', 'named', '\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager'), ('order', 'appear', 'legitimate')] T1036.004 [('APT32', 'help', 'hidden - printing characters'), ('APT32', 'help', 'service names 
as'), ('service', 'masquerade'), ('service names as', 'appending', 'a Unicode break space character')] T1036.004 [('APT32', 'impersonated', 'the legitimate name install_flashplayer.exe')] T1036.004 [('the task name', 'appear', 'legitimate'), ('description', 'appear', 'legitimate')] T1036.004 [('Bazar', 'create', 'a task'), ('a task', 'appear', 'benign'), ('a task', 'appear', 'benign')] T1036.004 [('build_downer', 'added', 'itself')] T1036.004 [('Carbanak', 'copied', 'legitimate service names')] T1036.004 [('Catchamas', 'adds', 'a new service'), ('a new service', 'named', 'NetAdapter'), ('an apparent attempt', 'masquerade')] T1036.004 [('ComRAT', 'used', 'a task name'), ('a task name', 'associated')] T1036.004 [('Crutch', 'established', 'persistence with a task'), ('a task', 'scheduled'), ('a task', 'impersonating', 'the Outlook item finder')] T1036.004 [('a legitimate Windows service with a fake description', 'appear', 'CSPY Downloader'), ('a fake description', 'claiming'), ('applications', 'support', 'it'), ('applications', 'support', 'a fake description'), ('applications', 'packed')] T1036.004 [('Egregor', 'masqueraded', 'the svchost.exe process')] OBJS_ service OBJS_ service T1036.004 [('The Exaramel for dropper', 'creates', 'a Windows service'), ('dropper', 'creates', 'a Windows service'), ('a Windows service', 'named', 'wsmprovav'), ('a Windows service', 'named', 'AV"'), ('an apparent attempt', 'masquerade')] T1036.004 [('FIN6', 'renamed', 'the " psexec " service name')] T1036.004 [('FIN7', 'created', 'a task namedAdobeFlashSync"'), ('a task namedAdobeFlashSync"', 'scheduled')] T1036.004 [('Fox Kitten', 'named', 'the task for a reverse proxy lpupdate'), ('a reverse proxy lpupdate', 'appear', 'legitimate')] T1036.004 [('Fysbis', 'masqueraded')] T1036.004 [('GoldMax', 'impersonated', 'management software')] T1036.004 [('Higaisa', 'spoof', 'a shellcode loader binary svchast.exe'), ('Higaisa', 'spoof', 'the legitimate svchost.exe')] T1036.004 
[('InnaputRAT variants', 'appear', 'legitimate'), ('a new service', 'named', 'OfficeUpdateService')] T1036.004 [('InvisiMole', 'disguise', 'itself')] T1036.004 [('a legitimate service', 'disguise', 'IronNetInjector'), ('the name PythonUpdateSrvc', 'use', 'a legitimate service')] T1036.004 [('Kimsuky', 'disguised', 'services'), ('services', 'appear'), ('services', 'related'), ('functions', 'operating')] T1036.004 [('Kwampirs', 'establishes', 'persistence'), ('an attempt', 'masquerade')] T1036.004 [('a custom PE loader', 'include', 'backdoor implant'), ('" Security Package "', 'name', 'a custom PE loader'), ('the lsass.exe process', 'add', 'a custom PE loader'), ('registry key', 'add', 'a custom PE loader')] T1036.004 [('Machete', 'renamed', 'task names')] T1036.004 [('Maze operators', 'created', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'masquerading'), ('tasks', 'launch', 'the ransomware'), ('tasks', 'launch', 'the ransomware')] T1036.004 [('Nidiran', 'create', 'a new service'), ('a new service', 'named', 'msamger ( Manager )'), ('which', 'mimics', 'the legitimate Microsoft database')] T1036.004 [('Okrum', 'establish', 'persistence')] T1036.004 [('OSX_OCEANLOTUS.D', 'disguised', 'its app bundle')] T1036.004 [('instance menuPass', 'added', 'PlugX')] T1036.004 [('POWERSTATS', 'created', 'a task'), ('a task', 'scheduled'), ('a task', 'named', '" MicrosoftEdge'), ('a task', 'named', 'to establish persistence'), ('a task', 'establish', 'persistence')] T1036.004 [('PROMETHIUM', 'appear', 'services'), ('PROMETHIUM', 'appear', 'legitimate')] T1036.004 [('RawPOS', 'create', 'New services'), ('legitimate Windows services', 'appear', 'New services'), ('names as', 'appear', 'New services'), ('names as', 'help')] T1036.004 [('RDAT', 'used', 'Windows Video Service')] T1036.004 [('RTM', 'named', 'the task'), ('the task', 'scheduled'), ('it', 'creates', '" Windows Update')] T1036.004 [('Seasalt', 'masqueraded'), ('a service', 'called', '" SaSaut'), ('an apparent attempt', 
'masquerade')] T1036.004 [('Shamoon', 'creates', 'a new service'), ('namedntssrv"', 'appear', 'legitimate'), ('service display name Service" description', 'ishelps', 'guard against time change attempts'), ('time change attempts', 'targeting', 'vulnerabilities in network time'), ('vulnerabilities in', 'discovered'), ('Newer versions', 'create', 'the " MaintenaceSrv " service'), ('which', 'misspells', 'the word'), ('which', 'misspells', '" maintenance')] T1036.004 [('ShimRat', 'impersonate', 'Windows services'), ('ShimRat', 'impersonate', 'antivirus products'), ('systems', 'compromised')] T1036.004 [('SLOTHFULMEDIA', 'named', 'a service'), ('it', 'establishes')] T1036.004 [('StrongPity', 'appear', 'services'), ('StrongPity', 'appear', 'legitimate')] T1036.004 [('To establish Truvasys', 'adds', 'a Run key with a value " TaskMgr "'), ('an attempt', 'masquerade')] T1036.004 [('UNC2452', 'named', 'tasks'), ('UNC2452', 'named', '\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager'), ('order', 'appear', 'legitimate')] T1036.004 [('Some Volgmer variants', 'add', 'new services'), ('display names', 'generated'), ('strings as', 'coded'), ('a way', 'masquerade')] T1036.004 [('Wizard Spider', 'install', 'tasks'), ('Wizard Spider', 'install', 'TrickBot'), ('tasks', 'scheduled')] T1036.004 [('It', 'used', 'file names')] T1036.004 [('ZIRCONIUM', 'created', 'a run key'), ('a run key', 'named', 'Dropbox Update Setup'), ('a run key', 'mask', 'a persistence mechanism')] T1036.004 [('similar service', 'named'), ('similar service', 'using', 'schtasks')] T1036.004 [('similar service', 'named'), ('similar service', 'using', 'sc')] T1036.005 [('actors', 'rename', 'the command'), ('actors', 'rename', 'one of their tools'), ('the command', 'following')] T1036.005 [('APT1', 'use', 'a legitimate process name for'), ('a name for', 'use', 'a legitimate process name for')] T1036.005 [('APT29', 'renamed', 'a version of'), ('an attempt', 'appear')] T1036.005 [('APT32', 
'renamed', 'a NetCat binary')] T1036.005 [('APT32', 'renamed', 'a Strike beacon payload')] T1036.005 [('APT39', 'used', 'malware'), ('malware', 'disguised'), ('a tool', 'named', 'mfevtpse.exe'), ('a tool', 'proxy', 'C2 communications'), ('C2 communications', 'mimicking', 'a legitimate McAfee file')] T1036.005 [('APT41', 'masquerade', 'their files')] T1036.005 [('BackConfig', 'hidden', 'malicious payloads')] T1036.005 [('BADNEWS', 'hide', 'its payloads')] T1036.005 [('The Bazar loader', 'named', 'malicious shortcuts adobe')] T1036.005 [('BLINDINGCAN', 'hide', 'its payload')] T1036.005 [('Blue Mockingbird', 'masqueraded', 'their XMRIG payload name')] OBJS_ malware T1036.005 [('BRONZE BUTLER', 'given', 'malware'), ('BRONZE BUTLER', 'given', 'the same name'), ('an file on the share server', 'existing'), ('an file on', 'cause'), ('users', 'launch', 'the malware'), ('an file on', 'install', 'the malware')] T1036.005 [('Bundlore', 'disguised', 'a malicious .app file as a Player update')] T1036.005 [('Calisto installation file', 'is', 'an unsigned DMG image under the guise of Integosecurity solution for')] T1036.005 [('Carbanak', 'named', 'malware " svchost.exe " is the name of the Windows program'), ('the Windows program', 'shared')] T1036.005 [('Carberp', 'masqueraded')] T1036.005 [('itself', 'copy', 'ChChes'), ('an .exe file', 'copy', 'ChChes'), ('a filename', 'copy', 'ChChes'), ('Norton Antivirus', 'imitate', 'a filename'), ('Norton Antivirus', 'imitate', 'a filename'), ('several letters', 'reversed')] T1036.005 [('Chimera', 'renamed', 'malware')] T1036.005 [('DarkComet', 'dropped', 'itself')] T1036.005 [('an apparent attempt', 'masquerade')] T1036.005 [('malware', 'use', 'Darkhotel'), ('a Shell ( SSH ) tool', 'disguise', 'malware')] T1036.005 [('Daserf', 'uses', 'file'), ('Daserf', 'uses', 'names'), ('Daserf', 'uses', 'folder'), ('names', 'related'), ('order', 'blend')] T1036.005 [('Doki', 'disguised', 'a file as a kernel module')] T1036.005 [('One of', 'hide')] 
T1036.005 [('If installing itself as a service', 'fails', 'Elise'), ('a file', 'named', 'svchost.exe'), ('svchost.exe', 'saved')] T1036.005 [('FatDuke', 'mimic', 'user traffic'), ("a user 's", 'compromised')] T1036.005 [('Felismus', 'masqueraded')] T1036.005 [('FinFisher', 'renames', 'one of its .dll files'), ('an apparent attempt', 'masquerade')] T1036.005 [('Fox Kitten', 'named', 'binaries'), ('Fox Kitten', 'named', 'svhost'), ('Fox Kitten', 'named', 'configuration files')] T1036.005 [('Fysbis', 'masqueraded'), ('software', 'trusted')] T1036.005 [('GoldenSpy setup file', 'installs', 'initial executables under the folder %')] T1036.005 [('GoldMax', 'appeared'), ('a task', 'scheduled'), ('a task', 'impersonating', 'management software within the corresponding ProgramData subfolder')] T1036.005 [('the legitimate goopdate.dll', 'impersonate', 'Goopy'), ('the target system', 'drop', 'which'), ('a legitimate GoogleUpdate.exe', 'drop', 'which')] T1036.005 [('Grandoreiro', 'named', 'malicious browser extensions')] T1036.005 [('Hildegard', 'disguised', 'itself'), ('a process', 'known')] OBJS_ RAT T1036.005 [('HTTPBrowser installer', 'contains', 'a malicious file'), ('a malicious file', 'named', 'navlu.dll'), ('a malicious file', 'decrypt', 'the RAT'), ('a malicious file', 'run', 'the RAT')] T1036.005 [('navlu.dll', 'is', 'the name of')] T1036.005 [('Indrik Spider', 'used', 'fake updates')] T1036.005 [('InnaputRAT variants', 'appear', 'legitimate')] T1036.005 [('InvisiMole', 'disguised', 'its droppers'), ('legitimate software', 'matching', 'their original names'), ('legitimate software', 'matching', 'locations')] T1036.005 [('Ixeshe', 'used', 'registry values'), ('Ixeshe', 'used', 'file names'), ('file names', 'associated')] T1036.005 [('KONNI', 'creates', 'a shortcut'), ('a shortcut', 'called', 'Anti virus'), ('a shortcut', 'called', 'service.lnk'), ('an apparent attempt', 'masquerade')] T1036.005 [('Lazarus Group', 'disguise', 'the TAINTEDSCRIBE main executable'), 
('Lazarus Group', 'disguise', 'itself')] T1036.005 [('LightNeuron', 'used', 'filenames'), ('filenames', 'associated')] T1036.005 [('LookBack', 'has', 'a C2 proxy tool'), ('a C2 proxy tool', 'masquerades'), ('software', 'used')] T1036.005 [('Machete Machete MSI installer', 'masqueraded')] T1036.005 [('Machete', 'renamed', 'payloads')] T1036.005 [('Readme.txt', 'name', 'MCMD')] T1036.005 [('a file', 'download', 'MechaFlounder'), ('lsass.exe', 'name', 'a file'), ('the legitimate Windows file', 'match', 'which')] T1036.005 [('malicious files', 'change', 'menuPass')] T1036.005 [('Metamorfo', 'disguised', 'an MSI file')] T1036.005 [('Mis - Type', 'saves', 'itself'), ('a file', 'named', 'msdtc.exe')] T1036.005 [('Misdat', 'saves', 'itself'), ('a file', 'named', 'msdtc.exe')] T1036.005 [('MuddyWater', 'disguised', 'malicious executables'), ('Registry key names', 'associated')] T1036.005 [('Mustang Panda', 'load', 'adobeupdate.dat'), ('Mustang Panda', 'load', 'a Strike payload'), ('a file', 'named', 'OneDrive.exe')] T1036.005 [('NETWIRE', 'masqueraded'), ('legitimate software', 'including')] T1036.005 [('LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe', 'write', 'NOKKI'), ('%', 'write', 'NOKKI')] T1036.005 [('a legitimate folder', 'masquerade', 'an apparent attempt'), ('file', 'masquerade', 'an apparent attempt')] T1036.005 [('OLDBAIT', 'installs', 'itself'), ('the directory name', 'missing', 'a space'), ('the file name', 'missing', 'the letter'), ('the file name', 'missing', '" o.')] T1036.005 [('OSX / Shlayer', 'masquerade')] T1036.005 [('the filename owaauth.dll is a legitimate file', 'use', 'OwaAuth'), ('%', 'reside', 'a legitimate file'), ('%', 'save', 'the malicious file by the same name')] T1036.005 [('Patchwork', 'installed', 'its payload')] T1036.005 [('The group', 'adds', 'its second stage payload')] T1036.005 [('They', 'dropped', 'QuasarRAT binaries'), ('files', 'named', 'microsoft_network.exe')] T1036.005 [('Penquin', 'mimicked', 'the Cron'), ('Penquin', 
'mimicked', 'binary'), ('systems', 'compromised')] T1036.005 [('disk', 'store', 'PipeMon modules'), ('benign names', 'store', 'PipeMon modules'), ('use of a file extension', 'include', 'benign names'), ('a popular word processor', 'associate', 'a file extension')] T1036.005 [('Pony', 'used', 'the Reader icon'), ('the file', 'downloaded')] T1036.005 [('Group tools', 'spoof', 'anti - virus processes')] T1036.005 [('PROMETHIUM', 'disguised', 'malicious installer files')] T1036.005 [('filenames from %', 'mimics'), ('filenames from', 'system%\\system32'), ('filenames from', 'hide', 'DLLs')] T1036.005 [('Pysa', 'executed', 'a malicious executable')] T1036.005 [('QUADAGENT', 'used', 'the PowerShell filenames Office365DCOMCheck.ps1')] T1036.005 [('names', 'instal', 'Raindrop'), ('legitimate Windows file names', 'resemble', 'names')] T1036.005 [('Ramsay', 'masqueraded')] T1036.005 [('RDAT', 'masqueraded')] T1036.005 [('The Remsec loader', 'implements', 'itself')] T1036.005 [('files', 'mimic', 'legitimate file names'), ('legitimate file names', 'used')] T1036.005 [('Remsec', 'disguised', 'malicious modules'), ('malicious modules', 'using', 'similar filenames')] T1036.005 [('REvil', 'mimic', 'the names of executables'), ('executables', 'known')] T1036.005 [('Rocke', 'used', 'shell scripts'), ('which', 'download', 'mining executables'), ('shell scripts', 'saves', 'them')] T1036.005 [('Ryuk', 'constructed', 'legitimate paths'), ('legitimate paths', 'appearing')] T1036.005 [('the path', 'appear')] T1036.005 [('S - Type', 'save', 'itself'), ('a file', 'named', 'msdtc.exe')] T1036.005 [('Sandworm Team', 'avoided', 'detection')] T1036.005 [('ShimRatReporter', 'spoofed', 'itself')] T1036.005 [('Sibot', 'downloaded', 'a DLL')] T1036.005 [('Sidewinder', 'match', 'malicious files'), ('Sidewinder', 'match', 'rekeywiz.exe'), ('Sidewinder', 'match', 'the name of')] T1036.005 [('Silence', 'named', 'its backdoor " WINWORD.exe')] T1036.005 [('Skidmap', 'created', 'a fake rm binary')] 
T1036.005 [('SLOTHFULMEDIA', 'mimicked', 'the names of executables as'), ('executables as', 'known')] T1036.005 [('Sowbug', 'named', 'its tools')] T1036.005 [('To establish SslMM', 'identifies', 'the Startup directory'), ('its own executable', 'disguised')] T1036.005 [('Starloader', 'masqueraded')] T1036.005 [('legitimate installation files for disguise', 'bundle', 'StrongPity')] T1036.005 [('VBScripts', 'create', 'SUNBURST'), ('services', 'name', 'VBScripts'), ('folders', 'name', 'VBScripts'), ('services', 'existing'), ('legitimate activities', 'blend', 'VBScripts')] T1036.005 [('disk', 'identify', 'SUNSPOT'), ('a filename of', 'identify', 'SUNSPOT'), ('an encrypted log file at', 'create', 'it')] T1036.005 [('SUPERNOVA', 'masqueraded')] T1036.005 [('The TAINTEDSCRIBE main executable', 'disguised', 'itself')] T1036.005 [('TEARDROP files', 'had', 'names'), ('names', 'resembled', 'legitimate Window file'), ('names', 'resembled', 'directory names')] T1036.005 [('TEMP.Veles', 'renamed', 'files')] T1036.005 [('ThiefQuest', 'prepends', 'a copy of')] T1036.005 [('Tropic Trooper', 'has', 'payloads in Flash directories'), ('payloads in', 'hidden')] T1036.005 [('UNC2452', 'renamed', 'a version of'), ('an attempt', 'appear')] T1036.005 [('Ursnif', 'used', 'strings from legitimate system files'), ('folders', 'existing')] T1036.005 [('a legitimate Russian program', 'called', 'USB Disk Security')] T1036.005 [('Whitefly', 'named', 'the malicious DLL'), ('Whitefly', 'named', 'the same name as'), ('DLLs', 'belonging')] T1036.005 [('ASPNET_FILTER.DLL', 'name', 'A Winnti for Windows implant file'), ('mimicking DLL with the same name', 'name', 'A Winnti for')] T1036.005 [('ZLib', 'mimics', 'the version information of')] T1036.005 [('a directory', 'masquerading')] T1036.005 [('a system', 'built')] T1036.006 [('Keydnap', 'puts', 'a space'), ('execution', 'goes')] T1036.006 [('Adversary', 'put', 'extra space'), ('double clicking', 'assuming', 'its benign document')] T1036.006 
[('Malware', 'put', 'extra space'), ('a false .png extension', 'clicks'), ('user', 'clicks'), ('it', 'assuming', 'its a harmless photo')] T1036.006 [('Campaign', 'puts', 'blank space'), ('monitoring rules for', 'blocking', 'executable files')] T1036.006 [('extension', 'having', 'an extra space'), ('it', 'run')] T1037.001 [('loader Trojan', 'adds', 'the Registry key HKCU\\Environment\\UserInitMprLogonScript')] T1037.001 [('Attor dispatcher', 'establish', 'persistence')] T1037.001 [('Cobalt Group', 'added', 'persistence')] T1037.001 [('JHUHUGIT', 'registered', 'a shell script under the Registry key HKCU\\Environment\\UserInitMprLogonScript')] T1037.001 [('the ability', 'set', 'the Registry key'), ('the ability', 'execute', 'logon scripts')] T1037.001 [('Zebrocy', 'performs', 'persistence with a logon script')] T1037.002 [('Adversaries', 'use', 'macOS logon scripts')] T1037.002 [('A login hook', 'execute', 'Mac OS X'), ('A login hook', 'execute', 'a certain script'), ('a user', 'logs')] T1037.002 [('a persistence script on', 'run', 'a viable way of')] T1037.002 [('Access', 'login', 'hook scripts'), ('Access', 'allow'), ('an adversary', 'insert', 'additional malicious code')] T1037.003 [('Adversaries', 'use', 'network logon scripts'), ('network logon scripts', 'executed'), ('network logon scripts', 'establish', 'persistence')] T1037.003 [('leverage boot', 'know', 'APT31'), ('logon initialization scripts', 'know', 'APT31')] T1037.003 [('Attackers', 'maintain', 'boot'), ('Attackers', 'maintain', 'persistence on a network'), ('Attackers', 'maintain', 'logon scripts')] T1037.003 [('a startup script', 'execute', 'One of FontOnLakerootkits')] T1037.003 [('the LNK file ,', 'placed'), ('the LNK file ,', 'triggers', 'the execution of')] T1037.004 [('HiddenWasp', 'installs', 'persistence')] T1037.004 [('iKitten', 'adds', 'an entry to for persistence')] T1037.004 [('compatibility on', 'allowed'), ('attackers', 'achieve', 'persistence')] T1037.004 [('the malware', 'achieve', 
'persistence'), ('Triage analysis', 'reports', 'suspicious behavior :')] OBJS_ entries T1037.005 [('jRAT', 'list', 'startup entries')] T1037.005 [('Adversaries', 'use', 'startup items'), ('startup items', 'executed'), ('startup items', 'establish', 'persistence')] T1037.005 [('Attackers', 'create', 'the appropriate folders / files in the StartupItems directory')] T1037.005 [('X malware sample', 'persists')] T1037.005 [('The malware', 'achieves', 'persistence')] T1046 [('Port Scan', 'using', 'python')] T1047 [('WMI', 'execute', 'Local Process')] T1047 [('WMI', 'execute', 'Remote Process')] T1047 [('a Process', 'using', 'WMI Query')] T1047 [('Application uninstall', 'using', 'WMIC')] T1048.001 [('Adversaries', 'share', 'keys'), ('protocols , as', 'encrypted')] T1048.001 [('Attackers', 'encrypt', 'a pre - shared key'), ('Attackers', 'encrypt', 'the data'), ('the data', 'collected')] T1048.001 [('the information', 'encrypt', 'Actor'), ('the information', 'breached')] T1048.001 [('The group', 'has', 'the ability'), ('the ability', 'read', 'file contents'), ('infrastructure', 'controlled')] T1048.001 [('they all', 'have'), ('each exfiltrates', 'collected', 'credentials'), ('each exfiltrates', 'collected', 'to servers'), ('each exfiltrates', 'collected', 'its command history'), ('they', 'control')] T1048.002 [('APT29', 'collected', 'data over a simple HTTPS request to a archive'), ('a archive', 'protected'), ('a simple HTTPS request to', 'staged')] T1048.002 [('UNC2452', 'exfiltrated'), ('a archive', 'protected'), ('a simple HTTPS request to a archive', 'staged')] OBJS_ contents T1048.002 [('The threat actors', 'collected', 'the contents of for use')] T1048.002 [('The data', 'exported'), ('The data', 'encrypted')] T1048.002 [('archives of data', 'download', 'The actors'), ('data', 'collected'), ('data', 'encrypted')] T1048.002 [('archives of data', 'upload', 'The attack'), ('archives of', 'protected'), ('data', 'collected'), ('victim servers', 'stage', 'data')] T1048.002 
[('data HTTPS', 'using', 'curl windows')] T1048.002 [('data HTTPS', 'using', 'curl linux')] T1048.003 [('Agent Tesla', 'has', 'routines for exfiltration over')] T1048.003 [('APT32 backdoor', 'exfiltrate', 'data')] T1048.003 [('APT33', 'used', 'FTP')] T1048.003 [('BITS Jobs', 'create', 'BITSAdmin'), ('a host', 'compromised')] T1048.003 [('Some Prince variants', 'exfiltrate', 'Korea Daum email service'), ('Some Prince variants', 'exfiltrate', 'information'), ('later variants', 'posted', 'the data')] T1048.003 [('Carbon', 'send', 'HTTP'), ('Carbon', 'send', 'data')] T1048.003 [('Cherry Picker', 'exfiltrates', 'files over')] T1048.003 [('CookieMiner', 'exfiltrate', 'the file command'), ('CookieMiner', 'exfiltrate', 'data over')] T1048.003 [('CORALDECK', 'exfiltrated', 'data in POST headers')] T1048.003 [('CosmicDuke exfiltrates', 'collected', 'files over')] T1048.003 [('C2 servers', 'configure', 'Exfiltration servers')] T1048.003 [('FIN6', 'sent', 'data'), ('data', 'stolen')] T1048.003 [('FIN8', 'exfiltrate', 'FTP'), ('FIN8', 'exfiltrate', 'data'), ('data', 'collected')] T1048.003 [('data separate', 'exfiltrate', 'FTP')] T1048.003 [('Kessel', 'exfiltrate', 'credentials'), ('Kessel', 'exfiltrate', 'TCP'), ('Kessel', 'exfiltrate', 'other information via')] T1048.003 [('KONNI', 'exfiltrate', 'FTP'), ('KONNI', 'exfiltrate', 'reconnaissance data')] T1048.003 [('Group malware SierraBravo', 'generates', 'an email message'), ('SMTP', 'containing', 'information about victims'), ('victims', 'infected')] T1048.003 [('OilRig', 'exfiltrated', 'data over')] T1048.003 [('PoetRAT', 'used', 'FTP')] T1048.003 [('Remsec', 'exfiltrate', 'data')] T1048.003 [('Thrip', 'exfiltrate', 'data'), ('a organization over', 'targeted')] T1048.003 [('WindTail', 'has', 'the ability'), ('the ability', 'exfiltrate', 'files'), ('files', 'using', 'the macOS utility'), ('the macOS utility', 'built')] T1048.003 [('Wizard Spider', 'exfiltrated', 'victim information'), ('victim information', 'using', 'FTP')] 
T1049 [('System Discovery', 'using', 'SharpView')] T1052.001 [('Agent.btz', 'creates', 'a file'), ('a file', 'named', 'thumb.dd'), ('all USB flash drives', 'connected')] T1052.001 [('This file', 'contains', 'information about the infected system')] T1052.001 [('Machete', 'has', 'a feature'), ('a feature', 'copy', 'files')] T1052.001 [('Mustang Panda', 'used', 'a variant'), ('a variant', 'customized'), ('which', 'exfiltrate', 'documents from networks'), ('networks', 'gapped')] T1052.001 [('Remsec', 'contains', 'a module'), ('systems', 'connected')] T1052.001 [('data', 'stage', 'SPACESHIP copies'), ('removable drives', 'stage', 'SPACESHIP copies'), ('the system', 'insert', 'they')] T1052.001 [('Tropic Trooper', 'exfiltrated', 'data'), ('data', 'using', 'USB storage devices')] T1052.001 [('USBStealer exfiltrates', 'collected', 'files'), ('victims', 'gapped')] T1053.001 [('mining on victim machines', 'recurring')] T1053.001 [('the at command on Linux OS', 'automate', 'Communication with a CnC server')] T1053.001 [('Chickens Malware - as', 'schedule', 'malicious tasks')] T1053.001 [('Malware', 'exfiltrate', 'data at regular intervals on Linux servers'), ('data at', 'stolen')] T1053.001 [('Ransomware', 'schedule', 'the encryption of victim data')] T1053.002 [('APT18 actors', 'use', 'the native'), ('APT18 actors', 'use', 'tasks for execution on a victim network'), ('tasks for', 'scheduled')] T1053.002 [('BRONZE BUTLER', 'register', 'a task'), ('a task', 'scheduled'), ('a task', 'execute', 'malware')] T1053.002 [('CrackMapExec', 'set', 'a task'), ('a task', 'scheduled'), ('commands', 'using')] T1053.002 [('MURKYTOP', 'has', 'the capability'), ('the capability', 'schedule', 'remote AT jobs')] T1053.002 [('Group-3390 actors', 'schedule', 'tasks'), ('archives', 'extracting'), ('which', 'install', 'HTTPBrowser')] T1053.002 [('CTU analysts', 'observe', 'Lateral movement within infrastructure'), ('attackers', 'observe', 'Lateral movement within'), ('at.exe', 'utilise', 
'attackers'), ('the movement', 'utilise', 'attackers')] T1053.002 [('tasks', 'scheduled'), ('at.exe', 'use', 'tasks'), ('at.exe', 'use', 'tasks'), ('a program', 'depreciated'), ('activity', 'need', 'tasks'), ('a program', 'updated')] T1053.002 [('The Bamital Trojan', 'utilised', 'at.exe')] T1053.002 [('At.exe task', 'scheduled')] T1053.003 [('Anchor', 'install', 'itself')] T1053.003 [('Exaramel for', 'uses', 'crontab'), ('it', '!have', 'root privileges')] T1053.003 [('Janicab', 'used', 'a cron job for persistence on Mac devices')] T1053.003 [('Kinsing', 'used', 'crontab')] T1053.003 [('NETWIRE', 'establish', 'crontabs'), ('NETWIRE', 'establish', 'persistence')] T1053.003 [('Penquin', 'create', 'Cron'), ('Penquin', 'create', 'periodic - scheduled background jobs')] OBJS_ files T1053.003 [('Rocke', 'installed', 'a cron job'), ('a cron job', 'downloaded', 'files'), ('a cron job', 'executed', 'files')] T1053.003 [('Skidmap', 'installed', 'itself')] T1053.003 [('SpeakUp', 'uses', 'cron tasks')] T1053.003 [('Xbash', 'create', 'a cronjob for persistence'), ('it', 'determines')] T1053.003 [('Muhstik , group', 'abuses', 'the cron utility')] T1053.003 [('Chinese actors', 'sponsored'), ('Chinese actors', 'schedule', 'CLI tools , as crontab'), ('Chinese actors', 'schedule', 'malicious tasks'), ('Chinese actors', 'schedule', 'that enumerate victim devices')] T1053.003 [('Moobot , variant ,', 'achieves', 'persistence through crontab')] T1053.004 [('Malware', 'installs')] T1053.004 [('files', 'abuse', 'the root privileges of launchd daemons')] T1053.004 [('Launchd', 'change', 'the permissions of files')] T1053.004 [('Copying files to /Library / LaunchDaemons / folder', 'escalate', 'the privileges'), ('the privileges', 'copied')] T1053.004 [('BeagleBoyz , Actors ,', 'obfuscate', 'their malware')] T1053.004 [('Reconnaissance checks', 'automated')] T1053.005 [('Agent Tesla', 'achieved', 'persistence via tasks'), ('tasks', 'scheduled')] T1053.005 [('Anchor', 'create', 'a task for 
persistence'), ('a task for', 'scheduled')] T1053.005 [('AppleJeus', 'created', 'a task'), ('a task', 'scheduled'), ('a task', 'runs'), ('a user', 'logs')] T1053.005 [('APT - C-36', 'set', 'a macro function'), ('APT - C-36', 'set', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'disguised'), ('tasks', 'used')] T1053.005 [('APT29', 'create', 'scheduler'), ('APT29', 'create', 'new tasks'), ('APT29', 'create', 'schtasks')] T1053.005 [('They', 'manipulated', 'tasks'), ('tasks', 'scheduled'), ('an task', 'existing'), ('the task', 'scheduled')] T1053.005 [('APT29', 'created', 'a task'), ('a task', 'scheduled'), ('the host', 'booted')] T1053.005 [('They', 'establish', 'persistence'), ('tasks', 'scheduled')] T1053.005 [('An APT3 downloader schtasks', 'creates', 'persistence')] T1053.005 [('APT32', 'used', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('APT33', 'created', 'a task'), ('a task', 'scheduled')] T1053.005 [('APT39', 'created', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('APT41', 'create', 'a account'), ('APT41', 'create', 'a task'), ('a account', 'compromised'), ('a task', 'scheduled')] T1053.005 [('Attor installer plugin', 'schedule', 'a new task'), ('a new task', 'loads', 'the dispatcher')] T1053.005 [('BabyShark', 'maintain', 'tasks'), ('BabyShark', 'maintain', 'persistence'), ('tasks', 'scheduled')] T1053.005 [('BackConfig', 'has', 'the ability'), ('the ability', 'execute', 'tasks'), ('the ability', 'execute', 'malicious payloads'), ('tasks', 'scheduled'), ('the ability', 'execute', 'malicious payloads'), ('a host', 'compromised')] T1053.005 [('BADNEWS', 'creates', 'a task'), ('a task', 'scheduled'), ('a task', 'establish'), ('a task', 'executing', 'a malicious payload')] T1053.005 [('Bazar', 'create', 'a task for persistence'), ('a task for', 'scheduled')] T1053.005 [('Blue Mockingbird', 'establish', 'Windows Tasks'), ('Blue Mockingbird', 'establish', 'persistence on local hosts')] T1053.005 [('BONDUPDATER', 'using', 'a task'), ('a task', 'scheduled'), ('a 
task', 'executes')] T1053.005 [('BRONZE BUTLER', 'register', 'schtasks'), ('BRONZE BUTLER', 'register', 'a task'), ('a task', 'scheduled'), ('a task', 'execute', 'malware')] T1053.005 [('Carbon', 'creates', 'several tasks for later execution')] T1053.005 [('Chimera', 'invoke', 'tasks'), ('Chimera', 'invoke', 'Cobalt Strike'), ('tasks', 'scheduled')] T1053.005 [('/st', 'maintain', 'persistence')] T1053.005 [('Cobalt Group', 'created', 'Windows tasks')] T1053.005 [('ComRAT', 'launch', 'a task'), ('ComRAT', 'launch', 'its PowerShell loader'), ('a task', 'scheduled')] T1053.005 [('CosmicDuke', 'uses', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'named', '" Watchmon Service "')] T1053.005 [('One persistence mechanism', 'used')] T1053.005 [('Crutch', 'has', 'the ability'), ('the ability', 'using', 'tasks'), ('the ability', 'using', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('CSPY Downloader', 'bypass', 'the schtasks utility'), ('CSPY Downloader', 'bypass', 'UAC')] T1053.005 [('tasks', 'scheduled'), ('accounts', 'created')] OBJS_ credentials T1053.005 [('Adversaries', 'instruct', 'Duqu'), ('it', 'enumerated', 'legitimate credentials'), ('it', 'obtained', 'legitimate credentials')] T1053.005 [('The remote host', 'infected'), ('the credentials', 'compromised'), ('the malware', 'execute', 'remote machines')] T1053.005 [('Dyre', 'has', 'the ability'), ('the ability', 'achieve', 'persistence'), ('the ability', 'adding', 'a new task'), ('the ability', 'run')] T1053.005 [('Emotet', 'maintained', 'persistence'), ('a task', 'scheduled')] T1053.005 [('Empire', 'has', 'modules'), ('modules', 'interact')] T1053.005 [('EvilBunny', 'executed', 'commands'), ('tasks', 'scheduled')] T1053.005 [('FIN10', 'established', 'persistence')] T1053.005 [('FIN6', 'establish', 'tasks'), ('FIN6', 'establish', 'persistence for various malware'), ('tasks', 'scheduled'), ('it', 'uses'), ('downloaders', 'known')] T1053.005 [('FIN7 malware', 'created', 'tasks'), ('tasks', 'scheduled')] T1053.005 
[('FIN8', 'maintain', 'tasks'), ('FIN8', 'maintain', 'RDP backdoors'), ('tasks', 'scheduled')] T1053.005 [('Fox Kitten', 'used', 'Scheduled Tasks')] T1053.005 [('Frankenstein', 'established', 'persistence'), ('a task', 'scheduled'), ('a task', 'using', 'the command')] T1053.005 [('GALLIUM', 'established', 'persistence for'), ('a task', 'scheduled')] T1053.005 [('Gamaredon Group', 'created', 'a task'), ('a task', 'scheduled'), ('a task', 'launch', 'an executable')] T1053.005 [('Gazer', 'establish', 'persistence'), ('a task', 'scheduled')] T1053.005 [('GoldMax', 'maintain', 'tasks'), ('GoldMax', 'maintain', 'persistence'), ('tasks', 'scheduled')] T1053.005 [('Goopy', 'has', 'the ability'), ('the ability', 'maintain', 'persistence'), ('the ability', 'creating', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'set'), ('tasks', 'run')] T1053.005 [('GravityRAT', 'creates', 'a task'), ('a task', 'scheduled')] T1053.005 [('GRIFFON', 'used', 'sctasks for persistence')] T1053.005 [('Helminth', 'used', 'a task for persistence'), ('a task for', 'scheduled')] OBJS_ officeupdate.exe T1053.005 [('Higaisa', 'dropped', 'officeupdate.exe'), ('tasks', 'scheduled')] T1053.005 [('HotCroissant', 'install', 'a Maintenance64\x9d')] T1053.005 [('IcedID', 'created', 'a task'), ('a task', 'scheduled'), ('a task', 'executes'), ('a task', 'establish', 'persistence')] T1053.005 [('InvisiMole', 'used', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'named', 'MSST')] T1053.005 [('a task XML file', 'run', 'IronNetInjector'), ('an IronPython script', 'run', 'IronNetInjector'), ('mssch.xml', 'name', 'a task XML file'), ('a user', 'logs'), ('specific system events', 'created')] T1053.005 [('ISMInjector', 'creates', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('JHUHUGIT', 'registered', 'itself'), ('a scheduled task', 'run'), ('the current user', 'logs')] T1053.005 [('Lucifer', 'established', 'persistence'), ('the following schtasks', 'scheduled')] T1053.005 [('Windows Task Scheduler', 'execute', 'The 
different components of')] T1053.005 [('Machete', 'created', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('Matryoshka', 'establish', 'persistence')] T1053.005 [('Maze', 'created', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'launch', 'name variants as'), ('tasks', 'launch', 'Maze'), ('tasks', 'launch', 'Maze')] T1053.005 [('MCMD', 'use', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('menuPass', 'execute', 'a script ( atexec.py )'), ('menuPass', 'execute', 'a command')] T1053.005 [('Molerats', 'created', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'run', 'VBScripts')] T1053.005 [('MuddyWater', 'establish', 'tasks'), ('MuddyWater', 'establish', 'persistence'), ('tasks', 'scheduled')] T1053.005 [('Mustang Panda', 'created', 'a task'), ('a task', 'scheduled')] T1053.005 [('NETWIRE', 'create', 'a task'), ('a task', 'scheduled')] T1053.005 [('NotPetya', 'creates', 'a task'), ('a task', 'reboot', 'the system')] T1053.005 [('OilRig', 'created', 'tasks'), ('tasks', 'scheduled'), ('tasks', 'run', 'a VBScript'), ('tasks', 'execute', 'a payload on victim machines')] T1053.005 [('Okrum installer', 'achieve', 'persistence'), ('a task', 'scheduled')] T1053.005 [('OopsIE', 'creates', 'a task'), ('a task', 'scheduled'), ('a task', 'run', 'itself')] T1053.005 [('Operation Wocao', 'execute', 'tasks'), ('Operation Wocao', 'execute', 'malicious PowerShell code'), ('tasks', 'scheduled')] T1053.005 [('A Patchwork file stealer', 'run', 'a TaskScheduler DLL')] T1053.005 [('a Scheduled Task / Job', 'establish', 'PowerSploit UserPersistenceOption Persistence argument')] T1053.005 [('POWERSTATS', 'established', 'persistence'), ('a task', 'scheduled'), ('a task', 'using', 'the command\x9dC:\\Windows\\system32\\schtasks.exe\x9d')] T1053.005 [('POWRUNER', 'persists'), ('a task', 'scheduled'), ('a task', 'executes', 'it')] T1053.005 [('schedules tasks', 'invoke', 'its components'), ('order', 'establish', 'persistence')] T1053.005 [('QUADAGENT', 'creates', 'a task'), ('a task', 'scheduled'), ('a 
task', 'maintain', 'persistence on the victimmachine')] T1053.005 [('QuasarRAT', 'contains', 'a wrapper DLL'), ('tasks', 'managing'), ('tasks', 'scheduled')] T1053.005 [('Ramsay', 'schedule', 'tasks')] T1053.005 [('Rancor', 'launched', 'a task'), ('a task', 'scheduled'), ('persistence', 'using', 'the schtasks')] T1053.005 [('Remexi', 'utilizes', 'tasks'), ('tasks', 'scheduled')] T1053.005 [('RemoteCMD', 'execute', 'commands')] T1053.005 [('RAT schedules tasks', 'run', 'malicious scripts')] T1053.005 [('RTM', 'add', 'a task'), ('a task', 'scheduled')] T1053.005 [('Ryuk', 'create', 'a task'), ('a task', 'scheduled'), ('a task', 'execute', 'itself')] T1053.005 [('tasks on a Windows system', 'schedule', 'schtasks')] T1053.005 [('ServHelper', 'contains', 'modules'), ('modules', 'carry', 'schtasks'), ('modules', 'carry', 'malicious operations'), ('modules', 'carry', 'malicious operations')] T1053.005 [('Shamoon', 'copies', 'an executable payload to the target system')] T1053.005 [('SharpStage', 'has', 'a persistence component'), ('a persistence component', 'write', 'a task for the payload'), ('a task for', 'scheduled')] T1053.005 [('a task', 'execute', 'Sibot'), ('a task', 'scheduled')] T1053.005 [('Silence', 'stage', 'tasks'), ('Silence', 'stage', 'its operation'), ('tasks', 'scheduled')] T1053.005 [('Smoke Loader', 'launches', 'a task'), ('a task', 'scheduled')] T1053.005 [('SoreFang', 'gain', 'persistence'), ('tasks', 'scheduled')] T1053.005 [('SQLRat', 'created', 'tasks in %'), ('tasks in', 'scheduled')] T1053.005 [('Falcon malware', 'execute', 'a entitledIE Web Cache\x9d'), ('Falcon malware', 'execute', 'a malicious file'), ('a entitledIE Web Cache\x9d', 'scheduled')] T1053.005 [('TEMP.Veles', 'used', 'triggers'), ('triggers', 'scheduled')] T1053.005 [('TrickBot', 'creates', 'a task on the system'), ('a task on', 'scheduled'), ('the system', 'provides', 'persistence')] T1053.005 [('UNC2452', 'create', 'scheduler'), ('UNC2452', 'create', 'new tasks'), ('UNC2452', 
'create', 'schtasks')] T1053.005 [('They', 'manipulated', 'tasks'), ('tasks', 'scheduled'), ('an task', 'existing'), ('the task', 'scheduled')] T1053.005 [('UNC2452', 'created', 'a task'), ('a task', 'scheduled'), ('the host', 'booted')] T1053.005 [('Valak', 'execute', 'tasks'), ('Valak', 'execute', 'additional payloads'), ('tasks', 'scheduled'), ('a host', 'compromised')] T1053.005 [('Wizard Spider', 'establish', 'tasks'), ('Wizard Spider', 'establish', 'persistence for'), ('tasks', 'scheduled')] T1053.005 [('a task with the command SchTasks', 'scheduled')] T1053.005 [('Zebrocy', 'has', 'a command'), ('a command', 'create', 'a task for persistence'), ('a task for', 'scheduled')] T1053.005 [('zwShell', 'used', 'SchTasks')] T1053.005 [('Powershell Cmdlet', 'scheduled', 'Task')] T1053.006 [('Threat actors as', 'schedule', 'malicious activity')] T1053.006 [('Cryptocurrency miners', 'schedule', 'the systemd timers'), ('Cryptocurrency miners', 'schedule', 'the activation of the clipper')] T1053.006 [('Eastern threat actors', 'embed', 'malicious macros'), ('Eastern threat actors', 'embed', '356 documents'), ('356 documents', 'exploit', 'systemd'), ('execution', 'repeated')] T1053.006 [('CobaltStrike', 'possesses', 'the ability'), ('the ability', 'communicate'), ('the systemctl', 'schedule', 'tasks'), ('tasks', 'repeated')] T1053.006 [('FIN6', 'exfiltrate', 'systemd'), ('FIN6', 'exfiltrate', 'data')] T1053.007 [('Ensure containers', '!running')] T1053.007 [('only administrators', 'authorized')] T1053.007 [('Threat actors', 'create', 'clusters of containers')] T1053.007 [('Ransomware as', 'utilize', 'containers'), ('containers', 'schedule', 'the execution of the encryption payload')] T1053.007 [('APT23', 'execute', 'container creation programs as Kubernetes'), ('APT23', 'execute', 'malicious code')] T1055.001 [('Aria - body', 'has', 'the ability'), ('the ability', 'inject', 'itself')] T1055.001 [('BlackEnergy', 'injects', 'its DLL component')] T1055.001 [('Carberp 
bootkit', 'inject', 'a malicious DLL')] T1055.001 [('Carbon', 'has', 'a command'), ('a command', 'inject', 'code')] T1055.001 [('Cobalt Strike', 'has', 'the ability'), ('the ability', 'load', 'DLLs')] T1055.001 [('ComRAT', 'injected', 'its orchestrator DLL')] T1055.001 [('its communications module', 'inject', 'ComRAT'), ('victim default browser', 'inject', 'ComRAT'), ('less suspicious', 'appear', 'C2 connections'), ('the browser process', 'initiate', 'all network connections')] T1055.001 [('Conti', 'loaded', 'an encrypted DLL')] T1055.001 [('Derusbi', 'injects', 'itself')] T1055.001 [('Duqu', 'inject', 'itself')] T1055.001 [('the security software', 'influence', 'The selection of the target process'), ('the system', 'instal', 'the security software'), ('different processes', 'inject', 'Duqu'), ('the infected host', 'instal', 'which security suite')] T1055.001 [('Dyre', 'load', 'modules')] T1055.001 [('Elise', 'injects', 'DLL files')] T1055.001 [('Emissary', 'injects', 'its DLL file'), ('a process', 'spawned')] T1055.001 [('Explorer.exe', 'inject', 'Emotet'), ('other processes', 'inject', 'Emotet')] T1055.001 [('FinFisher', 'injects', 'itself')] T1055.001 [('Get2', 'has', 'the ability'), ('the ability', 'inject', 'DLLs')] T1055.001 [('HIDEDRV', 'injects', 'a DLL for')] T1055.001 [('IronNetInjector', 'has', 'the ability'), ('the ability', 'inject', 'a DLL'), ('running processes', 'including')] T1055.001 [('a DLL', 'save', 'Kazuar'), ('the explorer.exe process', 'inject', 'a DLL')] T1055.001 [('Kazuar', 'configured')] T1055.001 [('Koadic', 'perform', 'process injection')] T1055.001 [('A Group malware sample', 'performs', 'reflective DLL injection')] T1055.001 [('Matryoshka', 'inject', 'reflective DLL injection'), ('Matryoshka', 'inject', 'the malicious library')] T1055.001 [('Maze', 'injected', 'the malware DLL')] T1055.001 [('MegaCortex', 'loads', 'injecthelper.dll'), ('a process', 'created')] T1055.001 [('Metamorfo', 'injected', 'a malicious DLL')] T1055.001 [('the 
memory of a legitimate running process', 'inject', 'Netwalker DLL')] T1055.001 [('PipeMon', 'inject', 'its modules')] T1055.001 [('PoisonIvy', 'inject', 'a malicious DLL')] T1055.001 [('PowerSploit', 'contains', 'a collection of'), ('a collection of', 'modules', 'that code')] T1055.001 [('Pupy', 'migrate')] T1055.001 [('An executable', 'dropped'), ('a process', 'accessing', 'the network'), ('the network', 'including')] T1055.001 [('Ramsay', 'deploy', 'ImprovedReflectiveDLLInjection'), ('Ramsay', 'deploy', 'components')] T1055.001 [('the system', '!drop', 'Thisdownloaded\x9d file')] T1055.001 [('RATANKBA', 'performs', 'a reflective DLL injection'), ('a reflective DLL injection', 'using', 'a pid'), ('a pid', 'given')] T1055.001 [('Remsec', 'perform', 'DLL injection')] T1055.001 [('SDBbot', 'has', 'the ability'), ('the ability', 'inject', 'a DLL'), ('the ability', 'downloaded'), ('a process', 'created')] T1055.001 [('ShadowPad', 'injected', 'a DLL')] T1055.001 [('Socksbot', 'creates', 'a process'), ('a process', 'suspended')] T1055.001 [('Sykipot', 'injects', 'itself'), ('instances of', 'running')] T1055.001 [('a DLL', 'inject', 'TA505'), ('winword.exe', 'inject', 'TA505')] T1055.001 [('TajMahal', 'has', 'the ability'), ('the ability', 'inject', 'DLLs')] T1055.001 [('Tropic Trooper', 'injected', 'a DLL backdoor')] T1055.001 [('Turla', 'perform', 'Metasploit'), ('Turla', 'perform', 'reflective DLL injection'), ('order', 'escalate', 'privileges')] T1055.001 [('Wizard Spider', 'injected', 'malicious DLLs'), ('read write', 'execute', 'permissions')] T1055.001 [('a process', 'inject', 'ZxShell'), ('a process', 'shared')] T1055.002 [('Carbanak', 'downloads', 'an executable')] T1055.002 [('Group malware', 'download', 'a remote access tool ShiftyBug')] T1055.002 [('GreyEnergy', 'has', 'a module'), ('a module', 'inject', 'a PE binary')] T1055.002 [('InvisiMole', 'inject', 'its backdoor')] T1055.002 [('PowerSploit', 'loads', 'a Windows PE file')] T1055.002 [('Rocke miner 
TermsHost.exe "', 'evaded', 'defenses')] T1055.002 [('they', 'meet', 'the necessary requirements'), ('it', 'injects')] T1055.003 [('Gazer', 'performs', 'execution hijacking'), ('a thread from a remote process', 'running')] T1055.003 [('Karagany', 'inject', 'a thread of its own process'), ('a thread of', 'suspended')] T1055.003 [('Waterbear', 'use', 'thread injection')] T1055.003 [('APT13', 'employs', 'the technique of injection hijacking'), ('the technique of', 'execute', 'malicious code')] T1055.004 [('Attor', 'performs', 'the injection')] T1055.004 [('Carberp', 'queued', 'an APC routine')] T1055.004 [('IcedID', 'inject', 'ZwQueueApcThread'), ('IcedID', 'inject', 'itself')] T1055.004 [('InvisiMole', 'inject', 'its code'), ('a process', 'trusted')] T1055.004 [('Pillowmint', 'used', 'the NtQueueApcThread')] T1055.004 [('a process', 'created')] T1055.005 [('Ursnif', 'injected', 'code')] T1055.005 [('The MAZE ransomware', 'evade', 'detection')] T1055.005 [('Diavol Ransomware', 'escalate', 'it privileges')] T1055.005 [('FIN13', 'evades', 'detection'), ('the ability', 'inject', 'code')] T1055.005 [('Bazar Ransomware', 'escalates')] T1055.008 [('Malware inject malicious code into via ptrace system', 'elevate', 'privilages'), ('Malware inject malicious code into via', 'elevate', 'defenses'), ('defenses', 'evade'), ('defenses', 'based')] T1055.008 [('attackers', 'get', 'access to process memory , resources')] T1055.008 [('Campaign', 'uses', 'Ptrace call injection for'), ('Ptrace call injection for', 'executing', 'malicious code'), ('a process', 'trusted')] T1055.008 [('Malware', 'elevate', 'ptrace'), ('Malware', 'elevate', 'privilage')] T1055.008 [('Infostealer', 'dump', 'ptrace'), ('Infostealer', 'dump', 'authentication'), ('authentication', 'token')] T1055.009 [('Attacker', 'execute', 'Proc memory injection'), ('Attacker', 'execute', 'malicious code')] T1055.009 [('Malware', 'overwrites'), ('the target processes', 'using', 'memory mappings'), ('memory mappings', 
'provided')] T1055.009 [('Malware', 'enumerates', 'the memory of a process via')] T1055.009 [('Attackers', 'use')] T1055.009 [('filesystem to overwrite memory of legitimate process', 'perform', 'malicious activity')] T1055.009 [('detection', 'run', 'Malicious code'), ('ROP payloads', 'run', 'Malicious code'), ('/proc filesystem', 'use', 'detection')] T1055.011 [('Epic', 'overwritten', 'the function pointer'), ('order', 'execute', 'malicious code')] OBJS_ programming T1055.011 [('ExplorerShell_TrayWnd', 'overwrite', 'Power Loader'), ('extra window memory', 'overwrite', 'Power Loader'), ('a NTDLL function', 'abused'), ('a programming ( ROP chain', 'assemble', 'a NTDLL function'), ('a programming ( ROP chain', 'execute', 'a NTDLL function'), ('a programming ( ROP chain', 'oriented'), ('a malicious thread', 'create', 'a NTDLL function'), ('Explorer.exe', 'create', 'a NTDLL function')] T1055.011 [('Korean actors', 'inject', 'arbitrary code'), ('the additional memory', 'provided')] T1055.011 [('The threat actor TEMP.Splinter', 'employs', 'the tactic of via'), ('the tactic of via', 'evade', 'detection by security software')] T1055.011 [('nexus group', 'abuse'), ('APT27', 'abuse'), ('EWM', 'inject', 'code'), ('the process', 'hijacked')] T1055.012 [('Agent Tesla', 'used', 'process')] T1055.012 [('Astaroth', 'create', 'a new process'), ('a state', 'suspended'), ('a process', 'targeted'), ('order', 'unmap', 'its memory'), ('order', 'replace', 'it')] T1055.012 [('Azorult', 'decrypt', 'the payload'), ('a new process of', 'suspended')] T1055.012 [('BADNEWS', 'has', 'a command'), ('a command', 'download', 'an .exe'), ('a command', 'use', 'process'), ('a command', 'hollowing'), ('a command', 'inject', 'it')] T1055.012 [('Bandook', 'launched')] T1055.012 [('Bazar', 'inject'), ('a target process', 'including')] T1055.012 [('msiexec.exe', 'load', 'BBSRAT'), ('process hollowing', 'load', 'BBSRAT')] T1055.012 [('Cobalt Strike', 'use', 'process')] T1055.012 [('Denis', 'performed', 
'process')] T1055.012 [('Dtrack', 'target', 'process shellcode'), ('Dtrack', 'target', '%'), ('Dtrack', 'target', 'a predefined list of processes')] T1055.012 [('Group malware', 'inject', 'process'), ('Group malware', 'inject', 'one of its trojans')] T1055.012 [('ISMInjector', 'hollows', 'process RegASM.exe'), ('a process', 'created')] T1055.012 [('Lokibot', 'used', 'process')] T1055.012 [('menuPass', 'used')] T1055.012 [('benign Microsoft executables', 'inject', 'The NETWIRE payload'), ('process hollowing', 'inject', 'The NETWIRE payload')] T1055.012 [('Some Orz versions', 'have', 'an DLL'), ('an DLL', 'embedded'), ('an DLL', 'known'), ('an DLL', 'execute', 'process hollowing'), ('an DLL', 'execute', 'another payload'), ('an DLL', 'hollowing'), ('an DLL', 'execute', 'another payload')] T1055.012 [('A Patchwork payload', 'uses', 'process')] T1055.012 [('Smoke Loader', 'spawns', 'a new copy of c:\\windows\\syswow64\\explorer.exe')] T1055.012 [('A Group-3390 tool', 'spawn', 'svchost.exe')] T1055.012 [('TrickBot', 'injects')] T1055.012 [('Ursnif', 'used', 'process')] T1055.012 [('Process Hollowing', 'using', 'PowerShell')] T1055.013 [('Bazar', 'inject')] T1055.013 [('Leafminer', 'evade', 'Process Doppelgänging'), ('Leafminer', 'evade', 'security software'), ('systems', 'compromised')] T1055.013 [('SynAck', 'abuses', 'NTFS transactions')] T1055.013 [('Adversaries', 'inject', 'malicious code'), ('defenses', 'based')] T1055.013 [('a method of', 'executing', 'arbitrary code')] T1055.014 [('an attacker', 'exploits', 'this vulnerability')] T1055.014 [('Malware', 'performs', 'VDSO hijacking'), ('calls', 'linked', 'libraries'), ('libraries', 'shared'), ('calls', 'run', 'malicious code')] OBJS_ object T1055.014 [('adversary', 'hijack', 'code stubs'), ('code stubs', 'mapped'), ('the object', 'shared'), ('code stubs', 'execute', 'syscalls'), ('code stubs', 'open', 'a malicious object'), ('code stubs', 'map', 'a malicious object'), ('a malicious object', 'shared')] T1055.014 
[('detection from security products', 'evade', 'Execution via VDSO hijacking'), ('a legitimate process', 'mask', 'the execution')] T1055.014 [('order', 'evade', 'defenses'), ('defenses', 'based'), ('order', 'elevate', 'privileges')] T1056.001 [('ADVSTORESHELL', 'perform', 'keylogging')] T1056.001 [('Agent Tesla', 'log', 'keystrokes')] T1056.001 [('Security Team', 'used', 'CWoolger malware'), ('CWoolger malware', 'developed'), ('which', 'recorded', 'all keystrokes')] T1056.001 [('APT28', 'perform', 'tools'), ('APT28', 'perform', 'keylogging')] T1056.001 [('APT3', 'used', 'a keylogging tool'), ('a keylogging tool', 'records', 'keystrokes in encrypted files')] T1056.001 [('APT32', 'abused', 'the PasswordChangeNotify')] T1056.001 [('APT38', 'capture', 'a Trojan'), ('APT38', 'capture', 'keystrokes')] T1056.001 [('APT39', 'used', 'tools')] T1056.001 [('APT41', 'used', 'a keylogger'), ('a keylogger', 'called', 'GEARSHIFT')] T1056.001 [('Astaroth', 'logs', 'keystrokes')] T1056.001 [('One of Attor plugins', 'collect', 'user credentials'), ('keystrokes', 'pressed'), ('the process', 'injected')] T1056.001 [('BabyShark', 'has', 'a ability'), ('a ability', 'based'), ('a ability', 'implement', 'a PowerShell keylogger'), ('a PowerShell keylogger', 'based')] T1056.001 [('it', 'starts', 'BADNEWS'), ('a new thread', 'log', 'keystrokes')] T1056.001 [('BadPatch', 'has', 'a keylogging capability')] T1056.001 [('Bandook', 'contains', 'keylogging capabilities')] T1056.001 [('BISCUIT', 'capture', 'keystrokes')] T1056.001 [('BlackEnergy', 'run', 'a keylogger plug - in')] T1056.001 [('Cadelspy', 'has', 'the ability'), ('the ability', 'log', 'keystrokes'), ('the host', 'compromised')] T1056.001 [('Carbanak', 'logs', 'key strokes for processes'), ('processes', 'configured')] T1056.001 [('Cardinal RAT', 'log', 'keystrokes')] T1056.001 [('Catchamas', 'collects', 'keystrokes from the victimmachine')] T1056.001 [('Cobalt Strike', 'track', 'key presses')] T1056.001 [('Cobian RAT', 'has', 'a 
feature'), ('a feature', 'perform', 'keylogging on the victimmachine')] T1056.001 [('CosmicDuke', 'uses', 'a keylogger')] T1056.001 [('DarkComet', 'has', 'a keylogging capability')] T1056.001 [('Darkhotel', 'used', 'a keylogger')] T1056.001 [('Daserf', 'log', 'keystrokes')] T1056.001 [('Dtrackdropper', 'contains', 'a keylogging executable')] T1056.001 [('Duqu', 'track', 'key presses')] T1056.001 [('DustySky', 'contains', 'a keylogger')] OBJS_ keystrokes T1056.001 [('ECCENTRICBANDWAGON', 'capture', 'keystrokes')] T1056.001 [('Empire', 'keylogging', 'capabilities for Linux systems')] T1056.001 [('EvilGrab', 'has', 'the capability'), ('the capability', 'capture', 'keystrokes')] T1056.001 [('Explosive', 'leveraged', 'its keylogging capabilities')] T1056.001 [('FakeM', 'contains', 'a keylogger module')] T1056.001 [('FIN4', 'captured', 'credentials'), ('a keylogger', 'based')] T1056.001 [('Fysbis', 'perform', 'keylogging')] T1056.001 [('gh0st RAT', 'has', 'a keylogger')] T1056.001 [('Grandoreiro', 'log', 'keystrokes')] T1056.001 [('GreyEnergy', 'has', 'a module'), ('a module', 'harvest', 'keystrokes'), ('keystrokes', 'pressed')] T1056.001 [('The executable version of', 'has', 'a module'), ('a module', 'log', 'keystrokes')] T1056.001 [('Imminent Monitor', 'has', 'a keylogging module')] T1056.001 [('InvisiMole', 'capture', 'keystrokes'), ('a host', 'compromised')] T1056.001 [('JPIN', 'contains', 'a custom keylogger')] T1056.001 [('jRAT', 'has', 'the capability'), ('the capability', 'log', 'keystrokes')] T1056.001 [('Kasidet', 'has', 'the ability'), ('the ability', 'initiate', 'keylogging')] T1056.001 [('Ke3chang', 'used', 'keyloggers')] T1056.001 [('KeyBoy', 'installs', 'a keylogger')] T1056.001 [('Kimsuky', 'used', 'a keylogger'), ('a keylogger', 'based')] T1056.001 [('Kivars', 'has', 'the ability'), ('the ability', 'initiate', 'keylogging on the infected host')] T1056.001 [('KONNI', 'has', 'the capability'), ('the capability', 'perform', 'keylogging')] T1056.001 
[('Lazarus Group KiloAlfa', 'contains', 'keylogging functionality')] T1056.001 [('Lokibot', 'has', 'the ability'), ('the ability', 'capture', 'input on the host'), ('the host', 'compromised')] T1056.001 [('Machete', 'logs', 'keystrokes')] T1056.001 [('MacSpy', 'captures', 'keystrokes')] T1056.001 [('Hound malware', 'is')] T1056.001 [('Matryoshka', 'is')] T1056.001 [('menuPass', 'steal', 'key loggers'), ('menuPass', 'steal', 'usernames'), ('menuPass', 'steal', 'passwords')] T1056.001 [('Metamorfo', 'has', 'a command'), ('a command', 'launch', 'a keylogger')] T1056.001 [('Micropsia', 'has', 'keylogging capabilities')] T1056.001 [('MoonWind', 'has', 'a keylogger')] T1056.001 [('NanoCore', 'perform', 'keylogging on the victimmachine')] T1056.001 [('NavRAT', 'logs', 'the keystrokes'), ('the system', 'targeted')] T1056.001 [('NetTraveler', 'contains', 'a keylogger')] T1056.001 [('NETWIRE', 'perform', 'keylogging')] T1056.001 [('OilRig', 'used', 'keylogging tools'), ('keylogging tools', 'called', 'KEYPUNCH')] T1056.001 [('a keylogger tool', 'use', 'Okrum')] T1056.001 [('Operation Wocao', 'obtained', 'the password for victim password manager')] T1056.001 [('OwaAuth captures', 'writing', 'the username'), ('the username', 'password')] T1056.001 [('PLATINUM', 'used', 'several different keyloggers')] T1056.001 [('PlugX', 'has', 'a module for'), ('a module for', 'capturing', 'keystrokes'), ('process', 'including')] T1056.001 [('PoetRAT', 'used', 'a Python tool'), ('a Python tool', 'named', 'klog.exe')] T1056.001 [('PoisonIvy', 'contains', 'a keylogger')] T1056.001 [('PoshC2', 'has', 'modules for keystroke logging'), ('keystroke logging', 'capturing', 'credentials'), ('messages', 'spoofed')] T1056.001 [('PowerSploit Exfiltration module', 'log', 'keystrokes')] T1056.001 [('Prikormka', 'contains', 'a keylogger module'), ('Prikormka', 'contains', 'the titles of foreground windows'), ('a keylogger module', 'collects', 'keystrokes')] T1056.001 [('Proton', 'capture', 'a keylogger'), 
('Proton', 'capture', 'keystrokes')] T1056.001 [('a keylogger', 'use', 'Pupy'), ('it', 'stopped')] T1056.001 [('QuasarRAT', 'has', 'a keylogger'), ('a keylogger', 'built')] T1056.001 [('Regin', 'contains', 'a keylogger')] T1056.001 [('Remcos', 'has', 'a command for keylogging')] T1056.001 [('Remsec', 'contains', 'a keylogger component')] T1056.001 [('Revenge RAT', 'has', 'a plugin for keylogging')] T1056.001 [('ROKRAT', 'capture', 'a keylogger'), ('ROKRAT', 'capture', 'keystrokes'), ('ROKRAT', 'capture', 'location'), ('the user', 'typing')] T1056.001 [('Rover', 'keylogging', 'functionality')] T1056.001 [('RTM', 'record', 'keystrokes')] T1056.001 [('Sandworm Team', 'capture', 'a keylogger'), ('Sandworm Team', 'capture', 'keystrokes')] T1056.001 [('SLOTHFULMEDIA', 'has', 'a keylogging capability')] T1056.001 [('Sowbug', 'used', 'keylogging tools')] T1056.001 [('SslMM', 'creates', 'a new thread'), ('a new thread', 'implementing', 'a keylogging facility'), ('a keylogging facility', 'using', 'Windows Keyboard Accelerators')] T1056.001 [('Stolen Pencil', 'has', 'a tool'), ('a tool', 'log', 'keystrokes'), ('a tool', '%', 'userprofile%\\appdata\\roaming\\apach.{txt log')] T1056.001 [('Sykipot', 'contains', 'keylogging functionality'), ('keylogging functionality', 'steal', 'passwords')] T1056.001 [('TajMahal', 'has', 'the ability'), ('the ability', 'capture', 'keystrokes')] T1056.001 [('ThiefQuest', 'perform', 'the CGEventTap functions'), ('ThiefQuest', 'perform', 'keylogging')] T1056.001 [('Group-3390 actors', 'installed', 'a credential logger on Exchange servers')] T1056.001 [('Threat Group-3390', 'leveraged', 'the reconnaissance framework ScanBox'), ('the reconnaissance framework ScanBox', 'capture', 'keystrokes')] T1056.001 [('TinyZBot', 'contains', 'keylogger functionality')] T1056.001 [('Karagany', 'capture', 'keystrokes'), ('a host', 'compromised')] T1056.001 [('keystrokes', 'recording')] T1056.001 [('VERMIN', 'collects', 'keystrokes from the victim machine')] 
T1056.001 [('XAgentOSX', 'contains', 'keylogging functionality'), ('keylogging functionality', 'monitor'), ('keylogging functionality', 'write', 'them'), ('it', 'handle', 'special characters'), ('it', 'buffer')] T1056.001 [('yty', 'gather', 'a keylogger plugin'), ('yty', 'gather', 'keystrokes')] T1056.001 [('Zeus Panda', 'perform', 'keylogging on the victimmachine')] T1056.001 [('ZxShell', 'has', 'a feature'), ('a feature', 'capture', 'computer keystrokes'), ('a feature', 'using', 'a keylogger')] T1056.001 [('keylogger', 'based')] T1056.001 [('keylogger', 'sshd')] T1056.002 [('Bundlore', 'prompts', 'the user')] T1056.002 [('Calisto', 'presents', 'an input prompt'), ('an input prompt', 'asking')] T1056.002 [('Dok', 'prompts', 'the user for credentials')] T1056.002 [('FIN4', 'presented', 'victims'), ('prompts', 'spoofed')] T1056.002 [('iKitten', 'prompts', 'the user')] T1056.002 [('Keydnap', 'prompts', 'the users for credentials')] T1056.002 [('Metamorfo', 'displayed', 'fake forms')] T1056.002 [('Proton', 'prompts', 'users')] T1056.003 [('Adversaries', 'install', 'code'), ('portals , as a login page', 'facing'), ('who', 'attempt'), ('credentials of users', 'log')] T1056.003 [('the login pages', 'enables'), ('them', 'steal', 'employee credentials'), ('they', 'access', 'internal corporate resources'), ('the login pages', 'access', 'internal corporate resources')] T1056.003 [('A vulnerability in the VPN customization framework', 'allow'), ('an unauthenticated , remote attacker', 'modify', 'the content of the Clientless SSL VPN portal ,'), ('which', 'lead'), ('several attacks', 'including'), ('other types of web attacks on the client', 'using', 'the affected system')] T1056.003 [('pages', 'phishing'), ('pages', 'mimicking', 'financial sites')] OBJS_ pages T1056.003 [('Threat actors', 'sold', 'pages'), ('pages', 'phishing'), ('pages', 'mimicking', 'government'), ('pages', 'mimicking', 'e')] T1056.004 [('Carberp', 'hooked', 'several Windows API functions')] T1056.004 
[('Empire', 'contains', 'some modules'), ('some modules', 'hooking'), ('some modules', 'carry', 'tasks as')] T1056.004 [('hooks processes by to .', 'modifying', 'IAT pointers')] T1056.004 [('NOKKI', 'uses', 'the Windows call'), ('NOKKI', 'uses', 'SetWindowsHookEx'), ('every GUI process', 'running')] T1056.004 [('RDFSNIFFER', 'hooks', 'Win32 API functions')] T1056.004 [('TrickBot', 'has', 'the ability'), ('the ability', 'capture', 'RDP credentials'), ('the ability', 'capturing', 'the CredEnumerateA API')] T1056.004 [('Ursnif', 'perform', 'APIs'), ('Ursnif', 'perform', 'a wide variety of as'), ('a wide variety of as', 'monitoring', 'traffic')] T1056.004 [('an Windows hook', 'install', 'Zebrocy'), ('an Windows hook', 'defined'), ('an Windows hook', 'notified'), ('a network drive', 'attached'), ('the hook', 'call', 'it'), ('its method', 'call', 'it'), ('its method', 'stealing')] T1056.004 [('hooks processes by .', 'leveraging', 'its own IAT functions'), ('its own IAT functions', 'hooked')] T1056.004 [('ZxShell', 'spawn', 'several API functions'), ('ZxShell', 'spawn', 'system threads')] T1057 [('Process', 'get')] T1057 [('Process Discovery - wmiObject', 'get')] T1059.001 [('APT28 downloads', 'executes', 'PowerShell scripts'), ('APT28 downloads', 'performs', 'PowerShell commands')] OBJS_ SeaDuke T1059.001 [('APT29', 'used', 'scripts'), ('scripts', 'encoded'), ('scripts', 'uploaded'), ('scripts', 'download', 'SeaDuke'), ('scripts', 'install', 'SeaDuke')] T1059.001 [('APT29', 'create', 'PowerShell'), ('APT29', 'create', 'new tasks on remote machines'), ('settings evade defenses', 'exfiltrate', 'data')] T1059.001 [('APT3', 'used', 'PowerShell')] T1059.001 [('APT32', 'used', 'tools'), ('tools', 'based')] T1059.001 [('APT33', 'download', 'PowerShell'), ('APT33', 'download', 'files')] T1059.001 [('APT39', 'execute', 'PowerShell'), ('APT39', 'execute', 'malicious code')] T1059.001 [('AutoIt backdoor', 'downloads', 'a PowerShell script'), ('a PowerShell script', 'decodes')] 
T1059.001 [('Bazar', 'execute', 'a PowerShell script'), ('a PowerShell script', 'received')] T1059.001 [('BloodHound', 'pull', 'PowerShell'), ('BloodHound', 'pull', 'Directory information')] T1059.001 [('Blue Mockingbird', 'issue', 'PowerShell'), ('Blue Mockingbird', 'issue', 'reverse TCP shells'), ('Blue Mockingbird', 'issue', 'interactive commands')] T1059.001 [('PowerShell', 'write', 'BONDUPDATER')] T1059.001 [('BRONZE BUTLER', 'used', 'PowerShell')] T1059.001 [('Chimera', 'execute', 'PowerShell scripts'), ('Chimera', 'execute', 'malicious payloads'), ('Chimera', 'execute', 'the DSInternals PowerShell module')] T1059.001 [('Cobalt Group', 'used', 'powershell.exe')] T1059.001 [('Cobalt Strike', 'execute', 'a payload')] T1059.001 [('This technique', '!write', 'any data'), ('any data', 'disk')] T1059.001 [('Cobalt Strike', 'perform', 'PowerSploit'), ('Cobalt Strike', 'perform', 'execution'), ('Cobalt Strike', 'perform', 'other scripting frameworks')] T1059.001 [('ComRAT', 'load', 'PowerShell'), ('ComRAT', 'load', 'itself'), ('a user', 'logs')] T1059.001 [('ComRAT', 'execute', 'PowerShell scripts'), ('PowerShell scripts', 'loaded')] T1059.001 [('PowerShell commands', 'execute', 'ConnectWise'), ('target machines', 'execute', 'ConnectWise')] T1059.001 [('CopyKittens', 'used', 'PowerShell Empire')] T1059.001 [('CrackMapExec', 'execute', 'PowerShell commands')] T1059.001 [('DarkHydrus', 'leveraged', 'PowerShell')] T1059.001 [('DarkVishnya', 'create', 'PowerShell'), ('DarkVishnya', 'create', 'shellcode loaders')] T1059.001 [('Deep Panda', 'used', 'PowerShell scripts')] T1059.001 [('Denis', 'has', 'a version'), ('a version', 'written')] T1059.001 [('DownPaper', 'uses', 'PowerShell')] T1059.001 [('Egregor', 'used', 'an command'), ('an command', 'encoded'), ('a service', 'created')] T1059.001 [('Emotet', 'retrieve', 'Powershell'), ('Emotet', 'retrieve', 'the malicious payload')] T1059.001 [('Empire', 'leverages', 'PowerShell')] T1059.001 [('Empire', 'contains', 'the 
ability'), ('the ability', 'conduct', 'PowerShell'), ('the ability', 'remoting')] T1059.001 [('FatDuke', 'has', 'the ability'), ('the ability', 'execute', 'PowerShell scripts')] T1059.001 [('FIN10', 'establish', 'PowerShell'), ('FIN10', 'establish', 'persistence')] OBJS_ shellcode T1059.001 [('FIN6', 'gain', 'PowerShell'), ('FIN6', 'gain', 'access to merchant networks'), ('a PowerShell module', 'download', 'shellcode'), ('a PowerShell module', 'execute', 'shellcode'), ('a PowerShell module', 'set', 'a local listener')] T1059.001 [('FIN7', 'used', 'a PowerShell script'), ('FIN7 used script to', 'retrieved', 'an additional payload')] T1059.001 [('PowerShell', 'execute', 'FIN8 malicious spearphishing payloads')] T1059.001 [('FIN8', 'used', 'PowerShell')] T1059.001 [('Fox Kitten', 'access', 'PowerShell scripts'), ('Fox Kitten', 'access', 'credential data')] T1059.001 [('Frankenstein', 'run', 'PowerShell'), ('Frankenstein', 'run', 'a series of commands'), ('commands', 'encoded'), ('commands', 'acted'), ('hosts', 'enumerated')] T1059.001 [('GALLIUM', 'used', 'PowerShell'), ('credentials', 'stored'), ('machines', 'compromised')] T1059.001 [('Gallmaker', 'download', 'PowerShell'), ('Gallmaker', 'download', 'additional payloads')] OBJS_ scripts T1059.001 [('GOLD SOUTHFIELD', 'staged', 'PowerShell scripts'), ('hosts', 'compromised')] T1059.001 [('Group malware', 'use', 'PowerShell commands')] T1059.001 [('GRIFFON', 'execute', 'PowerShell'), ('GRIFFON', 'execute', 'the Meterpreter downloader TinyMet')] T1059.001 [('HAFNIUM', 'export', 'mailbox data'), ('module Set - OabVirtualDirectoryPowerShell', 'export', 'mailbox data')] T1059.001 [('HALFBAKED', 'execute', 'PowerShell scripts')] T1059.001 [('PowerShell', 'use', 'HAMMERTOSS')] T1059.001 [('Hancitor', 'execute', 'PowerShell'), ('Hancitor', 'execute', 'commands')] T1059.001 [('One version of', 'uses', 'a PowerShell script')] T1059.001 [('Inception', 'execute', 'PowerShell'), ('Inception', 'execute', 'malicious commands'), 
('Inception', 'execute', 'payloads')] T1059.001 [('Indrik Spider', 'used', 'PowerShell Empire')] T1059.001 [('JCry', 'execute', 'PowerShell'), ('JCry', 'execute', 'payloads')] T1059.001 [('KeyBoy', 'uses', 'PowerShell commands')] T1059.001 [('Kimsuky', 'executed', 'a variety of PowerShell scripts')] T1059.001 [('KONNI', 'used', 'PowerShell')] T1059.001 [('Lazarus Group', 'download', 'Powershell'), ('Lazarus Group', 'download', 'malicious payloads')] T1059.001 [('Leviathan', 'used', 'PowerShell')] T1059.001 [('Magic Hound', 'used', 'PowerShell')] T1059.001 [('menuPass', 'uses', 'PowerSploit')] T1059.001 [('MoleNet', 'set', 'PowerShell'), ('MoleNet', 'set', 'persistence')] T1059.001 [('Molerats', 'used', 'PowerShell implants')] T1059.001 [('Mosquito', 'launch', 'PowerShell Scripts')] T1059.001 [('MuddyWater', 'used', 'PowerShell')] T1059.001 [('Mustang Panda', 'enable', 'malicious PowerShell scripts'), ('Mustang Panda', 'enable', 'execution')] T1059.001 [('PowerShell', 'write', 'Netwalker'), ('detection', 'avoid', 'memory')] T1059.001 [('PowerShell script', 'execute', 'The NETWIRE binary')] T1059.001 [('OilRig', 'used', 'PowerShell scripts'), ('execution', 'including'), ('a macro', 'run', 'a PowerShell command'), ('contents', 'decode')] T1059.001 [('Operation Wocao', 'used', 'PowerShell'), ('systems', 'compromised')] T1059.001 [('OSX_OCEANLOTUS.D', 'uses', 'PowerShell scripts')] T1059.001 [('Patchwork', 'run', 'PowerSploit'), ('Patchwork', 'run', 'payloads'), ('Patchwork', 'run', 'a reverse shell'), ('payloads', 'download')] T1059.001 [('Pillowmint', 'install', 'a PowerShell script'), ('Pillowmint', 'install', 'a shim database')] T1059.001 [('Group Information Gathering Tool IGT )', 'includes', 'PowerShell components')] T1059.001 [('POSHSPY', 'execute', 'PowerShell'), ('POSHSPY', 'execute', 'various commands'), ('POSHSPY', 'execute', 'one')] T1059.001 [('a backdoor', 'written')] T1059.001 [('POWERSOURCE', 'is', 'a PowerShell backdoor')] T1059.001 [('PowerSploit 
modules', 'written')] T1059.001 [('PowerStallion', 'uses', 'PowerShell')] T1059.001 [('POWERSTATS', 'uses', 'PowerShell')] T1059.001 [('PowerShell', 'write', 'POWERTON')] T1059.001 [('PowerShell', 'write', 'POWRUNER')] T1059.001 [('PUNCHBUGGY', 'used', 'PowerShell scripts')] T1059.001 [('Pupy', 'has', 'a module for loading'), ('loading', 'executing', 'PowerShell scripts')] T1059.001 [('Pysa', 'deploy', 'Powershell scripts'), ('Pysa', 'deploy', 'its ransomware')] T1059.001 [('QUADAGENT', 'uses', 'PowerShell scripts')] T1059.001 [('There', 'is', 'a variant of'), ('a variant of', 'uses', 'a PowerShell script of form')] OBJS_ scripts T1059.001 [('RegDuke', 'extract', 'PowerShell scripts')] T1059.001 [('Revenge RAT', 'uses', 'the PowerShell command Reflection')] T1059.001 [('REvil', 'delete', 'PowerShell'), ('REvil', 'delete', 'volume shadow copies'), ('REvil', 'delete', 'download files')] T1059.001 [('RogueRobin', 'run', 'a command prompt'), ('RogueRobin', 'run', 'a PowerShell script from')] T1059.001 [('To assist in', 'creates', '%'), ('To assist in', 'creates', 'APPDATA%\\OneDrive.bat'), ('the string', 'following'), ('-exec', 'hidden')] T1059.001 [('Sandworm Team', 'run', 'PowerShell scripts'), ('Sandworm Team', 'run', 'a credential harvesting tool in memory')] T1059.001 [('SeaDuke', 'execute', 'a module'), ('SeaDuke', 'execute', 'Mimikatz with')] T1059.001 [('ServHelper', 'has', 'the ability'), ('the ability', 'execute', 'a PowerShell script'), ('the ability', 'get', 'information from the infected host')] T1059.001 [('SharpStage', 'execute', 'arbitrary commands')] T1059.001 [('SHARPSTATS', 'has', 'the ability'), ('the ability', 'employ', 'custom PowerShell script')] T1059.001 [('Sidewinder', 'used', 'PowerShell')] T1059.001 [('Silence', 'used', 'PowerShell')] OBJS_ scripts T1059.001 [('Socksbot', 'write', 'PowerShell scripts')] T1059.001 [('SQLRat', 'create', 'PowerShell'), ('SQLRat', 'create', 'a Meterpreter session')] T1059.001 [('Stealth Falcon malware', 
'perform', 'PowerShell commands'), ('Stealth Falcon malware', 'perform', 'various functions'), ('various functions', 'including'), ('various functions', 'gathering', 'system information'), ('various functions', 'executing', 'commands')] T1059.001 [('StrongPity', 'add', 'PowerShell'), ('StrongPity', 'add', 'files')] T1059.001 [('TA459', 'used', 'PowerShell')] T1059.001 [('TA505', 'used', 'PowerShell')] T1059.001 [('TEMP.Veles', 'used', 'a available WMImplant'), ('a available WMImplant', 'based')] T1059.001 [('The group', 'perform', 'PowerShell'), ('The group', 'perform', 'Timestomping')] T1059.001 [('Threat Group-3390', 'used', 'PowerShell')] T1059.001 [('PowerShell', 'download', 'commands'), ('PowerShell', 'download', 'payloads'), ('the networks', 'compromised')] T1059.001 [('Turla', 'execute', 'PowerShell'), ('Turla', 'execute', 'commands / scripts')] T1059.001 [('Turla', 'used', 'PowerShell scripts')] T1059.001 [('UNC2452', 'create', 'PowerShell'), ('UNC2452', 'create', 'new tasks on remote machines')] T1059.001 [('Ursnif droppers', 'used', 'PowerShell')] T1059.001 [('Valak', 'download', 'PowerShell'), ('Valak', 'download', 'additional modules')] T1059.001 [('WellMess', 'execute', 'PowerShell scripts'), ('PowerShell scripts', 'received')] T1059.001 [('WIRTE', 'used', 'PowerShell')] T1059.001 [('Wizard Spider', 'execute', 'macros'), ('Wizard Spider', 'execute', 'PowerShell scripts')] T1059.001 [('It', 'execute', 'PowerShell'), ('It', 'execute', 'commands')] T1059.001 [('Xbash', 'invoke', 'scripts'), ('Xbash', 'invoke', 'PowerShell')] T1059.001 [('arguments', 'encoded')] T1059.001 [('arguments', 'encoded')] T1059.002 [('Bundlore', 'inject', 'AppleScript'), ('Bundlore', 'inject', 'malicious JavaScript')] T1059.002 [('Dok', 'create', 'AppleScript'), ('Dok', 'create', 'a login item for persistence')] T1059.002 [('ThiefQuest', 'launch', 'osascript -e command'), ('ThiefQuest', 'launch', 'ThiefQuest persistence')] T1059.002 [('Malware', 'run', 'AppleScript'), ('Malware', 
'run', 'unauthorised commands')] T1059.002 [('APT-1', 'open', 'AppleScript'), ('fake login prompt', 'open', 'AppleScript')] T1059.002 [('Attackers', 'run', 'malicious AppleScript via')] T1059.003 [('4H RAT', 'has', 'the capability'), ('the capability', 'create', 'a remote shell')] T1059.003 [('ABK', 'has', 'the ability'), ('the ability', 'run', 'cmd'), ('the ability', 'run', 'a Portable Executable PE )'), ('the ability', 'run', 'a Portable Executable PE )'), ('the host', 'compromised')] T1059.003 [('adbupd', 'run', 'a copy of cmd.exe')] T1059.003 [('a file', 'create', 'admin@338 actors'), ('a list of commands', 'contain', 'a file'), ('the computer', 'execute', 'a list of'), ('the computer', 'compromised')] T1059.003 [('ADVSTORESHELL', 'create', 'a remote shell'), ('a command', 'given')] T1059.003 [('Anchor', 'run', 'cmd.exe'), ('Anchor', 'run', 'its deletion routine')] T1059.003 [('APT1', 'execute', 'the Windows command shell'), ('APT1', 'execute', 'commands')] T1059.003 [('APT18', 'execute', 'cmd.exe'), ('APT18', 'execute', 'commands')] T1059.003 [('loader Trojan', 'uses', 'a cmd.exe')] T1059.003 [('The group', 'execute', 'macros'), ('The group', 'execute', 'payloads')] T1059.003 [('APT29', 'execute', 'cmd.exe'), ('APT29', 'execute', 'commands')] T1059.003 [('An APT3 downloader', 'uses', 'the Windows command'), ('An APT3 downloader', 'uses', 'cmd.exe')] T1059.003 [('The group', 'execute', 'a tool'), ('The group', 'execute', 'commands')] T1059.003 [('APT32', 'used', 'cmd.exe')] T1059.003 [('APT37', 'used', 'the line interface')] T1059.003 [('APT38', 'give', 'a line tunneler NACHOCHEESE'), ('APT38', 'give', 'them'), ('APT38', 'give', 'shell access to a victimmachine')] T1059.003 [('APT41', 'execute', 'cmd.exe'), ('APT41', 'execute', 'commands')] T1059.003 [('APT41', 'install', 'a batch file'), ('APT41', 'install', 'persistence for the BEACON loader')] T1059.003 [('Astaroth', 'spawns', 'a CMD process')] T1059.003 [('AuditCred', 'open', 'a reverse shell on the 
system')] T1059.003 [('BabyShark', 'execute', 'cmd.exe'), ('BabyShark', 'execute', 'commands')] OBJS_ files T1059.003 [('BackConfig', 'download', 'batch files'), ('a host', 'compromised')] T1059.003 [('Adversaries', 'direct', 'BACKSPACE'), ('hosts', 'infected'), ('BACKSPACE', 'create', 'a reverse shell')] T1059.003 [('Bankshot', 'execute', 'the line interface'), ('Bankshot', 'execute', 'arbitrary commands')] T1059.003 [('Bazar', 'launch', 'cmd.exe')] T1059.003 [('BBK', 'has', 'the ability'), ('the ability', 'run', 'cmd'), ('the ability', 'run', 'a Portable Executable PE )'), ('the ability', 'run', 'a Portable Executable PE )'), ('the host', 'compromised')] T1059.003 [('BISCUIT', 'has', 'a command'), ('a command', 'launch', 'a command shell')] T1059.003 [('Bisonal', 'launch', 'cmd.exe')] T1059.003 [('BLACKCOFFEE', 'has', 'the capability'), ('the capability', 'create', 'a reverse shell')] T1059.003 [('BlackMould', 'run', 'cmd.exe')] T1059.003 [('BLINDINGCAN', 'executed', 'commands')] T1059.003 [('Blue Mockingbird', 'used', 'batch script files'), ('execution', 'automate')] T1059.003 [('BONDUPDATER', 'batch', 'commands'), ('a file', 'sent')] T1059.003 [('BRONZE BUTLER', 'used', 'batch scripts'), ('BRONZE BUTLER', 'used', 'the line interface for execution')] T1059.003 [('CALENDAR', 'has', 'a command'), ('a command', 'run', 'cmd.exe'), ('a command', 'execute', 'commands')] T1059.003 [('Carbanak', 'has', 'a command'), ('a command', 'create', 'a reverse shell')] T1059.003 [('Cardinal RAT', 'execute', 'commands')] T1059.003 [('CARROTBAT', 'has', 'the ability'), ('the ability', 'execute', 'command line arguments'), ('a host', 'compromised')] T1059.003 [('Caterpillar WebShell', 'run', 'commands'), ('the asset with CMD functions', 'compromised')] T1059.003 [('Chimera', 'used', 'the Windows Command Shell'), ('hosts', 'compromised')] T1059.003 [('programs', 'execute', 'cmd'), ('other actions', 'execute', 'cmd')] T1059.003 [('Cobalt Group', 'used', 'a JavaScript backdoor is'), 
('a JavaScript backdoor is', 'execute', 'cmd.exe'), ('a JavaScript backdoor is', 'execute', 'shell commands'), ('a JavaScript backdoor is', 'execute', 'shell commands')] T1059.003 [('The group', 'used', 'an exploit toolkit'), ('The group', 'used', 'files'), ('an exploit toolkit', 'known'), ('an exploit toolkit', 'launches')] T1059.003 [('Cobalt Strike', 'uses', 'a line interface')] T1059.003 [('Cobian RAT', 'launch', 'a remote shell interface for'), ('a remote shell interface for', 'executing', 'commands')] T1059.003 [('CoinTicker', 'executes', 'a bash script')] T1059.003 [('Comnie', 'executes', 'BAT scripts')] T1059.003 [('ComRAT', 'execute', 'cmd.exe'), ('ComRAT', 'execute', 'commands')] T1059.003 [('Conti', 'allow', 'line options'), ('Conti', 'allow', 'an attacker control over'), ('it', 'scans')] T1059.003 [('A module in', 'allows'), ('arbitrary commands', 'executed')] T1059.003 [('Dark Caracal', 'used', 'macros'), ('Word documents', 'download', 'a second stage'), ('Word documents', 'executed')] T1059.003 [('DarkComet', 'launch', 'a remote shell')] OBJS_ file T1059.003 [('Darkhotel', 'dropped'), ('an mspaint.lnk', 'shortcut'), ('which', 'launches', 'a shell script'), ('a shell script', 'downloads', 'a file'), ('a shell script', 'executes', 'a file')] T1059.003 [('Daserf', 'execute', 'shell commands')] T1059.003 [('DealersChoice', 'makes', 'modifications to source scripts from'), ('source', 'open')] T1059.003 [('Denis', 'launch', 'a remote shell')] T1059.003 [('Dipsind', 'spawn', 'remote shells')] T1059.003 [('DownPaper', 'uses', 'the command line')] T1059.003 [('operations', 'including')] T1059.003 [('DropBook', 'execute', 'arbitrary shell commands')] T1059.003 [('Dtrack', 'add', 'cmd.exe'), ('Dtrack', 'add', 'a persistent service')] T1059.003 [('ECCENTRICBANDWAGON', 'execute', 'cmd'), ('ECCENTRICBANDWAGON', 'execute', 'commands')] T1059.003 [('Egregor', 'used', 'batch files')] T1059.003 [('Emissary', 'has', 'the capability'), ('the capability', 'create', 'a 
remote shell'), ('the capability', 'execute', 'commands'), ('commands', 'specified')] T1059.003 [('Emotet', 'run', 'cmd.exe'), ('Emotet', 'run', 'a PowerShell script')] T1059.003 [('Empire', 'has', 'modules for'), ('modules for', 'executing', 'scripts')] OBJS_ scripts T1059.003 [('EvilBunny', 'has', 'an engine'), ('an engine', 'integrated'), ('an engine', 'download', 'Lua scripts'), ('an engine', 'execute', 'Lua scripts')] T1059.003 [('Exaramel for', 'has', 'a command'), ('a command', 'launch', 'a remote shell'), ('a command', 'executes', 'commands')] T1059.003 [('Felismus', 'uses', 'command line for execution')] T1059.003 [('FELIXROOT executes', 'batch', 'scripts on the victimmachine')] T1059.003 [('FIN10', 'executed', 'malicious'), ('FIN10', 'executed', '.bat files'), ('.bat files', 'containing', 'PowerShell commands')] T1059.003 [('FIN6', 'used', 'kill.bat script to disable security tools')] T1059.003 [('FIN7', 'launch', 'command prompt'), ('FIN7', 'launch', 'commands')] T1059.003 [('FIN8', 'automate', 'a Batch file'), ('FIN8', 'automate', 'activities'), ('activities', 'executed')] T1059.003 [('FIN8', 'executes', 'commands')] T1059.003 [('Fox Kitten', 'used', 'cmd.exe'), ('a password', 'changing')] T1059.003 [('Frankenstein', 'run', 'a command script'), ('a task', 'scheduled'), ('a task', 'named', '" WinUpdate " as other'), ('a task', 'named', 'commands'), ('commands', 'encoded')] T1059.003 [('GALLIUM', 'execute', 'the Windows command shell'), ('GALLIUM', 'execute', 'commands')] T1059.003 [('Gamaredon Group', 'establish', 'various batch scripts'), ('Gamaredon Group', 'establish', 'C2')] T1059.003 [('a batch file', 'write', 'Group backdoor malware')] T1059.003 [('Gold Dragon', 'execute', 'cmd.exe'), ('Gold Dragon', 'execute', 'commands')] T1059.003 [('GoldenSpy', 'execute', 'remote commands')] T1059.003 [('GoldMax', 'spawn', 'a command shell')] T1059.003 [('Goopy', 'has', 'the ability'), ('the ability', 'execute', 'cmd.exe'), ('the ability', 'execute', 
'commands'), ('the ability', 'execute', 'commands'), ('commands', 'passed')] T1059.003 [('Group malware', 'use', 'cmd.exe')] T1059.003 [('GravityRAT', 'executes', 'commands')] T1059.003 [('GreyEnergy', 'execute', 'cmd.exe'), ('GreyEnergy', 'execute', 'itself')] T1059.003 [('HARDRAIN', 'execute', 'cmd.exe'), ('HARDRAIN', 'execute', 'netshcommands')] T1059.003 [('HAWKBALL', 'created', 'shell commands'), ('shell commands', 'executed')] T1059.003 [('hcdLoader', 'provides', 'line access to the system'), ('the system', 'compromised')] T1059.003 [('Helminth', 'provide', 'a remote shell')] T1059.003 [('One version of', 'batch')] T1059.003 [('Hi - Zor', 'has', 'the ability'), ('the ability', 'create', 'a reverse shell')] T1059.003 [('HiddenWasp', 'uses', 'a script to automate tasks on victim machine')] T1059.003 [('Higaisa', 'used', 'cmd.exe')] T1059.003 [('Hikit', 'has', 'the ability'), ('the ability', 'create', 'a remote shell'), ('the ability', 'run'), ('the ability', 'given', 'commands')] T1059.003 [('HOMEFRY', 'uses', 'a line interface')] T1059.003 [('Honeybee implant', 'support', 'Several commands'), ('the line interface', 'support', 'Several commands'), ('any custom command', 'execute', 'a utility'), ('an infected endpoint', 'execute', 'a utility')] T1059.003 [('Honeybee', 'used')] T1059.003 [('HOPLIGHT', 'launch', 'cmd.exe')] T1059.003 [('HotCroissant', 'open', 'applications on the infected host with the ShellExecuteA command')] T1059.003 [('httpclient', 'opens', 'cmd.exe')] T1059.003 [('Indrik Spider', 'used', 'batch scripts on victim machines')] T1059.003 [('InnaputRAT', 'launches', 'a shell')] T1059.003 [('InvisiMole', 'launch', 'a remote shell')] T1059.003 [('JCry', 'launch', 'cmd.exe'), ('JCry', 'launch', 'PowerShell')] T1059.003 [('JHUHUGIT', 'execute', 'a .bat file'), ('JHUHUGIT', 'execute', 'a .dll')] T1059.003 [('JPIN', 'change', 'utility cacls.exe'), ('JPIN', 'change', 'file permissions')] T1059.003 [('jRAT', 'has', 'command line access')] T1059.003 
[('Kasidet', 'execute', 'commands')] T1059.003 [('Kazuar', 'execute', 'cmd.exe'), ('Kazuar', 'execute', 'commands')] T1059.003 [('Ke3chang', 'install', 'batch scripts'), ('Ke3chang', 'install', 'persistence mechanisms')] T1059.003 [('KeyBoy', 'launch', 'interactive shells')] T1059.003 [('KEYMARBLE', 'execute', 'shell commands'), ('shell commands', 'using', 'cmd.exe')] T1059.003 [('the ability', 'set', 'a Registry key'), ('the ability', 'run', 'a cmd.exe command')] T1059.004 [('Anchor', 'execute', 'payloads')] T1059.004 [('AppleJeus', 'execute', 'shell scripts'), ('AppleJeus', 'execute', 'commands')] T1059.004 [('APT41', 'executed', 'file'), ('APT41', 'executed', '/ pwd in activity'), ('activity', 'exploiting', 'CVE-2019 -'), ('activity', 'exploiting', '19781')] T1059.004 [('Bundlore', 'leveraged', '/ sh'), ('/bin / bash', 'execute', 'commands')] T1059.004 [('the capability', 'create', 'a reverse shell on victims')] T1059.004 [('Chaos', 'provides', 'a shell connection on'), ('a shell connection on', 'encrypted')] T1059.004 [('CoinTicker', 'executes', 'a bash script')] T1059.004 [('CookieMiner', 'run', 'a Unix shell script'), ('CookieMiner', 'run', 'a series of commands'), ('commands', 'targeting', 'macOS')] T1059.004 [('Doki', 'executed', 'shell scripts')] T1059.004 [('Drovorub', 'execute', 'arbitrary commands'), ('a system', 'compromised')] T1059.004 [('Exaramel for', 'has', 'a command'), ('a command', 'execute', 'a shell command')] OBJS_ commands T1059.004 [('Fysbis', 'has', 'the ability'), ('the ability', 'create', 'commands'), ('the ability', 'execute', 'commands')] T1059.004 [('Hildegard', 'used', 'shell scripts')] T1059.004 [('Kazuar', 'execute', '/bin / bash'), ('Kazuar', 'execute', 'commands')] T1059.004 [('Kinsing', 'execute', 'Unix shell scripts'), ('Kinsing', 'execute', 'commands')] T1059.004 [('LoudMiner', 'launch', 'shell scripts'), ('LoudMiner', 'launch', 'various services')] T1059.004 [('NETWIRE', 'execute', 'the ability'), ('NETWIRE', 'execute', '/ 
bash'), ('NETWIRE', 'execute', 'commands'), ('the ability', 'use')] T1059.004 [('OSX / Shlayer', 'check', 'bash scripts'), ('OSX / Shlayer', 'check', 'the version download payloads')] T1059.004 [('OSX_OCEANLOTUS.D', 'execute', 'shell script'), ('OSX_OCEANLOTUS.D', 'execute', 'malicious code')] T1059.004 [('Penquin', 'execute', 'remote commands'), ('remote commands', 'using', 'bash scripts')] T1059.004 [('Proton', 'uses', "macOS '"), ('Proton', 'uses', 'file type')] T1059.004 [('Rocke', 'run', 'shell scripts'), ('Rocke', 'run', 'commands'), ('which', 'obtain', 'persistence'), ('commands', 'execute', 'the mining malware')] T1059.004 [('Skidmap', 'used', 'pm.sh')] T1059.004 [('WindTail', 'execute', 'the open command'), ('WindTail', 'execute', 'an application')] T1059.005 [('a VBScript', 'embed', 'APT - C-36'), ('a malicious Word document', 'embed', 'APT - C-36'), ('which', 'executed')] T1059.005 [('APT32', 'com', 'macros'), ('APT32', 'com', 'scriptlets'), ('APT32', 'com', 'VBS scripts')] T1059.005 [('APT33', 'initiate', 'VBScript'), ('APT33', 'initiate', 'the delivery of payloads')] T1059.005 [('APT37', 'executes', 'a VBA script to decode Base64 strings')] T1059.005 [('APT39', 'utilized', 'malicious VBS scripts')] T1059.005 [('Astaroth', 'used', 'malicious VBS - mail attachments')] T1059.005 [('BackConfig', 'install', 'VBS'), ('BackConfig', 'install', 'its downloader component'), ('BackConfig', 'install', 'malicious documents')] T1059.005 [('Bisonal dropper', 'creates', 'VBS scripts')] T1059.005 [('BRONZE BUTLER', 'used', 'VBS'), ('BRONZE BUTLER', 'used', 'VBE scripts')] T1059.005 [('Cobalt Group', 'sent', 'OLE compound documents'), ('malicious macros', 'obfuscated'), ('malicious macros', 'run')] T1059.005 [('Cobalt Strike', 'perform', 'VBA'), ('Cobalt Strike', 'perform', 'execution')] T1059.005 [('Comnie', 'executes', 'VBS scripts')] T1059.005 [('Emotet', 'sent', 'Word documents with macros'), ('macros', 'embedded'), ('Word documents with', 'invoke', 'scripts'), 
('Word documents with', 'download', 'additional payloads')] T1059.005 [('Exaramel for', 'has', 'a command'), ('a command', 'execute', 'VBS scripts')] T1059.005 [('FIN4', 'display', 'VBA macros'), ('FIN4', 'display', 'a dialog box')] T1059.005 [('FIN7', 'used', 'VBS scripts')] T1059.005 [('Frankenstein', 'used', 'Word documents'), ('Word documents', 'prompts', 'the victim'), ('Word documents', 'enable', 'macros'), ('Word documents', 'run', 'a Visual Basic script')] T1059.005 [('Gamaredon Group', 'embedded', 'malicious macros'), ('which', 'executed', 'VBScript')] T1059.005 [('Gamaredon Group', 'delivered', 'Microsoft Outlook VBA projects'), ('macros', 'embedded')] T1059.005 [('Goopy', 'has', 'the ability'), ('the ability', 'use', 'a backdoor macro'), ('the ability', 'communicate')] T1059.005 [('Gorgon Group', 'used', 'macros'), ('VBScripts on victim machines', 'executed')] T1059.005 [('Grandoreiro', 'execute', 'VBScript'), ('Grandoreiro', 'execute', 'malicious code')] T1059.005 [('Higaisa', 'used', 'VBScript code')] T1059.005 [('a Basic script within a malicious Word document', 'embed', 'Honeybee'), ('part of initial access', 'embed', 'Honeybee'), ('the script', 'executed'), ('the Word document', 'opened')] T1059.005 [('IcedID', 'used', 'expressions'), ('expressions', 'obfuscated')] T1059.005 [('Inception', 'execute', 'VBScript'), ('Inception', 'execute', 'malicious commands'), ('Inception', 'execute', 'payloads')] T1059.005 [('Javali', 'download', 'VBScript'), ('Javali', 'download', 'malicious payloads'), ('VBScript', 'embedded')] T1059.005 [('JCry', 'used', 'VBS scripts')] T1059.005 [('HTA files with', 'distribute', 'jRAT')] T1059.005 [('KeyBoy', 'uses', 'VBS scripts')] T1059.005 [('Kimsuky', 'download', 'Visual Basic'), ('Kimsuky', 'download', 'malicious payloads')] T1059.005 [('Koadic', 'performs', 'most of its operations')] T1059.005 [('Lazarus Group', 'gather', 'VBScript'), ('Lazarus Group', 'gather', 'information about a victim machine')] T1059.005 
[('Leviathan', 'used', 'VBScript')] T1059.005 [('LookBack', 'drop', 'VBA macros'), ('LookBack', 'drop', 'additional files')] T1059.005 [('Machete', 'embedded', 'malicious macros'), ('attachments', 'spearphishing')] T1059.005 [('Hound malware', 'used', 'VBS scripts')] T1059.005 [('Melcoz', 'execute', 'VBS scripts'), ('Melcoz', 'execute', 'malicious DLLs')] T1059.005 [('Metamorfo', 'used', 'VBS code')] T1059.005 [('Molerats', 'used', 'various implants'), ('various implants', 'including'), ('various implants', 'built')] T1059.005 [('MuddyWater', 'execute', 'VBScript files'), ('MuddyWater', 'execute', 'its POWERSTATS payload as macros')] T1059.005 [('Mustang Panda', 'embedded', 'VBScript components')] T1059.005 [('NanHaiShu', 'executes', 'additional VBScript code')] T1059.005 [('NanoCore', 'uses', 'VBS files')] T1059.005 [('use of VBScripts', 'execute', 'NETWIRE')] OBJS_ VBScript T1059.005 [('OopsIE', 'creates', 'a VBScript')] T1059.005 [('Operation Wocao', 'conduct', 'a VBScript'), ('Operation Wocao', 'conduct', 'reconnaissance'), ('systems', 'targeted')] T1059.005 [('OSX_OCEANLOTUS.D', 'uses', 'Word macros')] T1059.005 [('Patchwork', 'used', 'Visual Basic Scripts ( VBS )')] T1059.005 [('PoetRAT', 'execute', 'Word documents with VBScripts'), ('PoetRAT', 'execute', 'malicious activities')] OBJS_ VBScript T1059.005 [('PowerShower', 'has', 'the ability'), ('the ability', 'save', 'VBScript'), ('the ability', 'execute', 'VBScript')] T1059.005 [('POWERSTATS', 'use', 'VBScript ( VBE ) code')] T1059.005 [('QUADAGENT', 'uses', 'VBScripts')] T1059.005 [('Ramsay', 'included', 'scripts in malicious documents'), ('scripts in', 'embedded')] T1059.005 [('Rancor', 'used', 'VBS scripts as macros'), ('macros', 'embedded')] T1059.005 [('Remexi', 'uses', 'AutoIt')] T1059.005 [('REvil', 'used', 'macros'), ('macros', 'obfuscated')] T1059.005 [('Sandworm Team', 'created', 'VBScripts')] T1059.005 [('Sharpshooter stage downloader', 'was', 'a VBA macro')] T1059.005 [('Sibot', 'executes', 
'commands'), ('commands', 'using', 'VBScript')] T1059.005 [('Sidewinder', 'used', 'VBScript')] T1059.005 [('Silence', 'used', 'VBS scripts')] T1059.005 [('Smoke Loader', 'adds', 'a Basic script in the Startup folder')] T1059.005 [('StoneDrill', 'has', 'several VBS scripts'), ('several VBS scripts', 'used')] T1059.005 [('SUNBURST', 'initiate', 'VBScripts'), ('SUNBURST', 'initiate', 'the execution of payloads')] T1059.005 [('TA459', 'has', 'a VBScript')] T1059.005 [('TA505', 'used', 'VBS')] T1059.005 [('Turla', 'used', 'VBS scripts')] T1059.005 [('TYPEFRAME', 'used', 'a malicious Word document for delivery with VBA macros')] T1059.005 [('Ursnif droppers', 'used', 'VBA macros')] T1059.005 [('VBShower', 'has', 'the ability'), ('the ability', 'execute', 'VBScript files')] T1059.005 [('Windshift', 'used', 'Visual Basic 6'), ('Windshift', 'used', 'payloads')] T1059.005 [('WIRTE', 'used', 'VBS scripts')] T1059.005 [('Xbash', 'execute', 'malicious VBScript payloads')] OBJS_ it T1059.005 [('archive', 'contains', 'VBScript files'), ('VBScript files', 'write', 'a DLL file'), ('VBScript files', 'write', 'a DLL file'), ('VBScript files', 'disk', 'it'), ('VBScript files', 'execute', 'it'), ('VBScript files', 'using', 'rundll32.exe')] T1059.005 [('a lightweight backdoor', 'written'), ('a lightweight backdoor', 'execute', 'WMI'), ('a lightweight backdoor', 'execute', 'shell commands'), ('a lightweight backdoor', 'execute', 'shell commands'), ('a lightweight backdoor', 'create', 'a reverse shell')] T1059.005 [('malware decodes itself', 'launches', 'a VBScript ,'), ('a VBScript ,', 'stand'), ('which', 'installs', 'a access Trojan on the infected device')] T1059.005 [('Basic script execution', 'gather', 'local computer information')] T1059.005 [('execution', 'encoded')] T1059.006 [('APT29', 'developed', 'malware variants'), ('malware variants', 'written')] T1059.006 [('APT39', 'used', 'a line utility'), ('APT39', 'used', 'a network scanner'), ('a network scanner', 'written')] 
T1059.006 [('BRONZE BUTLER', 'made', 'use of tools'), ('tools', 'based')] T1059.006 [('Bundlore', 'execute', 'Python scripts'), ('Bundlore', 'execute', 'payloads')] T1059.006 [('Cobalt Strike', 'perform', 'Python'), ('Cobalt Strike', 'perform', 'execution')] T1059.006 [('CoinTicker', 'executes', 'a Python script')] T1059.006 [('CookieMiner', 'used', 'python scripts')] T1059.006 [('operations', 'including')] T1059.006 [('Python', 'instal', 'The group'), ('a victim', 'instal', 'The group')] T1059.006 [('a backdoor', 'based'), ('a backdoor', 'compiled')] T1059.006 [('Ebury', 'implement', 'Python'), ('Ebury', 'implement', 'its DGA')] T1059.006 [('IronNetInjector', 'load', 'IronPython scripts'), ('IronNetInjector', 'load', 'payloads')] T1059.006 [('KeyBoy', 'uses', 'Python scripts')] T1059.006 [('Keydnap', 'execute', 'Python'), ('Keydnap', 'execute', 'additional commands')] T1059.006 [('Kimsuky', 'gather', 'Python'), ('Kimsuky', 'gather', 'implant'), ('Kimsuky', 'gather', 'data')] T1059.006 [('Machete', 'used', 'scripts on the victimsystem'), ('scripts on', 'compiled')] T1059.006 [('Python', 'write', 'Machete main backdoor'), ('Python', 'write', 'Machete')] T1059.006 [('Python', 'write', 'Machete')] T1059.006 [('MechaFlounder', 'uses', 'a payload'), ('a payload', 'based')] T1059.006 [('MuddyWater', 'used', 'tools in'), ('tools in', 'developed')] T1059.006 [('Python', 'write', 'Wocao backdoors')] T1059.006 [('a Python script', 'execute', 'PoetRAT'), ('additional tools', 'based')] T1059.006 [('PUNCHBUGGY', 'used', 'python scripts')] T1059.006 [('Pupy', 'use', 'an add on feature'), ('payloads', 'allows'), ('you', 'create', 'custom Python scripts ( scriptlets\x9d )'), ('payloads', 'perform', 'tasks'), ('payloads', 'perform', 'offline ('), ('payloads', 'offline'), ('payloads', 'requiring', 'a session'), ('sandbox detection', 'adding', 'persistence etc')] T1059.006 [('Pysa', 'used', 'Python scripts')] T1059.006 [('Remcos', 'uses', 'Python scripts')] T1059.006 [('Rocke', 
'used', 'malware'), ('malware', 'based')] T1059.006 [('SpeakUp', 'uses', 'Python scripts')] T1059.006 [('Turla', 'drop', 'IronPython scripts'), ('Turla', 'drop', 'payloads')] T1059.006 [('ZIRCONIUM', 'used', 'implants'), ('implants', 'based'), ('hosts', 'compromised')] T1059.007 [('APT32', 'used', 'JavaScript'), ('downloads', 'drive')] T1059.007 [('Astaroth', 'perform', 'JavaScript'), ('Astaroth', 'perform', 'its core functionalities')] T1059.007 [('Bundlore', 'execute', 'JavaScript')] T1059.007 [('Cobalt Group', 'executed', 'JavaScript scriptlets')] T1059.007 [('The Strike System Profiler', 'perform', 'JavaScript'), ('The Strike System Profiler', 'perform', 'reconnaissance actions')] T1059.007 [('Evilnum', 'used', 'malicious JavaScript files')] T1059.007 [('FIN6', 'steal', 'malicious JavaScript'), ('FIN6', 'steal', 'card data')] T1059.007 [('FIN7', 'used', 'JavaScript scripts')] T1059.007 [('GRIFFON', 'written')] T1059.007 [('Higaisa', 'execute', 'JavaScript'), ('Higaisa', 'execute', 'additional files')] T1059.007 [('InvisiMole', 'use', 'a JavaScript file')] T1059.007 [('HTA files with', 'distribute', 'jRAT')] T1059.007 [('Kimsuky', 'used', 'JScript')] T1059.007 [('victims', 'using', 'JavaScript code')] T1059.007 [('Metamorfo', 'includes', 'payloads'), ('payloads', 'written')] T1059.007 [('Molerats', 'used', 'various implants'), ('various implants', 'including'), ('various implants', 'built')] T1059.007 [('MuddyWater', 'execute', 'JavaScript files'), ('MuddyWater', 'execute', 'its POWERSTATS payload')] T1059.007 [('NanHaiShu', 'executes', 'additional Jscript code')] T1059.007 [('POWERSTATS', 'use', 'JavaScript code')] T1059.007 [('Sidewinder', 'used', 'JavaScript')] T1059.007 [('Silence', 'used', 'JS scripts')] T1059.007 [('TA505', 'used', 'JavaScript')] T1059.007 [('Turla', 'used', 'various backdoors'), ('various backdoors', 'based')] T1059.007 [('Valak', 'execute'), ('JavaScript', 'containing', 'configuration data')] T1059.007 [('Xbash', 'execute', 'malicious 
JavaScript payloads')] T1059.008 [('APT17', 'abuse', 'the CLI')] T1059.008 [('MAZE ransomware', 'achieve', 'persistence'), ('scripts', 'executed')] T1059.008 [('APT14', 'acquire', 'permissions of an administrator on many network devices'), ('the privileges', 'come'), ('the privileges', 'executing', 'their own scripts')] T1059.008 [('Network devices', 'secured'), ('data', 'access', 'their CLI'), ('APT groups', 'exploit', 'data')] T1059.008 [('Malware', 'escalate', 'privileges'), ('device', 'abusing')] T1069.001 [('actors', 'list', 'the command'), ('actors', 'list', 'local groups : administrator'), ('the command', 'following')] T1069.001 [('BloodHound', 'collect', 'information about local groups')] T1069.001 [('Caterpillar WebShell', 'obtain', 'a list of from a system')] T1069.001 [('Chimera', 'identify', 'net localgroup administrators'), ('Chimera', 'identify', 'accounts with local administrative rights')] T1069.001 [('Emissary', 'has', 'the capability'), ('the capability', 'execute', 'the command net localgroup administrators')] T1069.001 [('Epic', 'gathers', 'information on local group names')] T1069.001 [('FlawedAmmyy', 'enumerates', 'the privilege level of the victim')] T1069.001 [('Helminth', 'checked', 'the administrators group')] T1069.001 [('JPIN', 'obtain', 'the permissions of the victim user')] T1069.001 [('Kazuar', 'gathers', 'information about local groups')] T1069.001 [('Kwampirs', 'collects', 'a list of users'), ('users', 'belonging')] T1069.001 [('Net', 'gather', 'Commands as net group'), ('information about', 'gather', 'Commands as')] T1069.001 [('OilRig', 'find', 'net localgroup administrators'), ('OilRig', 'find', 'local administrators on systems'), ('systems', 'compromised')] T1069.001 [('Operation Wocao', 'list', 'the command net localgroup administrators'), ('Operation Wocao', 'list', 'all administrators'), ('Operation Wocao', 'list', 'part of a local group')] T1069.001 [('OSInfo', 'enumerated', 'the administrators group')] T1069.001 [('PoshC2', 
'contains', 'modules as'), ('modules as', 'get')] T1069.001 [('POWRUNER', 'collect', 'local group information')] T1069.001 [('Sys10', 'collects', 'the group name of the user'), ('the user', 'logged')] T1069.001 [('Turla', 'used', 'net localgroup'), ('group information', 'including')] T1069.002 [('AdFind', 'enumerate', 'domain groups')] T1069.002 [('BloodHound', 'collect', 'information about domain groups')] T1069.002 [('CrackMapExec', 'gather'), ('the user', 'accounts')] T1069.002 [('information on permission groups', 'gather', 'dsquery'), ('a domain', 'gather', 'dsquery')] T1069.002 [('Egregor', 'conduct', 'Directory reconnaissance')] T1069.002 [('a reconnaissance module', 'use', 'GRIFFON'), ('Windows membership information', 'retrieve', 'a reconnaissance module'), ('Windows membership information', 'retrieve', 'a reconnaissance module')] T1069.002 [('Helminth', 'checked'), ('Subsystem groups', 'using', 'the commands group'), ('the admin group', 'admins'), ('Subsystem groups', 'admins')] T1069.002 [('Inception', 'gather', 'specific malware modules'), ('Inception', 'gather', 'domain membership')] T1069.002 [('Ke3chang', 'performs', 'discovery of'), ('discovery of', 'groups')] T1069.002 [('Kwampirs', 'collects', 'a list of with the command net localgroup')] T1069.002 [('Net', 'gather', 'Commands as /domain'), ('information about', 'gather', 'Commands as /domain')] T1069.002 [('OilRig', 'find', 'net group'), ('OilRig', 'find', 'groupdomain admins\x9d /domain'), ('OilRig', 'find', 'permission settings'), ('OilRig', 'find', '/domain'), ('OilRig', 'find', 'net groupExchange Subsystem\x9d'), ('net groupExchange Subsystem\x9d', 'trusted')] T1069.002 [('OSInfo', 'looks')] T1069.002 [('POWRUNER', 'collect', 'group information')] T1069.002 [('REvil', 'identify', 'the domain membership of a host'), ('a host', 'compromised')] T1069.002 [('SoreFang', 'enumerate', 'domain groups')] T1069.002 [('Turla', 'identify', 'group Domain Admins "'), ('Turla', 'identify', 'domain 
administrators')] T1069.002 [('WellMess', 'identify', 'domain group membership for the current user')] T1069.002 [('Elevated group enumeration', 'using', 'net group ( Domain')] T1069.002 [('user', 'has', 'local admin access ( PowerView')] T1069.002 [('Enumeration', 'using', 'UserAccountControl flags ( Roasting')] T1069.003 [('Threat actors', 'gather', 'cloud accounts'), ('Threat actors', 'gather', 'their appropriate groups'), ('attempts', 'find', 'weak settings'), ('attempts', 'exploit')] T1069.003 [('various commands , as', 'accomplish', 'Identifying groups'), ('user groups', 'get'), ('groups', 'get', 'user groups'), ('a user account in', 'associate', 'groups')] T1069.003 [('Some actors', 'launch', 'ËœGET https://cloudidentity.googleapis.com/v1/groups'), ('Some actors', 'launch', 'commands'), ('malware', 'launch', 'ËœGET https://cloudidentity.googleapis.com/v1/groups'), ('malware', 'launch', 'commands')] T1069.003 [('more organizations', 'utilize', 'cloud services , actors')] T1069.003 [('actors', 'grant', 'Targeting list'), ('the ability', 'grant', 'Targeting list'), ('for Services', 'grant', 'Targeting list'), ('account users', 'discover', 'the ability'), ('settings', 'discover', 'the ability'), ('theËœGetBucketAcl command', 'do', 'this')] T1070 [('Indicator Removal', 'using', 'FSUtil')] T1070.001 [('APT28', 'cleared', 'event logs')] T1070.001 [('APT32', 'cleared', 'log entries')] T1070.001 [('APT38', 'clears', 'Event logs'), ('APT38', 'clears', 'Sysmon logs from the system')] T1070.001 [('APT41', 'remove', 'evidence of')] T1070.001 [('Chimera', 'cleared', 'event logs'), ('hosts', 'compromised')] T1070.001 [('other logs', 'produced'), ('they', 'used'), ('tools', 'including')] T1070.001 [('The actors', 'deleted', 'specific Registry keys')] T1070.001 [('FIN5', 'cleared', 'event logs')] T1070.001 [('FIN8', 'cleared', 'logs')] T1070.001 [('FinFisher', 'clears', 'event logs')] T1070.001 [('Hydraq', 'creates', 'a backdoor'), ('remote attackers', 'clear', 'all event 
logs')] OBJS_ logs T1070.001 [('Lucifer', 'clear', 'event logs')] T1070.001 [('NotPetya', 'clear', 'wevtutil'), ('NotPetya', 'clear', 'the Windows event logs')] T1070.001 [('Olympic Destroyer', 'clear', 'the event logs')] T1070.001 [('Operation Wocao', 'hinder', 'Windows Event Logs'), ('Operation Wocao', 'hinder', 'forensic investigation')] T1070.001 [('Pupy', 'has', 'a module'), ('a module', 'clear', 'event logs with')] T1070.001 [('RunningRAT', 'clear', 'code'), ('RunningRAT', 'clear', 'event logs')] T1070.001 [('SynAck', 'clears', 'event logs')] T1070.001 [('ZxShell', 'has', 'a command to clear event logs')] T1070.001 [('System Logs', 'using', 'Clear - EventLog')] T1070.002 [('Proton', 'removes', 'logs'), ('Proton', 'removes', '/Library / logs')] T1070.002 [('Rocke', 'cleared', 'log files')] T1070.002 [('Adversaries', 'deleted', '/var log / auth.log')] T1070.002 [('Actor clear system', 'logs')] T1070.002 [('Malware', 'deletes', '/ log / cron.log'), ('evidence of', 'tampering'), ('evidence of', 'enable', 'persistence')] T1070.003 [('APT41', 'remove', 'evidence of')] T1070.003 [('Hildegard', 'clear', 'history'), ('Hildegard', 'clear', 'shell logs')] T1070.003 [('WastedLocker ransomware', 'possesses', 'functionality'), ('functionality', 'delete', 'command history'), ('the aim', 'avoid', 'detection')] T1070.003 [('FIN11', 'remove', 'indicators of their intrusion on machines as'), ('machines as', 'deleting', 'the line history')] T1070.003 [('Lazarus group', 'delete', 'their command history')] T1070.003 [('Clear Powershell History by', 'deleting', 'History File')] T1070.004 [('ADVSTORESHELL', 'delete', 'files'), ('ADVSTORESHELL', 'delete', 'directories')] T1070.004 [('its dropper', 'delete', 'Anchor'), ('the malware', 'deployed')] T1070.004 [('AppleJeus', 'deleted', 'the MSI file')] T1070.004 [('APT18 actors', 'deleted', 'tools')] T1070.004 [('APT28', 'deleted', 'computer files')] T1070.004 [('their tools', 'remove', 'APT29'), ('custom backdoors', 'include', 'their 
tools'), ('remote access', 'achieved')] T1070.004 [('APT29', 'remove', 'SDelete'), ('APT29', 'remove', 'artifacts')] T1070.004 [('APT3', 'has', 'a tool'), ('a tool', 'delete', 'files')] T1070.004 [('APT32 macOS backdoor', 'receive', 'adelete\x9d command')] T1070.004 [('APT38', 'used', 'a utility'), ('a utility', 'called', 'CLOSESHAVE'), ('a utility', 'delete', 'a file from the system')] T1070.004 [('malware', 'use', 'APT39'), ('delete files', 'use', 'APT39'), ('a host', 'deploy', 'they'), ('a host', 'compromised')] T1070.004 [('APT41', 'deleted', 'files')] T1070.004 [('Aria - body', 'has', 'the ability'), ('the ability', 'delete', 'files'), ('the ability', 'delete', 'directories'), ('hosts', 'compromised')] T1070.004 [('Attorplugin', 'deletes', 'the files'), ('Attorplugin', 'deletes', 'log files'), ('the files', 'collected')] T1070.004 [('AuditCred', 'delete', 'files from the system')] T1070.004 [('Azorult', 'delete', 'files from victim machines')] T1070.004 [('BabyShark', 'cleaned', 'all files'), ('all files', 'associated')] T1070.004 [('BackConfig', 'has', 'the ability'), ('the ability', 'remove', 'files'), ('the ability', 'remove', 'folders'), ('files', 'related')] T1070.004 [('Oldrea', 'contains', 'a cleanup module'), ('a cleanup module', 'removes', 'traces of')] T1070.004 [('marks files', 'deleted'), ('system reboot', 'uninstalls'), ('itself', 'remove', 'marks files'), ('the system', 'remove', 'marks files')] T1070.004 [('Bazar', 'delete', 'its loader')] T1070.004 [('BBSRAT', 'delete', 'files'), ('BBSRAT', 'delete', 'directories')] T1070.004 [('Bisonal', 'deletes', 'its dropper'), ('Bisonal', 'deletes', 'VBS scripts')] T1070.004 [('BLACKCOFFEE', 'has', 'the capability to delete files')] T1070.004 [('BLINDINGCAN', 'deleted', 'itself'), ('artifacts from victim machines', 'associated')] T1070.004 [('command', 'delete', 'BUTLER uploader'), ('the RAR archives', 'delete', 'BUTLER uploader'), ('they', 'exfiltrated')] T1070.004 [('Calisto', 'has', 'the capability'), 
('the capability', 'remove', 'rm'), ('the capability', 'remove', '-rf'), ('the capability', 'remove', 'folders'), ('the capability', 'remove', 'files'), ('the capability', 'remove', 'folders'), ('the capability', 'remove', 'files')] T1070.004 [('Carbanak', 'has', 'a command to delete files')] T1070.004 [('Cardinal RAT', 'uninstall', 'itself')] T1070.004 [('CARROTBAT', 'has', 'the ability'), ('the ability', 'delete', 'files'), ('files', 'downloaded'), ('a host', 'compromised')] T1070.004 [('registry keys', 'created')] T1070.004 [('Chimera', 'performed', 'file deletion')] T1070.004 [('files', 'delete', 'cmd'), ('the file system', 'delete', 'cmd')] T1070.004 [('Cobalt Group', 'deleted', 'the DLL dropper')] T1070.004 [('Cryptoistic', 'has', 'the ability files from a host'), ('a host', 'compromised')] T1070.004 [('CSPY Downloader', 'has', 'the ability'), ('the ability', 'self', 'delete')] T1070.004 [('Denis', 'has', 'a command'), ('a command', 'delete', 'files')] T1070.004 [('a Kernel Module LKM )', 'load', 'It')] T1070.004 [('its files', 'used'), ('cleanup', 'including'), ('cleanup', 'removing', 'applications'), ('cleanup', 'deleting', 'screenshots')] T1070.004 [('Drovorub', 'delete', 'specific files'), ('a host', 'compromised')] T1070.004 [('Dtrack', 'remove', 'its persistence')] T1070.004 [('DustySky', 'delete', 'files'), ('it', 'creates')] T1070.004 [('ECCENTRICBANDWAGON', 'delete', 'log files'), ('log files', 'generated'), ('the malware', 'stored')] T1070.004 [('Epic', 'has', 'a command'), ('a command', 'delete', 'a file from the machine')] T1070.004 [('EvilBunny', 'deleted', 'the initial dropper')] T1070.004 [('Evilnum', 'deleted', 'files'), ('files', 'used')] T1070.004 [('Exaramel for', 'uninstall', 'its persistence mechanism')] T1070.004 [('FALLCHILL', 'delete', 'malware'), ('FALLCHILL', 'delete', 'artifacts from the victim')] T1070.004 [('FatDuke', 'delete', 'its DLL')] T1070.004 [('FELIXROOT', 'deletes', 'the .LNK file')] T1070.004 [('FIN10', 'delete', 'batch 
scripts'), ('FIN10', 'delete', 'critical system files'), ('FIN10', 'delete', 'tasks'), ('tasks', 'scheduled')] T1070.004 [('FIN5', 'clean', 'SDelete'), ('FIN5', 'clean', 'the environment')] T1070.004 [('FIN6', 'removed', 'files from victim machines')] T1070.004 [('FIN8', 'deleted', 'tmp files')] T1070.004 [('FruitFly', 'delete', 'files on the system')] T1070.004 [('Fysbis', 'has', 'the ability delete files')] T1070.004 [('files', 'used')] T1070.004 [('Gazer', 'has', 'commands files')] T1070.004 [('gh0st RAT', 'has', 'the capability')] T1070.004 [('Gold Dragon', 'deletes', 'one of its files 2.hwp')] T1070.004 [('registry files', 'delete', 'GoldenSpy uninstaller'), ('folders', 'delete', 'GoldenSpy uninstaller'), ('registry files', 'entries'), ('these tasks', 'completed')] T1070.004 [('Grandoreiro', 'delete', '.LNK files'), ('.LNK files', 'created')] T1070.004 [('GreyEnergy', 'delete', 'a file')] T1070.004 [('GuLoader', 'delete', 'its executable'), ('the host', 'compromised')] T1070.004 [('HALFBAKED', 'delete', 'a file'), ('a file', 'specified')] T1070.004 [('Hancitor', 'deleted', 'files'), ('files', 'using', 'the kill function')] T1070.004 [('HAWKBALL', 'has', 'the ability delete files')] T1070.004 [('Hi - Zor', 'deletes', 'its RAT installer file'), ('it', 'executes', 'its payload file')] T1070.004 [('Hildegard', 'deleted', 'scripts')] T1070.004 [('batch files', 'remove', 'Honeybee'), ('the CAB file', 'encoded')] T1070.004 [('HotCroissant', 'has', 'the ability'), ('the ability', 'clean', 'files delete files'), ('files', 'installed'), ('the ability', 'delete', 'itself')] T1070.004 [('HTTPBrowser', 'deletes', 'its original installer file')] T1070.004 [('Hydraq', 'creates', 'a backdoor delete files')] T1070.004 [('HyperBro', 'has', 'the ability'), ('the ability', 'delete', 'a file'), ('a file', 'specified')] T1070.004 [('Imminent Monitor', 'deleted', 'files'), ('files', 'related')] T1070.004 [('InnaputRAT', 'has', 'a command to delete files')] T1070.004 [('InvisiMole', 
'deleted', 'files'), ('InvisiMole', 'deleted', 'directories'), ('files', 'including'), ('files', 'uploaded')] T1070.004 [('Ixeshe', 'has', 'a command'), ('a command', 'delete', 'a file from the machine')] T1070.004 [('The JHUHUGIT dropper', 'delete', 'itself')] T1070.004 [('Another JHUHUGIT variant', 'has', 'the capability'), ('the capability', 'delete', 'files'), ('files', 'specified')] T1070.004 [('JPIN uninstaller component', 'deletes', 'itself'), ('it', 'encounters', 'a version of'), ('processes', 'related'), ('processes', 'running')] T1070.004 [('jRAT', 'has', 'a function delete files')] T1070.004 [('Kazuar', 'delete', 'files')] T1070.004 [('KEYMARBLE', 'has', 'the capability'), ('the capability', 'delete', 'files')] T1070.004 [('Kimsuky', 'deleted', 'the data on disk'), ('the data on', 'exfiltrated')] T1070.004 [('Kivars', 'has', 'the ability'), ('the ability', 'uninstall', 'malware')] T1070.004 [('The Komplex trojan', 'supports', 'file deletion')] T1070.004 [('delete files .', 'can')] T1070.004 [('Group malware', 'deletes', 'files'), ('various ways', 'including'), ('suicide scripts "', 'delete', 'malware binaries')] T1070.004 [('Lazarus Group', 'uses', 'secure file deletion')] T1070.004 [('LightNeuron', 'has', 'a function to delete files')] T1070.004 [('Linfo', 'creates', 'a backdoor delete files')] T1070.004 [('its original launcher', 'delete', 'LockerGoga'), ('execution', 'delete', 'LockerGoga')] T1070.004 [('LookBack', 'removes', 'itself')] T1070.004 [('LoudMiner', 'deleted', 'installation files')] T1070.004 [('a file', 'uploaded'), ('it', 'delete', 'Machete'), ('the machine', 'delete', 'Machete')] T1070.004 [('MacSpy', 'deletes', 'any temporary files'), ('it', 'creates')] OBJS_ files T1070.004 [('Magic Hound', 'deleted', 'files'), ('files', 'cover', 'tracks')] OBJS_ them T1070.004 [('it', 'decoded', 'them'), ('A macro deletes files', 'decompressed', 'them')] T1070.004 [('MESSAGETAP', 'deletes', 'the keyword_parm.txt'), ('MESSAGETAP', 'deletes', 
'configuration files'), ('MESSAGETAP', 'deletes', 'parm.txt')] T1070.004 [('Metamorfo', 'deleted', 'itself')] T1070.004 [('MoonWind', 'delete', 'itself'), ('files', 'specified')] T1070.004 [('More_eggs', 'remove', 'itself')] T1070.004 [('Mosquito', 'deletes'), ('files', 'using', 'DeleteFileW API call')] T1070.004 [('MURKYTOP', 'has', 'the capability'), ('the capability', 'delete', 'local files')] T1070.004 [('their tools', 'delete', 'Mustang Panda'), ('files', 'delete', 'Mustang Panda'), ('their objectives', 'reached')] T1070.004 [('a script', 'delete', 'their original decoy file'), ('a script', 'cover', 'tracks')] T1070.004 [('NOKKI', 'delete', 'files')] T1070.004 [('OceanSalt', 'delete', 'files from the system')] T1070.004 [('OilRig', 'deleted', 'files'), ('files', 'associated')] T1070.004 [('Okrum files', 'deletes'), ('C2 servers', 'upload', 'they')] T1070.004 [('OopsIE', 'has', 'the capability'), ('the capability', 'delete', 'files'), ('the capability', 'delete', 'scripts')] T1070.004 [('Operation Wocao', 'deleted', 'logs'), ('Operation Wocao', 'deleted', 'executable files'), ('executable files', 'used')] T1070.005 [('InvisiMole', 'disconnect', 'drives'), ('drives', 'connected')] T1070.005 [('Net', 'remove', 'The \\system\\share /delete command'), ('an connection to a network share', 'remove', 'The \\system\\share /delete command'), ('an connection to', 'established')] T1070.005 [('RobbinHood', 'disconnects', 'all network shares from the computer')] T1070.005 [('Threat Group-3390', 'has', 'shares'), ('shares', 'detached')] T1070.005 [('Adversaries', 'remove', 'share connections are'), ('share connections are', 'clean', 'traces of their operation')] T1070.006 [('3PARA RAT', 'has', 'a command'), ('a command', 'set', 'certain attributes as modification timestamps on files')] T1070.006 [('APT28', 'performed', 'timestomping on victim files')] T1070.006 [('timestamps of backdoors', 'modified')] T1070.006 [('APT32', 'used', 'task raw XML'), ('task', 'scheduled'), ('a 
timestamp of', 'backdated')] T1070.006 [('The group', 'set', 'the creation time of the files'), ('the files', 'dropped'), ('the files', 'match', 'the creation time of')] T1070.006 [('Additionally APT32', 'modify', 'a random value'), ('Additionally APT32', 'modify', 'the timestamp of the file'), ('the file', 'storing', 'the clientID')] T1070.006 [('the time of last access to files', 'manipulate', 'Attor')] T1070.006 [('Bankshot', 'modifies', 'the time of a file')] OBJS_ tool T1070.006 [('the timestamp of', 'modify', 'BitPaymer'), ('the decryption tool', 'identify', 'it')] T1070.006 [('BLINDINGCAN', 'modified', 'file timestamps')] T1070.006 [('Chimera', 'modify', 'a Windows version of the Linux touch command'), ('Chimera', 'modify', 'the date'), ('Chimera', 'modify', 'time')] T1070.006 [('Chopper server component', 'change', 'the timestamp of files')] T1070.006 [('Cobalt Strike', 'timestomp', 'any files'), ('Cobalt Strike', 'timestomp', 'payloads'), ('any files', 'placed'), ('them', 'blend')] T1070.006 [('The Derusbi malware', 'supports')] T1070.006 [('Elise', 'performs', 'timestomping of a CAB file'), ('it', 'creates')] T1070.006 [('Empire', 'timestomp', 'any files'), ('Empire', 'timestomp', 'payloads'), ('any files', 'placed'), ('them', 'blend')] T1070.006 [('EVILNUM', 'changed', 'the creation date of files')] T1070.006 [('FALLCHILL', 'modify', 'file timestamps')] T1070.006 [('the compilation timestamp', 'faked')] T1070.006 [('the authors', 'timestompe', 'InvisiMole samples')] T1070.006 [('InvisiMole', 'has', 'a command'), ('a command', 'built'), ('a command', 'modify', 'file times')] T1070.006 [('KeyBoy', 'stomped', 'its DLL'), ('order', 'evade', 'detection')] T1070.006 [('Kimsuky', 'defeat', 'timestamps for creation'), ('Kimsuky', 'defeat', 'anti'), ('Kimsuky', 'defeat', '-'), ('Kimsuky', 'defeat', 'forensics')] T1070.006 [('malware families', 'use', 'timestomping'), ('a Registry key to a random date', 'specified'), ('its files', 'dropped')] T1070.006 [('Borland 
Delphi', 'use', 'Many Misdat samples'), ('the default PE compile timestamp of a file', 'mangle', 'which')] T1070.006 [('OSX_OCEANLOTUS.D', 'change', 'the touch command'), ('OSX_OCEANLOTUS.D', 'change', 'timestamps')] T1070.006 [('OwaAuth', 'has', 'a command'), ('a command', 'timestop', 'a file'), ('a command', 'timestop', 'directory')] T1070.006 [('modifies timestamps of', 'downloaded', 'executables'), ('a file', 'selected'), ('a file', 'created')] T1070.006 [('PowerStallion', 'modifies', 'the MAC times of its local log files')] T1070.006 [('Psylo', 'has', 'a command'), ('a command', 'conduct', 'timestomping'), ('a command', 'timestomping'), ('a command', 'setting', 'a filetimestamps'), ('a filetimestamps', 'specified'), ('a command', 'match', 'those of a system file')] T1070.006 [('Rocke', 'changed', 'the time stamp of certain files')] T1070.006 [('SEASHARPEE', 'timestomp', 'files on victims'), ('victims', 'using', 'a Web shell')] T1070.006 [('Shamoon', 'change', 'the time'), ('the time', 'modified'), ('files', 'evade', 'forensic detection')] T1070.006 [('TAINTEDSCRIBE', 'change', 'the timestamp of filenames'), ('filenames', 'specified')] T1070.006 [('TEMP.Veles', 'modify', 'the STANDARD_INFORMATION attribute on tools')] T1070.006 [('timestamps of backdoors', 'modified')] T1070.006 [('USBStealer', 'sets', 'the timestamps of its dropper files'), ('a standard Windows library', 'chosen')] T1070.006 [('timestamps', 'modify'), ('timestamps', 'using', 'reference file')] T1070.006 [('file timestamp with', 'modified')] T1071.001 [('3PARA RAT', 'uses', 'HTTP for command')] T1071.001 [('4H RAT', 'uses', 'HTTP for command')] T1071.001 [('ABK', 'has', 'the ability'), ('the ability', 'use', 'HTTP')] T1071.001 [('ADVSTORESHELL', 'port', '80 of a C2 server'), ('a C2 server', 'using', 'Wininet API')] T1071.001 [('HTTP POSTs', 'exchange', 'Data')] T1071.001 [('Agent Tesla', 'used', 'HTTP for C2 communications')] T1071.001 [('Anchor', 'used', 'HTTP')] T1071.001 [('AppleJeus', 
'sent', 'data')] T1071.001 [('APT18', 'uses', 'HTTP for C2 communications')] T1071.001 [('Later implants', 'used'), ('Later implants', 'use', 'a blend of')] T1071.001 [('APT29', 'used', 'HTTP for C2 exfiltration')] T1071.001 [('APT32', 'used', 'JavaScript'), ('APT32 has used JavaScript', 'communicates'), ('domains', 'controlled')] T1071.001 [('The group', 'used', 'payloads over'), ('payloads over', 'downloaded')] T1071.001 [('APT33', 'used', 'HTTP for command')] T1071.001 [('APT37', 'conceal', 'HTTPS'), ('APT37', 'conceal', 'C2 communications')] T1071.001 [('APT38', 'used', 'backdoor QUICKRIDE')] T1071.001 [('APT39', 'used', 'HTTP in communications with')] T1071.001 [('APT41', 'download', 'HTTP'), ('APT41', 'download', 'payloads for')] T1071.001 [('Aria - body', 'used', 'HTTP in C2 communications')] T1071.001 [('Avenger', 'has', 'the ability'), ('the ability', 'use', 'HTTP in communication with')] T1071.001 [('BackConfig', 'has', 'the ability'), ('the ability', 'use', 'HTTPS')] T1071.001 [('BACKSPACE', 'uses', 'HTTP'), ('a transport', 'communicate')] T1071.001 [('BADNEWS', 'establishes', 'a backdoor over')] T1071.001 [('BadPatch', 'uses', 'HTTP for')] T1071.001 [('Bankshot', 'uses', 'HTTP for command')] T1071.001 [('Bazar', 'use', 'HTTP')] T1071.001 [('BBK', 'has', 'the ability'), ('the ability', 'use', 'HTTP')] T1071.001 [('BBSRAT', 'obtain', 'GET'), ('BBSRAT', 'obtain', 'requests over for command'), ('BBSRAT', 'obtain', 'commands'), ('data', 'compressed')] T1071.001 [('Bisonal', 'uses', 'HTTP for C2 communications')] T1071.001 [('BlackEnergy', 'communicates')] T1071.001 [('BlackMould', 'send', 'commands'), ('BlackMould', 'send', 'to C2')] T1071.001 [('BLINDINGCAN', 'used', 'HTTPS')] T1071.001 [('malware', 'bronze'), ('malware', 'used', 'HTTP for')] T1071.001 [('BUBBLEWRAP', 'using', 'HTTP')] T1071.001 [('Bundlore', 'uses', 'HTTP requests for')] T1071.001 [('The malware communicates to its command server', 'using', 'HTTP')] T1071.001 [('Carberp', 'connected')] 
T1071.001 [('Carbon', 'use', 'HTTP in C2 communications')] T1071.001 [('Cardinal RAT', 'downloaded')] T1071.001 [('ChChes communicates to its C2 server over', 'embeds', 'data within the HTTP header')] T1071.001 [('Chimera', 'used', 'HTTPS')] T1071.001 [('Chopper server component', 'executes'), ('code', 'sent')] T1071.001 [('Various implementations of', 'communicate')] T1071.001 [('One variant of', 'uses', 'HTTP')] T1071.001 [('Cobalt Group', 'used', 'HTTPS')] T1071.001 [('a custom command', 'use', 'Cobalt Strike'), ('protocol', 'use', 'Cobalt Strike'), ('control', 'use', 'Cobalt Strike'), ('HTTP', 'encapsulate', 'protocol')] T1071.001 [('All protocols', 'use', 'their standard ports'), ('their standard ports', 'assigned')] T1071.001 [('Comnie', 'uses', 'HTTP')] T1071.001 [('ComRAT', 'used', 'HTTP requests for command')] T1071.001 [('CORESHELL', 'communicate')] T1071.001 [('CosmicDuke', 'use', 'HTTP'), ('servers', 'coded')] T1071.001 [('CozyCar main method of', 'communicating'), ('CozyCar main method of', 'using', 'HTTP')] T1071.001 [('Crutch', 'conducted', 'C2 communications with a Dropbox account'), ('C2 communications with', 'using', 'the HTTP API')] T1071.001 [('CSPY Downloader', 'download', 'requests'), ('CSPY Downloader', 'download', 'additional payloads'), ('requests', 'get')] T1071.001 [('Dacls', 'use', 'HTTPS')] T1071.001 [('a TCP port', 'using', 'HTTP payloads')] T1071.001 [('DarkComet', 'use', 'HTTP for C2 communications')] T1071.001 [('Daserf', 'uses', 'HTTP for')] T1071.001 [('DealersChoice', 'uses', 'HTTP for communication with the C2 server')] T1071.001 [('Dipsind', 'uses', 'HTTP for')] T1071.001 [('Doki', 'communicated')] T1071.001 [('down_new', 'has', 'the ability'), ('the ability', 'use', 'HTTP in C2 communications')] T1071.001 [('Dridex', 'used', 'HTTPS')] T1071.001 [('Drovorub', 'use', 'the WebSocket protocol')] T1071.001 [('DustySky', 'used', 'HTTP')] T1071.001 [('Dyre', 'uses', 'HTTPS')] T1071.001 [('Egregor', 'communicated')] T1071.001 
[('ELMER', 'uses', 'HTTP for command')] T1071.001 [('Emissary', 'uses', 'HTTP')] T1071.001 [('Empire', 'conduct', 'command'), ('Empire', 'conduct', 'control over protocols like')] T1071.001 [('Epic', 'uses', 'HTTP')] T1071.001 [('EvilBunny', 'executed', 'C2 commands')] T1071.001 [('Exaramel for', 'uses', 'HTTPS')] T1071.001 [('Explosive', 'used', 'HTTP for communication')] T1071.001 [('a custom C2 protocol over', 'control', 'FatDuke')] T1071.001 [('Felismus', 'uses', 'HTTP for')] T1071.001 [('FELIXROOT', 'uses', 'HTTP')] T1071.001 [('FIN4', 'used', 'POST requests')] T1071.001 [('Final1stspy', 'uses', 'HTTP for')] T1071.001 [('FlawedAmmyy', 'used', 'HTTP for')] T1071.001 [('A Group file stealer', 'communicate')] T1071.001 [('GeminiDuke', 'uses', 'HTTP')] T1071.001 [('Get2', 'has', 'the ability'), ('the ability', 'send', 'HTTP'), ('the ability', 'send', 'information'), ('the ability', 'send', 'information'), ('information', 'collected')] T1071.001 [('Gold Dragon', 'uses', 'HTTP')] T1071.001 [('GoldenSpy', 'facilitate', 'the HTTP Client'), ('GoldenSpy', 'facilitate', 'HTTP internet communication')] T1071.001 [('GoldFinder', 'used', 'HTTP for')] T1071.001 [('GoldMax', 'used', 'HTTPS'), ('GoldMax', 'used', 'requests with HTTP cookies')] T1071.001 [('Goopy', 'has', 'the ability'), ('the ability', 'communicate')] T1071.001 [('Grandoreiro', 'has', 'the ability'), ('the ability', 'use', 'HTTP in C2 communications')] T1071.001 [('GravityRAT', 'uses', 'HTTP for')] T1071.001 [('GreyEnergy', 'uses', 'HTTP')] T1071.001 [('GuLoader', 'retrieve', 'HTTP'), ('GuLoader', 'retrieve', 'additional binaries')] T1071.001 [('HAFNIUM', 'used', 'source C2 frameworks'), ('source C2 frameworks', 'including')] T1071.001 [('The Uploader variant of HAMMERTOSS', 'visits', 'a server over'), ('a server over', 'coded'), ('a server over', 'download', 'the images'), ('HAMMERTOSS', 'receive', 'commands'), ('the images', 'receive', 'commands')] T1071.001 [('HAWKBALL', 'used', 'HTTP'), ('a single server', 
'coded')] T1071.001 [('Helminth', 'use', 'HTTP for')] T1071.001 [('Higaisa', 'send', 'HTTP'), ('Higaisa', 'send', 'data')] T1071.001 [('Hikit', 'used', 'HTTP for')] T1071.001 [('HTTPBrowser', 'used', 'HTTP')] T1071.001 [('httpclient', 'uses', 'HTTP for command')] T1071.001 [('HyperBro', 'used', 'HTTPS')] T1071.001 [('IcedID', 'used', 'HTTPS')] T1071.001 [('Inception', 'used', 'HTTP HTTPS')] T1071.001 [('InvisiMole', 'uses', 'HTTP for C2 communications')] T1071.001 [('Ixeshe', 'uses', 'HTTP for command')] T1071.001 [('JHUHUGIT variants', 'communicated')] T1071.001 [('Kazuar', 'uses', 'HTTP')] T1071.001 [('Kazuar', 'act')] T1071.001 [('Ke3chang RoyalCli', 'communicated')] T1071.001 [('Keydnap', 'uses', 'HTTPS')] T1071.001 [('Kinsing', 'communicated')] T1071.002 [('APT41', 'used', 'exploit payloads'), ('exploit payloads', 'initiate', 'download')] T1071.002 [('Attor', 'used', 'FTP protocol for C2 communication')] T1071.002 [('CARROTBALL', 'has', 'the ability'), ('the ability', 'use', 'FTP')] T1071.002 [('Honeybee', 'uses', 'FTP')] T1071.002 [('JPIN', 'communicate')] T1071.002 [('Kazuar', 'uses', 'FTP')] T1071.002 [('Kimsuky', 'download', 'FTP'), ('Kimsuky', 'download', 'additional malware')] T1071.002 [('Machete', 'uses', 'FTP')] T1071.002 [('NOKKI', 'used', 'FTP')] T1071.002 [('PoetRAT', 'used', 'FTP')] T1071.002 [('ShadowPad', 'used', 'FTP')] T1071.002 [('SilverTerrier', 'uses', 'FTP')] T1071.002 [('SYSCON', 'has', 'the ability'), ('the ability', 'use', 'FTP')] T1071.002 [('XAgentOSX', 'contains', 'the ftpUpload function'), ('XAgentOSX', 'contains', 'uploadFile method'), ('uploadFile method', 'upload', 'files')] T1071.002 [('ZxShell', 'used', 'FTP')] T1071.003 [('Agent Tesla', 'used', 'SMTP')] T1071.003 [('APT28', 'used', 'SMTP'), ('APT28', 'used', 'servers of its victims'), ('various implants', 'using', 'accounts'), ('accounts', 'registered'), ('servers of', 'compromised')] T1071.003 [('APT32', 'used', 'email for C2')] T1071.003 [('BadPatch', 'uses', 'SMTP')] 
T1071.003 [('Cannon', 'uses', 'SMTP / S')] T1071.003 [('Various implementations of', 'communicate')] T1071.003 [('ComRAT', 'use', 'email attachments for command')] T1071.003 [('CORESHELL', 'communicate')] T1071.003 [('Goopy', 'has', 'the ability'), ('the ability', 'use', 'a backdoor macro'), ('the ability', 'communicate')] T1071.003 [('JPIN', 'send', 'email')] T1071.003 [('Kimsuky', 'send', 'e'), ('Kimsuky', 'send', '-'), ('Kimsuky', 'send', 'mail'), ('Kimsuky', 'send', 'data'), ('data', 'exfiltrated')] T1071.003 [('LightNeuron', 'uses', 'SMTP')] T1071.003 [('NavRAT', 'uses', 'the email platform Naver'), ('C2 communications', 'leveraging', 'SMTP')] T1071.003 [('OLDBAIT', 'use', 'SMTP')] T1071.003 [('RDAT', 'use', 'email attachments')] T1071.003 [('SilverTerrier', 'uses', 'SMTP')] T1071.003 [('Turla', 'used', 'multiple backdoors'), ('which', 'communicate')] T1071.003 [('Zebrocy', 'uses', 'SMTP')] T1071.004 [('Variants of', 'use', 'DNS')] T1071.004 [('APT18', 'uses', 'DNS')] T1071.004 [('APT39', 'used', 'access tools'), ('access tools', 'leverage', 'DNS')] T1071.004 [('APT41', 'used', 'DNS for C2 communications')] T1071.004 [('BONDUPDATER', 'use', 'DNS'), ('BONDUPDATER', 'use', 'records'), ('BONDUPDATER', 'use', 'tunneling protocol for command')] T1071.004 [('Chimera', 'encapsulate', 'Cobalt Strike'), ('Chimera', 'encapsulate', 'C2')] T1071.004 [('Cobalt Group', 'used', 'DNS'), ('DNS', 'tunneling')] T1071.004 [('Cobalt Strike', 'use', 'a custom command'), ('Cobalt Strike', 'use', 'protocol'), ('Cobalt Strike', 'use', 'control'), ('protocol', 'encapsulated')] T1071.004 [('All protocols', 'use', 'their standard ports'), ('their standard ports', 'assigned')] T1071.004 [('Cobian RAT', 'uses', 'DNS')] T1071.004 [('Denis', 'used', 'DNS'), ('DNS', 'tunneling')] T1071.004 [('Ebury', 'used', 'DNS requests over UDP port')] T1071.004 [('FIN7', 'performed', 'C2')] T1071.004 [('Goopy', 'has', 'the ability'), ('the ability', 'communicate')] T1071.004 [('Helminth', 'use', 'DNS')] 
T1071.004 [('HTTPBrowser', 'used', 'DNS for command')] T1071.004 [('InvisiMole', 'used', 'a custom implementation of'), ('a custom implementation of', 'tunneling'), ('a custom implementation of', 'embed', 'C2 communications in DNS requests')] T1071.004 [('Ke3chang malware RoyalDNS', 'used', 'DNS')] T1071.004 [('Matryoshka', 'uses', 'DNS')] T1071.004 [('NanHaiShu', 'uses', 'DNS for the C2 communications')] T1071.004 [('OilRig', 'used', 'DNS')] T1071.004 [('Pisloader', 'uses', 'DNS')] T1071.004 [('DNS for command', 'use', 'PlugX')] T1071.004 [('POWERSOURCE', 'uses', 'DNS TXT records'), ('POWERSOURCE', 'uses', 'for C2')] T1071.004 [('POWRUNER', 'use', 'DNS for C2 communications')] T1071.004 [('QUADAGENT', 'uses', 'DNS')] T1071.004 [('RDAT', 'used', 'DNS')] T1071.004 [('ShadowPad', 'used', 'DNS'), ('DNS', 'tunneling')] T1071.004 [('SUNBURST', 'used', 'DNS for C2 traffic'), ('C2 traffic', 'mimic', 'normal SolarWinds API communications'), ('C2 traffic', 'mimic', 'normal SolarWinds API communications')] T1071.004 [('TEXTMATE', 'uses', 'DNS TXT records'), ('TEXTMATE', 'uses', 'for C2')] T1071.004 [('Trooper backdoor', 'communicated')] T1071.004 [('WellMess', 'has', 'the ability'), ('the ability', 'use', 'DNS'), ('the ability', 'tunneling')] T1074.001 [('ADVSTORESHELL stores', 'output')] T1074.001 [('APT28', 'stored', 'information in a file'), ('information in', 'captured'), ('a file', 'named', 'pi.log')] T1074.001 [('files for exfiltration in a single location', 'stage', 'APT3')] T1074.001 [('APT39', 'aggregate', 'tools'), ('APT39', 'aggregate', 'data')] T1074.001 [('Astaroth', 'collects', 'data'), ('a plaintext file', 'named', 'r1.log')] T1074.001 [('Attor', 'collected', 'data')] T1074.001 [('BADNEWS', 'copies', 'documents under 15 MB'), ('documents under', 'found')] T1074.001 [('It', 'copies', 'files from USB devices')] T1074.001 [('BadPatch stores', 'collected', 'data in log files')] T1074.001 [('Calisto', 'store', 'a hidden directory'), ('Calisto', 'store', 'data'), 
('a hidden directory', 'named', '.calisto')] T1074.001 [('a base directory', 'create', 'Carbon'), ('the files', 'contain', 'a base directory'), ('folders', 'contain', 'a base directory'), ('a base directory', 'collected')] T1074.001 [('the data from the machine', 'gathered')] T1074.001 [('Chimera', 'staged', 'data'), ('data', 'stolen'), ('hosts', 'compromised')] T1074.001 [('Crutch', 'staged', 'files'), ('files', 'stolen')] T1074.001 [('a directory', 'named', 'in folder'), ('files', 'copied')] T1074.001 [('Dtrack', 'collected', 'data')] T1074.001 [('Modules', 'pushed')] T1074.001 [('DustySky', 'created', 'folders')] T1074.001 [('Dyre', 'has', 'the ability'), ('the ability', 'create', 'files in a TEMP folder'), ('the ability', 'act'), ('a database', 'store', 'information')] T1074.001 [('ECCENTRICBANDWAGON', 'stored', 'keystrokes'), ('ECCENTRICBANDWAGON', 'stored', '% temp%\\Downloads'), ('ECCENTRICBANDWAGON', 'stored', 'screenshots'), ('ECCENTRICBANDWAGON', 'stored', '% temp%\\TrendMicroUpdate directories')] T1074.001 [('Elise', 'creates', 'a file in AppData\\Local\\Microsoft\\Windows\\Explorer'), ('Elise', 'creates', 'stores all data in that file'), ('stores all data in', 'harvested')] T1074.001 [('Exaramel for', 'specifies', 'a path'), ('files', 'scheduled')] T1074.001 [('FIN5 scripts', 'save', 'dump data')] T1074.001 [('it', 'copies')] T1074.001 [('FrameworkPOS', 'identify', 'track data on the victim')] OBJS_ files T1074.001 [('GALLIUM', 'compressed', 'files')] T1074.001 [('stores information', 'gathered'), ('a file', 'named', '1.hwp')] T1074.001 [('Helminth', 'store', 'folders'), ('Helminth', 'store', 'output')] T1074.001 [('Honeybee', 'adds', 'files'), ('files', 'collected'), ('a temp.zip file', 'saved'), ('folder', 'base64'), ('temp% folder then base64', 'encodes', 'it')] T1074.001 [('InvisiMole', 'determines', 'a directory'), ('a directory', 'working'), ('it', 'stores', 'all the data about the machine'), ('all the data about', 'gathered'), ('the machine', 
'compromised')] T1074.001 [('Kazuar stages', 'command', 'output')] T1074.001 [('information', 'collected'), ('a file', 'named', '" info "')] T1074.001 [('Kimsuky', 'staged', 'files under'), ('Kimsuky', 'staged', 'DB\\.'), ('files under', 'collected')] T1074.001 [('information', 'save', 'malware IndiaIndia'), ('the %', 'save', 'a file'), ('encrypted', 'compress', 'TEMP% directory')] T1074.001 [('Leviathan', 'used', 'C:\\Windows\\Debug'), ('Leviathan', 'used', 'C:\\Perflogs')] T1074.001 [('LightNeuron', 'store', 'email data'), ('files', 'specified')] T1074.001 [('stages data prior', 'saved')] T1074.001 [('MESSAGETAP', 'stored', 'targeted SMS messages'), ('targeted SMS messages', 'matched', 'its target list'), ('the system', 'compromised')] T1074.001 [('MoonWind', 'saves', 'information')] T1074.001 [('Mustang Panda', 'collected', 'credential files')] T1074.001 [('Mustang Panda', 'stored', 'documents for exfiltration in a hidden folder on USB drives')] T1074.001 [('NavRAT', 'writes', 'multiple outputs')] T1074.001 [('NETWIRE', 'has', 'the ability'), ('the ability', 'write', 'data'), ('data', 'collected'), ('a file', 'created')] T1074.001 [('NOKKI', 'collect', 'data from the victim')] T1074.001 [('OopsIE', 'stages', 'the output from command execution')] T1074.001 [('Operation Wocao', 'staged', 'archived files')] T1074.001 [('all files', 'copy', 'Patchwork'), ('a directory', 'copy', 'Patchwork'), ('all files', 'targeted'), ('index', 'call', 'a directory'), ('the C&C server', 'upload', 'a directory')] T1074.001 [('PoisonIvy stages', 'collected', 'data')] T1074.001 [('a % USERPROFILE%\\AppData\\Local\\SKC\\', 'create', 'Prikormka'), ('files', 'store', 'which'), ('files', 'store', 'a % USERPROFILE%\\AppData\\Local\\SKC\\'), ('files', 'collected')] T1074.001 [('Pteranodon', 'creates', 'various subdirectories under %')] T1074.001 [('It', 'creates', 'a folder')] T1074.001 [('PUNCHBUGGY', 'saved', 'information')] T1074.001 [('PUNCHTRACK aggregates', 'collected', 'data in a tmp 
file')] T1074.001 [('Ramsay', 'stage', 'data')] T1074.001 [('RawPOS', 'capture', 'Data'), ('a temporary file', 'place', 'Data'), ('a directory', 'place', 'Data'), ('" memdump', 'name', 'a directory')] T1074.001 [('Rover copies files from to .', 'c:\\system')] T1074.001 [('Sidewinder', 'collected', 'files'), ('files', 'stolen')] T1074.001 [('SPACESHIP', 'identifies', 'files with certain extensions')] T1074.001 [('staging folders', 'create', 'TEMP.Veles'), ('directories', 'create', 'TEMP.Veles'), ('legitimate users', 'use', 'directories'), ('processes', 'use', 'directories')] T1074.001 [('Threat Group-3390', 'staged', 'encrypted archives')] T1074.001 [('Karagany', 'create', 'directories'), ('directories', 'store', 'plugin output'), ('directories', 'store', 'data'), ('directories', 'store', 'stage')] T1074.001 [('Ursnif', 'used', 'tmp files'), ('Ursnif', 'used', 'information'), ('information', 'gathered')] T1074.001 [('collects files', 'matching', 'certain criteria'), ('collects files', 'stores', 'them')] T1074.001 [('Zebrocy stores all', 'collected', 'information')] T1074.002 [('APT29', 'staged', 'data'), ('APT29', 'staged', 'files'), ('archives', 'protected')] T1074.002 [('Chimera', 'staged', 'data on servers in the target environment'), ('data on', 'stolen'), ('servers in', 'designated')] T1074.002 [('FIN6 actors', 'compressed', 'data from remote systems')] T1074.002 [('FIN8 aggregates', 'staged', 'data')] T1074.002 [('menuPass', 'staged', 'data on remote MSP systems')] T1074.002 [('Night Dragon', 'copied', 'files')] T1074.002 [('encrypted archives', 'stage', 'Threat Group-3390'), ('servers', 'stage', 'Threat Group-3390'), ('servers', 'facing'), ('China Chopper', 'compromise', 'servers')] T1074.002 [('UNC2452', 'staged', 'data'), ('UNC2452', 'staged', 'files'), ('archives on victim OWA server', 'protected')] T1078.001 [('HyperStack', 'use', 'default credentials')] T1078.001 [('Stuxnet', 'infected', 'WinCC machines')] T1078.001 [('Threat actors', 'targeting', 
'government sectors'), ('Threat actors', 'abuse', 'default guest'), ('Threat actors', 'abuse', 'administrator')] T1078.001 [('CobaltStrike beacons', 'maintain', 'persistence')] T1078.002 [('APT29', 'used', 'valid accounts'), ('valid accounts', 'including'), ('networks', 'compromised')] T1078.002 [('APT3', 'leverages', 'valid accounts')] T1078.002 [('Chimera', 'gain', 'accounts'), ('Chimera', 'gain', 'access to the target environment'), ('accounts', 'compromised')] T1078.002 [('Cobalt Strike', 'run', 'credentials'), ('Cobalt Strike', 'run', 'commands'), ('Cobalt Strike', 'run', 'spawn processes'), ('credentials', 'known')] T1078.002 [('Indrik Spider', 'collected', 'credentials from infected systems'), ('infected systems', 'including')] T1078.002 [('Operation Wocao', 'used', 'domain credentials'), ('domain credentials', 'including')] T1078.002 [('Ryuk', 'use', 'admin accounts'), ('domain', 'stolen')] T1078.002 [('Sandworm Team', 'access', 'credentials'), ('Sandworm Team', 'access', 'administrative accounts'), ('credentials', 'stolen')] T1078.002 [('Shamoon', '!access', 'shares'), ('it', 'attempts', 'access'), ('access', 'using', 'hard credentials'), ('hard credentials', 'coded'), ('hard credentials', 'gathered')] T1078.002 [('TA505', 'compromise', 'admin accounts'), ('TA505', 'compromise', 'additional hosts'), ('domain', 'stolen')] T1078.002 [('Group-1314 actors', 'used', 'credentials'), ('credentials', 'compromised')] T1078.002 [('Wizard Spider', 'used', 'administrative accounts'), ('administrative accounts', 'including')] T1078.003 [('APT32', 'used', 'legitimate local account credentials')] T1078.003 [('Cobalt Strike', 'run', 'credentials'), ('Cobalt Strike', 'run', 'commands'), ('Cobalt Strike', 'run', 'spawn processes'), ('credentials', 'known')] T1078.003 [('Emotet', 'brute', 'force'), ('Emotet', 'brute', 'a local admin password')] T1078.003 [('FIN10', 'using', 'the Administrator account')] T1078.003 [('HAFNIUM', 'create', 'the AUTHORITY\\SYSTEM account'), 
('HAFNIUM', 'create', 'files on Exchange servers')] T1078.003 [('NotPetya', 'spread', 'valid credentials'), ('NotPetya', 'spread', 'itself')] T1078.003 [('Operation Wocao', 'used', 'local account credentials'), ('local account credentials', 'found')] T1078.003 [('PROMETHIUM', 'created', 'admin accounts'), ('a host', 'compromised')] T1078.003 [('Stolen Pencil', 'has', 'a tool'), ('a tool', 'add', 'an admin account'), ('order', 'allow'), ('them', 'ensure', 'continued access via')] T1078.003 [('Tropic Trooper', 'execute', 'credentials'), ('Tropic Trooper', 'execute', 'the backdoor'), ('credentials', 'known')] T1078.003 [('Turla', 'abused', 'local accounts'), ('local accounts', 'have', 'the same password across the victim network')] T1078.003 [('Umbreon', 'provide', 'valid local users'), ('Umbreon', 'provide', 'access to the system')] T1078.004 [('APT33', 'used', 'Office 365 accounts in an attempt'), ('Office', 'compromised'), ('an attempt', 'gain', 'control of endpoints')] T1078.004 [('APT28', 'collect', 'accounts with Administrator privileges'), ('APT28', 'collect', 'email'), ('accounts with', 'compromised')] T1078.004 [('Some threat actors', 'create', 'legitimate accounts on platforms'), ('platforms', 'targeted')] T1078.004 [('Threat actors', 'create', 'accounts with on environment'), ('adversaries', 'create', 'accounts with on'), ('environment', 'targeted'), ('accounts with on', 'steal', 'large amounts of data')] T1078.004 [('credentials for accounts', 'compromised'), ('accounts', 'related'), ('credentials for', 'allow'), ('malware', 'steal', 'data'), ('malware', 'steal', 'information'), ('actors', 'steal', 'data'), ('actors', 'steal', 'information')] T1078.004 [('relationships of any cloud account', 'trusted'), ('any cloud account', 'given', 'to employees'), ('an effective means', 'conduct', 'malicious activity')] T1082 [('List', 'os', 'Information')] T1087.001 [('actors', 'used', 'the commands'), ('actors', 'used', 'net user > % temp%\\download net user'), 
('actors', 'used', '> % temp%\\download'), ('the commands', 'following')] T1087.001 [('Agent Tesla', 'collect', 'account information from the victim machine')] T1087.001 [('APT1', 'find', 'the commands user'), ('APT1', 'find', 'accounts on the system')] T1087.001 [('APT3', 'used', 'a tool'), ('a tool', 'obtain', 'info about power users')] T1087.001 [('administrative users', 'using', 'the commands'), ('administrative users', 'using', 'net localgroup administrators')] T1087.001 [('Bankshot', 'gathers', 'domain'), ('Bankshot', 'gathers', 'names / information through process monitoring'), ('Bankshot', 'gathers', 'account')] T1087.001 [('Bazar', 'identify', 'administrator accounts on an infected host')] T1087.001 [('BitPaymer', 'enumerate', 'the sessions for each user')] T1087.001 [('BloodHound', 'identify', 'users')] T1087.001 [('Chimera', 'used', 'net user for account discovery')] T1087.001 [('Comnie', 'uses', 'the user command')] T1087.001 [('The discovery modules', 'used'), ('The discovery modules', 'collect', 'information on accounts')] T1087.001 [('net user', 'execute', 'Elise'), ('to server', 'make', 'initial communication')] T1087.001 [('Empire', 'acquire', 'account information')] T1087.001 [('Epic', 'gathers', 'a list of all accounts privilege classes')] T1087.001 [('Fox Kitten', 'accessed', 'ntuser.dat'), ('hosts', 'compromised')] T1087.001 [('GeminiDuke', 'collects', 'information on local user'), ('GeminiDuke', 'collects', 'accounts from the victim')] T1087.001 [('HyperStack', 'enumerate', 'all')] T1087.001 [('InvisiMole', 'has', 'a command'), ('a command', 'list', 'account information on the victim machine')] T1087.001 [('Kazuar', 'gathers', 'information on local groups')] T1087.001 [('Ke3chang', 'performs', 'account discovery'), ('account discovery', 'using', 'commands as net localgroup administrators')] T1087.001 [('Kwampirs', 'collects', 'a list of accounts with the command net users')] T1087.001 [('Mis - Type', 'create', 'a file'), ('Mis - Type', 'create', 
'cmd.exe'), ('Mis - Type', 'create', 'net user { Username }'), ('a file', 'containing', 'the results of the command')] T1087.001 [('MURKYTOP', 'has', 'the capability'), ('the capability', 'retrieve', 'information about users')] T1087.001 [('Net', 'gather', 'Commands under net user'), ('information about', 'gather', 'Commands under')] T1087.001 [('OilRig', 'run', 'user net user'), ('OilRig', 'run', 'groupdomain admins\x9d /domain'), ('OilRig', 'run', '/domain'), ('OilRig', 'run', 'net groupExchange Subsystem\x9d'), ('net groupExchange Subsystem\x9d', 'trusted')] T1087.001 [('OSInfo', 'enumerates', 'local users')] T1087.001 [('P.A.S. Webshell', 'display', 'the /etc passwd file'), ('a host', 'compromised')] T1087.001 [('Pony', 'enumerate', 'the NetUserEnum function'), ('Pony', 'enumerate', 'local accounts')] T1087.001 [('Poseidon Group', 'searches')] T1087.001 [('PoshC2', 'enumerate', 'account information')] T1087.001 [('PowerSploit ProcessTokenGroup PowerUp module', 'enumerate', 'all SIDs'), ('all SIDs', 'associated')] T1087.001 [('POWERSTATS', 'retrieve', 'usernames from hosts'), ('hosts', 'compromised')] T1087.001 [('PUNCHBUGGY', 'gather', 'user names')] T1087.001 [('Pupy', 'perform', 'PowerView'), ('Pupy', 'perform', 'discovery commands as')] T1087.001 [('RATANKBA', 'uses', 'the user command')] T1087.001 [('Remsec', 'obtain', 'a list of users')] T1087.001 [('S - Type', 'runs', 'the command net user on a victim')] T1087.001 [('S - Type', 'determine', 'tests'), ('S - Type', 'determine', 'the privilege level of the user'), ('the user', 'compromised')] T1087.001 [('SHOTPUT', 'has', 'a command'), ('a command', 'retrieve', 'information about connected users')] T1087.001 [('SoreFang', 'collect', 'usernames from the local system')] T1087.001 [('Threat Group-3390', 'conduct', 'net user'), ('Threat Group-3390', 'conduct', 'internal discovery of systems')] T1087.001 [('TrickBot', 'collects', 'the users of the system')] T1087.001 [('Turla', 'used', 'net user')] T1087.001 
[('USBferry', 'gather', 'net user'), ('USBferry', 'gather', 'information about local accounts')] T1087.001 [('Valak', 'has', 'the ability'), ('the ability', 'enumerate', 'local admin accounts')] T1087.001 [('sudoers', 'view'), ('sudoers', 'access')] T1087.001 [('View', 'accounts')] T1087.001 [('List', 'opened', 'files')] T1087.001 [('a user account', 'logged')] T1087.001 [('Enumerate all', 'accounts')] T1087.001 [('Enumerate all', 'accounts')] T1087.001 [('Enumerate', 'logged')] T1087.002 [('AdFind', 'enumerate', 'domain users')] T1087.002 [('Bankshot', 'gathers', 'domain'), ('Bankshot', 'gathers', 'names / information through process monitoring'), ('Bankshot', 'gathers', 'account')] T1087.002 [('Bazar', 'has', 'the ability'), ('the ability', 'identify', 'administrator accounts')] T1087.002 [('BloodHound', 'collect', 'information about domain users'), ('domain users', 'including')] T1087.002 [('BRONZE BUTLER', 'identify', 'net user'), ('BRONZE BUTLER', 'identify', 'account information')] T1087.002 [('Chimera', 'used', 'net user'), ('domain accounts', 'including')] T1087.002 [('Cobalt Strike', 'determine'), ('the admin group', 'domain')] T1087.002 [('CrackMapExec', 'enumerate'), ('the domain user', 'accounts'), ('a system', 'targeted')] T1087.002 [('information on user accounts', 'gather', 'dsquery'), ('a domain', 'gather', 'dsquery')] T1087.002 [('Empire', 'acquire', 'account information')] T1087.002 [('FIN6', 'obtain', 'MetasploitPsExec NTDSGRAB module'), ('FIN6', 'obtain', 'a copy of victim Directory database')] T1087.002 [('Fox Kitten', 'browse', 'the Softerra LDAP browser'), ('Fox Kitten', 'browse', 'documentation on service accounts')] T1087.002 [('IcedID', 'query', 'LDAP')] T1087.002 [('Ke3chang', 'performs', 'account discovery'), ('account discovery', 'using', 'commands as net localgroup administrators')] T1087.002 [('menuPass', 'export', 'the Microsoft administration tool csvde.exe'), ('menuPass', 'export', 'Directory data')] T1087.002 [('MuddyWater', 
'used', 'cmd.exe'), ('MuddyWater', 'used', 'net user /domain')] T1087.002 [('the /domain flag', 'use', 'Net commands'), ('information about', 'gather', 'Net commands'), ('user', 'manipulate')] T1087.002 [('OilRig', 'run', 'user net user'), ('OilRig', 'run', 'groupdomain admins\x9d /domain'), ('OilRig', 'run', '/domain'), ('OilRig', 'run', 'net groupExchange Subsystem\x9d'), ('net groupExchange Subsystem\x9d', 'trusted')] T1087.002 [('Operation Wocao', 'retrieve', 'the net command'), ('Operation Wocao', 'retrieve', 'information about domain accounts')] T1087.002 [('OSInfo', 'enumerates', 'local users')] T1087.002 [('Poseidon Group', 'searches')] T1087.002 [('PoshC2', 'enumerate', 'account information')] T1087.002 [('POWRUNER', 'collect', 'account information')] T1087.002 [('Sandworm Team', 'using', 'a tool'), ('Sandworm Team', 'using', 'LDAP'), ('a tool', 'query', 'Active Directory'), ('usernames', 'listed')] T1087.002 [('SoreFang', 'enumerate', 'domain accounts')] T1087.002 [('Sykipot', 'display', 'group " domain admins "'), ('Sykipot', 'display', 'accounts in the " admins permissions group')] T1087.002 [('Turla', 'used', 'net user /domain')] T1087.002 [('Valak', 'has', 'the ability'), ('the ability', 'enumerate', 'admin accounts')] T1087.002 [('Wizard Spider', 'identified', 'domain admins')] T1087.002 [('Enumerate all', 'accounts')] T1087.002 [('Enumerate', 'logged')] T1087.002 [('policy', 'adfind')] T1087.003 [('Oldrea', 'collects')] T1087.003 [('a module', 'leverage', 'Emotet'), ('email addresses', 'scrape', 'a module'), ('Outlook', 'scrape', 'a module')] T1087.003 [('Grandoreiro', 'parse', 'Outlook')] T1087.003 [('account names from', 'obtain', 'MailSniper')] T1087.003 [('Exchange users', 'enumerate', 'Ruler')] T1087.003 [('Sandworm Team', 'used', 'malware')] T1087.003 [('TA505', 'used', 'the tool EmailStealer')] T1087.003 [('TrickBot', 'collects', 'email addresses')] T1087.003 [('Threat actors', 'gather', 'more targets'), ('tools', 'lists'), ('a company email', 
'naming', 'convention')] T1087.003 [('Some actors', 'use', 'source malware'), ('Some actors', 'use', 'tools')] T1087.003 [('the advanced threat groups in ,', 'use', 'Spearphishing'), ('the potential value', 'show', 'which'), ('threat actors', 'extract'), ('the potential value', 'discovering'), ('the potential value', 'target')] T1087.003 [('Malware', 'used'), ('discovery', 'automate')] T1087.003 [('Actors', 'exploit', 'vulnerabilities , as ,')] T1087.004 [('Actors', 'use')] T1087.004 [('PowerShell cmdlet )', 'let'), ('PowerShell cmdlet )', 'get', 'user role'), ('PowerShell cmdlet )', 'get', 'permissions groups')] T1087.004 [('commands', 'run', 'malware'), ('commands', 'run', 'actors'), ('the az list command', 'do', 'this')] T1087.004 [('actors', 'run', 'commands'), ('actors', 'run', 'such as kubectl config view'), ('users', 'get'), ('users', 'defined')] T1087.004 [('Actors', 'get', 'command aws list - users'), ('Actors', 'get', 'users'), ('malware', 'get', 'command aws list - users'), ('malware', 'get', 'users')] T1087.004 [('policy', 'get')] T1090.001 [('APT29', 'use', 'one instance of'), ('APT29', 'use', 'a network pipe over')] T1090.001 [('APT39', 'create', 'custom tools'), ('APT39', 'create', 'SOCKS5'), ('APT39', 'create', 'protocol proxies'), ('hosts', 'infected')] T1090.001 [('ZJ variant of', 'allows', '" link " infections with Internet access'), ('" link " infections with', 'relay', 'traffic'), ('" link " infections with', 'listen')] T1090.001 [('CHOPSTICK', 'used', 'a proxy server between victims')] T1090.001 [('commands', 'have', 'Cobalt Strike'), ('a peer network of hosts', 'relay', 'commands'), ('hosts', 'infected')] T1090.001 [('the number of egress points', 'limit', 'This')] T1090.001 [('Drovorub', 'relay', 'a forwarding rule'), ('Drovorub', 'relay', 'network traffic')] T1090.001 [('commands', 'have', 'Duqu'), ('a peer network of hosts', 'relay', 'commands'), ('hosts', 'infected'), ('Internet access', '!have', 'some of the hosts')] T1090.001 
[('FatDuke', 'connect', 'pipes'), ('FatDuke', 'connect', 'machines'), ('access to via other infected hosts', 'restricted')] T1090.001 [('Higaisa', 'discovered', 'system proxy settings')] T1090.001 [('Hikit', 'supports', 'peer connections')] T1090.001 [('InvisiMole', 'function'), ('a server', 'relays', 'communication between client server')] T1090.001 [('Kazuar', 'used', 'internal nodes'), ('the network for C2 communications', 'compromised')] T1090.001 [('MiniDuke', 'use', 'a pipe'), ('a pipe', 'named'), ('communications from with internet access to other machines', 'forward'), ('one machine', 'compromised'), ('other machines', 'compromised')] T1090.001 [('Operation Wocao', 'proxy', 'traffic'), ('multiple systems', 'infected')] T1090.001 [('Pay2Key', 'channel', 'machines'), ('Pay2Key', 'channel', 'points'), ('Pay2Key', 'channel', 'communications'), ('the network', 'compromised')] T1090.001 [('Strider', 'used', 'local servers'), ('both network access', 'act'), ('both network access', 'exfiltrate', 'data from other parts of the network')] T1090.001 [('UNC2452', 'use', 'one instance of'), ('UNC2452', 'use', 'a network pipe')] T1090.001 [('SideWalk , backdoor', 'deploy', 'APT group'), ('SideWalk , backdoor', 'deploy', 'SparklingGoblin'), ('shellcode', 'utilise', 'which'), ('C2 domains', 'contain', 'a backdoor'), ('C2 domains', 'contain', 'a backdoor'), ('the use of an internal proxy', 'communicate', 'which')] T1090.001 [('Pysa , group ,', 'obfuscate', 'a Chisel tunneling tool'), ('Pysa , group ,', 'obfuscate', 'malicious , outbound traffic'), ('a Chisel tunneling tool', 'named', 'MagicSocks')] T1090.001 [('a tool', 'distributed'), ('a tool', 'hosts', 'a variety of functionality for communication with outside networks')] T1090.002 [('APT28', 'used', 'other victims'), ('proxies', 'relay', 'command traffic'), ('a server', 'compromised')] T1090.002 [('The group', 'used', 'a tool'), ('a tool', 'acts'), ('a tool', 'allow', 'C2')] T1090.002 [('APT28', 'used', 'a machine')] 
T1090.002 [('An APT3 downloader', 'establishes', 'SOCKS5 connections for its initial C2')] T1090.002 [('APT39', 'used', 'various tools')] T1090.002 [('FIN5', 'maintains', 'access to victim environments')] T1090.002 [('GALLIUM', 'redirect', 'a version of'), ('GALLIUM', 'redirect', 'connections between networks'), ('a version of', 'modified')] T1090.002 [('InvisiMole InvisiMole', 'identify', 'proxy servers'), ('proxy servers', 'used')] T1090.002 [('Lazarus Group', 'obfuscate', 'multiple proxies'), ('Lazarus Group', 'obfuscate', 'network traffic')] T1090.002 [('menuPass', 'used', 'provider IP')] T1090.002 [('MuddyWater', 'obfuscate', 'POWERSTATS'), ('MuddyWater', 'obfuscate', 'the C2 location')] T1090.002 [('MuddyWater', 'used', 'a series of websites victims'), ('websites victims', 'compromised'), ('that victims', 'connected'), ('that victims', 'relay', 'information'), ('that victims', 'relay', 'information'), ('that victims', 'command')] T1090.002 [('Okrum', 'identify', 'proxy servers'), ('proxy servers', 'used'), ('HTTP requests', 'c2', 'its server')] T1090.002 [('POWERSTATS', 'connected')] T1090.002 [('Regin', 'leveraged', 'several universities'), ('several universities', 'compromised')] T1090.002 [('ShimRat', 'use', 'pre - configured HTTP proxies')] T1090.002 [('Silence', 'used', 'ProxyBot'), ('which', 'allows'), ('the attacker', 'redirect', 'traffic')] T1090.003 [('APT28', 'routed', 'traffic')] T1090.003 [('A backdoor', 'used'), ('A backdoor', 'created', 'a service'), ('a service', 'hidden'), ('local ports Netbios 445', 'enabling', 'full remote access from')] T1090.003 [('Attor', 'used', 'Tor for C2 communication')] T1090.003 [('Dok downloads', 'installs', 'Tor')] T1090.003 [('FIN4', 'used', 'Tor')] T1090.003 [('GreyEnergy', 'used', 'Tor relays')] T1090.003 [('Inception', 'used', 'chains of routers'), ('routers', 'compromised')] T1090.003 [('Keydnap', 'uses', 'a copy of tor2web proxy')] T1090.003 [('MacSpy', 'uses', 'Tor for command')] T1090.003 [('Operation 
Wocao', 'executed', 'commands'), ('the shell', 'installed')] T1090.003 [('StrongPity', 'hide', 'multiple layers of proxy servers'), ('StrongPity', 'hide', 'terminal nodes')] T1090.003 [('the Tor network', 'traverse', 'Traffic'), ('multiple nodes', 'forward', 'Traffic')] T1090.003 [('Ursnif', 'used', 'Tor')] T1090.003 [('WannaCry', 'uses', 'Tor')] T1090.004 [('APT29', 'hide', 'the domain plugin'), ('APT29', 'hide', 'the destination of C2 traffic'), ('the domain plugin', 'fronting')] T1090.004 [('Domain Fronting', 'disguise', 'meek'), ('the destination of network traffic', 'disguise', 'meek'), ('another server', 'disguise', 'meek'), ('the same Delivery Network ( CDN )', 'host', 'another server'), ('the destination', 'host', 'another server'), ('the destination', 'intended')] T1090.004 [('The Prometei botnet', 'utilise', 'domain'), ('domain', 'fronting'), ('domain', 'hide')] T1090.004 [('bots', 'compromised')] T1090.004 [('APT29', 'inserts', 'multiple domains')] T1090.004 [('Evilnum', 'utilises', 'scripts'), ('scripts', 'facilitate', 'a proxy connection')] T1098 [('user to Azure AD role', 'adding')] T1098 [('principal to', 'adding'), ('principal to', 'azure', 'AD role')] T1098 [('user to in subscription', 'adding')] T1098 [('principal to', 'adding'), ('principal to', 'azure', 'role in subscription')] T1098 [('permission', 'adding'), ('permission', 'application')] T1098.001 [('APT29', 'added', 'credentials')] T1098.001 [('UNC2452', 'added', 'credentials')] T1098.001 [('Threat actors', 'add', 'their own credentials'), ('an account', 'compromised')] T1098.001 [('Some malware', 'gain', 'illicit access to an account that'), ('actors', 'gain', 'illicit access to')] T1098.001 [('an actor', 'breach', 'cloud'), ('there', 'are', 'numerous ways'), ('the adversary', 'add', 'their own credentials')] T1098.002 [('APT29', 'added', 'their own devices'), ('active sync', 'using', 'Set - CASMailbox'), ('active sync', 'allowing'), ('it', 'obtain', 'copies of victim mailboxes')] T1098.002 
[('It', 'added', 'additional permissions ( as')] T1098.002 [('Magic Hound', 'granted', 'accounts'), ('accounts', 'compromised')] T1098.002 [('UNC2452', 'added', 'their own devices'), ('active sync', 'using', 'Set - CASMailbox'), ('active sync', 'allowing'), ('it', 'obtain', 'copies of victim mailboxes')] T1098.002 [('It', 'added', 'additional permissions ( as')] T1098.002 [('Attacker', 'added', 'their own devices'), ('a number of mailboxes', 'using', 'Set - CASMailbox')] OBJS_ accounts T1098.002 [('adversary', 'assign', 'Set - CASMailbox'), ('more access rights', 'assign', 'Set - CASMailbox'), ('the accounts', 'assign', 'Set - CASMailbox'), ('they', 'wish'), ('these accounts', 'compromise', 'the accounts'), ('these accounts', 'use', 'the accounts')] T1098.003 [('WastedLocker', 'achieves', 'persistence'), ('accounts', 'existing')] T1098.003 [('Phishing campaigns', 'targeting', 'business , tech'), ('Phishing campaigns', 'compromise', 'emails'), ('Phishing campaigns', 'compromise', 'an account'), ('emails', 'phishing')] T1098.003 [('accounts', 'compromise', 'SODINOKIBI , ransomware ,'), ('privileges', 'execute', 'malicious code'), ('an account', 'achieve', 'privileges'), ('an administrator of', 'upgrade', 'an account')] T1098.003 [('APT41', 'employs', 'a variety of persistence methods ,'), ('one of', 'increasing', 'account privileges'), ('a variety of', 'increasing', 'account privileges'), ("a account 's", 'compromised')] T1098.003 [('order', 'compromise', 'more accounts'), ('TEMP.Zagros', 'employs', 'malicious software'), ('which', 'increase', 'the privileges of an account'), ('an account', 'compromised'), ('malicious software', 'increasing', "it 's")] T1098.004 [('Bundlore', 'creates', 'a new key pair with'), ('the user', 'created')] T1098.004 [('Skidmap', 'has', 'the ability'), ('the ability', 'add', 'the public key of its handlers'), ('the ability', 'maintain', 'persistence on an infected host')] T1098.004 [('TeamTNTpublic key', 'appended'), ('the pair', 'use', 
'the threat actors'), ('the pair', 'generated')] T1098.004 [('the server', 'manipulate', 'subdirectories')] T1098.004 [('a privileged container', 'mounts', 'the host filesystem'), ('a privileged container', 'overwrites', 'rootSSH authorized_keys'), ('the attacker', 'connect'), ('they', 'want')] T1102.001 [('APT41', 'used', 'legitimate websites'), ('dead drop resolvers ( DDR', 'including')] T1102.001 [('Astaroth', 'store', 'C2 information on cloud services as'), ('cloud services as', 'hosting')] T1102.001 [('BADNEWS', 'collects', 'C2 information')] T1102.001 [('BLACKCOFFEE', 'obtain', 'MicrosoftTechNet Web portal'), ('BLACKCOFFEE', 'obtain', 'a dead drop resolver'), ('a dead drop resolver', 'containing', 'an tag with the IP address of a command server'), ('an tag with', 'encoded')] T1102.001 [('BUTLER MSGET downloader', 'access', 'a dead drop resolver'), ('BUTLER MSGET downloader', 'access', 'malicious payloads')] T1102.001 [('Grandoreiro', 'obtain', 'C2 information from')] T1102.001 [('Javali', 'read', 'C2 information from')] T1102.001 [('Some MiniDuke components', 'obtain', 'Twitter'), ('Some MiniDuke components', 'obtain', 'the address of a C2 server'), ('server', 'coded'), ('server', 'responds')] T1102.001 [('Patchwork', 'hides')] T1102.001 [('PlugX', 'store', 'Pastebin'), ('PlugX', 'store', 'C2 addresses')] T1102.001 [('PolyglotDuke', 'get', 'Twitter Reddit Imgur'), ('PolyglotDuke', 'get', 'a C2 URL'), ('PolyglotDuke', 'get', 'other websites')] T1102.001 [('Rocke', 'check', 'Pastebin'), ('Rocke', 'check', 'the version of malware'), ('malware', 'beaconing'), ('another Pastebin', 'hosting'), ('malware', 'updated')] T1102.001 [('RTM', 'update', 'an RSS feed on'), ('RTM', 'update', 'a list of encrypted server names')] T1102.001 [('RTM', 'update', 'an RSS feed on'), ('RTM', 'update', 'a list of encrypted server names')] T1102.001 [('RTM', 'hidden', 'server IP addresses within transactions on the Bitcoin blockchain')] T1102.001 [('Xbash', 'obtain', 'a webpage'), ('a 
webpage', 'hosted')] T1102.002 [('APT12', 'used', 'blogs')] T1102.002 [('APT28', 'used', 'Google Drive')] T1102.002 [('APT29', 'hide', 'social media platforms'), ('APT29', 'hide', 'communications')] T1102.002 [('APT37', 'leverages', 'social networking sites'), ('APT37', 'leverages', 'for C2'), ('APT37', 'leverages', 'cloud platforms')] T1102.002 [('APT39', 'communicated'), ('files', 'uploaded')] T1102.002 [('BADNEWS', 'use', 'multiple C2 channels'), ('multiple C2 channels', 'including')] T1102.002 [('BLACKCOFFEE', 'obfuscated', 'its C2 traffic')] T1102.002 [('Carbanak', 'used', 'a VBScript'), ('a VBScript', 'named', 'ggldr'), ('a VBScript', 'uses', 'Sheets services for')] T1102.002 [('One variant of', 'exchange', 'a OneDrive account'), ('One variant of', 'exchange', 'commands'), ('One variant of', 'exchange', 'data'), ('data', 'stolen')] T1102.002 [('Comnie', 'avoid', 'blogs'), ('Comnie', 'avoid', 'blocking of their communication to the command server'), ('Comnie', 'avoid', 'party sites ( tumbler )'), ('blocking of', 'based')] T1102.002 [('ComRAT', 'has', 'the ability'), ('the ability', 'receive', 'the Gmail web UI'), ('the ability', 'receive', 'commands'), ('the ability', 'receive', 'exfiltrate information'), ('the ability', 'receive', 'commands'), ('the ability', 'receive', 'exfiltrate information')] T1102.002 [('CozyCar', 'uses', 'Twitter')] T1102.002 [('Crutch', 'receive', 'Dropbox'), ('Crutch', 'receive', 'commands'), ('data', 'stolen')] T1102.002 [('Empire', 'use', 'Dropbox')] T1102.002 [('FIN7', 'used', 'legitimate services')] T1102.002 [('servers', 'operated'), ('GLOOXMAIL communicates to servers', 'using', 'the XMPP protocol')] T1102.002 [('Grandoreiro', 'utilize', 'web services'), ('web services', 'including')] T1102.002 [('KARAE', 'use', 'public providers'), ('public providers', 'based')] T1102.002 [('Kazuar', 'compromised', 'WordPress blogs')] T1102.002 [('LOWBALL', 'uses', 'the cloud storage service for command')] T1102.002 [('Hound malware', 'use', 'a 
SOAP Web service')] T1102.002 [('MuddyWater', 'distribute', 'web services'), ('MuddyWater', 'distribute', 'access tools'), ('web services', 'including')] T1102.002 [('Orz', 'used', 'Technet web pages')] T1102.002 [('POORAIM', 'used', 'AOL Instant Messenger')] T1102.002 [('PowerStallion', 'uses', 'Microsoft OneDrive'), ('a network drive', 'mapped')] T1102.002 [('RegDuke', 'use', 'Dropbox')] T1102.002 [('Revenge RAT', 'used', 'blogpost.com')] T1102.002 [('RogueRobin', 'used', 'Google Drive')] T1102.002 [('ROKRAT', 'leverages', 'legitimate social networking sites'), ('ROKRAT', 'leverages', 'cloud platforms')] T1102.002 [('Sandworm Team', 'used', 'the Telegram Bot API from')] OBJS_ commands T1102.002 [('Sandworm Team', 'used', 'check requests for'), ('check requests for', 'sending', 'commands'), ('check requests for', 'receiving', 'commands'), ('check requests for', 'hosted', 'malicious payloads')] T1102.002 [('SLOWDRIFT', 'uses', 'cloud services'), ('cloud services', 'based')] T1102.002 [('A JavaScript backdoor', 'used', 'Apps Script')] T1102.002 [('UBoatRAT', 'used', 'GitHub'), ('UBoatRAT', 'used', 'a blog service in for C2 communications')] T1102.002 [('yty communicates to by .', 'retrieving', 'a Google Doc')] T1102.002 [('ZIRCONIUM', 'used', 'Dropbox'), ('C2', 'allowing', 'upload'), ('C2', 'allowing', 'download of files as execution')] T1102.003 [('EVILNUM', 'perform', 'a way communication method'), ('EVILNUM', 'perform', 'C2')] T1102.003 [('tDiscoverer " variant of HAMMERTOSS', 'establishes', 'a C2 channel')] T1102.003 [('HAMMERTOSS binaries', 'contain', 'an algorithm'), ('an algorithm', 'generates', 'a different Twitter handle'), ('the malware', 'check')] T1102.003 [('Leviathan', 'received', 'C2 instructions from user profiles'), ('user profiles', 'created')] T1102.003 [('Metamorfo', 'downloaded', 'a zip file for execution on the system')] T1102.003 [('OnionDuke', 'uses', 'Twitter')] T1105 [('svchost', 'writing', 'a file')] T1110.001 [('APT28', 'used', 'a spray 
tooling'), ('a spray tooling', 'operated'), ('it', 'sent', '300 authentication attempts per per account'), ('account', 'targeted')] T1110.001 [('Chopper server component', 'perform', 'force password'), ('force password', 'guessing')] T1110.001 [('CrackMapExec', 'brute', 'force passwords'), ('a user on a single target system', 'specified')] T1110.001 [('Emotet', 'observed'), ('a hard list of passwords', 'coded')] T1110.001 [('Lucifer', 'brute', 'TCP ports RPC ( MSSQL )')] T1110.001 [('P.A.S. Webshell', 'execute', 'users'), ('P.A.S. Webshell', 'execute', 'force attacks against MSSQL services'), ('P.A.S. Webshell', 'execute', 'passwords'), ('users', 'predefined')] T1110.001 [('Pony', 'used', 'a small dictionary of common passwords against a list of local accounts'), ('a list of', 'collected')] T1110.001 [('SpeakUp', 'perform', 'brute forcing'), ('an attempt', 'log')] T1110.001 [('Xbash', 'obtain', 'a list of from the C2 server'), ('Xbash', 'obtain', 'attempt'), ('a list of from', 'use'), ('attempt', 'brute', 'force services')] T1110.002 [('force password hashes', 'know', 'APT3'), ('force', 'brute')] T1110.002 [('APT41', 'performed', 'password force attacks')] T1110.002 [('tools', 'executed'), ('tools', 'used'), ('password', 'cracking'), ('password', 'including')] T1110.002 [('FIN6', 'extracted', 'password hashes')] T1110.002 [('Net Crawler', 'uses', 'a list of credentials'), ('credentials', 'known'), ('it', 'spreads')] T1110.002 [('Password', 'cracking')] T1110.003 [('APT28', 'used', 'a spray tooling'), ('a spray tooling', 'operated'), ('mode', 'spraying'), ('it', 'conducted', 'four authentication attempts per per over the course of several days'), ('account', 'targeted')] T1110.003 [('APT33', 'used', 'password')] T1110.003 [('Chimera', 'spraying', 'multiple password'), ('Chimera', 'spraying', 'attacks against victim remote services')] T1110.003 [('CrackMapExec', 'brute', 'force'), ('CrackMapExec', 'brute', 'credential authentication'), ('a list of usernames', 
'supplied')] T1110.003 [('Group malware', 'attempts'), ('a list of usernames', 'generated'), ('which', 'center')] T1110.003 [('Leafminer', 'perform', 'a tool'), ('Leafminer', 'perform', 'internal password'), ('a tool', 'called', 'Total SMB BruteForcer'), ('internal password', 'spraying')] T1110.003 [('order', 'gain', 'access'), ('order', 'gain', 'access'), ('order', 'install', 'its malware')] T1110.003 [('password', 'use', 'MailSniper'), ('Exchange', 'spray', 'password')] T1110.003 [('Silent Librarian', 'used', 'lists of names'), ('lists of', 'collected')] T1110.003 [('Password', 'spray', 'all domain users')] T1110.003 [('Password', 'spray', 'all Azure AD users')] T1110.004 [('Chimera', 'obtain', 'credential stuffing against victim remote services'), ('Chimera', 'obtain', 'valid accounts')] T1110.004 [('TrickBot', 'uses', 'force attack against')] T1110.004 [('APT22', 'enumerate', 'credential stuffing'), ('APT22', 'enumerate', 'the number of accounts'), ('accounts', 'compromised'), ('they', 'access')] T1110.004 [('Skimmers , as ,', 'utilised'), ('Skimmers , as ,', 'access', 'credential stuffing'), ('Skimmers , as ,', 'access', 'user accounts')] T1110.004 [('a technique', 'gain', 'access to new accounts'), ('a technique', 'gain', 'access to'), ('they', 'abuse', 'the trust of'), ('new accounts', 'assist')] T1110.004 [('Ransomware as', 'credential', 'stuff')] T1110.004 [('Threat actors', 'credential', 'stuff'), ('they', 'reuse', 'passwords')] T1112 [('registry', 'store', 'logon credentials')] T1112 [('sites', 'trusted')] T1112 [('Windows Powershell', 'logging', 'Disabled')] T1114.001 [('APT1', 'steal', 'two utilities GETMAIL'), ('APT1', 'steal', 'email')] T1114.001 [('GETMAIL', 'extracts', 'emails from files'), ('files', 'archived')] T1114.001 [('Carbanak', 'searches')] T1114.001 [('Chimera', 'harvested', 'data from victim e'), ('data from', 'including'), ('cmd /c copy " Documents\\.pst"copy', 'copy')] T1114.001 [('Crimson', 'contains', 'a command'), ('a command', 
'collect')] T1114.001 [('a module data', 'leverage', 'Emotet')] T1114.001 [('Empire', 'has', 'the ability'), ('the ability', 'collect', 'emails on a target system')] T1114.001 [('Magic Hound', 'collected')] T1114.001 [('Out1', 'parse', 'e'), ('Out1', 'parse', '-'), ('Out1', 'parse', 'mails on a target machine')] T1114.001 [('Pupy', 'interact')] T1114.001 [('Smoke Loader', 'searches'), ('inbox', 'sent'), ('templates', 'drafts', 'archives')] T1114.001 [('The FBI', 'detected', 'multiple day exploits'), ('actors', 'collect', 'mailbox data')] T1114.001 [('Warzone features', 'functionality'), ('Warzone features', 'precipitating', 'the theft of browser')] T1114.001 [('email boxes', 'steal', 'The cmdlet MailboxExportRequest'), ('Chinese actors', 'sponsored')] T1114.002 [('APT1', 'steal', 'two utilities GETMAIL'), ('APT1', 'steal', 'email')] T1114.002 [('Exchange servers', '!archived')] T1114.002 [('APT28', 'collected', 'emails from'), ('emails from', 'servers')] T1114.002 [('APT29', 'collected', 'emails from specific individuals as executives'), ('IT staff', 'using', 'New - MailboxExportRequest'), ('emails from', 'followed'), ('emails from', 'get')] T1114.002 [('Chimera', 'harvested', 'data from remote mailboxes'), ('data from', 'including')] T1114.002 [('accounts', 'accessed'), ('accounts', 'using', 'Outlook Web Access')] OBJS_ communications T1114.002 [('FIN4', 'accessed', 'online email communications'), ('credentials', 'stolen')] T1114.002 [('HAFNIUM', 'export', 'web shells'), ('HAFNIUM', 'export', 'mailbox data')] T1114.002 [('Ke3chang', 'dump', 'a .NET tool'), ('Ke3chang', 'dump', 'data from Exchange mailboxes')] T1114.002 [('Leafminer', 'used', 'a tool'), ('a tool', 'called', 'MailSniper')] T1114.002 [('LightNeuron', 'collects', 'emails matching rules'), ('emails matching rules', 'specified')] T1114.002 [('MailSniper', 'used')] T1114.002 [('Some SeaDuke samples', 'have', 'a module'), ('a module', 'extract', 'email'), ('a module', 'using', 'credentials'), 
('credentials', 'compromised')] T1114.002 [('UNC2452', 'collected', 'emails from specific individuals as executives'), ('IT staff', 'using', 'New - MailboxExportRequest'), ('emails from', 'followed'), ('emails from', 'get')] T1114.002 [('Valak', 'collect', 'sensitive mailing information'), ('Exchange servers', 'including')] T1114.003 [('Kimsuky', 'set', 'forward rules on victim e - mail accounts')] T1114.003 [('Silent Librarian', 'set', 'forwarding rules'), ('accounts', 'compromised')] OBJS_ messages T1114.003 [('Some groups', 'have', 'rules'), ('their malware', 'create'), ('a mail servers', 'sent', 'messages'), ('a mail servers', 'received', 'messages')] T1114.003 [('malware', 'grant', 'Email forwarding rules'), ('the ability', 'grant', 'Email forwarding rules'), ('control', 'retain', 'the ability'), ('a mail server', 'retain', 'the ability'), ('the credentials', 'changed')] T1114.003 [('Actors', 'modify', 'Microsoft Messaging API MAPI )'), ('Actors', 'modify', 'rule properties')] T1114.003 [('groups', 'motivated'), ('groups', 'set', 'credentials'), ('groups', 'set', 'forwarding rules'), ('credentials', 'compromised'), ('multiple accounts', 'compromised'), ('attempts', 'cast', 'a wide net'), ('attempts', 'steal', 'valuable data')] T1114.003 [('Threat groups', 'set'), ('accounts', 'compromised')] T1123 [('application', 'use', 'microphone')] T1125 [('application', 'use', 'webcam')] T1127.001 [('Empire', 'abuse', 'modules'), ('Empire', 'abuse', 'utilities'), ('modules', 'built'), ('utilities', 'trusted')] T1127.001 [('Frankenstein', 'execute', 'MSbuild'), ('Frankenstein', 'execute', 'an file'), ('an file', 'created')] T1127.001 [('a .NET Framework project', 'using', 'msbuild.exe')] T1127.001 [('Adversaries', 'use', 'MSBuild')] T1127.001 [('threat actors', 'abuse', 'Legitimate software , as ,'), ('a utility', 'trusted')] T1127.001 [('security features', 'bypass', 'Malware'), ('security features', 'bypass', 'actors'), ('security controls', 'allow', 'files'), ('a 
program', 'trusted')] T1127.001 [('MSBuild Bypass', 'using', 'Inline Tasks ( VB')] T1132.001 [('C2 traffic from', 'encrypted')] T1132.001 [('HTTP malware variant', 'used', 'Base64')] T1132.001 [('APT33', 'used', 'base64')] T1132.001 [('Astaroth', 'encodes', 'data'), ('data', 'using', 'Base64'), ('data', 'sending', 'it')] T1132.001 [('AutoIt backdoor', 'sent', 'a C2 response was'), ('a C2 response was', 'encoded')] T1132.001 [('BabyShark', 'encoded', 'data'), ('data', 'using', 'certutil')] T1132.001 [('Oldrea samples', 'use', 'standard Base64'), ('Oldrea samples', 'use', 'XOR data'), ('some', 'use', 'standard Base64'), ('XOR data', 'reverse'), ('XOR data', 'received')] T1132.001 [('BADNEWS', 'encodes', 'C2 traffic with base64')] T1132.001 [('BLINDINGCAN', 'encoded', 'its C2 traffic')] T1132.001 [('BS2005', 'uses', 'Base64'), ('BS2005', 'uses', 'encoding for communication in the message body of an HTTP request')] T1132.001 [('Carbanak', 'encodes', 'the message body of HTTP traffic with')] T1132.001 [('ChChes', 'encode', 'C2 data'), ('a custom technique', 'utilizes', 'Base64')] T1132.001 [('Cobian RAT', 'obfuscates', 'communications with the C2 server'), ('the C2 server', 'using', 'Base64 encoding')] T1132.001 [('Daserf', 'uses', 'base64 encoding'), ('base64 encoding', 'obfuscate', 'HTTP traffic')] T1132.001 [('Denis', 'encodes', 'the data'), ('the data', 'sent')] T1132.001 [('Dipsind', 'encodes', 'C2 traffic with base64')] T1132.001 [('down_new', 'has', 'the ability'), ('the ability', 'base64', 'encode C2 communications')] T1132.001 [('Ebury', 'encoded', 'C2 traffic')] T1132.001 [('Elise', 'exfiltrates', 'data'), ('data', 'using', 'cookie values are'), ('cookie values are', 'encoded')] T1132.001 [('Some Felismus samples', 'use', 'a custom method'), ('C2 traffic', 'utilizes', 'Base64')] T1132.001 [('Fysbis', 'encode', 'Base64'), ('Fysbis', 'encode', 'its C2 traffic')] T1132.001 [('gh0st RAT', 'compress', 'Zlib'), ('gh0st RAT', 'compress', 'C2 communications data')] 
T1132.001 [('HAFNIUM', 'used', 'ASCII encoding')] T1132.001 [('HOPLIGHT', 'utilized', 'Zlib compression'), ('Zlib compression', 'obfuscate', 'the communications payload')] T1132.001 [('Ixeshe', 'obfuscate', 'Base64 encoding schemes'), ('Ixeshe', 'obfuscate', 'command'), ('Ixeshe', 'obfuscate', 'traffic'), ('Ixeshe', 'obfuscate', 'control')] T1132.001 [('A JHUHUGIT variant', 'encodes', 'POST data base64')] T1132.001 [('Kazuar', 'encodes', 'communications')] T1132.001 [('Kessel', 'exfiltrated', 'data'), ('fields of DNS queries', 'encoded')] T1132.001 [('KONNI', 'used', 'a custom base64'), ('KONNI', 'used', 'key to encode data'), ('encode data', 'stolen')] T1132.001 [('Machete', 'used', 'base64 encoding')] T1132.001 [('MechaFlounder', 'has', 'the ability'), ('the ability', 'use', 'base16')] T1132.001 [('Mis - Type', 'uses', 'Base64')] T1132.001 [('plaintext', 'encoded')] T1132.001 [('More_eggs', 'used', 'basE91 encoding')] T1132.001 [('MuddyWater', 'used', 'tools'), ('encode C2 communications', 'including')] T1132.001 [('Octopus', 'encodes', 'C2 communications in')] T1132.001 [('Okrum', 'used', 'base64')] T1132.001 [('OopsIE', 'encodes', 'data in over the C2 channel')] T1132.001 [('Patchwork', 'encode', 'Base64'), ('Patchwork', 'encode', 'C2 traffic')] T1132.001 [('PowerShower', 'has', 'the ability'), ('the ability', 'encode', 'C2 communications with base64 encoding')] T1132.001 [('POWERSTATS', 'encoded', 'C2 traffic')] T1132.001 [('POWRUNER', 'encoded', 'base64'), ('POWRUNER', 'encoded', 'C2 communications')] T1132.001 [('Prikormka', 'encodes', 'C2 traffic with')] T1132.001 [('QUADAGENT', 'encodes', 'C2 communications with base64')] T1132.001 [('Ramsay', 'encode', 'base64'), ('Ramsay', 'encode', 'its C2 traffic')] T1132.001 [('RDAT', 'communicate'), ('subdomains', 'encoded')] T1132.001 [('Revenge RAT', 'uses', 'Base64'), ('encode information', 'sent', 'to server')] T1132.001 [('strings', 'encode', 'RogueRobin base64'), ('the C2', 'send', 'strings'), ('its DNS 
tunnel', 'send', 'strings')] T1132.001 [('S - Type', 'uses', 'Base64')] T1132.001 [('Team server tool', 'uses', 'base64')] T1132.001 [('Spark', 'encoded', 'communications with the C2 server with base64')] T1132.001 [('C&C communication', 'using', 'Base64')] T1132.001 [('SUNBURST', 'used', 'Base64 encoding in its C2 traffic')] T1132.001 [('TA551', 'used', 'text'), ('text', 'encoded'), ('text', 'ascii')] T1132.001 [('Tropic Trooper', 'used', 'base64'), ('encoding', 'hide', 'command strings'), ('command strings', 'delivered')] T1132.001 [('Valak', 'returned', 'C2 data')] T1132.001 [('WellMess', 'identify', 'Base64'), ('WellMess', 'identify', 'encoding'), ('WellMess', 'identify', 'communication to')] T1132.001 [('Zebrocy', 'used', 'URL Percent Encoding on data'), ('data', 'exfiltrated')] T1132.001 [('Base64 data .', 'encoded')] T1132.001 [('data .', 'encoded')] T1132.002 [('Newer variants of', 'encode', 'C2 communications with a custom system')] T1132.002 [('encodes commands from the control server', 'using', 'a range of characters')] T1132.002 [('InvisiMole', 'use', 'a base32 encoding to within the subdomain of C2 requests'), ('base32', 'modified')] T1132.002 [('OceanSalt', 'encode', 'data')] T1132.002 [('RDAT', 'communicate'), ('subdomains', 'utilize', 'base64')] T1132.002 [('ShadowPad', 'encoded', 'data')] T1134.001 [('APT28', 'access', 'CVE-2015 - 1701'), ('APT28', 'access', 'the SYSTEM')] T1134.001 [('Aria - body', 'has', 'the ability'), ('the ability', 'duplicate', 'a token')] T1134.001 [('BitPaymer', 'create', 'the tokens of users'), ('BitPaymer', 'create', 'processes on infected systems')] T1134.001 [('Cobalt Strike', 'steal', 'access tokens'), ('processes', 'exiting')] T1134.001 [('FinFisher', 'uses', 'token manipulation')] T1134.001 [('Okrum', 'impersonate', 'user security context'), ("a user 's", 'logged')] T1134.001 [('Pupy', 'obtain', 'a list of SIDs'), ('the option for', 'selecting'), ('process', 'tokens')] T1134.001 [('REvil', 'obtain', 'the token'), 
('the user', 'launched', 'the explorer.exe process')] T1134.001 [('Shamoon', 'impersonate', 'tokens')] T1134.001 [('` duplication', 'sedebugprivilege')] T1134.002 [('Aria - body', 'has', 'the ability'), ('the ability', 'execute', 'a process'), ('a process', 'using', 'runas')] T1134.002 [('Azorult', 'start', 'WTSQueryUserToken'), ('Azorult', 'start', 'a new process with local system privileges')] T1134.002 [('a user', 'token'), ('Bankshot grabs user', 'using', 'WTSQueryUserToken'), ('Bankshot grabs user', 'creates', 'a process'), ('Bankshot grabs user', 'impersonating', 'a user'), ('a user', 'logged')] T1134.002 [('Empire', 'make', 'Invoke - RunAs'), ('Empire', 'make', 'tokens')] T1134.002 [('KONNI', 'duplicated', 'the token of a integrity process'), ('an user', 'impersonated')] T1134.002 [('keylogger KiloAlfa', 'obtains', 'user tokens')] T1134.002 [('PipeMon', 'gain', 'administrative privileges'), ('administrative privileges', 'using', 'token impersonation')] T1134.002 [('PoshC2', 'make', 'Invoke - RunAs'), ('PoshC2', 'make', 'tokens')] T1134.002 [('REvil', 'launch', 'an instance of'), ('administrative rights', 'using', 'runas')] OBJS_ process T1134.002 [('Turla RPC backdoors', 'impersonate', 'process')] T1134.002 [('ZxShell', 'has', 'a command'), ('a command', 'called', 'RunAs'), ('which', 'creates', 'a new process as user context')] T1134.003 [('Cobalt Strike', 'make', 'tokens'), ('credentials', 'known')] T1134.003 [('RC2CL backdoor', 'modify', 'access tokens'), ('the ones', 'associated')] T1134.003 [('LazyCat', 'escalate', 'privileges')] T1134.003 [('The SetThreadToken command', 'ifsoften'), ('The SetThreadToken command', 'impersonate', 'legitimate threads'), ('The SetThreadToken command', 'impersonate', 'processes'), ('The SetThreadToken command', 'impersonate', 'legitimate threads'), ('The SetThreadToken command', 'impersonate', 'processes')] T1134.003 [('The creation of duplicate tokens', 'allows'), ('adversaries', 'escalate', 'their privileges')] T1134.004 
[('Cobalt Strike', 'spawn', 'processes')] T1134.004 [('PipeMon', 'use', 'parent PID'), ('privileges', 'elevate')] T1134.004 [('Adversaries', 'spoof', 'the process identifier ( PPID ) of a new process'), ('a new process', 'evade', 'defenses'), ('defenses', 'monitoring'), ('a new process', 'elevate', 'privileges')] T1134.004 [('Cybercriminals', 'create', 'fake PPIDs')] T1134.004 [('actors', 'spoof', 'process identifiers'), ('malware', 'spoof', 'process identifiers')] T1134.005 [('Empire', 'add', 'a SID - History')] T1134.005 [('Mimikatz MISC::AddSid module', 'appended', 'any SID'), ('Mimikatz MISC::AddSid module', 'appended', 'account')] T1134.005 [('Mimikatz', 'expand', 'History Injection'), ('Mimikatz', 'expand', 'the scope of other components as'), ('other components as', 'generated')] T1134.005 [('Adversaries', 'escalate', 'History Injection'), ('Adversaries', 'escalate', 'privileges'), ('Adversaries', 'escalate', 'access controls')] T1134.005 [('Cybercriminals', 'manipulate', 'the Windows security identifier SID')] T1134.005 [('Sid - history', 'store', 'account information'), ('threat actors', 'steal', 'account information')] T1136.001 [('APT3', 'known')] T1136.001 [('APT39', 'created', 'accounts on multiple hosts'), ('multiple hosts', 'compromised')] T1136.001 [('APT41', 'created', 'user accounts')] T1136.001 [('Calisto', 'has', 'the capability'), ('the capability', 'add', 'its own account')] T1136.001 [('Carbanak', 'create', 'a Windows account')] T1136.001 [('administrator', 'include', 'victims'), ('each staging target', 'tailor', 'some of')] T1136.001 [('Empire', 'has', 'a module for'), ('a module for', 'creating', 'a local user'), ('permissions', 'allow')] T1136.001 [('Flame', 'create', 'backdoor accounts with'), ('systems', 'connected')] T1136.001 [('Fox Kitten', 'created', 'a user account with administrator privileges')] T1136.001 [('GoldenSpy', 'create', 'new users')] T1136.001 [('HiddenWasp', 'creates', 'a user account'), ('a means', 'provide', 'initial 
persistence to the machine'), ('the machine', 'compromised')] T1136.001 [('Hildegard', 'created', 'a user namedmonerodaemon\x9d.')] T1136.001 [('Leafminer', 'set', 'a tool'), ('Leafminer', 'set', 'a persistent access account'), ('a tool', 'called', 'Imecab')] T1136.001 [('Mis - Type', 'create', 'a temporary user on system namedLost_{Unique')] T1136.001 [('\\password commands in', 'username', 'The net user')] T1136.001 [('Pupy', 'user', 'PowerView')] T1136.001 [('S - Type', 'create', 'a temporary user on the system')] T1136.001 [('ServHelper', 'created', 'a new user')] T1136.001 [('ZxShell', 'has', 'a feature'), ('a feature', 'create', 'local user accounts')] T1136.001 [('CobaltStrike beacons', 'deploy', 'BazarLoader'), ('local accounts', 'create', 'which'), ('addition to domain accounts', 'create', 'which')] T1136.001 [('Threat actors', 'create', 'local accounts')] T1136.002 [('Empire', 'has', 'a module for'), ('a module for', 'creating', 'a new domain user'), ('permissions', 'allow')] T1136.002 [('GALLIUM', 'created', 'user accounts'), ('privileged domain user', 'accounts')] OBJS_ privileges T1136.002 [('HAFNIUM', 'created', 'privileges')] T1136.002 [('\\password', 'username', 'The net user'), ('\\domain commands in', 'username', 'The net user')] T1136.002 [('Pupy', 'user', 'PowerView')] T1136.002 [('a RDP connection', 'establish', 'A reverse proxy'), ('lateral movement', 'allow', 'A reverse proxy'), ('control', 'allow', 'A reverse proxy'), ('persistence', 'create', 'local administrator accounts')] T1136.002 [('attackers', 'create', 'administrator accounts ,'), ('administrator accounts ,', 'achieved'), ('credentials', 'compromised')] T1136.002 [('the creation of administrator account', 'allow', 'CobaltStrike persistence functionality'), ('a domain account', 'compromised'), ('the Administrator domain', 'add', 'which')] T1136.003 [('Some actors', 'create', 'additional accounts on cloud environments')] T1136.003 [('Adversaries', 'create', 'accounts'), ('accounts', 
'have', 'access to specific cloud services ,'), ('which', 'reduce', 'the chance of detection')] T1136.003 [('Creating accounts', 'allow'), ('malware', 'conceal', 'themselves'), ('actors', 'conceal', 'themselves')] T1136.003 [('Actors', 'targeting', 'cloud providers'), ('Actors', 'create', 'fake accounts')] T1136.003 [('Malware', 'create', 'dedicated accounts'), ('actors', 'create', 'dedicated accounts')] T1137.001 [('BackConfig', 'has', 'the ability'), ('the ability', 'store', 'columns in Excel spreadsheets'), ('the ability', 'store', 'executable files'), ('the ability', 'store', 'commands'), ('columns in', 'hidden'), ('the ability', 'store', 'executable files'), ('the ability', 'store', 'commands')] T1137.001 [('Cobalt Strike', 'has', 'the ability'), ('the ability', 'execute', 'an Excel Workbook'), ('the ability', 'execute', 'additional code'), ('the ability', 'execute', 'additional code'), ('the ability', 'trust', 'Office'), ('the ability', 'trust', 'macros'), ('the ability', 'trust', 'macros'), ('the ability', 'execute', 'code')] T1137.001 [('MuddyWater', 'used', 'a Word Template')] T1137.001 [('order hijacking', 'load', 'malicious Normal.dotm template')] T1137.001 [('Adversaries', 'register', 'a the template'), ('document', 'trusted'), ('document', 'execute', 'malicious macros')] T1137.002 [('APT28', 'used', 'the persistence mechanism within')] T1137.002 [('Cybersecurity professionals', 'monitor', 'registry activity'), ('it', '!execute', 'malicious binaries')] T1137.002 [('DIRTPYLE malware', 'execute', 'Office'), ('DIRTPYLE malware', 'execute', 'startup'), ('DIRTPYLE malware', 'execute', 'key HKCU\\Software\\Microsoft\\Office test\\Special\\Perf'), ('DIRTPYLE malware', 'execute', 'malicious binaries'), ('malicious binaries', 'utilising', 'the registry')] T1137.002 [('Gamaredon group', 'favour', 'the tactic of'), ('the tactic of', 'maintaining', 'persistence'), ('the tactic of', 'abusing', 'Office')] T1137.002 [('Registry key', '!come')] T1137.003 [('the abuse 
of', 'automate', 'Ruler')] T1137.003 [('Outlook forms', 'created'), ('code', 'execute', 'Outlook forms'), ('a email', 'crafted'), ('an adversary', 'send', 'a email'), ('the Outlook form', 'utilize', 'an adversary')] T1137.003 [('Adversaries', 'abuse'), ('Microsoft Outlook', 'forms'), ('a system', 'compromised')] T1137.003 [('the usermailbox', 'add', 'malicious forms'), ('they', 'loaded'), ('Outlook', 'started')] T1137.003 [('The custom form', 'triggered'), ('a specific message', 'receive', 'the mailbox'), ('the attacker', 'receive', 'the mailbox'), ('the mailbox', 'load', 'the attacker'), ('the custom form', 'load', 'the attacker'), ('the custom form', 'load', 'the attacker')] T1137.004 [('OilRig', 'abused', 'the Page feature')] T1137.004 [('OilRig', 'roll', 'CVE-2017 - 11774'), ('OilRig', 'roll', 'the initial patch'), ('the initial patch', 'designed'), ('the initial patch', 'protect')] T1137.004 [('the abuse of', 'automate', 'Ruler'), ('persistence', 'establish', 'the abuse of')] T1137.004 [('Adversaries', 'abuse', 'Outlook Page feature'), ('a system', 'compromised')] T1137.004 [('the usermailbox', 'add', 'malicious home pages'), ('they', 'loaded'), ('Outlook', 'started')] T1137.004 [('APT33', 'gained', 'access to'), ('the threat actors', 'replaced', 'the Outlook homepage for victim accounts'), ('a malicious homepage URL', 'crafted')] T1137.005 [('the abuse of', 'automate', 'Ruler'), ('persistence', 'establish', 'the abuse of')] T1137.005 [('Adversaries', 'abuse'), ('Microsoft Outlook', 'rules'), ('a system', 'compromised')] T1137.005 [('Malicious Outlook rules', 'created'), ('code execution', 'trigger', 'Malicious Outlook rules'), ('a email', 'send', 'an adversary'), ('that user', 'send', 'an adversary'), ('a email', 'crafted')] T1137.005 [('inbox rules', 'hidden'), ('Messaging Application Programming Interface MAPI ,', 'call', 'an API'), ('level access', 'provide', 'which'), ('data stores', 'exchange', 'level access')] T1137.005 [('this vulnerability', 
'exploit', 'User interaction'), ('a malformed Rules .RWZ ) file', 'import', 'the victim')] T1137.006 [('Naikon', 'exploit', 'the RoyalRoad'), ('Naikon', 'exploit', 'builder'), ('a second stage loader', 'intel.wll'), ('the host', 'compromised')] T1137.006 [('ins', 'add'), ('persistence', 'obtain', 'ins'), ('code', 'execute', 'they'), ('an Office application', 'starts')] T1137.006 [('Actors', 'abuse', 'Office ins'), ('Office ins', 'add'), ('a system', 'compromised')] T1137.006 [('these files', 'interact', 'victims'), ('an storage', 'controlled'), ('the local system', 'set', 'an storage'), ('a network drive', 'set', 'an storage')] T1137.006 [('which', 'hosted')] T1137.006 [('Further investigation of', 'trusted', 'location'), ('it', 'hostword', 'Add - Ins\x9d of a*.wll\x9d extension')] T1137.006 [('Code', 'executed')] T1140 [('Base64', 'decoding')] T1140 [('Hex', 'decoding')] T1195.001 [('APT10', 'comprise', 'the software dependency of a company'), ('the aim of', 'gaining', 'access to company infrastructure')] T1195.001 [('a few months', 'register', '5000 domains'), ('malware', 'deliver', 'many')] T1195.001 [('Rowhammer attacks', 'compromise', 'RAM ,'), ('systems', 'use', 'RAM')] T1195.001 [('A Javascript skimmer', 'named', 'Pipka'), ('A Javascript skimmer', 'skim', 'the credentials of customers of 27 e - commerce sites')] T1195.001 [('APT41', 'use', 'chain compromise attacks for initial access')] T1195.002 [('APT29', 'gained', 'initial network access to some victims')] T1195.002 [('APT41', 'gained', 'access to production environments'), ('they', 'inject', 'malicious code'), ('legitimate files', 'signed'), ('production environments', 'end', 'them'), ('production environments', 'end', 'users'), ('production environments', 'end', 'users')] T1195.002 [('a legitimate version 5.33', 'add', 'CCBkdr'), ('a legitimate version 5.33', 'signed')] T1195.002 [('Cobalt Group', 'compromised', 'legitimate web browser')] T1195.002 [('Dragonfly', 'placed', 'trojanized installers')] 
T1195.002 [('GOLD SOUTHFIELD', 'distributed'), ('the site', 'hosting', 'Italian WinRAR')] T1195.002 [('a legitimate preparation software', 'package', 'GoldenSpy')] T1195.002 [('Sandworm Team', 'distributed', 'NotPetya')] OBJS_ SUNBURST T1195.002 [('SUNBURST into software builds of the Orion management product', 'design', 'SUNSPOT malware')] T1195.002 [('UNC2452', 'gained', 'initial network access')] T1195.003 [('APT41', 'executed', 'supply chain compromises')] T1195.003 [('APT groups', 'manipulate', 'hardware components of systems')] T1195.003 [('threat actors', 'abuse', 'hardware functionality'), ('threat actors', 'abuse', 'hardware functionality')] T1195.003 [('Threat actors', 'establish', 'initial access with via the abuse of hardware components')] T1197 [('Bits download', 'using', 'desktopimgdownldr.exe ( cmd')] T1201 [('Windows', 'examine')] T1204.001 [('AppleJeus spearphishing links', 'required', 'user interaction')] T1204.001 [('APT28', 'tricked', 'unwitting recipients'), ('emails', 'resemble', 'trustworthy senders'), ('emails', 'resemble', 'trustworthy senders')] T1204.001 [('APT29', 'used', 'various forms of'), ('various forms of', 'spearphishing'), ('various forms of', 'attempting'), ('various forms of', 'get'), ('a user', 'click')] T1204.001 [('APT32', 'download', 'targets'), ('APT32', 'download', 'a Strike beacon')] T1204.001 [('APT33', 'click', 'users'), ('APT33', 'click', 'links to malicious HTML applications'), ('malicious HTML applications', 'delivered')] T1204.001 [('APT39', 'sent', 'emails in an attempt'), ('emails in', 'spearphishing'), ('an attempt', 'lure', 'users'), ('an attempt', 'click')] T1204.001 [('BackConfig', 'compromised', 'victims'), ('URLs content', 'hosting')] T1204.001 [('Bazar', 'gain', 'execution'), ('landing pages', 'hosted')] T1204.001 [('BlackTech', 'lure', 'e'), ('BlackTech', 'lure', 'mails with malicious links'), ('BlackTech', 'lure', 'victims')] T1204.001 [('Cobalt Group', 'sent', 'emails'), ('emails', 'containing', 
'malicious links'), ('malicious links', 'execute', 'users'), ('malicious links', 'execute', 'a file'), ('malicious links', 'execute', 'macro'), ('malicious links', 'execute', 'a file'), ('malicious links', 'execute', 'macro'), ('malicious links', 'infect', 'the victim machine')] T1204.001 [('Dragonfly 2.0', 'used', 'various forms of'), ('various forms of', 'spearphishing'), ('attempts', 'get', 'links'), ('users', 'open')] T1204.001 [('Elderwood', 'has', 'types of'), ('types of', 'leveraged'), ('types of', 'spearphishing'), ('order', 'get', 'a user'), ('order', 'get', 'links'), ('order', 'get', 'a user'), ('order', 'get', 'links'), ('links', 'open')] T1204.001 [('Emotet', 'relied'), ('a malicious link', 'delivered'), ('a malicious link', 'spearphishing')] T1204.001 [('Evilnum', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'trick', 'the recipient'), ('emails', 'trick', 'the recipient'), ('emails', 'opening', 'malicious shortcut links'), ('which', 'downloads', 'a .LNK file')] T1204.001 [('FIN4', 'click', 'victims'), ('FIN4', 'click', 'malicious links'), ('malicious links', 'delivered'), ('emails', 'spearphishing'), ('accounts', 'compromised')] T1204.001 [('FIN8', 'leveraged', 'Spearphishing Links'), ('Spearphishing Links', 'gain', 'User Execution'), ('Spearphishing Links', 'gain', 'User Execution')] T1204.001 [('Grandoreiro', 'gain', 'malicious links'), ('Grandoreiro', 'gain', 'execution on victim machines')] T1204.001 [('GuLoader', 'relied'), ('users', 'clicking')] T1204.001 [('Hancitor', 'relied'), ('a malicious link', 'delivered')] T1204.001 [('Javali', 'achieved', 'execution'), ('victims', 'clicking', 'links to malicious websites')] T1204.001 [('Kerrdown', 'gained', 'execution'), ('victims', 'opening', 'malicious links')] T1204.001 [('Leviathan', 'sent', 'links'), ('links', 'spearphishing'), ('links', 'attempting'), ('links', 'get'), ('a user', 'click')] T1204.001 [('Machete', 'relied'), ('users', 'opening', 'malicious links'), ('malicious links', 
'delivered'), ('malicious links', 'execute', 'malware'), ('malicious links', 'execute', 'malware')] T1204.001 [('Melcoz', 'gained', 'execution'), ('victims', 'opening', 'malicious links')] T1204.001 [('Mofang emails', 'spearphishing'), ('Mofang emails', 'click', 'a user'), ('Mofang emails', 'click', 'the link'), ('the link', 'connect'), ('a website', 'compromised')] T1204.001 [('Molerats', 'sent', 'malicious links')] T1204.001 [('MuddyWater', 'distributed', 'URLs'), ('mails', 'lure', 'documents'), ('mails', 'lure', 'documents')] T1204.001 [('Mustang Panda', 'sent', 'malicious links'), ('malicious links', 'directing', 'victims')] T1204.001 [('convincing victims', 'execute', 'NETWIRE')] T1204.001 [('Night Dragon', 'enticed', 'users'), ('emails', 'spearphishing'), ('emails', 'download', 'malware')] T1204.001 [('OilRig', 'delivered', 'malicious links')] T1204.001 [('Patchwork', 'used'), ('links', 'try'), ('links', 'get'), ('users', 'click', 'download')] T1204.001 [('malicious links in e', 'execute', 'PLEAD')] T1204.001 [('Pony', 'lure', 'targets'), ('links in emails from legitimate banks', 'clicking'), ('emails from', 'spoofed')] T1204.001 [('Sandworm Team', 'tricked', 'unwitting recipients'), ('emails', 'resemble', 'trustworthy senders'), ('emails', 'resemble', 'trustworthy senders')] T1204.001 [('Sidewinder', 'lured', 'targets')] T1204.001 [('TA505', 'used', 'lures'), ('users', 'click', 'links in emails')] T1204.001 [('TA505', 'makes'), ('their malware', 'look')] T1204.001 [('malicious links', 'execute', 'TSCookie'), ('e', 'embed', 'malicious links'), ('-', 'embed', 'malicious links'), ('mails', 'embed', 'malicious links')] T1204.001 [('Turla', 'used'), ('users', 'download')] T1204.001 [('Windshift', 'lure', 'links'), ('Windshift', 'lure', 'victims'), ('links', 'embedded')] T1204.001 [('Wizard Spider', 'lured', 'victims'), ('a malicious link', 'delivered'), ('a malicious link', 'spearphishing')] T1204.001 [('ZIRCONIUM', 'lure', 'malicious links'), ('ZIRCONIUM', 
'lure', 'victims')] T1204.002 [('admin@338', 'attempted'), ('victims', 'launch', 'malicious Word attachments'), ('malicious Word attachments', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('malicious e - mail attachments', 'execute', 'Agent Tesla')] T1204.002 [('Security Team', 'lured', 'victims')] T1204.002 [('AppleJeus', 'required', 'user execution of a malicious MSI installer')] T1204.002 [('APT - C-36', 'accept', 'victims'), ('APT - C-36', 'accept', 'macros'), ('order', 'execute', 'the subsequent payload')] T1204.002 [('APT12', 'attempted'), ('victims', 'open', 'malicious Microsoft Word'), ('victims', 'open', 'PDF attachment')] T1204.002 [('users', 'launch', 'malicious attachments'), ('malicious attachments', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('APT28', 'attempted'), ('users', 'click'), ('Office attachments', 'containing', 'malicious macro scripts')] T1204.002 [('APT29', 'used', 'various forms of'), ('various forms of', 'spearphishing'), ('various forms of', 'get', 'a user'), ('various forms of', 'get', 'a user'), ('various forms of', 'open', 'attachments'), ('attachments', 'limited')] T1204.002 [('APT30', 'relied'), ('malicious file attachments', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('APT32', 'lure', 'users'), ('a malicious dropper', 'delivered'), ('a attachment', 'spearphishing')] T1204.002 [('APT33', 'lure', 'malicious e - mail attachments'), ('APT33', 'lure', 'victims')] T1204.002 [('APT37', 'sent', 'attachments'), ('attachments', 'spearphishing'), ('attachments', 'get', 'a user'), ('attachments', 'get', 'a user'), ('a user', 'open', 'them')] T1204.002 [('APT39', 'sent', 'emails in an attempt'), ('emails in', 'spearphishing'), ('an attempt', 'lure', 'users'), ('an attempt', 'click')] T1204.002 [('Astaroth', 'used', 'malicious files'), ('malicious files', 'including')] T1204.002 [('BlackTech', 'lure', 'e'), ('BlackTech', 'lure', 'mails with malicious documents'), ('BlackTech', 'lure', 'victims')] T1204.002 
[('BLINDINGCAN', 'lured', 'victims'), ('malicious macros', 'embedded')] T1204.002 [('BRONZE BUTLER', 'attempted'), ('users', 'launch', 'malicious Word attachments'), ('malicious Word attachments', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('Bundlore', 'attempted'), ('users', 'execute', 'a malicious .app file'), ('a malicious .app file', 'looks')] T1204.002 [('Cardinal RAT', 'lures', 'victims'), ('malicious macros', 'embedded')] T1204.002 [('CARROTBALL', 'executed'), ('users', 'lured')] T1204.002 [('Cobalt Group', 'sent', 'emails'), ('emails', 'containing', 'malicious attachments'), ('malicious attachments', 'execute', 'users'), ('malicious attachments', 'execute', 'a file'), ('malicious attachments', 'execute', 'macro'), ('malicious attachments', 'execute', 'a file'), ('malicious attachments', 'execute', 'macro'), ('malicious attachments', 'infect', 'the victim machine')] T1204.002 [('malicious documents with macros', 'deliver', 'CSPY Downloader'), ('macros', 'embedded')] T1204.002 [('Dark Caracal', 'makes'), ('their malware', 'look'), ('order', 'entice', 'a user'), ('order', 'click')] T1204.002 [('Darkhotel', 'sent', 'emails in an attempt'), ('emails in', 'spearphishing'), ('an attempt', 'lure', 'users'), ('an attempt', 'clicking')] T1204.002 [('malware', 'send', 'DarkHydrus'), ('users', 'hit', 'DarkHydrus has sent malware'), ('the enable button in', 'hit', 'DarkHydrus has sent malware'), ('an .iqy file', 'downloaded')] T1204.002 [('Dragonfly 2.0', 'used', 'various forms of'), ('various forms of', 'spearphishing'), ('attempts', 'get'), ('users', 'open', 'attachments')] T1204.002 [('Elderwood', 'has', 'types of'), ('types of', 'leveraged'), ('types of', 'spearphishing'), ('order', 'get', 'a user'), ('order', 'get', 'a user'), ('order', 'open', 'attachments')] T1204.002 [('Emotet', 'relied'), ('users', 'clicking'), ('a malicious attachment', 'delivered'), ('a malicious attachment', 'spearphishing')] T1204.002 [('FIN4', 'launch', 'victims'), ('FIN4', 
'launch', 'malicious attachments'), ('malicious attachments', 'delivered'), ('emails', 'spearphishing'), ('accounts', 'compromised')] T1204.002 [('FIN6', 'lure', 'malicious documents'), ('FIN6', 'lure', 'victims')] T1204.002 [('FIN7', 'lured', 'victims'), ('they', 'sent'), ('which', 'execute', 'the hidden LNK file')] T1204.002 [('FIN8', 'leveraged', 'Spearphishing Attachments')] T1204.002 [('Frankenstein', 'used', 'documents'), ('documents', 'trojanized'), ('documents', 'sent'), ('which', 'enable', 'the victim'), ('which', 'enable', 'macros'), ('documents', 'enable', 'macros')] T1204.002 [('Gallmaker', 'sent', 'victims'), ('Gallmaker', 'sent', 'a lure document'), ('a warning', 'asked', 'victims')] T1204.002 [('Gamaredon Group', 'attempted'), ('users', 'click'), ('malicious macros', 'embedded')] T1204.002 [('Gorgon Group', 'attempted'), ('users', 'launch', 'malicious Office attachments'), ('malicious Office attachments', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('Grandoreiro', 'infected', 'victims')] T1204.002 [('macros', 'retrieve', 'The GuLoader executable'), ('malicious Word documents', 'retrieve', 'The GuLoader executable'), ('macros', 'embedded')] T1204.002 [('Hancitor', 'used', 'malicious Word documents'), ('malicious Word documents', 'sent'), ('which', 'enable', 'the victim'), ('which', 'enable', 'macros'), ('malicious Word documents', 'enable', 'macros')] T1204.002 [('Higaisa', 'lure', 'malicious e - mail attachments'), ('Higaisa', 'lure', 'victims')] T1204.002 [('Word documents with malicious macros', 'execute', 'IcedID'), ('malicious macros', 'embedded')] T1204.002 [('victims', 'lured'), ('Inception victims into', 'clicking', 'malicious files for machine reconnaissance'), ('Inception victims into', 'execute', 'malware')] T1204.002 [('InvisiMole', 'deliver', 'trojanized versions of software'), ('software', 'relying')] T1204.002 [('Javali', 'achieved', 'execution'), ('victims', 'opening', 'malicious attachments'), ('malicious attachments', 
'including'), ('VBScript', 'embedded')] T1204.002 [('JCry', 'achieved', 'execution'), ('a file', 'appeared')] T1204.002 [('Kerrdown', 'gained', 'execution'), ('victims', 'opening', 'malicious files')] T1204.002 [('malicious macros', 'contain', 'Word documents')] T1204.002 [('Kimsuky', 'used')] T1204.002 [('Lazarus Group', 'attempted'), ('users', 'launch', 'a malicious Word attachment'), ('a malicious Word attachment', 'delivered'), ('a email', 'spearphishing')] T1204.002 [('Leviathan', 'sent', 'attachments'), ('attachments', 'spearphishing'), ('attachments', 'attempting'), ('attachments', 'get'), ('a user', 'click')] T1204.002 [('malicious documents', 'execute', 'Lokibot'), ('malicious documents', 'contained'), ('e', 'spearphishe', 'malicious documents')] T1204.002 [('Machete', 'relied'), ('users', 'opening', 'malicious attachments'), ('malicious attachments', 'delivered'), ('malicious attachments', 'execute', 'malware'), ('malicious attachments', 'execute', 'malware')] T1204.002 [('menuPass', 'attempted'), ('victims', 'open', 'malicious files as')] T1204.002 [('documents', 'sent'), ('campaigns', 'spearphishing')] T1204.002 [('Metamorfo', 'click', 'the user'), ('Metamorfo', 'click', 'the executable')] T1204.002 [('Mofang malicious attachments', 'spearphishing'), ('Mofang malicious attachments', 'open', 'a user'), ('Mofang malicious attachments', 'open', 'the file')] T1204.002 [('Molerats', 'sent', 'malicious files'), ('email', 'tricked', 'users'), ('email', 'run', 'Enable Content'), ('email', 'run', 'an macro'), ('email', 'run', 'an macro'), ('an macro', 'embedded'), ('email', 'download', 'malicious archives')] T1204.002 [('MuddyWater', 'attempted'), ('users', 'enable', 'macros'), ('malicious Word documents', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('Mustang Panda', 'sent', 'malicious files'), ('malicious files', 'requiring', 'direct victim interaction'), ('malicious files', 'execute')] T1204.002 [('Naikon', 'open', 'victims'), ('Naikon', 'open', 
'malicious attachments')] T1204.002 [('NETWIRE', 'executed')] T1204.002 [('OilRig', 'delivered', '- documents'), ('- documents', 'enabled'), ('- documents', 'click', 'targets'), ('- documents', 'click', 'the enable content " button'), ('- documents', 'click', 'the enable content " button'), ('- documents', 'execute', 'the payload')] OBJS_ file T1204.002 [('OSX / Shlayer', 'relies'), ('users', 'mounting', 'a malicious DMG file')] T1204.002 [('Patchwork', 'embedded', 'a malicious macro'), ('an icon', 'execute', 'the malware')] T1204.002 [('PLATINUM', 'attempted'), ('users', 'open', 'malicious files'), ('emails with attachments to victims', 'spearphishing')] T1204.002 [('malicious e - mail attachments', 'execute', 'PLEAD')] T1204.002 [('PoetRAT', 'infect', 'attachments'), ('PoetRAT', 'infect', 'victims'), ('attachments', 'spearphishing')] T1204.002 [('Pony', 'lure', 'targets')] T1204.002 [('PROMETHIUM', 'attempted'), ('users', 'execute', 'files for legitimate software'), ('files for', 'compromised'), ('legitimate software', 'including')] T1204.002 [('malicious e - mail attachments', 'execute', 'Ramsay')] T1204.002 [('Rancor', 'attempted'), ('users', 'click'), ('an macro', 'embedded')] T1204.002 [('malicious Word mail attachments', 'execute', 'REvil')] T1204.002 [('malicious Excel documents', 'execute', 'Rifdoor'), ('macros', 'contain', 'malicious Excel documents')] T1204.002 [('RTM', 'lure', 'victims')] T1204.002 [('RTM', 'relied'), ('users', 'opening', 'malicious email attachments'), ('malicious email attachments', 'decompressing', 'the archive'), ('malicious email attachments', 'decompressing', 'the executable'), ('the archive', 'attached'), ('the archive', 'clicking')] T1204.002 [('Sandworm Team', 'tricked', 'unwitting recipients'), ('attachments', 'spearphishing'), ('malicious macros', 'embedded')] T1204.002 [('malicious DOC files', 'send', 'Sharpshooter'), ('targets', 'send', 'Sharpshooter'), ('a user', 'open', 'they')] T1204.002 [('Sidewinder', 'lured', 
'targets')] T1204.002 [('Silence', 'attempts'), ('users', 'launch', 'malicious attachments'), ('malicious attachments', 'delivered'), ('emails', 'spearphishing')] T1204.002 [('SQLRat', 'relies'), ('an image', 'embedded')] T1204.002 [('files for legitimate software', 'execute', 'StrongPity'), ('files for', 'compromised'), ('applications software browsers', 'include', 'legitimate software')] T1204.002 [('SYSCON', 'executed')] T1204.002 [('TA459', 'attempted'), ('victims', 'open', 'malicious Word attachment'), ('malicious Word attachment', 'sent'), ('malicious Word attachment', 'spearphishing')] T1204.002 [('TA505', 'used', 'lures'), ('users', 'enable', 'content in malicious attachments'), ('malicious files', 'contained')] T1204.002 [('TA505', 'makes'), ('their malware', 'look')] T1204.002 [('TA551', 'enable', 'users'), ('TA551', 'enable', 'macros'), ('attachments', 'spearphishing'), ('attachments', 'install', 'malware')] T1204.002 [('The White Company', 'phishing', 'lure documents'), ('lure documents', 'trick', 'users'), ('lure documents', 'opening', 'them'), ('lure documents', 'infecting', 'their computers')] T1204.002 [('TrickBot', 'attempted'), ('users', 'launch', 'malicious documents')] T1204.002 [('Tropic Trooper', 'lured', 'victims')] T1204.002 [('A Word document', 'delivering', 'TYPEFRAME prompts'), ('A Word document', 'delivering', 'the user'), ('A Word document', 'enable', 'macro execution')] T1204.002 [('Word documents', 'execute', 'Valak'), ('malicious macros', 'contain', 'Word documents')] T1204.002 [('Whitefly', 'used', 'malicious'), ('Whitefly', 'used', 'files'), ('files', 'disguised')] T1204.002 [('Windshift', 'lure', 'e - mail attachments'), ('Windshift', 'lure', 'victims')] T1204.002 [('Wizard Spider', 'execute', 'victims'), ('Wizard Spider', 'execute', 'malware'), ('attachments', 'spearphishing'), ('attachments', 'containing', 'macros'), ('attachments', 'download', 'Bokbot')] T1204.003 [('TeamTNT', 'relies')] T1204.003 [('TigerDownloader', 
'modified'), ('a user', 'tricked')] T1204.003 [('DarkSide ransomware', 'executed'), ('a malicious GCP image', 'download', 'a user')] T1204.003 [('backdoor installations', 'maintain', 'Persistence'), ('the medium of malicious docker images', 'maintain', 'Persistence')] T1204.003 [('itself', 'install', 'REvil ransomware'), ('an image', 'download', 'a user'), ('malicious functionality', 'contain', 'an image'), ('malicious functionality', 'contain', 'an image')] T1205.001 [('PROMETHIUM', 'used', 'a script'), ('a script', 'configures', 'the knockd service'), ('a script', 'configures', 'firewall'), ('a script', 'accept', 'C2 connections from systems'), ('a script', 'use', 'a sequence of knock ports'), ('a sequence of', 'specified')] T1205.001 [('abuses port', 'knocking')] T1205.001 [('Port knocking', 'obfuscate', 'malicious activity')] T1205.001 [('The Cryptcat backdoor', 'utilises', 'port')] T1205.001 [('a series of obscure connections', 'utilise', 'Ryuk ransomware'), ('a C2 channel', 'opened')] T1213.001 [('APT41', 'gather', 'information from'), ('information from', 'sharing', 'repositories as')] T1213.001 [('campaigns', 'create', "Lebanese Cedar '' , group ,"), ('Confluence', 'steal', 'a large amount of data')] T1213.001 [('APT groups', 'receive', 'sensitive documents'), ('APT groups', 'receive', 'sensitive documents'), ('APT groups', 'share', 'them')] T1213.001 [('threat actors', 'employ')] T1213.001 [('companies', 'store', 'development documentation on'), ('a target for', 'harvest', 'data')] T1213.001 [('APT28', 'collected', 'information from SharePoint services')] T1213.001 [('\t Data from', 'collected', 'documents from')] T1213.001 [('\r\n T1213.002 Data \t', 'used', 'a enumeration tool'), ('Ke3chang', 'used', 'a enumeration tool'), ('SharePoint enumeration', 'dumping'), ('a enumeration tool', 'known')] T1213.001 [('\t Data from Sharepoint \t spwebmember', 'used')] T1213.001 [('threat actors', 'move'), ('data from popular data repositories as', 'harvesting')] 
T1213.001 [('T1216 Execution SyncAppvPublishingServer', 'signed', 'Script PowerShell Execution command_prompt'), ('T1216 Execution SyncAppvPublishingServer', 'signed', 'SyncAppvPublishingServer')] T1213.001 [('Signed Execution command_prompt \t manage-bde.wsf Execution \r\n T1216.001 \t Pubprn \t APT32', 'used', 'PubPrn.vbs'), ('malware', 'bypassing', 'defenses')] T1213.001 [('T1216.001', 'use', 'PubPrn.vbs'), ('proxy execution', 'use', 'PubPrn.vbs'), ('a remote site', 'use', 'PubPrn.vbs'), ('a script ( PubPrn.vbs )', 'signed'), ('the script to proxy execution of malicious files', 'trusted'), ('PubPrn script', 'execute', 'malware'), ('T1216.001', 'execute', 'malware'), ('\r\n T1217 \t Files', 'execute', 'malware'), ('Firefox Bookmark Database Files on', 'execute', 'malware'), ('Bookmark JSON Files on', 'execute', 'malware'), ('Bookmark JSON Files', 'execute', 'malware'), ('List Google Opera Bookmarks on', 'execute', 'malware'), ('T1217 \t', 'execute', 'malware'), ('Firefox bookmarks on with \r\n T1217 \t Bookmarks', 'execute', 'malware'), ('sh \t Bookmarks', 'execute', 'malware'), ('command_prompt DLL into running process', 'execute', 'malware'), ('command_prompt \t code \r\n T1218 \t', 'execute', 'malware'), ('T1217', 'execute', 'malware'), ('T1217', 'execute', 'malware'), ('List Google Opera Bookmarks on', 'execute', 'malware'), ('powershell powershell', 'execute', 'malware'), ('T1217 \t', 'execute', 'malware'), ('List Google Chrome / Edge Chromium Bookmarks on', 'execute', 'malware'), ('prompt command_prompt \t Bookmarks', 'execute', 'malware'), ('command prompt', 'execute', 'malware'), ('malicious files', 'execute', 'malware'), ('remote site', 'execute', 'malware'), ('PubPrn PubPrn.vbs', 'signed'), ('the command prompt', 'use', 'Firefox bookmarks on with \r\n T1217 \t Bookmarks'), ('command_prompt \t', 'use', 'Firefox bookmarks on with \r\n T1217 \t Bookmarks'), ('Internet Explorer Bookmarks', 'use', 'Firefox bookmarks on with \r\n T1217 \t Bookmarks'), ('the 
command prompt', 'use', 'Firefox bookmarks on with \r\n T1217 \t Bookmarks'), ('the command prompt', 'use', 'Firefox bookmarks on with \r\n T1217 \t Bookmarks'), ('command_prompt \t code \r\n T1218 \t', 'execute'), ('code', 'execute'), ('dll command_prompt \t', 'execute', 'command_prompt \t code \r\n T1218 \t')] T1213.001 [('\t Execution ProtocolHandler.exe', 'downloaded', 'a Suspicious File command_prompt \t'), ('\t Execution ProtocolHandler.exe', 'downloaded', '\t Execution powershell \t DLL via'), ('ProtocolHandler.exe', 'downloaded'), ('Microsoft.Workflow.Compiler.exe Payload Executions', 'powershell')] T1213.001 [('Html File \t APT41', 'used', 'HTML ( .chm'), ('Html File \t APT41', 'used', ') files for'), (') files for', 'targeting')] T1213.001 [('Astaroth', 'uses')] OBJS_ executable T1213.001 [('Caracal', 'leveraged', 'a file'), ('a file', 'compiled'), ('a file', 'contained', 'a command'), ('a command', 'download', 'an executable'), ('a command', 'run', 'an executable')] T1213.001 [('Group', 'move', 'CHM files'), ('Group', 'move', 'payloads'), ('payloads', 'concealed')] T1213.001 [('OilRig', 'used', 'a CHM payload')] T1213.001 [('Silence', 'weaponized', 'CHM files'), ('their campaigns', 'phishing')] T1213.001 [('T1218.001 File', 'compiled'), ('HTML', 'help', 'Payload command_prompt HTML'), ('HTML', 'help', 'Local Payload'), ('\t HTML File', 'compiled', 'HTML')] T1213.001 [('CHM with', 'powershell'), ('Protocol Handler', 'powershell')] OBJS_ file T1213.001 [('Reaver', 'drops', 'a malicious CPL file')] T1213.001 [('\t Adversaries', 'abuse', 'control.exe')] T1213.001 [('Some actors', 'execute', 'items in the control panel on Windows operating systems'), ('Some actors', 'execute', 'malware')] T1213.001 [('malicious code', 'execute', '\t CPL files')] T1213.001 [('Control Panel Items', 'command_prompt', 'Control Panel Items'), ('Cmstp \t Group', 'used', 'the command cmstp.exe C:\\Users\\ADMINI ~')] T1213.001 [('Signed Execution Cmstp \t MuddyWater', 'execute', 
'CMSTP.exe'), ('Signed Execution Cmstp \t MuddyWater', 'execute', 'its POWERSTATS payload')] T1213.001 [('Cmstp obfuscated profile file', 'written')] T1213.001 [('that is executed', 'executed'), ('a malicious INF file', 'write', 'That batch file'), ('a remote scriptlet', 'execute', 'which'), ('the INF file', 'specify', 'a remote scriptlet')] T1213.001 [('The LNK file', 'runs', 'cmd.exe')] T1213.001 [('the cmstp.exe utility', 'run', 'This txt file'), ('Remote Scriptlet command_prompt', 'execute', '\t CMSTP CMSTP'), ('Remote Scriptlet', 'execute', '\t CMSTP CMSTP'), ('T1218.003', 'execute', '\t CMSTP CMSTP'), ('UAC Bypass command_prompt', 'execute', 'CMSTP'), ('UAC Bypass', 'execute', '\t CMSTP'), ('InstallUtil.exe', 'execute', '\t menuPass'), ('malicious software', 'execute', '\t menuPass')] T1213.001 [('T1218.004 Mustang Panda', 'execute', 'InstallUtil.exe'), ('T1218.004 Mustang Panda', 'execute', 'a malicious Beacon stager')] T1213.001 [('malicious installer components', 'execute', 'T1218.004 \t Installutil'), ('.Net binaries', 'execute', 'T1218.004 \t Installutil'), ('microsoft', 'use', '\t Actors'), ('proxy execution', 'perform', 'Malware'), ('InstallUtil', 'perform', 'Malware'), ('Uninstall variant powershell \t call - /U', '/u')] T1213.001 [('invocation Signed Binary Execution Mshta \t APT32', 'used', 'mshta.exe')] T1213.001 [('Signed Binary Execution Mshta \t BabyShark', 'used', 'mshta.exe')] T1213.001 [('Signed Binary Execution Mshta \t FIN7', 'execute', 'mshta.exe'), ('Signed Binary Execution Mshta \t FIN7', 'execute', 'VBScript')] T1213.001 [('\r\n Signed Binary Execution Mshta', 'used', 'malicious HTA files'), ('\t Inception', 'used', 'malicious HTA files')] T1213.001 [('T1218.005 Signed Binary Execution Mshta \t Kimsuky', 'run', 'mshta.exe'), ('T1218.005 Signed Binary Execution Mshta \t Kimsuky', 'run', 'malicious scripts')] T1213.001 [('\r\n T1218.005 Signed Binary Execution Mshta \t Koadic', 'serve', 'MSHTA'), ('\r\n T1218.005 Signed Binary Execution 
Mshta \t Koadic', 'serve', 'additional payloads')] T1213.001 [('\t Lazarus Group', 'run', 'mshta.exe'), ('\t Lazarus Group', 'run', 'malicious scripts'), ('\t Lazarus Group', 'run', 'download programs')] T1213.001 [('T1218.005 Signed Binary Execution Mshta \t Metamorfo', 'execute', 'mshta.exe'), ('T1218.005 Signed Binary Execution Mshta \t Metamorfo', 'execute', 'a HTA payload')] T1213.001 [('\r\n T1218.005 Signed Binary Execution Mshta \t Panda', 'launch', 'mshta.exe'), ('\r\n T1218.005 Signed Binary Execution Mshta \t Panda', 'launch', 'collection scripts')] T1213.001 [('\r\n Signed Binary Execution Mshta \t NanHaiShu', 'load', 'mshta.exe'), ('\r\n Signed Binary Execution Mshta \t NanHaiShu', 'load', 'its program'), ('\r\n Signed Binary Execution Mshta \t NanHaiShu', 'load', 'files')] T1213.001 [('T1218.005 Signed Binary Execution Mshta POWERSTATS', 'execute', 'Mshta.exe'), ('T1218.005 Signed Binary Execution Mshta POWERSTATS', 'execute', 'additional payloads'), ('hosts', 'compromised')] T1213.001 [('Mshta Revenge RAT', 'run', 'mshta.exe'), ('Mshta Revenge RAT', 'run', 'malicious scripts')] T1213.001 [('MSHTA application', 'execute', 'T1218.005 \t Mshta')] T1213.001 [('\r\n Signed Binary Execution Mshta Sidewinder', 'execute', 'mshta.exe'), ('\r\n Signed Binary Execution Mshta Sidewinder', 'execute', 'malicious payloads')] T1213.001 [('T1218.005 \t', 'use', 'mshta')] T1213.001 [('Mshta Mshta', 'executes', 'JavaScript Scheme Remote Payload With'), ('Mshta Mshta', 'executes', 'T1218.005 \t Mshta'), ('Mshta Mshta', 'executes', '\r\n T1218.005 Application HTA ) powershell \t'), ('Mshta', 'executes', 'JavaScript Scheme Remote Payload'), ('\t Mshta', 'executes', 'VBScript')] T1213.001 [('HTML JScript Engine with', 'powershell', 'HTML JScript Engine with \r\n T1218.005 \t')] T1213.001 [('HTML JScript Engine with \r\n T1218.005 \t Movement \t Movement \r\n T1218.005 \t', 'powershell', 'HTML JScript Engine with'), ('PowerShell', 'execute', 'Mshta')] T1213.001 [('\r\n 
T1218.007 \t Msiexec \t', 'execute', 'msiexec'), ('\r\n T1218.007 \t Msiexec \t', 'execute', 'malicious Installer packages'), ('Duqu', 'execute', 'msiexec'), ('Duqu', 'execute', 'malicious Installer packages')] T1213.001 [('a encryption key', 'contain', 'a PROPERTY VALUE pair'), ('the main payload', 'decrypt', 'a PROPERTY VALUE pair'), ('the installer packages', 'decrypt', 'a PROPERTY VALUE pair')] T1213.001 [('Msiexec \t Grandoreiro', 'execute', 'MSI files'), ('Msiexec \t Grandoreiro', 'execute', 'DLLs')] T1213.001 [('\r\n T1218.007 \t', 'inject', 'itself'), ('a process', 'suspended')] T1213.001 [('Javali', 'used', 'the MSI installer')] T1213.001 [('Msiexec LoudMiner', 'install', 'an MSI installer'), ('Msiexec LoudMiner', 'install', 'the virtualization software')] T1213.001 [('components', 'deliver', 'Msiexec Maze'), ('its ransomware attacks', 'deliver', 'Msiexec Maze'), ('MSI files', 'use', 'its ransomware attacks'), ('the command - line', 'execute', 'some of'), ('msiexec', 'use', 'the command - line')] T1213.001 [('\r\n T1218.007 \t', 'use', 'MSI files'), ('VBScript', 'embedded')] T1213.001 [('\t Metamorfo', 'execute', 'MsiExec.exe'), ('\t Metamorfo', 'execute', 'files')] T1213.001 [('msiexec.exe', 'execute', 'an unsigned MSI package')] T1213.001 [('\r\n T1218.007 Msiexec', 'used', 'msiexec')] T1213.001 [('\r\n T1218.007 Msiexec', 'used', 'the msiexec.exe line utility')] T1213.001 [('Msiexec Execute MSI file with', 'embedded'), ('Execute Local MSI file with', 'embedded'), ('command_prompt \t', 'embedded'), ('VBScript', 'embedded'), ('Execute MSI file with', 'embedded'), ('\t Msiexec Execute MSI file with', 'embedded'), ('Execute MSI file with', 'embedded'), ('powershell', 'embedded')] T1213.001 [('Execute Local MSI file with', 'embedded'), ('Execute Local MSI file with', 't1218.007', '\t Msiexec WMI'), ('Execute Local MSI file with', 't1218.007', 'Execute MSI file with powershell'), ('powershell', 'embedded')] T1213.001 [('VBScript', 'embedded'), ('Execute Local 
MSI file with \r\n', 't1218.007', '\t Msiexec WMI'), ('Execute Local MSI file with \r\n', 't1218.007', 'Execute MSI file'), ('an powershell', 'embedded')] T1213.001 [('Execute MSI file with', 'embedded'), ('Execute MSI file with', 't1218.007', '\t Msiexec WMI')] T1213.001 [('an powershell \t WMI', 'embedded')] T1213.001 [('Execute MSI file with', 'embedded'), ('Execute MSI file with', 't1218.007')] T1213.001 [('\t Cobalt Group', 'proxy', 'odbcconf'), ('\t Cobalt Group', 'proxy', 'the execution of malicious DLL files')] T1213.001 [('REGSVR', 'execute', 'T1218.008 \t Odbcconf'), ('flag from', 'execute', 'T1218.008 \t Odbcconf'), ('T1218.008 \t Odbcconf \t Similar to', 'execute', 'T1218.008 \t Odbcconf'), ('odbcconf.exe', 'execute', 'T1218.008 \t Odbcconf'), ('DLL', 'execute', 'T1218.008 \t Odbcconf'), ('T1218.009 \t Regasm', 'execute', 'T1218.008 \t Odbcconf'), ('malicious DLLs', 'execute', 'T1218.008 \t Odbcconf'), ('T1218.008 \t Odbcconf \t', 'execute', 'T1218.008 \t Odbcconf'), ('A odbcconf', 'signed'), ('malicious payload solutions', 'run', 'A odbcconf'), ('malicious payload solutions', 'bypassing'), ('Odbcconf \t APT-21 actors', 'attempt'), ('Odbcconf command_prompt', 'execute'), ('RegAsm.exe', 'drop', '\r\n T1218.008 can use REGSVR'), ('systems for', 'drop', '\r\n T1218.008 can use REGSVR'), ('RegAsm.exe', 'drop', '\t Agent Tesla'), ('systems for', 'drop', '\t Agent Tesla'), ('malicious activity', 'perform', 'systems for')] T1213.001 [('Regscvs.exe', 'drop', 'Malware'), ('Regscvs', 'download', 'Signed Execution Regsvcs / Regasm Actors'), ('the system', 'download', 'Signed Execution Regsvcs / Regasm Actors'), ('binaries', 'sign', 'Microsoft'), ('regscvs.exe', 'sign', 'Microsoft')] T1213.001 [('a Scheduled Task / Job', 'execute', 'regsvr32.exe'), ('a Scheduled Task / Job', 'execute', 'a COM scriptlet'), ('a Scheduled Task / Job', 'downloaded', 'a backdoor'), ('a COM scriptlet', 'injected', 'it')] T1213.001 [('The group', 'run', 'regsvr32'), ('The group', 'run', 
'their backdoor')] T1213.001 [('\t Blue Mockingbird', 'executed', 'DLLs'), ('DLLs', 'compiled')] T1213.001 [('\t Cobalt Group', 'execute', 'regsvr32.exe'), ('\t Cobalt Group', 'execute', 'scripts')] T1213.001 [('\t Deep Panda', 'execute', 'regsvr32.exe'), ('\t Deep Panda', 'execute', 'a server variant of')] T1213.001 [('\t Derusbi variants', 'seen'), ('Registry persistence', 'use', 'variants have been seen'), ('proxy execution', 'use', 'variants have been seen'), ('regsvr32.exe', 'use', 'variants have been seen')] T1213.001 [('Egregor', 'execute', 'regsvr32.exe'), ('Egregor', 'execute', 'malicious DLLs')] T1213.001 [('\t EVILNUM', 'run', 'a remote scriptlet'), ('a remote scriptlet', 'drops', 'a file'), ('a remote scriptlet', 'executes', 'it')] T1213.001 [('Regsvr32 \t Zor executes', 'using', 'regsvr32.exe'), ('Regsvr32 \t Zor executes', 'called')] T1213.001 [('\t Inception', 'ensured', 'persistence at system boot')] T1213.001 [('\t More_eggs', 'execute', 'regsvr32.exe'), ('\t More_eggs', 'execute', 'the malicious DLL')] T1213.001 [('Some Orz versions', 'have', 'an DLL'), ('an DLL', 'embedded'), ('an DLL', 'known'), ('an DLL', 'execute', 'Process Hollowing'), ('an DLL', 'execute', 'another payload'), ('an DLL', 'execute', 'regsvr32'), ('an DLL', 'execute', 'another payload')] T1213.001 [('\t Ragnar Locker', 'execute', 'regsvr32.exe'), ('\t Ragnar Locker', 'execute', 'components of')] T1213.001 [('RogueRobin', 'run', 'regsvr32.exe'), ('RogueRobin', 'run', 'a .sct file for execution')] T1213.001 [('\t TA551', 'load', 'regsvr32.exe'), ('\t TA551', 'load', 'malicious DLLs')] T1213.001 [('\t Valak', 'launch', 'regsvr32.exe'), ('\t Valak', 'launch', 'malicious DLLs')] T1213.001 [('\t WIRTE', 'trigger', 'Regsvr32.exe'), ('\t WIRTE', 'trigger', 'the execution of a malicious script')] T1213.001 [('Xbash', 'use', 'regsvr32')] T1213.001 [('Call DllRegisterServer \r\n', 'establish', 'rundll32.exe in a Registry value'), ('Call DllRegisterServer \r\n', 'establish', 
'persistence'), ('\t Signed Execution Rundll32 \t ADVSTORESHELL', 'establish', 'rundll32.exe in'), ('\t Signed Execution Rundll32 \t ADVSTORESHELL', 'establish', 'persistence')] T1213.001 [('\t Signed Execution Rundll32 \t', 'configured'), ('its payload', 'inject')] T1213.001 [('APT28', 'executed', 'CHOPSTICK'), ('a first stage dropper', 'using', 'rundll32.exe')] T1213.001 [('An loader Trojan', 'saved', 'a batch script'), ('a batch script', 'execute', 'rundll32'), ('a batch script', 'execute', 'a DLL payload'), ('a batch script', 'execute', 'a DLL payload')] T1213.001 [('\t Signed Execution Rundll32 \t APT29', 'execute', 'Rundll32.exe'), ('\t Signed Execution Rundll32 \t APT29', 'execute', 'payloads')] T1213.001 [('APT3', 'has', 'a tool'), ('a tool', 'run', 'DLLs')] T1213.001 [('APT32 malware', 'execute', 'rundll32.exe'), ('APT32 malware', 'execute', 'an initial infection process')] T1213.001 [('\t Signed Execution Rundll32 \t APT41', 'execute', 'rundll32.exe'), ('\t Signed Execution Rundll32 \t APT41', 'execute', 'a loader')] T1213.001 [('Attor installer plugin', 'schedule', 'rundll32.exe')] T1213.001 [('Bisonal', 'uses', 'rundll32.exe'), ('\t Signed Execution Rundll32 \t', 'execute'), ('it', 'adds', 'HKEY_CURRENT_USER')] T1213.001 [('\t Signed Execution Rundll32 \t Mockingbird', 'executed', 'DLLs'), ('DLLs', 'compiled')] T1213.001 [('Briba', 'uses', 'rundll32'), ('\t Signed Execution Rundll32 \t', 'execute', 'malicious DLLs')] T1213.001 [('Carbanak', 'installs', 'VNC server software'), ('VNC server software', 'executes')] T1213.001 [('\t Signed Execution Rundll32 \t Comnie', 'load', 'Rundll32'), ('\t Signed Execution Rundll32 \t Comnie', 'load', 'a malicious DLL')] T1213.001 [('CopyKittens', 'load', 'rundll32'), ('CopyKittens', 'load', 'various tools'), ('\t Signed Execution Rundll32 \t', 'load', 'various tools'), ('victims', 'including'), ('a movement tool', 'named', 'Vminst Cobalt Strike')] T1213.001 [('execution of rundll32', 'instal', '\t Signed Execution 
Rundll32 \t CORESHELL'), ('an export', 'instal', '\t Signed Execution Rundll32 \t CORESHELL'), ('init', 'name', 'an export')] T1218.011 [('The CozyCar dropper', 'copies', 'the file rundll32.exe')] T1218.011 [('DDKONG', 'ensure', 'Rundll32'), ('DDKONG', 'ensure', 'only a single instance of')] T1218.011 [('Egregor', 'used', 'rundll32')] T1218.011 [('Variants of', 'used', 'rundll32.exe in Registry values'), ('Registry values', 'establish', 'persistence'), ('Registry values', 'establish', 'persistence')] T1218.011 [('EVILNUM', 'execute', 'commands'), ('EVILNUM', 'execute', 'scripts')] T1218.011 [('FatDuke', 'execute')] T1218.011 [('FELIXROOT', 'uses', 'Rundll32')] T1218.011 [('a way of', 'use', 'Rundll32.exe'), ('Flame', 'execute', 'a way of'), ('the command - line', 'execute', 'a way of')] T1218.011 [('Group malware', 'launch', 'rundll32'), ('Group malware', 'launch', 'additional malicious components')] T1218.011 [('gh0st RAT variant', 'used', 'rundll32')] T1218.011 [('GreyEnergy', 'uses', 'PsExec'), ('order', 'execute', 'rundll32.exe')] T1218.011 [('HAFNIUM', 'load', 'rundll32'), ('HAFNIUM', 'load', 'malicious DLLs')] T1218.011 [('InvisiMole', 'used', 'rundll32.exe for execution')] T1218.011 [('JHUHUGIT', 'executed')] T1218.011 [('Koadic', 'execute', 'Rundll32'), ('Koadic', 'execute', 'additional payloads')] T1218.011 [('KONNI', 'execute', 'Rundll32'), ('KONNI', 'execute', 'its loader for escalation purposes')] T1218.011 [('Kwampirs', 'uses', 'rundll32.exe'), ('a Registry value', 'establish', 'persistence'), ('a Registry value', 'establish', 'persistence')] T1218.011 [('Matryoshka', 'uses', 'rundll32.exe')] T1218.011 [('MegaCortex', 'load', 'rundll32.exe'), ('MegaCortex', 'load', 'a DLL')] T1218.011 [('Mosquito launcher', 'start', 'rundll32.exe'), ('Mosquito launcher', 'start', 'the main backdoor capability')] T1218.011 [('MuddyWater', 'used', 'malware'), ('MuddyWater', 'used', 'that leveraged rundll32.exe in a Run key'), ('that leveraged rundll32.exe in', 'execute', 
'a .dll')] T1218.011 [('NOKKI', 'used', 'rundll32')] T1218.011 [('NotPetya', 'install', 'rundll32.exe'), ('NotPetya', 'install', 'itself')] T1218.011 [('PolyglotDuke', 'executed')] T1218.011 [('PowerDuke', 'uses', 'rundll32.exe')] T1218.011 [('Prikormka', 'load', 'rundll32.exe'), ('Prikormka', 'load', 'its DLL')] T1218.011 [('Pteranodon', 'executes', 'functions'), ('functions', 'using', 'rundll32.exe')] T1218.011 [('PUNCHBUGGY', 'load', 'a DLL')] T1218.011 [('Ragnar Locker', 'execute', 'rundll32.exe'), ('Ragnar Locker', 'execute', 'components of')] T1218.011 [('RTM', 'runs', 'its core DLL file'), ('its core DLL file', 'using', 'rundll32.exe')] T1218.011 [('Sakula', 'run', 'cmd.exe'), ('Sakula', 'run', 'various DLL files')] T1218.011 [('Sandworm Team', 'used', 'a backdoor'), ('which', 'execute', 'a DLL'), ('a backdoor', 'supplied'), ('a backdoor', 'using', 'rundll32.exe')] OBJS_ DLLs T1218.011 [('ServHelper', 'contains', 'a module for'), ('a module for', 'downloading', 'DLLs'), ('a module for', 'executing', 'DLLs'), ('DLLs', 'leverages', 'rundll32.exe')] T1218.011 [('Sibot', 'executed', 'DLLs'), ('DLLs', 'downloaded')] T1218.011 [('StreamEx', 'call', 'rundll32'), ('StreamEx', 'call', 'an function'), ('an function', 'exported')] T1218.011 [('SUNBURST', 'execute', 'Rundll32'), ('SUNBURST', 'execute', 'payloads')] T1218.011 [('TA505', 'has', 'rundll32.exe'), ('rundll32.exe', 'leveraged'), ('rundll32.exe', 'execute', 'malicious DLLs')] T1218.011 [('TA551', 'load', 'rundll32.exe'), ('TA551', 'load', 'malicious DLLs')] T1218.011 [('UNC2452', 'execute', 'Rundll32'), ('UNC2452', 'execute', 'payloads')] T1218.011 [('USBferry', 'execute', 'rundll32.exe')] T1218.011 [('ZxShell', 'execute', 'rundll32.exe'), ('ZxShell', 'execute', 'other DLLs')] T1218.011 [('Rundll32', 'execute', 'JavaScript Remote Payload')] T1218.011 [('Rundll32', 'execute', 'VBscript command')] T1218.011 [('Execution of', 'using', 'Rundll32')] T1218.011 [('Execution of', 'using', 'rundll32.exe')] T1218.012 
[('Hancitor', 'used', 'verclsid.exe')] T1218.012 [('Adversaries', 'execute', 'verclsid.exe'), ('Adversaries', 'execute', 'malicious COM payloads')] T1218.012 [('attacker', 'bypassed', 'control policies')] T1218.012 [('Malware', 'loads', 'malicious COM payload')] T1219 [('TeamViewer Files', 'detected', 'Test on')] T1220 [('MSXSL Bypass', 'using', 'local files')] T1220 [('MSXSL Bypass', 'using', 'remote files')] T1220 [('WMIC bypass', 'using', 'local XSL file')] T1220 [('WMIC bypass', 'using', 'remote XSL file')] T1222.001 [('BitPaymer', 'use', 'icacls'), ("a executable 's", 'targeted')] T1222.001 [('Grandoreiro', 'modify', 'the binary ACL')] T1222.001 [('JPIN', 'change', 'utility cacls.exe'), ('JPIN', 'change', 'file permissions')] T1222.001 [('Ryuk', 'launch', 'icacls')] T1222.001 [('every restrictions on files', 'based')] T1222.001 [('WannaCry', 'uses', 'attrib'), ('WannaCry', 'uses', 'h'), ('WannaCry', 'uses', 'icacls')] OBJS_ users OBJS_ controls T1222.001 [('some of its files', 'hidden', 'all users'), ('some of', 'hidden', 'access controls')] T1222.001 [('Wizard Spider', 'modify', 'the icacls command'), ('Wizard Spider', 'modify', 'access control'), ('servers', 'backup'), ('servers', 'providing', 'them')] T1222.001 [('utility', 'takeown')] T1222.001 [('Grant permission', 'specified', 'user'), ('Grant permission', 'specified', 'group')] T1222.001 [('attrib', 'remove'), ('attrib', 'read')] T1222.002 [('APT32 macOS backdoor', 'changes', 'the permission of the file'), ('it', 'wants'), ('the file', 'execute')] T1222.002 [('Kinsing', 'modify', 'chmod'), ('Kinsing', 'modify', 'permissions on key files for use')] T1222.002 [('OSX / Shlayer', 'set', 'the chmod utility'), ('OSX / Shlayer', 'set', 'a .app file'), ('a file', 'downloaded')] T1222.002 [('P.A.S. 
Webshell', 'has', 'the ability'), ('the ability', 'modify', 'file permissions')] T1222.002 [('Penquin', 'add', 'the executable flag'), ('a file', 'downloaded')] T1222.002 [('file permissions of files', 'change', 'Rocke'), ('they', '!modified')] T1222.002 [('file', 'change')] T1222.002 [('file', 'change')] T1222.002 [('file', 'change')] T1222.002 [('file', 'change')] T1480.001 [('APT41', 'encrypted', 'payloads'), ('payloads', 'using', 'the Protection API ( DPAPI )'), ('which', 'relies'), ('keys', 'tied')] T1480.001 [('APT41', 'keyed', 'stage malware with an RC5 key'), ('an RC5 key', 'derived')] T1480.001 [('environmental keying', 'utilize', 'Equation'), ('payload delivery', 'utilize', 'Equation')] OBJS_ computer T1480.001 [('Protection API', 'encrypt', 'InvisiMole'), ('its components', 'encrypt', 'InvisiMole'), ('the victimcomputer', 'encrypt', 'InvisiMole'), ('one specific computer', 'decrypt', 'the payload'), ('one specific computer', 'compromised')] T1480.001 [('environment', 'created'), ('elements', 'gather', 'Malware with environment keys'), ('elements', 'use'), ('elements', 'deciding'), ('payload', 'encrypted'), ('a second - stage', 'dropped'), ('payload', 'dropped')] T1480.001 [('Some actors', 'implement', 'environmental keying')] T1480.001 [('Malware', 'check')] T1480.001 [('protection API', 'use', 'Environmental keying'), ('an encrypted payload', 'make', 'Environmental keying'), ('the infected hist', 'decrypt', 'an encrypted payload')] T1480.001 [('keys within a environment', 'searching'), ('a environment', 'compromised'), ('keys within', 'allow'), ('an actor', 'abuse', 'legitimate components')] T1484.001 [('Egregor', 'modify', 'the GPO')] OBJS_ Job T1484.001 [('Empire', 'modify', 'New - GPOImmediateTask'), ('Empire', 'modify', 'a GPO'), ('a GPO', 'install', 'a malicious Scheduled Task / Job')] T1484.001 [('Indrik Spider', 'deploy', 'Policy Objects'), ('Indrik Spider', 'deploy', 'batch scripts')] T1484.001 [('Adversaries', 'modify', 'policy objects ( GPOs 
)'), ('the controls for a domain', 'intended'), ('privileges on the domain', 'escalating')] T1484.001 [('Threat actors', 'force', 'GPOs collection'), ('Threat actors', 'force', 'infect machines')] T1484.001 [('tasks for persistence , payloads', 'create', 'Policy settings for groups on Windows operating systems ( OSs )'), ('tasks for', 'scheduled'), ('settings ,', 'modify'), ('data', 'steal', 'settings ,')] T1484.001 [('cybercriminals', 'modify', 'policy objects'), ('disable tools , privileges ,', 'modify', 'policy objects')] T1484.001 [('many other malicious behaviors as', 'implement', 'Malicious GPO modifications')] T1484.002 [('APT29', 'changed', 'trust settings'), ('trust settings', 'configure', 'AD administrative permissions'), ('trust settings', 'configure', 'the domain'), ('trust settings', 'configure', 'the domain'), ('trust settings', 'accept', 'authorization tokens'), ('authorization tokens', 'signed'), ('their own SAML certificate', 'signing')] T1484.002 [('UNC2452', 'changed', 'trust settings'), ('trust settings', 'configure', 'AD administrative permissions'), ('trust settings', 'configure', 'the domain'), ('trust settings', 'configure', 'the domain'), ('trust settings', 'accept', 'authorization tokens'), ('authorization tokens', 'signed'), ('their own SAML certificate', 'signing')] T1484.002 [('Adversaries', 'add', 'new domain trusts'), ('trusts', 'existing')] T1484.002 [('Manipulating trusts', 'allow'), ('an adversary', 'escalate', 'privileges'), ('they', 'control')] T1484.002 [('Actors', 'modify', 'domain trust settings'), ('malware', 'modify', 'domain trust settings'), ('the next phase of , as', 'communicating')] T1485 [('data on C drive', 'deleted')] T1486 [('Encrypt files', 'using', 'gpg ( Linux')] T1486 [('Encrypt files', 'using', '7z ( Linux')] T1486 [('Encrypt files', 'using', 'ccrypt ( Linux')] T1486 [('Encrypt files', 'using', 'openssl Linux')] T1489 [('Stop service', 'using', 'Service Controller')] T1489 [('Stop service', 'using', 'net.exe')] 
T1489 [('process', 'killing')] T1490 [('the SR', 'scheduled', 'task')] T1491.001 [('Lazarus Group', 'replaced', 'the background wallpaper of systems')] T1491.001 [('Ransomware', 'defaced', 'internal website'), ('message about', 'threatening'), ('message about', 'exposing', 'sensitive data')] OBJS_ users T1491.001 [('Adversary', 'deface', 'systems internal'), ('an attempt', 'intimidate', 'users'), ('an attempt', 'mislead', 'users')] T1491.001 [('Actor group', 'intimidate', 'system wallpaper with trade secret information'), ('Actor group', 'intimidate', 'company'), ('company', 'paying', 'the ransom')] T1491.001 [('Ransomware', 'replaces', 'background wallpaper')] T1491.002 [('Sandworm Team', 'defaced', '000 websites'), ('000 websites', 'belonging')] T1491.002 [('a socioeconomical point', 'make', 'who'), ('a socioeconomical point', 'make', 'Threat actors'), ('a message', 'deliver', 'Threat actors'), ('websites', 'deface', 'Threat actors'), ('websites', 'known'), ('their point', 'seen')] T1491.002 [('hacktivists', 'deface', 'Some websites'), ('attempts', 'deface', 'Some websites'), ('malware', 'deface', 'Some websites'), ('support from other adversaries', 'gather', 'attempts'), ('an objective', 'accomplish', 'attempts')] T1491.002 [('the ones', 'deface', 'websites'), ('advanced groups as', 'defaced', 'thousands of websites')] T1491.002 [('Some groups', 'sponsored'), ('Some groups', 'use', 'website'), ('Some groups', 'use', 'defacement as a diversionary tactic'), ('a diversionary tactic', 'distract')] T1491.002 [('future attacks', 'setup', 'Website defacements'), ('an initial access point', 'setup', 'Website defacements')] T1497.001 [('Astaroth', 'check'), ('serial numbers', 'associated')] T1497.001 [('Attor', 'detect'), ('some virtualized environment', 'execute', 'it'), ('some virtualized environment', 'emulated'), ('specific instructions', 'use', 'communication with O ports')] T1497.001 [('BadPatch', 'attempts'), ('a Virtual Machine VM )', 'run', 'it')] OBJS_ 
environment T1497.001 [('paths Registry keys', 'search', 'CSPY Downloader'), ('memory', 'search', 'CSPY Downloader'), ('a virtual environment', 'debug', 'it')] T1497.001 [('a series of checks', 'use', 'Darkhotel malware'), ('it', 'analyzed'), ('the length of executable names', 'include', 'checks'), ('a filename', 'ends')] T1497.001 [('the root of as checks', 'execute', 'the program'), ('libraries', 'related')] T1497.001 [('Denis', 'ran', 'multiple system checks'), ('multiple system checks', 'looking')] T1497.001 [('Dyre', 'detect', 'analysis environments')] T1497.001 [('EvilBunny dropper', 'checked', 'the number of processes'), ('EvilBunny dropper', 'checked', 'the length'), ('EvilBunny dropper', 'checked', 'strings')] T1497.001 [('Evilnum', 'check', 'a component'), ('Evilnum', 'check', 'certain hardware'), ('Evilnum', 'check', 'information'), ('a component', 'called', 'TerraLoader'), ('certain hardware', 'file'), ('environments', 'sandboxed')] T1497.001 [('FinFisher', 'obtains', 'the device list'), ('FinFisher', 'obtains', 'checks'), ('order', 'check'), ('environments', 'virtualized')] T1497.001 [('Frankenstein', 'used', 'WMI queries'), ('various security applications', 'running')] T1497.001 [('GoldMax', 'check'), ('a virtualized environment', 'run', 'it')] T1497.001 [('Grandoreiro', 'detect', 'VMWare')] T1497.001 [('GravityRAT', 'check', 'WMI'), ('GravityRAT', 'check', '" " Virtual "'), ('GravityRAT', 'check', 'another WMI request'), ('GravityRAT', 'check', 'the BIOS'), ('GravityRAT', 'check', 'manufacturer information')] T1497.001 [('artifacts of VirtualBox Virtual PC', 'check', 'InvisiMole'), ('they', 'detected')] T1497.001 [('device drivers', 'check', 'Lucifer'), ("DLL 's", 'check', 'Lucifer'), ('specific usernames', 'check', 'Lucifer'), ('virtual devices', 'check', 'Lucifer'), ('environments', 'associate', 'virtual devices'), ('environments', 'sandboxed'), ('any', 'detected')] T1497.001 [('the number of in the system', 'check', 'MegaCortex')] T1497.001 
[('Okrum loader', 'check', 'the amount of physical memory'), ('the host', 'has', '1.5 Gigabytes of in total')] T1497.001 [('OopsIE', 'performs', 'several anti - VM checks on victim machine')] T1497.001 [('the group', 'used')] T1497.001 [('a variant', 'have', 'OSX_OCEANLOTUS.D'), ('a number of system parameters', 'check', 'a variant'), ('a variant', 'see'), ('real hardware', 'run', 'it')] T1497.001 [('PlugX', 'checks'), ('VMware tools', 'running'), ('any process', 'named', '" vmtoolsd')] T1497.001 [('the size of the hard drive', 'check', 'PoetRAT'), ('a sandbox environment', 'run', 'it')] T1497.001 [('it', 'delete', 'itself'), ('the contents of', 'exiting')] T1497.001 [('Pupy', 'has', 'a module'), ('a module', 'checks', 'a number of on the system'), ('a module', 'determine'), ('its', 'running')] T1497.001 [('RogueRobin', 'check', 'WMI'), ('RogueRobin', 'check', 'BIOS version for'), ('RogueRobin', 'check', 'qemu virtualbox'), ('the script', 'executing')] T1497.001 [('Smoke Loader', 'scans', 'processes')] T1497.001 [('SUNBURST', 'checked', 'the domain name of the host'), ('the host', 'compromised'), ('it', 'running')] T1497.001 [('SynAck', 'checks', 'its directory location'), ('an attempt', 'avoid'), ('an attempt', 'launching')] T1497.001 [('ThiefQuest', 'uses', 'a function'), ('a function', 'named', 'is_debugging'), ('a function', 'perform', 'anti - logic'), ('a function', 'perform', 'anti - logic'), ('anti - logic', 'debugging')] T1497.001 [('The function', 'invokes', 'sysctl'), ('sysctl', 'checking', 'the value of P_TRACED'), ('the value of', 'returned')] T1497.001 [('ThiefQuest', 'calls', 'ptrace')] T1497.001 [('Karagany', 'detect', 'platforms'), ('platforms', 'used'), ('platforms', 'based')] T1497.001 [('the machine', 'compromised')] T1497.001 [('yty', 'has', 'some basic anti - sandbox detection'), ('some basic anti - sandbox detection', 'detect', 'Virtual PC Sandboxie'), ('some basic anti - sandbox detection', 'detect', 'Virtual PC Sandboxie')] T1497.002 
[('Darkhotel', 'used', 'malware'), ('malware', 'checks', 'the mouse cursor position'), ('malware', 'determine')] T1497.002 [('FIN7', 'used', 'images'), ('images', 'embedded'), ('lures', 'activate', 'the payload'), ('a user clicks', 'avoid', 'sandboxes')] T1497.002 [('the payload', 'execute', 'Okrum loader'), ('order', 'press', 'the left mouse button'), ('virtualized environments', 'execute', 'order'), ('virtualized environments', 'execute', 'order'), ('virtualized environments', 'emulated')] T1497.002 [('Spark', 'used', 'a splash screen'), ('an user', 'clicks')] T1497.002 [('drive size', 'look', 'Wanacry'), ('drive size', 'check'), ('sandbox', 'run', 'it')] T1497.002 [('malware', 'finds', 'a limited browser history'), ('it', 'exits')] T1497.002 [('Malware', 'checks', 'number of files in'), ('files in', 'folder')] T1497.003 [('AppleJeus', 'waited', 'a time'), ('a time', 'specified')] T1497.003 [('Bazar', 'delay', 'a timer'), ('Bazar', 'delay', 'execution of core functionality')] T1497.003 [('BendyBear', 'check'), ('signs of', 'debugging'), ('analysis environments', 'using', 'the kernel32!GetTickCountKernel32 call')] T1497.003 [('Egregor', 'perform', 'a long sleep ( greater )')] T1497.003 [('EvilBunny', 'used', 'time measurements'), ('the malware', 'running')] T1497.003 [('FatDuke', 'turn', 'itself')] T1497.003 [('GoldenSpy installer', 'delayed', 'installation of'), ('it', 'reaches', 'a victim system')] T1497.003 [('GoldMax', 'set', 'an trigger date'), ('GoldMax', 'set', 'time'), ('an trigger date', 'stored')] T1497.003 [('presence of an emulator', 'detect', 'Okrum loader'), ('the time', 'accelerated')] T1497.003 [('Pony', 'delayed', 'execution'), ('execution', 'using', 'a function'), ('a function', 'built')] T1497.003 [('Raindrop', 'runs', 'a computation'), ('a computation', 'delay', 'execution')] T1497.003 [('SUNBURST', 'remained')] T1497.003 [('invokes time call', 'check', 'system time'), ('invokes time call', 'executes', 'command invokes call'), ('the system', 
'identify', 'the sandbox'), ('the amount of time', 'identify', 'the sandbox')] T1497.003 [('Ursnif', 'used', 'a minute delay')] T1498.001 [('service attacks', 'consist'), ('packets', 'sent'), ('packets', 'target'), ('aims of', 'exhausting', 'that resource')] T1498.001 [('attacks', 'distributed'), ('botnets , as ,', 'conduct', 'attacks'), ('the objective of', 'conduct', 'attacks'), ('much fake traffic', 'send', 'the objective of'), ('legitimate requests', 'send', 'the objective of'), ('the target', 'prevent', 'the objective of'), ('the objective of', 'functioning')] T1498.001 [('Threat actors', 'conduct', 'reconnaissance'), ('targets are', 'flooding', 'the network'), ('targets are', 'deny', 'disrupt service')] T1498.001 [('there', 'are', 'online locations'), ('online locations', 'offer', 'DDoS services')] T1498.001 [('Some botnet malware', 'use', 'thousands'), ('devices', 'compromised'), ('attacks', 'distributed')] T1498.002 [('Threat actors', 'conduct', 'party services'), ('Threat actors', 'conduct', 'network denial ( DoS')] T1498.002 [('Some malware', 'botnet'), ('Some malware', 'use', 'denial of service reflection attacks')] T1498.002 [('Actors', 'conduct', 'DoS attacks'), ('requests', 'made'), ('target )', 'spoofed')] T1498.002 [('A large flood of packets', 'flooding')] T1498.002 [('Malware', 'use', 'benign servers'), ('benign servers', '!show', 'indication of'), ('indication of', 'compromised'), ('benign servers', 'request', 'them'), ('benign servers', 'request', 'information from a targetIP'), ('benign servers', 'request', 'information from'), ('benign servers', 'forcing', 'them'), ('benign servers', 'respond'), ('benign servers', 'filling', 'bandwidth')] T1499.001 [('The Lucifer cryptojacker', 'overwhelm', 'the self'), ('The Lucifer cryptojacker', 'overwhelm', 'limits of resources of an OS'), ('limits of', 'imposed')] T1499.001 [('Quantum Stresser', 'perform', 'DDoS')] T1499.001 [('BlackNurse', 'target', 'OS of victim machines'), ('their capacity', 'handle', 
'the demands'), ('the demands', 'placed')] T1499.001 [('GoBotKR', 'initiate', 'a variety of DDoS attacks ,'), ('DDoS attacks ,', 'including'), ('ones', 'target', 'the finite resources of a system')] T1499.001 [('Ransomware', 'damage', 'OS ability'), ('OS ability', 'manage', 'resources'), ('OS ability', 'coerce', 'victims'), ('OS ability', 'paying', 'the ransom')] T1499.002 [('Actors', 'conduct', 'endpoint denial of service attacks'), ('endpoints', 'including'), ('applications in attempts', 'based'), ('attempts', 'prevent', 'that one target from'), ('that one target from', 'functioning')] T1499.002 [('Botnet malware', 'launch', 'DDoS attacks'), ('DDoS attacks', 'targeting', 'endpoints'), ('DDoS attacks', 'overwhelm', 'the target system')] T1499.002 [('Malware', 'create', 'HTTP flooding'), ('Malware', 'create', 'a exhaustion flood'), ('Malware', 'create', 'SSL renegotiation attacks')] T1499.002 [('Actors', 'attack', 'targets'), ('attempts', 'render'), ('attempts', 'renegotiating', 'SSL / TSL crypto algorithms')] T1499.002 [('an affect way', 'prevent', 'users'), ('an affect way', 'accessing', 'the target')] T1499.003 [('Web applications', 'positioned')] T1499.003 [('apps', 'facing')] T1499.003 [('attacks', 'target', 'Application servers'), ('denial of service ( DoS', 'target', 'Application servers')] T1499.003 [('malware', 'repeats'), ('malware', 'spoofed', 'requests'), ('requests', 'deny', 'access by sheer volume')] T1499.003 [('Exhausting resources', 'cause', 'real damage to a company'), ('threat actors', 'disrupt', 'specific applications ( apps ) with denial ( DoS )'), ('threat actors', 'disrupt', 'business operations')] T1499.004 [('Industroyer', 'uses', 'a DoS tool'), ('a DoS tool', 'leverages', 'CVE-2015 - 5374'), ('addresses of SIPROTEC devices', 'hardcoded')] T1499.004 [('Actors', 'exploit', 'a vulnerability'), ('some of these vulnerabilities', 'include', 'CVE-2021 - 45078 ,'), ('some of', 'include', 'CVE-2021 - 45046 , CVE-2021 - 44686 , CVE-2021')] T1499.004 
[('Some malware', 'cause', 'applications'), ('Some malware', 'cause', 'systems')] T1499.004 [('Some actors', 'exploit', 'vulnerabilities')] T1499.004 [('Exploitation of vulnerabilities', 'cause', 'applications'), ('Exploitation of', 'cause', 'systems'), ('persistent re', 'deny', 'service'), ('-', 'deny', 'service'), ('exploitation', 'deny', 'service')] T1499.004 [('Successful exploitation of certain vulnerabilities', 'result')] T1505.001 [('Threat actors', 'abuse', 'procedures'), ('procedures', 'stored')] OBJS_ assemblies T1505.001 [('CLR assemblies', 'craft', 'Adversaries'), ('procedures', 'link', 'CLR assemblies'), ('procedures', 'stored'), ('these CLR assemblies', 'made'), ('arbitrary commands', 'execute', 'CLR assemblies')] T1505.001 [('the procedures', 'stored'), ('the procedures', 'run'), ('SQL Server', 'apply', 'a patch'), ('the server', 'restarted')] T1505.001 [('a procedure', 'stored'), ('a procedure', 'use', 'the procedure'), ('the procedure', 'stored'), ('a procedure', 'download'), ('a procedure', 'execute', 'a PowerShell payload'), ('a procedure', 'using', 'the query below')] T1505.001 [('The SQL injection string', 'launch', 'PowerShell'), ('the procedure', 'stored')] T1505.001 [('An unspecified vulnerability', 'exists')] T1505.001 [('that , allows', 'allows'), ('an authenticated attacker', 'manipulate', 'data')] T1505.002 [('LightNeuron', 'used', 'a malicious Exchange transport agent')] T1505.002 [('Adversaries', 'establish', 'Microsoft transport agents'), ('Adversaries', 'establish', 'persistent access to systems')] T1505.002 [('all emails', 'invoke', 'a malicious transport agent'), ('the Exchange transport pipeline', 'pass', 'all emails'), ('specific tasks', 'carry', 'the agent'), ('response to criteria', 'carry', 'the agent'), ('criteria', 'defined')] T1505.002 [('The Turla tool', 'leverages', 'a Exchange transport agent in parallel with'), ('process email messages', 'delivered')] T1505.003 [('APT32', 'maintain', 'Web shells'), ('APT32', 'maintain', 
'access to victim websites')] T1505.003 [('APT39', 'installed', 'ANTAK ASPXSPY web shells')] T1505.003 [('ASPXSpy', 'is', 'a Web shell')] T1505.003 [('Threat Group-3390', 'use', 'The ASPXTool version'), ('accessible servers', 'deploy', 'The ASPXTool version'), ('Internet Information Services ( IIS )', 'run', 'accessible servers')] T1505.003 [('Chopper server component', 'is', 'a Shell payload')] T1505.003 [('Deep Panda', 'access', 'Web shells'), ('Deep Panda', 'access', 'victim networks')] T1505.003 [('shells on victims accessible email', 'created'), ('they', 'maintain', 'access to a victim network'), ('shells on', 'maintain', 'access to'), ('shells on', 'download', 'additional malicious files')] T1505.003 [('Fox Kitten', 'installed', 'web shells on hosts'), ('hosts', 'compromised')] T1505.003 [('GALLIUM', 'used', 'Web shells')] T1505.003 [('HAFNIUM', 'deployed', 'multiple web shells on servers'), ('servers', 'compromised'), ('servers', 'including')] T1505.003 [('Kimsuky', 'maintain', 'modified versions of source PHP web shells'), ('Kimsuky', 'maintain', 'access'), ('access', 'adding', 'Dinosaur " references within the code')] T1505.003 [('Leviathan', 'relies')] T1505.003 [('OilRig', 'maintain', 'web shells'), ('OilRig', 'maintain', 'access to a victim network')] T1505.003 [('Operation Wocao', 'used', 'their own web shells as those'), ('their own web shells as those', 'placed')] T1505.003 [('Threat Group-3390', 'use', 'a Web shell'), ('Threat Group-3390', 'use', 'a Web shell')] T1505.003 [('an ISAPI filter on with the China Chopper Web shell', 'instal', 'It')] T1505.003 [('P.A.S. Webshell', 'gain', 'remote access'), ('P.A.S. 
Webshell', 'gain', 'execution')] T1505.003 [('Sandworm Team', 'maintain', 'webshells'), ('Sandworm Team', 'maintain', 'access to victim networks'), ('webshells', 'including')] T1505.003 [('SEASHARPEE', 'is', 'a Web shell')] T1505.003 [('SUPERNOVA', 'is', 'a Web shell')] T1505.003 [('TEMP.Veles', 'planted', 'Web shells on Exchange servers')] T1505.003 [('Threat Group-3390', 'used', 'a variety of Web shells')] T1505.003 [('Tropic Trooper', 'started', 'a web service in the target host'), ('the adversary', 'connect', 'acting as a web shell')] T1505.003 [('Volatile Cedar', 'inject', 'shell code')] T1518.001 [('ABK', 'has', 'the ability'), ('the ability', 'identify', 'the product'), ('the product', 'installed'), ('the host', 'compromised')] T1518.001 [('Avenger', 'has', 'the ability'), ('the ability', 'identify', 'products'), ('products', 'installed'), ('a host', 'compromised')] T1518.001 [('BadPatch', 'enumerate', 'WMI'), ('BadPatch', 'enumerate', 'products'), ('products', 'installed')] T1518.001 [('Bazar', 'identify', 'the engine'), ('the engine', 'installed')] T1518.001 [('build_downer', 'has', 'the ability'), ('the ability', 'detect'), ('the infected host', 'running', 'an anti - virus process')] T1518.001 [('Carberp', 'queried', 'system registry'), ('system registry', 'searching'), ('specific registry keys', 'associated')] T1518.001 [('Cobalt Group', 'used', 'a JavaScript backdoor is'), ('a JavaScript backdoor is', 'collecting', 'a list of the security solutions'), ('the security solutions', 'installed')] T1518.001 [('Comnie', 'detect', 'several anti - virus products')] T1518.001 [('the presence of Snitch " network monitoring', 'check', 'CookieMiner'), ('Snitch " network monitoring', 'exiting'), ('it', 'found')] T1518.001 [('the victim', 'has', 'an anti - virus product'), ('an anti - virus product', 'installed')] T1518.001 [('the product', 'installed'), ('a list', 'predetermined'), ('the dropper', 'exit')] T1518.001 [('Crimson', 'contains', 'a command'), ('a 
command', 'collect', 'information about anti - virus software')] T1518.001 [('Darkhotel', 'searched')] T1518.001 [('down_new', 'has', 'the ability'), ('the ability', 'detect', 'anti - virus products'), ('the ability', 'detect', 'processes'), ('a host', 'compromised')] T1518.001 [('Empire', 'enumerate', 'antivirus software')] T1518.001 [('anti - malware services', 'running'), ('Epic searches for anti - malware services', 'terminates', 'itself'), ('it', 'finds', 'them')] T1518.001 [('EvilBunny', 'observed'), ('software', 'installed')] T1518.001 [('EVILNUM', 'search')] T1518.001 [('processes', 'associated')] T1518.001 [('software like antivirus', 'installed')] T1518.001 [('FIN8', 'used', 'Registry keys')] T1518.001 [('FinFisher', 'probes', 'the system')] T1518.001 [('Flame', 'identifies', 'security software as antivirus through the Security module')] T1518.001 [('FlawedAmmyy', 'detect', 'anti - virus products')] T1518.001 [('Frankenstein', 'used', 'WMI'), ('Frankenstein', 'used', 'queries'), ('virtualization environments', 'running'), ('analysis tools', 'running')] T1518.001 [('Grandoreiro', 'list', 'products'), ('products', 'installed'), ('products', 'including')] T1518.001 [('InvisiMole', 'check')] T1518.001 [('certain processes', 'related'), ('JPIN checks for the presence of certain processes', 'deletes', 'its uninstaller component'), ('it', 'identifies', 'any of')] T1518.001 [('jRAT', 'list', 'security software'), ('anti - virus products', 'installed'), ('anti - virus products', 'obtain', 'firewall details')] T1518.001 [('Kasidet', 'has', 'the ability'), ('the ability', 'identify', 'any anti - virus'), ('any anti - virus', 'installed')] T1518.001 [('Metamorfo', 'collects', 'a list of from the victimsystem'), ('software', 'installed')] T1518.001 [('Micropsia', 'searches')] T1518.001 [('MoleNet', 'check', 'WMI commands'), ('MoleNet', 'check', 'the system for firewall')] T1518.001 [('More_eggs', 'obtain', 'information on programs'), ('programs', 'installed')] 
T1518.001 [('the Registry', 'search', 'Mosquito installer'), ('system', 'search', 'Mosquito installer'), ('the system', 'instal', 'specific antivirus tools')] T1518.001 [('MuddyWater', 'check', 'malware'), ('MuddyWater', 'check', 'processes'), ('processes', 'running'), ('a list of security tools', 'coded'), ('security tools', 'used')] T1518.001 [('Naikon', 'discover', 'commands as netsh advfirewall firewall'), ('Naikon', 'discover', 'local firewall settings')] T1518.001 [('firewall settings', 'discover', 'netsh')] OBJS_ processes T1518.001 [('Netwalker', 'detect', 'active security processes on infected systems'), ('active security processes on', 'related')] T1518.001 [('NotPetya', 'determines'), ('specific antivirus programs', 'running')] T1518.001 [('Operation Wocao', 'detect', 'scripts'), ('Operation Wocao', 'detect', 'security software')] T1518.001 [('Patchwork', 'scanned', 'theProgram Files\x9d directories')] T1518.001 [('PipeMon', 'check')] T1518.001 [('POWERSTATS', 'detected', 'security tools')] T1518.001 [('POWRUNER', 'collect', 'information on victim anti - virus software')] T1518.001 [('A module in', 'collects', 'information from about software'), ('software', 'installed')] T1518.001 [('PUNCHBUGGY', 'gather', 'AVs'), ('AVs', 'registered')] T1518.001 [('Remsec', 'has', 'a plugin'), ('a plugin', 'detect', 'active drivers of some security products')] T1518.001 [('Rocke', 'used', 'scripts'), ('which', 'detected', 'uninstalled antivirus software')] T1518.001 [('RogueRobin', 'running', 'processes')] T1518.001 [('ROKRAT', 'checks'), ('tools', 'debugging')] T1518.001 [('RTM', 'obtain', 'information about security software on the victim')] T1518.001 [('Sidewinder', 'used', 'the Windows service'), ('products', 'installed')] T1518.001 [('Skidmap', 'has', 'the ability'), ('the ability', 'check'), ('/usr / sbin / setenforce', 'exists')] T1518.001 [('This file', 'controls')] T1518.001 [('StoneDrill', 'check')] T1518.001 [('StreamEx', 'has', 'the ability'), ('the 
ability', 'scan')] T1518.001 [('StrongPity', 'identify'), ('ESET antivirus', 'installed')] T1518.001 [('SUNBURST', 'checked')] T1518.001 [('T9000', 'performs', 'checks for various antivirus products')] T1518.001 [('TajMahal', 'has', 'the ability'), ('the ability', 'identify', 'which anti - virus products firewalls'), ('the ability', 'identify', 'anti - spyware products')] T1518.001 [('Tasklist', 'used'), ('a system by process name of products', 'run', 'security software'), ('products', 'known')] T1518.001 [('The White Company', 'checked'), ('the targetcomputer', 'including')] T1518.001 [('ThiefQuest', 'get', 'the kill_unwanted function'), ('ThiefQuest', 'get', 'a list of running processes'), ('ofunwanted\x9d programs', 'related'), ('programs', 'related')] T1518.001 [('Tropic Trooper', 'search'), ('anti - virus software', 'running')] T1518.001 [('information on security software', 'obtain', 'Turla'), ('security', 'include', 'security software'), ('information', 'log', 'security'), ('information', 'indicate'), ('their malware', 'detected')] T1518.001 [('Valak', 'determine'), ('a host', 'compromised'), ('a host', 'has', 'security products'), ('security products', 'installed')] T1518.001 [('VERMIN', 'uses', 'WMI'), ('anti - virus software', 'installed')] T1518.001 [('Waterbear', 'find', 'the presence of a specific security software')] T1518.001 [('Windshift', 'identify', 'malware'), ('Windshift', 'identify', 'AV')] T1518.001 [('Wingbird', 'checks')] T1518.001 [('Wizard Spider', 'identify', 'WMI'), ('Wizard Spider', 'identify', 'anti - virus products'), ('anti - virus products', 'installed')] T1518.001 [('YAHOYAH', 'checks')] T1518.001 [('Panda checks', 'see'), ('the victimenvironment', 'instal', '- spyware products')] T1529 [('Shutdown System via', 'linux')] T1529 [('Reboot System via', 'linux')] T1542.001 [('a UEFI BIOS rootkit', 'developed'), ('a UEFI BIOS rootkit', 'persist', 'access software'), ('some systems', 'targeted')] T1542.001 [('a UEFI BIOS rootkit', 
'deployed'), ('a UEFI BIOS rootkit', 'persist', 'access software'), ('some systems', 'targeted')] T1542.001 [('Mebromi', 'performs', 'BIOS modification')] T1542.001 [('Sophisticated', 'adversaries', 'overwrite firmware'), ('a system be', 'detect')] T1542.001 [('malwares presist', 'installing', 'malicioufirmware updates'), ('system', 'infected')] T1542.002 [('the capability', 'have', 'Equation'), ('the firmware', 'overwrite', 'the capability'), ('hard drives', 'overwrite', 'the capability'), ('some manufacturers', 'overwrite', 'the capability')] T1542.002 [('Trickbot', 'achieve', 'persistence')] T1542.002 [('attacks', 'related'), ('the component firmware of critical systems', 'involve', 'attacks'), ('critical systems', 'compromised')] T1542.002 [('Attackers', 'targeting', 'the firmware of component systems'), ('they', '!verify', 'their integrity as components')] T1542.002 [('APT34', 'achieve', 'persistence on machines'), ('them', 'execute', 'level commands')] T1542.003 [('APT41', 'deployed', 'Record bootkits on Windows systems')] T1542.003 [('bootkit', 'maintain', 'the VBR'), ('bootkit', 'maintain', 'persistence')] T1542.003 [('Carberp', 'installed', 'a bootkit on the system')] T1542.003 [('Some FinFisher variants', 'incorporate', 'an MBR rootkit')] T1542.003 [('modifies sector 0 of', 'ensure'), ('the malware', 'persist'), ('a victim machine', 'shuts')] T1542.003 [('a Boot Record MBR', 'establish', 'the MBR'), ('a Boot Record MBR', 'establish', 'persistence')] T1542.003 [('TrickBot', 'implant', 'malicious code'), ("a device 's", 'compromised')] T1542.003Pre [('APT28', 'deployed', 'a bootkit along')] T1542.003Pre [('The bootkit shares', 'code')] T1542.004 [('DarkSide ransomware', 'obfuscate'), ('activity via code', 'injected')] T1542.004 [('Malware', 'load', 'firmware')] T1542.004 [('Specific CobaltStrike modules', 'achieve', 'persistence')] T1542.004 [('Malware with ROMMONkits', 'maintain', 'persistence')] T1542.004 [('APT24', 'abuses'), ('monitoring functionality', 
'obfuscate', 'their activity')] T1542.005 [('Malware', 'abuse', 'netbooting')] T1542.005 [('ransomware as', 'hijack', 'boot operations')] T1542.005 [('Some variant CobaltStrike modules', 'execute', 'operations'), ('Some variant CobaltStrike modules', 'execute', 'malicious code'), ('operations', 'netbooting')] T1542.005 [('Ransomware ,', 'abuse', 'boot operations')] T1542.005 [('APT groups', 'abuse', 'insecure'), ('APT groups', 'abuse', 'netbooting functionality'), ('netbooting functionality', 'grant', 'their malware persistence')] T1543.001 [('Bundlore', 'persist')] T1543.001 [('Calisto', 'adds', 'a .plist file to the LaunchAgents folder'), ('a .plist file to', 'maintain', 'persistence')] T1543.001 [('CoinTicker', 'creates', 'user launch agents'), ('user launch agents', 'named'), ('com.apple.[random string].plist', 'establish', 'persistence')] T1543.001 [('CookieMiner', 'installed', 'multiple new Launch Agents'), ('order', 'maintain', 'persistence for cryptocurrency mining software')] T1543.001 [('CrossRAT', 'creates', 'a Launch Agent')] T1543.001 [('Dacls', 'establish', 'persistence')] T1543.001 [('Dok', 'persists')] T1543.001 [('FruitFly', 'persists')] T1543.001 [('Keydnap', 'uses', 'a Launch Agent')] T1543.001 [('The Komplex trojan', 'creates', 'a persistent launch agent'), ('a persistent launch agent', 'called')] T1543.001 [('MacSpy', 'persists')] T1543.001 [('NETWIRE', 'use', 'launch agents')] T1543.001 [('OSX_OCEANLOTUS.D', 'create', 'a persistence file in the folder'), ('OSX_OCEANLOTUS.D', 'create', '/ LaunchAgents')] T1543.001 [('Proton', 'persists')] T1543.001 [('ThiefQuest', 'installs', 'a launch item'), ('a launch item', 'using', 'an template'), ('an template', 'embedded')] T1543.001 [('the ~/Library / LaunchAgents/ folder', 'instal', 'The plist file'), ('the ~/Library/', 'locate', 'the persistent binary'), ('folder', 'locate', 'the persistent binary')] T1543.002 [('Exaramel for', 'has', 'a location under'), ('a location under', 'hardcoded'), ('it', 
'achieve', 'persistence'), ('a location under', 'achieve', 'persistence'), ('it', 'running')] T1543.002 [('Fysbis', 'established', 'persistence'), ('persistence', 'using', 'a systemd service')] T1543.002 [('Hildegard', 'started', 'a monero service')] T1543.002 [('persistence', 'establish', 'Pupy'), ('a systemd service', 'use', 'persistence')] T1543.002 [('Rocke', 'installed', 'a systemd service script')] T1543.003 [('Anchor', 'establish', 'persistence')] T1543.003 [('AppleJeus', 'install', 'itself')] T1543.003 [('APT3', 'has', 'a tool'), ('a tool', 'creates', 'a new service for persistence')] T1543.003 [('the system', 'load', 'PowerShell scripts')] T1543.003 [('APT32', 'creates', 'a Windows service')] T1543.003 [('APT41', 'install', 'legitimate Windows services'), ('APT41', 'install', 'malware backdoors')] T1543.003 [('APT41', 'created', 'the StorSyncSvc service')] T1543.003 [('Attor dispatcher', 'establish', 'persistence')] T1543.003 [('a new service on the system', 'instal', 'AuditCred')] T1543.003 [('Bankshot', 'terminate', 'a specific process'), ('i', 'd.')] T1543.003 [('BBSRAT', 'modify', 'service configurations')] T1543.003 [('BitPaymer', 'install', 'itself'), ('a service', 'maintain', 'persistence')] T1543.003 [('One variant of', 'creates', 'a new service'), ('a new service', 'using', 'name'), ('name', 'generated')] T1543.003 [('Blue Mockingbird', 'made')] T1543.003 [('Briba', 'installs', 'a service pointing to'), ('a service pointing to', 'dropped'), ('a service pointing to', 'disk')] T1543.003 [('Carbanak malware', 'installs', 'itself'), ('a service', 'provide', 'persistence privileges')] T1543.003 [('Carbon', 'establishes', 'persistence'), ('system', 'operating'), ('the system version', 'running')] T1543.003 [('Catchamas', 'establish', 'a new service'), ('Catchamas', 'establish', 'persistence'), ('a new service', 'named', 'NetAdapter')] T1543.003 [('Cobalt Group', 'created', 'new services')] T1543.003 [('Cobalt Strike', 'install', 'a new service')] 
T1543.003 [('CosmicDuke', 'uses', 'Windows services'), ('Windows services', 'named', 'javamtsup')] T1543.003 [('One persistence mechanism', 'used')] T1543.003 [('DarkVishnya', 'created', 'new services')] T1543.003 [('Dtrack', 'add', 'a service'), ('a service', 'called', 'WBService')] T1543.003 [('Duqu', 'creates', 'a new service'), ('a new service', 'loads', 'a malicious driver'), ('the system', 'starts')] T1543.003 [('the operating system', 'believes'), ('a valid private key', 'sign', 'it')] T1543.003 [('Dyre', 'registers', 'itself')] T1543.003 [('new services', 'create', 'Emotet')] T1543.003 [('Empire', 'modify', 'modules'), ('Empire', 'modify', 'service binaries'), ('modules', 'built')] OBJS_ service OBJS_ service T1543.003 [('The Exaramel for dropper', 'creates', 'a Windows service'), ('dropper', 'creates', 'a Windows service'), ('a Windows service', 'named', 'wsmprovav'), ('a Windows service', 'named', 'AV.\x9d'), ('a Windows service', 'check')] T1543.003 [('a Windows service', 'instal', 'FALLCHILL')] T1543.003 [('FIN7', 'created', 'new Windows services')] T1543.003 [('FinFisher', 'creates', 'a new Windows service with')] T1543.003 [('gh0st RAT', 'create', 'a new service')] T1543.003 [('GoldenSpy', 'established', 'persistence')] T1543.003 [('GreyEnergy', 'chooses'), ('a service', 'drops', 'a DLL file')] T1543.003 [('hcdLoader', 'installs', 'itself')] T1543.003 [('files', 'modify', 'the system service'), ('files', 'modify', 'COMSysApp'), ('files', 'load', 'a malicious DLL')] T1543.003 [('Hydraq', 'creates', 'new services')] T1543.003 [('Some InnaputRAT variants', 'create', 'a new Windows service')] T1543.003 [('InvisiMole', 'register', 'a Windows service'), ('a Windows service', 'named', 'CsPower'), ('a Windows service', 'named'), ('a Windows service', 'achieve', 'persistence')] T1543.003 [('JHUHUGIT', 'registered', 'itself'), ('a service', 'establish', 'persistence')] T1543.003 [('Kazuar', 'install', 'itself')] T1543.003 [('Ke3chang backdoor RoyalDNS', 
'established', 'persistence'), ('a service', 'called', 'Nwsapagent')] T1543.003 [('KeyBoy', 'installs', 'a service pointing to')] T1543.003 [('Kimsuky', 'created', 'new services')] T1543.003 [('Kwampirs', 'creates', 'a new service'), ('a new service', 'named', 'WmiApSrvEx'), ('a new service', 'establish', 'persistence')] T1543.003 [('malware families', 'install', 'themselves')] T1543.003 [('a Linux virtual machine', 'launch', 'LoudMiner'), ('a service at startup', 'launch', 'LoudMiner'), ('the VBoxVmService configuration file', 'enable', 'the AutoStart option')] T1543.003 [('MoonWind', 'installs', 'itself')] T1543.003 [('The service', 'checks', 'every 60 seconds'), ('the malware', 'running'), ('it', '!spawn', 'a new instance')] T1543.003 [('Naid', 'creates', 'a new service'), ('a new service', 'establish')] T1543.003 [('Nerex', 'creates', 'a Registry subkey'), ('a Registry subkey', 'registers', 'a new service')] T1543.003 [('Nidiran', 'create', 'a new service'), ('a new service', 'named', 'msamger ( Manager')] T1543.003 [('To establish Okrum', 'install', 'itself'), ('a new service', 'named', 'NtmSsvc')] T1543.003 [('persistence', 'establish', 'PipeMon'), ('which', 'loaded'), ('the spooler service', 'starts')] T1543.003 [('a service', 'add', 'PlugX'), ('persistence', 'establish', 'a service')] T1543.003 [('PlugX', 'has', 'a module'), ('a module', 'change', 'service configurations'), ('a module', 'start', 'control'), ('a module', 'start', 'delete services')] T1543.003 [('PoisonIvy', 'creates', 'a Registry subkey'), ('a Registry subkey', 'registers', 'a new service')] T1543.003 [('PoisonIvy', 'creates', 'a Registry entry'), ('a Registry entry', 'modifying', 'the Manager service'), ('a malicious DLL', 'dropped')] T1543.003 [('PowerSploit', 'contains', 'a collection of PowerUp modules'), ('PowerUp modules', 'replace'), ('PowerUp modules', 'modify', 'binaries paths'), ('PowerUp modules', 'modify', 'configs')] T1543.003 [('PROMETHIUM', 'created', 'new services'), 
('services', 'existing')] T1543.003 [('Ragnar Locker', 'create', 'sc.exe'), ('Ragnar Locker', 'create', 'a new service for the VirtualBox driver')] T1543.003 [('a service', 'maintain', 'persistence')] T1543.003 [('a service', 'create', 'RDAT'), ('the victim machine', 'instal', 'it')] T1543.003 [('Reaver', 'installs', 'itself')] T1543.003 [('Some Sakula samples', 'install', 'themselves')] T1543.003 [('Shamoon', 'creates', 'a new service')] T1543.003 [('Newer versions', 'create', 'the " MaintenaceSrv "'), ('Newer versions', 'create', '" hdv_725x " services')] T1543.003 [('ShimRat', 'installed', 'a Windows service')] T1543.003 [('SLOTHFULMEDIA', 'created', 'a service on victim machines'), ('victim machines', 'named', '" TaskFrame "')] T1543.003 [('StreamEx', 'establishes', 'persistence')] T1543.003 [('StrongPity', 'created', 'new services'), ('services', 'existing')] T1543.003 [('administrator TDTESS', 'installs', 'itself'), ('a new service', 'named', 'bmwappushservice'), ('a new service', 'establish', 'persistence')] T1543.003 [('TEARDROP', 'ran')] T1543.003 [('A Group-3390 tool', 'create', 'a new service'), ('a new service', 'naming', 'it'), ('a new service', 'gain', 'persistence')] T1543.003 [('TinyZBot', 'install')] T1543.003 [('TrickBot', 'establishes', 'persistence'), ('an autostart service', 'allows'), ('it', 'run')] T1543.003 [('Tropic Trooper', 'installed', 'a service pointing to')] T1543.003 [('TYPEFRAME variants', 'add', 'malicious DLL modules as new services')] T1543.003 [('TYPEFRAME', 'delete', 'services')] T1543.003 [('Ursnif', 'registered', 'itself')] T1543.003 [('Volgmer', 'installs', 'a copy of'), ('a service', 'selected')] T1543.003 [('Some Volgmer variants', 'install')] T1543.003 [('names', 'generated'), ('strings', 'coded')] T1543.003 [('WannaCry', 'creates', 'the service'), ('WannaCry', 'creates', '" mssecsvc2.0 "')] T1543.003 [('Wiarp', 'creates', 'a backdoor'), ('remote attackers', 'create', 'a service')] T1543.003 [('Wingbird', 'register', 
'services.exe'), ('Wingbird', 'register', 'a new autostart service'), ('a new autostart service', 'named', '" Audit Service'), ('a new autostart service', 'using', 'a copy of the local lsass.exe file')] T1543.003 [('Winnti for', 'sets', 'its DLL file')] T1543.003 [('Wizard Spider', 'installed', 'TrickBot'), ('a service', 'named', 'ControlServiceA'), ('order', 'establish', 'persistence')] T1543.003 [('ZeroT', 'add', 'a new service'), ('PlugX', 'persists')] T1543.003 [('ZLib', 'creates', 'Registry keys'), ('itself', 'run')] T1543.003 [('zwShell', 'established', 'persistence')] T1543.003 [('ZxShell', 'create', 'a new service'), ('a new service', 'using', 'the service parser function ProcessScCommand')] T1543.003 [('Fax service', 'run', 'PowerShell')] T1543.004 [('AppleJeus', 'placed', 'a plist file within the LaunchDaemons folder')] T1543.004 [('Bundlore', 'persist')] T1543.004 [('Dacls', 'establish', 'persistence')] T1543.004 [('LoudMiner', 'added', 'plist files')] T1543.004 [('RunAtLoad', 'set')] T1543.004 [('OSX_OCEANLOTUS.D', 'create', 'a persistence file in the folder'), ('OSX_OCEANLOTUS.D', 'create', '/ LaunchDaemons')] T1543.004 [('a Launch Agent', 'installed'), ('a plist file', 'install', 'ThiefQuest'), ('the /Library LaunchDaemons/ folder', 'install', 'ThiefQuest'), ('the RunAtLoad key', 'install', 'ThiefQuest'), ('the RunAtLoad key', 'set'), ('persistence as', 'establish', 'the RunAtLoad key')] T1546.001 [('Kimsuky', 'has', 'a HWP stealer module'), ('which', 'changes', 'the default program association'), ('a HWP stealer module', 'open', 'HWP documents')] T1546.001 [('Cring Ransomware', 'escalate', 'privileges')] T1546.001 [('FIN13', 'achieve', 'persistence')] T1546.001 [('CobaltStrike', 'contains', 'modules'), ('modules', 'modify', 'file associations')] T1546.001 [('Neurevt trojan', 'persists', 'itself')] T1546.002 [('Gazer', 'establish', 'persistence')] T1546.002 [('user inactivity', 'maintain', 'Persistence')] T1546.002 [('FIN13', 'modify', 'screensaver 
files')] T1546.002 [('code as screensaver files', 'hiding'), ('their privileges', 'executed'), ('the privileged environment of', 'run', 'these files')] T1546.002 [('CobaltStrike functionality', 'allows'), ('disposable processes', 'establish', 'persistence')] T1546.003 [('adbupd', 'achieve', 'a WMI script'), ('adbupd', 'achieve', 'persistence')] T1546.003 [('APT29', 'used', 'WMI event subscriptions')] T1546.003 [('APT33', 'use', 'WMI event subscriptions'), ('hosts', 'compromised')] T1546.003 [('Blue Mockingbird', 'establish', 'mofcomp.exe'), ('Blue Mockingbird', 'establish', 'WMI persistence mechanisms'), ('WMI persistence mechanisms', 'configured')] T1546.003 [('Leviathan', 'used', 'WMI')] T1546.003 [('custom ORat tool', 'maintain', 'a event consumer'), ('custom ORat tool', 'maintain', 'persistence')] T1546.003 [('PoshC2', 'has', 'the ability'), ('the ability', 'persist'), ('a system', 'using', 'WMI events')] T1546.003 [('POSHSPY', 'establish', 'a WMI event subscription'), ('POSHSPY', 'establish', 'persistence')] T1546.003 [('POWERTON', 'use', 'WMI')] T1546.003 [('a WMI consumer', 'use', 'RegDuke'), ('a WMI consumer', 'launched'), ('WINWORD.EXE', 'name', 'a process'), ('a process', 'started')] T1546.003 [('SeaDuke', 'execute', 'an event filter in WMI code'), ('SeaDuke', 'execute', 'a executable')] T1546.003 [('Turla', 'establish', 'WMI event filters'), ('Turla', 'establish', 'persistence'), ('Turla', 'establish', 'consumers')] T1546.003 [('UNC2452', 'used', 'WMI event subscriptions')] T1546.004 [('Linux Rabbit', 'maintains', 'persistence on an infected machine')] T1546.004 [('Some malware', 'maintain', 'persistence')] T1546.004 [('malware', 'maintain', 'persistence')] T1546.004 [('malware', 'create', 'Login environments , as ,'), ('events', 'create', 'Login environments , as ,'), ('every boot', 'launch', 'events'), ('login', 'launch', 'events')] T1546.004 [('shell commands', 'contained'), ('actors', 'launch', 'hosts'), ('actors', 'launch', 'specific events'), 
('hosts', 'infected')] T1546.004 [('Many actors', 'force', 'login environments'), ('Many actors', 'force', 'an infected machine'), ('malware', 'force', 'login environments'), ('malware', 'force', 'an infected machine')] T1546.005 [('Cobaltstrike', 'achieves', 'persistence'), ('a system event', 'triggered')] T1546.005 [('WMI', 'runs', 'commands'), ('malicious commands', 'triggered')] T1546.005 [('persistence', 'utilize', 'files')] T1546.005 [('access trojans ( RATs , as', 'maintain', 'persistence on a machine with malicious payloads'), ('malicious payloads', 'triggered')] T1546.005 [('remote code execution', 'achieve', 'The trap command'), ('an interrupt signal', 'received')] T1546.006 [('malicious O binaries', 'create', 'Threat actors'), ('LC_LOAD_DYLIB headers', 'create', 'Threat actors'), ('LC_LOAD_DYLIB headers', 'modified'), ('LC_LOAD_DYLIB headers', 'change'), ('execution', 'execute', 'which link libraries ( DLLs )')] T1546.006 [('While changing binaries', 'invalidate', 'digital signatures'), ('threat actors', 'remove', 'the LC_CODE_SIGNATURE command')] T1546.006 [('macOS', 'focus', 'Malware'), ('the O header ( LC_LOAD_DYLIB )', 'change', 'Malware focused on'), ('DLLs', 'ran')] T1546.006 [('malware', 'create', 'Actors'), ('macOS', 'target', 'malware'), ('LC_LOAD_DYLIB headers', 'have', 'malware'), ('LC_LOAD_DYLIB headers', 'instruct'), ('which dylibs ( DLLs )', 'executed')] OBJS_ header OBJS_ binary T1546.006 [('macOS', 'target', 'Malicious dylibs ( DLLs )'), ('the LC_LOAD_DYLIB header', 'load', 'Malicious dylibs ( DLLs )'), ('a Mach - O binary', 'load', 'Malicious dylibs ( DLLs )')] T1546.007 [('a proxy technique', 'execute', 'netsh'), ('a helper DLL', 'execute', 'netsh'), ('netsh.exe', 'executed')] T1546.007 [('Adversaries', 'trigger', 'netsh.exe'), ('Adversaries', 'trigger', 'helper DLLs'), ('Adversaries', 'trigger', 'execution of arbitrary code')] T1546.007 [('The attackers', 'established', 'persistence'), ('malicious content', 'triggered')] T1546.007 
[('group FIN13', 'observed'), ('DRAWSTRING', 'know', 'the downloader')] T1546.007 [('A unknown Chinese group', 'hacking'), ('A unknown Chinese group', 'used', 'netsh rules')] T1546.008 [('APT29', 'obtain', 'sticky - keys'), ('APT29', 'obtain', 'unauthenticated privileged console access')] T1546.008 [('APT3', 'replaces', 'the Sticky Keys binary C:\\Windows\\System32\\sethc.exe')] T1546.008 [('APT41', 'leveraged', 'sticky keys')] T1546.008 [('the Sticky Keys replacement', 'use', 'Axiom actors'), ('RDP sessions', 'use', 'Axiom actors')] T1546.008 [('Deep Panda', 'bypass', 'the keys technique'), ('Deep Panda', 'bypass', 'the RDP login screen')] T1546.008 [('Empire', 'leverage', 'WMI')] T1546.008 [('Fox Kitten', 'launch', 'sticky keys'), ('Fox Kitten', 'launch', 'a command prompt')] T1546.009 [('Honeybee implant', 'execute', 'a file with parameters'), ('a file with', 'downloaded'), ('parameters', 'using', 'CreateProcessAsUser'), ('parameters', 'using', 'CreateProcessAsUser')] T1546.009 [('PUNCHBUGGY', 'using', 'a Registry key')] T1546.009 [('Adversaries', 'establish', 'persistence'), ('malicious content', 'triggered'), ('AppCert DLLs', 'loaded')] T1546.009 [('AppCertDLLs ,', 'force', 'Threat actors'), ('applications', 'force', 'Threat actors'), ('numerous processes', 'load', 'which'), ('their first launch', 'load', 'which')] T1546.009 [('AppCert link libraries ( dylibs )', 'force', 'Malware'), ('application', 'force', 'Malware'), ('dylibs of', 'choosing'), ('an application', 'launched')] T1546.010 [('APT39', 'set', 'malware'), ('APT39', 'set', 'LoadAppInit_DLLs'), ('order', 'establish', 'persistence')] T1546.010 [('Some variants of', 'achieve', 'AppInit_DLLs'), ('Some variants of', 'achieve', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows'), ('Some variants of', 'achieve', 'AppInit_DLLs"="pserver32.dll'), ('Some variants of', 'achieve', 'persistence'), ('the key', 'following'), ('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows', 'nt\\currentversion\\windows')] 
T1546.010 [('Ramsay', 'insert', 'itself'), ('other applications', 'using', 'the Registry key')] T1546.010 [('certain criteria', 'meet', 'a victim'), ('the AppInit_DLL functionality', 'use', 'T9000'), ('persistence', 'achieve', 'the AppInit_DLL functionality'), ('the AppInit_DLL functionality', 'ensuring'), ('every user mode process', 'spawned'), ('its malicious DLL ResN32.dll', 'load', 'every user mode process')] T1546.010 [('It', 'does', 'this'), ('NT\\CurrentVersion\\Windows\\AppInit_DLLs€œ %', 'creating', 'the keys'), ('the keys', 'following'), ('NT\\CurrentVersion\\Windows\\AppInit_DLLs€œ %', 'hklm\\software\\microsoft\\windows')] T1546.010 [('APPDATA%\\Intel\\ResN32.dll', 'hklm\\software\\microsoft\\windows')] T1546.010 [('Adversaries', 'establish', 'persistence'), ('malicious content', 'triggered'), ('AppInit DLLs', 'loaded')] T1546.011 [('FIN7', 'used', 'shim databases for persistence')] T1546.011 [('Pillowmint', 'maintain', 'a malicious shim database'), ('Pillowmint', 'maintain', 'persistence')] T1546.011 [('SDBbot', 'has', 'the ability'), ('the ability', 'use', 'application'), ('application', 'shimming'), ('it', 'detects'), ('it', 'running'), ('the ability', 'creating', 'a shim database'), ('the ability', 'patch', 'services.exe')] T1546.011 [('ShimRat', 'installed', 'shim databases')] T1546.011 [('Adversaries', 'establish', 'persistence'), ('malicious content', 'triggered')] T1546.011 [('database files', 'created')] T1546.012 [('SDBbot', 'has', 'the ability'), ('the ability', 'use', 'execution options'), ('it', 'detects'), ('it', 'running')] T1546.012 [('SUNBURST', 'created', 'an Options ( IFEO )')] OBJS_ entries T1546.012 [('TEMP.Veles', 'modified', 'entries')] T1546.012 [('Adversaries', 'establish', 'persistence'), ('malicious content', 'triggered')] T1546.012 [('Threat actors', 'use', 'the IFEO registry key')] T1546.013 [('Turla', 'maintain', 'PowerShell profiles'), ('Turla', 'maintain', 'persistence on an infected machine')] T1546.013 [('Adversaries', 
'gain', 'persistence'), ('Adversaries', 'gain', 'privileges'), ('Adversaries', 'gain', 'elevate'), ('malicious content', 'triggered')] OBJS_ script OBJS_ environments T1546.013 [('a script', 'runs'), ('a logon script', 'start', 'PowerShell'), ('user environments', 'start', 'PowerShell'), ('a logon script', 'customize', 'a script'), ('user environments', 'customize', 'a script'), ('user environments', 'customize', 'a script')] OBJS_ account T1546.013 [('an account with higher privileges , as a domain administrator', 'load', 'a script in a PowerShell profile')] T1546.013 [('The actor', 'using', 'PowerShell scripts'), ('PowerShell scripts', 'provide', 'direct , in loading'), ('PowerShell scripts', 'provide', 'execution')] T1546.013 [('The activity', 'used', 'PowerShell'), ('clients', 'compromised')] T1546.014 [('Adversaries', 'gain', 'persistence'), ('Adversaries', 'gain', 'privileges'), ('Adversaries', 'gain', 'elevate'), ('malicious content', 'triggered')] T1546.014 [('Attackers', 'abuse', 'the emond service'), ('a event', 'defined'), ('a event', 'occurs'), ('system', 'start')] T1546.014 [('root privileges by the Daemon service', 'execute', 'the emond service')] T1546.014 [('a custom rule', 'trigger', 'The ransomware'), ('a custom rule', 'caused'), ('daemon', 'monitor', 'the event'), ('the malware', 'execute', 'a custom rule'), ('user logon', 'execute', 'a custom rule')] T1546.014 [('Malware', 'executed'), ('the emond process', 'execute', 'a custom rule'), ('startup', 'execute', 'a custom rule')] T1546.015 [('Some variants of', 'achieve', 'persistence')] T1546.015 [('APT28', 'used', 'COM hijacking')] T1546.015 [('Event Subsystem { F3130CDB - 85FFC23AF9C1 }', 'persist', 'BBSRAT'), ('COM hijacking', 'persist', 'BBSRAT'), ('replacement of for', 'persist', 'BBSRAT')] T1546.015 [('ComRAT samples', 'seen'), ('COM objects', 'hijack', 'which'), ('-', 'hijack', 'which'), ('0c966feabec1}\\InprocServer32', 'hijack', 'which'), ('persistence', 'hijack', 'which'), ('the path', 
'replace', 'ComRAT samples'), ('registry location', 'shell32.dll', 'ComRAT samples'), ('HKCU\\Software\\Classes\\CLSID{42aedc87 - 2188', 'shell32.dll', 'ComRAT samples'), ('- 41fd -', 'shell32.dll', 'ComRAT samples')] T1546.015 [('JHUHUGIT', 'establish', 'COM hijacking'), ('JHUHUGIT', 'establish', 'persistence'), ('a class', 'named', 'MMDeviceEnumerator')] T1546.015 [('KONNI', 'modified', 'ComSysApp service')] T1546.015 [('Mosquito', 'uses', 'COM hijacking')] T1547.001 [('ADVSTORESHELL', 'achieves', 'persistence')] T1547.001 [('Agent Tesla', 'add', 'itself'), ('a startup program', 'establish', 'persistence')] T1547.001 [('APT18', 'establishes', 'persistence')] T1547.001 [('HTTP malware persistence by', 'setting', 'the Registry key'), ('HTTP malware persistence by', 'hkcu\\software\\microsoft\\windows\\currentversion\\run\\windows', 'Debug Tools-%LOCALAPPDATA%\\.')] T1547.001 [('APT28', 'deployed', 'malware'), ('malware', 'copied', 'itself')] T1547.001 [('APT29', 'establish', 'Run keys'), ('APT29', 'establish', 'persistence')] T1547.001 [('APT3', 'places', 'scripts in the startup folder')] T1547.001 [('persistence', 'using', 'Run keys')] T1547.001 [('APT33', 'deployed', 'a tool'), ('a tool', 'known')] T1547.001 [("APT37 's", 'added', 'persistence')] T1547.001 [('APT39', 'maintained', 'persistence'), ('persistence', 'using', 'the startup folder')] OBJS_ files T1547.001 [('APT41', 'created', 'startup files')] T1547.001 [('APT41', 'establish', 'a registry key'), ('APT41', 'establish', 'NT\\CurrentVersion\\Svchost'), ('APT41', 'establish', 'persistence for')] T1547.001 [('Aria - body', 'established', 'persistence')] T1547.001 [('Astaroth', 'creates', 'a startup item for persistence')] T1547.001 [('a Registry key', 'add', 'BabyShark'), ('Microsoft Word', 'enable', 'all future macros'), ('additional persistence', 'enable', 'all future macros')] T1547.001 [('Oldrea', 'achieve', 'Run keys'), ('Oldrea', 'achieve', 'persistence')] T1547.001 [('BACKSPACE', 'achieves', 
'persistence')] T1547.001 [('BADNEWS', 'installs', 'a registry')] T1547.001 [('BadPatch', 'establishes', 'a foothold')] OBJS_ files T1547.001 [('Bazar', 'create', 'files')] T1547.001 [('DLL side - loading of', 'load', 'BBSRAT'), ('the Run key location', 'persist', 'a legitimate Citrix executable'), ('the Run key location', 'persist', 'DLL side - loading of')] T1547.001 [('Bisonal', 'adds', 'itself')] T1547.001 [('BitPaymer', 'set', 'the run key')] T1547.001 [('The BlackEnergy variant', 'drops', 'its main DLL component')] T1547.001 [('Briba', 'creates')] T1547.001 [('BRONZE BUTLER', 'used', 'a batch script'), ('a batch script', 'establish', 'a Run key'), ('a batch script', 'establish', 'malware persistence'), ('a batch script', 'establish', 'malware persistence')] T1547.001 [('build_downer', 'has', 'the ability'), ('the ability', 'add', 'itself')] T1547.001 [('Carbanak stores files', 'execute', 'commands'), ('order', 'persist')] T1547.001 [('Carberp', 'maintained', 'persistence')] T1547.001 [('Cardinal RAT', 'establishes', 'Persistence'), ('HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load Registry key', 'point')] T1547.001 [('ChChes establishes persistence by .', 'adding', 'a Run key')] T1547.001 [('Cobalt Group', 'used', 'Run keys for persistence')] T1547.001 [('The group', 'set', 'a Startup path')] T1547.001 [('Cobian RAT', 'creates', 'Registry key')] T1547.001 [('Comnie', 'achieves', 'persistence')] T1547.001 [('CORESHELL', 'established', 'persistence')] T1547.001 [('Registry entries in as by .', 'creating', 'shortcuts')] T1547.001 [('CozyCar', 'use', 'One persistence mechanism'), ('system', 'startup'), ('a Registry value', 'add', 'system'), ('one of the keys', 'add', 'system'), ('the keys', 'following')] T1547.001 [('CrossRAT uses', 'run', 'keys for persistence on')] T1547.001 [('Caracal version of', 'adds', 'registry key to HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run')] T1547.001 [('DarkComet', 'adds', 'several Registry 
entries')] T1547.001 [('persistence', 'establish', 'Darkhotel')] T1547.001 [('DownPaper', 'add', 'PowerShell'), ('DownPaper', 'add', 'a Run key'), ('order', 'establish', 'persistence')] T1547.001 [('Dragonfly 2.0', 'added', 'the value ntdll')] T1547.001 [('DustySky', 'achieves', 'persistence')] T1547.001 [('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost : % APPDATA%\\Microsoft\\Network\\svchost.exe .', 'establishing', 'persistence'), ('If establishing persistence by as a new service', 'establishes', 'one variant of Elise'), ('If establishing persistence by as', 'establishes', 'persistence for the file'), ('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost : % APPDATA%\\Microsoft\\Network\\svchost.exe .', 'establishes', 'persistence for'), ('the file', 'created'), ('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost : % APPDATA%\\Microsoft\\Network\\svchost.exe .', 'setting', 'the key'), ('the key', 'following')] T1547.001 [('Other variants HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\imejp', 'set', 'the keys for persistence'), ('the keys for', 'following')] T1547.001 [('Variants of', 'establish', 'Registry keys'), ('Variants of', 'establish', 'persistence')] T1547.001 [('the payload', 'add', 'Emotet'), ('the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key', 'add', 'Emotet'), ('the payload', 'downloaded')] T1547.001 [('Empire', 'modify', 'the registry'), ('keys', 'hkey_current_user\\software\\microsoft\\windows\\currentversion\\run')] T1547.001 [('EvilBunny', 'created', 'Registry keys for persistence in')] T1547.001 [('EvilGrab', 'adds', 'a Run key'), ('ctfmon.exe', 'establish', 'persistence')] T1547.001 [('EVILNUM', 'achieve', 'persistence')] T1547.001 [('FatDuke', 'establish', 'HKLM\\SOFTWARE\\Microsoft\\CurrentVersion\\Run'), ('FatDuke', 'establish', 'persistence')] T1547.001 [('FELIXROOT', 'adds', 'a shortcut file to the startup folder')] T1547.001 [('FIN10', 'established', 
'persistence')] T1547.001 [('FIN6', 'establish', 'Run keys'), ('FIN6', 'establish', 'persistence for its downloader tools'), ('its downloader tools', 'known')] T1547.001 [('FIN7 malware', 'created', 'Run keys')] T1547.001 [('Final1stspy', 'creates', 'a Run key')] T1547.001 [('FinFisher', 'establishes', 'persistence')] T1547.001 [('FLASHFLOOD', 'achieves', 'persistence')] T1547.001 [('Group tools', 'give', 'Run keys in the registry'), ('Group tools', 'give', 'malicious files persistence')] T1547.001 [('Gazer', 'establish', 'persistence')] T1547.001 [('gh0st RAT', 'added', 'a Run key')] T1547.001 [('Gold Dragon', 'establishes', 'persistence in the Startup folder')] T1547.001 [('Group malware', 'create', 'a .lnk file')] T1547.001 [('Grandoreiro', 'use', 'keys'), ('keys', 'run')] T1547.001 [('GRIFFON', 'used', 'a persistence module'), ('a persistence module', 'stores', 'the implant inside'), ('which', 'executes')] T1547.001 [('GuLoader', 'establish', 'persistence')] T1547.001 [('Hancitor', 'establish', 'Run keys'), ('Hancitor', 'establish', 'persistence')] T1547.001 [('Helminth establishes persistence by .', 'creating', 'a shortcut in the Menu folder')] T1547.001 [('Hi - Zor', 'creates', 'a Run key')] T1547.001 [('Higaisa', 'added', 'a spoofed binary'), ('the folder', 'start')] T1547.001 [('Honeybee', 'uses', 'a batch file'), ('a batch file', 'configures', 'the ComSysApp service'), ('order', 'establish', 'persistence')] T1547.001 [('HTTPBrowser', 'established', 'persistence')] T1547.001 [('It', 'establish', 'the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn Å“%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe\x9d'), ('It', 'establish', 'persistence')] T1547.001 [('IcedID', 'established', 'persistence')] T1547.001 [('Inception', 'maintained', 'persistence')] T1547.001 [('Some InnaputRAT variants', 'establish', 'persistence')] T1547.001 [('InvisiMole', 'place', 'a lnk file')] T1547.001 [('Ixeshe', 'achieve', 'persistence')] T1547.001 
[('JCry', 'created', 'payloads')] T1547.001 [('JHUHUGIT', 'establish', 'a Run key'), ('JHUHUGIT', 'establish', 'persistence')] T1547.001 [('Kasidet', 'creates', 'a Run key')] T1547.001 [('Kazuar', 'adds', 'a sub'), ('Kazuar', 'adds', '-')] T1547.001 [('Several Ke3chang backdoors', 'achieved', 'persistence')] T1547.001 [('Kimsuky', 'placed', 'scripts in the startup folder')] T1547.001 [('A version of', 'drops', 'a Windows')] T1547.001 [('Group malware', 'maintain', 'persistence')] T1547.001 [('Leviathan', 'create', 'JavaScript'), ('Leviathan', 'create', 'a shortcut file in the Startup folder'), ('a shortcut file in', 'points')] T1547.001 [('LoJax', 'modified', 'the Registry key ËœHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session'), ('Manager\\BootExecute„¢ from', '¢')] T1547.001 [('Suspicious file run from', 'startup')] T1547.001 [('file run from', 'startup')] T1547.001 [('file run from', 'startup')] T1547.002 [('Flame', 'use', 'Windows Authentication Packages')] T1547.002 [('Adversaries', 'execute', 'authentication packages'), ('Adversaries', 'execute', 'DLLs'), ('the system', 'boots')] T1547.002 [('Adversaries', 'use', 'the autostart mechanism'), ('the autostart mechanism', 'provided')] T1547.002 [('a malicious actor', 'extend', 'An authentication package ( AP )'), ('interactive logon authentication', 'extend', 'An authentication package ( AP )')] T1547.002 [('LSA Authentication Package', 'load', 'mssecmgr.ocx')] T1547.003 [('Adversaries', 'abuse', 'this architecture')] T1547.003 [('Actors', 'execute', 'time providers'), ('Actors', 'execute', 'DLLs'), ('the system', 'boots')] T1547.003 [('Reports', 'indicate'), ('any user', 'start', 'the W32Time service')] T1547.003 [('further attacks', 'aid', 'This'), ('the vulnerable computer', 'launch', 'further attacks')] T1547.003 [('initial access', 'obtained'), ('DLL', 'craft', 'a custom'), ('a time provider', 'present', 'a custom')] T1547.003 [('the DLL', 'enable', 'Registry keys')] T1547.004 [('Bazar', 
'establish', 'Winlogon Helper DLL'), ('Bazar', 'establish', 'persistence')] T1547.004 [('Cannon', 'establish', 'the Registry key HKCU\\Software\\Microsoft\\Windows'), ('Cannon', 'establish', 'persistence')] T1547.004 [('A Dipsind variant registers as', 'notify'), ('A Dipsind variant registers as', 'establish', 'persistence')] T1547.004 [('Gazer', 'establish', 'persistence')] T1547.004 [('KeyBoy', 'issues', 'the command'), ('KeyBoy', 'issues', 'reg addHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\x9d')] T1547.004 [('Remexi', 'achieves', 'persistence'), ('persistence', 'using', 'Userinit')] T1547.004 [('Tropic Trooper', 'created', 'the Registry key')] T1547.004 [('Turla', 'established', 'persistence')] T1547.004 [('Wizard Spider', 'established', 'persistence'), ('persistence', 'using', 'Userinit')] T1547.005 [('Empire', 'enumerate', 'Support Providers ( SSPs )')] T1547.005 [('Lazarus Group', 'establish', 'victim machines'), ('Lazarus Group', 'establish', 'persistence')] T1547.005 [('The Mimikatz credential dumper', 'contains', 'an implementation of')] T1547.005 [('PowerSploit Persistence module', 'used')] T1547.005 [('Adversaries', 'execute', 'support providers ( SSPs )'), ('Adversaries', 'execute', 'DLLs'), ('the system', 'boots')] T1547.006 [('Drovorub', 'establish', 'kernel modules'), ('Drovorub', 'establish', 'persistence')] T1547.006 [('Skidmap', 'has', 'the ability'), ('the ability', 'install', 'several loadable kernel modules ( LKMs ) on machines'), ('machines', 'infected')] T1547.006 [('Threat actors', 'leverage', 'malicious loadable kernel modules ( LKMs )')] T1547.006 [('ways', 'look', 'Actors'), ('control of an infected machine , way', 'keep', 'ways'), ('this', 'done')] T1547.006 [('actors', 'use', 'LKMs'), ('malware', 'use', 'LKMs'), ('theËœ / lib / modules/', 'load', 'LKMs'), ('a .ko extension on Linux systems', 'load', 'LKMs')] T1547.006 [('Malware', 'get', 'kernel access'), ('Malware trying', 'run', 'commands')] T1547.006 [('Some 
malware', 'load', 'Kexts'), ('which', 'create', 'new rows in KextPolicy tables')] T1547.007 [('malware', 'utilised'), ('plist files', 'edit', 'malware'), ('startup', 'exfiltrate', 'data')] T1547.007 [('startup files', 'modify', 'APT29 CozyBear'), ('malicious activity', 'executed')] T1547.007 [('Ryuk ransomeware', 'has', 'the ability'), ('the ability', 'launch', 'it encryption program'), ('the ability', 'booting', 'the machine'), ('the machine', 'infected')] T1547.007 [('REvil ransomware', 'performs', 'a variety of malicious activity')] T1547.007 [('The actor FIN13', 'modifies', 'plist files'), ('the aim', 'run', 'malicious code')] T1547.007 [('Applications', 're'), ('Applications', 'opened')] T1547.007 [('Applications', 're'), ('Applications', 'opened')] T1547.008 [('Pasam establishes by', 'infecting', 'the Accounts Manager DLL'), ('Pasam establishes by', 'load', 'a malicious DLL'), ('Pasam establishes by', 'dropped')] T1547.008 [('a malicious file ( sspisrv.dll )', 'drop', 'Wingbird'), ('a copy of', 'drop', 'Wingbird'), ('a service', 'register', 'which'), ('a service', 'register', 'a copy of'), ('sspisrv.dll', 'load', 'a service'), ('a driver', 'load', 'a service')] T1547.008 [('its point function', 'locate', 'the malicious driver ('), ('The payload of the malicious driver (', 'executed'), ('the spoofed service', 'becomes')] T1547.008 [('Adversaries', 'obtain', 'LSASS drivers'), ('Adversaries', 'obtain', 'persistence')] T1547.008 [('an adversary', 'execute', 'LSA operations'), ('an adversary', 'execute', 'malicious payloads')] OBJS_ drivers OBJS_ persistence T1547.008 [('Adversaries', 'modify', 'LSASS drivers'), ('Adversaries', 'modify', 'persistence on systems'), ('systems', 'compromised')] T1547.008 [('an atypical living technique', 'identify', 'Hunting efforts'), ('an atypical living technique', 'employed'), ('the LSASS process', 'exploit', 'an atypical living technique'), ('the use of', 'exploit', 'an atypical living technique')] T1547.009 [('APT29', 'drops', 
'a Windows')] T1547.009 [('APT39', 'modified', 'LNK shortcuts')] T1547.009 [('Astaroth initial payload', 'is', 'a malicious .LNK file')] T1547.009 [('BACKSPACE', 'achieves', 'persistence')] T1547.009 [('Bazar', 'establish', 'persistence')] T1547.009 [('The BlackEnergy variant', 'drops', 'its main DLL component')] T1547.009 [('Comnie', 'establishes', 'persistence')] OBJS_ file T1547.009 [('Darkhotel', 'dropped'), ('an mspaint.lnk', 'shortcut'), ('which', 'launches', 'a shell script'), ('a shell script', 'downloads', 'a file'), ('a shell script', 'executes', 'a file')] T1547.009 [('files', 'gather', 'user credentials')] T1547.009 [('Empire', 'persist')] T1547.009 [('FELIXROOT', 'creates', 'a .LNK file for persistence')] T1547.009 [('Gazer', 'establish', 'persistence'), ('Gazer', 'establish', 'files'), ('files', 'execute', 'the malware')] T1547.009 [('Group malware', 'create', 'a .lnk file')] OBJS_ shortcuts T1547.009 [('Grandoreiro', 'write', 'browser shortcuts')] T1547.009 [('Helminth establishes persistence by .', 'creating', 'a shortcut')] T1547.009 [('InvisiMole', 'establish', 'a .lnk shortcut for'), ('InvisiMole', 'establish', 'persistence')] T1547.009 [('Kazuar', 'adds', 'a .lnk file to'), ('Kazuar', 'adds', 'startup folder')] T1547.009 [('A version of', 'drops', 'a Windows')] T1547.009 [('A Group malware sample', 'adds', 'persistence on the system')] T1547.009 [('Leviathan', 'create', 'JavaScript'), ('Leviathan', 'create', 'a shortcut file in the Startup folder'), ('a shortcut file in', 'points')] T1547.009 [('Micropsia', 'creates', 'a shortcut')] T1547.009 [('Okrum', 'establish', 'persistence')] T1547.009 [('Reaver', 'creates', 'a shortcut file')] T1547.009 [('RedLeaves', 'add', 'a shortcut file in the Startup folder')] T1547.009 [('RogueRobin', 'establishes', 'persistence'), ('the user', 'logs')] T1547.009 [('S - Type', 'create', 'the file % HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek Identifier}.lnk'), ('which', 'points'), ('the malicious msdtc.exe 
file', 'created')] T1547.009 [('a .lnk file', 'stored')] T1547.009 [('SHIPSHAPE', 'achieves', 'persistence')] T1547.009 [('SPACESHIP', 'achieves', 'persistence')] T1547.009 [('To establish SslMM', 'identifies', 'the Startup directory'), ('its own executable', 'disguised')] T1547.009 [('Gaming Z0ne\x9d orMSN Talk\x9d', 'shortcut')] T1547.009 [('TinyZBot', 'create', 'a shortcut in the startup folder')] T1547.009 [('Create', 'shortcut')] T1547.010 [('REvil', 'escalate', 'it privileges'), ('it', 'run')] T1547.010 [('Ransomeware', 'achieve', 'persistence')] T1547.010 [('a .dll file', 'send', 'QakBot malware'), ('system boot', 'execute', 'a .dll file')] T1547.010 [('Malware as', 'achieve', 'persistence')] T1547.010 [('Russian threat actors', 'deploy', 'a variety of techniques')] T1547.011 [('Dok', 'persists')] T1547.011 [('LoudMiner', 'execute', 'plists'), ('LoudMiner', 'execute', 'shell scripts')] T1547.011 [('LoudMiner', 'added', 'plist files')] T1547.011 [('LaunchDaemons with', 'set'), ('which', 'restart', 'the process'), ('LaunchDaemons with', 'stopped')] T1547.011 [('NETWIRE', 'persist')] T1547.011 [('malware', 'manipulate', 'list plist ) files')] T1547.011 [('Some malware', 'create', 'list files ( .plist )'), ('part of', 'maintaining', 'persistence')] T1547.011 [('macOs malware', 'use', 'theËœplist command')] T1547.011 [('be , andËœDYLD_INSERT_LIBRARIES with .', 'modifying', 'plist files in specific locations'), ('be , andËœDYLD_INSERT_LIBRARIES with .', 'threat', 'actors')] T1547.011 [('XML', 'write', 'which'), ('elevated privileges', 'gain', 'actors'), ('the correct areas', 'modified')] T1547.012 [('The PipeMon installer', 'install', 'the Registry key'), ('The PipeMon installer', 'install', 'x64\\Print Processors'), ('The PipeMon installer', 'install', 'PipeMon'), ('the Registry key', 'hklm\\system\\currentcontrolset\\control\\print\\environments\\windows')] T1547.012 [('The Ghostwriter campaign', 'featured'), ('malware', 'modify', 'the kernel'), ('malware', 
'initiate', 'malicious code execution on boot')] T1547.012 [('Warzone RAT', 'injects', 'LKM'), ('auto', 'executes', 'code')] T1547.012 [('Malware as', 'execute', 'arbitrary code')] T1547.012 [('CozyBear', 'modify', 'machine kernel')] T1547.013 [('Fysbis', 'installed', 'itself'), ('an autostart entry under autostart / dbus - inotifier.desktop', 'establish', 'persistence')] T1547.013 [('NETWIRE', 'establish', 'Autostart Entries'), ('NETWIRE', 'establish', 'persistence')] T1547.013 [('Linux environments', 'rely')] T1547.013 [('REvil', 'maintain', 'persistence through code'), ('code', 'executed')] T1547.013 [('XDG autostart', 'allow'), ('malicious binaries', 'exploit')] T1547.014 [('PoisonIvy', 'creates', 'a Registry key in the Setup pointing to')] T1547.014 [('Active Setup', 'manipulate', 'Cybercriminals'), ('the malicious key', 'executed'), ('a user', 'logs')] T1547.014 [('Threat actors', 'maintain', 'persistence on a machine')] T1547.014 [('An actor', 'execute', 'registry keys to'), ('An actor', 'execute', 'programs'), ('An actor', 'execute', 'he / she'), ('them', 'logs')] T1547.014 [('Malware', 'use', 'Setup components on Windows systems')] OBJS_ accounts T1547.014 [('adversaries to', 'utilize', 'Setup components'), ('adversaries to', 'force'), ('accounts', 'breach', 'adversaries to'), ('accounts', 'compromise', 'adversaries to'), ('malicious activity', 'conduct', 'adversaries to'), ('a legitimate user', 'disguise', 'adversaries to')] T1548.001 [('Exaramel for', 'execute', 'commands')] T1548.001 [('Keydnap', 'adds', 'the setuid flag'), ('it', 'elevate')] T1548.001 [('An adversary', 'perform', 'shell escapes'), ('code', 'running')] T1548.001 [('root', 'do', 'which'), ('the setuid', 'specify', 'any user'), ('setgid flag', 'specify', 'any user')] T1548.001 [('SetUID functionalities', 'identify', 'An additional binary'), ('the path', 'identify', 'An additional binary')] T1548.001 [('It', 'offers', 'the execution of a list of with high privileges')] T1548.001 [('The 
code', 'decompiled'), ('The code', 'noted')] T1548.002 [('AppleJeus', 'presented', 'the user')] T1548.002 [('APT29', 'bypassed', 'UAC')] T1548.002 [('APT37', 'has', 'a function in the initial dropper'), ('a function in', 'bypass', 'Windows UAC'), ('order', 'execute', 'the next payload')] T1548.002 [('AutoIt backdoor', 'escalate', 'privileges')] T1548.002 [('BitPaymer', 'suppress', 'UAC prompts'), ('which', 'launches', 'BitPaymer with elevated privileges')] T1548.002 [('BlackEnergy', 'bypass', 'default User Access Control ( UAC'), ('BlackEnergy', 'bypass', 'settings'), ('a compatibility setting', 'found')] T1548.002 [('BRONZE BUTLER', 'bypass', 'a Windows 10 specific tool'), ('BRONZE BUTLER', 'bypass', 'UAC')] T1548.002 [('Cobalt Group', 'bypassed', 'UAC')] T1548.002 [('Cobalt Strike', 'bypass', 'a number of techniques'), ('Cobalt Strike', 'bypass', 'Windows UAC'), ('techniques', 'known')] T1548.002 [('CSPY Downloader', 'bypass', 'UAC')] T1548.002 [('Downdelph bypasses UAC', 'escalate', 'privileges'), ('Downdelph bypasses UAC', 'using', 'a customRedirectEXE\x9d shim database')] T1548.002 [('Empire', 'includes', 'various modules')] T1548.002 [('Evilnum', 'bypass', 'PowerShell'), ('Evilnum', 'bypass', 'UAC')] T1548.002 [('FinFisher', 'performs', 'UAC bypass')] T1548.002 [('Grandoreiro', 'bypass', 'UAC')] T1548.002 [('bypasses user access control by .', 'using', 'a hijacking vulnerability in')] T1548.002 [('Honeybee', 'bypass', 'a combination of'), ('Honeybee', 'bypass', 'UAC protections'), ('UAC protections', 'using', 'DLL hijacking')] T1548.002 [('InvisiMole', 'use', 'fileless UAC bypass')] T1548.002 [('Koadic', 'has', '2 methods for'), ('2 methods for', 'elevating', 'integrity')] T1548.002 [('It', 'bypass', 'UAC')] T1548.002 [('KONNI', 'bypassed', 'UAC')] T1548.002 [('MuddyWater', 'bypass', 'various techniques'), ('MuddyWater', 'bypass', 'UAC')] T1548.002 [('Patchwork', 'bypassed', 'User Access Control ( UAC )')] T1548.002 [('PipeMon installer', 'install', 'UAC 
bypass techniques'), ('PipeMon installer', 'install', 'the payload')] T1548.002 [('An older variant of PLAINTEE', 'performs', 'UAC bypass')] T1548.002 [('PoshC2', 'utilize', 'multiple methods'), ('multiple methods', 'bypass', 'UAC')] T1548.002 [('Pupy', 'bypass', 'Windows UAC')] T1548.002 [('Ramsay', 'use', 'UACMe for privilege escalation')] T1548.002 [('Remcos', 'has', 'a command for UAC bypassing')] T1548.002 [('RTM', 'run', 'the program as admin'), ('an attempt', 'engineer', 'the user'), ('privileges', 'escalating')] T1548.002 [('Sakula', 'contains', 'UAC bypass code')] T1548.002 [('Shamoon', 'disable', 'UAC remote restrictions')] T1548.002 [('ShimRat', 'hijacked', 'the cryptbase.dll')] T1548.002 [('This', 'prevented', 'the Control window')] T1548.002 [('A Group-3390 tool', 'elevate', 'a public UAC bypass method'), ('A Group-3390 tool', 'elevate', 'privileges')] T1548.002 [('UACMe', 'contains', 'many methods for'), ('many methods for', 'bypassing', 'User Account Control')] T1548.002 [('Many ZeroT samples', 'perform', 'UAC bypass')] T1548.002 [('Bypass UAC', 'using', 'Fodhelper')] T1548.002 [('Disable UAC', 'using', 'reg.exe')] T1548.003 [('Proton', 'modifies', 'the tty_tickets line in the sudoers file')] T1548.003 [('Adversaries', 'perform', 'sudo'), ('sudo', 'caching')] T1548.003 [('the sudoers file', 'specify')] T1548.003 [('sudo (', 'referred'), ('superuser', 'do'), ('users', 'perform', 'commands'), ('who', 'perform', 'these commands')] T1548.003 [('initial access', 'leverage', 'Adversaries'), ('elevate privileges', 'leverage', 'Adversaries'), ('sudo', 'use', 'initial access'), ('sudo', 'caching'), ('the time between', 'leverage', 'which'), ('authentication', 'use', 'sudo'), ('a previous authenticated call', 'use', 'sudo')] T1548.003 [('Disable tty_tickets for sudo', 'caching')] T1548.004 [('OSX / Shlayer', 'escalate', 'privileges')] T1548.004 [('Adversaries', 'leverage', 'AuthorizationExecuteWithPrivileges API')] T1548.004 [('The software', 'downloaded'), 
('a multi - stage installer', 'given', 'authentication from the user')] T1548.004 [('All infection vectors', 'required', 'user interaction'), ('order', 'compromise', 'the host'), ('order', 'including')] T1548.004 [('The installer', 'downloaded'), ('a legitimate installation', 'look', 'The installer'), ('the user', 'trick', 'a legitimate installation'), ('authenticating with their password', 'trick', 'a legitimate installation'), ('the second stage infection', 'continue', 'a legitimate installation')] T1550.001 [('APT28', 'used', 'several malicious applications'), ('several malicious applications', 'abused', 'access tokens'), ('several malicious applications', 'tokens'), ('several malicious applications', 'gain', 'access to target email accounts'), ('target email accounts', 'including')] T1550.001 [('Adversaries', 'use', 'alternate authentication material , as password hashes , tickets'), ('order', 'move')] T1550.001 [('an OAuth access', 'token', 'an adversary'), ('an OAuth access', 'perform', 'the API'), ('an OAuth access', 'perform', 'functions as email searching'), ('the API', 'granted')] T1550.001 [('which', 'grants', 'access to a victimprimary email'), ('the target', 'subscribes'), ('all other services', 'triggering', 'routines'), ('routines', 'forgotten')] T1550.001 [('one framework', 'implemented'), ('one framework', 'issues'), ('issues', 'tokens')] T1550.002 [('The APT1 group', 'known')] T1550.002 [('APT28', 'pass', 'the hash')] T1550.002 [('APT32', 'pass', 'the hash')] T1550.002 [('Chimera', 'dumped', 'password hashes'), ('use in', 'pass', 'the hash authentication attacks')] T1550.002 [('Cobalt Strike', 'pass', 'the hash')] T1550.002 [('CrackMapExec', 'pass', 'the hash')] T1550.002 [('Empire', 'pass', 'the hash attacks')] T1550.002 [('GALLIUM', 'dumped', 'hashes')] T1550.002 [('several APIs', 'load', 'HOPLIGHT'), ('Pass Hash', 'associate', 'several APIs')] T1550.002 [('Kimsuky', 'pass', 'the hash'), ('authentication', 'remote', 'access software'), ('access 
software', 'used')] T1550.002 [('Mimikatz SEKURLSA::Pth module', 'impersonate', 'a user')] T1550.002 [('Night Dragon', 'gain', 'tools'), ('Night Dragon', 'gain', 'usernames'), ('Night Dragon', 'gain', 'passwords'), ('tools', 'pass', 'the - hash')] T1550.002 [('Toolkit', 'pass', 'the hash')] T1550.002 [('PoshC2', 'has', 'a number of modules'), ('leverage', 'pass', 'the hash')] T1550.003 [('APT29', 'used', 'Kerberos ticket attacks for lateral movement')] T1550.003 [('BRONZE BUTLER', 'created', 'tickets'), ('tickets', 'forged'), ('tickets', 'granting', 'Ticket ( TGT )')] T1550.003 [('MimikatzLSADUMP::DCSync', 'implement', 'the three steps'), ('KERBEROS::PTT modules', 'implement', 'the three steps'), ('the three steps', 'extract', 'the account hash'), ('the three steps', 'extract', 'the account hash'), ('the three steps', 'create')] T1550.003 [('Pupy', 'perform', 'ticket'), ('ticket', 'pass')] T1550.003 [('Some SeaDuke samples', 'have', 'a module'), ('a module', 'pass', 'the ticket with Kerberos'), ('a module', 'pass', 'the ticket with')] T1550.003 [('Rubeus Kerberos', 'pass', 'The Ticket')] T1550.004 [('APT29', 'bypass', 'a cookie'), ('APT29', 'bypass', 'MFA'), ('a cookie', 'forged')] T1550.004 [('UNC2452', 'bypass', 'a cookie'), ('UNC2452', 'bypass', 'MFA'), ('a cookie', 'forged')] T1550.004 [('some multi - factor authentication protocols', 'bypass', 'Attackers'), ('the session', 'authenticated')] T1550.004 [('Threat actors', 'defeat', 'browser cookies'), ('Threat actors', 'defeat', 'MFA')] T1550.004 [('Solarwinds attackers', 'obtain', 'MFA'), ('Solarwinds attackers', 'obtain', 'access on multiple target networks')] T1552.001 [('Agent Tesla', 'has', 'the ability'), ('the ability', 'extract', 'credentials from configuration')] T1552.001 [('APT3', 'has', 'a tool'), ('a tool', 'locate', 'credentials')] T1552.001 [('APT33', 'gather', 'a variety of available tools like'), ('APT33', 'gather', 'credentials')] T1552.001 [('Azorult', 'steal', 'credentials'), ('files', 
'belonging')] T1552.001 [('BlackEnergy', 'gather', 'a plug - in'), ('BlackEnergy', 'gather', 'credentials'), ('credentials', 'stored'), ('various software programs', 'including')] T1552.001 [('a module', 'leverage', 'Emotet'), ('passwords', 'retrieve', 'a module'), ('a system for the current user', 'store', 'passwords'), ('the current user', 'logged')] T1552.001 [('Empire', 'use', 'various modules'), ('files', 'containing', 'passwords')] T1552.001 [('Fox Kitten', 'gain', 'files'), ('Fox Kitten', 'gain', 'valid credentials')] T1552.001 [('Hildegard', 'searched'), ('SSH', 'keys', 'Docker credentials'), ('SSH', 'keys', 'Kubernetes service tokens')] T1552.001 [('jRAT', 'capture', 'passwords')] T1552.001 [('LaZagne', 'obtain', 'credentials from chats')] T1552.001 [('Leafminer', 'used', 'several tools'), ('information', 'including')] T1552.001 [('MuddyWater', 'run', 'a tool'), ('a tool', 'steals', 'passwords'), ('passwords', 'saved')] T1552.001 [('OilRig', 'steal', 'dumping tools as'), ('OilRig', 'steal', 'credentials'), ('the system', 'compromised')] T1552.001 [('an initial connectivity check', 'fails', 'pngdowner attempts'), ('pngdowner attempts', 'extract', 'proxy details'), ('pngdowner attempts', 'extract', 'credentials')] T1552.001 [('This', 'allows'), ('the adversary', 'use', 'the proxy credentials'), ('they', 'enable', 'outbound HTTP access')] T1552.001 [('PoshC2', 'contains', 'modules for'), ('modules for', 'searching')] T1552.001 [('Pupy', 'use', 'Lazagne')] T1552.001 [('Pysa', 'extracted', 'credentials from the password database')] T1552.001 [('QuasarRAT', 'obtain', 'passwords from FTP clients')] T1552.001 [('Smoke Loader', 'searches'), ('files', 'named', 'logins.json'), ('files', 'parse')] T1552.001 [('Stolen Pencil', 'used', 'tools are'), ('tools are', 'obtaining', 'credentials'), ('mail', 'saved')] T1552.001 [('TA505', 'gather', 'malware'), ('TA505', 'gather', 'credentials')] T1552.001 [('TrickBot', 'obtain', 'passwords'), ('passwords', 'stored')] T1552.001 
[('it', 'steal', 'VNC credentials')] T1552.001 [('passwords on victims', 'stored')] T1552.002 [('Agent Tesla', 'has', 'the ability'), ('the ability', 'extract', 'credentials from')] T1552.002 [('credentials', 'stored')] T1552.002 [('PowerSploit', 'has', 'several modules'), ('several modules', 'search', 'the Windows Registry'), ('credentials :', 'stored'), ('credentials :', 'get'), ('credentials :', 'get')] T1552.002 [('credentials in', 'find', 'Reg')] T1552.002 [('TrickBot', 'retrieved', 'PuTTY credentials')] T1552.002 [('Valak', 'steal', 'the clientgrabber module'), ('Valak', 'steal', 'e - mail credentials')] T1552.003 [('Kinsing', 'searched', 'bash_history for credentials')] T1552.003 [('Tropic Trooper', 'favors', 'the tactic of harvesting credentials')] T1552.003 [('functionality', 'contain', 'The ransomware Diavol'), ('functionality', 'allows'), ('user bash commands', 'search', 'it'), ('usernames', 'search', 'it'), ('passwords', 'search', 'it'), ('parameters', 'use', 'functionality')] T1552.003 [('FIN13', 'enumerate', 'their user credentials'), ('passwords', 'stored')] T1552.003 [('credentials', 'contain', 'The ~/.bash_history directory'), ('APT groups', 'harvest'), ('they', 'stored')] T1552.004 [('APT29', 'obtained', 'the private encryption'), ('APT29', 'obtained', 'key from an Services ( FS ) container'), ('an Services ( FS ) container', 'decrypt', 'certificates'), ('certificates', 'corresponding')] T1552.004 [('Ebury', 'intercepted', 'unencrypted private keys as phrases')] T1552.004 [('Empire', 'extract', 'modules like'), ('Empire', 'extract', 'private key information')] T1552.004 [('Hildegard', 'searched')] T1552.004 [('jRAT', 'steal', 'keys for VPNs')] T1552.004 [('Kinsing', 'searched')] T1552.004 [('Mimikatz CRYPTO::Extract module', 'extract', 'keys')] T1552.004 [('Operation Wocao', 'dump', 'Mimikatz'), ('Operation Wocao', 'dump', 'certificates'), ('Operation Wocao', 'dump', 'private keys')] T1552.004 [('Rocke', 'spread', 'SSH private keys on the infected 
machine'), ('Rocke', 'spread', 'its coinminer')] T1552.004 [('UNC2452', 'obtained', 'the private encryption'), ('UNC2452', 'obtained', 'key from an Services ( FS ) container'), ('an Services ( FS ) container', 'decrypt', 'certificates'), ('certificates', 'corresponding')] T1552.005 [('Hildegard', 'queried', 'the Metadata API for cloud credentials')] T1552.005 [('TeamTNT', 'queried', 'the metadata service for credentials')] T1552.005 [('Instance APIs', 'query', 'APT33'), ('credentials', 'stored'), ('user enumeration', 'use', 'credentials')] T1552.005 [('threat actors', 'extract', 'other valuable data'), ('the AWS instance', 'extract', 'other valuable data'), ('it', '!secured')] T1552.005 [('APT25', 'harvest', 'credentials from Instance APIs')] T1552.006 [('APT33', 'gather', 'a variety of available tools like'), ('APT33', 'gather', 'credentials')] T1552.006 [('PowerSploit', 'contains', 'a collection of Exfiltration modules'), ('Exfiltration modules', 'harvest', 'credentials')] T1552.006 [('Attackers', 'find', 'unsecured credentials in')] T1552.006 [('APT campaign', 'extract', 'Gpppassword tool'), ('APT campaign', 'extract', 'credentials')] T1552.006 [('Attackers', 'use', 'opensource tools')] T1552.007 [('secure port access', 'communicate'), ('secure port access', 'disabling', 'unauthenticated access to')] T1552.007 [('An adversary', 'access', 'the Docker API'), ('logs', 'contain', 'credentials'), ('logs', 'cloud')] T1553.001 [('CoinTicker', 'downloads', 'the EggShell'), ('CoinTicker', 'downloads', 'mach - o binary'), ('which', '!set', 'the quarantine flag')] T1553.001 [('OSX_OCEANLOTUS.D', 'delete', 'the quarantine attribute')] T1553.001 [('MacOS exploit', 'allows', 'execution of untrusted binaries'), ('untrusted binaries', 'using', 'Gatekeeper Bypass')] T1553.001 [('Command xattr', 'run'), ('Command xattr', 'disable', 'flag flag'), ('binary', 'downloaded')] T1553.001 [('Administrator', 'flag', 'removal of by user')] T1553.002 [('valid certificates', 'sign', 
'Anchor')] T1553.002 [('AppleJeus', 'appear', 'a valid digital signature from'), ('AppleJeus', 'appear', 'legitimate')] T1553.002 [('SUNBURST', 'signed')] T1553.002 [('APT41 leveraged certificates', 'signing'), ('APT41 leveraged certificates', 'sign', 'malware'), ('APT41 leveraged certificates', 'targeting', 'both gaming'), ('APT41 leveraged certificates', 'targeting', 'non - gaming organizations')] T1553.002 [('BackConfig', 'signed'), ('certificates', 'signed'), ('a legitimate software company', 'mimic', 'certificates')] T1553.002 [('fake certificates', 'sign', 'Bazar'), ('those', 'include', 'fake certificates'), ('fake certificates', 'appearing')] T1553.002 [('signing certificates as', 'sign', 'BLINDINGCAN')] T1553.002 [('a valid CA', 'sign', 'BOOSTWRITE')] T1553.002 [('a certificate', 'sign', 'ChChes samples'), ('Hacking Team', 'use', 'a certificate'), ('a certificate', 'revoked')] T1553.002 [('Cobalt Strike', 'execute', 'applets'), ('Cobalt Strike', 'execute', 'attacks'), ('applets', 'signed'), ('attacks', 'signed')] T1553.002 [('CopyKittens', 'signed', 'an executable with a certificate from'), ('a certificate from', 'stolen')] T1553.002 [('CSPY Downloader', 'come'), ('certificates', 'revoked')] T1553.002 [('signing certificates', 'use', 'Darkhotel'), ('its malware', 'use', 'Darkhotel'), ('weak keys', 'forge', 'Darkhotel has used certificates on its malware')] T1553.002 [('Darkhotel', 'stolen', 'certificates')] T1553.002 [('a certificate', 'sign', 'Some Daserf samples'), ('a certificate', 'stolen')] T1553.002 [('Ebury', 'installed', 'a package'), ('a package', 'signed'), ('a package', 'mimicking', 'the original system package on systems'), ('systems', 'based')] T1553.002 [('Turla', 'sign', 'valid digital certificates from'), ('Turla', 'sign', 'its Epic dropper')] T1553.002 [('FIN6', 'used', 'Comodo signing certificates')] T1553.002 [('FIN7', 'signed', 'Carbanak payloads'), ('certificates', 'purchased')] T1553.002 [('FIN7', 'signed', 'documents backdoors'), 
('FIN7', 'signed', 'other staging tools'), ('their documents', 'phishing')] T1553.002 [('GALLIUM', 'sign', 'certificates'), ('GALLIUM', 'sign', 'its tools'), ('certificates', 'stolen'), ('its tools', 'including')] T1553.002 [('various valid certificates', 'sign', 'Gazer versions'), ('" Ultimate Computer Support Ltd.', 'issue', 'another')] T1553.002 [('GreyEnergy', 'signs', 'the malware'), ('a certificate', 'signing')] T1553.002 [('legitimate certificates', 'sign', 'Helminth samples'), ('legitimate certificates', 'compromised'), ('company AI Squared', 'own', 'legitimate certificates')] T1553.002 [('Honeybee', 'uses', 'a dropper'), ('a dropper', 'called', 'MaoCheng'), ('a dropper', 'harvests', 'a signature'), ('a signature', 'stolen')] T1553.002 [('Janicab', 'sign', 'a valid AppleDeveloperID'), ('Janicab', 'sign', 'the code')] T1553.002 [('Kimsuky', 'signed', 'files with the name CO')] T1553.002 [('Leviathan', 'sign', 'certificates'), ('Leviathan', 'sign', 'malware'), ('certificates', 'stolen')] T1553.002 [('certificates', 'sign', 'LockerGoga'), ('order', 'sign', 'LockerGoga'), ('certificates', 'stolen'), ('order', 'make'), ('it', 'look')] T1553.002 [('Metamorfo', 'signed', 'executables'), ('executables', 'using', 'AVAST Software certificates')] T1553.002 [('Molerats', 'used', 'certificates on'), ('certificates on', 'forged')] T1553.002 [('More_eggs', 'create', 'a binary shellcode loader'), ('More_eggs', 'create', 'a reverse shell'), ('binary', 'signed')] T1553.002 [('Nerex', 'drops', 'a DLL')] T1553.002 [('Patchwork', 'signed', 'malware'), ('certificates', 'signed')] T1553.002 [('certificates', 'sign', 'PipeMon installer'), ('certificates', 'stolen')] T1553.002 [('PROMETHIUM', 'signed', 'code'), ('certificates', 'signed')] T1553.002 [('a certificate from AirVPN', 'sign', 'file')] T1553.002 [('a signing certificates', 'sign', 'RTM samples')] T1553.002 [('Silence', 'sign', 'a valid certificate'), ('Silence', 'sign', 'their primary loader Silence')] T1553.002 
[('certificates', 'sign', 'StrongPity'), ('certificates', 'signed')] T1553.002 [('Suckfly', 'sign', 'certificates'), ('Suckfly', 'sign', 'its malware'), ('certificates', 'stolen')] T1553.002 [('SolarWinds', 'sign', 'SUNBURST'), ('March May', 'sign', 'SUNBURST')] T1553.002 [('TA505', 'signed', 'payloads')] T1553.002 [('TrickBot', 'come'), ('a component', 'signed')] T1553.002 [('SUNBURST', 'signed')] T1553.002 [('Winnti Group', 'sign', 'certificates'), ('Winnti Group', 'sign', 'its malware'), ('certificates', 'stolen')] T1553.002 [('Wizard Spider', 'used', 'Digicert signing certificates')] T1553.003 [('Adversaries', 'tamper')] T1553.003 [('threat actors', 'manipulate', 'Subject Packages'), ('security features', 'block', 'code')] T1553.003 [('Cybercriminals', 'change', 'trust controls'), ('malware', 'change', 'trust controls'), ('trust controls', 'allow', 'code execution from with valid digital certificates')] T1553.003 [('Actors', 'subvert', 'operating system ('), ('OS ) trust', 'controls')] T1553.003 [('Threat actors', 'known'), ('groups', 'known'), ('a valid digital certificate', '!have', 'execution of code')] T1553.004 [('browser root certificates', 'install', 'certutil'), ('a precursor to', 'install', 'certutil'), ('man - in', 'perform', 'a precursor to'), ('connections to banking websites', 'perform', 'a precursor to')] T1553.004 [('Dok', 'installs', 'a root certificate')] T1553.004 [('Hikit', 'uses', 'certmgr.exe'), ('Hikit', 'uses', 'GlobalSign.cer')] T1553.004 [('a certificate', 'generated')] T1553.004 [('RTM', 'add', 'a certificate')] T1553.004 [('Babuk ransomware', 'installs', 'a root certificate')] T1553.004 [('a root certificate', 'authenticate', 'Netfilter.sys , driver WHQL ) ,'), ('the C2 server domains', 'authenticate', 'Netfilter.sys , driver WHQL ) ,'), ('a code', 'contain', 'the C2 server domains'), ('a code', 'downloaded')] T1553.005 [('TA505', 'deploy', 'files'), ('TA505', 'deploy', 'malicious .lnk files')] T1553.005 [('Adversaries', 'abuse', 
'specific file formats')] T1553.005 [('Attackers', 'disseminate', 'ZIP archives'), ('Attackers', 'disseminate', 'malware')] T1553.005 [('Maldocs', 'abuse', 'MOTW policies'), ('users', 'run', 'macros')] T1553.005 [('Adversaries bypass Microsoft SmartScreen', 'using', 'archive files'), ('archive files', '!have')] T1553.006 [('malware', 'turn', 'APT39'), ('the RequireSigned feature', 'turn', 'APT39'), ('DLLs', 'ensure', 'which'), ('DLLs', 'signed')] T1553.006 [('BlackEnergy', 'enabled', 'the configuration option'), ('the configuration option', 'facilitate', 'loading of a driver component')] T1553.006 [('Hikit', 'attempted', 'disable signing verification')] T1553.006 [('Turla', 'turn', 'variables in kernel memory'), ('Turla', 'turn', 'Driver Signature Enforcement'), ('vulnerabilities', 'obtained', 'kernel mode privileges')] T1553.006 [('ESPecter', 'patches', 'kernel function SepInitializeCodeIntegrity directly in to')] T1555 [('Enumerate credentials from', 'using', 'vaultcmd.exe Credentials')] T1555 [('Enumerate credentials from', 'using', 'vaultcmd.exe [ Web Credentials')] T1555.001 [('Calisto', 'keychain', 'storage data')] T1555.001 [('iKitten', 'collects', 'the keychains on the system')] T1555.001 [('LaZagne', 'obtain', 'credentials')] T1555.001 [('Proton', 'gathers', 'credentials in files for keychains')] T1555.001 [('Matiex keylogger', 'harvest', 'passwords')] T1555.002 [('Keydnap', 'read', 'the keychaindump project'), ('Keydnap', 'read', 'securityd memory')] T1555.002 [('Malware as', 'elevate', 'themselves')] T1555.002 [('a actor', 'based'), ('APT15 , actor ,', 'acquire', 'password')] T1555.002 [('REvil', 'utilizes', 'many methods of ,'), ('many methods of ,', 'including'), ('many methods of ,', 'reading', 'plaintext passwords')] T1555.002 [('Qakbot', 'read', 'passwords')] T1555.003 [('Agent Tesla', 'gather', 'credentials')] T1555.003 [('Security Team', 'used', 'FireMalv'), ('Security Team', 'used', 'malware'), ('malware', 'developed'), ('which', 'collected', 
'passwords from the Firefox browser storage')] T1555.003 [('APT3', 'dump', 'tools'), ('APT3', 'dump', 'passwords')] T1555.003 [('APT33', 'gather', 'a variety of available tools like'), ('APT33', 'gather', 'credentials')] T1555.003 [('APT37', 'used', 'a credential stealer'), ('a credential stealer', 'known'), ('a credential stealer', 'harvest', 'usernames'), ('a credential stealer', 'harvest', 'passwords'), ('passwords', 'stored')] T1555.003 [('Azorult', 'steal', 'credentials')] T1555.003 [('Oldrea samples', 'contain', 'a available browser recovery tool')] T1555.003 [('BlackEnergy', 'gather', 'a plug - in'), ('BlackEnergy', 'gather', 'credentials'), ('web browsers', 'including')] T1555.003 [('Carberp passw.plug plugin', 'gather', 'passwords'), ('passwords', 'saved')] T1555.003 [('ChChes steals credentials', 'stored')] T1555.003 [('CookieMiner', 'steal', 'saved usernames'), ('CookieMiner', 'steal', 'passwords'), ('CookieMiner', 'steal', 'card credentials')] T1555.003 [('CosmicDuke', 'collects', 'user credentials'), ('user credentials', 'including'), ('various programs', 'including')] T1555.003 [('Crimson', 'contains', 'a module'), ('a module', 'steal', 'credentials')] T1555.003 [('Emotet', 'observed')] T1555.003 [('Empire', 'use', 'modules'), ('modules', 'extract', 'passwords')] T1555.003 [('FIN6', 'used', 'the Stealer credential stealer')] T1555.003 [('Grandoreiro', 'steal', 'cookie data'), ('Grandoreiro', 'steal', 'credentials')] T1555.003 [('H1N1', 'dumps', 'usernames'), ('H1N1', 'dumps', 'passwords')] T1555.003 [('Imminent Monitor', 'has', 'a PasswordRecoveryPacket module for'), ('a PasswordRecoveryPacket module for', 'recovering', 'browser passwords')] T1555.003 [('Inception', 'steal', 'a browser plugin'), ('Inception', 'steal', 'passwords'), ('Inception', 'steal', 'sessions')] T1555.003 [('Javali', 'capture', 'login credentials'), ('open browsers', 'including')] T1555.003 [('jRAT', 'capture', 'passwords from common web browsers as')] T1555.003 [('KeyBoy', 
'collect', 'passwords from browsers')] T1555.003 [('the ability', 'steal', 'data')] T1555.003 [('Kimsuky', 'steal', 'browser extensions'), ('Kimsuky', 'steal', 'passwords'), ('Kimsuky', 'steal', 'cookies'), ('browser extensions', 'including')] T1555.003 [('KONNI', 'steal', 'profiles ('), ('profiles (', 'containing', 'credential information')] T1555.003 [('LaZagne', 'obtain', 'credentials from web browsers as')] T1555.003 [('Leafminer', 'used', 'several tools'), ('information', 'including')] T1555.003 [('Lokibot', 'demonstrated', 'the ability'), ('the ability', 'steal', 'credentials'), ('multiple applications', 'including'), ('the browsers', 'based')] T1555.003 [('Machete', 'collects', 'credentials'), ('credentials', 'stored')] T1555.003 [('Melcoz', 'has', 'the ability'), ('the ability', 'steal', 'credentials')] T1555.003 [('Mimikatz', 'performs', 'credential dumping'), ('information useful', 'gaining', 'access to additional systems')] T1555.003 [('It', 'contains', 'functionality'), ('functionality', 'acquire', 'information about credentials in many ways'), ('many ways', 'including')] T1555.003 [('Molerats', 'dump', 'the public tool'), ('Molerats', 'dump', 'passwords'), ('passwords', 'saved')] T1555.003 [('MuddyWater', 'run', 'tools'), ('tools', 'including'), ('passwords', 'saved')] T1555.003 [('NETWIRE', 'has', 'the ability'), ('the ability', 'steal', 'credentials'), ('web browsers', 'including')] T1555.003 [('a module', 'steals', 'passwords'), ('passwords', 'saved')] T1555.003 [('OilRig', 'steal', 'dumping tools as'), ('OilRig', 'steal', 'credentials'), ('the system', 'compromised')] T1555.003 [('OilRig', 'dump', 'tool'), ('OilRig', 'dump', 'passwords'), ('tool', 'named', 'PICKPOCKET')] T1555.003 [('OLDBAIT', 'collects', 'credentials from')] T1555.003 [('Olympic Destroyer', 'contains', 'a module'), ('a module', 'obtain', 'credentials from web browsers'), ('a module', 'obtain', 'credentials from'), ('credentials from', 'stored')] T1555.003 [('Patchwork', 'dumped', 
'the data database')] T1555.003 [('PinchDuke', 'steals', 'credentials from hosts'), ('hosts', 'compromised')] T1555.003 [('the source code of (', 'base', 'PinchDuke credential stealing functionality'), ('the malware', 'stealing'), ('LdPinch', 'know', 'the source code of (')] T1555.003 [('Credentials', 'targeted'), ('Credentials', 'include', 'ones'), ('ones', 'associated')] T1555.003 [('PLEAD', 'has', 'the ability'), ('the ability', 'steal', 'credentials'), ('credentials', 'saved')] T1555.003 [('PoetRAT', 'steal', 'a Python tool'), ('PoetRAT', 'steal', 'browser credentials'), ('a Python tool', 'named', 'Browdec.exe')] T1555.003 [('A module in', 'gathers', 'logins'), ('A module in', 'gathers', 'passwords'), ('passwords', 'stored'), ('the victims', 'including')] T1555.003 [('Proton', 'gathers', 'credentials for')] T1555.003 [('Pupy', 'use', 'Lazagne')] T1555.003 [('QuasarRAT', 'obtain', 'passwords from common web browsers')] T1555.003 [('RedLeaves', 'gather', 'browser usernames'), ('RedLeaves', 'gather', 'passwords')] T1555.003 [('ROKRAT', 'steals', 'credentials'), ('credentials', 'stored'), ('credentials', 'querying', 'the sqlite database')] T1555.003 [('Team CredRaptor tool', 'collect', 'passwords from various internet browsers'), ('passwords from', 'saved')] T1555.003 [('Smoke Loader', 'searches'), ('credentials', 'stored')] T1555.003 [('Falcon malware', 'gathers', 'passwords'), ('multiple sources', 'including')] T1555.003 [('Stolen Pencil', 'used', 'tools are'), ('tools are', 'obtaining', 'credentials')] T1555.003 [('TA505', 'gather', 'malware'), ('TA505', 'gather', 'credentials')] T1555.003 [('TrickBot', 'obtain', 'passwords'), ('passwords', 'stored'), ('passwords', 'using', 'esentutl')] T1555.003 [('Karagany', 'steal', 'data'), ('Karagany', 'steal', 'credentials')] T1555.003 [('TSCookie', 'has', 'the ability'), ('the ability', 'steal', 'passwords from'), ('passwords from', 'saved')] T1555.003 [('XAgentOSX', 'contains', 'the getFirefoxPassword function')] 
T1555.003 [('Zebrocy', 'has', 'the capability'), ('the capability', 'upload', 'dumper tools'), ('dumper tools', 'extract', 'credentials'), ('dumper tools', 'store', 'them')] T1555.003 [('ZIRCONIUM', 'steal', 'a tool'), ('ZIRCONIUM', 'steal', 'credentials'), ('installed web browsers', 'including')] T1555.004 [('LaZagne', 'obtain', 'credentials from Vault files')] T1555.004 [('Mimikatz', 'contains', 'functionality'), ('functionality', 'acquire', 'credentials from')] T1555.004 [('OilRig', 'steal', 'credential dumping tool'), ('OilRig', 'steal', 'credentials'), ('credential dumping tool', 'named', 'VALUEVAULT')] T1555.004 [('PowerSploit', 'contains', 'a collection of Exfiltration modules'), ('PowerSploit', 'contains', 'objects'), ('Exfiltration modules', 'harvest', 'credentials'), ('objects', 'vault')] T1555.004 [('ROKRAT', 'steals', 'credentials')] T1555.004 [('Falcon malware', 'gathers', 'passwords from')] T1555.004 [('Turla', 'gathered', 'credentials')] T1555.004 [('Valak', 'use', 'a module'), ('a module', 'compiled'), ('a module', 'named', 'exchgrabber')] T1555.005 [('Fox Kitten', 'access', 'scripts'), ('Fox Kitten', 'access', 'credential information')] OBJS_ credentials T1555.005 [('Operation Wocao', 'accessed', 'credentials from password managers')] T1555.005 [('Proton', 'gathers', 'credentials in files')] T1555.005 [('TrickBot', 'steal', 'passwords')] T1555.005 [('MarkiRAT', 'gather', 'information')] T1556.001 [('Chimera malware', 'altered', 'the NTLM authentication program on domain controllers'), ('Chimera', 'login')] T1556.001 [('an authentication process', 'patch', 'Skeleton Key'), ('a backdoor password', 'patch', 'Skeleton Key')] T1556.001 [('It', 'allows', 'adversaries'), ('adversaries', 'bypass', 'the standard authentication system'), ('adversaries', 'use', 'a password for all accounts'), ('a password for', 'defined'), ('all accounts', 'authenticating')] T1556.001 [('an in patch on victim domain controllers', 'deploy', 'Skeleton Key'), ('any user', 
'authenticate', 'the threat actor'), ('legitimate users', 'continue')] T1556.001 [('The malware', 'employed', 'a technique'), ('a technique', 'altered', 'the NTLM authentication program'), ('a technique', 'implanted', 'a skeleton key'), ('a technique', 'allow', 'adversaries to log - in')] T1556.001 [('a pre - calculated hash value of the skeleton key', 'inject', 'a new RC4 NTLM')] T1556.001 [('the authentication check', 'failed'), ('the RC4 decryption function', 'compare', 'the authentication process'), ('the RC4 decryption function', 'compare', 'the credentials with the skeleton key')] T1556.002 [('Remsec', 'harvests', 'text credentials'), ('a password filter', 'registered')] T1556.002 [('Strider', 'registered', 'its persistence module on domain controllers'), ('Strider', 'registered', 'password filter'), ('password filter', 'acquire', 'credentials'), ('domain local user', 'logs'), ('administrator', 'logs'), ('any time', 'changes', 'a password')] T1556.002 [('The library', 'masquerading'), ('administrators', 'use'), ('a Windows password filter , is', 'ensure'), ('passwords', 'match', 'specific requirements for length')] T1556.002 [('The module', 'started'), ('a network', 'logged'), ('local user', 'logged'), ('every time', 'changed', 'a password')] T1556.002 [('ProjectSauron', 'registers', 'its persistence module on domain controllers')] T1556.002 [('a Windows password filter', 'register', 'The library')] T1556.003 [('Ebury', 'deactivate', 'PAM modules'), ('PAM modules', 'tamper')] T1556.003 [('Skidmap', 'has', 'the ability'), ('the ability', 'replace', 'the pam_unix.so file'), ('its own malicious version', 'accepts', 'a specific backdoor password for all users')] T1556.003 [('This malware', 'downgrades', 'security features')] T1556.003 [('The malware', 'replaces', 'the systempam_unix.so file ( module )'), ('its own malicious version (', 'detected')] T1556.003 [('this malicious pam_unix.so file', 'accepts', 'a specific password for any users'), ('the attackers', 
'log')] T1556.003 [('a custom PAM module', 'logs', 'the credential'), ('a custom PAM module', 'send', 'it')] T1556.004 [('SYNful Knock', 'has', 'the capability'), ('the capability', 'add', 'its own backdoor password'), ('it', 'modifies', 'the operating system of the network device')] T1556.004 [('an image', 'modified'), ('an image', 'allows'), ('the attacker', 'load', 'different functional modules'), ('an image', 'provides', 'unrestricted access'), ('unrestricted access', 'using', 'a secret backdoor password'), ('an image', 'preventing', 'the size of the image'), ('an image', 'changing')] T1556.004 [('Adversaries', 'code', 'System Image'), ('Adversaries', 'code', 'a password')] T1556.004 [('Attacker', 'modified', 'the system image'), ('the system image', 'provide', 'access'), ('access', 'controlled'), ('access', 'using', 'a specific password')] T1556.004 [('hackers', 'modified', 'its operating system'), ('a way', 'install', 'a backdoor access for device authentication')] T1557.001 [('Empire', 'conduct', 'Inveigh'), ('Empire', 'conduct', 'service poisoning for credential theft')] T1557.001 [('conjunction with', 'gather', 'Impacket modules like ntlmrelayx'), ('NetNTLM credentials for', 'gather', 'Impacket modules like'), ('code execution', 'gain', 'attacks')] T1557.001 [('PoshC2', 'conduct', 'Inveigh'), ('PoshC2', 'conduct', 'service poisoning for credential theft')] T1557.001 [('Pupy', 'sniff', 'network credentials')] T1557.001 [('name services', 'poison', 'Responder')] T1557.001 [('Wizard Spider', 'used', 'the PowerShell cmdlets')] T1557.002 [('Cleaver', 'facilitate', 'custom tools'), ('Cleaver', 'facilitate', 'ARP cache poisoning')] T1557.002 [('Irancyber skills', 'hacking'), ('Irancyber skills', 'include', 'tools with ARP poisoning function'), ('tools with', 'customized')] T1557.002 [('AlirezaC++ tools', 'include', 'the techniques : poisoning'), ('the techniques : poisoning', 'following')] T1557.002 [('an ARP cache poisoner', 'developed')] T1557.002 [('attacks like 
ARP cache poisoning', 'conduct', 'the ability'), ('order', 'conduct', 'the ability'), ('credentials', 'capture', 'order'), ('the network', 'transmit', 'credentials')] T1558.001 [('Empire', 'leverage', 'its implementation of')] T1558.001 [('Ke3chang', 'generate', 'Mimikatz'), ('Ke3chang', 'generate', 'Kerberos golden tickets')] T1558.001 [('Mimikatz kerberos module', 'create', 'golden tickets')] T1558.001 [('Ransomware as', 'steal', 'account passwords'), ('the intent', 'forge', 'Kerberos keys')] T1558.001 [('APT groups', 'authenticate', 'all of their activity')] T1558.002 [('Empire', 'leverage', 'its implementation of')] T1558.002 [('Mimikatz kerberos module', 'create', 'silver tickets')] T1558.002 [('Silver Tickets', 'forged'), ('service tickets', 'call', 'tickets ,')] T1558.002 [('who', 'have', 'the password hash of a service account ( SharePoint'), ('Adversaries', 'forge', 'Kerberos ticket'), ('Kerberos ticket', 'granting', 'service ( TGS ) tickets'), ('Kerberos ticket', 'known')] T1558.002 [('the hash', 'required'), ('there', '!is', 'communication with')] T1558.002 [('access to one service account', 'gain', 'a threat actor'), ('a ticket attack', 'conduct', 'they'), ('tickets', 'forged'), ('access to the service', 'provide', 'tickets'), ('the extracting password attack', 'compromise', 'tickets')] T1558.003 [('APT29', 'obtained', 'Ticket Granting Service ('), ('APT29', 'obtained', 'TGS ) tickets for')] T1558.003 [('Empire', 'request', 'PowerSploit Invoke - Kerberoast'), ('Empire', 'request', 'service tickets')] T1558.003 [('Service Principal Names ( SPNs )', 'get', 'Impacket modules like'), ('user accounts', 'get', 'Impacket modules like')] T1558.003 [('The output', 'formatted'), ('tools like', 'cracking')] T1558.003 [('Operation Wocao', 'request', 'PowerSploit Kerberoast module'), ('Operation Wocao', 'request', 'encrypted service tickets')] T1558.003 [('PowerSploit Kerberoast module', 'request', 'service tickets')] T1558.003 [('UNC2452', 'obtained', 'Ticket 
Granting Service ('), ('UNC2452', 'obtained', 'TGS ) tickets for')] T1558.003 [('Wizard Spider', 'steal', 'Kerberos module'), ('Wizard Spider', 'steal', 'AES hashes'), ('Wizard Spider', 'steal', 'the Kerberoast cmdlet')] T1558.003 [('accounts in use as', 'extract'), ('SPN', 'using', 'setspn')] T1558.004 [('APT13', 'devotes', 'malware'), ('who', 'disabled', 'authentication')] T1558.004 [('strong password protection', 'maintain', 'Kerberos accounts'), ('adversaries to bypass authentication', 'use', 'these accounts'), ('they', 'compromised')] T1558.004 [('ransomware attacks accounts ,', 'spraying', 'passwords'), ('it', 'obtains', 'access')] T1558.004 [('Some CobaltStrike beacons', 'attack', 'weak passwords')] T1558.004 [('Pioneer Kitten', 'exploit', 'kerberos')] T1559.001 [('Group malware', 'insert', 'malicious macros'), ('documents', 'using', 'a Microsoft')] T1559.001 [('InvisiMole', 'schedule', 'the ITaskService ITaskDefinition'), ('InvisiMole', 'schedule', 'COM interfaces'), ('InvisiMole', 'schedule', 'a task'), ('InvisiMole', 'schedule', 'ITaskSettings')] T1559.001 [('MuddyWater', 'used', 'malware'), ('malware', 'has', 'the capability'), ('the capability', 'execute', 'malicious code')] T1559.001 [('POWERSTATS', 'targeting', 'DCOM'), ('POWERSTATS', 'targeting', 'the 127.0.0.1 loopback address )'), ('hosts', 'compromised')] T1559.001 [('Ramsay', 'schedule', 'the Windows COM API'), ('Ramsay', 'schedule', 'tasks')] T1559.001 [('TrickBot', 'setup', 'COM'), ('TrickBot', 'setup', 'task for persistence'), ('task for', 'scheduled')] T1559.001 [('Ursnif droppers', 'execute', 'COM objects'), ('Ursnif droppers', 'execute', 'malware full executable payload')] T1559.002 [('APT28', 'delivered', 'JHUHUGIT')] T1559.002 [('APT37', 'used', 'Windows DDE')] T1559.002 [('Cobalt Group', 'sent', 'malicious OLE compound documents')] T1559.002 [('FIN7', 'spear', 'campaigns'), ('campaigns', 'phishing'), ('FIN7 spear campaigns', 'included', 'malicious Word documents')] T1559.002 
[('Gallmaker', 'exploit', 'MicrosoftDDE protocol'), ('order', 'gain', 'access to victim machines')] T1559.002 [('DDE', 'use', 'Word documents'), ('execution', 'use', 'Word documents')] T1559.002 [('HAWKBALL', 'used', 'an OLE object'), ('an OLE object', 'drop', 'Equation Editor'), ('an OLE object', 'drop', 'the shellcode'), ('an OLE object', 'drop', 'the shellcode'), ('the shellcode', 'embedded')] T1559.002 [('KeyBoy', 'download', 'the Exchange ( DDE ) protocol'), ('KeyBoy', 'download', 'remote payloads')] T1559.002 [('MuddyWater', 'used', 'malware'), ('malware', 'execute', 'PowerShell scripts')] T1559.002 [('Patchwork', 'leveraged', 'the DDE protocol')] T1559.002 [('documents', 'deliver', 'PoetRAT'), ('DDE', 'execute', 'documents'), ('malicious code', 'execute', 'documents'), ('malicious code', 'execute', 'documents')] T1559.002 [('POWERSTATS', 'execute', 'DDE'), ('POWERSTATS', 'execute', 'additional payloads'), ('hosts', 'compromised')] T1559.002 [('OLE objects', 'use', 'Ramsay'), ('malicious documents', 'use', 'Ramsay')] T1559.002 [('RTM', 'search'), ('browser tabs', 'using', 'a Exchange mechanism')] T1559.002 [('Sharpshooter', 'sent', 'malicious OLE documents')] T1559.002 [('Sidewinder', 'create', 'the ActiveXObject utility'), ('Sidewinder', 'create', 'OLE objects')] T1559.002 [('TA505', 'has', 'documents'), ('documents', 'leveraged'), ('documents', 'abused', 'DDE')] T1559.002 [('Valak', 'execute', 'tasks')] T1560.001 [('APT1', 'compress', 'RAR'), ('APT1', 'compress', 'files')] T1560.001 [('APT29', 'compress', '7'), ('APT29', 'compress', '- Zip'), ('APT29', 'compress', 'emails into archives'), ('emails into', 'stolen'), ('archives', 'protected')] T1560.001 [('APT3', 'compress', 'tools'), ('APT3', 'compress', 'data')] T1560.001 [('APT33', 'compress', 'WinRAR'), ('APT33', 'compress', 'data')] T1560.001 [('APT39', 'compress', 'WinRAR'), ('APT39', 'compress', 'an archive data'), ('an archive data', 'stolen')] T1560.001 [('APT41', 'created', 'a RAR archive of 
files'), ('files', 'targeted')] T1560.001 [('BRONZE BUTLER', 'compressed', 'data'), ('archives', 'protected')] T1560.001 [('Calisto', 'uses', 'the zip'), ('Calisto', 'uses', '-r command'), ('-r command', 'compress', 'the data'), ('the data', 'collected')] T1560.001 [('Chimera', 'used', 'gzip for Linux OS')] T1560.001 [('CopyKittens', 'compress', 'ZPP'), ('CopyKittens', 'compress', 'a console program'), ('CopyKittens', 'compress', 'files with')] T1560.001 [('WinImage', 'create', 'CORALDECK'), ('zip archives', 'create', 'CORALDECK')] T1560.001 [('Crutch', 'used', 'the WinRAR utility'), ('files', 'stolen')] T1560.001 [('Daserf hides', 'collected', 'data in'), ('data in', 'protected')] T1560.001 [('files', 'compress', 'DustySky'), ('RAR', 'compress', 'DustySky')] T1560.001 [('FIN8', 'collected', 'RAR'), ('FIN8', 'collected', 'data')] T1560.001 [('Fox Kitten', 'used', '7 - Zip')] T1560.001 [('GALLIUM', 'used', 'WinRAR'), ('data', 'stolen')] T1560.001 [('Gallmaker', 'used', 'WinZip')] T1560.001 [('HAFNIUM', 'compress', '7 - Zip'), ('HAFNIUM', 'compress', 'files for exfiltration'), ('HAFNIUM', 'compress', 'WinRAR'), ('files for', 'stolen')] T1560.001 [('iKitten', 'zip')] T1560.001 [('WinRAR', 'compress', 'InvisiMole'), ('data', 'compress', 'InvisiMole'), ('data', 'intended'), ('data', 'exfiltrated')] T1560.001 [('RAR', 'use', 'Ke3chang'), ('passwords', 'use', 'Ke3chang')] T1560.001 [('Magic Hound', 'used', 'RAR')] T1560.001 [('menuPass', 'has', 'files before exfiltration'), ('files before', 'compressed'), ('exfiltration', 'using', 'TAR')] T1560.001 [('Micropsia', 'creates', 'a RAR archive'), ('a RAR archive', 'based'), ('files on victim machine', 'collected')] T1560.001 [('the native Windows creation tool', 'use', 'MuddyWater'), ('data', 'stolen'), ('data', 'uploaded')] T1560.001 [('Mustang Panda', 'create', 'RAR'), ('Mustang Panda', 'create', 'archives of documents'), ('archives of', 'protected'), ('documents', 'collected')] T1560.001 [('a archiver tool', 'use', 
'Okrum')] T1560.001 [('OopsIE', 'compresses'), ('OopsIE compresses', 'collected', 'files with')] T1560.001 [('Operation Wocao', 'archived', 'files'), ('files', 'collected')] T1560.001 [('PoetRAT', 'has', 'the ability'), ('the ability', 'compress', 'files')] T1560.001 [('PoshC2', 'contains', 'a module for'), ('a module for', 'compressing', 'data'), ('data', 'using', 'ZIP')] T1560.001 [('PowerShower', 'used', '7Zip')] T1560.001 [('PUNCHBUGGY', 'gzipped', 'information')] T1560.001 [('Pupy', 'compress', 'data with')] OBJS_ files T1560.001 [('Ramsay', 'compress', 'files'), ('files', 'using', 'WinRAR')] T1560.001 [('Sowbug', 'extracted', 'documents')] T1560.001 [('Turla', 'encrypted', 'files'), ('files', 'stolen')] T1560.001 [('UNC2452', 'compress', '7 - Zip'), ('UNC2452', 'compress', 'emails into archives'), ('emails into', 'stolen'), ('archives', 'protected')] T1560.001 [('WindTail', 'has', 'the ability'), ('the ability', 'use', 'the macOS'), ('the ability', 'use', 'zip utility'), ('zip', 'built')] T1560.002 [('BBSRAT', 'compress', 'data with')] T1560.002 [('Cardinal RAT', 'applies', 'compression to C2 traffic'), ('C2 traffic', 'using', 'the ZLIB library')] T1560.002 [('Denis', 'compressed', 'collected data'), ('data', 'using', 'zlib')] T1560.002 [('Epic', 'compresses', 'the data with bzip2'), ('the data with', 'collected')] T1560.002 [('InvisiMole', 'compress', 'zlib'), ('InvisiMole', 'compress', 'data')] OBJS_ server T1560.002 [('information', 'save', 'malware IndiaIndia'), ('a file', 'compressed'), ('a C2 server', 'encrypt', 'Zlib'), ('a C2 server', 'upload', 'a file')] T1560.002 [('SeaDuke', 'compressed', 'data with')] T1560.002 [('TajMahal', 'has', 'the ability'), ('the ability', 'use', 'the open source libraries'), ('the ability', 'xzip', 'Xunzip'), ('the ability', 'compress', 'files')] T1560.002 [('Threat Group-3390', 'compress', 'RAR'), ('Threat Group-3390', 'compress', 'encrypt'), ('Threat Group-3390', 'compress', 'protect files')] T1560.002 [('The ZLib 
backdoor', 'compresses', 'communications'), ('communications', 'using', 'the standard Zlib compression library')] T1560.002 [('data', 'compressing'), ('data', 'using', 'GZip in')] T1560.002 [('data', 'compressing'), ('data', 'using', 'bz2')] T1560.002 [('data', 'compressing'), ('data', 'using', 'zipfile')] T1560.002 [('data', 'compressing'), ('data', 'using', 'tarfile')] T1560.003 [('ADVSTORESHELL', 'compresses', 'output data'), ('output data', 'generated'), ('a custom implementation of', 'algorithm')] T1560.003 [('Agent.btz', 'saves', 'system information'), ('an XML file is', 'encoded')] T1560.003 [('Attor encrypts', 'collected', 'data with a custom implementation of Blowfish ciphers')] T1560.003 [('Modules', 'pushed')] T1560.003 [('FIN6', 'encoded', 'data'), ('data', 'gathered'), ('data', 'using', 'the 0xAA key')] T1560.003 [('FLASHFLOOD', 'employs', 'the same encoding scheme as'), ('it', 'stages')] T1560.003 [('zlib', 'compress', 'Data'), ('bytes', 'compress', 'Data')] T1560.003 [('HAWKBALL', 'encrypted', 'data')] T1560.003 [('InvisiMole', 'encrypt', 'a variation of the XOR cipher'), ('InvisiMole', 'encrypt', 'files')] T1560.003 [('Kimsuky', 'used', 'RC4 encryption')] T1560.003 [('A Group encrypts data', 'using', 'a simple byte'), ('A Group encrypts data', 'based')] T1560.003 [('Machete data', 'collected'), ('AES', 'encrypt', 'Machete data'), ('exfiltration', 'encrypt', 'Machete data')] T1560.003 [('MESSAGETAP', 'has', 'contents of SMS messages'), ('contents of', 'stored'), ('SMS messages', 'matched', 'its target list')] T1560.003 [('Mustang Panda', 'encrypted', 'documents with')] T1560.003 [('NETWIRE', 'used', 'a custom encryption algorithm'), ('data', 'collected')] T1560.003 [('Okrum', 'collected', 'a custom implementation of AES encryption'), ('Okrum', 'collected', 'data')] T1560.003 [('OopsIE', 'compresses'), ('OopsIE compresses', 'collected', 'files')] T1560.003 [('OwaAuth DES - encrypts', 'captured', 'credentials'), ('credentials', 'using', 'the key 
12345678'), ('credentials', 'writing', 'the credentials')] T1560.003 [('Ramsay', 'collected', 'documents in a custom container')] T1560.003 [('it', 'collected')] T1560.003 [('Reaver encrypts', 'collected', 'data')] T1560.003 [('encrypts files with before .', 'sending', 'them')] T1560.003 [('Rising Sun', 'archive', 'data'), ('data', 'using', 'RC4 encryption'), ('data', 'using', 'Base64')] T1560.003 [('the staging area', 'copy', 'Data SPACESHIP'), ('zlib', 'compress', 'SPACESHIP copies to the staging area')] T1560.003 [('four positions', 'rotate', 'Bytes')] OBJS_ files T1560.003 [('StrongPity', 'compress', 'archived files'), ('a scheme', 'repeated')] T1560.003 [('T9000 encrypts', 'collected', 'data'), ('data', 'using', 'a byte XOR key')] T1561.001 [('Lazarus Group', 'overwrite', 'malware like'), ('Lazarus Group', 'overwrite', 'the first 64 MB of every drive with a mix of static buffers')] T1561.001 [('content in logical drives', 'wipe', 'A similar process')] T1561.001 [('the first 4.9 MB of physical drives', 'overwrite', 'WhiskeyBravo')] T1561.001 [('WhiskeyDelta', 'overwrite', 'the first 132 MB'), ('WhiskeyDelta', 'overwrite', '1.5 MB of each drive with from heap memory')] T1561.001 [('MegaCortex', 'wipe', 'data from all drives'), ('data from', 'deleted'), ('data from', 'using', 'cipher.exe')] T1561.001 [('the hard disk', 'access', 'RawDisk')] T1561.001 [('StoneDrill', 'wipe', 'the accessible physical drives of the infected machine')] T1561.001 [('The group', 'carried', 'the attack'), ('The group', 'carried', 'wiper dubbed "Apostle."'), ('the attack', 'using', 'a custom modular')] T1561.001 [('NotPetya', 'infects', 'the master boot record MBR')] T1561.001 [('the ransom', 'paid')] T1561.002 [('APT37', 'has', 'access to destructive malware is'), ('destructive malware is', 'overwriting', 'machine Boot Record MBR')] T1561.002 [('APT38', 'used', 'a custom MBR wiper'), ('a custom MBR wiper', 'named', 'BOOTWRECK'), ('a custom MBR wiper', 'render')] T1561.002 [('Group 
malware SHARPKNOT overwrites', 'deletes', 'the Boot Record MBR'), ('Group malware SHARPKNOT overwrites', 'possessed', 'wiper malware')] T1561.002 [('Shamoon', 'help', 'RawDisk'), ('overwrite components of disk structure like the MBR partitions', 'help', 'RawDisk')] T1561.002 [('Sandworm Team', 'corrupt', 'the KillDisk component'), ('Sandworm Team', 'corrupt', 'system master boot record')] T1561.002 [('features of disk structure as', 'overwrite', 'Shamoon')] T1561.002 [('StoneDrill', 'wipe', 'the master boot record of an infected computer')] T1562.001 [('Agent Tesla', 'has', 'the capability'), ('the capability', 'kill', 'any processes'), ('the capability', 'kill', 'AV software'), ('any processes', 'running')] T1562.001 [('APT29', 'used', 'the control manager'), ('disable services', 'associated')] OBJS_ hooks T1562.001 [('Bazar', 'loaded', 'ntdll'), ('order', 'identity', 'API hooks'), ('order', 'remove', 'API hooks'), ('API hooks', 'set')] T1562.001 [('Brave Prince', 'terminates', 'antimalware processes')] T1562.001 [('BRONZE BUTLER', 'incorporated', 'code'), ('several tools', 'terminate', 'anti - virus processes'), ('several tools', 'terminate', 'anti - virus processes')] T1562.001 [('Bundlore', 'change', 'macOS security settings'), ('Bundlore', 'change', 'browser preferences'), ('behaviors', 'follow')] T1562.001 [('security software', 'disable', 'Carberp'), ('a process for the security software', 'suspended'), ('the process', 'resumed')] T1562.001 [('ChChes', 'alter', 'victim proxy configuration')] T1562.001 [('Cobalt Strike', 'has', 'the ability'), ('the ability', 'disable', 'Applet attacks'), ('the ability', 'disable', 'the SecurityManager sandbox'), ('the ability', 'disable', 'the SecurityManager sandbox')] T1562.001 [('DarkComet', 'disable', 'Center functions like anti')] T1562.001 [('Ebury', 'disable', 'SELinux Control')] T1562.001 [('Egregor', 'evade', 'Windows Defender'), ('Egregor', 'evade', 'protections')] T1562.001 [('FIN6', 'deployed', 'a utility 
script'), ('a utility script', 'disable', 'kill.bat'), ('a utility script', 'disable', 'anti'), ('a utility script', 'disable', '-'), ('a utility script', 'disable', 'virus'), ('a utility script', 'disable', 'anti'), ('a utility script', 'disable', '-'), ('a utility script', 'disable', 'virus')] T1562.001 [('Gamaredon Group', 'delivered', 'macros'), ('which', 'tamper')] T1562.001 [('anti - malware processes', 'terminate', 'Gold Dragon'), ('the system', 'run', 'they')] T1562.001 [('Goopy', 'has', 'the ability'), ('the ability', 'disable', 'Outlook security policies')] T1562.001 [('Group malware', 'disable', 'security features in')] T1562.001 [('Grandoreiro', 'hook', 'APIs'), ('Grandoreiro', 'hook', 'kill processes')] T1562.001 [('HDoor', 'kills', 'anti'), ('HDoor', 'kills', '-'), ('HDoor', 'kills', 'virus'), ('virus', 'found')] T1562.001 [('Hildegard', 'evade', 'DNS resolvers'), ('Hildegard', 'evade', 'DNS monitoring tools')] T1562.001 [('Imminent Monitor', 'has', 'a feature disable')] T1562.001 [('JPIN', 'lower', 'security settings')] T1562.001 [('Windows Security Center', 'turn', 'Kimsuky')] T1562.001 [('malware TangoDelta', 'terminate', 'various processes'), ('various processes', 'associated')] T1562.001 [('Lazarus Group SHARPKNOT', 'disables', 'the System Notification services')] T1562.001 [('intrusion Lazarus Group', 'disabled', 'Windows Defender')] T1562.001 [('a kill " command', 'precede', 'LockerGoga installation'), ('order', 'precede', 'LockerGoga installation'), ('anti', 'disable', 'order'), ('-', 'disable', 'order'), ('virus', 'disable', 'order')] T1562.001 [('Maze', 'disabled', 'dynamic analysis'), ('Maze', 'disabled', 'other security tools'), ('other security tools', 'including')] T1562.001 [('It', 'disabled', 'Defender Monitoring feature'), ('services', 'disable')] T1562.001 [('security processes', 'kill', 'MegaCortex')] T1562.001 [('Metamorfo', 'has', 'a function'), ('a function', 'kill', 'processes'), ('processes', 'associated')] T1562.001 
[('MuddyWater', 'disable', 'system local proxy settings')] T1562.001 [('NanHaiShu', 'change', 'Explorer settings')] T1562.001 [('NanoCore', 'modify', 'victim anti'), ('NanoCore', 'modify', '-'), ('NanoCore', 'modify', 'virus')] OBJS_ processes T1562.001 [('Netwalker', 'detect', 'active security processes on infected systems'), ('active security processes on', 'related')] T1562.001 [('Night Dragon', 'disabled', 'anti'), ('Night Dragon', 'disabled', '-'), ('Night Dragon', 'disabled', 'virus anti - spyware tools')] T1562.001 [('The actors', 'disabled', 'proxy settings')] T1562.001 [('POWERSTATS', 'disable', 'Office Protected View')] T1562.001 [('Proton', 'kills', 'security tools like'), ('Wireshark', 'running')] T1562.001 [('Malware', 'terminate', 'processes'), ('processes', 'corresponding')] T1562.001 [('Pysa', 'has', 'the capability'), ('the capability', 'stop', 'antivirus services')] T1562.001 [('Ragnar Locker', 'terminate', 'processes'), ('Ragnar Locker', 'terminate', 'services'), ('processes', 'stop'), ('processes', 'associated')] T1562.001 [('REvil', 'connect')] T1562.001 [('Windows services', 'search', 'RobbinHood'), ('antivirus software on the system', 'associate', 'Windows services'), ('the process', 'kill', 'Windows services')] T1562.001 [('Rocke', 'used', 'scripts'), ('which', 'detected', 'uninstalled antivirus software')] T1562.001 [('RunningRAT kills', 'antimalware', 'running process')] T1562.001 [('Ryuk', 'stopped', 'services'), ('services', 'related')] T1562.001 [('Skidmap', 'has', 'the ability'), ('the ability', 'set', 'SELinux')] T1562.001 [('SslMM identifies', 'kills', 'anti - malware processes')] T1562.001 [('StrongPity', 'add', 'directories'), ('directories', 'used')] T1562.001 [('SUNBURST', 'attempted')] T1562.001 [('ThiefQuest', 'obtain', 'the function'), ('ThiefQuest', 'obtain', 'a list of processes'), ('processes', 'running'), ('processes', 'related')] T1562.001 [('TinyZBot', 'disable', 'Avira anti'), ('TinyZBot', 'disable', '-'), ('TinyZBot', 
'disable', 'virus')] T1562.001 [('TrickBot', 'disable', 'Windows Defender')] T1562.001 [('Turla', 'used', 'an AMSI bypass'), ('which', 'patches', 'the in amsi.dll in PowerShell scripts'), ('an AMSI bypass', 'bypass', 'Windows')] T1562.001 [('UNC2452', 'used', 'the control manager'), ('disable services', 'associated')] T1562.001 [('Unknown Logger', 'has', 'functionality'), ('functionality', 'disable', 'security tools'), ('security tools', 'including')] T1562.001 [('Wizard Spider', 'shut', 'uninstalled security applications on victim systems'), ('victim systems', 'prevent', 'ransomware'), ('victim systems', 'executing')] T1562.001 [('ZxShell', 'kill', 'products processes')] T1562.002 [('APT29', 'prevent', 'AUDITPOL'), ('APT29', 'prevent', 'the collection of audit logs')] T1562.002 [('Threat Group-3390', 'used', 'appcmd.exe')] T1562.002 [('UNC2452', 'prevent', 'AUDITPOL'), ('UNC2452', 'prevent', 'the collection of audit logs')] T1562.002 [('Windows event', 'logging'), ('data', 'limit', 'Windows event'), ('detections', 'leverage', 'data'), ('audits', 'leverage', 'data')] T1562.002 [('Adversary', 'disabled', 'windows event'), ('windows event', 'logging'), ('windows event', 'suppress', 'evidence of exfiltration')] T1562.002 [('Disable Event', 'logging')] T1562.003 [('APT38', 'prepended', 'a space')] T1562.003 [('Attackers', 'set', 'SaveNothing option'), ('PSReadLine', 'logging', 'PowerShell command history')] T1562.003 [('Threat actors', 'set', 'the command history size')] T1562.003 [('attackers', 'meddled')] T1562.003 [('hackers', 'changed')] T1562.004 [('APT29', 'used'), ('netsh', 'configure', 'firewall rules'), ('firewall rules', 'limited', 'certain outbound packets')] T1562.004 [('ZR " variant of', 'check'), ('firewalls', 'known'), ('firewalls', 'based'), ('the infected systems', 'install', 'firewalls')] T1562.004 [('BACKSPACE', 'establish', 'a C2 channel'), ('the connection', 'proceed')] T1562.004 [('BADCALL', 'disables', 'the Windows firewall')] T1562.004 
[('Carbanak', 'use')] T1562.004 [('the presence of " network monitoring', 'check', 'CookieMiner'), ('" network monitoring', 'exiting'), ('it', 'found')] T1562.004 [('DarkComet', 'disable', 'Center functions like')] T1562.004 [('Dragonfly 2.0', 'disabled', 'firewalls'), ('firewalls', 'based')] T1562.004 [('The group', 'opened', 'port 3389')] T1562.004 [('Grandoreiro', 'block', 'the Tecnologia security tool')] T1562.004 [('HARDRAIN', 'modify', 'the Windows Firewall'), ('HARDRAIN', 'modify', 'incoming connections')] T1562.004 [('HOPLIGHT', 'modified', 'the firewall')] T1562.004 [('InvisiMole', 'has', 'a command to routing'), ('routing', 'disable')] T1562.004 [('the ability', 'have', 'Kasidet'), ('firewall settings', 'change', 'the ability'), ('the ability', 'allow'), ('a plug - in', 'downloaded')] T1562.004 [('Kimsuky', 'observed')] T1562.004 [('Group malware', 'modifies', 'the Windows firewall'), ('it', 'using', 'netsh')] T1562.004 [('NanoCore', 'modify', 'victim firewall')] T1562.004 [('local firewall settings', 'disable', 'netsh')] T1562.004 [('itself', 'communicate')] T1562.004 [('Operation Wocao', 'add', 'PowerShell'), ('Operation Wocao', 'add', 'delete rules')] OBJS_ applications OBJS_ ports T1562.004 [('Remsec', 'add', 'applications'), ('Remsec', 'add', 'ports')] T1562.004 [('Rocke', 'used', 'scripts'), ('which', 'killed', 'processes'), ('scripts', 'added', 'firewall rules'), ('scripts', 'block', 'traffic'), ('traffic', 'related')] T1562.004 [('TYPEFRAME', 'open', 'the Windows Firewall')] T1562.004 [('UNC2452', 'used', 'netsh'), ('netsh', 'configure', 'firewall rules'), ('firewall rules', 'limited', 'certain outbound packets')] T1562.004 [('ZxShell', 'disable', 'the firewall')] T1562.004 [('UFW', 'logging')] T1562.004 [('UFW firewall', 'user.rules'), ('firewall user.rules', 'file')] T1562.004 [('Edit UFW', 'firewall', 'file')] T1562.006 [('functions', 'log', 'Ebury'), ('the logging facility', 'send', 'nothing from the backdoor')] T1562.006 [('Waterbear', 
'hook', 'the ZwOpenProcess'), ('Waterbear', 'hook', 'APIs'), ('APIs', 'called'), ('APIs', 'hide', 'PIDs'), ('APIs', 'hide', 'records')] T1562.006 [('indicators', 'block', 'An adversary'), ('events', 'block', 'An adversary'), ('sensors', 'capture', 'indicators'), ('indicators', 'analyzed')] T1562.006 [('IOCs', 'prevent', 'Actors'), ('their operations', 'prevent', 'Actors'), ('IOCs', 'prevent', 'malware'), ('their operations', 'prevent', 'malware')] T1562.006 [('Cybercriminals', 'block', 'indicators'), ('Cybercriminals', 'block', 'event traffic'), ('systems', 'compromised')] T1562.007 [('Adversaries', 'modify', 'cloud firewall settings')] T1562.007 [('Some actors', 'disable', 'cloud firewall settings'), ('malware', 'disable', 'cloud firewall settings')] T1562.007 [('Malware', 'manipulates'), ('Malware', 'cloud', 'firewall settings'), ('threat actors', 'steal', 'data'), ('threat actors', 'steal', 'resources')] T1562.007 [('actors', 'get', 'control of a cloud firewall')] T1562.007 [('C2 communications , movement', 'enable', 'Modifying'), ('C2 communications , movement', '!allowed')] T1562.008 [('Threat actors', 'collect', 'cloud log data')] T1562.008 [('commands', 'like "stoplogging"')] T1562.008 [('Disabling logs', 'allow'), ('actors', 'conceal', 'their malicious activity'), ('malware', 'conceal', 'their malicious activity')] T1562.008 [('efforts', 'conceal', 'their actions'), ('In , adversaries may cloud logs in', 'deploying', 'other apps'), ('In , adversaries may cloud logs in', 'deploying', 'containers')] T1562.008 [('disable event', 'logging'), ('disable event', 'hide', 'their deployment applications'), ('disable event', 'hide', 'containers')] T1563.001 [('Ransomware', 'utilise', 'SSH vulnerabilities')] OBJS_ usage T1563.001 [('SSH usage', 'implement', 'Password policies')] T1563.001 [('a favourite way of', 'maintaining', 'persistence by threat actors')] T1563.001 [('SSH certificates', 'validated'), ('credentials', 'forged'), ('credentials', 'allow'), ('the 
network', 'move', 'actors')] T1563.002 [('WannaCry', 'enumerates', 'current remote desktop sessions')] T1563.002 [('REvil', 'hijack', 'Remote Desktop Services ( RDS )')] T1563.002 [('CIS', 'based'), ('many machines', 'infect', 'CIS ransomware , as'), ('lateral movement', 'access', 'many machines'), ('the hijacking of', 'instigate', 'lateral movement')] T1563.002 [('Companies', 'ensure'), ('my ransomware as', 'hijack', 'they')] T1563.002 [('RDP', 'blocking'), ('a policy', 'recommended'), ('them', 'prevent', 'a policy'), ('Phobos , ransomware', 'abuse', 'a policy'), ('RDP sessions', 'hijack', 'a ransomware')] T1564.001 [('Agent Tesla', 'created', 'hidden folders')] T1564.001 [('AppleJeus', 'added', 'a leading')] T1564.001 [('plist filenames', 'unlisting', 'them')] T1564.001 [('APT28', 'saved', 'files with hidden file attributes')] T1564.001 [('APT32 macOS backdoor', 'hides', 'the clientID file')] T1564.001 [('Attor', 'set', 'attributes of log files')] T1564.001 [('the ability', 'have', 'BackConfig'), ('folders', 'set', 'the ability'), ('files', 'set', 'the ability'), ('the default view', 'hide', 'the ability')] T1564.001 [('Calisto', 'store', 'a hidden directory'), ('Calisto', 'store', 'data'), ('a hidden directory', 'named', '.calisto')] T1564.001 [('Carberp', 'created', 'a file in the Startup folder of the current user'), ('a file in', 'hidden')] T1564.001 [('CoinTicker', 'evade', 'the following files'), ('CoinTicker', 'evade', 'Containers/.[random string]/[random string'), ('CoinTicker', 'evade', 'detection'), ('the following files', 'hidden')] T1564.001 [('Dacls', 'had', 'its payload'), ('its payload', 'named'), ('its payload', 'make'), ('it', 'hidden')] T1564.001 [('Explosive', 'set', 'file'), ('Explosive', 'set', 'attributes'), ('Explosive', 'set', 'path')] T1564.001 [('FruitFly', 'saves', 'itself'), ('it a file', 'hidden')] T1564.001 [('iKitten', 'saves', 'itself')] T1564.001 [('users', 'hide', 'it'), ('default', 'hide', 'it')] T1564.001 [('Imminent Monitor', 
'has', 'a dynamic feature'), ('a dynamic feature', 'debugging'), ('a dynamic feature', 'set', 'the file attribute to')] T1564.001 [('InvisiMole', 'create', 'hidden system directories')] T1564.001 [('Ixeshe', 'sets', 'file attributes')] T1564.001 [('a hidden directory', 'store', 'The Komplex payload'), ('/Users', 'store', 'The Komplex payload'), ('/', 'store', 'The Komplex payload'), ('Shared/.local / kextd', 'store', 'The Komplex payload')] T1564.001 [('Lazarus Group', 'set', 'a VBA Macro'), ('Lazarus Group', 'set', 'its file attributes')] T1564.001 [('Lokibot', 'has', 'the ability'), ('the ability', 'copy', 'itself')] T1564.001 [('LoudMiner', 'set', 'the attributes of the VirtualBox directory'), ('LoudMiner', 'set', 'VBoxVmService parent directory')] T1564.001 [('Machete', 'has', 'the capability'), ('the capability', 'exfiltrate', 'data'), ('data', 'stolen')] T1564.001 [('Micropsia', 'creates', 'a new hidden directory'), ('a new hidden directory', 'store', 'components outputs')] T1564.001 [('Panda PlugX variant', 'created', 'a hidden folder'), ('USB drives', 'store', 'RECYCLE.BIN'), ('USB drives', 'store', 'malicious executables'), ('USB drives', 'store', 'malicious executables')] T1564.001 [('NETWIRE', 'copy', 'itself'), ('folders', 'hidden')] T1564.001 [('Okrum backdoor', 'store', 'hidden files'), ('Okrum backdoor', 'store', 'logs'), ('Okrum backdoor', 'store', 'outputs')] T1564.001 [('OSX / Shlayer', 'executes', 'a .command script from a hidden directory in')] T1564.001 [('OSX_OCEANLOTUS.D', 'sets'), ('the main loader', 'fileattributes')] T1564.001 [('PoetRAT', 'has', 'the ability'), ('the ability', 'hide')] T1564.001 [('Rising Sun', 'modify', 'file attributes')] T1564.001 [('Rocke', 'downloaded', 'a file " libprocesshider "'), ('which', 'hide', 'files on the target system')] T1564.001 [('a hidden attribute', 'create', 'SLOTHFULMEDIA')] T1564.001 [('ThiefQuest', 'hides', 'a copy of')] T1564.001 [('the file name', 'followed')] T1564.001 [('Tropic Trooper', 
'created', 'a directory'), ('a directory', 'hidden')] T1564.001 [('WannaCry', 'uses', 'attrib'), ('WannaCry', 'uses', 'h'), ('some of its files', 'hidden')] T1564.001 [('files', 'hidden')] T1564.001 [('all files', 'hidden')] T1564.002 [('Adversaries', 'mask', 'users'), ('Adversaries', 'mask', 'the presence of user accounts'), ('users', 'hidden'), ('they', 'create')] T1564.002 [('The software', 'contains', 'a hidden user account')] T1564.002 [('conceal user', 'accounts'), ('them', 'appear')] T1564.002 [('hidden user account', 'create', 'Backdoor')] T1564.003 [('Agent Tesla', 'used', 'ProcessWindowStyle')] T1564.003 [('APT28', 'conceal', 'the WindowStyle parameter'), ('APT28', 'conceal', 'PowerShell windows')] T1564.003 [('Hidden', 'know', 'APT3')] T1564.003 [('APT32', 'conceal', 'the WindowStyle parameter'), ('APT32', 'conceal', 'PowerShell windows')] T1564.003 [('Astaroth', 'loads', 'its module with the XSL script parameter'), ('vShow', 'set'), ('which', 'opens', 'the application')] T1564.003 [('BONDUPDATER', 'uses', '-windowstyle'), ('a PowerShell window', 'downloads', 'a payload')] T1564.003 [('CopyKittens', 'used', 'hidden'), ('CopyKittens', 'used', '-windowstyle')] T1564.003 [('DarkHydrus', 'used', 'Hidden')] T1564.003 [('Deep Panda', 'used')] T1564.003 [('Gorgon Group', 'conceal', 'Hidden'), ('Gorgon Group', 'conceal', 'PowerShell windows')] T1564.003 [('HAMMERTOSS', 'used')] T1564.003 [('Higaisa', 'used', 'a payload'), ('a payload', 'creates', 'a hidden window')] T1564.003 [('HotCroissant', 'has', 'the ability'), ('the ability', 'hide', 'the window for operations'), ('operations', 'performed'), ('a file', 'given')] T1564.003 [('InvisiMole', 'executed', 'legitimate tools'), ('windows', 'hidden')] T1564.003 [('KeyBoy', 'uses', 'Hidden'), ('a PowerShell window', 'downloads', 'a payload')] T1564.003 [('Kivars', 'has', 'the ability'), ('the ability', 'conceal', 'its activity'), ('the ability', 'hiding', 'active windows')] T1564.003 [('Hound malware', 'has', 'a 
function'), ('a function', 'determine'), ('the C2 server', 'execute', 'the file'), ('a function', 'execute', 'the file'), ('the file', 'dropped')] T1564.003 [('MCMD', 'modify', 'processes')] T1564.003 [('Metamorfo', 'hidden', 'its GUI')] T1564.003 [('a registry key', 'add', 'PowerShower'), ('so future', 'add', 'PowerShower'), ('coordinates for position off - screen', 'spawn', 'powershell.exe instances'), ('default', 'spawn', 'powershell.exe instances')] T1564.003 [('StrongPity', 'has', 'the ability'), ('the ability', 'hide', 'the console window')] T1564.003 [('Ursnif droppers', 'execute', 'COM properties'), ('Ursnif droppers', 'execute', 'malware'), ('windows', 'hidden')] T1564.003 [('WindTail', 'execute', 'the OS'), ('WindTail', 'execute', 'an application')] T1564.004 [('Anchor', 'hide', 'NTFS'), ('Anchor', 'hide', 'files')] T1564.004 [('Astaroth', 'abuse', 'alternate data streams ADS')] T1564.004 [('BitPaymer', 'copied', 'itself'), ('a file', 'created')] T1564.004 [('esentutl', 'used')] T1564.004 [('Expand', 'used')] T1564.004 [('the Registry', '!is')] T1564.004 [('LoJax', 'loaded', 'an driver'), ('an driver', 'embedded')] T1564.004 [('PowerDuke', 'hides', 'many of its backdoor payloads')] T1564.004 [('PowerShell 3.0', 'use', 'the victim'), ('its decoded payload', 'write', 'later POWERSOURCE'), ('an alternate data stream ( ADS )', 'write', 'later POWERSOURCE'), ('kernel32.dll', 'name', 'an alternate data stream ( ADS )'), ('PROGRAMDATA%\\Windows\\.', 'name', 'an alternate data stream ( ADS )'), ('%', 'save', 'kernel32.dll')] OBJS_ files T1564.004 [('Valak', 'has', 'the ability'), ('the ability', 'save', 'files'), ('the ability', 'execute', 'files')] T1564.004 [('data in', 'store', 'Some variants of')] T1564.005 [('BOOTRASH', 'used', 'unallocated disk space'), ('a hidden file system', 'stores', 'components of')] T1564.005 [('ComRAT', 'used', 'a portable FAT16 partition image'), ('a portable FAT16 partition image', 'placed')] T1564.005 [('Equation', 'used', 'an 
system'), ('an system', 'encrypted'), ('an system', 'stored')] T1564.005 [('Regin', 'store', 'a system'), ('Regin', 'store', 'some of its components'), ('a system', 'hidden')] T1564.005 [('a system', 'use', 'Strider'), ('a system', 'hidden'), ('a file on disk', 'store', 'a system')] T1564.006 [('LoudMiner', 'run', 'QEMU'), ('LoudMiner', 'run', 'a Tiny Linux virtual machine'), ('which', 'runs', 'XMRig'), ('a Tiny Linux virtual machine', 'makes', 'connections to the C2 server for updates')] T1564.006 [('Maze operators', 'run', 'VirtualBox'), ('Maze operators', 'run', 'the ransomware'), ('Maze operators', 'run', 'a Windows virtual machine'), ('machine configuration file', 'mapped', 'the drives of the target company'), ('the drives of', 'shared'), ('Maze', 'encrypt', 'files'), ('the drives as machine', 'shared')] T1564.006 [('Ragnar Locker', 'used', 'VirtualBox'), ('Ragnar Locker', 'used', 'a machine'), ('a machine', 'stripped'), ('a machine', 'run', 'itself')] T1564.006 [('a folder', 'shared'), ('The use of a folder', 'specified'), ('The use of', 'encrypt', 'Ragnar Locker'), ('The use of', 'encrypt', 'files'), ('the operating system', 'including'), ('any drives', 'mapped')] T1564.006 [('Malware', 'connects')] T1564.006 [('a folder on linux machine', 'exfilterate', 'Data'), ('a folder on', 'shared')] T1564.007 [('WastedLocker ransomware', 'inject', 'malicious VBA scripts')] T1564.007 [('ChamelGang', 'utilizes')] T1564.007 [('CozyBear', 'employs', 'the tactic of payloads within benign data'), ('payloads within', 'obscuring')] T1564.007 [('malicious VBA code', 'hide', 'MS Office')] T1564.007 [('UNC215', 'obfuscate', 'their malicious payloads within Office documents')] T1565.001 [('APT38', 'create', 'DYEPACK'), ('APT38', 'create', 'delete'), ('APT38', 'create', 'records in databases'), ('delete', 'alter'), ('databases', 'used')] T1565.001 [('FIN4', 'created', 'rules in'), ('emails', 'containing', 'words andmalware'), ('such andmalware "', 'ashacked'), ('a likely attempt', 
'prevent', 'organizations'), ('a likely attempt', 'communicating')] T1565.001 [('a copy of the source file', 'create', 'SUNSPOT'), ('a .bk extension', 'create', 'SUNSPOT'), ('the original content', 'backup', 'a .bk extension'), ('Orion software', 'compile', 'it')] T1565.001 [('XMRLocker', 'delete', 'log files')] T1565.001 [('REvil', 'compromise', 'users'), ('users', 'end'), ('data', 'stored'), ('data', 'hide', 'their presence')] T1565.002 [('APT38', 'manipulate', 'DYEPACK'), ('APT38', 'manipulate', 'SWIFT messages')] T1565.002 [('Melcoz', 'monitor', 'the clipboard'), ('the address', 'intended')] T1565.002 [('Metamorfo', 'has', 'a function'), ('a function', 'watch', 'the contents of the system clipboard'), ('it', 'overwrites')] T1565.002 [('Ransomware as', 'modify', 'the data'), ('the host', 'compromised')] T1565.003 [('DYEPACK.FOX', 'manipulate', 'APT38'), ('PDF data', 'manipulate', 'APT38'), ('traces of fraudulent SWIFT transactions', 'remove', 'it'), ('the data', 'remove', 'it'), ('the end user', 'display', 'the data')] OBJS_ program T1565.003 [('the legitimate Foxit reader program', 'access', 'they'), ('the legitimate Foxit reader program', 'execute', 'modifies documents'), ('the documents', 'display', 'modifies documents'), ('the documents', 'modified')] T1565.003 [('entries from log', 'remove', 'Malware'), ('entries from', 'failed'), ('detection', 'evade', 'they'), ('administrator', 'evade', 'they')] T1565.003 [('Malware', 'changes', 'account numbers')] T1565.003 [('bitcoin address', 'change', 'Malware'), ('clipboard', 'change', 'Malware'), ('user', 'paste', 'they'), ('funds', 'getting')] T1566.001 [('admin@338', 'sent', 'emails with malicious Office documents')] T1566.001 [('The primary', 'delivered', 'mechaism for'), ('email messages', 'phishing')] T1566.001 [('Security Team', 'used', 'attachments'), ('attachments', 'personalized'), ('attachments', 'spearphishing')] T1566.001 [('emails with attachment', 'use', 'APT - C-36'), ('emails with', 'spearphishing'), 
('attachment', 'protected'), ('the email gateway', 'detect', 'attachment'), ('the email gateway', 'detect', 'attachment')] T1566.001 [('APT1', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'malicious attachments')] T1566.001 [('APT12', 'sent', 'emails with malicious Office documents')] T1566.001 [('emails with malicious attachments in', 'spearphishing')] T1566.001 [('APT28', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'malicious Office attachments')] T1566.001 [('APT29', 'deliver', 'emails with an attachment'), ('APT29', 'deliver', 'files with exploits'), ('emails with', 'spearphishing')] T1566.001 [('APT30', 'used', 'emails with malicious DOC attachments'), ('emails with', 'spearphishing')] T1566.001 [('APT32', 'sent', 'emails with'), ('emails with', 'spearphishing'), ('emails with', 'disguised')] T1566.001 [('APT33', 'sent', 'spearphishing'), ('APT33', 'sent', 'e'), ('APT33', 'sent', '-'), ('APT33', 'sent', 'mails with archive attachments')] T1566.001 [('APT37', 'delivers'), ('malware', 'using', 'emails with malicious HWP attachments'), ('emails with', 'spearphishing')] T1566.001 [('APT39 leveraged emails with malicious attachments', 'spearphishing'), ('APT39 leveraged emails with', 'compromise', 'victims')] T1566.001 [('APT41', 'sent', 'emails with attachments as'), ('APT41', 'sent', ') files'), ('emails with', 'spearphishing'), ('attachments as', 'compiled')] T1566.001 [('BlackTech', 'deliver', 'e'), ('BlackTech', 'deliver', '-'), ('BlackTech', 'deliver', 'mails with malicious documents'), ('BlackTech', 'deliver', 'malware')] T1566.001 [('emails', 'deliver', 'BLINDINGCAN'), ('emails', 'phishing'), ('malicious Office documents', 'contain', 'emails')] T1566.001 [('BRONZE BUTLER', 'used', 'emails with malicious Word attachments'), ('emails with', 'spearphishing'), ('emails with', 'infect', 'victims')] T1566.001 [('Cobalt Group', 'sent', 'emails with various attachment types'), ('emails with', 
'spearphishing')] T1566.001 [('Attachment types', 'included')] T1566.001 [('archives', 'containing', 'LNK files'), ('archives', 'containing', 'password'), ('archives', 'protected'), ('archives', 'containing')] T1566.001 [('Darkhotel', 'sent', 'emails with malicious attachments'), ('emails with', 'spearphishing')] T1566.001 [('DarkHydrus', 'sent', 'emails with archives'), ('DarkHydrus', 'sent', '.iqy'), ('emails with', 'spearphishing'), ('archives', 'protected'), ('archives', 'containing', 'malicious Query files')] T1566.001 [('The group', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'contained', 'Office documents'), ('emails', 'load', 'theattachedTemplate\x9d technique'), ('emails', 'load', 'a template'), ('Office documents', 'load', 'a template')] T1566.001 [('Elderwood', 'delivered', 'day exploits'), ('Elderwood', 'delivered', 'malware to victims'), ('emails', 'targeted'), ('emails', 'containing', 'malicious attachments')] T1566.001 [('emails', 'deliver', 'Emotet'), ('emails', 'phishing'), ('attachments', 'contain', 'emails')] T1566.001 [('emails', 'use', 'FIN4'), ('emails', 'spearphishing'), ('attachments (', 'contain', 'emails'), ('legitimate documents', 'steal', 'which'), ('macros', 'steal', 'which'), ('accounts', 'send', 'legitimate documents'), ('accounts', 'compromised'), ('macros', 'embedded')] T1566.001 [('FIN6', 'targeted', 'victims'), ('mails', 'containing', 'malicious attachments')] T1566.001 [('FIN7', 'sent', 'emails with'), ('emails with', 'spearphishing'), ('emails with', 'attached')] T1566.001 [('FIN8', 'distributed', 'emails'), ('emails', 'targeted'), ('emails', 'containing', 'Word documents'), ('macros', 'embedded')] T1566.001 [('Frankenstein', 'used', 'emails'), ('emails', 'spearphishing'), ('emails', 'send', 'trojanized Word documents')] T1566.001 [('Gallmaker', 'sent', 'emails with malicious Office documents'), ('emails with', 'attached')] T1566.001 [('Gamaredon Group', 'delivered', 'emails with malicious attachments'), ('emails 
with', 'spearphishing')] T1566.001 [('Gorgon Group', 'sent', 'emails to victims with malicious Office documents')] T1566.001 [('emails with malicious attachments', 'deliver', 'Hancitor'), ('emails with', 'phishing')] T1566.001 [('Higaisa', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'malicious attachments')] T1566.001 [('IcedID', 'delivered')] T1566.001 [('Inception', 'used', 'weaponized documents'), ('weaponized documents', 'attached'), ('emails for reconnaissance', 'spearphishing')] T1566.001 [('malicious e - mail attachments', 'deliver', 'Javali')] T1566.001 [('malicious e - mail attachments', 'distribute', 'Kerrdown')] T1566.001 [('Kimsuky', 'used', 'emails'), ('emails', 'containing', 'Excel documents')] T1566.001 [('Lazarus Group', 'targeted', 'victims with emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'malicious Word documents')] T1566.001 [('Leviathan', 'sent', 'emails with malicious attachments'), ('emails with', 'spearphishing'), ('malicious attachments', 'including')] T1566.001 [('Machete', 'delivered', 'emails'), ('emails', 'spearphishing'), ('emails', 'contain', 'a zipped file')] T1566.001 [('menuPass', 'sent', 'malicious Office documents'), ('campaigns as executables', 'spearphishing'), ('executables', 'disguised')] T1566.001 [('victims', 'deliver', 'Metamorfo'), ('emails', 'deliver', 'Metamorfo'), ('malicious HTML attachments', 'contain', 'emails')] T1566.001 [('Mofang', 'delivered', 'emails with'), ('emails with', 'spearphishing'), ('emails with', 'attached')] T1566.001 [('Molerats', 'sent', 'phishing emails with malicious Word PDF attachments')] T1566.001 [('MuddyWater', 'compromised', 'third parties'), ('accounts', 'compromised'), ('emails with attachments', 'spearphishing'), ('attachments', 'targeted')] T1566.001 [('Mustang Panda', 'deliver', 'attachments'), ('Mustang Panda', 'deliver', 'initial access payloads'), ('attachments', 'spearphishing')] T1566.001 [('Naikon', 'deliver', 'malicious e - mail 
attachments'), ('Naikon', 'deliver', 'malware')] T1566.001 [('e - mail campaigns', 'spread', 'NETWIRE'), ('malicious attachments', 'utilize', 'e - mail campaigns')] T1566.001 [('emails with Office attachments', 'deliver', 'OceanSalt'), ('emails with', 'spearphishing')] T1566.001 [('OilRig', 'sent', 'emails with malicious attachments'), ('emails with', 'spearphising'), ('potential victims', 'using'), ('potential victims', 'compromised')] T1566.001 [('Patchwork', 'used')] T1566.001 [('PLATINUM', 'sent', 'emails with attachments'), ('emails with', 'spearphishing')] T1566.001 [('malicious Word documents', 'distribute', 'PoetRAT')] T1566.001 [('attachments', 'deliver', 'Pony'), ('attachments', 'spearphishing')] T1566.001 [('emails with malicious attachments', 'distribute', 'Ramsay'), ('emails with', 'spearphishing')] T1566.001 [('Rancor', 'attached', 'a malicious document'), ('an email', 'gain', 'initial access')] T1566.001 [('malicious e - mail attachments', 'distribute', 'REvil'), ('MS Word Documents', 'include', 'malicious e - mail attachments')] T1566.001 [('e', 'distribute', 'Rifdoor'), ('-', 'distribute', 'Rifdoor'), ('mails with malicious Excel documents', 'distribute', 'Rifdoor')] T1566.001 [('attachments', 'deliver', 'RTM'), ('attachments', 'spearphishing'), ('PDF documents', 'disguise', 'attachments')] T1566.001 [('RTM', 'distribute', 'attachments'), ('RTM', 'distribute', 'its malware'), ('attachments', 'spearphishing')] T1566.001 [('Sandworm Team', 'delivered', 'malicious Office attachments'), ('emails', 'spearphishing')] T1566.001 [('Sharpshooter', 'sent', 'malicious attachments')] T1566.001 [('Sidewinder', 'sent', 'e'), ('Sidewinder', 'sent', '-'), ('Sidewinder', 'sent', 'mails with malicious attachments'), ('malicious attachments', 'crafted')] T1566.001 [('Silence', 'sent', 'emails with')] T1566.001 [('TA459', 'targeted', 'victims'), ('victims', 'using', 'emails with malicious Word attachments'), ('emails with', 'spearphishing')] T1566.001 [('TA505', 
'compromise', 'emails with malicious attachments'), ('TA505', 'compromise', 'victims'), ('emails with', 'spearphishing')] T1566.001 [('TA551', 'sent', 'attachments'), ('attachments', 'spearphishing'), ('files', 'protected')] T1566.001 [('The White Company', 'sent', 'phishing emails with malicious Word attachments'), ('The White Company', 'sent', 'to victims')] T1566.001 [('TrickBot', 'used', 'an email'), ('an Excel sheet', 'containing', 'a malicious macro'), ('an Excel sheet', 'deploy', 'the malware')] T1566.001 [('Tropic Trooper', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'contained', 'malicious Microsoft Office')] T1566.001 [('e', 'deliver', 'Valak'), ('-', 'deliver', 'Valak'), ('mails with files', 'deliver', 'Valak'), ('e', 'spearphishing'), ('files', 'protected')] T1566.001 [('Windshift', 'sent', 'emails with attachment to harvest credentials'), ('emails with', 'spearphishing')] T1566.001 [('Wizard Spider', 'deliver', 'attachments'), ('Wizard Spider', 'deliver', 'Microsoft documents'), ('attachments', 'spearphishing'), ('Microsoft documents', 'containing', 'macros'), ('Microsoft documents', 'containing', 'PDFs'), ('macros', 'containing', 'malicious links'), ('macros', 'download', 'TrickBot')] T1566.001 [('Word', 'spawned', 'a command shell')] T1566.002 [('link', 'distribute', 'AppleJeus'), ('link', 'spearphishing')] T1566.002 [('APT1', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'hyperlinks')] T1566.002 [('APT28', 'sent', 'emails'), ('emails', 'spearphishing'), ('which', 'used', 'a shortener service'), ('emails', 'masquerade'), ('emails', 'redirect', 'targets'), ('sites', 'credential')] T1566.002 [('APT29', 'used'), ('a link', 'trick', 'victims'), ('a link', 'clicking'), ('a zip file', 'containing', 'malicious files')] T1566.002 [('APT32', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'malicious links')] T1566.002 [('APT33', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 
'containing', 'links to .hta files')] T1566.002 [('APT39 leveraged emails with compromise .', 'spearphishing')] T1566.002 [('e', 'spread', 'Bazar'), ('-', 'spread', 'Bazar'), ('mails with links', 'spread', 'Bazar'), ('links', 'embedded')] T1566.002 [('BlackTech', 'cloud', 'e'), ('BlackTech', 'cloud', '-'), ('BlackTech', 'cloud', 'mails with links'), ('BlackTech', 'cloud', 'services')] T1566.002 [('Cobalt Group', 'sent', 'emails with URLs pointing to malicious documents')] T1566.002 [('PDF attachments', 'containing', 'malicious links'), ('malicious links', 'credential', 'harvesting websites'), ('malicious links', 'credential', 'harvesting websites')] T1566.002 [('Elderwood', 'delivered', 'day exploits'), ('Elderwood', 'delivered', 'malware to victims'), ('emails', 'targeted'), ('emails', 'containing', 'a link to malicious content'), ('malicious content', 'hosted')] T1566.002 [('emails', 'deliver', 'Emotet'), ('emails', 'phishing'), ('links', 'contain', 'emails')] T1566.002 [('Evilnum', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'a link'), ('a zip file', 'hosted')] T1566.002 [('FIN4', 'used', 'emails ('), ('emails (', 'spearphishing'), ('emails (', 'sent'), ('accounts', 'compromised'), ('emails (', 'containing', 'malicious links')] T1566.002 [('FIN8', 'distributed', 'emails'), ('emails', 'targeted'), ('emails', 'containing', 'links to malicious documents with macros'), ('macros', 'embedded')] T1566.002 [('malicious links', 'spread', 'Grandoreiro'), ('e', 'embed', 'malicious links'), ('-', 'embed', 'malicious links'), ('mails', 'embed', 'malicious links')] T1566.002 [('campaigns', 'spread', 'GuLoader'), ('campaigns', 'phishing'), ('malicious web links', 'use', 'campaigns')] T1566.002 [('phishing emails', 'deliver', 'Hancitor'), ('malicious links', 'contain', 'which')] T1566.002 [('malicious links', 'deliver', 'Javali'), ('e', 'embed', 'malicious links'), ('-', 'embed', 'malicious links'), ('mails', 'embed', 'malicious links')] T1566.002 
[('e', 'distribute', 'Kerrdown'), ('-', 'distribute', 'Kerrdown'), ('mails', 'distribute', 'Kerrdown'), ('a malicious link', 'contain', 'mails')] T1566.002 [('Kimsuky', 'used', 'an email'), ('an email', 'containing', 'a link'), ('a document', 'contained', 'malicious macros')] T1566.002 [('Leviathan', 'sent', 'emails with links'), ('emails with', 'spearphishing'), ('links', 'using', 'a fraudulent lookalike domain'), ('links', 'using', 'branding'), ('branding', 'stolen')] T1566.002 [('Machete', 'sent', 'phishing emails'), ('phishing emails', 'contain', 'a link')] T1566.002 [('Magic Hound', 'sent', 'links over email'), ('Magic Hound', 'sent', 'to victims'), ('links over', 'shortened')] T1566.002 [('The URLs', 'linked'), ('malicious macros', 'execute', 'PowerShells scripts'), ('malicious macros', 'download', 'Pupy')] T1566.002 [('malicious links', 'spread', 'Melcoz'), ('e', 'embed', 'malicious links'), ('-', 'embed', 'malicious links'), ('mails', 'embed', 'malicious links')] T1566.002 [('Mofang', 'delivered', 'emails with malicious links'), ('emails with', 'spearphishing'), ('emails with', 'included')] T1566.002 [('Molerats', 'sent', 'phishing emails with malicious links')] T1566.002 [('MuddyWater', 'sent', 'e'), ('MuddyWater', 'sent', '-'), ('MuddyWater', 'sent', 'mails with malicious links'), ('e', 'targeted'), ('e', 'spearphishing')] T1566.002 [('Mustang Panda', 'delivered', 'links'), ('links', 'spearphishing')] T1566.002 [('e - mail campaigns', 'spread', 'NETWIRE'), ('malicious links', 'utilize', 'e - mail campaigns')] T1566.002 [('emails', 'send', 'Night Dragon'), ('emails', 'spearphishing'), ('links', 'contain', 'emails'), ('websites', 'contain', 'emails'), ('websites', 'compromised'), ('malware', 'downloaded')] T1566.002 [('OilRig', 'sent', 'emails with malicious links to potential victims'), ('emails with', 'spearphising')] T1566.002 [('Patchwork', 'used'), ('links', 'deliver', 'files with exploits')] T1566.002 [('The group', 'used', 'tags ('), ('tags (', 
'embedded'), ('tags (', 'known'), ('the purpose of', 'identifying'), ('which recipients', 'opened', 'messages')] T1566.002 [('emails', 'deliver', 'Pony'), ('emails', 'spearphishing'), ('malicious links', 'contain', 'which')] T1566.002 [('Sandworm Team', 'crafted', 'phishing emails'), ('phishing emails', 'containing', 'malicious hyperlinks')] T1566.002 [('Sidewinder', 'sent', 'e'), ('Sidewinder', 'sent', '-'), ('Sidewinder', 'sent', 'mails with malicious links'), ('malicious links', 'crafted')] T1566.002 [('Stolen Pencil', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'links to domains'), ('domains', 'controlled')] T1566.002 [('TA505', 'sent', 'emails'), ('emails', 'spearphishing'), ('emails', 'containing', 'malicious links')] T1566.002 [('mails', 'deliver', 'TrickBot'), ('malicious links in', 'deliver', 'TrickBot'), ('e', 'phishe', 'malicious links in')] T1566.002 [('Turla', 'trick', 'targets'), ('a link', 'featuring', 'a legitimate domain from'), ('a link', 'download', 'their malware'), ('a link', 'gain', 'initial access')] T1566.002 [('malicious links in e', 'deliver', 'Valak')] T1566.002 [('Windshift', 'sent', 'emails with links to credentials'), ('emails with', 'spearphishing'), ('credentials', 'harvest')] T1566.002 [('Wizard Spider', 'sent', 'phishing emails'), ('phishing emails', 'containing', 'a link'), ('an document', 'controlled')] T1566.002 [('ZIRCONIUM', 'used', 'malicious links'), ('ZIRCONIUM', 'used', 'web beacons')] T1566.003 [('Security Team', 'used', 'various media channels')] T1566.003 [('Dark Caracal', 'spearphished', 'victims')] T1566.003 [('FIN6', 'spearphish', 'fake job advertisements'), ('FIN6', 'spearphish', 'targets'), ('fake job advertisements', 'sent')] T1566.003 [('Lazarus Group', 'used', 'fake job advertisements'), ('fake job advertisements', 'sent')] T1566.003 [('Magic Hound', 'used', 'various media channels')] T1566.003 [('OilRig', 'send', 'LinkedIn'), ('OilRig', 'send', 'spearphishing links')] T1566.003 
[('Windshift', 'engage', 'fake personas'), ('Windshift', 'engage', 'target victims')] T1567.001 [('Empire', 'use', 'GitHub')] T1567.001 [('Actors', 'leveraged', 'the popular github service'), ('the data', 'breached')] T1567.001 [('Leveraging services', 'assist'), ('them', 'evading', 'security controls')] T1567.001 [('exfiltration destination for organizational data', 'use', 'GitHub')] T1567.001 [('rar files', 'compress', 'Stolen data')] T1567.001 [('Actor', 'believed')] T1567.002 [('Chimera', 'exfiltrated', 'data'), ('data', 'stolen')] T1567.002 [('Crutch', 'exfiltrated', 'data to'), ('data to', 'stolen')] T1567.002 [('Empire', 'use', 'Dropbox')] T1567.002 [('HAFNIUM', 'file', 'data'), ('HAFNIUM', 'file', 'sharing sites'), ('sharing sites', 'including')] T1567.002 [('HAMMERTOSS', 'exfiltrates', 'data'), ('accounts', 'created'), ('accounts', 'retrieve')] T1567.002 [('Leviathan', 'used', 'an uploader'), ('an uploader', 'known'), ('an uploader', 'exfiltrate', 'files')] T1567.002 [('Turla', 'upload', 'WebDAV'), ('Turla', 'upload', 'files to a cloud drive'), ('files to', 'stolen')] T1567.002 [('Turla', 'exfiltrated', 'files'), ('files', 'stolen')] T1567.002 [('ZIRCONIUM', 'exfiltrated', 'data to'), ('data to', 'stolen')] T1568.001 [('RAT operators', 'mask', 'dynamic DNS'), ('RAT operators', 'mask', 'the true location of their C2'), ('addresses', 'changing')] T1568.001 [('menuPass', 'host', 'service providers'), ('menuPass', 'host', 'malicious domains')] T1568.001 [('TA505', 'mask', 'fast flux'), ('TA505', 'mask', 'botnets')] T1568.001 [('Adversaries', 'hide', 'Flux DNS'), ('Adversaries', 'hide', 'a command channel'), ('addresses', 'changing'), ('addresses', 'linked')] T1568.001 [('A researcher', 'published', 'a blog'), ('a blog', 'identifying', 'nameservers'), ('nameservers', 'servicing', 'malware command'), ('nameservers', 'servicing', 'control ( C2 ) domains'), ('nameservers', 'providing', 'Flux DNS'), ('nameservers', 'providing', 'to botnets')] T1568.002 [('APT41', 
'change', 'DGAs'), ('APT41', 'change', 'their C2 servers')] T1568.002 [('Aria - body', 'has', 'the ability'), ('the ability', 'use', 'a DGA')] T1568.002 [('Astaroth', 'used', 'a DGA')] T1568.002 [('Bazar', 'implement', 'DGA')] T1568.002 [('BONDUPDATER', 'uses', 'a DGA')] T1568.002 [('a DGA', 'use', 'CCBkdr'), ('Fallback Channels', 'use', 'CCBkdr'), ('communications with the command server', 'lost')] T1568.002 [('a DGA', 'use', 'CHOPSTICK'), ('Channels domains', 'use', 'CHOPSTICK')] T1568.002 [('Doki', 'generate', 'the DynDNS service'), ('Doki', 'generate', 'C2 domains')] T1568.002 [('Ebury', 'generate', 'a DGA'), ('Ebury', 'generate', 'a domain name')] T1568.002 [('Grandoreiro', 'use', 'a DGA'), ('C2 addresses', 'including'), ('a specific key', 'changes')] T1568.002 [('MiniDuke', 'generate', 'DGA'), ('MiniDuke', 'generate', 'new Twitter URLs for')] T1568.002 [('Ngrok', 'provide', 'DGA'), ('URL strings', 'change', 'every 12 hours')] T1568.002 [('POSHSPY', 'derive', 'a DGA'), ('POSHSPY', 'derive', 'command')] T1568.002 [('a DGA', 'use', 'ShadowPad'), ('the day of the month', 'base', 'a DGA'), ('C2 servers', 'base', 'a DGA')] T1568.002 [('TA551', 'generate', 'a DGA'), ('TA551', 'generate', 'URLs from macros'), ('macros', 'executed')] T1568.002 [('Ursnif', 'generate', 'a DGA'), ('Ursnif', 'generate', 'domain names')] T1568.003 [('APT12', 'used', 'multiple variants of'), ('multiple variants of', 'including'), ('multiple variants of', 'multiplying', 'the first two octets of an IP address'), ('multiple variants of', 'adding', 'the third octet'), ('order', 'get', 'a port'), ('a port', 'resulting')] T1568.003 [('Adversaries', 'perform', 'calculations on addresses'), ('addresses', 'returned'), ('addresses', 'determine'), ('addresses', 'use')] T1568.003 [('Necurs', 'determine', 'a a method of DNS calculation'), ('Necurs', 'determine', 'the proper IP address of the C2 host')] T1568.003 [('Mekotio', 'modify', 'an algorithm'), ('Mekotio', 'modify', 'the address'), ('the 
address', 'resolved')] T1568.003 [('This malware', 'find', 'a caclulation on the data'), ('This malware', 'find', 'the correct C2 server use'), ('the data', 'returned')] T1569.001 [('AppleJeus', 'loaded', 'a plist file'), ('a plist file', 'using', 'the launchctl command')] T1569.001 [('Calisto', 'enable', 'launchctl'), ('Calisto', 'enable', 'screen sharing on the victimmachine')] T1569.001 [('LoudMiner', 'launched', 'the QEMU services')] T1569.001 [('Adversaries abuse launchctl', 'execute', 'malicious commands')] T1569.001 [('Using adversaries', 'install', 'persistence'), ('they', 'made')] OBJS_ services T1569.002 [('Anchor', 'create', 'services')] T1569.002 [('APT32 backdoor', 'used', 'Windows services'), ('a way', 'execute', 'its malicious payload')] T1569.002 [('APT39', 'execute', 'post - exploitation tools'), ('APT39', 'execute', 'processes'), ('post - exploitation tools', 'including'), ('post - exploitation tools', 'sucking')] T1569.002 [('APT41', 'execute', 'Net'), ('APT41', 'execute', 'a system service'), ('a system service', 'launch', 'a BEACON loader'), ('a system service', 'launch', 'a BEACON loader')] T1569.002 [('a service', 'execute', 'Attor dispatcher')] T1569.002 [('BBSRAT', 'start')] T1569.002 [('Blue Mockingbird', 'executed', 'DLLs'), ('DLLs', 'compiled')] T1569.002 [('Chimera', 'deploy', 'PsExec'), ('Chimera', 'deploy', 'beacons on systems'), ('systems', 'compromised')] T1569.002 [('Cobalt Strike', 'execute', 'PsExec'), ('Cobalt Strike', 'execute', 'a payload')] T1569.002 [('It', 'start', 'Service Control Manager'), ('It', 'start', 'new services')] T1569.002 [('Empire', 'execute', 'PsExec'), ('Empire', 'execute', 'a payload')] T1569.002 [('FIN6', 'created', 'Windows services'), ('commands', 'encoded')] T1569.002 [('gh0st RAT', 'execute', 'its service'), ('the Service key', 'exists')] OBJS_ service T1569.002 [('the key', '!exist', 'gh0st'), ('RAT', 'create', 'the service')] T1569.002 [('a DLL file', 'launch', 'Honeybee'), ('a service', 'execute', 
'a DLL file'), ('svchost.exe', 'use', 'a service')] T1569.002 [('HOPLIGHT', 'execute', 'svchost.exe'), ('HOPLIGHT', 'execute', 'a malicious DLL')] T1569.002 [('Hydraq', 'execute', 'svchost.exe'), ('Hydraq', 'execute', 'a malicious DLL')] OBJS_ service T1569.002 [('HyperBro', 'has', 'the ability'), ('the ability', 'start', 'a service'), ('the ability', 'stop', 'a service'), ('a service', 'specified')] T1569.002 [('Impacket', 'contains', 'various modules'), ('various modules', 'emulating', 'other execution tools as')] T1569.002 [('InvisiMole', 'used', 'Windows services'), ('a way', 'execute', 'its malicious payload')] T1569.002 [('Ke3chang', 'execute', 'a tool'), ('Ke3chang', 'execute', 'batch scripts'), ('Ke3chang', 'execute', 'binaries'), ('a tool', 'known')] T1569.002 [('Koadic', 'run', 'a command'), ('another machine', 'using', 'PsExec')] T1569.002 [('LoudMiner', 'started', 'the machine'), ('the machine', 'cryptomining')] T1569.002 [('commands', 'stop', 'The net start'), ('Net', 'use', 'The net start')] T1569.002 [('Net Crawler', 'perform', 'PsExec'), ('Net Crawler', 'perform', 'remote service manipulation')] T1569.002 [('Operators Netwalker', 'retrieve', 'psexec'), ('Operators Netwalker', 'retrieve', 'the Netwalker payload'), ('Operators Netwalker', 'retrieve', 'certutil')] T1569.002 [('NotPetya', 'use', 'PsExec')] T1569.002 [('Okrum loader', 'create', 'a new service'), ('a new service', 'named', 'NtmsSvc')] T1569.002 [('Olympic Destroyer', 'utilizes', 'PsExec')] T1569.002 [('Operation Wocao', 'created', 'services on remote systems for execution purposes')] T1569.002 [('PoshC2', 'contains', 'an implementation of for remote execution')] T1569.002 [('Proxysvc', 'registers', 'itself'), ('a service on the victimmachine', 'run')] T1569.002 [('binaries', 'execute', 'a popular administration tool'), ('remote systems', 'execute', 'a popular administration tool'), ('binaries', 'execute', 'a popular administration tool'), ('remote systems', 'execute', 'a popular 
administration tool'), ('a temporary Windows service', 'use', 'remote systems')] T1569.002 [('Pupy', 'execute', 'PsExec'), ('Pupy', 'execute', 'a payload'), ('Pupy', 'execute', 'commands')] T1569.002 [('Pysa', 'used', 'PsExec')] T1569.002 [('Ragnar Locker', 'execute', 'sc.exe'), ('Ragnar Locker', 'execute', 'a service'), ('it', 'creates')] T1569.002 [('RemoteCMD', 'execute', 'commands')] T1569.002 [('Shamoon', 'creates', 'a new service')] T1569.002 [('Shamoon', 'spread')] T1569.002 [('Silence', 'install', 'Winexe'), ('Silence', 'install', 'a service on the remote system')] T1569.002 [('SLOTHFULMEDIA', 'has', 'the capability'), ('the capability', 'start', 'services')] T1569.002 [('StrongPity', 'install', 'a service')] T1569.002 [('Winexe', 'installs', 'a service on the remote system'), ('Winexe installs service', 'uninstalls', 'the service')] T1569.002 [('Wingbird', 'register', 'services.exe'), ('Wingbird', 'register', 'a new autostart service'), ('a new autostart service', 'named', '" Audit Service'), ('a new autostart service', 'using', 'a copy of the local lsass.exe file')] T1569.002 [('Wizard Spider', 'execute', 'services.exe'), ('Wizard Spider', 'execute', 'scripts'), ('Wizard Spider', 'execute', 'executables')] T1569.002 [('binaries', 'execute', 'xCmd'), ('remote systems', 'execute', 'xCmd')] T1571 [('usage of port with', 'testing'), ('port with', 'used')] T1571 [('usage of port', 'testing'), ('port', 'used')] T1573.001 [('the C2 channel', 'encrypt', 'RAT command commands'), ('the DES algorithm', 'use', 'the C2 channel'), ('CBC mode', 'use', 'the C2 channel'), ('a key', 'use', 'the C2 channel'), ('the MD5 hash of the string', 'derive', 'a key')] T1573.001 [('3PARA RAT', 'use', 'an byte XOR key'), ('an byte XOR key', 'derived'), ('the DES', 'decoding'), ('DES decoding', 'fails')] T1573.001 [('4H RAT', 'obfuscates', 'C2 communication'), ('C2 communication', 'using', 'a byte XOR with')] T1573.001 [('A variant of', 'encrypts', 'some C2')] T1573.001 [('APT28', 
'installed', 'a Delphi backdoor'), ('a Delphi backdoor', 'used', 'a custom algorithm')] T1573.001 [('APT33', 'used', 'AES')] T1573.001 [('data', 'encrypt', 'Attor'), ('a key', 'use', 'data'), ('a key', 'generated'), ('a RSA key', 'encrypt', 'which')] T1573.001 [('Azorult', 'using', 'C2 traffic'), ('Azorult', 'using', 'XOR')] T1573.001 [('C2 traffic', 'using', 'an ADD cipher')] T1573.001 [('BADNEWS', 'encrypts', 'C2 data with by')] T1573.001 [('Bazar', 'send', 'C2 communications')] T1573.001 [('BBSRAT', 'uses', 'a custom encryption algorithm'), ('data', 'sent')] T1573.001 [('a C2 server over 443', 'using', 'RC4'), ('a C2 server over 443', 'using', 'chunks'), ('a C2 server over 443', 'modified'), ('chunks', 'encrypted')] T1573.001 [('Bisonal variants', 'reported')] T1573.001 [('Some Bisonal samples', 'encrypt', 'C2 communications with')] T1573.001 [('BLINDINGCAN', 'encrypted', 'its C2 traffic')] T1573.001 [('Bonadan', 'encrypt', 'C2 communications'), ('XOR', 'encrypt', 'C2 communications')] T1573.001 [('BRONZE BUTLER', 'obfuscate', 'RC4 encryption ('), ('BRONZE BUTLER', 'obfuscate', 'HTTP traffic')] T1573.001 [('BRONZE BUTLER', 'used', 'a tool'), ('a tool', 'called', 'RarStar'), ('a tool', 'encodes', 'data with'), ('a tool', 'posting', 'it')] T1573.001 [('Carbanak', 'encrypts', 'the message body of with')] T1573.001 [('Carbanak', 'uses', 'XOR')] T1573.001 [('Cardinal RAT', 'uses', 'a secret key')] T1573.001 [('Chaos', 'provides', 'a shell connection on'), ('a shell connection on', 'encrypted')] T1573.001 [('ChChes', 'encrypt', 'C2 traffic')] T1573.001 [('CHOPSTICK', 'encrypts', 'C2 communications with')] T1573.001 [('Cobalt Strike', 'has', 'the ability'), ('the ability', 'encrypt', 'AES-256'), ('the ability', 'encrypt', 'symmetric encryption in CBC mode'), ('the ability', 'encrypt', 'task commands'), ('the ability', 'encrypt', 'task commands'), ('shell', 'encrypt')] T1573.001 [('stream ciphers', 'encrypt', 'C2 messages'), ('byte keys', 'use', 'stream ciphers')] 
T1573.001 [('CosmicDuke', 'contains', 'a custom version of'), ('a custom version of', 'includes', 'a programming error')] T1573.001 [('Darkhotel', 'used', 'AES-256'), ('Darkhotel', 'used', '3DES for C2 communications')] T1573.001 [('Daserf', 'obfuscate', 'RC4 encryption'), ('Daserf', 'obfuscate', 'HTTP traffic')] T1573.001 [('Derusbi', 'obfuscates', 'C2 traffic with variable byte XOR keys')] T1573.001 [('down_new', 'has', 'the ability'), ('AES', 'encrypt', 'C2 communications')] T1573.001 [('Downdelph', 'encrypt', 'RC4'), ('Downdelph', 'encrypt', 'C2 responses')] T1573.001 [('Dridex', 'encrypted', 'traffic')] T1573.001 [('AES - CBC', 'encrypt', 'The Duqu command'), ('AES - CBC', 'encrypt', 'protocol data stream')] T1573.001 [('Ebury', 'encrypted', 'C2 traffic'), ('C2 traffic', 'using', 'the client IP address')] T1573.001 [('encrypts', 'elise'), ('encrypts', 'exfiltrated', 'data with')] T1573.001 [('a variant of', 'send', 'a beacon'), ('a character GUID value', 'contain', 'The server response to a beacon'), ('an encryption key for subsequent network communications', 'use', 'a character GUID value')] T1573.001 [('Some variants of', 'encrypt', 'various XOR operations'), ('Some variants of', 'encrypt', 'C2 data')] T1573.001 [('commands from the C2 server', 'using', 'a hardcoded key')] T1573.001 [('Explosive', 'encrypted', 'communications with the RC4 method')] T1573.001 [('The original variant of', 'encrypts', 'C2 traffic'), ('C2 traffic', 'using', 'a encryption cipher'), ('a encryption cipher', 'uses', 'an XOR key ofYHCRA\x9d rotation between each XOR operation')] T1573.001 [('Some variants of', 'encrypt', 'RC4'), ('Some variants of', 'encrypt', 'C2 traffic')] T1573.001 [('FALLCHILL', 'encrypts', 'C2 data with RC4 encryption')] T1573.001 [('FatDuke', 'encrypt', 'C2 communications'), ('AES', 'encrypt', 'C2 communications')] T1573.001 [('Some Felismus samples', 'use', 'a custom encryption method for C2 traffic'), ('C2 traffic', 'utilizes', 'AES'), ('C2 traffic', 
'utilizes', 'multiple keys')] T1573.001 [('FlawedAmmyy', 'used', 'SEAL encryption')] T1573.001 [('Frankenstein', 'communicated')] T1573.001 [('Gazer', 'uses', 'custom encryption'), ('C2', 'uses', '3DES')] T1573.001 [('gh0st RAT', 'encrypt', 'RC4'), ('gh0st RAT', 'encrypt', 'C2 traffic')] T1573.001 [('GreyEnergy', 'encrypts', 'communications'), ('communications', 'using', 'AES256')] T1573.001 [('H1N1', 'encrypts', 'C2 traffic'), ('C2 traffic', 'using', 'an RC4 key')] T1573.001 [('a key', 'encrypt', 'HAMMERTOSS commands'), ('value', 'compose', 'a key'), ('a string', 'compose', 'a key'), ('value', 'coded'), ('day tweet', 'contain', 'a string')] T1573.001 [('To decrypt commands', 'need', 'access to the sample tweet'), ('an investigator', 'need', 'access to'), ('the sample tweet', 'intended'), ('the image file', 'containing', 'the command')] T1573.001 [('encrypts data', 'sent')] T1573.001 [('Hi - encrypts', 'zor'), ('a double XOR', 'using', 'two distinct byte keys')] T1573.001 [('HiddenWasp', 'uses', 'an like algorithm'), ('an stream for network communication', 'computed'), ('an stream for', 'generated')] T1573.001 [('Higaisa', 'encrypt', 'AES-128'), ('Higaisa', 'encrypt', 'C2 traffic')] T1573.001 [('Hikit', 'performs', 'XOR encryption')] T1573.001 [('HotCroissant', 'compressed', 'network communications')] T1573.001 [('C2 content with', 'using', 'a single byte 0x12')] T1573.001 [('bitwise', '!use', 'C2 traffic'), ('operations', 'use', 'C2 traffic')] T1573.001 [('HyperStack', 'used', 'RSA encryption')] T1573.001 [('Inception', 'encrypted', 'network communications')] T1573.001 [('InvisiMole', 'uses', 'variations of a simple XOR encryption routine for C&C communications')] T1573.001 [('KEYMARBLE', 'encrypt', 'a algorithm'), ('KEYMARBLE', 'encrypt', 'C2 communications')] T1573.001 [('The C2 channel', 'hide', 'an byte XOR algorithm'), ('The C2 channel', 'hide', 'data')] T1573.001 [('Group malware families', 'encrypt', 'C2 traffic'), ('C2 traffic', 'using', 'custom code'), 
('C2 traffic', 'uses', 'XOR')] T1573.001 [('Group malware', 'encrypt', 'Caracachs'), ('Group malware', 'encrypt', 'encryption'), ('Group malware', 'encrypt', 'C2 payloads')] T1573.001 [('LightNeuron', 'encrypt', 'AES'), ('LightNeuron', 'encrypt', 'C2 traffic')] T1573.001 [('LookBack', 'uses', 'a version of'), ('a version of', 'modified')] T1573.001 [('Lucifer', 'perform', 'a xor encryption')] T1573.001 [('Lurid', 'performs', 'XOR encryption')] T1573.001 [('Machete', 'used', 'AES')] T1573.001 [('MoonWind', 'encrypts', 'C2 traffic'), ('C2 traffic', 'using', 'RC4')] T1573.001 [('More_eggs', 'used', 'an method for its C2 communications'), ('an method for', 'based')] T1573.001 [('Mosquito', 'uses', 'a custom encryption algorithm'), ('which', 'consists')] T1573.001 [('Mustang Panda', 'encrypted', 'C2 communications with')] T1573.001 [('NanoCore', 'encrypt', 'DES'), ('NanoCore', 'encrypt', 'the C2 traffic')] T1573.001 [('NDiskMonitor', 'encrypt', 'AES'), ('NDiskMonitor', 'encrypt', 'certain information'), ('certain information', 'sent')] T1573.001 [('NETEAGLE', 'decrypt', 'resources'), ('it', 'downloads'), ('resources', 'using', 'RC4')] T1573.001 [('NETWIRE', 'use', 'encryption for C2 data'), ('C2 data', 'transferred')] T1573.001 [('Okrum', 'uses', 'AES')] OBJS_ server T1573.001 [('the C2 server in the registration phase', 'hardcode', 'The key')] T1573.001 [('RC4', 'encrypted')] T1573.001 [('PLAINTEE', 'encodes', 'C2 beacons'), ('C2 beacons', 'using', 'XOR')] T1573.001 [('PLEAD', 'download', 'RC4 encryption'), ('PLEAD', 'download', 'modules')] T1573.001 [('PoisonIvy', 'encrypt', 'the Camellia'), ('PoisonIvy', 'encrypt', 'cipher'), ('PoisonIvy', 'encrypt', 'communications')] T1573.001 [('POWERTON', 'used', 'AES')] T1573.001 [('Prikormka', 'encrypts', 'some C2 traffic with the Blowfish cipher')] T1573.001 [('QuasarRAT', 'uses', 'AES')] T1573.001 [('RDAT', 'used', 'AES ciphertext')] T1573.001 [('RedLeaves', 'encrypted', 'C2 traffic with'), ('C2 traffic with', 'using', 'keys 
of')] T1573.001 [('Rifdoor', 'encrypted', 'command'), ('Rifdoor', 'encrypted', '( C2 ) communications with a stream cipher'), ('Rifdoor', 'encrypted', 'control')] T1573.001 [('APT12', 'used', 'the RIPTIDE RAT'), ('which', 'communicates'), ('a payload', 'encrypted')] T1573.001 [('RTM', 'encrypts', 'C2 traffic with a RC4 variant')] T1573.001 [('Sakula', 'encodes', 'C2 traffic with byte XOR keys')] T1573.001 [('RC4', 'encrypt', 'SeaDuke C2 traffic')] T1573.001 [('SNUGRIDE', 'encrypts', 'C2 traffic'), ('C2 traffic', 'using', 'AES')] T1573.001 [('Falcon malware', 'encrypts', 'C2 traffic'), ('C2 traffic', 'using', 'RC4'), ('a key', 'coded')] T1573.001 [('SUNBURST', 'encrypted', 'C2 traffic'), ('C2 traffic', 'using', 'a XOR cipher')] T1573.001 [('Sys10', 'encrypt', 'an 0x1 loop'), ('Sys10', 'encrypt', 'its C2 domain')] T1573.001 [('Taidoor', 'encrypt', 'RC4'), ('Taidoor', 'encrypt', 'the message body of HTTP content')] T1573.001 [('TAINTEDSCRIBE', 'uses', 'a Feedback Shift Register algorithm')] T1573.001 [('TrickBot', 'uses', 'a custom crypter'), ('a custom crypter', 'leveraging', "Microsoft's CryptoAPI"), ('a custom crypter', 'encrypt', 'C2 traffic')] T1573.001 [('TSCookie', 'encrypted', 'network communications with')] T1573.001 [('Some versions of', 'used', 'the stringthis'), ('the stringthis', 'coded')] T1573.001 [('Later versions', 'have', 'keys'), ('keys', 'coded')] T1573.001 [('Volgmer', 'encrypt', 'a simple XOR cipher'), ('Volgmer', 'encrypt', 'traffic'), ('Volgmer', 'encrypt', 'files')] T1573.001 [('WellMess', 'encrypt', 'POST data'), ('POST data', 'using', 'RC6'), ('POST data', 'using', 'a key'), ('a key', 'generated'), ('a key', 'encrypted'), ('a RSA public key', 'coded')] T1573.001 [('Winnti for', 'used', 'a TCP protocol')] T1573.001 [('ZeroT', 'encrypt', 'RC4'), ('ZeroT', 'encrypt', 'C2 traffic')] T1573.001 [('ZIRCONIUM', 'used', 'communications in'), ('AES', 'encrypted')] T1573.002 [('adbupd', 'contains', 'a copy of the OpenSSL library')] T1573.002 [('A 
variant of', 'encrypts', 'some C2')] T1573.002 [('a RSA key', 'encrypt', 'Attor Blowfish key')] T1573.002 [('Bazar', 'use', 'TLS')] T1573.002 [('BISCUIT', 'uses', 'SSL')] T1573.002 [('Carbon', 'used', 'RSA encryption')] T1573.002 [('CHOPSTICK', 'encrypts', 'C2 communications with')] T1573.002 [('Cobalt Group', 'create', 'the Plink utility'), ('Cobalt Group', 'create', 'SSH tunnels')] T1573.002 [('Cobalt Strike', 'use', 'RSA asymmetric encryption'), ('data', 'sent')] T1573.002 [('ComRAT', 'use', 'TLS encryption for its channel'), ('its channel', 'based')] T1573.002 [('ComRAT', 'used', 'public key cryptography with')] T1573.002 [('Doki', 'used', 'the embedTLS library for network communications')] T1573.002 [('Dridex', 'encrypted', 'traffic')] T1573.002 [('RSA keys', 'use', 'Emotet')] T1573.002 [('Empire', 'encrypt', 'TLS'), ('Empire', 'encrypt', 'its C2 channel')] T1573.002 [('FIN6', 'create', 'the Plink line utility'), ('FIN6', 'create', 'SSH tunnels'), ('FIN6', 'create', 'to servers')] T1573.002 [('FIN8', 'used', 'the Plink utility'), ('FIN8', 'used', 'tunnel RDP')] T1573.002 [('Gazer', 'uses', 'custom encryption'), ('C2', 'uses', 'RSA')] T1573.002 [('Grandoreiro', 'use', 'SSL')] T1573.002 [('GreyEnergy', 'encrypts', 'communications'), ('communications', 'using', 'RSA-2048')] T1573.002 [('Hi - encrypts', 'zor')] T1573.002 [('IcedID', 'used', 'SSL')] T1573.002 [('Koadic', 'use', 'SSL')] T1573.002 [('Machete', 'exfiltrate', 'FTP'), ('Machete', 'exfiltrate', 'data')] T1573.002 [('OpenSSL', 'use', 'Metamorfo C2 communication')] T1573.002 [('OilRig', 'create', 'the Plink utility'), ('OilRig', 'create', 'tunnels'), ('OilRig', 'create', 'to servers'), ('OilRig', 'create', 'other tools')] T1573.002 [('Wocao implementation Agent "', 'upgrade', 'the socket')] T1573.002 [('Pay2Key', 'encrypted', 'RSA'), ('Pay2Key', 'encrypted', 'communications with')] T1573.002 [('Penquin', 'encrypt', 'communications'), ('Penquin', 'encrypt', 'a symmetric key'), ('communications', 'using', 
'the BlowFish algorithm'), ('a symmetric key', 'exchanged')] T1573.002 [('PoetRAT', 'encrypt', 'TLS'), ('PoetRAT', 'encrypt', 'command'), ('PoetRAT', 'encrypt', '( C2 ) communications'), ('PoetRAT', 'encrypt', 'control')] T1573.002 [('POSHSPY', 'encrypts', 'C2 traffic with')] T1573.002 [('POWERSTATS', 'encrypted', 'C2 traffic with')] T1573.002 [('it', 'has', 'transport options for')] T1573.002 [('REvil', 'encrypted', 'C2 communications with'), ('C2 communications with', 'algorithm')] T1573.002 [('ServHelper', 'set', 'a reverse SSH tunnel'), ('services', 'running')] T1573.002 [('StrongPity', 'encrypted', 'C2 traffic'), ('C2 traffic', 'using', 'SSL / TLS')] T1573.002 [('Sykipot', 'uses', 'SSL')] T1573.002 [('Tor', 'encapsulates', 'traffic')] T1573.002 [('Karagany', 'secure', 'C2 communications with')] T1573.002 [('Tropic Trooper', 'used', 'SSL')] T1573.002 [('Some Volgmer variants', 'encrypt', 'SSL'), ('Some Volgmer variants', 'encrypt', 'C2 communications')] T1573.002 [('WannaCry', 'uses', 'Tor')] T1573.002 [('WellMail', 'use', 'client'), ('WellMail', 'use', 'authority certificates'), ('client', 'coded')] T1573.002 [('WellMess', 'communicate'), ('client', 'check', 'certificates'), ('server', 'check', 'certificates')] T1573.002 [('XTunnel', 'encrypt', 'SSL / TLS'), ('XTunnel', 'encrypt', 'traffic')] T1573.002 [('Zebrocy', 'uses', 'SSL')] T1574.001 [('APT41', 'execute', 'order hijacking'), ('APT41', 'execute', 'malicious payloads as')] T1574.001 [('Astaroth', 'launch', 'itself')] T1574.001 [('BOOSTWRITE', 'exploited', 'the loading of the legitimate Dwrite.dll file'), ('which', 'loads', 'the gdiplus library'), ('the gdi library', 'loads', 'the local Dwrite dll')] T1574.001 [('Crutch', 'persist')] T1574.001 [('Downdelph', 'uses', 'order hijacking of')] OBJS_ opportunities T1574.001 [('Empire', 'contains', 'modules'), ('modules', 'discover', 'various hijacking opportunities'), ('modules', 'exploit', 'various hijacking opportunities')] T1574.001 [('Evilnum', 'load', 'the 
malware variant'), ('Evilnum', 'load', 'TerraTV'), ('Evilnum', 'load', 'a malicious DLL')] T1574.001 [('A FinFisher variant', 'uses', 'order hijacking')] T1574.001 [('Hikit', 'load', 'Order Hijacking'), ('Hikit', 'load', 'oci.dll')] T1574.001 [('HTTPBrowser', 'abuses', 'the Windows load order'), ('a malicious DLL', 'mimics', 'a legitimate Symantec DLL'), ('a malicious DLL', 'mimics', 'navlu.dll')] T1574.001 [('InvisiMole', 'launched'), ('the same folder', 'place', 'the wrapper DLL'), ('explorer.exe', 'place', 'the wrapper DLL'), ('startup into the Explorer process', 'load', 'order hijacking')] T1574.001 [('Melcoz', 'bypass', 'DLL hijacking'), ('Melcoz', 'bypass', 'security controls')] T1574.001 [('menuPass', 'used', 'order hijacking')] T1574.001 [('DLL hijacking', 'load', 'MirageFox'), ('a legitimate McAfee binary', 'load', 'MirageFox')] OBJS_ opportunities T1574.001 [('PowerSploit', 'contains', 'a collection of PowerUp modules'), ('PowerUp modules', 'discover', 'hijacking opportunities in services'), ('PowerUp modules', 'exploit', 'hijacking opportunities in')] T1574.001 [('Prikormka', 'uses', 'order hijacking for persistence'), ('it', 'load'), ('ntshrui.dll', 'saved')] T1574.001 [('Ramsay', 'hijack', 'outdated Windows application dependencies with malicious versions of its own DLL payload')] T1574.001 [('use of order hijacking', 'launch', 'RedLeaves')] T1574.001 [('RTM', 'force', 'order hijacking'), ('RTM', 'force', 'TeamViewer')] T1574.001 [('Threat Group-3390', 'execute', 'order hijacking'), ('Threat Group-3390', 'execute', 'their payload')] T1574.001 [('Variants of', 'achieve', 'persistence')] T1574.001 [('Whitefly', 'run', 'order hijacking'), ('Whitefly', 'run', 'the loader Vcrodat')] T1574.002 [('a Port malware variant', 'using', 'a legitimate executable'), ('an HTTP malware variant', 'loaded', 'the malicious DLL')] T1574.002 [('APT3', 'known')] T1574.002 [('executables', 'signed'), ('which', 'load', 'a malicious DLL')] T1574.002 [('The group', 'loads', 'its 
backdoor'), ('a library', 'signed')] T1574.002 [('APT41', 'perform', 'legitimate executables'), ('APT41', 'perform', 'DLL side - loading of their malware')] T1574.002 [('BADNEWS', 'loads', 'its DLL file')] T1574.002 [('BBSRAT', 'execute', 'DLL side - loading'), ('a legitimate Citrix executable ssonsvr.exe', 'execute', 'DLL side - loading')] T1574.002 [('BBSRAT', 'drop', 'Citrix executable'), ('the dropper', 'drop', 'Citrix executable')] T1574.002 [('BlackTech', 'used', 'DLL side loading'), ('names', 'hardcoded'), ('directories', 'searched')] T1574.002 [('BRONZE BUTLER', 'used', 'legitimate applications')] T1574.002 [('Chimera', 'place', 'side loading'), ('Chimera', 'place', 'malicious DLLs')] T1574.002 [('Denis', 'exploits', 'a security vulnerability')] T1574.002 [('Egregor', 'execute', 'DLL side - loading'), ('Egregor', 'execute', 'its payload')] T1574.002 [('FinFisher', 'load', 'DLL'), ('FinFisher', 'load', 'side - loading'), ('FinFisher', 'load', 'malicious programs')] T1574.002 [('GALLIUM', 'load', 'DLL side - loading'), ('GALLIUM', 'load', 'PoisonIvy')] T1574.002 [('gh0st RAT variant', 'used', 'DLL side - loading')] T1574.002 [('Goopy', 'has', 'the ability to with legitimate applications from')] T1574.002 [('Higaisa JavaScript file', 'used', 'Office 2007 package')] T1574.002 [('HTTPBrowser', 'used', 'DLL side - loading')] T1574.002 [('HyperBro', 'used', 'a legitimate application'), ('a legitimate application', 'sideload', 'a DLL'), ('a legitimate application', 'decrypt', 'decompress'), ('a legitimate application', 'run', 'a payload')] T1574.002 [('Javali', 'load', 'DLL'), ('Javali', 'load', 'side - loading'), ('Javali', 'load', 'malicious DLLs')] T1574.002 [('LookBack side', 'loads', 'its communications module')] T1574.002 [('menuPass', 'launch', 'DLL side - loading'), ('menuPass', 'launch', 'versions of'), ('menuPass', 'launch', 'PwDump6 as UPPERCUT')] T1574.002 [('Metamorfo', 'has', 'file'), ('file', 'loaded')] T1574.002 [('Mustang Panda', 'execute', 'a 
executable'), ('Mustang Panda', 'execute', 'a malicious payload')] T1574.002 [('Naikon', 'load', 'DLL side - loading'), ('Naikon', 'load', "malicious DLL 's")] T1574.002 [('Exchange servers', 'load', 'OwaAuth')] T1574.002 [('The IIS w3wp.exe process', 'loads', 'the malicious DLL')] T1574.002 [('BADNEWS', 'contain', 'that contains BADNEWS')] T1574.002 [('PlugX', 'evade', 'DLL side - loading'), ('PlugX', 'evade', 'anti'), ('PlugX', 'evade', '-'), ('PlugX', 'evade', 'virus')] T1574.002 [('Sakula', 'uses', 'DLL'), ('Sakula', 'uses', 'side - loading'), ('side - loading', 'load', 'a sample of for'), ('side - loading', 'load', 'malicious DLL files'), ('a sample of for', 'signed'), ('side - loading', 'load', 'malicious DLL files')] T1574.002 [('Sidewinder', 'used', 'DLL side - loading'), ('malicious payloads', 'including')] T1574.002 [('it', 'drops', 'a copy of')] T1574.002 [('a loading weakness', 'contain', 'The executable'), ('a portion of the malware', 'load', 'which'), ('a portion of', 'load', 'a loading weakness')] OBJS_ code T1574.002 [('Threat Group-3390', 'used', 'DLL'), ('Threat Group-3390', 'used', 'side - loading'), ('the DLL', 'acts'), ('a stub loader', 'loads', 'the shell code'), ('a stub loader', 'executes', 'the shell code')] T1574.002 [('load DLLs', 'know', 'Tropic Trooper')] T1574.002 [('Waterbear', 'used', 'DLL side loading')] T1574.002 [('Wingbird side', 'loads', 'a malicious file sspisrv.dll'), ('a lssas.exe service', 'spoofed')] T1574.002 [('ZeroT', 'load', 'DLL side - loading'), ('ZeroT', 'load', 'malicious payloads')] T1574.004 [('Empire', 'has', 'a hijacker module'), ('a hijacker module', 'generates', 'a malicious dylib'), ('a hijacker module', 'given')] T1574.004 [('logic', 'abusing', 'Dynamic Loader / Linker ('), ('logic', 'allowed'), ('attackers', 'perform', 'dylib hijacking')] T1574.004 [('Attackers', 'ran', 'Dylib Hijack Scanner tool')] T1574.004 [('Developers', 'replace', 'weak linking with version check')] T1574.004 [('attackers', 
'escalating', 'their privileges'), ('names', 'expected')] T1574.005 [('Adversaries', 'execute', 'their own malicious payloads'), ('the binaries', 'used')] T1574.005 [('installers', 'create', 'subdirectories'), ('installers', 'create', 'files'), ('they', '!set', 'appropriate permissions'), ('which', 'allows'), ('untrusted code', 'placed'), ('untrusted code', 'overwriting'), ('binaries', 'used')] T1574.005 [('Attackers', 'leverage', 'permissions weaknesses in software installers'), ('their payload', 'deployed')] T1574.005 [('the malware', 'enable', 'An external tool'), ('the malware', 'enable', 'installer')] T1574.005 [('PowerSpritz', 'decrypts', 'a legitimate Skype installer'), ('a legitimate Skype installer', 'using', 'a custom Spritz implementation'), ('the legitimate installer', 'disk'), ('the directory', 'returned')] T1574.006 [('APT41', 'configured', 'payloads')] T1574.006 [('Ebury', 'injected', 'its dynamic library')] T1574.006 [('HiddenWasp', 'adds', 'itself')] T1574.006 [('Hildegard', 'modified', '/ ld.so.preload'), ('/ ld.so.preload', 'intercept', 'functions'), ('functions', 'shared')] T1574.006 [('Rocke', 'modified'), ('order', 'hide', 'the software in process lists'), ('the software in', 'installed')] OBJS_ opportunities T1574.007 [('Empire', 'contains', 'modules'), ('Empire', 'contains', 'variable'), ('modules', 'discover', 'path interception opportunities in the PATH environment'), ('modules', 'exploit', 'path interception opportunities in')] OBJS_ opportunities T1574.007 [('PowerSploit', 'contains', 'a collection of PowerUp modules'), ('PowerUp modules', 'discover', 'path interception opportunities in the PATH environment'), ('PowerUp modules', 'exploit', 'path interception opportunities in')] T1574.007 [('malware', 'utilise', 'Grief ransomware'), ('malicious payloads', 'execute', 'malware'), ('PATH list of directories', 'execute', 'malware')] T1574.007 [('CobaltStrike payloads', 'abuse', 'the PATH variable')] T1574.007 [('The APT Naikon', 'abuse', 
'the PATH variable')] OBJS_ vulnerabilities T1574.008 [('Empire', 'contains', 'modules'), ('modules', 'discover', 'order hijacking vulnerabilities'), ('modules', 'exploit', 'order hijacking vulnerabilities')] OBJS_ vulnerabilities T1574.008 [('PowerSploit', 'contains', 'a collection of PowerUp modules'), ('PowerUp modules', 'discover', 'order hijacking vulnerabilities'), ('PowerUp modules', 'exploit', 'order hijacking vulnerabilities')] T1574.008 [('Pakdoor', 'replace', 'legitimate file paths')] T1574.008 [('ChamelGang', 'install', 'malware')] T1574.008 [('Earth Centaur', 'escalate', 'the privileges of their malware')] OBJS_ vulnerabilities T1574.009 [('Empire', 'contains', 'modules'), ('modules', 'discover', 'unquoted path vulnerabilities'), ('modules', 'exploit', 'unquoted path vulnerabilities')] OBJS_ vulnerabilities T1574.009 [('PowerSploit', 'contains', 'a collection of PowerUp modules'), ('PowerUp modules', 'discover', 'unquoted path vulnerabilities'), ('PowerUp modules', 'exploit', 'unquoted path vulnerabilities')] T1574.009 [('path calls are .', 'execute', 'their malware')] T1574.009 [('REvil ransomware', 'execute', "it 's payloads")] T1574.009 [('Care', 'taken')] OBJS_ component OBJS_ one T1574.010 [('services', 'locate', 'One variant of'), ('services', 'existing'), ('its driver component', 'disable', 'services'), ('one of service paths', 'disable', 'services'), ('its driver component', 'drop', 'services'), ('one of', 'drop', 'services'), ('the legitimate executable', 'replace', 'service paths')] T1574.010 [('The malware', 'sets', 'the hijacked service')] T1574.010 [('Threat actors', 'hijack', 'execution for malicious code execution'), ('binaries', 'protected')] T1574.010 [('The Sidewalk backdoor', 'escalate', 'it privileges'), ('the execution flow', 'possess', 'privileges above')] T1574.010 [('Hive ransomware', 'abuse'), ('ransomware can abuse', 'perform', 'permissions of some services'), ('ransomware can abuse', 'perform', 'privilege execution')] 
T1574.010 [('UNC215', 'execute', 'binaries'), ('UNC215', 'execute', 'their installed malware'), ('binaries', 'protected')] T1574.011 [('APT31', 'executes', 'their own malicious payloads'), ('services', 'hijacking'), ('services', 'have', 'permissions'), ('permissions', 'misconfigured')] T1574.011 [('REvil abuse powershell', 'modify', 'HKLM\\SYSTEM\\CurrentControlSet\\Services'), ('HKLM\\SYSTEM\\CurrentControlSet\\Services', 'allow')] T1574.011 [('APT31', 'abuses', 'registry keys'), ('registry keys', 'related'), ('malicious scripts', 'installed')] T1574.011 [('UNC215 abuses services', 'redirect', "the service 's"), ('UNC215 abuses services', 'desired', 'executable to')] T1574.011 [('Dridex', 'modify', 'a windows registry'), ('services', 'associated'), ('services', 'execute', 'malware')] T1574.012 [('Blue Mockingbird', 'set', 'wmic.exe'), ('Blue Mockingbird', 'set', 'the COR_PROFILER environment'), ('Blue Mockingbird', 'set', 'variable'), ('Blue Mockingbird', 'set', 'Registry modifications'), ('a process', 'loads', 'the .NET CLR')] T1574.012 [('Actors', 'exploring', 'all things'), ('Actors', 'including')] T1574.012 [('the use of a COR_PROFILER COM hijack', 'execute', 'a DLL items'), ('a DLL items', 'restore'), ('a DLL items', 'removed')] T1574.012 [('malware', 'set', 'wmic.exe'), ('malware', 'set', 'environment variables'), ('malware', 'set', 'Registry modifications')] T1574.012 [('malicious DLL', 'execute', 'environment variable'), ('.NET application', 'run')] T1578.001 [('Malware', 'modify', 'infrastructure'), ('infrastructure', 'existing')] T1578.001 [('Cybercriminals', 'create', 'snapshots')] T1578.001 [('access in a cloud instance', 'restricted'), ('Creating snapshot with access in', 'give', 'adversaries'), ('Creating snapshot with', 'give', 'concealed access')] T1578.001 [('Actors', 'create', 'a snapshot')] T1578.001 [('Actors', 'create', 'snapshots')] T1578.002 [('actors', 'use', 'the compute instances')] T1578.002 [('a new virtual machine', 'launch', 
'attacks')] T1578.002 [('Threat actors', 'create', 'a cloud instance'), ('firewall rules', 'exist')] T1578.002 [('cloud systems', 'utilize', 'Cybercriminals'), ('view', 'hide', 'new instances'), ('the targets operations', 'affect', 'new instances')] T1578.002 [('Actors', 'setup', 'their own infrastructure')] T1578.003 [('Threat actors', 'delete', 'a cloud instance'), ('Threat actors', 'delete', 'virtual machine')] T1578.003 [('CloudTrail logs , in ,', 'capture', 'deletion'), ('deletion', 'cloud')] T1578.003 [('the Audit logs', 'detect'), ('the gcloud compute instances command', 'delete', 'instances'), ('the gcloud compute instances command', 'delete', 'virtual machines ( VMs')] T1578.003 [('malware actors', 'remove', 'finalizers ( key )')] OBJS_ instances OBJS_ VMs T1578.003 [('cloud instances', 'manipulate', 'malicious operations , as'), ('VMs', 'manipulate', 'malicious operations , as'), ('cloud instances', 'remove', 'malicious operations , as'), ('VMs', 'remove', 'malicious operations , as'), ('actors', 'do', 'Deleting evidence'), ('malware', 'do', 'Deleting evidence')] T1578.004 [('Reverting cloud infrastructure instances', 'allows'), ('malware', 'conduct', 'malicious activities'), ('actors', 'conduct', 'malicious activities')] T1578.004 [('Actors', 'hide', 'their malicious activity')] T1578.004 [('malicious activity', 'completed'), ('malicious activity', 'conceal', 'a good technique')] T1578.004 [('cloud environments', 'restore', 'Adversaries'), ('previous snapshots', 'restore', 'Adversaries'), ('cybercriminal activity', 'completed')] T1578.004 [('advantage', 'take', 'Actors'), ('ephemeral storage types', 'take', 'Actors'), ('advantage', 'take', 'malware'), ('ephemeral storage types', 'take', 'malware'), ('reset', 'restart', 'they')] T1583.001 [('APT1', 'registered', 'hundreds of domains')] T1583.001 [('domains', 'registered'), ('domains', 'imitating', 'security websites resources')] T1583.001 [('APT29', 'acquired', 'C2 domains')] T1583.001 [('APT32', 
'set')] T1583.001 [('Kimsuky', 'registered', 'domains'), ('organizations', 'targeted')] T1583.001 [('Lazarus Group', 'acquired', 'infrastructure'), ('infrastructure', 'related')] T1583.001 [('menuPass', 'registered', 'malicious domains')] T1583.001 [('Mustang Panda', 'acquired', 'C2 domains')] OBJS_ websites T1583.001 [('names', 'have', 'Sandworm Team'), ('names', 'registered'), ('URLs', 'designed'), ('legitimate websites as login pages', 'mimic', 'URLs'), ('legitimate websites as', 'spoof', 'URLs'), ('reset pages', 'password', 'URLs')] T1583.001 [('Silent Librarian', 'establish', 'domains'), ('Silent Librarian', 'establish', 'credential harvesting pages'), ('credential harvesting pages', 'spoofing', 'the target organization'), ('credential harvesting pages', 'using', 'free level domains')] T1583.001 [('UNC2452', 'acquired', 'C2 domains')] T1583.001 [('ZIRCONIUM', 'purchased', 'domains for use in campaigns'), ('campaigns', 'targeted')] T1583.002 [('Attackers', 'opt')] T1583.002 [('Adversaries', 'utilize', 'DNS traffic'), ('various tasks ,', 'including')] T1583.002 [('APT31', 'utilize', 'their own DNS server for use')] T1583.002 [('Moses Staff', 'acquire', 'their own infrastructure , domains')] T1583.002 [('actor own DNS infrastructure', 'utilize', 'TigerRAT variants')] T1583.003 [('HAFNIUM', 'operated'), ('servers ( VPS ) in', 'leased')] T1583.003 [('TEMP.Veles', 'used', 'Virtual Private Server VPS ) infrastructure')] T1583.003 [('Virtual Private Servers ( VPSs )', 'rent', 'Adversaries'), ('targeting', 'use', 'Virtual Private Servers ( VPSs )')] T1583.003 [('Attackers', 'make')] T1583.003 [('infrastructure', 'acquire', 'Adversaries'), ('service providers', 'acquire', 'Adversaries'), ('service providers', 'known'), ('VPSs', 'rent', 'service providers'), ('minimal registration information', 'rent', 'service providers')] T1583.004 [('GALLIUM', 'used', 'servers'), ('servers', 'based'), ('servers', 'appear')] T1583.004 [('Sandworm Team', 'leased', 'servers')] T1583.004 
[('Adversaries', 'buy'), ('targeting', 'use', 'physical servers'), ('physical servers', 'targeting')] T1583.004 [('Famous Sparrow', 'rented', 'servers')] T1583.004 [('Sparkling Goblin', 'uses', 'servers'), ('servers', 'hosted')] T1583.005 [('numerous party systems', 'compromise', 'Adversaries'), ('targeting', 'use', 'a botnet'), ('a botnet', 'targeting')] T1583.005 [('Attackers', 'conduct', 'a takeover of an botnet , as'), ('an botnet , as', 'existing'), ('an botnet , as', 'redirecting', 'bots'), ('servers', 'controlled')] T1583.005 [('FreakOut', 'attacked', 'POS systems'), ('order', 'use', 'them')] T1583.005 [('Mirai malware', 'created', 'a botnet'), ('a botnet', 'used')] T1583.005 [('Meris', 'attacked', 'Yandex'), ('DDOS', 'using', 'botnets')] T1583.006 [('profile pages', 'create', 'APT17'), ('Microsoft TechNet', 'create', 'APT17'), ('C2 infrastructure', 'use', 'profile pages')] T1583.006 [('handles', 'register', 'APT29'), ('handles', 'generated'), ('C2', 'use', 'handles'), ('malware as HAMMERTOSS', 'use', 'handles')] T1583.006 [('APT32', 'set', 'Dropbox Amazon S3')] T1583.006 [('HAFNIUM', 'acquired', 'web services')] T1583.006 [('Lazarus Group', 'hosted', 'malicious downloads on')] T1583.006 [('MuddyWater', 'distribute', 'sharing services'), ('MuddyWater', 'distribute', 'tools'), ('sharing services', 'including')] T1583.006 [('Turla', 'created', 'web accounts'), ('web accounts', 'including')] T1583.006 [('ZIRCONIUM', 'used', 'GitHub'), ('e', 'spearphishing')] T1584.001 [('APT1', 'hijacked', 'FQDNs'), ('FQDNs', 'associated'), ('legitimate websites', 'hosted')] T1584.001 [('APT29', 'compromised', 'domains'), ('domains', 'use')] T1584.001 [('UNC2452', 'compromised', 'domains'), ('domains', 'use')] T1584.001 [('Magic Hound', 'used', 'domains'), ('domains', 'compromised'), ('host links', 'targeted')] T1584.001 [('Transparent Tribe', 'compromised', 'domains for use in campaigns'), ('campaigns', 'targeted')] T1584.002 [('Adversaries', 'utilize', 'DNS traffic'), 
('various tasks ,', 'including')] T1584.002 [('DNS servers', 'compromise', 'Adversaries'), ('targeting', 'use', 'DNS servers'), ('DNS servers', 'targeting')] T1584.002 [('Threat actors', 'alter', 'DNS records')] T1584.002 [('DNS control', 'allow')] T1584.002 [('subdomains', 'pointed'), ('subdomains', 'tipping', 'the actual owner of the DNS server')] T1584.003 [('Turla', 'used', 'the VPS infrastructure of actors'), ('actors', 'compromised')] T1584.003 [('a VPS', 'use'), ('adversaries', 'make')] T1584.003 [('NOBELLIUM', 'compromised', 'a AD account')] T1584.003 [('UNC2452', 'provisioned', 'a system was'), ('a legitimate system', 'hosted'), ('a legitimate system', 'belonging'), ('they', 'access', 'their customer environment'), ('a legitimate system', 'access', 'their customer environment')] T1584.003 [('A threat actor', 'performed', 'initial reconnaissance'), ('a VPS provider', 'located')] T1584.004 [('APT16', 'compromised', 'legitimate sites')] T1584.004 [('fake updates', 'serve', 'Indrik Spider'), ('legitimate websites', 'serve', 'Indrik Spider'), ('legitimate websites', 'compromised')] T1584.004 [('Turla', 'used', 'servers'), ('servers', 'compromised')] T1584.004 [('Malicious emails', 'sent'), ('Malicious emails', 'contain', 'links to a server'), ('a server', 'compromised'), ('a server', 'redirects')] T1584.004 [('Candiru operators', 'compromised', 'several profile websites')] T1584.005 [('numerous party systems', 'compromise', 'Adversaries'), ('targeting', 'use', 'a botnet'), ('a botnet', 'targeting')] T1584.005 [('Attackers', 'conduct', 'a takeover of an botnet , as'), ('an botnet , as', 'existing'), ('an botnet , as', 'redirecting', 'bots'), ('servers', 'controlled')] T1584.005 [('FreakOut', 'attacked', 'POS systems'), ('order', 'use', 'them')] T1584.005 [('Mirai malware', 'created', 'a botnet'), ('a botnet', 'used')] T1584.005 [('Meris', 'attacked', 'Yandex'), ('DDOS', 'using', 'botnets')] T1584.006 [('Turla', 'used', 'sites for C2 infrastructure'), ('sites for', 
'compromised')] T1584.006 [('access to party web services', 'compromise', 'Adversaries'), ('targeting', 'use', 'party web services'), ('party web services', 'targeting')] T1584.006 [('Adversaries', 'take', 'ownership')] T1584.006 [('Using services , as ,', 'makes'), ('adversaries', 'hide'), ('noise', 'expected')] T1584.006 [('NotPetya', 'suspected'), ('it', 'suspected'), ('a vulnerable server', 'compromise', 'attackers'), ('the software', 'distribute', 'a vulnerable server'), ('the software', 'distribute', 'a vulnerable server'), ('their version', 'compromised')] T1585.001 [('APT32', 'set', 'Facebook pages')] T1585.001 [('Cleaver', 'created', 'fake LinkedIn profiles'), ('fake LinkedIn profiles', 'included', 'profile')] T1585.001 [('Fox Kitten', 'used', 'a Twitter account')] T1585.001 [('Sandworm Team', 'established', 'media accounts')] T1585.001 [('Leviathan', 'created', 'new media accounts')] T1585.002 [('APT1', 'created', 'email accounts for later use in engineering phishing')] T1585.002 [('Magic Hound', 'established', 'email accounts'), ('email accounts', 'using', 'fake personas'), ('operations', 'phishing')] T1585.002 [('Sandworm Team', 'created', 'email accounts'), ('email accounts', 'mimic', 'legitimate organizations'), ('its operations', 'spearphishing')] T1585.002 [('Silent Librarian', 'established', 'e - mail accounts'), ('e - mail accounts', 'receive', 'e'), ('e - mail accounts', 'receive', '-'), ('e - mail accounts', 'receive', 'mails'), ('mails', 'forwarded'), ('accounts', 'compromised')] T1585.002 [('Leviathan', 'created', 'new email accounts for')] T1586.001 [('Leviathan', 'compromised', 'media accounts')] T1586.001 [('media accounts', 'compromise', 'Adversaries'), ('targeting', 'use', 'media accounts'), ('media accounts', 'targeting')] T1586.001 [('an persona', 'existing'), ('Utilizing persona', 'engender', 'a level of in a potential victim'), ('they', 'have', 'a relationship ,'), ('they', 'have', 'knowledge of'), ('the persona', 'compromised')] 
T1586.001 [('Attackers', 'gather', 'credentials'), ('brute credentials', 'forcing')] T1586.001 [('Attacker personas', 'exist')] T1586.002 [('Kimsuky', 'compromised', 'email accounts')] T1586.002 [('Magic Hound', 'compromised', 'personal email')] T1586.002 [('IndigoZebra', 'compromised', 'legitimate email accounts'), ('legitimate email accounts', 'use'), ('their operations', 'spearphishing')] T1586.002 [('Leviathan', 'compromised', 'email accounts')] T1586.002 [('Emotet', 'spread', 'email systems'), ('Emotet', 'spread', 'the trojan')] T1587.001 [('SUNSPOT SUNBURST TEARDROP', 'develop', 'APT29'), ('SolarWind Orion software library', 'incorporate', 'SUNSPOT')] T1587.001 [('Cleaver', 'created', 'tools'), ('Cleaver', 'created', 'payloads'), ('tools', 'customized'), ('functions', 'including'), ('credential', 'poisoning'), ('functions', 'dumping', 'shells'), ('functions', 'dumping', 'enumeration WMI'), ('functions', 'querying', 'HTTP'), ('functions', 'sniffing')] T1587.001 [('FIN7', 'developed', 'malware for use in operations'), ('operations', 'including')] T1587.001 [('Lazarus Group', 'developed', 'several custom malware for use in operations')] T1587.001 [('Night Dragon', 'used')] T1587.001 [('Sandworm Team', 'developed', 'malware'), ('its operations', 'including')] T1587.001 [('Turla', 'developed', 'its own unique malware for use in operations')] T1587.001 [('SUNBURST TEARDROP', 'develop', 'UNC2452')] T1587.002 [('certificates', 'create', 'Patchwork'), ('certificates', 'signed'), ('malware', 'sign', 'legitimate software companies'), ('malware', 'sign', 'legitimate software companies')] T1587.002 [('PROMETHIUM', 'created', 'certificates'), ('certificates', 'signed')] T1587.002 [('certificates', 'create', 'Adversaries'), ('certificates', 'signed'), ('targeting', 'use', 'certificates'), ('certificates', 'targeting')] T1587.002 [('certificates ,', 'signed'), ('malware', 'attach', 'which')] T1587.002 [('Malware actors', 'spoof', 'legitimate certificates')] T1587.003 
[('APT29', 'created', 'certificates'), ('certificates', 'signed')] T1587.003 [('PROMETHIUM', 'created', 'certificates'), ('certificates', 'signed')] T1587.003 [('certificates', 'create', 'Adversaries'), ('certificates', 'signed'), ('their operations , as', 'further', 'certificates'), ('their operations , as', 'further', 'certificates'), ('C2 traffic', 'encrypt', 'their operations , as')] T1587.003 [('UNC2190', 'spread', 'certificates'), ('UNC2190', 'spread', 'SABBATH ransomware'), ('certificates', 'signed')] T1587.003 [('FIN13', 'used', 'SSL certificates')] T1587.004 [('Phosphorous', 'deploying', 'ransomware')] T1587.004 [('Wizard Spider', 'developed', 'an exploit'), ('an exploit', 'targeting', 'CVE-2021'), ('an exploit', 'targeting', '-'), ('an exploit', 'targeting', '40444')] T1587.004 [('exploits', 'develop', 'Adversaries'), ('targeting', 'use', 'exploits'), ('exploits', 'targeting')] T1587.004 [('DEV-0322', 'created', 'exploits for')] T1587.004 [('TG1021', 'uses', 'a framework ,'), ('a framework ,', 'made'), ('a framework ,', 'built'), ('a framework ,', 'made')] T1588.001 [('APT1', 'used', 'available malware for privilege escalation')] T1588.001 [('Turla', 'used', 'malware'), ('malware', 'obtained'), ('malware', 'compromising', 'other threat actors as')] T1588.001 [('Ransomware - as', 'unskilled', 'hackers')] T1588.001 [('actors', 'obtained', 'Mirai botnet code'), ('Mirai botnet code', 'leaked'), ('actors', 'modified', 'it')] T1588.001 [('Trojan developers Vartanyan', 'obtained', 'Trojan code'), ('they', 'planned'), ('Trojan code', 'use')] T1588.002 [('GALLIUM', 'used', 'a variety of available tools'), ('which', 'add', 'functionality'), ('they', 'add', 'functionality'), ('available tools', 'add', 'functionality'), ('available tools', 'subvert', 'antimalware solutions')] T1588.002 [('MuddyWater', 'made', 'use of legitimate tools ConnectWise')] T1588.002 [('Sandworm Team', 'acquired', 'source tools'), ('it', 'establish', 'Invoke - PSImage'), ('it', 'establish', 
'an encrypted channel from a host to Team C2 server'), ('a host to', 'compromised')] T1588.002 [('Silent Librarian', 'obtained', 'free tools'), ('free tools', 'including'), ('organizations', 'targeted')] T1588.002 [('Cozy Bear', 'stole', 'Strike Beacon code')] T1588.003 [('MegaCortex', 'used', 'signing certificates'), ('signing certificates', 'issued'), ('signing certificates', 'bypass', 'companies'), ('signing certificates', 'bypass', 'security controls'), ('signing certificates', 'bypass', 'security controls')] T1588.003 [('Wizard Spider', 'obtained', 'a signing certificate'), ('a signing certificate', 'signed')] T1588.003 [('Adversaries', 'buy', 'signing certificates')] T1588.003 [('Certificates for fake companies', 'provide', 'legitimacy'), ('legitimacy', 'run', 'arbitrary code on systems'), ('systems', 'targeted')] T1588.003 [('Adversaries', 'steal', 'signing materials'), ('a party', 'compromised')] T1588.004 [('Lazarus Group', 'obtained', 'SSL certificates')] T1588.004 [('Silent Librarian', 'obtained', 'Let Encrypt SSL certificates'), ('their pages', 'phishing')] OBJS_ certificates T1588.004 [('TLS certificates', 'buy', 'Adversaries'), ('targeting', 'use', 'TLS certificates'), ('TLS certificates', 'targeting')] T1588.004 [('Certificate authorities', 'exist'), ('authorities exist', 'allow'), ('adversaries', 'acquire', 'TLS certificates , as ,')] OBJS_ domains T1588.004 [('Adversaries', 'register', 'domains'), ('they', 'purchase', 'an TLS certificate')] T1588.005 [('APT group', 'known'), ('luxury hotels', 'stay', 'attacks on corporate executives')] T1588.005 [('Uzbek intelligence officers', 'bought', 'exploits'), ('German subsidiary of', 'specializes')] T1588.005 [('The attackers', 'leveraged', 'RIG kit'), ('RIG kit', 'exploit'), ('they', 'purchased')] T1588.005 [('UAE', 'purchased', 'GroupiPhone day exploits')] T1588.005 [('These hacktivists', 'relying'), ('they', 'found')] T1588.006 [('2017 Sandworm Team', 'conducted', 'technical research'), ('2017 Sandworm 
Team', 'conducted', 'a Korean power company'), ('2017 Sandworm Team', 'conducted', 'a Korean airport'), ('technical research', 'related'), ('vulnerabilities', 'associated'), ('websites', 'used')] T1588.006 [('Multiple threat actors', 'obtained', 'Log4Shell vulnerability')] T1588.006 [('Israeli spyware companies', 'purchasing', 'vulnerabilities from undisclosed researchers')] T1588.006 [('the patch', 'released'), ('that patch', 'addressing')] T1588.006 [('The botnet handlers', 'monitoring', 'new vulnerability disclosures')] T1589.001 [('APT28', 'harvested', 'user login credentials')] T1589.001 [('Chimera', 'collected', 'credentials for the target organization from previous breaches for use in force attacks')] T1589.001 [('Magic Hound', 'gathered', 'credentials'), ('they', 'attempted')] T1589.001 [('Strontium', 'launching', 'campaigns'), ('campaigns', 'harvest', 'peoplelog credentials'), ('campaigns', 'compromise', 'their accounts'), ('campaigns', 'aid')] T1589.001 [('Attackers', 'purchased', 'credential information')] T1589.002 [('APT32', 'collected', 'e - mail addresses for activists'), ('order', 'target', 'them')] T1589.002 [('HAFNIUM', 'collected', 'e - mail addresses for users'), ('they', 'intended')] T1589.002 [('MuddyWater', 'targeted', 'agency employees'), ('e', 'spearphishing')] T1589.002 [('emails addresses', 'obtain', 'Sandworm Team'), ('spearphishing campaigns', 'use', 'target organizations')] T1589.002 [('Silent Librarian', 'collected', 'e - mail addresses from organizations from open Internet searches'), ('organizations from', 'targeted')] T1589.002 [('emails', 'use', 'TA551'), ('emails', 'spoofed'), ('email clients on hosts', 'acquire', 'emails'), ('hosts', 'infected'), ('other individuals', 'target', 'emails')] T1589.003 [('Team research of potential victim organizations', 'included', 'the identification'), ('Team research of', 'included', 'collection')] T1589.003 [('Silent Librarian', 'collected', 'lists of names'), ('organizations', 'targeted')] 
T1589.003 [('Collecting list', 'allowed'), ('the attacker', 'generate', 'actual email addresses'), ('conservative convention', 'naming')] T1589.003 [('Social media as', 'allow'), ('threat actors', 'identify', 'employee names'), ('they', 'plan'), ('the organizations', 'target')] T1589.003 [('This threat group', 'collects', 'employee names'), ('spear attacks', 'phishing')] T1590.001 [('Sandworm Team', 'conducted', 'technical reconnaissance of')] T1590.001 [('an active campaign', 'be', 'There'), ('domain owners', 'target', 'an active campaign'), ('email addresses', 'target', 'an active campaign'), ('actors in the registration data', 'derive', 'email addresses')] T1590.001 [('additional domains', 'belonging')] T1590.001 [('a spear', 'target', 'Domain administrator'), ('a spear', 'tailored'), ('a spear', 'phishing'), ('the domain registrar', 'determine', 'the attackers'), ('it', 'impersonate', 'a spear')] T1590.001 [('domain anonymization services', 'use', 'Many victims'), ('the hackers', 'leverage', 'their domain properties')] T1590.001 [('This DDoS service', 'target', 'TDoS'), ('This DDoS service', 'target', 'administrator contacts'), ('This DDoS service', 'target', 'email bombing'), ('the properties', 'gathered')] T1590.002 [('this group', 'paid', 'special attention')] T1590.002 [('Gathering information', 'allowed'), ('victimsubdomains', 'identify', 'the attackers'), ('victimsubdomains', 'supposed'), ('victimsubdomains', 'remain')] T1590.002 [('Targeting of mail servers', 'starting')] T1590.002 [('Some of the information on targets', 'gathered')] T1590.002 [('DNS information', 'helped'), ('the attackers', 'map', 'the victimhosts')] T1590.003 [('Attackers', 'looking', 'privileged access to their clients networks')] T1590.003 [('hackers', 'sponsored'), ('hackers', 'targeting', 'service providers'), ('hackers', 'targeting', 'relationships'), ('relationships', 'discovering')] T1590.003 [('The threat actors', 'looking'), ('MSPs', 'managing', 'IT'), ('MSPs', 'managing', 
'security')] T1590.003 [('attackers', 'enumerated', 'network trust relationships'), ('service', 'managed')] T1590.003 [('A hacker', 'make', 'one strategic breach'), ('A hacker', 'make', 'network access to their clients')] T1590.004 [('The group', 'utilizes', 'active scanning'), ('active scanning', 'collect', 'information on the victim network')] T1590.004 [('the actors', 'map', 'the local network devices')] T1590.004 [('attackers', 'identifying', 'documents'), ('documents', 'related')] T1590.004 [('Requirement', 'publish', 'procurement documents'), ('the attackers', 'access', 'specifics'), ('network devices', 'used')] T1590.004 [('the physical arrangement of both environments', 'include', 'presentations'), ('both environments', 'facing'), ('sensitive information', 'treat', 'All the graphs , maps')] T1590.005 [('HAFNIUM', 'obtained', 'IP addresses')] T1590.005 [('Andariel', 'limited', 'its hole attacks'), ('IP address', 'ranges')] T1590.005 [('the attackers', 'research', 'victimIP ranges'), ('the victimIP', 'ranges')] T1590.005 [('OpIsrael campaign', 'published', 'a Pastebin post'), ('a Pastebin post', 'listing', 'IP addresses of organizations'), ('that hacktivists', 'plan'), ('IP addresses of', 'target')] T1590.005 [('proceeds', 'run', 'a Shodan scan of the ranges')] T1590.005 [('Keyword search on', 'allows'), ('attackers', 'find', 'IP addresses of a certain company'), ('they', 'want')] T1590.006 [('This firewall company', 'had', 'few large customers'), ('few large customers', 'listed'), ('few large customers', 'providing', 'the attackers')] T1590.006 [('Requirement', 'publish', 'procurement documents'), ('the attackers', 'access', 'specifics'), ('network security appliances', 'used')] T1590.006 [('actors', 'identify', 'firewalls'), ('actors', 'identify', 'other appliances'), ('other appliances', 'deployed')] T1590.006 [('This group', 'phishes'), ('information', 'identify', 'appliances'), ('information', 'identify', 'appliances'), ('appliances', 'deployed'), 
('information', 'leverage', 'it')] T1590.006 [('This APT group', 'identifying', 'the use of proxies')] T1591.001 [('ransomware Fonix', 'run')] T1591.001 [('DarkSide ,', 'has', 'a list of are the principal members of ( CIS)” former Soviet satellites'), ('a list of are', 'coded'), ('former Soviet satellites', 'have', 'favorable relations with')] T1591.001 [('GandCrab', 'know', 'REvil'), ('common', 'have', 'GandCrab'), ('REvil', 'have', 'GandCrab'), ('affiliates', 'bar', 'both programs')] T1591.001 [('the chart', 'see', 'we'), ('infections by', 'exempt', 'Syria')] T1591.001 [('it', 'turns'), ('a language check', 'ensure'), ('the payload', '!downloaded')] T1591.002 [('partner organizations', 'listed')] T1591.002 [('supply chain attacks on information systems', 'begin'), ('an advanced persistent threat APT', 'determines', 'a member of the supply network'), ('order', 'affect', 'the target organization')] T1591.002 [('It', 'found'), ('hackers', 'steal', 'sensitive data ,'), ('sensitive data ,', 'including')] T1591.002 [('The attackers', 'were')] T1591.002 [('Clues about business partners', 'provide', 'a hacker')] OBJS_ supplier T1591.002 [('Attackers', 'identified', 'the companyforeign supplier')] T1591.003 [('Threat actors', 'identified', 'that long holiday weekend')] T1591.003 [('The federal advisory', 'makes', 'note of'), ('note of', 'targeting'), ('cyber actors', 'conducted', 'impactful attacks against U.S. 
entities on')] T1591.003 [('FBI', 'has', 'information about a cyberattack'), ('a cyberattack', 'coinciding'), ('the document', 'says'), ('cybercriminals', 'see', 'holidays'), ('cybercriminals', 'see', 'weekends')] T1591.003 [('you', 'celebrate', 'Christmas , Hanukkah , chances')] T1591.003 [('The vacation season', 'is', 'yet another perfect period for cyber attacks')] T1591.003 [('a choice between', 'have', 'a hacker'), ('your organization', 'attack', 'a choice between'), ('your security team', 'staffed'), ('it', 'isnt-'), ('you', 'think'), ('they', 'choose')] T1591.003 [('organizations', 'overburdened')] T1591.003 [('The current pandemic', 'heightened', 'the threat ,'), ('which', 'resulted'), ('many firms', 'operating'), ('significant cybersecurity flaws', 'resulting'), ('the rapid shift to', 'working')] T1591.003 [('Cybercriminals', 'exploit', 'these flaws')] T1591.003 [('they', 'infected', 'the computers of the personnel in charge of transfer systems'), ('the attackers', 'collected', 'snapshots of victims screens')] T1591.004 [('RestorePrivacy , site ,', 'examined', 'the proof'), ('the seller', 'put'), ('the proof', 'found', 'the information'), ('the information', 'following'), ('the proof', 'scraped'), ('LinkedIn username', 'profile')] T1591.004 [('Targets', 'identified'), ('the CEO', 'come', 'the email request'), ('the money', 'send', 'the victim')] T1591.004 [('This threat group', 'parse', 'its affiliates'), ('This threat group', 'parse', 'companies websites'), ('This threat group', 'parse', 'social media'), ('leadership , HR for', 'following', 'spear attacks'), ('spear', 'targeted'), ('spear attacks', 'phishing')] T1591.004 [('a specific business role', 'target', 'Some spam lists'), ('example', 'target', 'Some spam lists')] T1591.004 [('the emails', 'extracted'), ('threat actors', 'identified'), ('fund transfers', 'originating')] T1592.001 [('Actors', 'targeting', 'poor countries'), ('Actors', 'pay', 'attention'), ('as it is often old', 'support', 'secure 
operation systems')] T1592.001 [('the versions', 'learn', 'hackers'), ('the versions', 'used'), ('it', 'produced')] T1592.001 [('This group', 'using', 'job postings ,'), ('resumes ,', 'determine', 'the hardware'), ('the hardware', 'used')] T1592.001 [('the attacker', 'gathered', 'information about the hardware'), ('the hardware', 'used'), ('they', 'register', 'typosquatted domains'), ('typosquatted domains', 'mimicking', 'these hardware manufactures')] T1592.001 [('This Russian APT', 'gathered', 'information'), ('industrial controllers', 'used')] T1592.002 [('Sandworm Team', 'researched', 'software code')] T1592.002 [('Sandworm Team', 'collected', 'a list of computers'), ('computers', 'using', 'specific software')] T1592.002 [('procurement data as purchase invoices for software', 'allowed'), ('attackers', 'plan', 'their exploitation for the initial access')] T1592.002 [('Andariel', 'inserted', 'a malicious script within websites'), ('websites', 'compromised')] T1592.002 [('Some threat groups', 'use', 'supply chain compromise'), ('a target', 'given')] T1592.002 [('Gathering information', 'allows'), ('attackers', 'use', 'vulnerabilities for certain kinds of server software'), ('vulnerabilities for', 'known')] T1592.003 [('Intruders', 'impersonated', 'the CEO')] T1592.003 [('the previous assessment report', 'outline', 'the problem with the update level'), ('it', 'act', 'the company'), ('the hands of the threat actors', 'end', 'the very assessment')] T1592.003 [('Slow implementation of the firmware patch for this vulnerability', 'became'), ('who', 'directing', 'their botnets'), ('the attackers', 'directing', 'their botnets'), ('the attackers', 'target', 'it')] T1592.003 [('Attackers', 'did', 'research on the backdoor')] T1592.003 [('This botnet handers', 'gather', 'information'), ('the types of IoT firmware with vulnerabilities', 'dominating'), ('vulnerabilities', 'known')] T1592.004 [('HAFNIUM', 'interacted', 'tenants'), ('details', 'regarding')] T1592.004 
[('Attackers website', 'checking', 'visitors'), ('Attackers website', 'checking', 'host information')] T1592.004 [('This group', 'studying', 'organizationpurchase invoices')] OBJS_ amount T1592.004 [('it', 'use', 'a small amount of information about the victim'), ('the remote C&C server', 'collects', 'a small amount of'), ('the remote C&C server', 'visiting', 'the website'), ('the website', 'compromised'), ('the website', 'including'), ('the victim', 'identify', 'specific content'), ('the victim', 'visiting')] T1592.004 [('code', 'loaded', 'a malicious Javascript file'), ('code', 'records', 'visitors User - Agent , Location')] T1592.004 [('Hackers', 'checking', 'virtualization status')] T1593.001 [('Kimsuky', 'monitor', 'Twitter'), ('Kimsuky', 'monitor', 'potential victims')] T1593.001 [('Hackers', 'use', 'observe activities'), ('organizations', 'targeted'), ('relevant information', 'using', 'hashtags as Firstday')] T1593.001 [('Attackers', 'analyzed', 'company employees'), ('Attackers', 'analyzed', 'media images'), ('passwords', 'written', 'whiteboards'), ('passwords', 'written', 'desks , etc')] T1593.001 [('A short video', 'shared'), ('A short video', 'provide', 'the attackers'), ('arrangements , systems', 'premise')] T1593.001 [('This group', 'identifying', 'employees'), ('This group', 'identifying', 'media accounts')] T1593.002 [('APT 31', 'collect', 'its own anonymization network'), ('APT 31', 'collect', 'information on the victimwebsite')] T1593.002 [('MANUAL_V2', 'encourage', 'affiliates'), ('the right victims', 'based'), ('the right victims', 'using', 'google dorks'), ('the right victims', 'using', 'google dorks')] T1593.002 [('vulnerable servers', 'detect', 'The Dork')] T1593.002 [('a query', 'crafted'), ('a query', 'looking'), ('a query', 'exposed')] T1593.002 [('This group', 'inspect', 'engine queries'), ('This group', 'inspect', 'organization website for logfiles , spreadsheets'), ('other documents', 'exposing', 'sensitive information')] T1595.001 [('IP 
blocks', 'scan', 'The adversaries'), ('targeting', 'use', 'information'), ('information', 'targeting')] T1595.001 [('attackers', 'continued')] T1595.001 [('One member of', 'sharing', 'victimIP addresses')] T1595.001 [('This attacker', 'scanning', 'companyIP space'), ('he', 'find')] T1595.001 [('the attacker', 'using', 'simple pings ( requests )')] T1595.002 [('APT28', 'performed', 'scale scans'), ('an attempt', 'find', 'vulnerable servers')] T1595.002 [('Sandworm Team', 'scanned', 'network infrastructure')] T1595.002 [('Volatile Cedar', 'performed', 'vulnerability scans of the target server')] T1595.002 [('this threat group', 'engage')] T1595.002 [('targeting', 'use', 'vulnerabilities'), ('vulnerabilities', 'targeting')] T1595.002 [('broad attempts', 'include', 'These scans'), ('Host Information', 'gather', 'broad attempts'), ('vulnerabilities', 'identify', 'Host Information'), ('vulnerabilities', 'identify', 'broad attempts'), ('vulnerabilities', 'known')] T1595.002 [('Vulnerability scans', 'harvest')] T1595.002 [('Vulnerability scans', 'check'), ('the configuration of a host / application ( ex : software )', 'aligns'), ('the adversary', 'seek'), ('a specific exploit', 'use')] T1596.001 [('Threat actors', 'search', 'DNS records')] T1596.001 [('Adversaries', 'discover', 'DNS'), ('Adversaries', 'discover', 'subdomains')] T1596.001 [('Threat actors', 'use', 'DNS misconfigurations for initial access')] T1596.001 [('Threat actors', 'search', 'central repositories of responses for information'), ('responses for', 'logged')] T1596.001 [('DNS leaks', 'provide', 'information about a domain to attackers')] T1596.001 [('Adversaries', 'use', 'the DNS information of as a pivot'), ('a pivot', 'attack')] T1596.002 [('Kaseya', 'find', 'a single IP address'), ('Kaseya', 'find', 'the total size of the range')] T1596.002 [('ownership', 'find', 'Domain names'), ('contact information', 'find', 'Domain names')] T1596.002 [('name', 'query', 'WHOIS'), ('name', 'assigned')] T1596.002 
[('Kaseya', 'used', 'active scanning for reconnaissance on networks , ports')] T1596.002 [('Shodan', 'establish', 'Kaseya'), ('operational resources', 'establish', 'Kaseya'), ('operational resources', 'exploited')] T1596.003 [('Threat actors', 'gain', 'site certificates'), ('Threat actors', 'gain', 'intel')] T1596.003 [('Threat Actors', 'perform', 'reconnaissance'), ('data', 'searching')] T1596.003 [('Threat actors', 'check', 'digital certificates for geolocation information'), ('their regions', 'protected')] T1596.003 [('CobaltStrike functionality', 'allows'), ('the malware', 'check', 'available security data')] T1596.003 [('APT27', 'checks', 'digital certificates')] T1596.004 [('Adversaries', 'use'), ('networks', 'discover', 'centralized assets')] T1596.004 [('content', 'find', 'Threat actors'), ('content', 'leaked'), ('protections of other assets', '!have', 'content'), ('content', '!exploited')] T1596.004 [('CDNs', 'expose', 'login portals')] T1596.004 [('Threat actors', 'scan', 'OSINT tools'), ('Threat actors', 'scan', 'repositories'), ('repositories', 'open')] T1596.004 [('Attackers', 'determine', 'assets'), ('Attackers', 'determine', 'links to CDNs'), ('assets', 'found')] T1596.005 [('Adversaries', 'search', 'public databases')] T1596.005 [('Threat actors', 'harvest', 'online resources'), ('Threat actors', 'harvest', 'information from these services'), ('Threat actors', 'harvest', 'lookup tools')] T1596.005 [('REvil', 'performed', 'recon against victims')] T1596.005 [('Attackers', 'obtain', 'passive methods'), ('Attackers', 'obtain', 'active port services')] T1596.005 [('Threat actors', 'use', 'shodan'), ('hosts', 'facing')] T1597.001 [('Threat actors', 'use', 'intel feeds for valuable information')] T1597.001 [('platforms', 'use', 'Threat actors'), ('platforms', 'paid'), ('potential targets', 'provide', 'what intelligence')] T1597.001 [('Adversaries', 'monitor'), ('their campaign', 'discover', 'IOCs'), ('tactics', 'change', 'their campaign')] T1597.001 
[('Threat actors', 'determine'), ('other groups', 'targeting')] T1597.001 [('Threat actors', 'target', 'intelligence feeds'), ('Threat actors', 'target', 'new victims')] T1597.002 [('technical information about victims', 'purchase', 'Adversaries'), ('targeting', 'use', 'victims'), ('victims', 'targeting')] T1597.002 [('Threat actors', 'purchase', 'information')] T1597.002 [('Reputable private resources', 'scan', 'database subscriptions')] T1597.002 [('Attackers', 'use', 'repositories of from tor sites'), ('repositories of from', 'known')] T1597.002 [('Threat actors', 'gain', 'network information'), ('network information', 'purchased')] T1598.001 [('Attackers', 'elicit', 'messages'), ('Attackers', 'elicit', 'sensative information from targets'), ('messages', 'spearphishing')] T1598.001 [('Spearphishing', 'get', 'engineering techniques'), ('Spearphishing', 'get', 'credentials'), ('Spearphishing', 'get', 'other information')] T1598.001 [('spearphishing', 'message', 'Emails'), ('Emails', 'spearphishing'), ('IT departments , executives', 'aim', 'Emails'), ('IT departments , executives', 'aim', 'social media')] T1598.001 [('Threat actors', 'use'), ('non - enterprise services', 'controlled'), ('they', 'have', 'less protections')] T1598.001 [('Adversaries', 'pose')] T1598.002 [('malicious e - mail attachments', 'deliver', 'Astaroth')] T1598.002 [('Sidewinder', 'sent', 'e'), ('Sidewinder', 'sent', '-'), ('Sidewinder', 'sent', 'mails with malicious attachments'), ('malicious attachments', 'credential', 'victims'), ('malicious attachments', 'credential', 'harvesting websites'), ('malicious attachments', 'credential', 'harvesting websites')] T1598.002 [('researchers from', 'observe', 'A phishing campaign'), ('a macro - enabled document', 'contain', 'researchers from'), ('the legitimate script engine', 'exploit', 'researchers from')] T1598.002 [('Researchers', 'discovered', 'a wave of emails with malicious attachments'), ('malicious attachments', 'orchestrated')] T1598.002 
[('files', 'attached'), ('files', 'containing', 'JavaScript'), ('the email', 'write', 'an ISO file'), ('this', 'contains', 'a Strike beacon'), ('a Strike beacon', 'activate')] T1598.002 [('a malware', 'based'), ('an document', 'deliver', 'Strrat , malware ,'), ('a campaign', 'deliver', 'Strrat , malware ,'), ('an document', 'attached'), ('a campaign', 'phishing'), ('accounts', 'use', 'a campaign'), ('accounts', 'compromised')] T1598.002 [('the email', 'look'), ('you', '!have', 'reason'), ('reason', 'receive', 'such an email'), ('you', '!open', 'any files'), ('any files', 'attached')] T1598.003 [('APT32', 'direct', 'malicious links'), ('APT32', 'direct', 'users'), ('web pages', 'harvest', 'credentials'), ('web pages', 'harvest', 'credentials')] T1598.003 [('Kimsuky', 'steal', 'links in e'), ('Kimsuky', 'steal', 'account information')] T1598.003 [('Sandworm Team', 'crafted', 'emails with hyperlinks'), ('emails with', 'spearphishing'), ('hyperlinks', 'trick', 'unwitting recipients'), ('hyperlinks', 'trick', 'unwitting recipients'), ('hyperlinks', 'revealing', 'their account credentials')] T1598.003 [('Sidewinder', 'sent', 'e'), ('Sidewinder', 'sent', '-'), ('Sidewinder', 'sent', 'mails with malicious links to websites'), ('websites', 'credential')] T1598.003 [('Silent Librarian', 'direct', 'links'), ('Silent Librarian', 'direct', 'victims'), ('harvesting websites', 'designed'), ('harvesting websites', 'appear')] T1599.001 [('Adversaries may bridge boundaries by', 'modifying', 'a network')] T1599.001 [('Malicious modifications to', 'enable', 'an adversary')] T1599.001 [('a target network', 'modify', 'Actors'), ('other infrastructure', 'protected')] T1599.001 [('Malware', 'gain', 'access to sensitive information on other systems')] T1599.001 [('Cybercriminals', 'manipulate', 'NATs')] T1600.001 [('APT27', 'employs', 'the technique of weakening encryption strength'), ('the technique of', 'ease', 'data extraction')] T1600.001 [('Ransomware as', 'reduce', 'the number of 
cipher keys'), ('cipher keys', 'utilised')] T1600.001 [('Threat actors', 'gain', 'access to communications')] T1600.001 [('Interception of data over communication', 'occur')] T1600.001 [('Malware', 'reduce', 'key space'), ('which', 'grant', 'access to data')] T1600.002 [('CozyBear', 'disable', 'device encryption')] T1600.002 [('Malware', 'has', 'capabilities encryption')] T1600.002 [('data', 'skim', 'Adversaries as'), ('software', 'encrypt', 'data')] T1600.002 [('easier', 'make', 'Data exfiltration'), ('device encryption', 'disabled')] T1600.002 [('data', 'exfiltrate', 'CronRAT'), ('a hardware device', 'encrypt', 'data'), ('data', 'disabling'), ('encryption', 'say', 'data')] T1601.001 [('a network device', 'insert', 'malware'), ('the system image', 'patch', 'malware'), ('system', 'operating')] T1601.001 [('ESPecter', 'patch', 'various windows functions')] T1601.001 [('KEYHOLE PANDA', 'modify', 'the OS')] T1601.001 [('APT groups', 'bypass', 'security mechanisms')] T1601.001 [('Magecart', 'modify', 'the image of it host system')] T1601.002 [('Conti ransomware', 'downgrade', 'vulnerable drivers'), ('vulnerabilities', 'patched')] T1601.002 [('previous versions through techniques', 'downgrade', 'Network devices'), ('APT20', 'implement', 'techniques')] T1601.002 [('DarkSide ransomware', 'bypass', 'detection')] T1601.002 [('ESPecter', 'install', 'OS drivers of an older version')] T1601.002 [('Care', 'taken'), ('older versions', 'install', 'malware'), ('older versions', 'exploit')] T1602.001 [('SNMP', 'dump', 'configuration data'), ('malware', 'abuse'), ('it', 'proves')] T1602.001 [('Conti ransomware', 'determine', 'vulnerabilities within mechanisms'), ('mechanisms', 'configured')] T1602.001 [('CobaltStrike modules', 'determine', 'SNMP'), ('CobaltStrike modules', 'determine', 'vulnerable configurations for later exploitation')] T1602.001 [('APT22', 'employs', 'the technique of'), ('the technique of', 'dumping', 'the MIB database'), ('the technique of', 'learn')] T1602.001 
[('Caution', 'taken'), ('a single point of failure', 'become', 'they'), ('a target system', 'learn', 'attackers')] T1602.002 [('network devices', 'store', 'User credentials'), ('plaintext passwords', '!claim', 'adversaries'), ('they', 'compromised')] T1602.002 [('APT13', 'access', 'storage of network devices')] T1602.002 [('BazarLoader', 'dump', 'configuration details')] T1602.002 [('Host enumeration', 'occur'), ('their memory', '!secure', 'networks'), ('active memory', 'store', 'neighbour details')] T1602.002 [('Malware', 'dump', 'the contents of non volatile memory'), ('misconfigurations', 'exploit')] T1606.001 [('APT29', 'bypassed'), ('MFA', 'set'), ('a key', 'stolen')] T1606.001 [('UNC2452', 'bypassed'), ('MFA', 'set'), ('a key', 'stolen')] T1606.001 [('web cookies', 'forge', 'Adversaries'), ('access to web applications', 'gain', 'web cookies'), ('access to', 'gain', 'web cookies')] T1606.001 [('Generating cookies', 'requires', 'information'), ('information', 'known'), ('information', 'acquired')] T1606.001 [('Some actors', 'create', 'fake web cookies'), ('malware', 'create', 'fake web cookies')] T1606.002 [('APT29', 'created', 'tokens'), ('SAML', 'compromised')] T1606.002 [('UNC2452', 'created', 'tokens'), ('SAML', 'compromised')] T1606.002 [('credentials', 'exploit', 'Supply breaches'), ('credentials', 'forged'), ('access as the forging of SMAL tokens', 'obtain', 'credentials')] T1606.002 [('APT30', 'break', 'single sign on')] T1606.002 [('Threat actors', 'change', 'the normal hour limit upon the legitimacy of through'), ('the legitimacy of through', 'accessing', 'the AccessTokenLifetime element')] T1608.001 [('APT32', 'hosted', 'malicious payloads')] T1608.001 [('obfuscated malicious payloads on', 'post', 'They')] T1608.001 [('the websites', 'compromised'), ('post - compromise malware as keyloggers', 'stage', 'Some of the websites')] T1608.001 [('These government hackers', 'staged', 'malicious Java scripts'), ('the Microsoft domains', 'typosquatted'), 
('they', 'registered')] T1608.001 [('various websites', 'compromised')] T1608.002 [('Threat Group-3390', 'staged', 'tools'), ('tools', 'including'), ('websites', 'compromised')] T1608.002 [('the adversaries', 'uploaded', 'remote administration tools'), ('websites', 'compromised'), ('they', 'controlled')] T1608.002 [('Threat actor', 'placed', 'several purpose tools')] T1608.002 [('Utilities RAT tool', 'upload', 'The attackers'), ('a party website', 'upload', 'The attackers'), ('a party website', 'compromised'), ('a remote administration tool', 'have', 'the victim environment'), ('a remote administration tool', 'installed')] T1608.002 [('FIN5', 'staged', 'a version of'), ('a version of', 'customized')] T1608.003 [('Adversaries', 'created', 'certificates'), ('certificates', 'signed')] T1608.003 [('Attackers', 'installed', 'LetEncrypt certificates'), ('their servers', 'phishing')] T1608.003 [('They', 'prepare', 'pages with valid TLS certificates'), ('pages with', 'phishing')] T1608.003 [('websites', 'reported'), ('cybercriminals', 'installed', 'SSL certificates'), ('processes', 'called')] T1608.003 [('Actors', 'installed', 'SSL certificates'), ('they', 'made'), ('SSL certificates', 'using', 'OpenSSL')] T1608.004 [('APT32', 'stood', 'websites'), ('websites', 'containing', 'numerous articles'), ('websites', 'containing', 'content'), ('websites', 'scraped'), ('websites', 'make'), ('them', 'appear', 'legitimate'), ('some of these pages', 'profile', 'malicious JavaScript'), ('some of', 'profile', 'the potential victim')] T1608.004 [('Threat Group-3390', 'embedded', 'malicious code')] T1608.004 [('The attackers', 'prepared', 'an malvertizing : ad'), ('an ad', 'combined'), ('which', 'contained', 'malicious code')] T1608.004 [('Second stage of the Magecart attack', 'injecting', 'malicious Javascript')] T1608.004 [('This APT group', 'looking'), ('to compromise publications', 'prepare'), ('to compromise publications', 'watering', 'whole attacks')] T1608.005 [('Silent Librarian', 
'cloned', 'organization login pages')] T1608.005 [('Silent Librarian', 'made', 'use of a variety of for')] T1608.005 [('The attackers', 'prepared', '39,000 pages'), ('39,000 pages', 'phishing'), ('39,000 pages', 'mimicking', 'platforms login pages')] T1608.005 [('They', 'used', 'Ngrokpaid option'), ('Ngrokpaid option', 'acquire', 'URLs'), ('URLs', 'customized'), ('URLs', 'phishing'), ('URLs', 'displaying', 'Metatrademarks ( as )')] T1608.005 [('they', 'registered', 'typosquatted domains ,'), ('typosquatted domains ,', 'set', 'phishing pages'), ('typosquatted domains ,', 'set', 'URL shortener service'), ('URL shortener service', 'employed')] T1608.005 [('The attacker', 'placed', 'archived malicious Office Documents')] T1611 [('Deploy container', 'using', 'container escape')]