{ "authors": [ "Tidal Cyber" ], "category": "Software", "description": "Tidal Software Cluster", "name": "Tidal Software", "source": "https://app-api.tidalcyber.com/api/v1/software/", "type": "software", "uuid": "6eb44da4-ed4f-4a5d-a444-0f105ff1b3c2", "values": [ { "description": "[3PARA RAT](https://app.tidalcyber.com/software/71d76208-c465-4447-8d6e-c54f142b65a4) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). [[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0066", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" }, { "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "type": "similar" } ], "uuid": "71d76208-c465-4447-8d6e-c54f142b65a4", "value": "3PARA RAT" }, { "description": "[4H RAT](https://app.tidalcyber.com/software/a15142a3-4797-4fef-8ec6-065e3322a69b) is malware that has been used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c) since at least 2007. [[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0065", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" }, { "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "type": "similar" } ], "uuid": "a15142a3-4797-4fef-8ec6-065e3322a69b", "value": "4H RAT" }, { "description": "7-Zip is a tool used to compress files into an archive.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5023", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "c45ce044-b5b9-426a-866c-130e9f2a4427", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" } ], "uuid": "4665e52b-3c5c-4a7f-9432-c89ef26f2c93", "value": "7-Zip" }, { "description": "The 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. 
The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5299", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "00b45c13-d165-44d0-ad6b-99787d2a7ce3", "type": "used-by" } ], "uuid": "88a5435f-5586-4cb4-a9c0-1961ee060a67", "value": "8Base Ransomware" }, { "description": "[AADInternals](https://app.tidalcyber.com/software/3d33fbf5-c21e-4587-ba31-9aeec3cc10c0) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. 
The tool is publicly available on GitHub.[[AADInternals Github](https://app.tidalcyber.com/references/643d3947-c0ec-47c4-bb58-5e546084433c)][[AADInternals Documentation](https://app.tidalcyber.com/references/320231a1-4dbe-4eaa-b14d-48de738ba697)]", "meta": { "platforms": [ "Azure AD", "Office 365", "Windows" ], "software_attack_id": "S0677", "source": "MITRE", "tags": [ "c9c73000-30a5-4a16-8c8b-79169f9c24aa", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", "type": "similar" } ], "uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0", "value": "AADInternals" }, { "description": "[ABK](https://app.tidalcyber.com/software/394cadd0-bc4d-4181-ac53-858e84b8e3de) is a downloader that has been used by [BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) since at least 2019.[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0469", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", "type": "similar" } ], "uuid": "394cadd0-bc4d-4181-ac53-858e84b8e3de", "value": "ABK" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Verifies UI accessibility requirements\n\n**Author:** bohops\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\x86\\AccChecker\\AccCheckConsole.exe\n* C:\\Program Files 
(x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\x64\\AccChecker\\AccCheckConsole.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\arm\\AccChecker\\AccCheckConsole.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\arm64\\AccChecker\\AccCheckConsole.exe\n\n**Resources:**\n* [https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340](https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340)\n* [https://twitter.com/bohops/status/1477717351017680899](https://twitter.com/bohops/status/1477717351017680899)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_acccheckconsole.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml)\n* IOC: Sysmon Event ID 1 - Process Creation\n* Analysis: [https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340](https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340)[[AccCheckConsole.exe - LOLBAS Project](/references/de5523bd-e735-4751-84e9-a1be1d2980ec)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5203", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "cce705c7-49f8-4b54-b854-fd4b3a32e6ff", "value": "AccCheckConsole" }, { "description": "AccountRestore is a .NET executable that is used to brute force Active Directory accounts. 
The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[[Security Joes Sockbot March 09 2022](/references/bca2b5c2-bc3b-4504-806e-5c5b6fee96e6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5059", "source": "Tidal Cyber", "tags": [ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" } ], "uuid": "6bc29df2-195e-410c-ad08-f3661575492f", "value": "AccountRestore" }, { "description": "[AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) is an ELF binary targeting modems and routers using MIPS architecture.[[AcidRain JAGS 2022](https://app.tidalcyber.com/references/bd4a7b2e-a387-5e1b-9d9e-52464a8e25c9)] [AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. 
Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).[[AcidRain JAGS 2022](https://app.tidalcyber.com/references/bd4a7b2e-a387-5e1b-9d9e-52464a8e25c9)] US and European government sources linked [AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://app.tidalcyber.com/software/cf465790-3d6d-5767-bb8c-63a429f95d83) specifically to [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666).[[AcidRain State Department 2022](https://app.tidalcyber.com/references/9d514c52-9def-5b11-aa06-fdf3ee9923ed)][[Vincens AcidPour 2024](https://app.tidalcyber.com/references/742c8a5c-21e5-58d8-a90d-f4c186c0699a)]", "meta": { "platforms": [ "Network", "Linux" ], "software_attack_id": "S1125", "source": "MITRE", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", "type": "similar" } ], "uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83", "value": "AcidRain" }, { "description": "[Action RAT](https://app.tidalcyber.com/software/202781a3-d481-4984-9e5a-31caafc20135) is a remote access tool written in Delphi that has been used by [SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594) since at least December 2021 against Indian and Afghani government personnel.[[MalwareBytes SideCopy Dec 2021](https://app.tidalcyber.com/references/466569a7-1ef8-4824-bd9c-d25301184ea4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1028", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" }, { "dest-uuid": 
"36801ffb-5c85-4c50-9121-6122e389366d", "type": "similar" } ], "uuid": "202781a3-d481-4984-9e5a-31caafc20135", "value": "Action RAT" }, { "description": "[adbupd](https://app.tidalcyber.com/software/f52e759a-a725-4b50-84f2-12bef89d369e) is a backdoor used by [PLATINUM](https://app.tidalcyber.com/groups/f036b992-4c3f-47b7-a458-94ac133bce74) that is similar to [Dipsind](https://app.tidalcyber.com/software/226ee563-4d49-48c2-aa91-82999f43ce30). [[Microsoft PLATINUM April 2016](https://app.tidalcyber.com/references/d0ec5037-aa7f-48ee-8d37-ff8fb2c8c297)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0202", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" }, { "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", "type": "similar" } ], "uuid": "f52e759a-a725-4b50-84f2-12bef89d369e", "value": "adbupd" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** .NET Tool used for updating cache files for Microsoft Office Add-Ins.\n\n**Author:** Michael McKinley @MckinleyMike\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddinUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddinUtil.exe\n\n**Resources:**\n* [https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html](https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_addinutil_suspicious_cmdline.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml)\n* Sigma: 
[proc_creation_win_addinutil_uncommon_child_process.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml)\n* Sigma: [proc_creation_win_addinutil_uncommon_cmdline.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml)\n* Sigma: [proc_creation_win_addinutil_uncommon_dir_exec.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml)[[AddinUtil.exe - LOLBAS Project](/references/91af546d-0a56-4c17-b292-6257943a8aba)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5082", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "253f97c3-ba35-4064-8ec0-892872432214", "value": "AddinUtil" }, { "description": "[AdFind](https://app.tidalcyber.com/software/70559096-2a6b-4388-97e6-c2b16f3be78e) is a free command-line query tool that can be used for gathering information from Active Directory.[[Red Canary Hospital Thwarted Ryuk October 2020](https://app.tidalcyber.com/references/ae5d4c47-54c9-4f7b-9357-88036c524217)][[FireEye FIN6 Apr 2019](https://app.tidalcyber.com/references/e8a2bc6a-04e3-484e-af67-5f57656c7206)][[FireEye Ryuk and Trickbot January 2019](https://app.tidalcyber.com/references/b29dc755-f1f0-4206-9ecf-29257a1909ee)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0552", "source": "MITRE", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "3a633b73-9c2c-4293-8577-fb97be0cda37", 
"af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "similar" } ], "uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e", "value": "AdFind" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed 
under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging tool included with Windows Debugging Tools\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\adplus.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\adplus.exe\n\n**Resources:**\n* [https://mrd0x.com/adplus-debugging-tool-lsass-dump/](https://mrd0x.com/adplus-debugging-tool-lsass-dump/)\n* [https://twitter.com/nas_bench/status/1534916659676422152](https://twitter.com/nas_bench/status/1534916659676422152)\n* [https://twitter.com/nas_bench/status/1534915321856917506](https://twitter.com/nas_bench/status/1534915321856917506)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_adplus.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[adplus.exe - LOLBAS Project](/references/d407ca0a-7ace-4dc5-947d-69a1e5a1d459)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5204", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "3f229fe8-4d03-48ba-97b5-d7132510e090", "value": "adplus" }, { "description": "ADRecon is an open-source tool that can be used to gather a \"holistic\" view of a target Active Directory environment.[[GitHub ADRecon](/references/8ef4bcee-673d-4bab-8e18-947f45c6fc77)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5270", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": 
"33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "c227bea1-9996-49d6-97ca-10a2fc156747", "value": "ADRecon" }, { "description": "Advanced IP Scanner is a tool used to perform network scans and show network devices.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5024", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e", "value": "Advanced IP Scanner" }, { "description": "Advanced Port Scanner is a tool used to perform network scans.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5006", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" } ], "uuid": "f93b54cf-a17c-4739-a7af-4106055f868d", "value": "Advanced Port Scanner" }, { "description": "AdvancedRun is a tool used to enable software execution under user-defined settings.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5025", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "7de7d799-f836-4555-97a4-0db776eb6932", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "7ef15943-8061-4941-b14e-9634c0b95d28", "value": "AdvancedRun" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Utility for installing software and drivers with rundll32.exe\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\advpack.dll\n* c:\\windows\\syswow64\\advpack.dll\n\n**Resources:**\n* [https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/](https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/)\n* [https://twitter.com/ItsReallyNick/status/967859147977850880](https://twitter.com/ItsReallyNick/status/967859147977850880)\n* [https://twitter.com/bohops/status/974497123101179904](https://twitter.com/bohops/status/974497123101179904)\n* [https://twitter.com/moriarty_meng/status/977848311603380224](https://twitter.com/moriarty_meng/status/977848311603380224)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___advpack.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml)[[Advpack.dll - LOLBAS Project](/references/837ccb3c-316d-4d96-8a33-b5df40870aba)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5187", "source": "Tidal Cyber", "tags": [ "7a457caf-c3b6-4a48-84cf-c1f50a2eda27", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "6c82fc65-864a-4a8c-80ed-80a69920c44f", "value": "Advpack" }, { "description": "[ADVSTORESHELL](https://app.tidalcyber.com/software/ef7f4f5f-6f30-4059-87d1-cd8375bf1bee) is a spying backdoor that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. 
[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)] [[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0045", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635", "16b47583-1c54-431f-9f09-759df7b5ddb7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "type": "similar" } ], "uuid": "ef7f4f5f-6f30-4059-87d1-cd8375bf1bee", "value": "ADVSTORESHELL" }, { "description": "[Agent.btz](https://app.tidalcyber.com/software/f27c9a91-c618-40c6-837d-089ba4d80f45) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [[Securelist Agent.btz](https://app.tidalcyber.com/references/3b876c56-1d18-49e3-9a96-5cee4af7ab72)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0092", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "type": "similar" } ], "uuid": "f27c9a91-c618-40c6-837d-089ba4d80f45", "value": "Agent.btz" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Intune Management Extension included on Intune Managed Devices\n\n**Author:** Eleftherios Panos\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Intune Management Extension\n\n**Resources:**\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_agentexecutor.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml)\n* Sigma: [proc_creation_win_lolbin_agentexecutor_susp_usage.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml)[[AgentExecutor.exe - LOLBAS Project](/references/633d7f25-df9d-4619-9aa9-92d1d9d225d7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5205", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "27fa7573-c1d3-4857-8a45-ef501c8ea32c", "value": "AgentExecutor" }, { "description": "[Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[[Fortinet Agent Tesla April 2018](https://app.tidalcyber.com/references/86a65be7-0f70-4755-b526-a26b92eabaa2)][[Bitdefender Agent Tesla April 2020](https://app.tidalcyber.com/references/e3d932fc-0148-43b9-bcc7-971dd7ba3bf8)][[Malwarebytes Agent Tesla April 2020](https://app.tidalcyber.com/references/87f4fe4c-54cd-40a7-938b-6e6f6d2efbea)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0331", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" }, { "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "type": "similar" } ], "uuid": "304650b1-a0b5-460c-9210-23a5b53815a4", "value": "Agent Tesla" }, { "description": 
"[Akira](https://app.tidalcyber.com/software/96ae0e1e-975a-5e11-adbe-c79ee17cee11) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://app.tidalcyber.com/groups/923f478c-7ad1-516f-986d-61f96b9c553e).[[Kersten Akira 2023](https://app.tidalcyber.com/references/df191993-a2cb-5d26-960c-11d1c6d3d73b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1129", "source": "MITRE", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "562e535e-19f5-4d6c-81ed-ce2aec544f09" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", "type": "similar" } ], "uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11", "value": "Akira" }, { "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"Akira\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\nA ransomware binary designed to encrypt victim files. 
More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, \"Akira Ransomware Actors\".", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5280", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "562e535e-19f5-4d6c-81ed-ce2aec544f09" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "59d598a9-e115-4d90-8fef-096015afa8d4", "value": "Akira Ransomware (Deprecated)" }, { "description": "[Amadey](https://app.tidalcyber.com/software/f173ec20-ef40-436b-a859-fef017e1e767) is a Trojan bot that has been used since at least October 2018.[[Korean FSI TA505 2020](https://app.tidalcyber.com/references/d4e2c109-341c-45b3-9d41-3eb980724524)][[BlackBerry Amadey 2020](https://app.tidalcyber.com/references/21b7a7c7-55a2-4235-ba11-d34ba68d1bf5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1025", "source": "MITRE", "tags": [ "fa84181d-fd9a-4c7b-8e18-e47011993b5e", "263adb48-051c-4384-90cf-1d4c937c3f05", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", "type": "similar" } ], "uuid": "f173ec20-ef40-436b-a859-fef017e1e767", "value": "Amadey" }, { "description": "[Anchor](https://app.tidalcyber.com/software/9521c535-1043-4b82-ba5d-e5eaeca500ee) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) on selected high profile targets since at least 2018.[[Cyberreason Anchor December 
2019](https://app.tidalcyber.com/references/a8dc5598-9963-4a1d-a473-bee8d2c72c57)][[Medium Anchor DNS July 2020](https://app.tidalcyber.com/references/de246d53-385f-44be-bf0f-25a76442b835)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0504", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", "type": "similar" } ], "uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee", "value": "Anchor" }, { "description": "[ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://app.tidalcyber.com/campaigns/41f283a1-b2ac-547d-98d5-ff907afd08c7) campaign, threat actors re-registered expired [ANDROMEDA](https://app.tidalcyber.com/software/69aac793-9e6a-5167-bc62-823189ee2f7b) C2 domains to spread malware to select targets in Ukraine.[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1074", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", "type": "similar" } ], "uuid": "69aac793-9e6a-5167-bc62-823189ee2f7b", "value": "ANDROMEDA" }, { "description": "Angry IP Scanner is a tool that adversaries are known to use to search for vulnerable RDP ports.[[U.S. 
CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S5274", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "cd1b5d44-226e-4405-8985-800492cf2865", "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "8efa90ac-a894-467d-8633-16a44d270358", "value": "Angry IP Scanner" }, { "description": "AnyDesk is a tool used to enable remote connections to network devices.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5007", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "fb06d216-f535-45c1-993a-8c1b7aa2111c", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": 
"33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "00b45c13-d165-44d0-ad6b-99787d2a7ce3", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" } ], "uuid": "922447fd-f41e-4bcf-b479-88137c81099c", "value": "AnyDesk" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool used for installation of AppX/MSIX applications on Windows 10\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1333900137232523264](https://twitter.com/notwhickey/status/1333900137232523264)\n\n**Detection:**\n* Sigma: [dns_query_win_lolbin_appinstaller.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml)[[AppInstaller.exe - LOLBAS 
Project](/references/9a777e7c-e76c-465c-8b45-67503e715f7e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5083", "source": "Tidal Cyber", "tags": [ "837cf289-ad09-48ca-adf9-b46b07015666", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9fa7c759-172f-4ae3-ac3d-0070c3c4c439", "value": "AppInstaller" }, { "description": "[AppleJeus](https://app.tidalcyber.com/software/cdeb3110-07e5-4c3d-9eef-e6f2b760ef33) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://app.tidalcyber.com/software/cdeb3110-07e5-4c3d-9eef-e6f2b760ef33) has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. 
[AppleJeus](https://app.tidalcyber.com/software/cdeb3110-07e5-4c3d-9eef-e6f2b760ef33) has been used to distribute the [FALLCHILL](https://app.tidalcyber.com/software/ea47f1fd-0171-4254-8c92-92b7a5eec5e1) RAT.[[CISA AppleJeus Feb 2021](https://app.tidalcyber.com/references/6873e14d-eba4-4e3c-9ccf-cec1d760f0be)]", "meta": { "platforms": [ "macOS", "Windows" ], "software_attack_id": "S0584", "source": "MITRE", "tags": [ "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", "type": "similar" } ], "uuid": "cdeb3110-07e5-4c3d-9eef-e6f2b760ef33", "value": "AppleJeus" }, { "description": "[AppleSeed](https://app.tidalcyber.com/software/9df2e42e-b454-46ea-b50d-2f7d999f3d42) is a backdoor that has been used by [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) to target South Korean government, academic, and commercial targets since at least 2021.[[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]", "meta": { "platforms": [ "Android", "Windows" ], "software_attack_id": "S0622", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", "type": "similar" } ], "uuid": "9df2e42e-b454-46ea-b50d-2f7d999f3d42", "value": "AppleSeed" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Application Virtualization 
Utility Included with Microsoft Office 2016\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Microsoft Office\\root\\client\\appvlp.exe\n* C:\\Program Files (x86)\\Microsoft Office\\root\\client\\appvlp.exe\n\n**Resources:**\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n* [https://twitter.com/moo_hax/status/892388990686347264](https://twitter.com/moo_hax/status/892388990686347264)\n* [https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/](https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/)\n* [https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/](https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_appvlp.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml)[[Appvlp.exe - LOLBAS Project](/references/b0afe3e8-9f1d-4295-8811-8dfbe993c337)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5206", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1328ae5d-7220-46bb-a7ee-0c5a31eeda7f", "value": "Appvlp" }, { "description": "AresLoader is a loader malware distributed as malware-as-a-service. 
It has been observed being both dropped by and delivering SystemBC, a known ransomware precursor.[[New loader on the bloc - AresLoader | Intel471](/references/1bdd0957-1f5b-4323-bf49-f5c41b8c397a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5286", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "a2e000da-8181-4327-bacd-32013dbd3654", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "5bf1ed41-8fe5-4c4b-8d80-a55980289e1f", "value": "AresLoader" }, { "description": "[Aria-body](https://app.tidalcyber.com/software/7ba79887-d496-47aa-8b71-df7f46329322) is a custom backdoor that has been used by [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) since approximately 2017.[[CheckPoint Naikon May 2020](https://app.tidalcyber.com/references/f080acab-a6a0-42e1-98ff-45e415393648)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0456", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386", "type": "similar" } ], "uuid": "7ba79887-d496-47aa-8b71-df7f46329322", "value": "Aria-body" }, { "description": "[Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. 
[[TechNet Arp](https://app.tidalcyber.com/references/7714222e-8046-4884-b460-493d9ef46305)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0099", "source": "MITRE", "tags": [ "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "type": "similar" } ], "uuid": "45b51950-6190-4572-b1a2-7c69d865251e", "value": "Arp" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** ASP.NET Compilation Tool\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\n* c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe\n\n**Resources:**\n* [https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/](https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/)\n* [https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8)\n\n**Detection:**\n* BlockRule: 
[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_aspnet_compiler.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml)[[Aspnet_Compiler.exe - LOLBAS Project](/references/15864c56-115e-4163-b816-03bdb9bfd5c5)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5084", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "42763dde-8226-4f31-a3ba-face2da84dd2", "value": "Aspnet_Compiler" }, { "description": "[ASPXSpy](https://app.tidalcyber.com/software/a0cce010-9158-45e5-978a-f002e5c31a03) is a Web shell. It has been modified by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) actors to create the ASPXTool version. 
[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0073", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "type": "similar" } ], "uuid": "a0cce010-9158-45e5-978a-f002e5c31a03", "value": "ASPXSpy" }, { "description": "[Astaroth](https://app.tidalcyber.com/software/ea719a35-cbe9-4503-873d-164f68ab4544) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [[Cybereason Astaroth Feb 2019](https://app.tidalcyber.com/references/eb4dc1f8-c6e7-4d6c-9258-b03a0ae64d2e)][[Cofense Astaroth Sept 2018](https://app.tidalcyber.com/references/d316c581-646d-48e7-956e-34e2f957c67d)][[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0373", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", "type": "similar" } ], "uuid": "ea719a35-cbe9-4503-873d-164f68ab4544", "value": "Astaroth" }, { "description": "[AsyncRAT](https://app.tidalcyber.com/software/d587efff-4699-51c7-a4cc-bdbd1b302ed4) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[[Morphisec Snip3 May 
2021](https://app.tidalcyber.com/references/abe44c50-8347-5c98-8b04-d41afbe59d4c)][[Cisco Operation Layover September 2021](https://app.tidalcyber.com/references/f19b4bd5-99f9-54c0-bffe-cc9c052aea12)][[Telefonica Snip3 December 2021](https://app.tidalcyber.com/references/f026dd44-1491-505b-8a8a-e4f28c6cd6a7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1087", "source": "MITRE", "tags": [ "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" }, { "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", "type": "similar" } ], "uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4", "value": "AsyncRAT" }, { "description": "[at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) is used to schedule tasks on a system to run at a specified date or time.[[TechNet At](https://app.tidalcyber.com/references/31b40c09-d68f-4889-b585-c077bd9cef28)][[Linux at](https://app.tidalcyber.com/references/3e3a84bc-ab6d-460d-8abc-cafae6eaaedd)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0110", "source": "MITRE", "tags": [ "5bc4c6c6-36df-4a53-920c-53e17d7027db", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": 
"eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "type": "similar" } ], "uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860", "value": "at" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Helper binary for Assistive Technology (AT)\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Atbroker.exe\n* C:\\Windows\\SysWOW64\\Atbroker.exe\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/](http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_atbroker.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml)\n* Sigma: [registry_event_susp_atbroker_change.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml)\n* IOC: Changes to HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration\n* IOC: Changes to HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\n* IOC: Unknown AT starting C:\\Windows\\System32\\ATBroker.exe /start malware[[Atbroker.exe - LOLBAS Project](/references/b0c21b56-6591-49c3-8e67-328ddb7b436d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5085", "source": "Tidal Cyber", "tags": [ "85a29262-64bd-443c-9e08-3ee26aac859b", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" 
] }, "related": [], "uuid": "2efae55c-86f3-4234-af26-1c75e922d81a", "value": "Atbroker" }, { "description": "Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance (\"RMM\") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5014", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "9a5ed991-6fe7-49fe-8536-91defc449b18", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "992bdd33-4a47-495d-883a-58010a2f0efb", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" } ], "uuid": "f8113a9f-a706-46df-8370-a9cef1c75f30", "value": "Atera Agent" }, { "description": 
"Atomic Stealer is an information-stealing malware (\"infostealer\") designed to harvest passwords, cookies, and other sensitive information from macOS systems. It is often delivered via malicious download sites promoted via malvertising.[[Malwarebytes 9 6 2023](/references/5f2f6a12-26c5-4c74-98ad-48b67379a716)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS" ], "software_attack_id": "S5314", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "ce914eea-8db9-425b-8ae2-a56a264b4951", "value": "Atomic Stealer" }, { "description": "[Attor](https://app.tidalcyber.com/software/89c35e9f-b435-4f58-9073-f24c1ee8754f) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://app.tidalcyber.com/software/89c35e9f-b435-4f58-9073-f24c1ee8754f) has a loadable plugin architecture to customize functionality for specific targets.[[ESET Attor Oct 2019](https://app.tidalcyber.com/references/fdd57c56-d989-4a6f-8cc5-5b3713605dec)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0438", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "type": "similar" } ], "uuid": "89c35e9f-b435-4f58-9073-f24c1ee8754f", "value": "Attor" }, { "description": "[AuditCred](https://app.tidalcyber.com/software/d0c25f14-5eb3-40c1-a890-2ab1349dff53) is a malicious DLL that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) during their 2018 attacks.[[TrendMicro Lazarus Nov 2018](https://app.tidalcyber.com/references/4c697316-c13a-4243-be18-c0e059e4168c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0347", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", "type": 
"similar" } ], "uuid": "d0c25f14-5eb3-40c1-a890-2ab1349dff53", "value": "AuditCred" }, { "description": "[AutoIt backdoor](https://app.tidalcyber.com/software/3f927596-5219-49eb-bd0d-57068b0e04ed) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0129", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "type": "similar" } ], "uuid": "3f927596-5219-49eb-bd0d-57068b0e04ed", "value": "AutoIt backdoor" }, { "description": "Researchers describe Automim as a \"collection of .cmd, .vbs and .bat files that automate the execution\" of the Mimikatz and LaZagne credential harvesting tools.[[CrowdStrike Endpoint Security Testing Oct 2021](/references/4cecfe1f-c1d2-4a71-ac17-0effd5f045df)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5277", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "984249bd-6421-4133-bd2a-25f330b4b441", "value": "Automim" }, { "description": "[AuTo Stealer](https://app.tidalcyber.com/software/649a4cfc-c0d0-412d-a28c-1bd4ed604ea8) is malware written in C++ that has been used by 
[SideCopy](https://app.tidalcyber.com/groups/31bc763e-623f-4870-9780-86e43d732594) since at least December 2021 to target government agencies and personnel in India and Afghanistan.[[MalwareBytes SideCopy Dec 2021](https://app.tidalcyber.com/references/466569a7-1ef8-4824-bd9c-d25301184ea4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1029", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" }, { "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", "type": "similar" } ], "uuid": "649a4cfc-c0d0-412d-a28c-1bd4ed604ea8", "value": "AuTo Stealer" }, { "description": "[Avaddon](https://app.tidalcyber.com/software/bad92974-35f6-4183-8024-b629140c6ee6) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[[Awake Security Avaddon](https://app.tidalcyber.com/references/c113cde7-5dd5-45e9-af16-3ab6ed0b1728)][[Arxiv Avaddon Feb 2021](https://app.tidalcyber.com/references/dbee8e7e-f477-4bd5-8225-84e0e222617e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0640", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", "type": "similar" } ], "uuid": "bad92974-35f6-4183-8024-b629140c6ee6", "value": "Avaddon" }, { "description": "[Avenger](https://app.tidalcyber.com/software/e5ca0192-e905-46a1-abef-ce1119c1f967) is a downloader that has been used by [BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) since at least 2019.[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0473", "source": "MITRE", "tags": [ 
"84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "type": "similar" } ], "uuid": "e5ca0192-e905-46a1-abef-ce1119c1f967", "value": "Avenger" }, { "description": "[AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://app.tidalcyber.com/software/e792dc8d-b0f4-5916-8850-a61ff53125d0) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[[Malwarebytes AvosLocker Jul 2021](https://app.tidalcyber.com/references/88dffb14-a7a7-5b36-b269-8283dec0f1a3)][[Trend Micro AvosLocker Apr 2022](https://app.tidalcyber.com/references/01fdc732-0951-59e2-afaf-5fe761357e7f)][[Joint CSA AvosLocker Mar 2022](https://app.tidalcyber.com/references/8ad57a0d-d74f-5802-ab83-4ddac1beb083)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S1053", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "c3779a84-8132-4c62-be2f-9312ad41c273", "ce9f1048-09c1-49b0-a109-dd604afbf3cd", "fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b", "9e4936f0-e3b7-4721-a638-58b2d093b2f2", "24448a05-2337-4bc9-a889-a83f2fd1f3ad", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d", "type": "similar" } ], "uuid": "e792dc8d-b0f4-5916-8850-a61ff53125d0", "value": "AvosLocker" }, { "description": 
"[Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been seen used for cryptocurrency theft. [[Unit42 Azorult Nov 2018](https://app.tidalcyber.com/references/44ceddf6-bcbf-4a60-bb92-f8cdc675d185)][[Proofpoint Azorult July 2018](https://app.tidalcyber.com/references/a85c869a-3ba3-42c2-9460-d3d1f0874044)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0344", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", "type": "similar" } ], "uuid": "cc68a7f0-c955-465f-bee0-2dacbb179078", "value": "Azorult" }, { "description": "[Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. 
The operators of [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)][[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)][[CyberScoop Babuk February 2021](https://app.tidalcyber.com/references/0a0aeacd-0976-4c84-b40d-5704afca9f0e)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0638", "source": "MITRE", "tags": [ "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "b5962a84-f1c7-4d0d-985c-86301db95129", "12124060-8392-49a3-b7b7-1dde3ebc8e67", "915e7ac2-b266-45d7-945c-cb04327d6246", "d713747c-2d53-487e-9dac-259230f04460", "fde4c246-7d2d-4d53-938b-44651cf273f1", "964c2590-4b52-48c6-afff-9a6d72e68908", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "a2e000da-8181-4327-bacd-32013dbd3654" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09", "type": "similar" } ], "uuid": "0dc07eb9-66df-4116-b1bc-7020ca6395a1", "value": "Babuk" }, { "description": "[BabyShark](https://app.tidalcyber.com/software/ebb824a2-abff-4bfd-87f0-d63cb02b62e6) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. 
[[Unit42 BabyShark Feb 2019](https://app.tidalcyber.com/references/634404e3-e2c9-4872-a280-12d2be168cba)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0414", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", "type": "similar" } ], "uuid": "ebb824a2-abff-4bfd-87f0-d63cb02b62e6", "value": "BabyShark" }, { "description": "[BackConfig](https://app.tidalcyber.com/software/2763ad8c-cf4e-42eb-88db-a40ff8f96cf9) is a custom Trojan with a flexible plugin architecture that has been used by [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a).[[Unit 42 BackConfig May 2020](https://app.tidalcyber.com/references/f26629db-c641-4b6b-abbf-b55b9cc91cf1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0475", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00", "type": "similar" } ], "uuid": "2763ad8c-cf4e-42eb-88db-a40ff8f96cf9", "value": "BackConfig" }, { "description": "[Backdoor.Oldrea](https://app.tidalcyber.com/software/f7cc5974-767c-4cb4-acc7-36295a386ce5) is a modular backdoor that has been used by [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) against energy companies since at least 2013. 
[Backdoor.Oldrea](https://app.tidalcyber.com/software/f7cc5974-767c-4cb4-acc7-36295a386ce5) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)][[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)][[Symantec Dragonfly Sept 2017](https://app.tidalcyber.com/references/11bbeafc-ed5d-4d2b-9795-a0a9544fb64e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0093", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "type": "similar" } ], "uuid": "f7cc5974-767c-4cb4-acc7-36295a386ce5", "value": "Backdoor.Oldrea" }, { "description": "[BACKSPACE](https://app.tidalcyber.com/software/d0daaa00-68e1-4568-bb08-3f28bcd82c63) is a backdoor used by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that dates back to at least 2005. [[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0031", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" }, { "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "type": "similar" } ], "uuid": "d0daaa00-68e1-4568-bb08-3f28bcd82c63", "value": "BACKSPACE" }, { "description": "Backstab is a tool used to terminate antimalware-protected processes.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5026", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "d469efcf-4feb-4149-9c0f-c4b7821960bd", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "5a9a7a54-21cb-4a5c-bef0-d37f8678bf46", "value": "Backstab" }, { "description": "[BADCALL](https://app.tidalcyber.com/software/d7aa53a5-0912-4952-8f7f-55698e933c3b) is a Trojan malware variant used by the group [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). 
[[US-CERT BADCALL](https://app.tidalcyber.com/references/aeb4ff70-fa98-474c-8337-9e50d07ee378)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0245", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", "type": "similar" } ], "uuid": "d7aa53a5-0912-4952-8f7f-55698e933c3b", "value": "BADCALL" }, { "description": "[BADFLICK](https://app.tidalcyber.com/software/8c454294-81cb-45d0-b299-818994ad3e6f) is a backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)][[Accenture MUDCARP March 2019](https://app.tidalcyber.com/references/811d433d-27a4-4411-8ec9-b3a173ba0033)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0642", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790", "type": "similar" } ], "uuid": "8c454294-81cb-45d0-b299-818994ad3e6f", "value": "BADFLICK" }, { "description": "[BADHATCH](https://app.tidalcyber.com/software/16481e0f-49d5-54c1-a1fe-16d9e7f8d08c) is a backdoor that has been utilized by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) since at least 2019. 
[BADHATCH](https://app.tidalcyber.com/software/16481e0f-49d5-54c1-a1fe-16d9e7f8d08c) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[[Gigamon BADHATCH Jul 2019](https://app.tidalcyber.com/references/69a45479-e982-58ee-9e2d-caaf825f0ad4)][[BitDefender BADHATCH Mar 2021](https://app.tidalcyber.com/references/958cfc9a-901c-549d-96c2-956272b240e3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1081", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", "type": "similar" } ], "uuid": "16481e0f-49d5-54c1-a1fe-16d9e7f8d08c", "value": "BADHATCH" }, { "description": "[BADNEWS](https://app.tidalcyber.com/software/34c24d27-c779-42a4-9f61-3f0d3fea6fd4) is malware that has been used by the actors responsible for the [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. 
[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)] [[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0128", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "type": "similar" } ], "uuid": "34c24d27-c779-42a4-9f61-3f0d3fea6fd4", "value": "BADNEWS" }, { "description": "[BadPatch](https://app.tidalcyber.com/software/10e76722-4b52-47f6-9276-70e95fecb26b) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[[Unit 42 BadPatch Oct 2017](https://app.tidalcyber.com/references/9c294bf7-24ba-408a-90b8-5b9885838e1b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0337", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", "type": "similar" } ], "uuid": "10e76722-4b52-47f6-9276-70e95fecb26b", "value": "BadPatch" }, { "description": "BadPotato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[[GitHub BeichenDream BadPotato](/references/e7f1d932-4bcd-4a78-b975-f4ebbce8c05e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5304", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" } ], "uuid": "4b59bf81-d351-436e-aebc-f0111a892395", "value": "BadPotato" }, { "description": "[Bad Rabbit](https://app.tidalcyber.com/software/a1d86d8f-fa48-43aa-9833-7355750e455c) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. 
[Bad Rabbit](https://app.tidalcyber.com/software/a1d86d8f-fa48-43aa-9833-7355750e455c) has also targeted organizations and consumers in Russia. [[Secure List Bad Rabbit](https://app.tidalcyber.com/references/f4cec03a-ea94-4874-9bea-16189e967ff9)][[ESET Bad Rabbit](https://app.tidalcyber.com/references/a9664f01-78f0-4461-a757-12f54ec99a56)][[Dragos IT ICS Ransomware](https://app.tidalcyber.com/references/60187301-8d70-4023-8e6d-59cbb1468f0d)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0606", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "5a463cb3-451d-47f7-93e4-1886150697ce", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "type": "similar" } ], "uuid": "a1d86d8f-fa48-43aa-9833-7355750e455c", "value": "Bad Rabbit" }, { "description": "[Bandook](https://app.tidalcyber.com/software/5c0f8c35-88ff-40a1-977a-af5ce534e932) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. 
[Bandook](https://app.tidalcyber.com/software/5c0f8c35-88ff-40a1-977a-af5ce534e932) has been used by [Dark Caracal](https://app.tidalcyber.com/groups/7ad94dbf-9909-42dd-8b62-a435481bdb14), as well as in a separate campaign referred to as \"Operation Manul\".[[EFF Manul Aug 2016](https://app.tidalcyber.com/references/311a3863-3897-4ddf-a251-d0467a56675f)][[Lookout Dark Caracal Jan 2018](https://app.tidalcyber.com/references/c558f5db-a426-4041-b883-995ec56e7155)][[CheckPoint Bandook Nov 2020](https://app.tidalcyber.com/references/352652a9-86c9-42e1-8ee0-968180c6a51e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0234", "source": "MITRE", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" }, { "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", "type": "similar" } ], "uuid": "5c0f8c35-88ff-40a1-977a-af5ce534e932", "value": "Bandook" }, { "description": "[Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) used the [Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293) implant in attacks against the Turkish financial sector. 
[[McAfee Bankshot](https://app.tidalcyber.com/references/c748dc6c-8c19-4a5c-840f-3d47955a6c78)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0239", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", "type": "similar" } ], "uuid": "24b8471d-698f-48cc-b47a-8fbbaf28b293", "value": "Bankshot" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** File used by Windows subsystem for Linux\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\bash.exe\n* C:\\Windows\\SysWOW64\\bash.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_bash.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml)\n* IOC: Child process from bash.exe[[Bash.exe - LOLBAS Project](/references/7d3efbc7-6abf-4f3f-aec8-686100bb90ad)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5086", 
"source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "cef3a09e-22ca-43dc-ad4a-95741a3b85ff", "value": "Bash" }, { "description": "Bat Armor is a tool used to generate .bat files using PowerShell scripts.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5027", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "628037d4-962d-4f58-b32d-241d739bc62d", "value": "Bat Armor" }, { "description": "[Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. 
[Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) reportedly has ties to [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[[Cybereason Bazar July 2020](https://app.tidalcyber.com/references/8819875a-5139-4dae-94c8-e7cc9f847580)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0534", "source": "MITRE", "tags": [ "818c3d93-c010-44f4-82bc-b63b4bc6c3c2", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", "type": "similar" } ], "uuid": "b35d9817-6ead-4dbd-a2fa-4b8e217f8eac", "value": "Bazar" }, { "description": "[BBK](https://app.tidalcyber.com/software/3daa5ae1-464e-4c0a-aa46-15264a2a0126) is a downloader that has been used by [BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) since at least 2019.[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0470", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea", "type": "similar" } ], "uuid": "3daa5ae1-464e-4c0a-aa46-15264a2a0126", "value": "BBK" }, { "description": "[BBSRAT](https://app.tidalcyber.com/software/be4dab36-d499-4ac3-b204-5e309e3a5331) is malware with remote access tool functionality that has been used in targeted compromises. 
[[Palo Alto Networks BBSRAT](https://app.tidalcyber.com/references/8c5d61ba-24c5-4f6c-a208-e0a5d23ebb49)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0127", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "type": "similar" } ], "uuid": "be4dab36-d499-4ac3-b204-5e309e3a5331", "value": "BBSRAT" }, { "description": "[BendyBear](https://app.tidalcyber.com/software/a114a498-fcfd-4e0a-9d1e-e26750d71af8) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, [BendyBear](https://app.tidalcyber.com/software/a114a498-fcfd-4e0a-9d1e-e26750d71af8) shares a variety of features with [Waterbear](https://app.tidalcyber.com/software/56872a5b-dc01-455c-85d5-06c577abb030), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb).[[Unit42 BendyBear Feb 2021](https://app.tidalcyber.com/references/f5cbc08f-6f2c-4c81-9d68-07f61e16f138)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0574", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986", "type": "similar" } ], "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8", "value": "BendyBear" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Background Information Utility included with SysInternals Suite\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* No fixed path\n\n**Resources:**\n* 
[https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/](https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_bginfo.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Bginfo.exe - LOLBAS Project](/references/ca1eaac2-7449-4a76-bec2-9dc5971fd808)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5207", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "fe926654-0cff-4e8e-b192-2fa1eb8a9a67", "value": "Bginfo" }, { "description": "This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)][[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]\n\n**Delivers**: TeamViewer[[U.S. 
CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], Atera Agent[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], Splashtop[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], AnyDesk[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5001", "source": "Tidal Cyber", "tags": [ "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" } ], "uuid": "a4fb341d-8010-433f-b8f1-a8781f961435", "value": "BianLian Ransomware (Backdoor)" }, { "description": "This Software object represents the custom Go encryptor tool (`encryptor.exe`) used during intrusions conducted by the BianLian Ransomware Group.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]. The tool will skip encryption of files based on a hardcoded file extension exclusion list.[[BianLian Ransomware Gang Gives It a Go! 
| [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5292", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" } ], "uuid": "252f56c2-4c85-4a19-8451-371cb04c6ceb", "value": "BianLian Ransomware (Encryptor)" }, { "description": "[BISCUIT](https://app.tidalcyber.com/software/3ad98097-2d10-4aa1-9594-7e74828a3643) is a backdoor that has been used by [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) since as early as 2007. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0017", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "type": "similar" } ], "uuid": "3ad98097-2d10-4aa1-9594-7e74828a3643", "value": "BISCUIT" }, { "description": "[Bisonal](https://app.tidalcyber.com/software/b898816e-610f-4c2f-9045-d9f28a54ee58) is a remote access tool (RAT) that has been used by [Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[[Unit 42 Bisonal July 2018](https://app.tidalcyber.com/references/30b2ec12-b785-43fb-ab72-b37387046d15)][[Talos Bisonal Mar 2020](https://app.tidalcyber.com/references/eaecccff-e0a0-4fa0-81e5-799b23c26b5a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0268", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { 
"dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, { "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d", "type": "similar" } ], "uuid": "b898816e-610f-4c2f-9045-d9f28a54ee58", "value": "Bisonal" }, { "description": "[BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) has several indicators suggesting overlap with the [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) malware and is often delivered via [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2).[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0570", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", "type": "similar" } ], "uuid": "e7dec940-8701-4c06-9865-5b11c61c046d", "value": "BitPaymer" }, { "description": "[BITSAdmin](https://app.tidalcyber.com/software/52a20d3d-1edd-4f17-87f0-b77c67d260b4) is a command line tool used to create and manage [BITS Jobs](https://app.tidalcyber.com/technique/6b278e5d-7383-42a4-9425-2da79bbe43e0). 
[[Microsoft BITSAdmin](https://app.tidalcyber.com/references/5b8c2a8c-f01e-491a-aaf9-504ee7a1caed)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0190", "source": "MITRE", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "10d09438-9ea5-405d-9b3a-36d351b5a5d9", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" }, { "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb", "type": "used-by" }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "similar" } ], "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4", "value": "BITSAdmin" }, { "description": "[Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. 
[Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://app.tidalcyber.com/software/0d5b24ba-68dc-50fa-8268-3012180fe374) RaaS operators could include current or former members of the [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) group.[[Palo Alto Networks Black Basta August 2022](https://app.tidalcyber.com/references/fc9ee531-3680-549b-86e0-a10a70c3ec67)][[Deep Instinct Black Basta August 2022](https://app.tidalcyber.com/references/72b64d7d-f8eb-54d3-83c8-a883906ceea1)][[Minerva Labs Black Basta May 2022](https://app.tidalcyber.com/references/6358f7ed-41d6-56be-83bb-179e0a8b7873)][[Avertium Black Basta June 2022](https://app.tidalcyber.com/references/31c2ef62-2852-5418-9d52-2479a3a619d0)][[NCC Group Black Basta June 2022](https://app.tidalcyber.com/references/b5f91f77-b102-5812-a79f-69b254487da8)][[Cyble Black Basta May 2022](https://app.tidalcyber.com/references/18035aba-0ae3-58b8-b426-86c2e38a37ae)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1070", "source": "MITRE", "tags": [ "89c5b94b-ecf4-4d53-9b74-3465086d4565", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "15787198-6c8b-4f79-bf50-258d55072fee", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", 
"dea4388a-b1f2-4f2a-9df9-108631d0d078", "2743d495-7728-4a75-9e5f-b64854039792", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", "type": "similar" } ], "uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374", "value": "Black Basta" }, { "description": "[BlackCat](https://app.tidalcyber.com/software/691369e5-ef74-5ff9-bc20-34efeb4b6c5b) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://app.tidalcyber.com/software/691369e5-ef74-5ff9-bc20-34efeb4b6c5b) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[[Microsoft BlackCat Jun 2022](https://app.tidalcyber.com/references/55be1ca7-fdb7-5d76-a9c8-5f44a0d00b0e)][[Sophos BlackCat Jul 2022](https://app.tidalcyber.com/references/481a0106-d5b6-532c-8f5b-6c0c477185f4)][[ACSC BlackCat Apr 2022](https://app.tidalcyber.com/references/3b85eaeb-6bf5-529b-80a4-439ceb6c5d6d)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S1068", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "5e7433ad-a894-4489-93bc-41e90da90019", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc", "type": "similar" } ], "uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b", "value": 
"BlackCat" }, { "description": "[BLACKCOFFEE](https://app.tidalcyber.com/software/e85e2fca-9347-4448-bfc1-342f29d5d6a1) is malware that has been used by several Chinese groups since at least 2013. [[FireEye APT17](https://app.tidalcyber.com/references/a303f97a-72dd-4833-bac7-a421addc3242)] [[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0069", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "type": "similar" } ], "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1", "value": "BLACKCOFFEE" }, { "description": "[BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. 
[[F-Secure BlackEnergy 2014](https://app.tidalcyber.com/references/5f228fb5-d959-4c4a-bb8c-f9dc01d5af07)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0089", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "type": "similar" } ], "uuid": "908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f", "value": "BlackEnergy" }, { "description": "BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit that enables bypass of Secure Boot, a UEFI feature that provides verification about the state of the boot chain, even on fully updated UEFI systems. It is considered the first “in-the-wild” UEFI bootkit, as it was observed for sale on underground forums in October 2022 and researchers were able to then confirm its existence. BlackLotus bypasses UEFI Secure Boot and establishes persistence by exploiting CVE-2022-21894, and after installation, it is designed to deploy a kernel driver for further persistence and an HTTP downloader, which allows communication with a command-and-control server and loading of additional user-mode or kernel-mode payloads. 
BlackLotus is also capable of disabling operating system security features, and some instances of the malware include a location-based check where it will terminate if the system uses a location associated with one of several Eastern European countries.[[ESET BlackLotus March 01 2023](/references/1a4c134b-c701-400f-beee-e6b3cc835042)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5306", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "1a5a32ac-1db6-46b1-b72e-18bc3d776aed", "df78b317-ce5d-423c-ac42-1e328ab27ffd", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "4cd25fac-0b5d-44e2-8df1-2c7de06b4b39", "value": "BlackLotus" }, { "description": "[BlackMould](https://app.tidalcyber.com/software/da348a51-d047-4144-9ba4-34d2ce964a11) is a web shell based on [China Chopper](https://app.tidalcyber.com/software/723c5ab7-23ca-46f2-83bb-f1d1e550122c) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) against telecommunication providers.[[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0564", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d", "type": "similar" } ], "uuid": "da348a51-d047-4144-9ba4-34d2ce964a11", "value": "BlackMould" }, { "description": "BlackSuit is a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. 
authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "Windows" ], "software_attack_id": "S5324", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "a2e000da-8181-4327-bacd-32013dbd3654", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" } ], "uuid": "6e200813-4379-457b-9cce-2203bed4b072", "value": "BlackSuit Ransomware" }, { "description": "[BLINDINGCAN](https://app.tidalcyber.com/software/1af8ea81-40df-4fba-8d63-1858b8b31217) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[[US-CERT BLINDINGCAN Aug 2020](https://app.tidalcyber.com/references/0421788c-b807-4e19-897c-bfb4323feb16)][[NHS UK BLINDINGCAN Aug 2020](https://app.tidalcyber.com/references/acca4c89-acce-4916-88b6-f4dac7d8ab19)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0520", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", "type": "similar" } ], "uuid": "1af8ea81-40df-4fba-8d63-1858b8b31217", "value": "BLINDINGCAN" }, { "description": "[BloodHound](https://app.tidalcyber.com/software/72658763-8077-451e-8572-38858f8cacf3) is an Active 
Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[[GitHub Bloodhound](https://app.tidalcyber.com/references/e90b4941-5dff-4f38-b4dd-af3426fd621e)][[CrowdStrike BloodHound April 2018](https://app.tidalcyber.com/references/fa99f290-e42c-4311-9f6d-c519c9ab89fe)][[FoxIT Wocao December 2019](https://app.tidalcyber.com/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0521", "source": "MITRE", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "type": "similar" } ], "uuid": "72658763-8077-451e-8572-38858f8cacf3", "value": 
"BloodHound" }, { "description": "[BLUELIGHT](https://app.tidalcyber.com/software/3aaaaf86-638b-4a65-be18-c6e6dcdcdb97) is a remote access Trojan used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) that was first observed in early 2021.[[Volexity InkySquid BLUELIGHT August 2021](https://app.tidalcyber.com/references/7e394434-364f-4e50-9a96-3e75dacc9866)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0657", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", "type": "similar" } ], "uuid": "3aaaaf86-638b-4a65-be18-c6e6dcdcdb97", "value": "BLUELIGHT" }, { "description": "[Bonadan](https://app.tidalcyber.com/software/3793db4b-f843-4cfd-89d2-ec28b62feda5) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://app.tidalcyber.com/software/3793db4b-f843-4cfd-89d2-ec28b62feda5) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[[ESET ForSSHe December 2018](https://app.tidalcyber.com/references/0e25bf8b-3c9e-4661-a9fd-79b2ad3b8dd2)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0486", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328", "type": "similar" } ], "uuid": "3793db4b-f843-4cfd-89d2-ec28b62feda5", "value": "Bonadan" }, { "description": "[BONDUPDATER](https://app.tidalcyber.com/software/d8690218-5272-47d8-8189-35d3b518e66f) is a PowerShell backdoor used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). 
It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)][[Palo Alto OilRig Sep 2018](https://app.tidalcyber.com/references/2ec6eabe-92e2-454c-ba7b-b27fec5b428d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0360", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "type": "similar" } ], "uuid": "d8690218-5272-47d8-8189-35d3b518e66f", "value": "BONDUPDATER" }, { "description": "[BoomBox](https://app.tidalcyber.com/software/9d393f6f-855e-4348-8a26-008174e3605a) is a downloader responsible for executing next stage components that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021.[[MSTIC Nobelium Toolset May 2021](https://app.tidalcyber.com/references/52464e69-ff9e-4101-9596-dd0c6404bf76)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0635", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", "type": "similar" } ], "uuid": "9d393f6f-855e-4348-8a26-008174e3605a", "value": "BoomBox" }, { "description": "[BOOSTWRITE](https://app.tidalcyber.com/software/74a73624-d53b-4c84-a14b-8ae964fd577c) is a loader crafted to be launched via abuse of the DLL search order of applications used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff).[[FireEye FIN7 Oct 2019](https://app.tidalcyber.com/references/df8886d1-fbd7-4c24-8ab1-6261923dee96)]", "meta": { "platforms": [ 
"Windows" ], "software_attack_id": "S0415", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", "type": "similar" } ], "uuid": "74a73624-d53b-4c84-a14b-8ae964fd577c", "value": "BOOSTWRITE" }, { "description": "[BOOTRASH](https://app.tidalcyber.com/software/d47a4753-80f5-494e-aad7-d033aaff0d6d) is a [Bootkit](https://app.tidalcyber.com/technique/032985de-5e09-4889-b8c4-84d940c6346c) that targets Windows operating systems. It has been used by threat actors that target the financial sector.[[Mandiant M Trends 2016](https://app.tidalcyber.com/references/f769a3ac-4330-46b7-bed8-61697e22cd24)][[FireEye Bootkits](https://app.tidalcyber.com/references/585827a8-1f03-439d-b66e-ad5290117c1b)][[FireEye BOOTRASH SANS](https://app.tidalcyber.com/references/835c9e5d-b291-43d9-9b8a-2978aa8c8cd3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0114", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", "type": "similar" } ], "uuid": "d47a4753-80f5-494e-aad7-d033aaff0d6d", "value": "BOOTRASH" }, { "description": "[BoxCaon](https://app.tidalcyber.com/software/d3e46011-3433-426c-83b3-61c2576d5f71) is a Windows backdoor that was used by [IndigoZebra](https://app.tidalcyber.com/groups/988f5312-834e-48ea-93b7-e6e01ee0938d) in a 2021 spearphishing campaign against Afghan government officials. 
[BoxCaon](https://app.tidalcyber.com/software/d3e46011-3433-426c-83b3-61c2576d5f71)'s name stems from similarities shared with the malware family [xCaon](https://app.tidalcyber.com/software/11a0dff4-1dc8-4553-8a38-90a07b01bfcd).[[Checkpoint IndigoZebra July 2021](https://app.tidalcyber.com/references/cf4a8c8c-eab1-421f-b313-344aed03b42d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0651", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" }, { "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71", "type": "similar" } ], "uuid": "d3e46011-3433-426c-83b3-61c2576d5f71", "value": "BoxCaon" }, { "description": "[Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263), and was seen along with [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) and [RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) in operations surrounding the 2018 Pyeongchang Winter Olympics. 
[[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0252", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", "type": "similar" } ], "uuid": "51b27e2c-c737-4006-a657-195ea1a1f4f0", "value": "Brave Prince" }, { "description": "[Briba](https://app.tidalcyber.com/software/7942783c-73a7-413c-94d1-8981029a1c51) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor and download files on to compromised hosts. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Briba May 2012](https://app.tidalcyber.com/references/bcf0f82b-1b26-4c0c-905e-0dd8b88d0903)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0204", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "type": "similar" } ], "uuid": "7942783c-73a7-413c-94d1-8981029a1c51", "value": "Briba" }, { "description": "[Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. 
In September 2022, a cracked version of [Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) was leaked in the cybercriminal underground, leading to its use by threat actors.[[Dark Vortex Brute Ratel C4](https://app.tidalcyber.com/references/47992cb5-df11-56c2-b266-6f58d75f8315)][[Palo Alto Brute Ratel July 2022](https://app.tidalcyber.com/references/a9ab0444-386b-5baf-84e1-0e6df4a21296)][[MDSec Brute Ratel August 2022](https://app.tidalcyber.com/references/dfd12595-0056-5b4a-b753-624fac1bb3a6)][[SANS Brute Ratel October 2022](https://app.tidalcyber.com/references/9544e762-6f72-59e7-8384-5bbef13bfe96)][[Trend Micro Black Basta October 2022](https://app.tidalcyber.com/references/6e4a1565-4a30-5a6b-961c-226a6f1967ae)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1063", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5", "type": "similar" } ], "uuid": "23043b44-69a6-5cdf-8f60-5a68068680c7", "value": "Brute Ratel C4" }, { "description": "[BS2005](https://app.tidalcyber.com/software/c9e773de-0213-4b64-83fb-637060c8b5ed) is malware that was used by [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) in spearphishing campaigns since at least 2011. 
[[Mandiant Operation Ke3chang November 2014](https://app.tidalcyber.com/references/bb45cf96-ceae-4f46-a0f5-08cd89f699c9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0014", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", "type": "similar" } ], "uuid": "c9e773de-0213-4b64-83fb-637060c8b5ed", "value": "BS2005" }, { "description": "[BUBBLEWRAP](https://app.tidalcyber.com/software/2be4e3d2-e8c5-4406-8041-2c17bdb3a547) is a full-featured, second-stage backdoor used by the [admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0043", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "type": "similar" } ], "uuid": "2be4e3d2-e8c5-4406-8041-2c17bdb3a547", "value": "BUBBLEWRAP" }, { "description": "[build_downer](https://app.tidalcyber.com/software/c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9) is a downloader that has been used by [BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) since at least 2019.[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0471", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", "type": "similar" } ], 
"uuid": "c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9", "value": "build_downer" }, { "description": "[Bumblebee](https://app.tidalcyber.com/software/cc155181-fb34-4aaf-b083-b7b57b140b7a) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://app.tidalcyber.com/software/cc155181-fb34-4aaf-b083-b7b57b140b7a) has been linked to ransomware operations including [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5), Quantum, and Mountlocker and derived its name from the appearance of \"bumblebee\" in the user-agent.[[Google EXOTIC LILY March 2022](https://app.tidalcyber.com/references/19d2cb48-bdb2-41fe-ba24-0769d7bd4d94)][[Proofpoint Bumblebee April 2022](https://app.tidalcyber.com/references/765b0ce9-7305-4b35-b5be-2f6f42339646)][[Symantec Bumblebee June 2022](https://app.tidalcyber.com/references/81bfabad-b5b3-4e45-ac1d-1e2e829fca33)]\n", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1039", "source": "MITRE", "tags": [ "aa983c81-e54b-49b3-b0dd-53cf950825b8", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" }, { "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", "type": "similar" } ], "uuid": "cc155181-fb34-4aaf-b083-b7b57b140b7a", "value": "Bumblebee" }, { "description": "[Bundlore](https://app.tidalcyber.com/software/e9873bf1-9619-4c62-b4cf-1009e83de186) is adware written for macOS that has been in use since at least 2015. 
Though categorized as adware, [Bundlore](https://app.tidalcyber.com/software/e9873bf1-9619-4c62-b4cf-1009e83de186) has many features associated with more traditional backdoors.[[MacKeeper Bundlore Apr 2019](https://app.tidalcyber.com/references/4d631c9a-4fd5-43a4-8b78-4219bd371e87)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0482", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44", "type": "similar" } ], "uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186", "value": "Bundlore" }, { "description": "[BUSHWALK](https://app.tidalcyber.com/software/44ed9567-2cb6-590e-b332-154557fb93f9) is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b).[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)][[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1118", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", "type": "similar" } ], "uuid": "44ed9567-2cb6-590e-b332-154557fb93f9", "value": "BUSHWALK" }, { "description": "[Cachedump](https://app.tidalcyber.com/software/7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc) is a publicly-available tool that program extracts cached password hashes from a system’s registry. 
[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0119", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "type": "similar" } ], "uuid": "7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc", "value": "Cachedump" }, { "description": "This Software object reflects the TTPs associated with the CACTUS ransomware binary, a malware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Other pre- and post-exploit TTPs associated with threat actors known to deploy CACTUS can be found in the separate dedicated Group object.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5309", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" } ], "uuid": "ad51e7c6-7d3c-4c5d-a7e2-e50afb11a0ca", "value": "CACTUS Ransomware" }, { "description": "[CaddyWiper](https://app.tidalcyber.com/software/62d0ddcd-790d-4d2d-9d94-276f54b40cf0) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[[ESET CaddyWiper March 2022](https://app.tidalcyber.com/references/9fa97444-311f-40c1-8728-c5f91634c750)][[Cisco CaddyWiper March 2022](https://app.tidalcyber.com/references/88fc1f96-2d55-4c92-a929-234248490c30)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0693", "source": "MITRE", "tags": [ "2e621fc5-dea4-4cb9-987e-305845986cd3" ], 
"type": [ "malware" ] }, "related": [ { "dest-uuid": "b30d999d-64e0-4e35-9856-884e4b83d611", "type": "similar" } ], "uuid": "62d0ddcd-790d-4d2d-9d94-276f54b40cf0", "value": "CaddyWiper" }, { "description": "[Cadelspy](https://app.tidalcyber.com/software/c8a51b39-6906-4381-9bb4-4e9e612aa085) is a backdoor that has been used by [APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1).[[Symantec Chafer Dec 2015](https://app.tidalcyber.com/references/0a6166a3-5649-4117-97f4-7b8b5b559929)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0454", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb", "type": "similar" } ], "uuid": "c8a51b39-6906-4381-9bb4-4e9e612aa085", "value": "Cadelspy" }, { "description": "[CALENDAR](https://app.tidalcyber.com/software/ad859a79-c183-44f6-a89a-f734710672a9) is malware used by [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) that mimics legitimate Gmail Calendar traffic. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0025", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "type": "similar" } ], "uuid": "ad859a79-c183-44f6-a89a-f734710672a9", "value": "CALENDAR" }, { "description": "[Calisto](https://app.tidalcyber.com/software/6b5b408c-4f9d-4137-bfb1-830d12e9736c) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://app.tidalcyber.com/software/6b5b408c-4f9d-4137-bfb1-830d12e9736c) is believed to have first been developed in 2016. 
[[Securelist Calisto July 2018](https://app.tidalcyber.com/references/a292d77b-9150-46ea-b217-f51e091fdb57)] [[Symantec Calisto July 2018](https://app.tidalcyber.com/references/cefef3d8-94f5-4d94-9689-6ed38702454f)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0274", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1", "type": "similar" } ], "uuid": "6b5b408c-4f9d-4137-bfb1-830d12e9736c", "value": "Calisto" }, { "description": "[CallMe](https://app.tidalcyber.com/software/352ee271-89e6-4d3f-9c26-98dbab0e2986) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0077", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" }, { "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "type": "similar" } ], "uuid": "352ee271-89e6-4d3f-9c26-98dbab0e2986", "value": "CallMe" }, { "description": "[Cannon](https://app.tidalcyber.com/software/790e931d-2571-496d-9f48-322774a7d482) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. 
[[Unit42 Cannon Nov 2018](https://app.tidalcyber.com/references/8c634bbc-4878-4b27-aa18-5996ec968809)][[Unit42 Sofacy Dec 2018](https://app.tidalcyber.com/references/540c4c33-d4c2-4324-94cd-f57646666e32)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0351", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", "type": "similar" } ], "uuid": "790e931d-2571-496d-9f48-322774a7d482", "value": "Cannon" }, { "description": "[Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [[Kaspersky Carbanak](https://app.tidalcyber.com/references/2f7e77db-fe39-4004-9945-3c8943708494)] [[FireEye CARBANAK June 2017](https://app.tidalcyber.com/references/39105492-6044-460c-9dc9-3d4473ee862e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0030", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "type": "similar" } ], "uuid": "4cb9294b-9e4c-41b9-b640-46213a01952d", "value": "Carbanak" }, { "description": "[Carberp](https://app.tidalcyber.com/software/df9491fd-5e24-4548-8e21-1268dce59d1f) is a credential and information stealing malware that has been active since at least 2009. 
[Carberp](https://app.tidalcyber.com/software/df9491fd-5e24-4548-8e21-1268dce59d1f)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) backdoor.[[Trend Micro Carberp February 2014](https://app.tidalcyber.com/references/069e458f-d780-47f9-8ebe-21b195fe9b33)][[KasperskyCarbanak](https://app.tidalcyber.com/references/053a2bbb-5509-4aba-bbd7-ccc3d8074291)][[RSA Carbanak November 2017](https://app.tidalcyber.com/references/eb947d49-26f4-4104-8296-1552a273c9c3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0484", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94", "type": "similar" } ], "uuid": "df9491fd-5e24-4548-8e21-1268dce59d1f", "value": "Carberp" }, { "description": "[Carbon](https://app.tidalcyber.com/software/61f5d19c-1da2-43d1-ab20-51eacbca71f2) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. 
[Carbon](https://app.tidalcyber.com/software/61f5d19c-1da2-43d1-ab20-51eacbca71f2) has been selectively used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target government and foreign affairs-related organizations in Central Asia.[[ESET Carbon Mar 2017](https://app.tidalcyber.com/references/5d2a3a81-e7b7-430d-b748-b773f89d3c77)][[Securelist Turla Oct 2018](https://app.tidalcyber.com/references/5b08ea46-e25d-4df9-9b91-f8e7a1d5f7ee)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0335", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", "type": "similar" } ], "uuid": "61f5d19c-1da2-43d1-ab20-51eacbca71f2", "value": "Carbon" }, { "description": "[Cardinal RAT](https://app.tidalcyber.com/software/fa23acef-3034-43ee-9610-4fc322f0d80b) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://app.tidalcyber.com/software/fa23acef-3034-43ee-9610-4fc322f0d80b) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[[PaloAlto CardinalRat Apr 2017](https://app.tidalcyber.com/references/8d978b94-75c9-46a1-812a-bafe3396eda9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0348", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", "type": "similar" } ], "uuid": "fa23acef-3034-43ee-9610-4fc322f0d80b", "value": "Cardinal RAT" }, { "description": "[CARROTBALL](https://app.tidalcyber.com/software/84bb4068-b441-435e-8535-02a458ffd50b) is an FTP downloader utility that has been in use since at least 2019. 
[CARROTBALL](https://app.tidalcyber.com/software/84bb4068-b441-435e-8535-02a458ffd50b) has been used as a downloader to install [SYSCON](https://app.tidalcyber.com/software/ea556a8d-4959-423f-a2dd-622d0497d484).[[Unit 42 CARROTBAT January 2020](https://app.tidalcyber.com/references/b65442ca-18ca-42e0-8be0-7c2b66c26d02)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0465", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4", "type": "similar" } ], "uuid": "84bb4068-b441-435e-8535-02a458ffd50b", "value": "CARROTBALL" }, { "description": "[CARROTBAT](https://app.tidalcyber.com/software/aefa893d-fc6e-41a9-8794-2700049db9e5) is a customized dropper that has been in use since at least 2017. [CARROTBAT](https://app.tidalcyber.com/software/aefa893d-fc6e-41a9-8794-2700049db9e5) has been used to install [SYSCON](https://app.tidalcyber.com/software/ea556a8d-4959-423f-a2dd-622d0497d484) and has infrastructure overlap with [KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889).[[Unit 42 CARROTBAT November 2018](https://app.tidalcyber.com/references/6986a64a-5fe6-4697-b70b-79cccaf3d730)][[Unit 42 CARROTBAT January 2020](https://app.tidalcyber.com/references/b65442ca-18ca-42e0-8be0-7c2b66c26d02)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0462", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8", "type": "similar" } ], "uuid": "aefa893d-fc6e-41a9-8794-2700049db9e5", "value": "CARROTBAT" }, { "description": "[Catchamas](https://app.tidalcyber.com/software/04deccb5-9850-45c3-a900-5d7039a94190) is a Windows Trojan that steals information from compromised systems. 
[[Symantec Catchamas April 2018](https://app.tidalcyber.com/references/155cc2df-adf4-4b5f-a377-272947e5757e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0261", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" }, { "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "type": "similar" } ], "uuid": "04deccb5-9850-45c3-a900-5d7039a94190", "value": "Catchamas" }, { "description": "[Caterpillar WebShell](https://app.tidalcyber.com/software/ee88afaa-88bc-4c20-906f-332866388549) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937).[[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0572", "source": "MITRE", "tags": [ "311abf64-a9cc-4c6a-b778-32c5df5658be" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", "type": "similar" } ], "uuid": "ee88afaa-88bc-4c20-906f-332866388549", "value": "Caterpillar WebShell" }, { "description": "CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. 
Its use has been promoted among the members of the Killnet hacktivist collective.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "Windows" ], "software_attack_id": "S5062", "source": "Tidal Cyber", "tags": [ "62bde669-3020-4682-be68-36c83b2588a4" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "35fb7663-5c5d-43fe-a507-49612aa7960e", "type": "used-by" } ], "uuid": "7664bfa5-8477-4903-9103-1144113fca36", "value": "CC-Attack" }, { "description": "[CCBkdr](https://app.tidalcyber.com/software/4eb0720c-7046-4ff1-adfd-ae603506e499) is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [[Talos CCleanup 2017](https://app.tidalcyber.com/references/f2522cf4-dc65-4dc5-87e3-9e88212fcfe9)] [[Intezer Aurora Sept 2017](https://app.tidalcyber.com/references/b2999bd7-50d5-4d49-8893-8c0903d49104)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0222", "source": "MITRE", "tags": [ "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", "type": "similar" } ], "uuid": "4eb0720c-7046-4ff1-adfd-ae603506e499", "value": "CCBkdr" }, { "description": "[ccf32](https://app.tidalcyber.com/software/e00c2a0c-bbe5-4eff-b0ad-b2543456a317) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign; there is also a similar x64 version.[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1043", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a394448a-4576-41b8-81cc-9b61abad94ab", "type": "similar" } ], "uuid": "e00c2a0c-bbe5-4eff-b0ad-b2543456a317", 
"value": "ccf32" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging tool included with Windows Debugging Tools.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\cdb.exe\n\n**Resources:**\n* [http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html](http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html)\n* [https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options)\n* [https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda](https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda)\n* [https://mrd0x.com/the-power-of-cdb-debugging-tool/](https://mrd0x.com/the-power-of-cdb-debugging-tool/)\n* [https://twitter.com/nas_bench/status/1534957360032120833](https://twitter.com/nas_bench/status/1534957360032120833)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cdb.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: 
[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Cdb.exe - LOLBAS Project](/references/e61b035f-6247-47e3-918c-2892815dfddf)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5208", "source": "Tidal Cyber", "tags": [ "4479b9e9-d912-451a-9ad5-08b3d922422d", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "d9ea2696-7c47-44cd-8784-9aeef5e149ea", "value": "Cdb" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing certificates\n\n**Author:** Ensar Samil\n\n**Paths:**\n* c:\\windows\\system32\\certoc.exe\n* c:\\windows\\syswow64\\certoc.exe\n\n**Resources:**\n* [https://twitter.com/sblmsrsn/status/1445758411803480072?s=20](https://twitter.com/sblmsrsn/status/1445758411803480072?s=20)\n* [https://twitter.com/sblmsrsn/status/1452941226198671363?s=20](https://twitter.com/sblmsrsn/status/1452941226198671363?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_certoc_load_dll.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml)\n* IOC: Process creation with given parameter\n* IOC: Unsigned DLL load via certoc.exe\n* IOC: Network connection via certoc.exe[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5087", "source": 
"Tidal Cyber", "tags": [ "fb909648-ee44-4871-abe6-82c909c4d677", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "34e1c197-ac43-4634-9a0d-9148c748f774", "value": "CertOC" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for requesting and managing certificates\n\n**Author:** David Middlehurst\n\n**Paths:**\n* C:\\Windows\\System32\\certreq.exe\n* C:\\Windows\\SysWOW64\\certreq.exe\n\n**Resources:**\n* [https://dtm.uk/certreq](https://dtm.uk/certreq)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_certreq_download.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml)\n* IOC: certreq creates new files\n* IOC: certreq makes POST requests[[CertReq.exe - LOLBAS Project](/references/be446484-8ecc-486e-8940-658c147f6978)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5088", "source": "Tidal Cyber", "tags": [ "35a798a2-eaab-48a3-9ee7-5538f36a4172", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "43050f80-ce28-49e3-aac6-cb3f4a07f4b4", "value": "CertReq" }, { "description": "[certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. 
[[TechNet Certutil](https://app.tidalcyber.com/references/8d095aeb-c72c-49c1-8482-dbf4ce9203ce)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0160", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "412da5b4-fb41-40fc-a29a-78dc9119aa75", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "similar" } ], "uuid": "2fe21578-ee31-4ee8-b6ab-b5f76f97d043", "value": "certutil" }, { "description": 
"[Chaes](https://app.tidalcyber.com/software/0c8efcd0-bfdf-4771-8754-18aac836c359) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://app.tidalcyber.com/software/0c8efcd0-bfdf-4771-8754-18aac836c359) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[[Cybereason Chaes Nov 2020](https://app.tidalcyber.com/references/aaefa162-82a8-4b6d-b7be-fd31fafd9246)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0631", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a", "type": "similar" } ], "uuid": "0c8efcd0-bfdf-4771-8754-18aac836c359", "value": "Chaes" }, { "description": "[Chaos](https://app.tidalcyber.com/software/92c88765-6b12-42cd-b1d7-f6a65b2236e2) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. 
[[Chaos Stolen Backdoor](https://app.tidalcyber.com/references/8e6916c1-f102-4b54-b6a5-a58fed825c2e)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0220", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5bcd5511-6756-4824-a692-e8bb109364af", "type": "similar" } ], "uuid": "92c88765-6b12-42cd-b1d7-f6a65b2236e2", "value": "Chaos" }, { "description": "[CharmPower](https://app.tidalcyber.com/software/b1e3b56f-2e83-4cab-a1c1-16999009d056) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://app.tidalcyber.com/groups/7a9d653c-8812-4b96-81d1-b0a27ca918b4) since at least 2022.[[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0674", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", "type": "similar" } ], "uuid": "b1e3b56f-2e83-4cab-a1c1-16999009d056", "value": "CharmPower" }, { "description": "[ChChes](https://app.tidalcyber.com/software/3f2283ef-67c2-49a3-98ac-1aa9f0499361) is a Trojan that appears to be used exclusively by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. 
[[Palo Alto menuPass Feb 2017](https://app.tidalcyber.com/references/ba4f7d65-73ec-4726-b1f6-f2443ffda5e7)] [[JPCERT ChChes Feb 2017](https://app.tidalcyber.com/references/657b43aa-ead2-41d3-911a-d714d9b28e19)] [[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0144", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "type": "similar" } ], "uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361", "value": "ChChes" }, { "description": "[Cheerscrypt](https://app.tidalcyber.com/software/6475bc8c-b95d-5cb3-92f0-aa7e2f18859a) is a ransomware that was developed by [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) and has been used in attacks against ESXi and Windows environments since at least 2022. 
[Cheerscrypt](https://app.tidalcyber.com/software/6475bc8c-b95d-5cb3-92f0-aa7e2f18859a) was derived from the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1).[[Sygnia Emperor Dragonfly October 2022](https://app.tidalcyber.com/references/f9e40a71-c963-53de-9266-13f9f326c5bf)][[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1096", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", "type": "similar" } ], "uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a", "value": "Cheerscrypt" }, { "description": "[Cherry Picker](https://app.tidalcyber.com/software/2fd6f564-918e-4ee7-920a-2b4be858d11a) is a point of sale (PoS) memory scraper. 
[[Trustwave Cherry Picker](https://app.tidalcyber.com/references/e09f639e-bdd3-4e88-8032-f665e347272b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0107", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "type": "similar" } ], "uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a", "value": "Cherry Picker" }, { "description": "[China Chopper](https://app.tidalcyber.com/software/723c5ab7-23ca-46f2-83bb-f1d1e550122c) is a [Web Shell](https://app.tidalcyber.com/technique/05a5318f-476d-44c1-8a85-9466295d31dd) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[[Lee 2013](https://app.tidalcyber.com/references/6d1e2b0a-fed2-490b-be25-6580dfb7d6aa)] It has been used by several threat groups.[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)][[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)][[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[Rapid7 HAFNIUM Mar 2021](https://app.tidalcyber.com/references/cf05d229-c2ba-54f2-a79d-4b7c9185c663)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0020", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "311abf64-a9cc-4c6a-b778-32c5df5658be" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, { "dest-uuid": 
"e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "similar" } ], "uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c", "value": "China Chopper" }, { "description": "[Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign, to gain persistence and drop additional payloads. According to security researchers, [Chinoxy](https://app.tidalcyber.com/software/7c36563a-9143-4766-8aef-4e1787e18d8c) has been used by Chinese-speaking threat actors.[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1041", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", "type": "similar" } ], "uuid": "7c36563a-9143-4766-8aef-4e1787e18d8c", "value": "Chinoxy" }, { "description": "Chisel is an open source tool that can be used for network tunneling.[[U.S. CISA AvosLocker October 11 2023](/references/d419a317-6599-4fc5-91d1-a4c2bc83bf6a)] According to its GitHub project page, \"Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH\".[[GitHub Chisel](/references/4a60fb46-06b7-44ea-a9f6-8d6fa81e9363)] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[[U.S. 
CISA AvosLocker October 11 2023](/references/d419a317-6599-4fc5-91d1-a4c2bc83bf6a)][[CISA AA20-259A Iran-Based Actor September 2020](/references/1bbc9446-9214-4fcd-bc7c-bf528370b4f8)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5063", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" } ], "uuid": "bd2b2375-4f16-42b2-a862-959b5b41c2af", "value": "Chisel" }, { "description": "Chocolatey is a command-line package manager for Microsoft Windows.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5028", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "7a2b00ef-8a37-4901-bf0c-17da0ebf3d69", "value": "Chocolatey" }, { "description": "[CHOPSTICK](https://app.tidalcyber.com/software/01c6c49a-f7c8-44cd-a377-4dfd358ffeba) is a malware family of modular backdoors used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. 
[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)] [[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)] It is tracked separately from the [X-Agent for Android](https://app.tidalcyber.com/software/).", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0023", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "type": "similar" } ], "uuid": "01c6c49a-f7c8-44cd-a377-4dfd358ffeba", "value": "CHOPSTICK" }, { "description": "[Chrommme](https://app.tidalcyber.com/software/df77ed2a-f135-4f00-9a5e-79b7a6a2ed14) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) malware.[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0667", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "579607c2-d046-40df-99ab-beb479c37a2a", "type": "similar" } ], "uuid": "df77ed2a-f135-4f00-9a5e-79b7a6a2ed14", "value": "Chrommme" }, { "description": "[Clambling](https://app.tidalcyber.com/software/4bac93bd-7e58-4ddb-a205-d99597b9e65e) is a modular backdoor written in C++ that has been used by [Threat 
Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2017.[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0660", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49", "type": "similar" } ], "uuid": "4bac93bd-7e58-4ddb-a205-d99597b9e65e", "value": "Clambling" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Aero diagnostics script\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1\n* C:\\Windows\\diagnostics\\system\\Audio\\CL_Invocation.ps1\n* C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Invocation.ps1\n\n**Resources:**\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cl_invocation.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml)\n* Sigma: [posh_ps_cl_invocation_lolscript.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml)[[CL_Invocation.ps1 - LOLBAS Project](/references/a53e093a-973c-491d-91e3-bc7804d87b8b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5257", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "4bc36e22-6529-4a4a-a5d2-461f3925c5f3", 
"value": "CL_Invocation" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** PowerShell Diagnostic Script\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\Audio\\CL_LoadAssembly.ps1\n\n**Resources:**\n* [https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/](https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbas_cl_loadassembly.yml](https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml)[[CL_LoadAssembly.ps1 - LOLBAS Project](/references/31a14027-1181-49b9-87bf-78a65a551312)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5255", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "cb950179-334d-4bd9-9cfb-87b09d279a3b", "value": "CL_LoadAssembly" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with CL_Mutexverifiers.ps1\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\Audio\\CL_Mutexverifiers.ps1\n* 
C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\Video\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\Speech\\CL_Mutexverifiers.ps1\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/995111125447577600](https://twitter.com/pabraeken/status/995111125447577600)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cl_mutexverifiers.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml)[[CL_Mutexverifiers.ps1 - LOLBAS Project](/references/75b89502-21ed-4920-95cc-212eaf17f281)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5256", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "3c63792a-1184-416e-aa9b-18da72e88327", "value": "CL_Mutexverifiers" }, { "description": "[Clop](https://app.tidalcyber.com/software/5321aa75-924c-47ae-b97a-b36f023abf2a) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. 
[Clop](https://app.tidalcyber.com/software/5321aa75-924c-47ae-b97a-b36f023abf2a) is a variant of the CryptoMix ransomware.[[Mcafee Clop Aug 2019](https://app.tidalcyber.com/references/458141bd-7dd2-41fd-82e8-7ea2e4a477ab)][[Cybereason Clop Dec 2020](https://app.tidalcyber.com/references/f54d682d-100e-41bb-96be-6a79ea422066)][[Unit42 Clop April 2021](https://app.tidalcyber.com/references/ce48d631-757c-480b-8572-b7d9f4d738c6)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0611", "source": "MITRE", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "b15c16f7-b8c7-4962-9acc-a98a39f87b69", "b18b5401-d88d-4f28-8f50-a884a5e58349", "ac862a66-a4ec-4285-9a21-b63576a5867d", "5ab5f811-5c7e-4f77-ae90-59d3beb93346", "1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0", "e401022a-36ac-486d-8503-dd531410a927", "8a77c410-bed9-4376-87bf-5ac84fbc2c9d", "ab64f2d8-8da3-48de-ac66-0fd91d634b22", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, { "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", "type": "similar" } ], "uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a", "value": "Clop" }, { "description": "CloudChat Infostealer is an information-stealing malware designed to harvest passwords, cookies, and other sensitive information from macOS systems.[[Kandji 4 8 2024](/references/f2e74613-f578-4408-bc76-144ec671808b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS" ], "software_attack_id": "S5316", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "7a57e81b-2453-4aaf-94ad-c007bd7105a2", 
"value": "CloudChat Infostealer" }, { "description": "[CloudDuke](https://app.tidalcyber.com/software/b3dd424b-ee96-449c-aa52-abbc7d4dfb86) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) in 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)] [[Securelist Minidionis July 2015](https://app.tidalcyber.com/references/af40a05e-02fb-4943-b3ff-9a292679e93d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0054", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "type": "similar" } ], "uuid": "b3dd424b-ee96-449c-aa52-abbc7d4dfb86", "value": "CloudDuke" }, { "description": "[cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. 
[[TechNet Cmd](https://app.tidalcyber.com/references/dbfc01fe-c300-4c27-ab9a-a20508c1e04b)]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [[TechNet Dir](https://app.tidalcyber.com/references/f1eb8631-6bea-4688-a5ff-a388b1fdceb0)]), deleting files (e.g., del [[TechNet Del](https://app.tidalcyber.com/references/01fc44b9-0eb3-4fd2-b755-d611825374ae)]), and copying files (e.g., copy [[TechNet Copy](https://app.tidalcyber.com/references/4e0d4b94-6b4c-4104-86e6-499b6aa7ba78)]).", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0106", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "a968c9f3-c190-488f-bacc-92e8f1ce295c", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c", "type": "used-by" }, { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", 
"type": "used-by" }, { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" }, { "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "similar" } ], "uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8", "value": "cmd" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** creates, lists, and deletes stored user names and passwords or credentials.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* 
C:\\Windows\\System32\\cmdkey.exe\n* C:\\Windows\\SysWOW64\\cmdkey.exe\n\n**Resources:**\n* [https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation](https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation)\n* [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey)\n\n**Detection:**\n* Sigma: [proc_creation_win_cmdkey_recon.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml)[[Cmdkey.exe - LOLBAS Project](/references/c9ca075a-8327-463d-96ec-adddf6f1a7bb)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5089", "source": "Tidal Cyber", "tags": [ "96bff827-e51f-47de-bde6-d2eec0f99767", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" } ], "uuid": "da252f67-2d4e-419f-b493-d4a1d024a01c", "value": "Cmdkey" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Connection Manager Auto-Download\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\cmdl32.exe\n* C:\\Windows\\SysWOW64\\cmdl32.exe\n\n**Resources:**\n* [https://github.com/LOLBAS-Project/LOLBAS/pull/151](https://github.com/LOLBAS-Project/LOLBAS/pull/151)\n* [https://twitter.com/ElliotKillick/status/1455897435063074824](https://twitter.com/ElliotKillick/status/1455897435063074824)\n* 
[https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/](https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cmdl32.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml)\n* IOC: Reports of downloading from suspicious URLs in %TMP%\\config.log\n* IOC: Useragent Microsoft(R) Connection Manager Vpn File Update[[cmdl32.exe - LOLBAS Project](/references/2628e452-caa1-4058-a405-7c4657fa3245)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5090", "source": "Tidal Cyber", "tags": [ "4c8f8830-0b2c-4c79-b1db-8659ede492f0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "44a523a8-9ed6-4f01-9a53-0e8ea1e15b51", "value": "cmdl32" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Installs or removes a Connection Manager service profile.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\cmstp.exe\n* C:\\Windows\\SysWOW64\\cmstp.exe\n\n**Resources:**\n* [https://twitter.com/NickTyrer/status/958450014111633408](https://twitter.com/NickTyrer/status/958450014111633408)\n* [https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80](https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80)\n* [https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e](https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e)\n* 
[https://oddvar.moe/2017/08/15/research-on-cmstp-exe/](https://oddvar.moe/2017/08/15/research-on-cmstp-exe/)\n* [https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1](https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1)\n* [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp)\n\n**Detection:**\n* Sigma: [proc_creation_win_cmstp_execution_by_creation.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml)\n* Sigma: [proc_creation_win_uac_bypass_cmstp.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml)\n* Splunk: [cmlua_or_cmstplua_uac_bypass.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* IOC: Execution of cmstp.exe without a VPN use case is suspicious\n* IOC: DotNet CLR libraries loaded into cmstp.exe\n* IOC: DotNet CLR Usage Log - cmstp.exe.log[[Cmstp.exe - LOLBAS Project](/references/86c21dcd-464a-4870-8aae-25fcaccc889d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], 
"software_attack_id": "S5091", "source": "Tidal Cyber", "tags": [ "65938118-2f00-48a1-856e-d1a75a08e3c6", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" } ], "uuid": "6f848e15-5234-4445-9a05-2949e4c57f0b", "value": "Cmstp" }, { "description": "[COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. 
The name [COATHANGER](https://app.tidalcyber.com/software/fbd3f71a-e123-5527-908c-9e7ea0d646e8) is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[[NCSC-NL COATHANGER Feb 2024](https://app.tidalcyber.com/references/e8e60112-a08d-5316-b80f-f601e7e5c973)]", "meta": { "platforms": [ "Network", "Linux" ], "software_attack_id": "S1105", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", "type": "similar" } ], "uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8", "value": "COATHANGER" }, { "description": "[Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]\n\nIn addition to its own capabilities, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16).[[cobaltstrike manual](https://app.tidalcyber.com/references/43277d05-0aa4-4cee-ac41-6f03a49851a9)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0154", "source": "MITRE", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e1af18e3-3224-4e4c-9d0f-533768474508", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "56d89c06-23a0-4642-adfc-1fffd3524191", 
"1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "992bdd33-4a47-495d-883a-58010a2f0efb", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" }, { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, { "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": 
"4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "similar" } ], "uuid": "9b6bcbba-3ab4-4a4c-a233-cd12254823f6", "value": "Cobalt Strike" }, { "description": "This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[[GitHub random_c2_profile](/references/dcb30328-6aa4-461b-8333-451d6af4b384)] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5057", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "malware" ] }, 
"related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" } ], "uuid": "cf47b3ce-1392-4904-a4e6-f65aebebddc6", "value": "Cobalt Strike Random C2 Profile Generator" }, { "description": "[Cobian RAT](https://app.tidalcyber.com/software/d4e6f9f7-7f4d-47c2-be24-b267d9317303) is a backdoor, remote access tool that has been observed since 2016.[[Zscaler Cobian Aug 2017](https://app.tidalcyber.com/references/46541bb9-15cb-4a7c-a624-48a1c7e838e3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0338", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", "type": "similar" } ], "uuid": "d4e6f9f7-7f4d-47c2-be24-b267d9317303", "value": "Cobian RAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** VSCode binary, also portable (CLI) version\n\n**Author:** PfiatDe\n\n**Paths:**\n* %LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe\n* C:\\Program Files\\Microsoft VS Code\\Code.exe\n* C:\\Program Files (x86)\\Microsoft VS Code\\Code.exe\n\n**Resources:**\n* [https://badoption.eu/blog/2023/01/31/code_c2.html](https://badoption.eu/blog/2023/01/31/code_c2.html)\n* [https://code.visualstudio.com/docs/remote/tunnels](https://code.visualstudio.com/docs/remote/tunnels)\n* [https://code.visualstudio.com/blogs/2022/12/07/remote-even-better](https://code.visualstudio.com/blogs/2022/12/07/remote-even-better)\n\n**Detection:**\n* IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com\n* IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe\n* IOC: File write of code_tunnel.json which is parameterizable, but defaults to: 
%UserProfile%\\.vscode-cli\\code_tunnel.json[[code.exe - LOLBAS Project](/references/4a93063b-f3a3-4726-870d-b8f744651363)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5185", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "49d440e4-b2ea-4e7d-8ded-8589ddf679d9", "value": "code" }, { "description": "[CoinTicker](https://app.tidalcyber.com/software/b0d9b31a-072b-4744-8d2f-3a63256a932f) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[[CoinTicker 2019](https://app.tidalcyber.com/references/99c53143-6f93-44c9-a874-c1b9e4506fb4)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0369", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d1531eaa-9e17-473e-a680-3298469662c3", "type": "similar" } ], "uuid": "b0d9b31a-072b-4744-8d2f-3a63256a932f", "value": "CoinTicker" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary that handles color management\n\n**Author:** Arjan Onwezen\n\n**Paths:**\n* C:\\Windows\\System32\\colorcpl.exe\n* C:\\Windows\\SysWOW64\\colorcpl.exe\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1480468728324231172](https://twitter.com/eral4m/status/1480468728324231172)\n\n**Detection:**\n* Sigma: [file_event_win_susp_colorcpl.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml)\n* IOC: colorcpl.exe writing files[[Colorcpl.exe - LOLBAS Project](/references/53ff662d-a0b3-41bd-ab9e-a9bb8bbdea25)]", "meta": { "owner": 
"TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5092", "source": "Tidal Cyber", "tags": [ "884eb1b1-aede-4db0-8443-ba50624682e1", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9f006b88-2f13-4c99-ade0-839da70d1e11", "value": "Colorcpl" }, { "description": "[Comnie](https://app.tidalcyber.com/software/341fc709-4908-4e41-8df3-554dae6d72b0) is a remote backdoor which has been used in attacks in East Asia. [[Palo Alto Comnie](https://app.tidalcyber.com/references/ff3cc105-2798-45de-8561-983bf57eb9d9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0244", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "type": "similar" } ], "uuid": "341fc709-4908-4e41-8df3-554dae6d72b0", "value": "Comnie" }, { "description": "[ComRAT](https://app.tidalcyber.com/software/300c5997-a486-4a61-8213-93a180c22849) is a second stage implant suspected of being a descendant of [Agent.btz](https://app.tidalcyber.com/software/f27c9a91-c618-40c6-837d-089ba4d80f45) and used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2). 
The first version of [ComRAT](https://app.tidalcyber.com/software/300c5997-a486-4a61-8213-93a180c22849) was identified in 2007, but the tool has undergone substantial development for many years since.[[Symantec Waterbug](https://app.tidalcyber.com/references/ec02f951-17b8-44cb-945a-e5c313555124)][[NorthSec 2015 GData Uroburos Tools](https://app.tidalcyber.com/references/99e2709e-a32a-4fbf-a20a-ffcdd8befdc8)][[ESET ComRAT May 2020](https://app.tidalcyber.com/references/cd9043b8-4d14-449b-a6b2-2e9b99103bb0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0126", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "type": "similar" } ], "uuid": "300c5997-a486-4a61-8213-93a180c22849", "value": "ComRAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** COM+ Services\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\comsvcs.dll\n\n**Resources:**\n* [https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/](https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_process_dump_via_comsvcs.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml)\n* Sigma: [proc_access_win_lsass_dump_comsvcs_dll.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml)\n* Elastic: 
[credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)\n* Splunk: [dump_lsass_via_comsvcs_dll.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml)[[Comsvcs.dll - LOLBAS Project](/references/2eb2756d-5a49-4df3-9e2f-104c41c645cd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5202", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "334b0ee4-5a0d-4634-91c8-236593b818a0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" } ], "uuid": "0448178d-fff1-4174-8339-e6bfca78fb84", "value": "Comsvcs" }, { "description": "[Conficker](https://app.tidalcyber.com/software/ef33f1fa-18a3-4b30-b359-17b7930f43a7) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[[SANS Conficker](https://app.tidalcyber.com/references/2dca2274-5f25-475a-b87d-97f3e3a525de)] In 2016, a variant of [Conficker](https://app.tidalcyber.com/software/ef33f1fa-18a3-4b30-b359-17b7930f43a7) made its way on computers and removable disk drives belonging to a nuclear power plant.[[Conficker Nuclear Power Plant](https://app.tidalcyber.com/references/83b8c3c4-d67a-48bd-8614-1c703a8d969b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0608", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "type": [ 
"malware" ] }, "related": [ { "dest-uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "type": "similar" } ], "uuid": "ef33f1fa-18a3-4b30-b359-17b7930f43a7", "value": "Conficker" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.\n\n**Author:** Ialle Teixeira\n\n**Paths:**\n* C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads](https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads)\n* [https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads](https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads)\n* [https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor](https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor)\n* [https://twitter.com/NtSetDefault/status/1302589153570365440?s=20](https://twitter.com/NtSetDefault/status/1302589153570365440?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_configsecuritypolicy.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml)\n* IOC: ConfigSecurityPolicy storing data into alternate data streams.\n* IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network 
IPS/IDS.\n* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.\n* IOC: User Agent is \"MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\"[[ConfigSecurityPolicy.exe - LOLBAS Project](/references/30b8a5d8-596c-4ab3-b3db-b799cc8923e1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5093", "source": "Tidal Cyber", "tags": [ "d99039e1-e677-4226-8b63-e698d6642535", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "0e178275-4eb7-4fae-a703-d9730adf6a26", "value": "ConfigSecurityPolicy" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Console Window host\n\n**Author:** Wietze Beukema\n\n**Paths:**\n* c:\\windows\\system32\\conhost.exe\n\n**Resources:**\n* [https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/](https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)\n* [https://twitter.com/Wietze/status/1511397781159751680](https://twitter.com/Wietze/status/1511397781159751680)\n* [https://twitter.com/embee_research/status/1559410767564181504](https://twitter.com/embee_research/status/1559410767564181504)\n* [https://twitter.com/ankit_anubhav/status/1561683123816972288](https://twitter.com/ankit_anubhav/status/1561683123816972288)\n\n**Detection:**\n* IOC: conhost.exe spawning unexpected processes\n* Sigma: [proc_creation_win_conhost_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml)[[Conhost.exe 
- LOLBAS Project](/references/5ed807c1-15d1-48aa-b497-8cd74fe5b299)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5094", "source": "Tidal Cyber", "tags": [ "ea54037d-e07b-42b0-afe6-33576ec36f44", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0", "value": "Conhost" }, { "description": "[ConnectWise](https://app.tidalcyber.com/software/6f9bb24d-cce2-49de-bedd-1849d9bde7a0) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) and [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) to connect to and conduct lateral movement in target environments.[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)][[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0591", "source": "MITRE", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e1af18e3-3224-4e4c-9d0f-533768474508", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": 
"7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" }, { "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", "type": "similar" } ], "uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0", "value": "ConnectWise" }, { "description": "[Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) has been deployed via [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[[Cybereason Conti Jan 2021](https://app.tidalcyber.com/references/3c0e82a2-41ab-4e63-ac10-bd691c786234)][[CarbonBlack Conti July 2020](https://app.tidalcyber.com/references/3c3a6dc0-66f2-492e-8c9c-c0bcca73008e)][[Cybleinc Conti January 2020](https://app.tidalcyber.com/references/5ef0ad9d-f34d-4771-a595-7ee4994f6c91)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0575", "source": "MITRE", "tags": [ "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "0ed7d10c-c65b-4174-9edb-446bf301d250", "3d90eed2-862d-4f61-8c8f-0b8da3e45af0", "12a2e20a-7c27-46bb-954d-b372833a9925", 
"1b98f09a-7d93-4abb-8f3e-1eacdb9f9871", "c2380542-36f2-4922-9ed2-80ced06645c9", "dea4388a-b1f2-4f2a-9df9-108631d0d078", "24448a05-2337-4bc9-a889-a83f2fd1f3ad", "2743d495-7728-4a75-9e5f-b64854039792", "d713747c-2d53-487e-9dac-259230f04460", "fde4c246-7d2d-4d53-938b-44651cf273f1", "964c2590-4b52-48c6-afff-9a6d72e68908", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", "type": "similar" } ], "uuid": "8e995c29-2759-4aeb-9a0f-bb7cd97b06e5", "value": "Conti" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used to launch controlpanel items in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\control.exe\n* C:\\Windows\\SysWOW64\\control.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/](https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/)\n* [https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/](https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/)\n* [https://twitter.com/bohops/status/955659561008017409](https://twitter.com/bohops/status/955659561008017409)\n* [https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items](https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items)\n* 
[https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/](https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/)\n\n**Detection:**\n* Sigma: [proc_creation_win_exploit_cve_2021_40444.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml)\n* Sigma: [proc_creation_win_rundll32_susp_control_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* Elastic: [defense_evasion_execution_control_panel_suspicious_args.toml](https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml)\n* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)\n* IOC: Control.exe executing files from alternate data streams\n* IOC: Control.exe executing library file without cpl extension\n* IOC: Suspicious network connections from control.exe[[Control.exe - LOLBAS Project](/references/d0c821b9-7d37-4158-89fa-0dabe6e06800)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5095", "source": "Tidal Cyber", "tags": [ "53ac2b35-d302-4bdd-9931-5b6c6cb31b96", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "efc46430-b27f-4b05-bc36-1d5eba685ec7", "value": "Control" }, { 
"description": "[CookieMiner](https://app.tidalcyber.com/software/6e2c4aef-2f69-4507-9ee3-55432d76341e) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[[Unit42 CookieMiner Jan 2019](https://app.tidalcyber.com/references/4605c51d-b36e-4c29-abda-2a97829f6019)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0492", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586", "type": "similar" } ], "uuid": "6e2c4aef-2f69-4507-9ee3-55432d76341e", "value": "CookieMiner" }, { "description": "[CORALDECK](https://app.tidalcyber.com/software/f13c8455-d615-4f8d-9d9c-5b31e593cd8a) is an exfiltration tool used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66). [[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0212", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", "type": "similar" } ], "uuid": "f13c8455-d615-4f8d-9d9c-5b31e593cd8a", "value": "CORALDECK" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. 
Coregen is located within \"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.\n\n**Author:** Martin Sohn Christensen\n\n**Paths:**\n* C:\\Program Files\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe\n* C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe\n\n**Resources:**\n* [https://www.youtube.com/watch?v=75XImxOOInU](https://www.youtube.com/watch?v=75XImxOOInU)\n* [https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html](https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html)\n\n**Detection:**\n* Sigma: [image_load_side_load_coregen.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml)\n* IOC: coregen.exe loading .dll file not in \"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\\"\n* IOC: coregen.exe loading .dll file not named coreclr.dll\n* IOC: coregen.exe command line containing -L or -l\n* IOC: coregen.exe command line containing unexpected/invalid assembly name\n* IOC: coregen.exe application crash by invalid assembly name[[coregen.exe - LOLBAS Project](/references/f24d4cf5-9ca9-46bd-bd43-86b37e2a638a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5209", "source": "Tidal Cyber", "tags": [ "a19a158e-aec4-410a-8c3e-e9080b111183", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "b7dacd5c-eaba-48db-bdd7-e779a82b2ba7", "value": "coregen" }, { "description": "[CORESHELL](https://app.tidalcyber.com/software/3b193f62-2b49-4eff-bdf4-501fb8a28274) is a downloader used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). 
The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0137", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "type": "similar" } ], "uuid": "3b193f62-2b49-4eff-bdf4-501fb8a28274", "value": "CORESHELL" }, { "description": "[CosmicDuke](https://app.tidalcyber.com/software/43b317c6-5b4f-47b8-b7b4-15cd6f455091) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0050", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "type": "similar" } ], "uuid": "43b317c6-5b4f-47b8-b7b4-15cd6f455091", "value": "CosmicDuke" }, { "description": "[CostaBricks](https://app.tidalcyber.com/software/ea9e2d19-89fe-4039-a1e0-467b14554c6f) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://app.tidalcyber.com/groups/) campaign.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0614", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5d342981-5194-41e7-b33f-8e91998d7d88", "type": "similar" } ], "uuid": 
"ea9e2d19-89fe-4039-a1e0-467b14554c6f", "value": "CostaBricks" }, { "description": "[CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0046", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "type": "similar" } ], "uuid": "c2353daa-fd4c-44e1-8013-55400439965a", "value": "CozyCar" }, { "description": "[CrackMapExec](https://app.tidalcyber.com/software/47e710b4-1397-47cf-a979-20891192f313), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. 
[CrackMapExec](https://app.tidalcyber.com/software/47e710b4-1397-47cf-a979-20891192f313) collects Active Directory information to conduct lateral movement through targeted networks.[[CME Github September 2018](https://app.tidalcyber.com/references/a6e1e3b4-1b69-43b7-afbe-aedb812c5778)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0488", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", "type": "similar" } ], "uuid": "47e710b4-1397-47cf-a979-20891192f313", "value": "CrackMapExec" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)\n\n**Author:** mr.d0x, Daniel Santos\n\n**Paths:**\n* C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\*\\createdump.exe\n* C:\\Program Files (x86)\\dotnet\\shared\\Microsoft.NETCore.App\\*\\createdump.exe\n* C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\dotnet\\runtime\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\dotnet\\runtime\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe\n\n**Resources:**\n* 
[https://twitter.com/bopin2020/status/1366400799199272960](https://twitter.com/bopin2020/status/1366400799199272960)\n* [https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps](https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps)\n\n**Detection:**\n* Sigma: [proc_creation_win_proc_dump_createdump.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml)\n* Sigma: [proc_creation_win_renamed_createdump.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml)\n* IOC: createdump.exe process with a command line containing the lsass.exe process id[[Createdump.exe - LOLBAS Project](/references/f3ccacc1-3b42-4042-9a5c-f5b483a5e801)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5210", "source": "Tidal Cyber", "tags": [ "7beee233-2b65-4593-88e6-a5c0c02c6a08", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "a574b315-523c-45c3-8743-feb3d541e81a", "value": "Createdump" }, { "description": "CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. 
CredoMap was observed being used in attack campaigns in Ukraine in 2022.[[CERTFR-2023-CTI-009](/references/5365ac4c-fbb8-4389-989e-a64cb7693371)][[SecurityScorecard CredoMap September 2022](/references/3e683efc-4712-4397-8d55-4354ff7ad9f0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5074", "source": "Tidal Cyber", "tags": [ "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" } ], "uuid": "516ffd19-72b9-43a1-b866-bb075fdcb137", "value": "CredoMap" }, { "description": "[CreepyDrive](https://app.tidalcyber.com/software/7f7f05c3-fbb1-475e-b672-2113709065c8) is a custom implant that has been used by [POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]\n\n[POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]", "meta": { "platforms": [ "Office 365", "Windows" ], "software_attack_id": "S1023", "source": "MITRE", "tags": [ "15f2277a-a17e-4d85-8acd-480bf84f16b4", "be319849-fb2c-4b5f-8055-0bde562c280b", "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" }, { "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", "type": "similar" } ], "uuid": "7f7f05c3-fbb1-475e-b672-2113709065c8", "value": "CreepyDrive" }, { "description": "[CreepySnail](https://app.tidalcyber.com/software/11ce380c-481b-4c9b-b44e-06f1a91c01c1) is a custom PowerShell implant 
that has been used by [POLONIUM](https://app.tidalcyber.com/groups/7fbd7514-76e9-4696-8c66-9f95546e3315) since at least 2022.[[Microsoft POLONIUM June 2022](https://app.tidalcyber.com/references/689ff1ab-9fed-4aa2-8e5e-78dac31e6fbd)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1024", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" }, { "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", "type": "similar" } ], "uuid": "11ce380c-481b-4c9b-b44e-06f1a91c01c1", "value": "CreepySnail" }, { "description": "[Crimson](https://app.tidalcyber.com/software/3b3f296f-20a6-459a-98c5-62ebdee3701f) is a remote access Trojan that has been used by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) since at least 2016.[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)][[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0115", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" }, { "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "type": "similar" } ], "uuid": "3b3f296f-20a6-459a-98c5-62ebdee3701f", "value": "Crimson" }, { "description": "[CrossRAT](https://app.tidalcyber.com/software/38811c3b-f548-43fa-ab26-c7243b84a055) is a cross platform RAT.", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0235", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" }, { "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", "type": "similar" } ], "uuid": "38811c3b-f548-43fa-ab26-c7243b84a055", "value": 
"CrossRAT" }, { "description": "[Crutch](https://app.tidalcyber.com/software/e1ad229b-d750-4148-a1f3-36e767b03cd1) is a backdoor designed for document theft that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2015.[[ESET Crutch December 2020](https://app.tidalcyber.com/references/8b2f40f5-7dca-4edf-8314-a8f5bc4831b8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0538", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", "type": "similar" } ], "uuid": "e1ad229b-d750-4148-a1f3-36e767b03cd1", "value": "Crutch" }, { "description": "[Cryptoistic](https://app.tidalcyber.com/software/12ce6d04-ebe5-440e-b342-0283b7c8a0c8) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08).[[SentinelOne Lazarus macOS July 2020](https://app.tidalcyber.com/references/489c52a2-34cc-47ff-b42b-9d48f83b9e90)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0498", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "type": "similar" } ], "uuid": "12ce6d04-ebe5-440e-b342-0283b7c8a0c8", "value": "Cryptoistic" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary file used by .NET to compile C# code\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Csc.exe\n* 
C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Csc.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe](https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe)\n\n**Detection:**\n* Sigma: [proc_creation_win_csc_susp_parent.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml)\n* Sigma: [proc_creation_win_csc_susp_folder.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml)\n* Elastic: [defense_evasion_dotnet_compiler_parent_process.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_unusal_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml)\n* IOC: Csc.exe should normally not run as System account unless it is used for development.[[Csc.exe - LOLBAS Project](/references/276c9e55-4673-426d-8f49-06edee2e3b30)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5096", "source": "Tidal Cyber", "tags": [ "2ee25dd6-256c-4659-b1b6-f5afc943ccc1", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" } ], "uuid": "939eeb6b-3f74-43b6-8ead-644457ee7d78", "value": "Csc" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is 
licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used to execute scripts in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\cscript.exe\n* C:\\Windows\\SysWOW64\\cscript.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n\n**Detection:**\n* Sigma: [proc_creation_win_wscript_cscript_script_exec.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)\n* Elastic: [command_and_control_remote_file_copy_scripts.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [wscript_or_cscript_suspicious_child_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml)\n* BlockRule: 
[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Cscript.exe executing files from alternate data streams\n* IOC: DotNet CLR libraries loaded into cscript.exe\n* IOC: DotNet CLR Usage Log - cscript.exe.log[[Cscript.exe - LOLBAS Project](/references/428b6223-63b7-497f-b13a-e472b4583a9f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5097", "source": "Tidal Cyber", "tags": [ "7cae5f59-dbbf-406f-928d-118430d2bdd0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "83036c61-d8cf-42f8-a9e5-dc3d26d75cdc", "value": "Cscript" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command line interface included with Visual Studio.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community\\MSBuild\\15.0\\Bin\\Roslyn\\csi.exe\n* c:\\Program Files (x86)\\Microsoft Web Tools\\Packages\\Microsoft.Net.Compilers.X.Y.Z\\tools\\csi.exe\n\n**Resources:**\n* [https://twitter.com/subTee/status/781208810723549188](https://twitter.com/subTee/status/781208810723549188)\n* [https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/](https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_csi_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml)\n* Sigma: [proc_creation_win_csi_use_of_csharp_console.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[csi.exe - LOLBAS Project](/references/b810ee91-de4e-4c7b-8fa8-24dca95133e5)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5211", "source": "Tidal Cyber", "tags": [ "86bb7f3c-652c-4f77-af2a-34677ff42315", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "a11e4ebf-59e4-4b79-8a20-be1618dfbaed", "value": "csi" }, { "description": "[CSPY Downloader](https://app.tidalcyber.com/software/eb481db6-d7ba-4873-a171-76a228c9eb97) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1).[[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)]", "meta": { 
"platforms": [ "Windows" ], "software_attack_id": "S0527", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", "type": "similar" } ], "uuid": "eb481db6-d7ba-4873-a171-76a228c9eb97", "value": "CSPY Downloader" }, { "description": "\n[Cuba](https://app.tidalcyber.com/software/095064c6-144e-4935-b878-f82151bc08e4) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[[McAfee Cuba April 2021](https://app.tidalcyber.com/references/e0e86e08-64ec-48dc-91e6-24fde989cd77)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0625", "source": "MITRE", "tags": [ "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930", "17864218-bc4f-4564-8abf-97c988eea9f7", "b6458e46-650e-4e96-8e68-8a9d70bcf045", "bac51672-8240-4182-9087-23626023e509", "c5c8f954-1bc0-45d5-9a4f-4385d0a720a1", "2743d495-7728-4a75-9e5f-b64854039792", "d713747c-2d53-487e-9dac-259230f04460", "fde4c246-7d2d-4d53-938b-44651cf273f1", "964c2590-4b52-48c6-afff-9a6d72e68908", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5216ac81-da4c-4b87-86ce-b90a651f1048", "type": "used-by" }, { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" }, { "dest-uuid": "6cd07296-14aa-403d-9229-6343d03d4752", "type": "similar" } ], "uuid": "095064c6-144e-4935-b878-f82151bc08e4", "value": "Cuba" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries 
(LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A host process that is used by custom shells when using Windows in Kiosk mode.\n\n**Author:** Wietze Beukema\n\n**Paths:**\n* C:\\Windows\\System32\\CustomShellHost.exe\n\n**Resources:**\n* [https://twitter.com/YoSignals/status/1381353520088113154](https://twitter.com/YoSignals/status/1381353520088113154)\n* [https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher)\n\n**Detection:**\n* IOC: CustomShellHost.exe is unlikely to run on normal workstations\n* Sigma: [proc_creation_win_lolbin_customshellhost.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml)[[CustomShellHost.exe - LOLBAS Project](/references/96324ab1-7eb8-42dc-b19a-fa1d9f85e239)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5098", "source": "Tidal Cyber", "tags": [ "536c3d51-9fc4-445e-9723-e11b69f0d6d5", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "3ff0d4fc-6678-42f0-869b-f48906d98f82", "value": "CustomShellHost" }, { "description": "[Cyclops Blink](https://app.tidalcyber.com/software/68792756-7dbf-41fd-8d48-ac3cc2b52712) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[[NCSC Cyclops Blink February 2022](https://app.tidalcyber.com/references/91ed6adf-f066-49e4-8ec7-1989bc6615a6)][[NCSC CISA Cyclops Blink Advisory February 
2022](https://app.tidalcyber.com/references/bee6cf85-5cb9-4000-b82e-9e15aebfbece)][[Trend Micro Cyclops Blink March 2022](https://app.tidalcyber.com/references/64e9a24f-f386-4774-9874-063e0ebfb8e1)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S0687", "source": "MITRE", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", "type": "similar" } ], "uuid": "68792756-7dbf-41fd-8d48-ac3cc2b52712", "value": "Cyclops Blink" }, { "description": "[Dacls](https://app.tidalcyber.com/software/9d521c18-09f0-47be-bfe5-e1bf26f7b928) is a multi-platform remote access tool used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) since at least December 2019.[[TrendMicro macOS Dacls May 2020](https://app.tidalcyber.com/references/0ef8691d-48ae-4057-82ef-eb086c05e2b9)][[SentinelOne Lazarus macOS July 2020](https://app.tidalcyber.com/references/489c52a2-34cc-47ff-b42b-9d48f83b9e90)]", "meta": { "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S0497", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "type": "similar" } ], "uuid": "9d521c18-09f0-47be-bfe5-e1bf26f7b928", "value": "Dacls" }, { "description": "[DanBot](https://app.tidalcyber.com/software/131c0eb2-9191-4ccd-a2d6-5f36046a8f2f) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least 2018.[[SecureWorks August 2019](https://app.tidalcyber.com/references/573edbb6-687b-4bc2-bc4a-764a548633b5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1014", "source": "MITRE", "tags": [ 
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb", "type": "similar" } ], "uuid": "131c0eb2-9191-4ccd-a2d6-5f36046a8f2f", "value": "DanBot" }, { "description": "[DarkComet](https://app.tidalcyber.com/software/74f88899-56d0-4de8-97de-539b3590ab90) is a Windows remote administration tool and backdoor.[[TrendMicro DarkComet Sept 2014](https://app.tidalcyber.com/references/fb365600-4961-43ed-8292-1c07cbc530ef)][[Malwarebytes DarkComet March 2018](https://app.tidalcyber.com/references/6a765a99-8d9f-4076-8741-6415a5ab918b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0334", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" }, { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" }, { "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", "type": "similar" } ], "uuid": "74f88899-56d0-4de8-97de-539b3590ab90", "value": "DarkComet" }, { "description": "[DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. 
Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://app.tidalcyber.com/software/39d81c48-8f7c-54cb-8fac-485598e31a55) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[[Ensilo Darkgate 2018](https://app.tidalcyber.com/references/31796564-4154-54c0-958a-7d6802dfefad)] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[[Trellix Darkgate 2023](https://app.tidalcyber.com/references/83fb92d8-1245-5d68-b9f2-0915c10401c6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1111", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", "type": "similar" } ], "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", "value": "DarkGate - Duplicate" }, { "description": "*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: \"DarkGate\" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.*\n\n\n*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nDarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. 
Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[[Bleeping Computer DarkGate October 14 2023](/references/313e5558-d8f9-4457-9004-810d9fa5340c)] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[[DarkGate Loader delivered via Teams - Truesec](/references/4222a06f-9528-4076-8037-a27012c2930c)][[Trend Micro DarkGate October 12 2023](/references/81650f5b-628b-4e76-80d6-2c15cf70d37a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5266", "source": "Tidal Cyber", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" } ], "uuid": "7144b703-f471-4bde-bedc-e8b274854de5", "value": "DarkGate (Deprecated)" }, { "description": "[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. 
[DarkTortilla](https://app.tidalcyber.com/software/35abcb6b-3259-57c1-94fc-50cfd5bde786) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), AsyncRat, [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), RedLine, [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), and Metasploit.[[Secureworks DarkTortilla Aug 2022](https://app.tidalcyber.com/references/4b48cc22-55ac-5b61-b183-9008f7db37fd)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1066", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8", "type": "similar" } ], "uuid": "35abcb6b-3259-57c1-94fc-50cfd5bde786", "value": "DarkTortilla" }, { "description": "[DarkWatchman](https://app.tidalcyber.com/software/740a0327-4caf-4d90-8b51-f3f9a4d59b37) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[[Prevailion DarkWatchman 2021](https://app.tidalcyber.com/references/449e7b5c-7c62-4a63-a676-80026a597fc9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0673", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "63686509-069b-4143-99ea-4e59cad6cb2a", "type": "similar" } ], "uuid": "740a0327-4caf-4d90-8b51-f3f9a4d59b37", "value": "DarkWatchman" }, { "description": "[Daserf](https://app.tidalcyber.com/software/fad65026-57c4-4d4f-8803-87178dd4b887) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. 
[[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)] [[Secureworks BRONZE BUTLER Oct 2017](https://app.tidalcyber.com/references/c62d8d1a-cd1b-4b39-95b6-68f3f063dacf)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0187", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "type": "similar" } ], "uuid": "fad65026-57c4-4d4f-8803-87178dd4b887", "value": "Daserf" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.\n\n**Author:** Ialle Teixeira\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\DataSvcUtil.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe](https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe)\n* [https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services](https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services)\n* [https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services](https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml)\n* IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.\n* IOC: Network IPS/IDS detecting or blocking DataSvcUtil.exe connections to non-RFC1918 (public) addresses.\n* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[[DataSvcUtil.exe - LOLBAS Project](/references/0c373780-3202-4036-8c83-f3d468155b35)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5099", "source": "Tidal Cyber", "tags": [ "0576be43-65c6-4d1a-8a06-ed8232ca0120", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "dd555a4c-3b04-48c1-988f-d530d699a5bf", "value": "DataSvcUtil" }, { "description": "DBatLoader is a loader malware used to download and drop additional payloads onto compromised hosts.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5287", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "789791b7-1ea1-4b18-8253-4663bb7ec143", "value": "DBatLoader" }, { "description": "[DCSrv](https://app.tidalcyber.com/software/26ae3cd1-6710-4807-b674-957bd67d3e76) is destructive malware that has been used by [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) since at least September 2021. 
Though [DCSrv](https://app.tidalcyber.com/software/26ae3cd1-6710-4807-b674-957bd67d3e76) has ransomware-like capabilities, [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) does not demand ransom or offer a decryption key.[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1033", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" }, { "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0", "type": "similar" } ], "uuid": "26ae3cd1-6710-4807-b674-957bd67d3e76", "value": "DCSrv" }, { "description": "[DDKONG](https://app.tidalcyber.com/software/0657b804-a889-400a-97d7-a4989809a623) is a malware sample that was part of a campaign by [Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c). [DDKONG](https://app.tidalcyber.com/software/0657b804-a889-400a-97d7-a4989809a623) was first seen used in February 2017. [[Rancor Unit42 June 2018](https://app.tidalcyber.com/references/45098a85-a61f-491a-a549-f62b02dc2ecd)]", "meta": { "software_attack_id": "S0255", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" }, { "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "type": "similar" } ], "uuid": "0657b804-a889-400a-97d7-a4989809a623", "value": "DDKONG" }, { "description": "[DEADEYE](https://app.tidalcyber.com/software/e9533664-90c5-5b40-a40e-a69a2eda8bc9) is a malware launcher that has been used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since at least May 2021. 
[DEADEYE](https://app.tidalcyber.com/software/e9533664-90c5-5b40-a40e-a69a2eda8bc9) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1052", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", "type": "similar" } ], "uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9", "value": "DEADEYE" }, { "description": "[DealersChoice](https://app.tidalcyber.com/software/64dc5d44-2304-4875-b517-316ab98512c2) is a Flash exploitation framework used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). [[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0243", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", "type": "similar" } ], "uuid": "64dc5d44-2304-4875-b517-316ab98512c2", "value": "DealersChoice" }, { "description": "[DEATHRANSOM](https://app.tidalcyber.com/software/832f5ab1-1267-40c9-84ef-f32d6373be4e) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) and [HELLOKITTY](https://app.tidalcyber.com/software/813a4ca1-84fe-42dc-89de-5873d028f98d).[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0616", "source": "MITRE", "tags": [ 
"5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0", "type": "similar" } ], "uuid": "832f5ab1-1267-40c9-84ef-f32d6373be4e", "value": "DEATHRANSOM" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.\n\n**Author:** @checkymander\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft\\DefaultPack\\\n\n**Resources:**\n* [https://twitter.com/checkymander/status/1311509470275604480](https://twitter.com/checkymander/status/1311509470275604480)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_defaultpack.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml)\n* IOC: DefaultPack.EXE spawned an unknown process[[DefaultPack.EXE - LOLBAS Project](/references/106efc3e-5816-44ae-a384-5e026e68ab89)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5212", "source": "Tidal Cyber", "tags": [ "4f7be515-680e-4375-81f6-c71c83dd440d", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ff25ec03-1e8d-427e-b207-1e1ecca542ec", "value": "DefaultPack" }, { "description": "Defender Control is a tool purpose-built to disable Microsoft Defender.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5029", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "e8830cf3-53f3-4d15-858c-584589405fad", "value": "Defender Control" }, { "description": "[Denis](https://app.tidalcyber.com/software/df4002d2-f557-4f95-af7a-9a4582fb7068) is a Windows backdoor and Trojan used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). 
[Denis](https://app.tidalcyber.com/software/df4002d2-f557-4f95-af7a-9a4582fb7068) shares several similarities to the [SOUNDBITE](https://app.tidalcyber.com/software/069538a5-3cb8-4eb4-9fbb-83867bb4d826) backdoor and has been used in conjunction with the [Goopy](https://app.tidalcyber.com/software/a75855fd-2b6b-43d8-99a5-2be03b544f34) backdoor.[[Cybereason Oceanlotus May 2017](https://app.tidalcyber.com/references/1ef3025b-d4a9-49aa-b744-2dbea10a0abf)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0354", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", "type": "similar" } ], "uuid": "df4002d2-f557-4f95-af7a-9a4582fb7068", "value": "Denis" }, { "description": "Denonia is described as \"the first malware specifically targeting Lambda\", the AWS serverless computing platform. Early samples appeared to possess cryptomining capabilities, but researchers believe Denonia could be used to carry out other types of activities as well.[[Cado Denonia April 3 2022](/references/b276c28d-1488-4a21-86d1-7acdfd77794b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "IaaS" ], "software_attack_id": "S5313", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2e5f6e4a-4579-46f7-9997-6923180815dd", "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "3c14ea0a-c85f-41b3-acd0-15d2565e3e07", "value": "Denonia" }, { "description": "[Derusbi](https://app.tidalcyber.com/software/9222aa77-922e-43c7-89ad-71067c428fb2) is malware used by multiple Chinese APT groups.[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)][[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)] Both Windows and Linux 
variants have been observed.[[Fidelis Turbo](https://app.tidalcyber.com/references/f19877f1-3e0f-4c68-b6c9-ef5b0bd470ed)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0021", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "type": "similar" } ], "uuid": "9222aa77-922e-43c7-89ad-71067c428fb2", "value": "Derusbi" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Desktop Settings Control Panel\n\n**Author:** Hai Vaknin\n\n**Paths:**\n* C:\\Windows\\System32\\desk.cpl\n* C:\\Windows\\SysWOW64\\desk.cpl\n\n**Resources:**\n* [https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt](https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt)\n* [https://twitter.com/pabraeken/status/998627081360695297](https://twitter.com/pabraeken/status/998627081360695297)\n* [https://twitter.com/VakninHai/status/1517027824984547329](https://twitter.com/VakninHai/status/1517027824984547329)\n* [https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files](https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files)\n\n**Detection:**\n* Sigma: [file_event_win_new_src_file.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_new_src_file.yml)\n* Sigma: 
[proc_creation_win_lolbin_rundll32_installscreensaver.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)\n* Sigma: [registry_set_scr_file_executed_by_rundll32.yml](https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml)[[Desk.cpl - LOLBAS Project](/references/487a54d9-9f90-478e-b305-bd041af55e12)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5188", "source": "Tidal Cyber", "tags": [ "7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1863a7e2-6212-48a0-b109-15d0198b93e2", "value": "Desk" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows binary used to configure lockscreen/desktop image\n\n**Author:** Gal Kristal\n\n**Paths:**\n* c:\\windows\\system32\\desktopimgdownldr.exe\n\n**Resources:**\n* [https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/](https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/)\n\n**Detection:**\n* Sigma: [proc_creation_win_desktopimgdownldr_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml)\n* Sigma: 
[file_event_win_susp_desktopimgdownldr_file.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml)\n* Elastic: [command_and_control_remote_file_copy_desktopimgdownldr.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml)\n* IOC: desktopimgdownldr.exe that creates non-image file\n* IOC: Change of HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP\\LockScreenImageUrl[[Desktopimgdownldr.exe - LOLBAS Project](/references/1df3aacf-76c4-472a-92c8-2a85ae9e2860)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5100", "source": "Tidal Cyber", "tags": [ "acc0e091-a071-4e83-b0b1-4f3adebeafa3", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1b31652d-30bb-4c6e-bfe1-f2921a0aa64e", "value": "Desktopimgdownldr" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Device Credential Deployment\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\DeviceCredentialDeployment.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation\n* Sigma: [proc_creation_win_lolbin_device_credential_deployment.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml)[[DeviceCredentialDeployment.exe - LOLBAS 
Project](/references/fef281e8-8138-4420-b11b-66d1e6a19805)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5101", "source": "Tidal Cyber", "tags": [ "2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "b99bdf39-8dcf-4bae-95af-b029d48cb579", "value": "DeviceCredentialDeployment" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Visual Studio 2019 tool\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\Common7\\Tools\\devinit\\devinit.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\Common7\\Tools\\devinit\\devinit.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1460815932402679809](https://twitter.com/mrd0x/status/1460815932402679809)\n\n**Detection:**\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[Devinit.exe - LOLBAS Project](/references/27343583-c17d-4c11-a7e3-14d725756556)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5213", "source": "Tidal Cyber", "tags": [ "bb814941-0155-49b1-8f93-39626d4f0ddd", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "102714a0-6b18-4d05-83c2-dd2929ce685a", "value": "Devinit" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) 
project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary will execute specified binary. Part of VS/VScode installation.\n\n**Author:** felamos\n\n**Paths:**\n* c:\\windows\\system32\\devtoolslauncher.exe\n\n**Resources:**\n* [https://twitter.com/_felamos/status/1179811992841797632](https://twitter.com/_felamos/status/1179811992841797632)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_devtoolslauncher.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml)\n* IOC: DeveloperToolsSvc.exe spawned an unknown process[[Devtoolslauncher.exe - LOLBAS Project](/references/cb263978-019c-40c6-b6de-61db0e7a8941)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5214", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "6e213e33-c2e5-494f-bc1a-bf672f95dcf8", "value": "Devtoolslauncher" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to enable forwarded ports on windows operating systems.\n\n**Author:** Kamran Saifullah\n\n**Paths:**\n* C:\\Users\\\\AppData\\Local\\Temp\\.net\\devtunnel\\\n* C:\\Users\\\\AppData\\Local\\Temp\\DevTunnels\n\n**Resources:**\n* [https://code.visualstudio.com/docs/editor/port-forwarding](https://code.visualstudio.com/docs/editor/port-forwarding)\n\n**Detection:**\n* IOC: devtunnel.exe binary spawned\n* IOC: *.devtunnels.ms\n* IOC: *.*.devtunnels.ms\n* Analysis: 
[https://cydefops.com/vscode-data-exfiltration](https://cydefops.com/vscode-data-exfiltration)[[devtunnel.exe - LOLBAS Project](/references/657c8b4c-1eee-4997-8461-c7592eaed9e8)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5252", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "672d80fe-656e-4b1b-8234-ebf2c5339166", "value": "devtunnel" }, { "description": "According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/dewmode/", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux" ], "software_attack_id": "S5021", "source": "Tidal Cyber", "tags": [ "a98d7a43-f227-478e-81de-e7299639a355", "311abf64-a9cc-4c6a-b778-32c5df5658be" ], "type": [ "malware" ] }, "related": [], "uuid": "ff0b0792-5dd0-4e10-8b84-8da93a0198aa", "value": "DEWMODE" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** ClickOnce engine in Windows used by .NET\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Dfsvc.exe\n* 
C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Dfsvc.exe\n\n**Resources:**\n* [https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf](https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf)\n* [https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe](https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Dfshim.dll - LOLBAS Project](/references/30503e42-6047-46a9-8189-e6caa5f4deb0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5189", "source": "Tidal Cyber", "tags": [ "91fd24c3-f371-4c3b-b997-cd85e25c0967", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "b396eb52-3b6a-44e9-9534-d8b981a52192", "value": "Dfshim" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** ClickOnce engine in Windows used by .NET\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Dfsvc.exe\n\n**Resources:**\n* 
[https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf](https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf)\n* [https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe](https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Dfsvc.exe - LOLBAS Project](/references/7f3a78c0-68b2-4a9d-ae6a-6e63e8ddac3f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5102", "source": "Tidal Cyber", "tags": [ "18d6d91d-7df0-44c8-88fe-986d9ba00b8d", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "f85966ec-0c4d-4f7e-949f-bb73828bf601", "value": "Dfsvc" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary that package existing files into a cabinet (.cab) file\n\n**Author:** Tamir Yehuda\n\n**Paths:**\n* c:\\windows\\system32\\diantz.exe\n* c:\\windows\\syswow64\\diantz.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_diantz_ads.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml)\n* Sigma: 
[proc_creation_win_lolbin_diantz_remote_cab.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml)\n* IOC: diantz storing data into alternate data streams.\n* IOC: diantz getting a file from a remote machine or the internet.[[diantz.exe_lolbas](/references/66652db8-5594-414f-8a6b-83d708a0c1fa)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5103", "source": "Tidal Cyber", "tags": [ "96f9b39f-0c59-48a0-9702-01920c1293a7", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "054ddf05-e9f0-4d14-8493-2a1b2ddbefad", "value": "Diantz" }, { "description": "[Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. 
The [Diavol](https://app.tidalcyber.com/software/d057b6e7-1de4-4f2f-b374-7e879caecd67) Ransomware-as-a-Service (RaaS) program is managed by [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) and it has been observed being deployed by [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac).[[Fortinet Diavol July 2021](https://app.tidalcyber.com/references/28c650f2-8ce8-4c78-ab4a-cae56c1548ed)][[FBI Flash Diavol January 2022](https://app.tidalcyber.com/references/a1691741-9ecd-4b20-8cc9-b9bdfc1592b5)][[DFIR Diavol Ransomware December 2021](https://app.tidalcyber.com/references/eb89f18d-684c-4220-b2a8-967f1f8f9162)][[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0659", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", "type": "similar" } ], "uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67", "value": "Diavol" }, { "description": "[Dipsind](https://app.tidalcyber.com/software/226ee563-4d49-48c2-aa91-82999f43ce30) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://app.tidalcyber.com/groups/f036b992-4c3f-47b7-a458-94ac133bce74). 
[[Microsoft PLATINUM April 2016](https://app.tidalcyber.com/references/d0ec5037-aa7f-48ee-8d37-ff8fb2c8c297)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0200", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" }, { "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", "type": "similar" } ], "uuid": "226ee563-4d49-48c2-aa91-82999f43ce30", "value": "Dipsind" }, { "description": "[Disco](https://app.tidalcyber.com/software/194314e3-4edc-5346-96b6-d2d7bf5d830a) is a custom implant that has been used by [MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1088", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" }, { "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", "type": "similar" } ], "uuid": "194314e3-4edc-5346-96b6-d2d7bf5d830a", "value": "Disco" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\diskshadow.exe\n* C:\\Windows\\SysWOW64\\diskshadow.exe\n\n**Resources:**\n* 
[https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_diskshadow.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml)\n* Sigma: [proc_creation_win_susp_shadow_copies_deletion.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)\n* IOC: Child process from diskshadow.exe[[Diskshadow.exe - LOLBAS Project](/references/27a3f0b4-e699-4319-8b52-8eae4581faa2)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5104", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "07c49566-5bea-44dc-b81f-e6c90bda9c39", "value": "Diskshadow" }, { "description": "Dnscmd is a Windows command-line utility used to manage DNS servers.[[Dnscmd Microsoft](/references/24b1cb7b-357f-470f-9715-fa0ec3958cbb)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5016", "source": "Tidal Cyber", "tags": [ "a45f9597-09c4-4e70-a7d3-d8235d2451a3", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { 
"dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" } ], "uuid": "3fd09997-86e0-4dce-935e-421863e9bad0", "value": "Dnscmd" }, { "description": "[DnsSystem](https://app.tidalcyber.com/software/e69a913d-4ddc-4d69-9961-25a31cae5899) is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least June 2022.[[Zscaler Lyceum DnsSystem June 2022](https://app.tidalcyber.com/references/eb78de14-8044-4466-8954-9ca44a17e895)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1021", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", "type": "similar" } ], "uuid": "e69a913d-4ddc-4d69-9961-25a31cae5899", "value": "DnsSystem" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** .Net Execution environment file included with .Net.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* N/A\n\n**Resources:**\n* [https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/](https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_dnx.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml)\n* Elastic: 
[defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[dnx.exe - LOLBAS Project](/references/50652a27-c47b-41d4-a2eb-2ebf74e5bd09)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5215", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "e2bdda2e-54b4-4d35-b7e5-4e20626a4481", "value": "dnx" }, { "description": "[DOGCALL](https://app.tidalcyber.com/software/81ce23c0-f505-4d75-9928-4fbd627d3bc2) is a backdoor used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. 
[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0213", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", "type": "similar" } ], "uuid": "81ce23c0-f505-4d75-9928-4fbd627d3bc2", "value": "DOGCALL" }, { "description": "[Dok](https://app.tidalcyber.com/software/dfa14314-3c64-4a10-9889-0423b884f7aa) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)).[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)][[hexed osx.dok analysis 2019](https://app.tidalcyber.com/references/96f9d36a-01a5-418e-85f4-957e58d49c1b)][[CheckPoint Dok](https://app.tidalcyber.com/references/8c178fd8-db34-45c6-901a-a8b2c178d809)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0281", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", "type": "similar" } ], "uuid": "dfa14314-3c64-4a10-9889-0423b884f7aa", "value": "Dok" }, { "description": "[Doki](https://app.tidalcyber.com/software/e6160c55-1868-47bd-bec6-7becbf236bbb) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://app.tidalcyber.com/software/e6160c55-1868-47bd-bec6-7becbf236bbb) was used in conjunction with the [ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. 
[[Intezer Doki July 20](https://app.tidalcyber.com/references/688b2582-6602-44e1-aaac-3a4b8e168b04)]", "meta": { "platforms": [ "Containers", "Linux" ], "software_attack_id": "S0600", "source": "MITRE", "tags": [ "efa33611-88a5-40ba-9bc4-3d85c6c8819b" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", "type": "similar" } ], "uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb", "value": "Doki" }, { "description": "[Donut](https://app.tidalcyber.com/software/40d25a38-91f4-4e07-bb97-8866bed8e44f) is an open source framework used to generate position-independent shellcode.[[Donut Github](https://app.tidalcyber.com/references/5f28c41f-6903-4779-93d4-3de99e031b70)][[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)] [Donut](https://app.tidalcyber.com/software/40d25a38-91f4-4e07-bb97-8866bed8e44f) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[[NCC Group WastedLocker June 2020](https://app.tidalcyber.com/references/1520f2e5-2689-428f-9ee4-05e153a52381)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0695", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6", "type": "similar" } ], "uuid": "40d25a38-91f4-4e07-bb97-8866bed8e44f", "value": "Donut" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** dotnet.exe comes with .NET Framework\n\n**Author:** felamos\n\n**Paths:**\n* C:\\Program 
Files\\dotnet\\dotnet.exe\n\n**Resources:**\n* [https://twitter.com/_felamos/status/1204705548668555264](https://twitter.com/_felamos/status/1204705548668555264)\n* [https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc](https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc)\n* [https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/](https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/)\n* [https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/](https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_dotnet.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: dotnet.exe spawned an unknown process[[Dotnet.exe - LOLBAS Project](/references/8abe21ad-88d1-4a5c-b79e-8216b4b06862)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5216", "source": "Tidal Cyber", "tags": [ "09c24b93-bf06-4cbb-acb0-d7b9657a41dc", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1bcd9c93-0944-4671-ab01-cabc5ffe30bf", "value": "Dotnet" }, { "description": "[Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) is a first-stage downloader written in Delphi that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) in rare instances between 2013 and 2015. 
[[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0134", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "type": "similar" } ], "uuid": "f7b64b81-f9e7-46bf-8f63-6d7520da832c", "value": "Downdelph" }, { "description": " [down_new](https://app.tidalcyber.com/software/20b796cf-6c90-4928-999e-88107078e15e) is a downloader that has been used by [BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) since at least 2019.[[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0472", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", "type": "similar" } ], "uuid": "20b796cf-6c90-4928-999e-88107078e15e", "value": "down_new" }, { "description": "[DownPaper](https://app.tidalcyber.com/software/fc433c9d-a7fe-4915-8aa0-06b58f288249) is a backdoor Trojan; its main functionality is to download and run second stage malware. 
[[ClearSky Charming Kitten Dec 2017](https://app.tidalcyber.com/references/23ab1ad2-e9d4-416a-926f-6220a59044ab)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0186", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "type": "similar" } ], "uuid": "fc433c9d-a7fe-4915-8aa0-06b58f288249", "value": "DownPaper" }, { "description": "[DRATzarus](https://app.tidalcyber.com/software/c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf) is a remote access tool (RAT) that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) to target defense and aerospace organizations globally since at least summer 2020. [DRATzarus](https://app.tidalcyber.com/software/c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf) shares similarities with [Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293), which was used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in 2017 to target the Turkish financial sector.[[ClearSky Lazarus Aug 2020](https://app.tidalcyber.com/references/2827e6e4-8163-47fb-9e22-b59e59cd338f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0694", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96", "type": "similar" } ], "uuid": "c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf", "value": "DRATzarus" }, { "description": "[Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. 
[Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) was created from the source code of the Bugat banking Trojan (also known as Cridex).[[Dell Dridex Oct 2015](https://app.tidalcyber.com/references/f81ce947-d875-4631-9709-b54c8b5d25bc)][[Kaspersky Dridex May 2017](https://app.tidalcyber.com/references/52c48bc3-2b53-4214-85c3-7e5dd036c969)][[Treasury EvilCorp Dec 2019](https://app.tidalcyber.com/references/074a52c4-26d9-4083-9349-c14e2639c1bc)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0384", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", "type": "similar" } ], "uuid": "e3cd4405-b698-41d9-88e4-fff29e7a19e2", "value": "Dridex" }, { "description": "[DropBook](https://app.tidalcyber.com/software/9c44d3f9-7a7b-4716-9cfa-640b36548ab0) is a Python-based backdoor compiled with PyInstaller.[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0547", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", "type": "similar" } ], "uuid": "9c44d3f9-7a7b-4716-9cfa-640b36548ab0", "value": "DropBook" }, { "description": "[Drovorub](https://app.tidalcyber.com/software/bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5).[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)]", "meta": { 
"platforms": [ "Linux" ], "software_attack_id": "S0502", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "1efd43ee-5752-49f2-99fe-e3441f126b00", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a", "type": "similar" } ], "uuid": "bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b", "value": "Drovorub" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.\n\n**Author:** Ekitji\n\n**Paths:**\n* C:\\Windows\\System32\\dsdbutil.exe\n* C:\\Windows\\SysWOW64\\dsdbutil.exe\n\n**Resources:**\n* [https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358](https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358)\n* [https://www.netwrix.com/ntds_dit_security_active_directory.html](https://www.netwrix.com/ntds_dit_security_active_directory.html)\n\n**Detection:**\n* IOC: Event ID 4688\n* IOC: dsdbutil.exe process creation\n* IOC: Event ID 4663\n* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit\n* IOC: Event ID 4656\n* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit\n* Analysis: None Provided\n* Sigma: None Provided\n* Elastic: None Provided\n* Splunk: None Provided\n* BlockRule: None Provided[[dsdbutil.exe - LOLBAS Project](/references/fc982faf-a37d-4d0b-949c-f7a27adc3030)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5217", "source": "Tidal Cyber", 
"tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9139c12f-a6d9-4300-8735-9298bc46a0bf", "value": "dsdbutil" }, { "description": "[dsquery](https://app.tidalcyber.com/software/06402bdc-a4a1-4e4a-bfc4-09f2c159af75) is a command-line utility that can be used to query Active Directory for information from a system within a domain. [[TechNet Dsquery](https://app.tidalcyber.com/references/bbbb4a45-2963-4f04-901a-fb2752800e12)] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0105", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "cb3d30b3-8cfc-4202-8615-58a9b8f7f118", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "type": "similar" } ], "uuid": "06402bdc-a4a1-4e4a-bfc4-09f2c159af75", "value": "dsquery" }, { "description": "[Dtrack](https://app.tidalcyber.com/software/aa21462d-9653-48eb-a82e-5c93c9db5f7a) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://app.tidalcyber.com/software/aa21462d-9653-48eb-a82e-5c93c9db5f7a) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). 
[[Kaspersky Dtrack](https://app.tidalcyber.com/references/0122ee35-938d-493f-a3bb-bc75fc808f62)][[Securelist Dtrack](https://app.tidalcyber.com/references/49bd8841-a4b5-4ced-adfa-0ad0c8625ccd)][[Dragos WASSONITE](https://app.tidalcyber.com/references/39e6ab06-9f9f-4292-9034-b2f56064164d)][[CyberBit Dtrack](https://app.tidalcyber.com/references/1ac944f4-868c-4312-8b5d-1580fd6542a0)][[ZDNet Dtrack](https://app.tidalcyber.com/references/6e6e02da-b805-47d7-b410-343a1b5da042)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0567", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759", "type": "similar" } ], "uuid": "aa21462d-9653-48eb-a82e-5c93c9db5f7a", "value": "Dtrack" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Memory dump tool that comes with Microsoft Visual Studio\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\Feedback\\dump64.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1460597833917251595](https://twitter.com/mrd0x/status/1460597833917251595)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_dump64.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[Dump64.exe - LOLBAS Project](/references/b0186447-a6d5-40d7-a11d-ab2e9fb93087)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5218", "source": "Tidal Cyber", 
"tags": [ "0f09c7f5-ba57-4ef0-a196-e85558804496", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "13482336-e22b-48e9-bd49-c6e6fc6612ec", "value": "Dump64" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dump tool part Visual Studio 2022\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1511415432888131586](https://twitter.com/mrd0x/status/1511415432888131586)\n\n**Detection:**\n* Sigma: [proc_creation_win_dumpminitool_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml)\n* Sigma: [proc_creation_win_dumpminitool_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml)\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5219", "source": "Tidal Cyber", "tags": [ "3b6ad94f-83ce-47bf-b82d-b98358d23434", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7f3bf76a-4e6a-45f1-a4bf-400d5a914e52", "value": "DumpMinitool" }, { 
"description": "[Duqu](https://app.tidalcyber.com/software/d4a664e5-9819-4f33-8b2b-e6f8e6a64999) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [[Symantec W32.Duqu](https://app.tidalcyber.com/references/8660411a-6b9c-46c2-8f5f-049ec60c7d40)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0038", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "type": "similar" } ], "uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999", "value": "Duqu" }, { "description": "[DustySky](https://app.tidalcyber.com/software/77506f02-104f-4aac-a4e0-9649bd7efe2e) is multi-stage malware written in .NET that has been used by [Molerats](https://app.tidalcyber.com/groups/679b7b6b-9659-4e56-9ffd-688a6fab01b6) since May 2015. [[DustySky](https://app.tidalcyber.com/references/b9e0770d-f54a-4ada-abd1-65c45eee00fa)] [[DustySky2](https://app.tidalcyber.com/references/4a3ecdec-254c-4eb4-9126-f540bb21dffe)][[Kaspersky MoleRATs April 2019](https://app.tidalcyber.com/references/38216a34-5ffd-4e79-80b1-7270743b728e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0062", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "type": "similar" } ], "uuid": "77506f02-104f-4aac-a4e0-9649bd7efe2e", "value": "DustySky" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** DirectX diagnostics/debugger included with Visual Studio.\n\n**Author:** Oddvar 
Moe\n\n**Paths:**\n* C:\\Windows\\System32\\dxcap.exe\n* C:\\Windows\\SysWOW64\\dxcap.exe\n\n**Resources:**\n* [https://twitter.com/harr0ey/status/992008180904419328](https://twitter.com/harr0ey/status/992008180904419328)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_dxcap.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml)[[Dxcap.exe - LOLBAS Project](/references/7611eb7a-46b7-4c76-9728-67c1fbf20e17)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5220", "source": "Tidal Cyber", "tags": [ "6d065f28-e32d-4e87-b315-c43ebc45532a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9b5039b9-c5f1-4516-88ef-f63966ec2b36", "value": "Dxcap" }, { "description": "[Dyre](https://app.tidalcyber.com/software/38e012f7-fb3a-4250-a129-92da3a488724) is a banking Trojan that has been used for financial gain. \n [[Symantec Dyre June 2015](https://app.tidalcyber.com/references/a9780bb0-302f-44c2-8252-b53d94da24e6)][[Malwarebytes Dyreza November 2015](https://app.tidalcyber.com/references/0a5719f2-8a88-44e2-81c5-2d16a39f1f8d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0024", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "type": "similar" } ], "uuid": "38e012f7-fb3a-4250-a129-92da3a488724", "value": "Dyre" }, { "description": "Earthworm is an open-source tool. 
According to its project website, Earthworm is a \"simple network tunnel with SOCKS v5 server and port transfer\".[[Elastic Docs Potential Protocol Tunneling via EarthWorm](/references/a02790a1-f7c5-43b6-bc7e-075b2c0aa791)] According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.[[U.S. CISA Volt Typhoon May 24 2023](/references/12320f38-ebbf-486a-a450-8a548c3722d6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5013", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" } ], "uuid": "ee14e483-b5ef-4931-9c2a-72046b6555cc", "value": "Earthworm" }, { "description": "[Ebury](https://app.tidalcyber.com/software/2375465a-e6a9-40ab-b631-a5b04cf5c689) is an SSH backdoor targeting Linux operating systems. 
Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[[ESET Ebury Feb 2014](https://app.tidalcyber.com/references/eb6d4f77-ac63-4cb8-8487-20f9e709334b)][[BleepingComputer Ebury March 2017](https://app.tidalcyber.com/references/e5d69297-b0f3-4586-9eb7-d2922b3ee7bb)][[ESET Ebury Oct 2017](https://app.tidalcyber.com/references/5257a8ed-1cc8-42f8-86a7-8c0fd0e553a7)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0377", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eeb69751-8c22-4a5f-8da2-239cc7d7746c", "type": "used-by" }, { "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "type": "similar" } ], "uuid": "2375465a-e6a9-40ab-b631-a5b04cf5c689", "value": "Ebury" }, { "description": "[ECCENTRICBANDWAGON](https://app.tidalcyber.com/software/70f703b3-0e24-4ffe-9772-f0e386ec607f) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. 
It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[[CISA EB Aug 2020](https://app.tidalcyber.com/references/a1b143f9-ca85-4c11-8909-49423c9ffeab)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0593", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", "type": "similar" } ], "uuid": "70f703b3-0e24-4ffe-9772-f0e386ec607f", "value": "ECCENTRICBANDWAGON" }, { "description": "[Ecipekac](https://app.tidalcyber.com/software/6508d3dc-eb22-468c-9122-dcf541caa69c) is a multi-layer loader that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) since at least 2019 including use as a loader for [P8RAT](https://app.tidalcyber.com/software/1933ad3d-3085-4b1b-82b9-ac51b440e2bf), [SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a), and [FYAnti](https://app.tidalcyber.com/software/be9a2ae5-373a-4dee-9c1e-b54235dafed0).[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0624", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", "type": "similar" } ], "uuid": "6508d3dc-eb22-468c-9122-dcf541caa69c", "value": "Ecipekac" }, { "description": "EDRKillShifter is a suspected threat actor-developed tool that is designed to disable victim endpoint detection & response (EDR) software. In August 2024, security researchers reported that the RansomHub ransomware group had deployed EDRKillShifter during attacks in May. 
The researchers also noted that EDRKillShifter primarily functions as a loader for payloads that could vary. This object mainly reflects ATT&CK Techniques associated with observed EDRKillShifter loader and payload deployments reported in August 2024.[[Sophos News August 14 2024](/references/d0811fd4-e89d-4337-9bc1-a9a8774d44b1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5332", "source": "Tidal Cyber", "tags": [ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" } ], "uuid": "1233436f-2a00-4557-89a4-8cbc45e6f9f7", "value": "EDRKillShifter" }, { "description": "[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)][[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)][[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0554", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad", "0ed7d10c-c65b-4174-9edb-446bf301d250", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "cc4c1287-9c86-4447-810c-744f3880ec37", "type": "similar" } ], "uuid": 
"0e36b62f-a6e2-4406-b3d9-e05204e14a66", "value": "Egregor" }, { "description": "[EKANS](https://app.tidalcyber.com/software/cd7821cb-32f3-4d81-a5d1-0cdee94a15c4) is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://app.tidalcyber.com/software/cd7821cb-32f3-4d81-a5d1-0cdee94a15c4) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10).[[Dragos EKANS](https://app.tidalcyber.com/references/c8a018c5-caa3-4af1-b210-b65bbf94c8b2)][[Palo Alto Unit 42 EKANS](https://app.tidalcyber.com/references/dcdd4e48-3c3d-4008-a6f6-390f896f147b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0605", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "type": "similar" } ], "uuid": "cd7821cb-32f3-4d81-a5d1-0cdee94a15c4", "value": "EKANS" }, { "description": "This object reflects the ATT&CK Techniques associated with binaries of Eldorado, a ransomware-as-a-service (\"RaaS\") first observed in March 2024.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)] A small number of Techniques associated with threat actors who deploy Eldorado can be found in the \"Eldorado Ransomware Operators\" Group object.\n\nEldorado is written in the cross-platform Golang language. A custom \"builder\" allows threat actors to create both Windows- and Linux-focused versions of the ransomware. 
Researchers indicate that the Linux version has a relatively simple set of capabilities, lacking any native discovery, defense evasion, or other common post-exploit abilities common in many modern (Windows) ransomware. The operator must have access to the target system(s) and must provide a target directory path, after which the ransomware will recursively loop through the files within that path and encrypt them (T1486).[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "Windows" ], "software_attack_id": "S5330", "source": "Tidal Cyber", "tags": [ "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "7e7b0c67-bb85-4996-a289-da0e792d7172", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "26e1c52e-0c48-4cd0-bdc5-9cf981a6e714", "type": "used-by" } ], "uuid": "a2ad5253-e31b-432c-804d-971be8652344", "value": "Eldorado Ransomware" }, { "description": "[Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. 
[[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)][[Accenture Dragonfish Jan 2018](https://app.tidalcyber.com/references/f692c6fa-7b3a-4d1d-9002-b1a59f7116f4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0081", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" }, { "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "type": "similar" } ], "uuid": "fd5efee9-8710-4536-861f-c88d882f4d24", "value": "Elise" }, { "description": "[ELMER](https://app.tidalcyber.com/software/6a3ca97e-6dd6-44e5-a5f0-7225099ab474) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://app.tidalcyber.com/groups/06a05175-0812-44f5-a529-30eba07d1762). [[FireEye EPS Awakens Part 2](https://app.tidalcyber.com/references/7fd58ef5-a0b7-40b6-8771-ca5e87740965)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0064", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "06a05175-0812-44f5-a529-30eba07d1762", "type": "used-by" }, { "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "type": "similar" } ], "uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474", "value": "ELMER" }, { "description": "[Emissary](https://app.tidalcyber.com/software/fd95d38d-83f9-4b31-8292-ba2b04275b36) is a Trojan that has been used by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It shares code with [Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24), with both Trojans being part of a malware group referred to as LStudio. 
[[Lotus Blossom Dec 2015](https://app.tidalcyber.com/references/dcbe51a0-6d63-4401-b19e-46cd3c42204c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0082", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" }, { "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "type": "similar" } ], "uuid": "fd95d38d-83f9-4b31-8292-ba2b04275b36", "value": "Emissary" }, { "description": "[Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [[Trend Micro Banking Malware Jan 2019](https://app.tidalcyber.com/references/4fee21e3-1b8f-4e10-b077-b59e2df94633)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0367", "source": "MITRE", "tags": [ "71dfe8d1-666f-4e71-8761-d2876078fb3e", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", "type": "similar" } ], "uuid": "c987d255-a351-4736-913f-91e2f28d0654", "value": "Emotet" }, { "description": "[Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. 
While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) for Windows and Python for Linux/macOS. [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)][[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)][[GitHub ATTACK Empire](https://app.tidalcyber.com/references/b3d6bb33-2b23-4c0a-b8fa-e002a5c7edfc)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0363", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "4f05a12d-f497-4081-acb9-9a257ab87886", "15787198-6c8b-4f79-bf50-258d55072fee", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" }, { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": 
"eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" }, { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "similar" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", "value": "Empire" }, { "description": "[EnvyScout](https://app.tidalcyber.com/software/8da6fbf0-a18d-49a0-9235-101300d49d5e) is a dropper that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021.[[MSTIC Nobelium Toolset May 2021](https://app.tidalcyber.com/references/52464e69-ff9e-4101-9596-dd0c6404bf76)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0634", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", "type": "similar" } ], "uuid": "8da6fbf0-a18d-49a0-9235-101300d49d5e", "value": "EnvyScout" }, { "description": "[Epic](https://app.tidalcyber.com/software/a7e71387-b276-413c-a0de-4cf07e39b158) is a backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2). 
[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0091", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "type": "similar" } ], "uuid": "a7e71387-b276-413c-a0de-4cf07e39b158", "value": "Epic" }, { "description": "[esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[[Microsoft Esentutl](https://app.tidalcyber.com/references/08fb9e84-495f-4710-bd1e-417eb8191a10)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0404", "source": "MITRE", "tags": [ "ee88899a-2bf0-4b96-bf69-5b686fa463c3", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", "type": "similar" } ], "uuid": "a7589733-6b04-4215-a4e7-4b62cd4610fa", "value": "esentutl" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Displays Windows Event Logs in a GUI window.\n\n**Author:** Jacob Gajek\n\n**Paths:**\n* C:\\Windows\\System32\\eventvwr.exe\n* C:\\Windows\\SysWOW64\\eventvwr.exe\n\n**Resources:**\n* 
[https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)\n* [https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1](https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1)\n* [https://twitter.com/orange_8361/status/1518970259868626944](https://twitter.com/orange_8361/status/1518970259868626944)\n\n**Detection:**\n* Sigma: [proc_creation_win_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml)\n* Sigma: [registry_set_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml)\n* Sigma: [file_event_win_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml)\n* Elastic: [privilege_escalation_uac_bypass_event_viewer.toml](https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml)\n* Splunk: [eventvwr_uac_bypass.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml)\n* IOC: eventvwr.exe launching child process other than mmc.exe\n* IOC: Creation or modification of the registry value HKCU\\Software\\Classes\\mscfile\\shell\\open\\command[[Eventvwr.exe - LOLBAS Project](/references/0c09812a-a936-4282-b574-35a00f631857)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5105", "source": "Tidal Cyber", "tags": [ "59d03fb8-0620-468a-951c-069473cb86bc", "303a3675-4855-4323-b042-95bb1d907cca", 
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "4c371bd9-c97c-42ab-b913-1e19cd409382", "value": "Eventvwr" }, { "description": "[EvilBunny](https://app.tidalcyber.com/software/300e8176-e7ee-44ef-8d10-dff96502f6c6) is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[[Cyphort EvilBunny Dec 2014](https://app.tidalcyber.com/references/a0218d0f-3378-4508-9d3c-a7cd3e00a156)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0396", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a8a778f5-0035-4870-bb25-53dc05029586", "type": "similar" } ], "uuid": "300e8176-e7ee-44ef-8d10-dff96502f6c6", "value": "EvilBunny" }, { "description": "EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a \"Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication\".[[GitHub evilginx2](/references/eea178f4-80bd-49d1-84b1-f80671e9a3e4)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5078", "source": "Tidal Cyber", "tags": [ "fe28cf32-a15c-44cf-892c-faa0360d6109", "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a13bd574-b907-4489-96ab-8d30faf7fca4", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "4892c22d-6fd4-4876-8e8a-af968cf61ecc", "value": "EvilGinx" }, { "description": "[EvilGrab](https://app.tidalcyber.com/software/e862419c-d6b6-4433-a02a-c1cc98ea6f9e) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) via malicious Microsoft Office documents as part of spearphishing campaigns. 
[[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0152", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "type": "similar" } ], "uuid": "e862419c-d6b6-4433-a02a-c1cc98ea6f9e", "value": "EvilGrab" }, { "description": "[EVILNUM](https://app.tidalcyber.com/software/e0eaae6d-5137-4053-bf37-ff90bf5767a9) is a fully capable backdoor that was first identified in 2018. [EVILNUM](https://app.tidalcyber.com/software/e0eaae6d-5137-4053-bf37-ff90bf5767a9) is used by the APT group [Evilnum](https://app.tidalcyber.com/groups/4bdc62c9-af6a-4377-8431-58a6f39235dd) which has the same name.[[ESET EvilNum July 2020](https://app.tidalcyber.com/references/6851b3f9-0239-40fc-ba44-34a775e9bd4e)][[Prevailion EvilNum May 2020](https://app.tidalcyber.com/references/533b8ae2-2fc3-4cf4-bcaa-5d8bfcba91c0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0568", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" }, { "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", "type": "similar" } ], "uuid": "e0eaae6d-5137-4053-bf37-ff90bf5767a9", "value": "EVILNUM" }, { "description": "[Exaramel for Linux](https://app.tidalcyber.com/software/c773f709-b5fe-4514-9d88-24ceb0dd8063) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. 
The Windows version is tracked separately under [Exaramel for Windows](https://app.tidalcyber.com/software/21569dfb-c9f1-468e-903e-348f19dbae1f).[[ESET TeleBots Oct 2018](https://app.tidalcyber.com/references/56372448-03f5-49b5-a2a9-384fbd49fefc)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0401", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", "type": "similar" } ], "uuid": "c773f709-b5fe-4514-9d88-24ceb0dd8063", "value": "Exaramel for Linux" }, { "description": "[Exaramel for Windows](https://app.tidalcyber.com/software/21569dfb-c9f1-468e-903e-348f19dbae1f) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://app.tidalcyber.com/software/c773f709-b5fe-4514-9d88-24ceb0dd8063).[[ESET TeleBots Oct 2018](https://app.tidalcyber.com/references/56372448-03f5-49b5-a2a9-384fbd49fefc)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0343", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", "type": "similar" } ], "uuid": "21569dfb-c9f1-468e-903e-348f19dbae1f", "value": "Exaramel for Windows" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary\n\n**Author:** Reegun J (OCBC Bank)\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\Excel.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft 
Office\\Office16\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\Excel.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\Excel.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Excel.exe\n\n**Resources:**\n* [https://twitter.com/reegun21/status/1150032506504151040](https://twitter.com/reegun21/status/1150032506504151040)\n* [https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_office.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml)\n* IOC: Suspicious Office application Internet/network traffic[[Excel.exe - LOLBAS Project](/references/9a2458f7-63ca-4eca-8c61-b6098ec0798f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5221", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "46efd94e-afd2-4536-8525-0619fc56966f", "value": "Excel" }, { "description": "ExMatter is a custom data exfiltration tool. 
It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.[[Symantec Noberus September 22 2022](/references/afd6808d-2c9f-4926-b7c6-ca9d3abdd923)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5054", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "068b26ae-39b5-4b4e-8faa-eb304a17687d", "value": "ExMatter" }, { "description": "[Expand](https://app.tidalcyber.com/software/5d7a39e3-c667-45b3-987e-3b0ca49cff61) is a Windows utility used to expand one or more compressed CAB files.[[Microsoft Expand Utility](https://app.tidalcyber.com/references/bf73a375-87b7-4603-8734-9f3d8d11967e)] It has been used by [BBSRAT](https://app.tidalcyber.com/software/be4dab36-d499-4ac3-b204-5e309e3a5331) to decompress a CAB file into executable content.[[Palo Alto Networks BBSRAT](https://app.tidalcyber.com/references/8c5d61ba-24c5-4f6c-a208-e0a5d23ebb49)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0361", "source": "MITRE", "tags": [ "182dd4be-bbda-404f-aad1-156a22bbe7a4", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", "type": "similar" } ], "uuid": "5d7a39e3-c667-45b3-987e-3b0ca49cff61", "value": "Expand" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under 
[GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used for managing files and system components within Windows\n\n**Author:** Jai Minton\n\n**Paths:**\n* C:\\Windows\\explorer.exe\n* C:\\Windows\\SysWOW64\\explorer.exe\n\n**Resources:**\n* [https://twitter.com/CyberRaiju/status/1273597319322058752?s=20](https://twitter.com/CyberRaiju/status/1273597319322058752?s=20)\n* [https://twitter.com/bohops/status/1276356245541335048](https://twitter.com/bohops/status/1276356245541335048)\n* [https://twitter.com/bohops/status/986984122563391488](https://twitter.com/bohops/status/986984122563391488)\n\n**Detection:**\n* Sigma: [proc_creation_win_explorer_break_process_tree.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml)\n* Sigma: [proc_creation_win_explorer_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml)\n* Elastic: [initial_access_via_explorer_suspicious_child_parent_args.toml](https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml)\n* IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.[[Explorer.exe - LOLBAS Project](/references/9ba3d54c-02d1-45bd-bfe8-939e84d9d44b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5106", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" } ], "uuid": 
"b792d713-fbb4-46e6-94ae-8b9a1f4e794d", "value": "Explorer" }, { "description": "[Explosive](https://app.tidalcyber.com/software/572eec55-2855-49ac-a82e-2c21e9aca27e) is a custom-made remote access tool used by the group [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937). It was first identified in the wild in 2015.[[CheckPoint Volatile Cedar March 2015](https://app.tidalcyber.com/references/a26344a2-63ca-422e-8cf9-0cf22a5bee72)][[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0569", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", "type": "similar" } ], "uuid": "572eec55-2855-49ac-a82e-2c21e9aca27e", "value": "Explosive" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load a DLL located in the c:\\test folder with a specific name.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Internet Explorer\\Extexport.exe\n* C:\\Program Files (x86)\\Internet Explorer\\Extexport.exe\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/](http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_extexport.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml)\n* IOC: Extexport.exe loads a DLL and is executed from a folder other than its original path[[Extexport.exe - LOLBAS 
Project](/references/2aa09a10-a492-4753-bbd8-aacd31e4fee3)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5107", "source": "Tidal Cyber", "tags": [ "5b81675a-742a-4ffd-b410-44ce3f1b0831", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "2e6f1aed-a983-44fb-aed1-b4a3d9cb9488", "value": "Extexport" }, { "description": "ExtPassword is a tool used to recover passwords from Windows systems.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5030", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "363c38fc-8676-4a63-b3f4-f0237565a951", "value": "ExtPassword" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Extract to ADS, copy or overwrite a file with Extrac32.exe\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\extrac32.exe\n* C:\\Windows\\SysWOW64\\extrac32.exe\n\n**Resources:**\n* 
[https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n* [https://twitter.com/egre55/status/985994639202283520](https://twitter.com/egre55/status/985994639202283520)\n\n**Detection:**\n* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)\n* Sigma: [proc_creation_win_lolbin_extrac32.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml)\n* Sigma: [proc_creation_win_lolbin_extrac32_ads.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml)[[Extrac32.exe - LOLBAS Project](/references/ae632afc-336c-488e-81f6-91ffe1829595)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5108", "source": "Tidal Cyber", "tags": [ "92092803-19a9-4288-b7fb-08e92e8ea693", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "53dc0180-0309-4489-af75-9c76b2887359", "value": "Extrac32" }, { "description": "[FakeM](https://app.tidalcyber.com/software/8c64a330-1457-4c32-ab2f-12b6eb37d607) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4). 
[[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0076", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" }, { "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "type": "similar" } ], "uuid": "8c64a330-1457-4c32-ab2f-12b6eb37d607", "value": "FakeM" }, { "description": "FakePenny is a ransomware family that includes both a loader and an encryptor; it is believed to have been developed by the North Korean threat actor Moonstone Sleet.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5321", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", "type": "used-by" } ], "uuid": "acbff463-ba1c-4d26-ab99-b9aa47b81c68", "value": "FakePenny" }, { "description": "[FALLCHILL](https://app.tidalcyber.com/software/ea47f1fd-0171-4254-8c92-92b7a5eec5e1) is a RAT that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) malware or delivered when a victim unknowingly visits a compromised website. 
[[US-CERT FALLCHILL Nov 2017](https://app.tidalcyber.com/references/045e03f9-af83-4442-b69e-b80f68e570ac)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0181", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "type": "similar" } ], "uuid": "ea47f1fd-0171-4254-8c92-92b7a5eec5e1", "value": "FALLCHILL" }, { "description": "[FatDuke](https://app.tidalcyber.com/software/997ff740-1b00-40b6-887a-ef4101e93295) is a backdoor used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2016.[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0512", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", "type": "similar" } ], "uuid": "997ff740-1b00-40b6-887a-ef4101e93295", "value": "FatDuke" }, { "description": "[Felismus](https://app.tidalcyber.com/software/c66ed8ab-4692-4948-820e-5ce87cc78db5) is a modular backdoor that has been used by [Sowbug](https://app.tidalcyber.com/groups/6632f07f-7c6b-4d12-8544-82edc6a7a577). 
[[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)] [[Forcepoint Felismus Mar 2017](https://app.tidalcyber.com/references/23b94586-3856-4937-9b02-4fe184b7ba01)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0171", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" }, { "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "type": "similar" } ], "uuid": "c66ed8ab-4692-4948-820e-5ce87cc78db5", "value": "Felismus" }, { "description": "[FELIXROOT](https://app.tidalcyber.com/software/4b1a07cd-4c1f-4d93-a454-07fd59b3039a) is a backdoor that has been used to target Ukrainian victims. [[FireEye FELIXROOT July 2018](https://app.tidalcyber.com/references/501057e2-9a31-46fe-aaa0-427218682153)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0267", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", "type": "similar" } ], "uuid": "4b1a07cd-4c1f-4d93-a454-07fd59b3039a", "value": "FELIXROOT" }, { "description": "[Ferocious](https://app.tidalcyber.com/software/3e54ba7a-fd4c-477f-9c2d-34b4f69fc091) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) since at least 2021.[[Kaspersky WIRTE November 2021](https://app.tidalcyber.com/references/143b4694-024d-49a5-be3c-d9ceca7295b2)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0679", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" }, { "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", "type": "similar" } ], "uuid": "3e54ba7a-fd4c-477f-9c2d-34b4f69fc091", "value": "Ferocious" }, { "description": "[Fgdump](https://app.tidalcyber.com/software/1bbf04bb-d869-48c5-a538-70a25503de1d) is a Windows password 
hash dumper. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0120", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", "type": "similar" } ], "uuid": "1bbf04bb-d869-48c5-a538-70a25503de1d", "value": "Fgdump" }, { "description": "FileZilla is a cross-platform tool used to transfer files over the File Transfer Protocol (FTP) to a site, server, or host.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5031", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "8bf128ad-288b-41bc-904f-093f4fdde745", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "f2a6f899-15a8-4d77-bebd-14bc03958764", "value": "FileZilla" }, { "description": "[Final1stspy](https://app.tidalcyber.com/software/eb4dc358-e353-47fc-8207-b7cb10d580f7) is a dropper family that has been used to deliver [DOGCALL](https://app.tidalcyber.com/software/81ce23c0-f505-4d75-9928-4fbd627d3bc2).[[Unit 42 Nokki Oct 
2018](https://app.tidalcyber.com/references/4eea6638-a71b-4d74-acc4-0fac82ef72f6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0355", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", "type": "similar" } ], "uuid": "eb4dc358-e353-47fc-8207-b7cb10d580f7", "value": "Final1stspy" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Write to ADS, discover, or download files with Findstr.exe\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\findstr.exe\n* C:\\Windows\\SysWOW64\\findstr.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_findstr.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml)[[Findstr.exe - LOLBAS Project](/references/fc4b7b28-ac74-4a8f-a39d-ce55df5fca08)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5109", "source": "Tidal Cyber", "tags": [ "6ca537bb-94b6-4b12-8978-6250baa6a5cb", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": 
"646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" } ], "uuid": "a62634f8-8f42-4874-9669-bea2e053dfea", "value": "Findstr" }, { "description": "[FinFisher](https://app.tidalcyber.com/software/41f54ce1-842c-428a-977f-518a5b63b4d7) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://app.tidalcyber.com/software/3e70078f-407e-4b03-b604-bdc05b372f37). [[FinFisher Citation](https://app.tidalcyber.com/references/6ef0b8d8-ba98-49ce-807d-5a85d111b027)] [[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)] [[FireEye FinSpy Sept 2017](https://app.tidalcyber.com/references/142cf7a3-2ca2-4cf3-b95a-9f4b3bc1cdce)] [[Securelist BlackOasis Oct 2017](https://app.tidalcyber.com/references/66121c37-6b66-4ab2-9f63-1adb80dcec62)] [[Microsoft FinFisher March 2018](https://app.tidalcyber.com/references/88c97a9a-ef14-4695-bde0-9de2b5f5343b)]", "meta": { "platforms": [ "Android", "Windows" ], "software_attack_id": "S0182", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" }, { "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", "type": "similar" } ], "uuid": "41f54ce1-842c-428a-977f-518a5b63b4d7", "value": "FinFisher" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Displays information about a user or users on a specified remote computer that is running the Finger service or daemon\n\n**Author:** Ruben Revuelta\n\n**Paths:**\n* 
c:\\windows\\system32\\finger.exe\n* c:\\windows\\syswow64\\finger.exe\n\n**Resources:**\n* [https://twitter.com/DissectMalware/status/997340270273409024](https://twitter.com/DissectMalware/status/997340270273409024)\n* [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11))\n\n**Detection:**\n* Sigma: [proc_creation_win_finger_usage.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml)\n* IOC: finger.exe should not be run on a normal workstation.\n* IOC: finger.exe connecting to external resources.[[Finger.exe - LOLBAS Project](/references/e32d01eb-d904-43dc-a7e2-bdcf42f3ebb2)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5110", "source": "Tidal Cyber", "tags": [ "1da4f610-4c54-46a3-b9b3-c38a002b623e", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "a9ce311d-dd8c-497d-b38f-b535d7318ed4", "value": "Finger" }, { "description": "[FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) is a customized version of [DEATHRANSOM](https://app.tidalcyber.com/software/832f5ab1-1267-40c9-84ef-f32d6373be4e) ransomware written in C++. 
[FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with [SombRAT](https://app.tidalcyber.com/software/0ec24158-d5d7-4d2e-b5a5-bc862328a317).[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)][[NCC Group Fivehands June 2021](https://app.tidalcyber.com/references/33955c35-e8cd-4486-b1ab-6f992319c81c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0618", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "f1ad9eba-f4fd-4aec-92c0-833ac14d741b", "5e7433ad-a894-4489-93bc-41e90da90019", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "f464354c-7103-47c6-969b-8766f0157ed2", "type": "similar" } ], "uuid": "84187393-2fe9-4136-8720-a6893734ee8c", "value": "FIVEHANDS" }, { "description": "[Flagpro](https://app.tidalcyber.com/software/977aaf8a-2216-40f0-8682-61dd91638147) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) since at least October 2020. 
It has primarily been used against defense, media, and communications companies in Japan.[[NTT Security Flagpro new December 2021](https://app.tidalcyber.com/references/c0f523fa-7f3b-4c85-b48f-19ae770e9f3b)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0696", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", "type": "similar" } ], "uuid": "977aaf8a-2216-40f0-8682-61dd91638147", "value": "Flagpro" }, { "description": "[Flame](https://app.tidalcyber.com/software/87604333-638f-4f4a-94e0-16aa825dd5b8) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [[Kaspersky Flame](https://app.tidalcyber.com/references/6db8f76d-fe38-43b1-ad85-ad372da9c09d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0143", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "type": "similar" } ], "uuid": "87604333-638f-4f4a-94e0-16aa825dd5b8", "value": "Flame" }, { "description": "[FLASHFLOOD](https://app.tidalcyber.com/software/44a5e62a-6de4-49d2-8f1b-e68ecdf9f332) is malware developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that allows propagation and exfiltration of data over removable devices. [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) may use this capability to exfiltrate data across air-gaps. 
[[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0036", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" }, { "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "type": "similar" } ], "uuid": "44a5e62a-6de4-49d2-8f1b-e68ecdf9f332", "value": "FLASHFLOOD" }, { "description": "[FlawedAmmyy](https://app.tidalcyber.com/software/308dbe77-3d58-40bb-b0a5-cd00f152dc60) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://app.tidalcyber.com/software/308dbe77-3d58-40bb-b0a5-cd00f152dc60) was based on leaked source code for a version of Ammyy Admin, a remote access software.[[Proofpoint TA505 Mar 2018](https://app.tidalcyber.com/references/44e48c77-59dd-4851-8455-893513b7cf45)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0381", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", "type": "similar" } ], "uuid": "308dbe77-3d58-40bb-b0a5-cd00f152dc60", "value": "FlawedAmmyy" }, { "description": "[FlawedGrace](https://app.tidalcyber.com/software/c558e948-c817-4494-a95d-ad3207f10e26) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0383", "source": "MITRE", "tags": [ "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, 
"related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, { "dest-uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df", "type": "used-by" }, { "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", "type": "similar" } ], "uuid": "c558e948-c817-4494-a95d-ad3207f10e26", "value": "FlawedGrace" }, { "description": "FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[[Cyber Centre ALPHV/BlackCat July 25 2023](/references/610c8f22-1a96-42d2-934d-8467d136eed2)][[CrowdStrike Scattered Spider SIM Swapping December 22 2022](/references/e48760ba-2752-4d30-8f99-152c81f63017)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5056", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "68758d3a-ec4b-4c19-933d-b4c3000281b2", "value": "FleetDeck" }, { "description": "[FLIPSIDE](https://app.tidalcyber.com/software/18002747-ddcc-42c1-b0ca-1e598a9f1919) is a simple tool similar to Plink that is used by [FIN5](https://app.tidalcyber.com/groups/7902f5cc-d6a5-4a57-8d54-4c75e0c58b83) to maintain access to victims. 
[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0173", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" }, { "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "type": "similar" } ], "uuid": "18002747-ddcc-42c1-b0ca-1e598a9f1919", "value": "FLIPSIDE" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Filter Manager Control Program used by Windows\n\n**Author:** John Lambert\n\n**Paths:**\n* C:\\Windows\\System32\\fltMC.exe\n\n**Resources:**\n* [https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon](https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon)\n\n**Detection:**\n* Sigma: [proc_creation_win_fltmc_unload_driver_sysmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml)\n* Elastic: [defense_evasion_via_filter_manager.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml)\n* Splunk: [unload_sysmon_filter_driver.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml)\n* IOC: 4688 events with fltMC.exe[[fltMC.exe - LOLBAS Project](/references/cf9b4bd3-92f0-405b-85e7-95e65d548b79)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5111", "source": "Tidal Cyber", "tags": [ 
"49bbb074-2406-4f27-ad77-d2e433ba1ccb", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "43d57826-cd15-4154-8f04-38351c96986e", "value": "fltMC" }, { "description": "[FoggyWeb](https://app.tidalcyber.com/software/bc11844e-0348-4eed-a48a-0554d68db38c) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least early April 2021.[[MSTIC FoggyWeb September 2021](https://app.tidalcyber.com/references/1ef61100-c5e7-4725-8456-e508c5f6d68a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0661", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", "type": "similar" } ], "uuid": "bc11844e-0348-4eed-a48a-0554d68db38c", "value": "FoggyWeb" }, { "description": "Fog is a ransomware family first observed in May 2024. 
Its distribution has been linked to Storm-0844, a threat actor that also leverages suspected valid credentials and freely available tools for initial access and post-exploit activity prior to ransomware deployment.[[Arctic Wolf Fog Ransomware June 4 2024](/references/86111971-cd37-4a87-bcaa-3e0f6326da5c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5331", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" } ], "uuid": "3480069a-13eb-4f1e-9967-57ecac415c52", "value": "Fog Ransomware" }, { "description": "[Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. 
[[Microsoft Forfiles Aug 2016](https://app.tidalcyber.com/references/fd7eaa47-3512-4dbd-b881-bc679d06cd1b)]", "meta": { "software_attack_id": "S0193", "source": "MITRE", "tags": [ "91804406-e20a-4455-8dbc-5528c35f8e20", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", "type": "similar" } ], "uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a", "value": "Forfiles" }, { "description": "Formbook is an information-stealing malware, discovered in 2016, that is capable of stealing data entered into HTML website forms and logging keystrokes and also acting as a downloader for other malware.[[What Is FormBook Malware?](/references/d1f57ed6-8f44-46cc-afb7-53d9543f68ed)][[What is FormBook Malware? - Check Point Software](/references/c7670c6d-014b-4937-ac0f-9f2aec60e2d8)] xLoader is a JavaScript-based, cross-platform Formbook variant discovered in 2020 that is crafted to infect macOS as well as Windows systems. 
Check Point Research's 2022 Mid-Year Report released in August 2022 placed Formbook as the \"most prevalent\" infostealer malware globally (and second-most prevalent of all malware types globally, behind only Emotet).[[Check Point Mid-Year Report 2022](/references/e929cd86-9903-481c-a841-ba387831cb77)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5288", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "376d1383-17a7-48b0-8a8b-d6142b2f3003", "value": "Formbook" }, { "description": "[FRAMESTING](https://app.tidalcyber.com/software/83721b89-df58-50bf-be2a-0b696fb0da78) is a Python web shell that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to embed into an Ivanti Connect Secure Python package for command execution.[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1120", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", "type": "similar" } ], "uuid": "83721b89-df58-50bf-be2a-0b696fb0da78", "value": "FRAMESTING" }, { "description": "[FrameworkPOS](https://app.tidalcyber.com/software/aef7cbbc-5163-419c-8e4b-3f73bed50474) is a point of sale (POS) malware used by [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) to steal payment card data from systems that run physical POS devices.[[SentinelOne FrameworkPOS September 2019](https://app.tidalcyber.com/references/054d7827-3d0c-40a7-b2a0-1428ad7729ea)]", "meta": { "software_attack_id": "S0503", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": 
"1cdbbcab-903a-414d-8eb0-439a97343737", "type": "similar" } ], "uuid": "aef7cbbc-5163-419c-8e4b-3f73bed50474", "value": "FrameworkPOS" }, { "description": "FreeFileSync is a tool used to facilitate cloud-based file synchronization.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5032", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "8bf128ad-288b-41bc-904f-093f4fdde745", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "1d5c5822-3cb4-455a-9976-f6bc17e2820d", "value": "FreeFileSync" }, { "description": "FruitFly is designed to spy on mac users [[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)].", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0277", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", "type": "similar" } ], "uuid": "3a05085e-5a1f-4a74-b489-d679b80e2c18", "value": "FruitFly" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Program 
Files\\dotnet\\sdk\\[sdk version]\\FSharp\\fsi.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\CommonExtensions\\Microsoft\\FSharp\\fsi.exe\n\n**Resources:**\n* [https://twitter.com/NickTyrer/status/904273264385589248](https://twitter.com/NickTyrer/status/904273264385589248)\n* [https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/](https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/)\n\n**Detection:**\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Fsi.exe execution may be suspicious on non-developer machines\n* Sigma: [proc_creation_win_lolbin_fsharp_interpreters.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml)[[Fsi.exe - LOLBAS Project](/references/4e14e87f-2ad9-4959-8cb2-8585b67931c0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5222", "source": "Tidal Cyber", "tags": [ "7a4b56fa-5419-411b-86fe-68c9b0ddd3c5", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": 
"47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" } ], "uuid": "f2a5e6cb-75fd-4108-9466-80471c7d0422", "value": "Fsi" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** 32/64-bit FSharp (F#) Interpreter included with Visual Studio.\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\CommonExtensions\\Microsoft\\FSharp\\fsianycpu.exe\n\n**Resources:**\n* [https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/](https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines\n* Sigma: [proc_creation_win_lolbin_fsharp_interpreters.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml)[[FsiAnyCpu.exe - LOLBAS Project](/references/87031d31-b6d7-4860-b11b-5a0dc8774d92)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5223", "source": "Tidal Cyber", "tags": [ "c5d1a687-8a36-4995-b8cb-415f33661821", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"9e5c41bb-f4cc-4132-8c7a-4a10a006190b", "value": "FsiAnyCpu" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** File System Utility\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\fsutil.exe\n* C:\\Windows\\SysWOW64\\fsutil.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1720724516324704404](https://twitter.com/0gtweet/status/1720724516324704404)\n\n**Detection:**\n* IOC: fsutil.exe should not be run on a normal workstation\n* IOC: file setZeroData (not case-sensitive) in the process arguments\n* IOC: Sysmon Event ID 1\n* IOC: Execution of process fsutil.exe with trace decode could be suspicious\n* IOC: Non-Windows netsh.exe execution\n* Sigma: [proc_creation_win_susp_fsutil_usage.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml)[[Fsutil.exe - LOLBAS Project](/references/e2305dac-4245-4fac-8813-69cb210e9cd3)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5112", "source": "Tidal Cyber", "tags": [ "76bb7541-94da-4d66-9a57-77f788330287", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7a829dae-00cf-4321-95b4-276f7dfb5368", "value": "Fsutil" }, { "description": "[ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). 
Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Microsoft FTP](https://app.tidalcyber.com/references/970f8d16-f5b7-44e2-b81f-738b931c60d9)][[Linux FTP](https://app.tidalcyber.com/references/021ea6bc-abff-48de-a6bb-315dbbfa6147)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0095", "source": "MITRE", "tags": [ "95d37388-4e95-4d7f-96ba-99d94c842299", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "type": "similar" } ], "uuid": "062deac9-8f05-44e2-b347-96b59ba166ca", "value": "ftp" }, { "description": "[FunnyDream](https://app.tidalcyber.com/software/d0490e1d-8287-44d3-8342-944d1203b237) is a backdoor with multiple components that was used during the [FunnyDream](https://app.tidalcyber.com/campaigns/94587edf-0292-445b-8c66-b16629597f1e) campaign since at least 2019, primarily for execution and exfiltration.[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1044", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b", "type": "similar" } ], "uuid": "d0490e1d-8287-44d3-8342-944d1203b237", "value": "FunnyDream" }, { "description": "[FYAnti](https://app.tidalcyber.com/software/be9a2ae5-373a-4dee-9c1e-b54235dafed0) is a 
loader that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) since at least 2020, including to deploy [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b).[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0628", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774", "type": "similar" } ], "uuid": "be9a2ae5-373a-4dee-9c1e-b54235dafed0", "value": "FYAnti" }, { "description": "[Fysbis](https://app.tidalcyber.com/software/317a7647-aee7-4ce1-a8f8-33a61190f55d) is a Linux-based backdoor used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) that dates back to at least 2014.[[Fysbis Palo Alto Analysis](https://app.tidalcyber.com/references/3e527ad6-6b56-473d-8178-e1c3c14f2311)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0410", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", "type": "similar" } ], "uuid": "317a7647-aee7-4ce1-a8f8-33a61190f55d", "value": "Fysbis" }, { "description": "[Gazer](https://app.tidalcyber.com/software/7a60b984-b0c8-4acc-be24-841f4b652872) is a backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2016. 
[[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0168", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "type": "similar" } ], "uuid": "7a60b984-b0c8-4acc-be24-841f4b652872", "value": "Gazer" }, { "description": "[Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) has been used by the Gelsemium group since at least 2014.[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0666", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", "type": "similar" } ], "uuid": "9a117508-1d22-4fea-aa65-db670c13a5c9", "value": "Gelsemium" }, { "description": "[GeminiDuke](https://app.tidalcyber.com/software/97f32f68-dcd2-4f80-9967-cc87305dc342) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2009 to 2012. 
[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0049", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "type": "similar" } ], "uuid": "97f32f68-dcd2-4f80-9967-cc87305dc342", "value": "GeminiDuke" }, { "description": "[Get2](https://app.tidalcyber.com/software/a997aaaf-edfc-4489-80a9-3f8d64545de1) is a downloader written in C++ that has been used by [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) to deliver [FlawedGrace](https://app.tidalcyber.com/software/c558e948-c817-4494-a95d-ad3207f10e26), [FlawedAmmyy](https://app.tidalcyber.com/software/308dbe77-3d58-40bb-b0a5-cd00f152dc60), Snatch and [SDBbot](https://app.tidalcyber.com/software/046bbd0c-bff5-46fc-9028-cbe46a9f8ec5).[[Proofpoint TA505 October 2019](https://app.tidalcyber.com/references/711ea2b3-58e2-4b38-aa71-877029c12e64)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0460", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", "type": "similar" } ], "uuid": "a997aaaf-edfc-4489-80a9-3f8d64545de1", "value": "Get2" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.\n\n**Author:** Jesus Galvez\n\n**Paths:**\n* 
c:\\windows\\system32\\driverstore\\filerepository\\64kb6472.inf_amd64_3daef03bbe98572b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_0e9c57ae3396e055\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_209bd95d56b1ac2d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_3fa2a843f8b7f16d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_85c860f05274baa0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_f7412e3e3404de80\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_feb9f1cf05b0de58\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_component.inf_amd64_0219cc1c7085a93f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_component.inf_amd64_df4f60b1cae9b14a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_16eb18b0e2526e57\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_1c77f1231c19bc72\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_31c60cc38cfcca28\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_82f69cea8b2d928f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_0606619cc97463de\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_0e95edab338ad669\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_22aac1442d387216\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_2461d914696db722\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_29d727269a34edf5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_2caf76dbce56546d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_353320edb98da643\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_4ea0ed0af1507894\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_56a48f4f1c2da7a7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_64f23fdadb76a511\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_668dd0c6d3f9fa0e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_6be8e5b7f731a6e5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_6dad7e4e9a8fa889\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_6df442103a1937a4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_767e7683f9ad126c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_8644298f665a12c4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_868acf86149aef5d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_92cf9d9d84f1d3db\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_93239c65f222d453\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_9de8154b682af864\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_a7428663aca90897\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_ad7cb5e55a410add\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_afbf41cf8ab202d7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_d193c96475eaa96e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_db953c52208ada71\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_e7523682cc7528cc\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_e9f341319ca84274\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_f3a64c75ee4defb7\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_f51939e52b944f4b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch_comp.inf_amd64_4938423c9b9639d7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch_comp.inf_amd64_deecec7d232ced2b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_01ee1299f4982efe\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_02edfc87000937e4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0541b698fc6e40b0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0707757077710fff\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0b3e3ed3ace9602a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0cff362f9dff4228\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_16ed7d82b93e4f68\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1a33d2f73651d989\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1aca2a92a37fce23\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1af2dd3e4df5fd61\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1d571527c7083952\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_23f7302c2b9ee813\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_24de78387e6208e4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_250db833a1cd577e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_25e7c5a58c052bc5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_28d80681d3523b1c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_2dda3b1147a3a572\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_31ba00ea6900d67d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_329877a66f240808\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_42af9f4718aa1395\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_4645af5c659ae51a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_48c2e68e54c92258\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_48e7e903a369eae2\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_491d20003583dabe\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_4b34c18659561116\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_51ce968bf19942c2\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_555cfc07a674ecdd\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_561bd21d54545ed3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_579a75f602cc2dce\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_57f66a4f0a97f1a3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_587befb80671fb38\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_62f096fe77e085c0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_6ae0ddbb4a38e23c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_6bb02522ea3fdb0d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_6d34ac0763025a06\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_712b6a0adbaabc0a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_78b09d9681a2400f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_842874489af34daa\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_88084eb1fe7cebc3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_89033455cb08186f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_8a9535cd18c90bc3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_8c1fc948b5a01c52\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_9088b61921a6ff9f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_90f68cd0dc48b625\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_95cb371d046d4b4c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_a58de0cf5f3e9dca\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_abe9d37302f8b1ae\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_acb3edda7b82982f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_aebc5a8535dd3184\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_b5d4c82c67b39358\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_b846bbf1e81ea3cf\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_babb2e8b8072ff3b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_bc75cebf5edbbc50\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_be91293cf20d4372\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c11f4d5f0bc4c592\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c4e5173126d31cf0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c4f600ffe34acc7b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c8634ed19e331cda\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c9081e50bcffa972\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_ceddadac8a2b489e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_d4406f0ad6ec2581\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_d5877a2e0e6374b6\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_d8ca5f86add535ef\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_e8abe176c7b553b5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_eabb3ac2c517211f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_f8d8be8fea71e1a0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_fe5e116bb07c0629\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_fe73d2ebaa05fb95\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\\\n* c:\\windows\\system32\\driverstore\\filerepository\\k127153.inf_amd64_364f43f2a27f7bd7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\k127153.inf_amd64_3f3936d8dec668b8\\\n* c:\\windows\\system32\\driverstore\\filerepository\\k127793.inf_amd64_3ab7883eddccbf0f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129523.inf_amd64_32947eecf8f3e231\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126950.inf_amd64_fa7f56314967630d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126951.inf_amd64_94804e3918169543\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126973.inf_amd64_06dde156632145e3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126974.inf_amd64_9168fc04b8275db9\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127005.inf_amd64_753576c4406c1193\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127018.inf_amd64_0f67ff47e9e30716\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127021.inf_amd64_0d68af55c12c7c17\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\ki127171.inf_amd64_368f8c7337214025\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127176.inf_amd64_86c658cabfb17c9c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127390.inf_amd64_e1ccb879ece8f084\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127678.inf_amd64_8427d3a09f47dfc1\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127727.inf_amd64_cf8e31692f82192e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127807.inf_amd64_fc915899816dbc5d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127850.inf_amd64_6ad8d99023b59fd5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki128602.inf_amd64_6ff790822fd674ab\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki128916.inf_amd64_3509e1eb83b83cfb\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129407.inf_amd64_f26f36ac54ce3076\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129633.inf_amd64_d9b8af875f664a8c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129866.inf_amd64_e7cdca9882c16f55\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130274.inf_amd64_bafd2440fa1ffdd6\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130350.inf_amd64_696b7c6764071b63\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130409.inf_amd64_0d8d61270dfb4560\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130471.inf_amd64_26ad6921447aa568\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130624.inf_amd64_d85487143eec5e1a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130825.inf_amd64_ee3ba427c553f15f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130871.inf_amd64_382f7c369d4bf777\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131064.inf_amd64_5d13f27a9a9843fa\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131176.inf_amd64_fb4fe914575fdd15\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\ki131191.inf_amd64_d668106cb6f2eae0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131622.inf_amd64_0058d71ace34db73\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132032.inf_amd64_f29660d80998e019\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132337.inf_amd64_223d6831ffa64ab1\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132535.inf_amd64_7875dff189ab2fa2\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132544.inf_amd64_b8c1f31373153db4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132574.inf_amd64_54c9b905b975ee55\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132869.inf_amd64_052eb72d070df60f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\kit126731.inf_amd64_1905c9d5f38631d9\\\n\n**Resources:**\n* [https://www.sothis.tech/author/jgalvez/](https://www.sothis.tech/author/jgalvez/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml)\n* IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.[[GfxDownloadWrapper.exe - LOLBAS Project](/references/5d97b7d7-428e-4408-a4d3-00f52cf4bf15)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5186", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "a83cfdbf-023a-4874-a3d8-9674149ceb53", "value": "GfxDownloadWrapper" }, { "description": "[gh0st RAT](https://app.tidalcyber.com/software/269ef8f5-35c8-44ba-afe4-63f4c6431427) is a remote access tool (RAT). 
The source code is public and it has been used by multiple groups.[[FireEye Hacking Team](https://app.tidalcyber.com/references/c1e798b8-6771-4ba7-af25-69c640321e40)][[Arbor Musical Chairs Feb 2018](https://app.tidalcyber.com/references/bddf44bb-7a0a-498b-9831-7b73cf9a582e)][[Nccgroup Gh0st April 2018](https://app.tidalcyber.com/references/4476aa0a-b1ef-4ac6-9e44-5721a0b3e92b)]", "meta": { "platforms": [ "macOS", "Windows" ], "software_attack_id": "S0032", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" }, { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" }, { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "similar" } ], "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427", "value": "gh0st RAT" }, { "description": "[GLASSTOKEN](https://app.tidalcyber.com/software/5c1a1ce5-927c-5c79-8a14-2789756d41ee) is a custom web shell used by threat actors during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to execute commands on compromised Ivanti Secure Connect VPNs.[[Volexity Ivanti Zero-Day Exploitation January 2024](https://app.tidalcyber.com/references/93eda380-ea21-59e0-97e8-5bec1f9a0e71)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1117", "source": 
"MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", "type": "similar" } ], "uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee", "value": "GLASSTOKEN" }, { "description": "[GLOOXMAIL](https://app.tidalcyber.com/software/09fdec78-5253-433d-8680-294ba6847be9) is malware used by [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) that mimics legitimate Jabber/XMPP traffic. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0026", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", "type": "similar" } ], "uuid": "09fdec78-5253-433d-8680-294ba6847be9", "value": "GLOOXMAIL" }, { "description": "GMER is a tool used to remove rootkits.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5033", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "83713f85-8b2f-4733-9fea-e6a1494d0bbb", "value": "GMER" }, { "description": "[Gold 
Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) was used along with [Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0) and [RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0249", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", "type": "similar" } ], "uuid": "348fdeb5-6a74-4803-ac6e-e0133ecd7263", "value": "Gold Dragon" }, { "description": "[GoldenSpy](https://app.tidalcyber.com/software/1b135393-c799-4698-a880-c6a86782adee) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://app.tidalcyber.com/software/1b135393-c799-4698-a880-c6a86782adee) was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. 
and required to pay local taxes.[[Trustwave GoldenSpy June 2020](https://app.tidalcyber.com/references/2a27a2ea-2815-4d97-88c0-47a6e04e84f8)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0493", "source": "MITRE", "tags": [ "f2ae2283-f94d-4f8f-bbde-43f2bed66c55" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b9704a7d-feef-4af9-8898-5280f1686326", "type": "similar" } ], "uuid": "1b135393-c799-4698-a880-c6a86782adee", "value": "GoldenSpy" }, { "description": "[GoldFinder](https://app.tidalcyber.com/software/4e8c58c5-443e-4f73-91e9-89146f04e307) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://app.tidalcyber.com/software/4e8c58c5-443e-4f73-91e9-89146f04e307) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447).[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0597", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76", "type": "similar" } ], "uuid": "4e8c58c5-443e-4f73-91e9-89146f04e307", "value": "GoldFinder" }, { "description": "[GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. 
[GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a), and has likely been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least mid-2019. [GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)][[FireEye SUNSHUTTLE Mar 2021](https://app.tidalcyber.com/references/1cdb8a1e-fbed-4db3-b273-5f8f45356dc1)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0588", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", "type": "similar" } ], "uuid": "b05a9763-4288-4656-bf4e-ba02bb8b35d6", "value": "GoldMax" }, { "description": "[Goopy](https://app.tidalcyber.com/software/a75855fd-2b6b-43d8-99a5-2be03b544f34) is a Windows backdoor and Trojan used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) and shares several similarities to another backdoor used by the group ([Denis](https://app.tidalcyber.com/software/df4002d2-f557-4f95-af7a-9a4582fb7068)). 
[Goopy](https://app.tidalcyber.com/software/a75855fd-2b6b-43d8-99a5-2be03b544f34) is named for its impersonation of the legitimate Google Updater executable.[[Cybereason Cobalt Kitty 2017](https://app.tidalcyber.com/references/bf838a23-1620-4668-807a-4354083d69b1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0477", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", "type": "similar" } ], "uuid": "a75855fd-2b6b-43d8-99a5-2be03b544f34", "value": "Goopy" }, { "description": "GooseEgg is a custom tool developed by Russian espionage group Forest Blizzard that is designed for privilege escalation and credential access purposes. GooseEgg exploits CVE-2022-38028, a vulnerability in the Windows Print Spooler service. Researchers describe the tool as a \"simple\" launcher application, but a range of subsequent post-exploitation actions are possible, including remote code execution, backdoor deployment, and lateral movement within the compromised network.[[Microsoft Security Blog 4 22 2024](/references/050ff793-d81d-499f-a136-905e76bce321)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5318", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "7de7d799-f836-4555-97a4-0db776eb6932", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" } ], "uuid": "f9c32a11-964c-4480-968b-e520b8c7b26e", "value": "GooseEgg" }, { "description": "Gootloader is a highly active banking Trojan-turned-loader malware that has attacked organizations in a wide range of verticals and countries. 
Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), & more. Cybereason indicates the financial & healthcare sectors are especially impacted.[[Cybereason Gootloader February 2023](/references/098bf58f-3868-4892-bb4d-c78ce8817a02)] Red Canary & The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[[Red Canary Gootloader April 2023](/references/658e3a1a-2f68-4e84-8dab-43e48766703e)][[DFIR Report Gootloader](/references/aa12dc30-ba81-46c5-b412-ca4a01e72d7f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5289", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" } ], "uuid": "3eec857e-dce3-4865-a65f-3ad5a559a3e6", "value": "Gootloader" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by group policy to process scripts\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\gpscript.exe\n* C:\\Windows\\SysWOW64\\gpscript.exe\n\n**Resources:**\n* 
[https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/](https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_gpscript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml)\n* IOC: Scripts added in local group policy\n* IOC: Execution of Gpscript.exe after logon[[Gpscript.exe - LOLBAS Project](/references/619f57d9-d93b-4e9b-aae0-6ce89d91deb6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5113", "source": "Tidal Cyber", "tags": [ "2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "acf4a502-2730-4b36-aea3-652420390977", "value": "Gpscript" }, { "description": "[Grandoreiro](https://app.tidalcyber.com/software/61d277f2-abdc-4f2b-b50a-10d0fe91e588) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. 
[Grandoreiro](https://app.tidalcyber.com/software/61d277f2-abdc-4f2b-b50a-10d0fe91e588) has confirmed victims in Brazil, Mexico, Portugal, and Spain.[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)][[ESET Grandoreiro April 2020](https://app.tidalcyber.com/references/d6270492-986b-4fb6-bdbc-2e364947847c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0531", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7", "type": "similar" } ], "uuid": "61d277f2-abdc-4f2b-b50a-10d0fe91e588", "value": "Grandoreiro" }, { "description": "According to joint Cybersecurity Advisory AA23-347A (December 2023), GraphicalProton \"is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs\" to exchange data with its operators. During a 2023 campaign, authorities also observed an HTTPS variant of GraphicalProton that relies on HTTP requests instead of cloud-based services.[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5077", "source": "Tidal Cyber", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" } ], "uuid": "f77398ad-e043-4694-ade0-d6ea16a994e7", "value": "GraphicalProton" }, { "description": "[GravityRAT](https://app.tidalcyber.com/software/08cb425d-7b7a-41dc-a897-9057ce57fea9) is a remote access tool (RAT) and has been in ongoing development since 2016. 
The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [[Talos GravityRAT](https://app.tidalcyber.com/references/2d7a1d72-cc9a-4b0b-a89a-e24ca836879b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0237", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", "type": "similar" } ], "uuid": "08cb425d-7b7a-41dc-a897-9057ce57fea9", "value": "GravityRAT" }, { "description": "[Green Lambert](https://app.tidalcyber.com/software/f5691425-6690-4e5e-8304-3ede9d2f5a90) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of [Green Lambert](https://app.tidalcyber.com/software/f5691425-6690-4e5e-8304-3ede9d2f5a90) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[[Kaspersky Lamberts Toolkit April 2017](https://app.tidalcyber.com/references/2be23bfb-c6fb-455e-ae88-2ae910ccef60)][[Objective See Green Lambert for OSX Oct 2021](https://app.tidalcyber.com/references/fad94973-eafa-4fdb-b7aa-22c21d894f81)] ", "meta": { "platforms": [ "Linux", "macOS", "Windows", "iOS" ], "software_attack_id": "S0690", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0", "type": "similar" } ], "uuid": "f5691425-6690-4e5e-8304-3ede9d2f5a90", "value": "Green Lambert" }, { "description": "[GreyEnergy](https://app.tidalcyber.com/software/f646e7f9-4d09-46f6-9831-54668fa20483) is a backdoor written in C and compiled in Visual Studio. 
[GreyEnergy](https://app.tidalcyber.com/software/f646e7f9-4d09-46f6-9831-54668fa20483) shares similarities with the [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) malware and is thought to be the successor of it.[[ESET GreyEnergy Oct 2018](https://app.tidalcyber.com/references/f3e70f41-6c22-465c-b872-a7ec5e6a3e67)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0342", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", "type": "similar" } ], "uuid": "f646e7f9-4d09-46f6-9831-54668fa20483", "value": "GreyEnergy" }, { "description": "[GRIFFON](https://app.tidalcyber.com/software/ad358082-d83a-4c22-81a1-6c34dd67af26) is a JavaScript backdoor used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff). [[SecureList Griffon May 2019](https://app.tidalcyber.com/references/42e196e4-42a7-427d-a69b-d78fa6375f8c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0417", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", "type": "similar" } ], "uuid": "ad358082-d83a-4c22-81a1-6c34dd67af26", "value": "GRIFFON" }, { "description": "[GrimAgent](https://app.tidalcyber.com/software/c40a71d4-8592-4f82-8af5-18f763e52caf) is a backdoor that has been used before the deployment of [Ryuk](https://app.tidalcyber.com/software/8ae86854-4cdc-49eb-895a-d1fa742f7974) ransomware since at least 2020; it is likely used by [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) and [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8).[[Group IB GrimAgent July 
2021](https://app.tidalcyber.com/references/6b0dd676-3ea5-4b56-a27b-b1685787de02)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0632", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", "type": "similar" } ], "uuid": "c40a71d4-8592-4f82-8af5-18f763e52caf", "value": "GrimAgent" }, { "description": "Grixba is a tool used by Play Ransomware operators to scan victim networks for information discovery purposes. Grixba compiles and saves collected information into CSV files, which are then compressed with WinRAR and exfiltrated to threat actors.[[Symantec Play Ransomware April 19 2023](/references/a78613a5-ce17-4d11-8f2f-3e642cd7673c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5079", "source": "Tidal Cyber", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "3ff9e020-8a7a-4c6f-a607-117ce9e436c5", "value": "Grixba" }, { "description": "[gsecdump](https://app.tidalcyber.com/software/5ffe662f-9da1-4b6f-ad3a-f296383e828c) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. 
[[TrueSec Gsecdump](https://app.tidalcyber.com/references/ba1d07ed-2e18-4f5f-9d44-082530946f14)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0008", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "type": "similar" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", "value": "gsecdump" }, { "description": "[GuLoader](https://app.tidalcyber.com/software/03e985d6-870b-4533-af13-08b1e0511444) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://app.tidalcyber.com/software/c7d0e881-80a1-49ea-9c1f-b6e53cf399a8), [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), [NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1), FormBook, and Parallax RAT.[[Unit 42 NETWIRE April 2020](https://app.tidalcyber.com/references/b42f119d-144a-470a-b9fe-ccbf80a78fbb)][[Medium Eli Salem GuLoader April 2021](https://app.tidalcyber.com/references/87c5e84a-b96d-489d-aa10-db95b78c5a93)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0561", "source": "MITRE", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "45c759ac-b490-48bb-80d4-c8eee3431027", "type": "similar" } ], "uuid": "03e985d6-870b-4533-af13-08b1e0511444", "value": "GuLoader" }, { "description": 
"[H1N1](https://app.tidalcyber.com/software/5f1602fe-a4ce-4932-9cf9-ec842f2c58f1) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [[Cisco H1N1 Part 1](https://app.tidalcyber.com/references/03a2faca-1a47-4f68-9f26-3fa98145f2ab)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0132", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "type": "similar" } ], "uuid": "5f1602fe-a4ce-4932-9cf9-ec842f2c58f1", "value": "H1N1" }, { "description": "[Hacking Team UEFI Rootkit](https://app.tidalcyber.com/software/75db2ac3-901e-4b1f-9a0d-bac6562d57a3) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. [[TrendMicro Hacking Team UEFI](https://app.tidalcyber.com/references/24796535-d516-45e9-bcc7-8f03a3f3cd73)]", "meta": { "software_attack_id": "S0047", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", "type": "similar" } ], "uuid": "75db2ac3-901e-4b1f-9a0d-bac6562d57a3", "value": "Hacking Team UEFI Rootkit" }, { "description": "[HALFBAKED](https://app.tidalcyber.com/software/5edf0ef7-a960-4500-8a89-8c8b4fdf8824) is a malware family consisting of multiple components intended to establish persistence in victim networks. 
[[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)]", "meta": { "software_attack_id": "S0151", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "type": "similar" } ], "uuid": "5edf0ef7-a960-4500-8a89-8c8b4fdf8824", "value": "HALFBAKED" }, { "description": "[HAMMERTOSS](https://app.tidalcyber.com/software/cc07f03f-9919-4856-9b30-f4d88940b0ec) is a backdoor that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) in 2015. [[FireEye APT29](https://app.tidalcyber.com/references/78ead31e-7450-46e8-89cf-461ae1981994)] [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0037", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "type": "similar" } ], "uuid": "cc07f03f-9919-4856-9b30-f4d88940b0ec", "value": "HAMMERTOSS" }, { "description": "[Hancitor](https://app.tidalcyber.com/software/4eee3272-07fa-48ee-a7b9-9dfee3e4550a) is a downloader that has been used by [Pony](https://app.tidalcyber.com/software/555b612e-3f0d-421d-b2a7-63eb2d1ece5f) and other information stealing malware.[[Threatpost Hancitor](https://app.tidalcyber.com/references/70ad77af-88aa-4f06-a9cb-df9608157841)][[FireEye Hancitor](https://app.tidalcyber.com/references/65a07c8c-5b29-445f-8f01-6e577df4ea62)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0499", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817", "type": "similar" } ], "uuid": 
"4eee3272-07fa-48ee-a7b9-9dfee3e4550a", "value": "Hancitor" }, { "description": "[HAPPYWORK](https://app.tidalcyber.com/software/c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8) is a downloader used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) to target South Korean government and financial victims in November 2016. [[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "software_attack_id": "S0214", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", "type": "similar" } ], "uuid": "c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8", "value": "HAPPYWORK" }, { "description": "[HARDRAIN](https://app.tidalcyber.com/software/ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7) is a Trojan malware variant reportedly used by the North Korean government. [[US-CERT HARDRAIN March 2018](https://app.tidalcyber.com/references/ffc17fa5-e7d3-4592-b47b-e12ced0e62a4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0246", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", "type": "similar" } ], "uuid": "ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7", "value": "HARDRAIN" }, { "description": "[Havij](https://app.tidalcyber.com/software/8bd36306-bd4b-4a76-8842-44acb0cedbcc) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. 
[[Check Point Havij Analysis](https://app.tidalcyber.com/references/2e00a539-acbe-4462-a30f-43da4e8b9c4f)]", "meta": { "software_attack_id": "S0224", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" }, { "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", "type": "similar" } ], "uuid": "8bd36306-bd4b-4a76-8842-44acb0cedbcc", "value": "Havij" }, { "description": "[HAWKBALL](https://app.tidalcyber.com/software/392c5a32-53b5-4ce8-a946-226cb533cc4e) is a backdoor that was observed in targeting of the government sector in Central Asia.[[FireEye HAWKBALL Jun 2019](https://app.tidalcyber.com/references/c88150b1-8c0a-4fc5-b5b7-11e242af1c43)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0391", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", "type": "similar" } ], "uuid": "392c5a32-53b5-4ce8-a946-226cb533cc4e", "value": "HAWKBALL" }, { "description": "[hcdLoader](https://app.tidalcyber.com/software/a7ffe1bd-45ca-4ca4-94da-3b6c583a868d) is a remote access tool (RAT) that has been used by [APT18](https://app.tidalcyber.com/groups/a0c31021-b281-4c41-9855-436768299fe7). [[Dell Lateral Movement](https://app.tidalcyber.com/references/fcc9b52a-751f-4985-8c32-7aaf411706ad)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0071", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, { "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "type": "similar" } ], "uuid": "a7ffe1bd-45ca-4ca4-94da-3b6c583a868d", "value": "hcdLoader" }, { "description": "[HDoor](https://app.tidalcyber.com/software/f155b6f9-258d-4446-8867-fe5ee26d8c72) is malware that has been customized and used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group. 
[[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0061", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "type": "similar" } ], "uuid": "f155b6f9-258d-4446-8867-fe5ee26d8c72", "value": "HDoor" }, { "description": "[HELLOKITTY](https://app.tidalcyber.com/software/813a4ca1-84fe-42dc-89de-5873d028f98d) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://app.tidalcyber.com/software/832f5ab1-1267-40c9-84ef-f32d6373be4e) and [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c). [HELLOKITTY](https://app.tidalcyber.com/software/813a4ca1-84fe-42dc-89de-5873d028f98d) has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.[[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0617", "source": "MITRE", "tags": [ "4ac8dcde-2665-4066-9ad9-b5572d5f0d28", "3535caad-a155-4996-b986-70bc3cd5ce1e", "f1ad9eba-f4fd-4aec-92c0-833ac14d741b", "5e7433ad-a894-4489-93bc-41e90da90019", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "5d11d418-95dd-4377-b782-23160dfa17b4", "type": "similar" } ], "uuid": "813a4ca1-84fe-42dc-89de-5873d028f98d", "value": "HELLOKITTY" }, { "description": "[Helminth](https://app.tidalcyber.com/software/d6560c81-1e7e-4d01-9814-4be4fb43e655) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, 
and one that is a standalone Windows executable. [[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0170", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "type": "similar" } ], "uuid": "d6560c81-1e7e-4d01-9814-4be4fb43e655", "value": "Helminth" }, { "description": "[HermeticWiper](https://app.tidalcyber.com/software/f0456f14-4913-4861-b4ad-5e7f3960040e) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[[SentinelOne Hermetic Wiper February 2022](https://app.tidalcyber.com/references/96825555-1936-4ee3-bb25-423dc16a9116)][[Symantec Ukraine Wipers February 2022](https://app.tidalcyber.com/references/3ed4cd00-3387-4b80-bda8-0a190dc6353c)][[Crowdstrike DriveSlayer February 2022](https://app.tidalcyber.com/references/4f01e901-58f8-4fdb-ac8c-ef4b6bfd068e)][[ESET Hermetic Wiper February 2022](https://app.tidalcyber.com/references/07ef66e8-195b-4afe-a518-ce9e77220038)][[Qualys Hermetic Wiper March 2022](https://app.tidalcyber.com/references/2b25969b-2f0b-4204-9277-596e80c4e626)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0697", "source": "MITRE", "tags": [ "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a", "type": "similar" } ], "uuid": "f0456f14-4913-4861-b4ad-5e7f3960040e", "value": "HermeticWiper" }, { "description": "[HermeticWizard](https://app.tidalcyber.com/software/36ddc8cd-8f80-489e-a702-c682936b5393) is a worm that has been used to spread 
[HermeticWiper](https://app.tidalcyber.com/software/f0456f14-4913-4861-b4ad-5e7f3960040e) in attacks against organizations in Ukraine since at least 2022.[[ESET Hermetic Wizard March 2022](https://app.tidalcyber.com/references/e0337ce9-2ca9-4877-b116-8c4d9d864df0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0698", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", "type": "similar" } ], "uuid": "36ddc8cd-8f80-489e-a702-c682936b5393", "value": "HermeticWizard" }, { "description": "[Heyoka Backdoor](https://app.tidalcyber.com/software/1841a6e8-6c23-46a1-9c81-783746083764) is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by [Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412) since at least 2013.[[SentinelOne Aoqin Dragon June 2022](https://app.tidalcyber.com/references/b4e792e0-b1fa-4639-98b1-233aaec53594)][[Sourceforge Heyoka 2022](https://app.tidalcyber.com/references/f6677391-cb7a-4abc-abb7-3a8cd47fbc90)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1027", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" }, { "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", "type": "similar" } ], "uuid": "1841a6e8-6c23-46a1-9c81-783746083764", "value": "Heyoka Backdoor" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used for processing chm files in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\hh.exe\n* 
C:\\Windows\\SysWOW64\\hh.exe\n\n**Resources:**\n* [https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/](https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/)\n\n**Detection:**\n* Sigma: [proc_creation_win_hh_chm_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml)\n* Sigma: [proc_creation_win_hh_html_help_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml)\n* Elastic: [execution_via_compiled_html_file.toml](https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml)\n* Elastic: [execution_html_help_executable_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml)\n* Splunk: [detect_html_help_spawn_child_process.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml)\n* Splunk: [detect_html_help_url_in_command_line.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml)[[Hh.exe - LOLBAS Project](/references/4e09bfcf-f5be-46c5-9ebf-8742ac8d1edc)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5114", "source": "Tidal Cyber", "tags": [ "7d028d1e-7a95-47f0-9367-55517f9ef170", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "5a0d0b83-5a10-425c-98f7-6cb8eb76fda4", "value": "Hh" }, { "description": 
"[HiddenWasp](https://app.tidalcyber.com/software/ec02fb9c-bf9f-404d-bc54-819f2b3fb040) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[[Intezer HiddenWasp Map 2019](https://app.tidalcyber.com/references/dfef8451-031b-42a6-8b78-d25950cc9d23)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0394", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fc774af4-533b-4724-96d2-ac1026316794", "type": "similar" } ], "uuid": "ec02fb9c-bf9f-404d-bc54-819f2b3fb040", "value": "HiddenWasp" }, { "description": "[HIDEDRV](https://app.tidalcyber.com/software/ce1af464-0b14-4fe9-8591-a6fe58aa96c7) is a rootkit used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). It has been deployed along with [Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) to execute and hide that malware. [[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)] [[Sekoia HideDRV Oct 2016](https://app.tidalcyber.com/references/c383811d-c036-4fe7-add8-b4d4f73b3ce4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0135", "source": "MITRE", "tags": [ "1efd43ee-5752-49f2-99fe-e3441f126b00" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "type": "similar" } ], "uuid": "ce1af464-0b14-4fe9-8591-a6fe58aa96c7", "value": "HIDEDRV" }, { "description": "[Hikit](https://app.tidalcyber.com/software/8046c80c-4339-4cfb-8bfd-464801db2bfe) is malware that has been used by [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) for late-stage persistence and exfiltration after the initial compromise.[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)][[FireEye Hikit 
Rootkit](https://app.tidalcyber.com/references/65d751cb-fdd2-4a45-81db-8a5a11bbee62)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0009", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", "type": "similar" } ], "uuid": "8046c80c-4339-4cfb-8bfd-464801db2bfe", "value": "Hikit" }, { "description": "[Hildegard](https://app.tidalcyber.com/software/7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://app.tidalcyber.com/software/7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c). [[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]", "meta": { "platforms": [ "Containers", "Linux", "IaaS" ], "software_attack_id": "S0601", "source": "MITRE", "tags": [ "4fa6f8e1-b0d5-4169-8038-33e355c08bde", "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" }, { "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", "type": "similar" } ], "uuid": "7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c", "value": "Hildegard" }, { "description": "[Hi-Zor](https://app.tidalcyber.com/software/286184d9-f28a-4d5a-a9dd-2216b3c47809) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c). It was used in a campaign named INOCNATION. 
[[Fidelis Hi-Zor](https://app.tidalcyber.com/references/0c9ff201-283a-4527-8cb8-6f0d05a4f724)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0087", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "type": "similar" } ], "uuid": "286184d9-f28a-4d5a-a9dd-2216b3c47809", "value": "Hi-Zor" }, { "description": "[HOMEFRY](https://app.tidalcyber.com/software/16db13f2-f350-4323-96cb-c5f4ac36c3e0) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) backdoors. [[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0232", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", "type": "similar" } ], "uuid": "16db13f2-f350-4323-96cb-c5f4ac36c3e0", "value": "HOMEFRY" }, { "description": "[HOPLIGHT](https://app.tidalcyber.com/software/4d94594c-2224-46ca-8bc3-28b12ed139f9) is a backdoor Trojan that has reportedly been used by the North Korean government.[[US-CERT HOPLIGHT Apr 2019](https://app.tidalcyber.com/references/e722b71b-9042-4143-a156-489783d86e0a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0376", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", "type": "similar" } ], "uuid": "4d94594c-2224-46ca-8bc3-28b12ed139f9", "value": "HOPLIGHT" }, { "description": 
"[HotCroissant](https://app.tidalcyber.com/software/a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[[US-CERT HOTCROISSANT February 2020](https://app.tidalcyber.com/references/db5c816a-2a23-4966-8f0b-4ec86cae45c9)] [HotCroissant](https://app.tidalcyber.com/software/a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe) shares numerous code similarities with [Rifdoor](https://app.tidalcyber.com/software/ca5ae7c8-467a-4434-82fc-db50ce3fc671).[[Carbon Black HotCroissant April 2020](https://app.tidalcyber.com/references/43bcb35b-56e1-47a8-9c74-f7543a25b2a6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0431", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", "type": "similar" } ], "uuid": "a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe", "value": "HotCroissant" }, { "description": "[HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. 
[[Operation Quantum Entanglement](https://app.tidalcyber.com/references/c94f9652-32c3-4975-a9c0-48f93bdfe790)][[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0040", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" }, { "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "type": "similar" } ], "uuid": "b98d9fe7-9aa3-409a-bf5c-eadb01bac948", "value": "HTRAN" }, { "description": "[HTTPBrowser](https://app.tidalcyber.com/software/c4fe23f7-f18c-40f6-b431-0b104b497eaa) is malware that has been used by several threat groups. [[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)] [[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)] It is believed to be of Chinese origin. [[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0070", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, { "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "type": "similar" } ], "uuid": "c4fe23f7-f18c-40f6-b431-0b104b497eaa", "value": "HTTPBrowser" }, { "description": "[httpclient](https://app.tidalcyber.com/software/bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49) is malware used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. 
[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0068", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" }, { "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "type": "similar" } ], "uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49", "value": "httpclient" }, { "description": "[HUI Loader](https://app.tidalcyber.com/software/2df88e4e-5a89-5535-ae1a-4c68b19d9078) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) and [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to deploy malware on compromised hosts. [HUI Loader](https://app.tidalcyber.com/software/2df88e4e-5a89-5535-ae1a-4c68b19d9078) has been observed in campaigns loading [SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a), [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10), [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6), [Komplex](https://app.tidalcyber.com/software/2cf1be0d-2fba-4fd0-ab2f-3695716d1735), and several strains of ransomware.[[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1097", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", "type": "similar" } ], "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", "value": "HUI Loader" }, { "description": 
"[Hydraq](https://app.tidalcyber.com/software/4ffbca79-358a-4ba5-bfbb-dc1694c45646) is a data-theft trojan first used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094).[[MicroFocus 9002 Aug 2016](https://app.tidalcyber.com/references/a4d6bdd1-e70c-491b-a569-72708095c809)][[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Trojan.Hydraq Jan 2010](https://app.tidalcyber.com/references/10bed842-400f-4276-972d-5fca794ea778)][[ASERT Seven Pointed Dagger Aug 2015](https://app.tidalcyber.com/references/a8f323c7-82bc-46e6-bd6c-0b631abc644a)][[FireEye DeputyDog 9002 November 2013](https://app.tidalcyber.com/references/68b5a913-b696-4ca5-89ed-63453023d2a2)][[ProofPoint GoT 9002 Aug 2017](https://app.tidalcyber.com/references/b796f889-400c-440b-86b2-1588fd15f3ae)][[FireEye Sunshop Campaign May 2013](https://app.tidalcyber.com/references/ec246c7a-3396-46f9-acc4-a100cb5e5fe6)][[PaloAlto 3102 Sept 2015](https://app.tidalcyber.com/references/db340043-43a7-4b16-a570-92a0d879b2bf)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0203", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", "type": "similar" } ], "uuid": "4ffbca79-358a-4ba5-bfbb-dc1694c45646", "value": "Hydraq" }, { "description": "[HyperBro](https://app.tidalcyber.com/software/57cec527-26fb-44a1-b1a9-506a3af2c9f2) is a custom in-memory backdoor used by [Threat 
Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5).[[Unit42 Emissary Panda May 2019](https://app.tidalcyber.com/references/3a3ec86c-88da-40ab-8e5f-a7d5102c026b)][[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)][[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0398", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", "type": "similar" } ], "uuid": "57cec527-26fb-44a1-b1a9-506a3af2c9f2", "value": "HyperBro" }, { "description": "[HyperStack](https://app.tidalcyber.com/software/ba3236e9-c86b-4b5d-89ed-7f71940a0588) is a RPC-based backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2018. 
[HyperStack](https://app.tidalcyber.com/software/ba3236e9-c86b-4b5d-89ed-7f71940a0588) has similarities to other backdoors used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) including [Carbon](https://app.tidalcyber.com/software/61f5d19c-1da2-43d1-ab20-51eacbca71f2).[[Accenture HyperStack October 2020](https://app.tidalcyber.com/references/680f2a0b-f69d-48bd-93ed-20ee2f79e3f7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0537", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", "type": "similar" } ], "uuid": "ba3236e9-c86b-4b5d-89ed-7f71940a0588", "value": "HyperStack" }, { "description": "[IceApple](https://app.tidalcyber.com/software/5a73defd-6a1a-4132-8427-cec649e8267a) is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.[[CrowdStrike IceApple May 2022](https://app.tidalcyber.com/references/325988b8-1c7d-4296-83d6-bfcbe533b75e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1022", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1", "type": "similar" } ], "uuid": "5a73defd-6a1a-4132-8427-cec649e8267a", "value": "IceApple" }, { "description": "[IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. 
[IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433) has been downloaded by [Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) in multiple campaigns.[[IBM IcedID November 2017](https://app.tidalcyber.com/references/fdc56361-24f4-4fa5-949e-02e61c4d3be8)][[Juniper IcedID June 2020](https://app.tidalcyber.com/references/426886d0-cdf2-4af7-a0e4-366c1b0a1942)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0483", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "type": "similar" } ], "uuid": "7f59bb7c-5fa9-497d-9d8e-ba9349fd9433", "value": "IcedID" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes commands from a specially prepared ieuinit.inf file (the INF name used in the Paths and Detection entries below); the detection IOCs key on ie4uinit.exe or ieuinit.inf being copied to, or loaded from, a location outside %windir%.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\ie4uinit.exe\n* c:\\windows\\sysWOW64\\ie4uinit.exe\n* c:\\windows\\system32\\ieuinit.inf\n* c:\\windows\\sysWOW64\\ieuinit.inf\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* IOC: ie4uinit.exe copied outside of %windir%\n* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%\n* Sigma: 
[proc_creation_win_lolbin_ie4uinit.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml)[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5116", "source": "Tidal Cyber", "tags": [ "f32f1513-7277-4257-9c35-c8ab3da17c84", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "332e37c0-63fe-4e99-85a9-94210d42c21d", "value": "Ie4uinit" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\ieadvpack.dll\n* c:\\windows\\syswow64\\ieadvpack.dll\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n* [https://twitter.com/pabraeken/status/991695411902599168](https://twitter.com/pabraeken/status/991695411902599168)\n* [https://twitter.com/0rbz_/status/974472392012689408](https://twitter.com/0rbz_/status/974472392012689408)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: 
[detect_rundll32_application_control_bypass___advpack.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml)[[Ieadvpack.dll - LOLBAS Project](/references/79943a49-23d6-499b-a022-7c2f8bd68aee)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5190", "source": "Tidal Cyber", "tags": [ "e794994d-c38a-44d9-9253-53191ca9e56b", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "e1aa3cbd-2337-47d6-b6b0-beb5d1bbfc1e", "value": "Ieadvpack" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Diagnostics Utility for Internet Explorer\n\n**Author:** manasmbellani\n\n**Paths:**\n* C:\\Program Files\\Internet Explorer\\iediagcmd.exe\n\n**Resources:**\n* [https://twitter.com/Hexacorn/status/1507516393859731456](https://twitter.com/Hexacorn/status/1507516393859731456)\n\n**Detection:**\n* Sigma: [https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml](https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml)\n* IOC: Sysmon Event ID 1\n* IOC: Execution of process iediagcmd.exe with /out could be suspicious[[iediagcmd.exe - LOLBAS Project](/references/de238a18-2275-497e-adcf-453a016a24c4)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5117", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"1feba268-9fff-495f-94e9-5b46336bff3b", "value": "iediagcmd" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ieexec.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ieexec.exe\n\n**Resources:**\n* [https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/](https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_ieexec_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* IOC: Network connections originating from ieexec.exe 
may be suspicious[[Ieexec.exe - LOLBAS Project](/references/91f31525-585d-4b71-83d7-9b7c2feacd34)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5118", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "e7ede205-4d50-42c3-92d0-4988aca5c4a1", "value": "Ieexec" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Internet Browser DLL for translating HTML code.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\ieframe.dll\n* c:\\windows\\syswow64\\ieframe.dll\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/](http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/)\n* [https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)\n* [https://twitter.com/bohops/status/997690405092290561](https://twitter.com/bohops/status/997690405092290561)\n* [https://windows10dll.nirsoft.net/ieframe_dll.html](https://windows10dll.nirsoft.net/ieframe_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Ieframe.dll - LOLBAS Project](/references/aab9c80d-1f1e-47ba-954d-65e7400054df)]", "meta": { "owner": 
"TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5191", "source": "Tidal Cyber", "tags": [ "fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "57072f02-06c1-4267-b665-fbbf72b96bb4", "value": "Ieframe" }, { "description": "[ifconfig](https://app.tidalcyber.com/software/93ab16d1-625e-4b1c-bb28-28974c269c47) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. [[Wikipedia Ifconfig](https://app.tidalcyber.com/references/7bb238d4-4571-4cd0-aab2-76797570724a)]", "meta": { "software_attack_id": "S0101", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", "type": "similar" } ], "uuid": "93ab16d1-625e-4b1c-bb28-28974c269c47", "value": "ifconfig" }, { "description": "[iKitten](https://app.tidalcyber.com/software/71098f6e-a2c0-434f-b991-6c079fd3e82d) is a macOS exfiltration agent [[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)].", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0278", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513", "type": "similar" } ], "uuid": "71098f6e-a2c0-434f-b991-6c079fd3e82d", "value": "iKitten" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to compile C# code into a DLL or EXE.\n\n**Author:** Hai vaknin (lux)\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ilasm.exe\n\n**Resources:**\n* 
[https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt](https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt)\n\n**Detection:**\n* IOC: Ilasm may not be used often in production environments (such as on endpoints)\n* Sigma: [proc_creation_win_lolbin_ilasm.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml)[[Ilasm.exe - LOLBAS Project](/references/347a1f01-02ce-488e-9100-862971c1833f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5119", "source": "Tidal Cyber", "tags": [ "8bcce456-e1dc-4dd0-99a9-8334fd6f2847", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "492104c0-79d6-461e-9dc5-0e4bfd3f2387", "value": "Ilasm" }, { "description": "IMAPLoader is a .NET downloader that uses email-based channels for command and control communication. It is believed to be developed and used by Yellow Liderc, a threat actor group based in Iran and aligned with the Iranian Islamic Revolutionary Guard Corps (IRGC). 
IMAPLoader is delivered via drive-by compromises and phishing attacks.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5308", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "9e8620c4-a560-4081-aefc-118c7ec3fc22", "type": "used-by" } ], "uuid": "0832ffda-240a-4455-a53b-71b2683bea09", "value": "IMAPLoader" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft IME Open Extended Dictionary Module\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1367493406835040265](https://twitter.com/notwhickey/status/1367493406835040265)\n\n**Detection:**\n* Sigma: [net_connection_win_imewdbld.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml)[[IMEWDBLD.exe - LOLBAS Project](/references/9d1d6bc1-61cf-4465-b3cb-b6af36769027)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5115", "source": "Tidal Cyber", "tags": [ "796962fe-56d7-4816-9193-153da0be7c10", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "2ef7c673-a0dc-4773-a9fd-337ed68d9b0b", "value": "IMEWDBLD" }, { "description": "[Imminent Monitor](https://app.tidalcyber.com/software/925fc0db-9315-4703-9353-1d0e9ecb1439) was a commodity remote access 
tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[[Imminent Unit42 Dec2019](https://app.tidalcyber.com/references/28f858c6-4c00-4c0c-bb27-9e000ba22690)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0434", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", "type": "similar" } ], "uuid": "925fc0db-9315-4703-9353-1d0e9ecb1439", "value": "Imminent Monitor" }, { "description": "[Impacket](https://app.tidalcyber.com/software/cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. 
[Impacket](https://app.tidalcyber.com/software/cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[[Impacket Tools](https://app.tidalcyber.com/references/cdaf72ce-e8f7-42ae-b815-14a7fd47e292)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0357", "source": "MITRE", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "6a80006a-ff1c-48e8-bb6f-d109d7b7a2fc", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "4d767e87-4cf6-438a-927a-43d2d0beaab7", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { 
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "similar" } ], "uuid": "cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c", "value": "Impacket" }, { "description": "[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)] [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0604", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "37dff778-95a6-4e51-a26a-1d399ef713be" ], "type": [ "malware" ] }, "related": [ { 
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", "type": "similar" } ], "uuid": "09398a7c-aee5-44af-b99d-f73d3b39c299", "value": "Industroyer" }, { "description": "[Industroyer2](https://app.tidalcyber.com/software/53c5fb76-a690-55c3-9e02-39577990da2a) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299). Security researchers assess that [Industroyer2](https://app.tidalcyber.com/software/53c5fb76-a690-55c3-9e02-39577990da2a) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://app.tidalcyber.com/software/53c5fb76-a690-55c3-9e02-39577990da2a) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.[[Industroyer2 Blackhat ESET](https://app.tidalcyber.com/references/d9e8ca96-8646-5dd9-bede-56305385b2e4)]", "meta": { "software_attack_id": "S1072", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "37dff778-95a6-4e51-a26a-1d399ef713be" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "type": "similar" } ], "uuid": "53c5fb76-a690-55c3-9e02-39577990da2a", "value": "Industroyer2" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used to perform installation based on content inside inf files\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* 
C:\\Windows\\System32\\Infdefaultinstall.exe\n* C:\\Windows\\SysWOW64\\Infdefaultinstall.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/911997635455852544](https://twitter.com/KyleHanslovan/status/911997635455852544)\n* [https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/](https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/)\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* Sigma: [proc_creation_win_infdefaultinstall_execute_sct_scripts.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Infdefaultinstall.exe - LOLBAS Project](/references/5e83d17c-dbdd-4a6c-a395-4f921b68ebec)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5120", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "e35b5513-4370-4f8c-b3a6-1f64c65f1e85", "value": "Infdefaultinstall" }, { "description": "[InnaputRAT](https://app.tidalcyber.com/software/e42bf572-1e70-4467-a4b7-5e22c776c758) is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT](https://app.tidalcyber.com/software/e42bf572-1e70-4467-a4b7-5e22c776c758) has been seen out in the wild since 2016. 
[[ASERT InnaputRAT April 2018](https://app.tidalcyber.com/references/29c6575f-9e47-48cb-8162-15280002a6d5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0259", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", "type": "similar" } ], "uuid": "e42bf572-1e70-4467-a4b7-5e22c776c758", "value": "InnaputRAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/](https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/)\n* [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12](https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md)\n* [https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)\n* 
[https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool](https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool)\n\n**Detection:**\n* Sigma: [proc_creation_win_instalutil_no_log_execution.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml)\n* Sigma: [proc_creation_win_lolbin_installutil_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml)\n* Elastic: [defense_evasion_installutil_beacon.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Installutil](/references/7dfb2c45-862a-4c25-a65a-55abea4b0e44)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5121", "source": "Tidal Cyber", "tags": [ "a3f84674-3813-4993-9e34-39cdaa19cbd1", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "c983bb77-b96c-44d5-b3f8-2540d7c604db", "value": "Installutil" }, { "description": "According to joint Cybersecurity Advisory AA23-250A (September 2023), Interactsh is \"an open-source tool for detecting external interactions (communication)\". 
The Advisory further states that the tool is \"used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity\".[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5049", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee" ], "type": [ "tool" ] }, "related": [], "uuid": "9ec3777d-9a36-4822-a3e2-a7ce5d296309", "value": "Interactsh" }, { "description": "Inveigh is an open-source utility. According to its GitHub project page, it is a \"machine-in-the-middle\" tool designed for penetration testing purposes.[[GitHub Inveigh](/references/cca306e5-f9da-4782-a06f-ba3ad70e34ca)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5272", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [], "uuid": "5658f260-8e96-4fa5-9863-189660048e5d", "value": "Inveigh" }, { "description": "[InvisiMole](https://app.tidalcyber.com/software/3ee4c49d-2f2c-4677-b193-69f16f2851a4) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://app.tidalcyber.com/software/3ee4c49d-2f2c-4677-b193-69f16f2851a4) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. 
[Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) infrastructure has been used to download and execute [InvisiMole](https://app.tidalcyber.com/software/3ee4c49d-2f2c-4677-b193-69f16f2851a4) against a small number of victims.[[ESET InvisiMole June 2018](https://app.tidalcyber.com/references/629fa1d8-06cb-405c-a2f7-c511b54cd727)][[ESET InvisiMole June 2020](https://app.tidalcyber.com/references/d10cfda8-8fd8-4ada-8c61-dba6065b0bac)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0260", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", "type": "similar" } ], "uuid": "3ee4c49d-2f2c-4677-b193-69f16f2851a4", "value": "InvisiMole" }, { "description": "[Invoke-PSImage](https://app.tidalcyber.com/software/2200a647-3312-44c0-9691-4a26153febbb) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web. An example of its usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. [[GitHub Invoke-PSImage](https://app.tidalcyber.com/references/dd210b79-bd5f-4282-9542-4d1ae2f16438)]", "meta": { "software_attack_id": "S0231", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", "type": "similar" } ], "uuid": "2200a647-3312-44c0-9691-4a26153febbb", "value": "Invoke-PSImage" }, { "description": "IOBit is a self-described \"freeware\" tool that can ostensibly be used to \"clean, optimize, speed up and secure\" personal computers. According to U.S. 
cybersecurity authorities, IOBit has been used by adversaries, such as ransomware actors, as part of their operations, for example to disable anti-virus software.[[U.S. CISA Play Ransomware December 2023](/references/ad96148c-8230-4923-86fd-4b1da211db1a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5080", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "9c955014-2d83-4b5b-9127-cfc49e86779f", "value": "IOBit" }, { "description": "[ipconfig](https://app.tidalcyber.com/software/4f519002-0576-4f8e-8add-73ebac9a86e6) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. 
[[TechNet Ipconfig](https://app.tidalcyber.com/references/8a6e6f59-70fb-48bf-96d2-318dd92df995)]", "meta": { "software_attack_id": "S0100", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "similar" } ], "uuid": 
"4f519002-0576-4f8e-8add-73ebac9a86e6", "value": "ipconfig" }, { "description": "[IronNetInjector](https://app.tidalcyber.com/software/9ca96281-8ff9-4619-a79d-16c5a9594eae) is a [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://app.tidalcyber.com/software/300c5997-a486-4a61-8213-93a180c22849).[[Unit 42 IronNetInjector February 2021 ](https://app.tidalcyber.com/references/f04c89f7-d951-4ebc-a5e4-2cc69476c43f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0581", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e", "type": "similar" } ], "uuid": "9ca96281-8ff9-4619-a79d-16c5a9594eae", "value": "IronNetInjector" }, { "description": "[ISMInjector](https://app.tidalcyber.com/software/752ab0fc-7fa1-4e54-bd9a-7a280a38ed77) is a Trojan used to install another [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) backdoor, ISMAgent. [[OilRig New Delivery Oct 2017](https://app.tidalcyber.com/references/f5f3e1e7-1d83-4ddc-a878-134cd0d268ce)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0189", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "type": "similar" } ], "uuid": "752ab0fc-7fa1-4e54-bd9a-7a280a38ed77", "value": "ISMInjector" }, { "description": "[Ixeshe](https://app.tidalcyber.com/software/6dbf31cf-0ba0-48b4-be82-38889450845c) is a malware family that has been used since at least 2009 against targets in East Asia. 
[[Moran 2013](https://app.tidalcyber.com/references/d38bdb47-1a8d-43f8-b7ed-dfa5e430ac2f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0015", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" }, { "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "type": "similar" } ], "uuid": "6dbf31cf-0ba0-48b4-be82-38889450845c", "value": "Ixeshe" }, { "description": "Jaguar Tooth is a malicious software bundle consisting of a series of payloads and patches. Russia-backed APT28 used Jaguar Tooth during a series of compromises involving vulnerable Cisco routers belonging to U.S., Ukrainian, and other entities in 2021.[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]\n\nAccording to an April 2023 UK National Cyber Security Centre technical report on Jaguar Tooth, the malware is deployed and executed via exploitation of CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated backdoor access to victim systems.[[UK NCSC Jaguar Tooth April 18 2023](/references/954e0cb9-9a93-4cac-af84-c6989b973fac)]\n\n**Related Vulnerabilities**: CVE-2017-6742[[U.S. 
CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Network" ], "software_attack_id": "S5061", "source": "Tidal Cyber", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "af5e9be5-b86e-47af-91dd-966a5e34a186", "15787198-6c8b-4f79-bf50-258d55072fee", "f01290d9-7160-44cb-949f-ee4947d04b6f", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" } ], "uuid": "0eb47e25-56ec-42ba-9850-e50450b853e0", "value": "Jaguar Tooth" }, { "description": "[Janicab](https://app.tidalcyber.com/software/a4debf1f-8a37-4c89-8ebc-31de71d33f79) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [[Janicab](https://app.tidalcyber.com/references/1acc1a83-faac-41d3-a08b-cc3a539567fb)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0163", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "type": "similar" } ], "uuid": "a4debf1f-8a37-4c89-8ebc-31de71d33f79", "value": "Janicab" }, { "description": "[Javali](https://app.tidalcyber.com/software/853d3d18-d746-4650-a9bd-c36a0e86dd02) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0528", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "64122557-5940-4271-9123-25bfc0c693db", "type": "similar" } ], "uuid": "853d3d18-d746-4650-a9bd-c36a0e86dd02", "value": "Javali" }, { "description": "[JCry](https://app.tidalcyber.com/software/41ec0bbc-65ca-4913-a763-1638215d7b2f) is ransomware written in Go. 
It was identified as a part of the #OpJerusalem 2019 campaign.[[Carbon Black JCry May 2019](https://app.tidalcyber.com/references/deb97163-323a-493a-9c73-b41c8c5e5cd1)]", "meta": { "software_attack_id": "S0389", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", "type": "similar" } ], "uuid": "41ec0bbc-65ca-4913-a763-1638215d7b2f", "value": "JCry" }, { "description": "[JHUHUGIT](https://app.tidalcyber.com/software/d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae) is malware used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). It is based on Carberp source code and serves as reconnaissance malware. [[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)] [[F-Secure Sofacy 2015](https://app.tidalcyber.com/references/56a95d3c-5268-4e69-b669-7055fb38d570)] [[ESET Sednit Part 1](https://app.tidalcyber.com/references/a2016103-ead7-46b3-bae5-aa97c45a12b7)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0044", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "type": "similar" } ], "uuid": "d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae", "value": "JHUHUGIT" }, { "description": "[JPIN](https://app.tidalcyber.com/software/c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f) is a custom-built backdoor family used by [PLATINUM](https://app.tidalcyber.com/groups/f036b992-4c3f-47b7-a458-94ac133bce74). 
Evidence suggests developers of [JPIN](https://app.tidalcyber.com/software/c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f) and [Dipsind](https://app.tidalcyber.com/software/226ee563-4d49-48c2-aa91-82999f43ce30) code bases were related in some way. [[Microsoft PLATINUM April 2016](https://app.tidalcyber.com/references/d0ec5037-aa7f-48ee-8d37-ff8fb2c8c297)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0201", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" }, { "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", "type": "similar" } ], "uuid": "c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f", "value": "JPIN" }, { "description": "[jRAT](https://app.tidalcyber.com/software/42fe9795-5cf6-4ad7-b56e-2aa655377992) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://app.tidalcyber.com/software/42fe9795-5cf6-4ad7-b56e-2aa655377992) have been distributed via a software-as-a-service platform, similar to an online subscription model.[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)] [[jRAT Symantec Aug 2018](https://app.tidalcyber.com/references/8aed9534-2ec6-4c9f-b63b-9bb135432cfb)]", "meta": { "platforms": [ "macOS", "Linux", "Android", "Windows" ], "software_attack_id": "S0283", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", "type": "similar" } ], "uuid": "42fe9795-5cf6-4ad7-b56e-2aa655377992", "value": "jRAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License 
v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary file used by .NET to compile JavaScript code to .exe or .dll format\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Jsc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Jsc.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Jsc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Jsc.exe\n\n**Resources:**\n* [https://twitter.com/DissectMalware/status/998797808907046913](https://twitter.com/DissectMalware/status/998797808907046913)\n* [https://www.phpied.com/make-your-javascript-a-windows-exe/](https://www.phpied.com/make-your-javascript-a-windows-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_jsc.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml)\n* IOC: Jsc.exe should normally not run on a system unless it is used for development.[[Jsc.exe - LOLBAS Project](/references/ae25ff74-05eb-46d7-9c60-4c149b7c7f1f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5122", "source": "Tidal Cyber", "tags": [ "ee16a0c7-b3cf-4303-9681-b3076da9bff0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1c67bf0b-22f8-4f57-8f91-f15b4923455f", "value": "Jsc" }, { "description": "[JSS Loader](https://app.tidalcyber.com/software/c67f3029-a26c-4752-b7f1-8e3369c2f79d) is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) since at least 2020.[[eSentire FIN7 July 2021](https://app.tidalcyber.com/references/3976dd0e-7dee-4ae7-8c38-484b12ca233e)][[CrowdStrike Carbon Spider August 2021](https://app.tidalcyber.com/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)]", "meta": { "platforms": [ "Windows" ], 
"software_attack_id": "S0648", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3", "type": "similar" } ], "uuid": "c67f3029-a26c-4752-b7f1-8e3369c2f79d", "value": "JSS Loader" }, { "description": "Juicy Potato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[[GitHub ohpe Juicy Potato](/references/16d0dd05-763a-4503-aa88-c8867d8f202d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5303", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" } ], "uuid": "57e9c32b-a1fa-45bc-9a57-098834a2c356", "value": "Juicy Potato" }, { "description": "[KARAE](https://app.tidalcyber.com/software/ca883d21-97ca-420d-a66b-ef19a8355467) is a backdoor typically used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) as first-stage malware. [[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0215", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", "type": "similar" } ], "uuid": "ca883d21-97ca-420d-a66b-ef19a8355467", "value": "KARAE" }, { "description": "[Kasidet](https://app.tidalcyber.com/software/1896b9c9-a93e-4220-b4c2-6c4c9c5ca297) is a backdoor that has been dropped by using malicious VBA macros. 
[[Zscaler Kasidet](https://app.tidalcyber.com/references/63077223-4711-4c1e-9fb2-3995c7e03cf2)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0088", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "type": "similar" } ], "uuid": "1896b9c9-a93e-4220-b4c2-6c4c9c5ca297", "value": "Kasidet" }, { "description": "[Kazuar](https://app.tidalcyber.com/software/e93990a0-4841-4867-8b74-ac2806d787bf) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [[Unit 42 Kazuar May 2017](https://app.tidalcyber.com/references/07e64ee6-3d3e-49e4-bb06-ff5897e26ea9)]", "meta": { "platforms": [ "macOS", "Windows" ], "software_attack_id": "S0265", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", "type": "similar" } ], "uuid": "e93990a0-4841-4867-8b74-ac2806d787bf", "value": "Kazuar" }, { "description": "[Kerrdown](https://app.tidalcyber.com/software/17c28e46-1005-4737-8567-d4ad9f1aefd1) is a custom downloader that has been used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) since at least 2018 to install spyware from a server on the victim's network.[[Amnesty Intl. 
Ocean Lotus February 2021](https://app.tidalcyber.com/references/a54a2f68-8406-43ab-8758-07edd49dfb83)][[Unit 42 KerrDown February 2019](https://app.tidalcyber.com/references/bff5dbfe-d080-46c1-82b7-272e03d2aa8c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0585", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", "type": "similar" } ], "uuid": "17c28e46-1005-4737-8567-d4ad9f1aefd1", "value": "Kerrdown" }, { "description": "[Kessel](https://app.tidalcyber.com/software/32f1e0d3-753f-4b51-aec5-cfaa393cedc3) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://app.tidalcyber.com/software/32f1e0d3-753f-4b51-aec5-cfaa393cedc3) has been active since its C2 domain began resolving in August 2018.[[ESET ForSSHe December 2018](https://app.tidalcyber.com/references/0e25bf8b-3c9e-4661-a9fd-79b2ad3b8dd2)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0487", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c984b414-b766-44c5-814a-2fe96c913c12", "type": "similar" } ], "uuid": "32f1e0d3-753f-4b51-aec5-cfaa393cedc3", "value": "Kessel" }, { "description": "[Kevin](https://app.tidalcyber.com/software/b9730d7c-aa57-4d6f-9125-57dcb65b02e0) is a backdoor implant written in C++ that has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least June 2020, including in operations against organizations in Tunisia.[[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1020", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": 
"used-by" }, { "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", "type": "similar" } ], "uuid": "b9730d7c-aa57-4d6f-9125-57dcb65b02e0", "value": "Kevin" }, { "description": "[KeyBoy](https://app.tidalcyber.com/software/6ec39371-d50b-43b6-937c-52de00491eab) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[[CitizenLab KeyBoy Nov 2016](https://app.tidalcyber.com/references/a9394372-3981-4f41-ad66-9db343e773b1)][[PWC KeyBoys Feb 2017](https://app.tidalcyber.com/references/9ac6737b-c8a2-416f-bbc3-8c5556ad4833)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0387", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" }, { "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", "type": "similar" } ], "uuid": "6ec39371-d50b-43b6-937c-52de00491eab", "value": "KeyBoy" }, { "description": "This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)].", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0276", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", "type": "similar" } ], "uuid": "aefbe6ff-7ce4-479e-916d-e8f0259d81f6", "value": "Keydnap" }, { "description": "[KEYMARBLE](https://app.tidalcyber.com/software/a644f61e-6a9b-41ab-beca-72518351c27f) is a Trojan that has reportedly been used by the North Korean government. 
[[US-CERT KEYMARBLE Aug 2018](https://app.tidalcyber.com/references/b30dd720-a85d-4bf5-84e1-394a27917ee7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0271", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "type": "similar" } ], "uuid": "a644f61e-6a9b-41ab-beca-72518351c27f", "value": "KEYMARBLE" }, { "description": "[KEYPLUG](https://app.tidalcyber.com/software/ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since at least June 2021.[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S1051", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", "type": "similar" } ], "uuid": "ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a", "value": "KEYPLUG" }, { "description": "[KGH_SPY](https://app.tidalcyber.com/software/c1e1ab6a-d5ce-4520-98c5-c6df41005fd9) is a modular suite of tools used by [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) for reconnaissance, information stealing, and backdoor capabilities. 
[KGH_SPY](https://app.tidalcyber.com/software/c1e1ab6a-d5ce-4520-98c5-c6df41005fd9) derived its name from PDB paths and internal names found in samples containing \"KGH\".[[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0526", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", "type": "similar" } ], "uuid": "c1e1ab6a-d5ce-4520-98c5-c6df41005fd9", "value": "KGH_SPY" }, { "description": "[KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) malware during cyber attacks against Ukraine in 2015. 
[KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) variants.[[KillDisk Ransomware](https://app.tidalcyber.com/references/9d22f13d-af6d-47b5-93ed-5e4b85b94978)][[ESEST Black Energy Jan 2016](https://app.tidalcyber.com/references/4d626eb9-3722-4aa4-b95e-1650cc2865c2)][[Trend Micro KillDisk 1](https://app.tidalcyber.com/references/8ae31db0-2744-4366-9747-55fc4679dbf5)][[Trend Micro KillDisk 2](https://app.tidalcyber.com/references/62d9a4c9-e669-4dd4-a584-4f3e3e54f97f)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0607", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", "type": "similar" } ], "uuid": "b5532e91-d267-4819-a05d-8c5358995add", "value": "KillDisk" }, { "description": "[Kinsing](https://app.tidalcyber.com/software/7b4f157c-4b34-4f55-9c20-ff787495e9ba) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. 
[[Aqua Kinsing April 2020](https://app.tidalcyber.com/references/67dd04dd-c0e0-49e6-9341-4e445d660641)][[Sysdig Kinsing November 2020](https://app.tidalcyber.com/references/4922dbb5-d3fd-4bf2-8af7-3b8889579c31)][[Aqua Security Cloud Native Threat Report June 2021](https://app.tidalcyber.com/references/be9652d5-7531-4143-9c44-aefd019b7a32)]", "meta": { "platforms": [ "Linux", "Containers" ], "software_attack_id": "S0599", "source": "MITRE", "tags": [ "efa33611-88a5-40ba-9bc4-3d85c6c8819b", "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d6e55656-e43f-411f-a7af-45df650471c5", "type": "similar" } ], "uuid": "7b4f157c-4b34-4f55-9c20-ff787495e9ba", "value": "Kinsing" }, { "description": "[Kivars](https://app.tidalcyber.com/software/673ed346-9562-4997-80b2-e701b1a99a58) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in a 2010 campaign.[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0437", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", "type": "similar" } ], "uuid": "673ed346-9562-4997-80b2-e701b1a99a58", "value": "Kivars" }, { "description": "[Koadic](https://app.tidalcyber.com/software/5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. 
[Koadic](https://app.tidalcyber.com/software/5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.[[Github Koadic](https://app.tidalcyber.com/references/54cbf1bd-9aed-4f82-8c15-6e88dd5d8d64)][[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)][[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0250", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "44f8bd4e-a357-4a76-b031-b7455a305ef0", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "type": "similar" } ], "uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd", "value": "Koadic" }, { "description": "[Kobalos](https://app.tidalcyber.com/software/bf918663-90bd-489e-91e7-6951a18a25fd) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://app.tidalcyber.com/software/bf918663-90bd-489e-91e7-6951a18a25fd) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. 
[Kobalos](https://app.tidalcyber.com/software/bf918663-90bd-489e-91e7-6951a18a25fd) was first identified in late 2019.[[ESET Kobalos Feb 2021](https://app.tidalcyber.com/references/883a9417-f7f6-4aa6-8708-8c320d4e0a7a)][[ESET Kobalos Jan 2021](https://app.tidalcyber.com/references/745e963e-33fd-40d4-a8c6-1a9f321017f4)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0641", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", "type": "similar" } ], "uuid": "bf918663-90bd-489e-91e7-6951a18a25fd", "value": "Kobalos" }, { "description": "[KOCTOPUS](https://app.tidalcyber.com/software/3e13d07d-d9e1-4456-bec3-b2375e404753)'s batch variant is a loader used by [LazyScripter](https://app.tidalcyber.com/groups/12279b62-289e-49ee-97cb-c780edd3d091) since 2018 to launch [Octopus](https://app.tidalcyber.com/software/8f04e609-8773-4529-b247-d32f530cc453) and [Koadic](https://app.tidalcyber.com/software/5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd) and, in some cases, [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b). 
[KOCTOPUS](https://app.tidalcyber.com/software/3e13d07d-d9e1-4456-bec3-b2375e404753) also has a VBA variant that has the same functionality as the batch version.[[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0669", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", "type": "similar" } ], "uuid": "3e13d07d-d9e1-4456-bec3-b2375e404753", "value": "KOCTOPUS" }, { "description": "[Komplex](https://app.tidalcyber.com/software/2cf1be0d-2fba-4fd0-ab2f-3695716d1735) is a backdoor that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://app.tidalcyber.com/software/6f411b69-6643-4cc7-9cbd-e15d9219e99c) [[XAgentOSX 2017](https://app.tidalcyber.com/references/2dc7a8f1-ccee-46f0-a995-268694f11b02)] [[Sofacy Komplex Trojan](https://app.tidalcyber.com/references/a21be45e-26c3-446d-b336-b58d08df5749)].", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0162", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", "type": "similar" } ], "uuid": "2cf1be0d-2fba-4fd0-ab2f-3695716d1735", "value": "Komplex" }, { "description": "[KOMPROGO](https://app.tidalcyber.com/software/3067f148-2e2b-4aac-9652-59823b3ad4f1) is a signature backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) that is capable of process, file, and registry management. 
[[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0156", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", "type": "similar" } ], "uuid": "3067f148-2e2b-4aac-9652-59823b3ad4f1", "value": "KOMPROGO" }, { "description": "[KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) has significant code overlap with the [NOKKI](https://app.tidalcyber.com/software/31aa0433-fb6b-4290-8af5-a0d0c6c18548) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) to [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66).[[Talos Konni May 2017](https://app.tidalcyber.com/references/4cb69c58-4e47-4fb9-9eef-8a0b5447a553)][[Unit 42 NOKKI Sept 2018](https://app.tidalcyber.com/references/f3d3b9bc-4c59-4a1f-b602-e3e884661708)][[Unit 42 Nokki Oct 2018](https://app.tidalcyber.com/references/4eea6638-a71b-4d74-acc4-0fac82ef72f6)][[Medium KONNI Jan 2020](https://app.tidalcyber.com/references/e117a6ac-eaa2-4494-b4ae-2d9ae52c3251)][[Malwarebytes Konni Aug 2021](https://app.tidalcyber.com/references/fb8c6402-ec18-414a-85f7-3d76eacbd890)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0356", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", 
"type": "similar" } ], "uuid": "d381de2a-30cb-4d50-bbce-fd1e489c4889", "value": "KONNI" }, { "description": "[KOPILUWAK](https://app.tidalcyber.com/software/d09c4459-1aa3-547d-99f4-7ac73b8043f0) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1075", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", "type": "similar" } ], "uuid": "d09c4459-1aa3-547d-99f4-7ac73b8043f0", "value": "KOPILUWAK" }, { "description": "[Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) is a backdoor Trojan used by [Orangeworm](https://app.tidalcyber.com/groups/863b7013-133d-4a82-93d2-51b53a8fd30e). 
[Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[[Symantec Orangeworm April 2018](https://app.tidalcyber.com/references/eee5efa1-bbc6-44eb-8fae-23002f351605)] [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) has multiple technical overlaps with [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) based on reverse engineering analysis.[[Cylera Kwampirs 2022](https://app.tidalcyber.com/references/06442111-2c71-5efb-9530-cabeba159a91)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0236", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", "type": "similar" } ], "uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3", "value": "Kwampirs" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1535981653239255040](https://twitter.com/nas_bench/status/1535981653239255040)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_launch_vsdevshell.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml)[[Launch-VsDevShell.ps1 - LOLBAS Project](/references/6e81ff6a-a386-495e-bd4b-cf698b02bce8)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5258", "source": "Tidal Cyber", "tags": [ "5be0da70-9249-44fa-8c3b-7394ef26b2e0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "288b2ab2-255a-457a-a6eb-02ee4711d6b8", "value": "Launch-VsDevShell" }, { "description": "[LaZagne](https://app.tidalcyber.com/software/f5558af4-e3e2-47c2-b8fe-72850bd30f37) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://app.tidalcyber.com/software/f5558af4-e3e2-47c2-b8fe-72850bd30f37) is publicly available on GitHub.[[GitHub LaZagne Dec 2018](https://app.tidalcyber.com/references/9347b507-3a41-405d-87f9-d4fc2bfc48e5)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0349", "source": "MITRE", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "26c5dec7-3184-4873-ae20-9558a498a27f", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { 
"dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" }, { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "similar" } ], "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37", "value": "LaZagne" }, { "description": "Ldifde is a Windows command-line tool that is used to create, modify, and delete directory objects. 
Ldifde can also be used to \"extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services\".[[Ldifde Microsoft](/references/c47ed0e0-f3e3-41de-9ea7-64fe4e343d9d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5017", "source": "Tidal Cyber", "tags": [ "cea43301-9f7a-46a5-be3a-3a09f0f3c09e", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" } ], "uuid": "d0ff555f-ba74-457c-b6e4-02962c230b60", "value": "Ldifde" }, { "description": "LEMURLOOT is a web shell written in C# that was used by threat actors after exploiting a MOVEit file transfer software vulnerability (CVE-2023-34362) during a campaign beginning in late May 2023. The malware supports staging and exfiltration of compressed victim data, including files and folders stored on vulnerable MOVEit servers.[[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]\n\n**Related Vulnerabilities**: CVE-2023-34362[[U.S. 
CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)][[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5020", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", "a98d7a43-f227-478e-81de-e7299639a355", "173e1480-8d9b-49c5-854d-594dde9740d6", "311abf64-a9cc-4c6a-b778-32c5df5658be" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" } ], "uuid": "d5d79a51-3756-40de-81cd-4dac172fbb74", "value": "LEMURLOOT" }, { "description": "According to joint Cybersecurity Advisory AA23-320A (November 2023), Level is a publicly available, legitimate tool that \"enables remote monitoring and management of systems\". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5067", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "bce485ad-7d4f-45b6-b3c1-218f2f757611", "value": "Level" }, { "description": "[LightNeuron](https://app.tidalcyber.com/software/c9d2f023-d54b-4d08-9598-a42fb92b3161) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://app.tidalcyber.com/software/c9d2f023-d54b-4d08-9598-a42fb92b3161) has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target diplomatic and foreign affairs-related organizations. 
The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://app.tidalcyber.com/software/c9d2f023-d54b-4d08-9598-a42fb92b3161) exists.[[ESET LightNeuron May 2019](https://app.tidalcyber.com/references/679aa333-572c-44ba-b94a-606f168d1ed2)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0395", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "type": "similar" } ], "uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161", "value": "LightNeuron" }, { "description": "[LIGHTWIRE](https://app.tidalcyber.com/software/1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0) is a web shell written in Perl that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.[[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)][[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1119", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80", "type": "similar" } ], "uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0", "value": "LIGHTWIRE" }, { "description": "Ligolo is a tool used to establish SOCKS5 or TCP tunnels from a reverse connection.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5034", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "3113cb05-23b4-4f90-ab7a-623b800302ce", "value": "Ligolo" }, { "description": "Line Dancer is one of the two key tools used during the ArcaneDoor network device intrusions, serving as an in-memory implant used to upload capabilities permitting arbitrary code execution and persistence (Line Runner).[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Network" ], "software_attack_id": "S5284", "source": "Tidal Cyber", "tags": [ "a159c91c-5258-49ea-af7d-e803008d97d3", "af5e9be5-b86e-47af-91dd-966a5e34a186", "15787198-6c8b-4f79-bf50-258d55072fee", "6bb2f579-a5cd-4647-9dcd-eff05efe3679", "9768aada-9d63-4d46-ab9f-d41b8c8e4010", "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3" ], "type": [ "malware" ] }, "related": [], "uuid": "80412b83-74e4-4bea-b05b-84b00f41db69", "value": "Line Dancer" }, { "description": "Line Runner is one of the two key tools (along with Line Dancer) used during the ArcaneDoor network device intrusion. 
Line Runner is used to maintain persistence and execute commands on compromised devices.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Network" ], "software_attack_id": "S5285", "source": "Tidal Cyber", "tags": [ "a159c91c-5258-49ea-af7d-e803008d97d3", "af5e9be5-b86e-47af-91dd-966a5e34a186", "15787198-6c8b-4f79-bf50-258d55072fee", "c25f341a-7030-4688-a00b-6d637298e52e", "9768aada-9d63-4d46-ab9f-d41b8c8e4010", "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3", "2e85babc-77cd-4455-9c6e-312223a956de" ], "type": [ "malware" ] }, "related": [], "uuid": "60bb6282-9eb8-4640-9d79-69c0c8ee0e0b", "value": "Line Runner" }, { "description": "[Linfo](https://app.tidalcyber.com/software/925975f8-e8ff-411f-a40e-f799968046f7) is a rootkit trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Linfo May 2012](https://app.tidalcyber.com/references/e6b88cd4-a58e-4139-b266-48d0f5957407)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0211", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "type": "similar" } ], "uuid": "925975f8-e8ff-411f-a40e-f799968046f7", "value": "Linfo" }, { "description": "[Linux Rabbit](https://app.tidalcyber.com/software/d017e133-fce9-4982-a2df-6867a80089e7) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. 
The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[[Anomali Linux Rabbit 2018](https://app.tidalcyber.com/references/e843eb47-21b0-44b9-8065-02aea0a0b05f)]\n", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0362", "source": "MITRE", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852", "70dc52b0-f317-4134-8a42-71aea1443707" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0efefea5-78da-4022-92bc-d726139e8883", "type": "similar" } ], "uuid": "d017e133-fce9-4982-a2df-6867a80089e7", "value": "Linux Rabbit" }, { "description": "[LiteDuke](https://app.tidalcyber.com/software/71e4028c-9ca1-45ce-bc44-98209ae9f6bd) is a third stage backdoor that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), primarily in 2014-2015. [LiteDuke](https://app.tidalcyber.com/software/71e4028c-9ca1-45ce-bc44-98209ae9f6bd) used the same dropper as [PolyglotDuke](https://app.tidalcyber.com/software/3b7179fa-7b8b-4068-b224-d8d9c642964d), and was found on machines also compromised by [MiniDuke](https://app.tidalcyber.com/software/2bb16809-6bc3-46c3-b28a-39cb49410340).[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0513", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", "type": "similar" } ], "uuid": "71e4028c-9ca1-45ce-bc44-98209ae9f6bd", "value": "LiteDuke" }, { "description": "[LitePower](https://app.tidalcyber.com/software/cc568409-71ff-468b-9c38-d0dd9020e409) is a downloader and second stage malware that has been used by [WIRTE](https://app.tidalcyber.com/groups/73da066d-b25f-45ba-862b-1a69228c6baa) since at least 2021.[[Kaspersky WIRTE November 
2021](https://app.tidalcyber.com/references/143b4694-024d-49a5-be3c-d9ceca7295b2)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0680", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" }, { "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd", "type": "similar" } ], "uuid": "cc568409-71ff-468b-9c38-d0dd9020e409", "value": "LitePower" }, { "description": "[LITTLELAMB.WOOLTEA](https://app.tidalcyber.com/software/c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca) is a backdoor that was used by UNC5325 during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1121", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "19256855-65e9-48f2-8b74-9f3d0a994428", "type": "similar" } ], "uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca", "value": "LITTLELAMB.WOOLTEA" }, { "description": "[Lizar](https://app.tidalcyber.com/software/65d46aab-b3ce-4f5b-b1fc-871db2573fa1) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d). 
It has likely been used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) since at least February 2021.[[BiZone Lizar May 2021](https://app.tidalcyber.com/references/315f47e1-69e5-4dcb-94b2-59583e91dd26)][[Threatpost Lizar May 2021](https://app.tidalcyber.com/references/1b89f62f-586d-4dee-b6dd-e5a5cd090a0e)][[Gemini FIN7 Oct 2021](https://app.tidalcyber.com/references/bbaef178-8577-4398-8e28-604faf0950b4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0681", "source": "MITRE", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", "992bdd33-4a47-495d-883a-58010a2f0efb", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" }, { "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", "type": "similar" } ], "uuid": "65d46aab-b3ce-4f5b-b1fc-871db2573fa1", "value": "Lizar" }, { "description": "Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nLockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). 
As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with BlackMatter and BlackCat ransomware and is “more modular and evasive” than previous LockBit strains.[[U.S. CISA LockBit 3.0 March 2023](/references/06de9247-ce40-4709-a17a-a65b8853758b)]\n\nAccording to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Delivered By**: Cobalt Strike[[Sentinel Labs LockBit 3.0 July 2022](/references/9a73b140-b483-4274-a134-ed1bb15ac31c)], PsExec[[NCC Group Research Blog August 19 2022](/references/8c1fbe98-5fc1-4e67-9b96-b740ffc9b1ae)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/lockbit/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/LockBit", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5047", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "5e7433ad-a894-4489-93bc-41e90da90019", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", 
"1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "08c70ea5-9d4d-4146-826e-c5ebd5490378", "value": "LockBit 3.0" }, { "description": "[LockerGoga](https://app.tidalcyber.com/software/65bc8e81-0a08-49f6-9d04-a2d63d512342) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[[Unit42 LockerGoga 2019](https://app.tidalcyber.com/references/8f058923-f2f7-4c0e-b90a-c7a0d5e62186)][[CarbonBlack LockerGoga 2019](https://app.tidalcyber.com/references/9970063c-6df7-4638-a247-6b1102289372)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0372", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", "type": "similar" } ], "uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342", "value": "LockerGoga" }, { "description": "[LoFiSe](https://app.tidalcyber.com/software/d28c3706-df25-59e2-939f-131abaf8a1eb) has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) since at least 2023 to identify and collect files of interest on targeted systems.[[Kaspersky ToddyCat Check Logs October 2023](https://app.tidalcyber.com/references/dbdaf320-eada-5bbb-95ab-aaa987ed7960)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1101", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", "type": "similar" } 
], "uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb", "value": "LoFiSe" }, { "description": "LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.[[LogMeIn Homepage](/references/e113b544-82ad-4099-ab4e-7fc8b78f54bd)] Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.[[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)][[CSRB LAPSUS$ July 24 2023](/references/f8311977-303c-4d05-a7f4-25b3ae36318b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5073", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" } ], "uuid": "7b471178-30a1-4c48-bbff-c4d2fdbb35a9", "value": "LogMeIn" }, { "description": "[LoJax](https://app.tidalcyber.com/software/039f34e9-f379-4a24-a53f-b28ba579854c) is a UEFI rootkit used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) to persist remote access software on targeted systems.[[ESET LoJax Sept 2018](https://app.tidalcyber.com/references/bb938fea-2b2e-41d3-a55c-40ea34c00d21)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0397", "source": "MITRE", "tags": [ "1efd43ee-5752-49f2-99fe-e3441f126b00" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", "type": "similar" } ], 
"uuid": "039f34e9-f379-4a24-a53f-b28ba579854c", "value": "LoJax" }, { "description": "[Lokibot](https://app.tidalcyber.com/software/4fead65c-499d-4f44-8879-2c35b24dac68) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. [Lokibot](https://app.tidalcyber.com/software/4fead65c-499d-4f44-8879-2c35b24dac68) can also create a backdoor into infected systems to allow an attacker to install additional payloads.[[Infoblox Lokibot January 2019](https://app.tidalcyber.com/references/17ab0f84-a062-4c4f-acf9-e0b8f81c3cda)][[Morphisec Lokibot April 2020](https://app.tidalcyber.com/references/e938bab1-7dc1-4a78-b1e2-ab2aa0a83eb0)][[CISA Lokibot September 2020](https://app.tidalcyber.com/references/df979f7b-6de8-4029-ae47-700f29157db0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0447", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" }, { "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", "type": "similar" } ], "uuid": "4fead65c-499d-4f44-8879-2c35b24dac68", "value": "Lokibot" }, { "description": "[LookBack](https://app.tidalcyber.com/software/bfd2a077-5000-4500-82c4-5c85fb98dd5a) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. 
The TALONITE activity group has been observed using [LookBack](https://app.tidalcyber.com/software/bfd2a077-5000-4500-82c4-5c85fb98dd5a).[[Proofpoint LookBack Malware Aug 2019](https://app.tidalcyber.com/references/77887f82-7815-4a91-8c8a-f77dc8a9ba53)][[Dragos TALONITE](https://app.tidalcyber.com/references/f8ef1920-a4ad-4d65-b9de-8357d75f6929)][[Dragos Threat Report 2020](https://app.tidalcyber.com/references/8bb3147c-3178-4449-9978-f1248b1bcb0a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0582", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688", "type": "similar" } ], "uuid": "bfd2a077-5000-4500-82c4-5c85fb98dd5a", "value": "LookBack" }, { "description": "LostMyPassword is a tool used to recover passwords from Windows systems.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5035", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "41041d5d-0866-4a57-92b7-d075d8b344ad", "value": "LostMyPassword" }, { "description": "[LoudMiner](https://app.tidalcyber.com/software/f503535b-406c-4e24-8123-0e22fec995bb) is a cryptocurrency miner which uses virtualization software to siphon system resources. 
The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[[ESET LoudMiner June 2019](https://app.tidalcyber.com/references/f1e4ff9e-cb6c-46cc-898e-5f170bb5f634)]", "meta": { "platforms": [ "macOS", "Windows" ], "software_attack_id": "S0451", "source": "MITRE", "tags": [ "a2e000da-8181-4327-bacd-32013dbd3654" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10", "type": "similar" } ], "uuid": "f503535b-406c-4e24-8123-0e22fec995bb", "value": "LoudMiner" }, { "description": "[LOWBALL](https://app.tidalcyber.com/software/fce1117a-e699-4aef-b1fc-04c3967acc33) is malware used by [admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. [[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0042", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "type": "similar" } ], "uuid": "fce1117a-e699-4aef-b1fc-04c3967acc33", "value": "LOWBALL" }, { "description": "[Lslsass](https://app.tidalcyber.com/software/37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc) is a publicly-available tool that can dump active logon session password hashes from the lsass process. 
[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0121", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "type": "similar" } ], "uuid": "37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc", "value": "Lslsass" }, { "description": "[Lucifer](https://app.tidalcyber.com/software/723d9a27-74fd-4333-a8db-63df2a8b4dd4) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[[Unit 42 Lucifer June 2020](https://app.tidalcyber.com/references/3977a87a-2eab-4a67-82b2-10c9dc7e4554)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0532", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "54a73038-1937-4d71-a253-316e76d5413c", "type": "similar" } ], "uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4", "value": "Lucifer" }, { "description": "[Lurid](https://app.tidalcyber.com/software/0cc9e24b-d458-4782-a332-4e4fd68c057b) is a malware family that has been used by several groups, including [PittyTiger](https://app.tidalcyber.com/groups/60936d3c-37ed-4116-a407-868da3aa4446), in targeted attacks as far back as 2006. 
[[Villeneuve 2014](https://app.tidalcyber.com/references/a156e24e-0da5-4ac7-b914-29f2f05e7d6f)] [[Villeneuve 2011](https://app.tidalcyber.com/references/ed5a2ec0-8328-40db-9f58-7eaac4ad39a0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0010", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" }, { "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "type": "similar" } ], "uuid": "0cc9e24b-d458-4782-a332-4e4fd68c057b", "value": "Lurid" }, { "description": "[Machete](https://app.tidalcyber.com/software/be8a1630-9562-41ad-a621-65989f961a10) is a cyber espionage toolset used by [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0409", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "type": "used-by" }, { "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", "type": "similar" } ], "uuid": "be8a1630-9562-41ad-a621-65989f961a10", "value": "Machete" }, { "description": "[MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. 
[MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) has been observed in the wild since November 2021.[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S1016", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", "type": "similar" } ], "uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb", "value": "MacMa" }, { "description": "[macOS.OSAMiner](https://app.tidalcyber.com/software/74feb557-21bc-40fb-8ab5-45d3af84c380) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://app.tidalcyber.com/software/74feb557-21bc-40fb-8ab5-45d3af84c380) may have been circulating since at least 2015. [macOS.OSAMiner](https://app.tidalcyber.com/software/74feb557-21bc-40fb-8ab5-45d3af84c380) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[[SentinelLabs reversing run-only applescripts 2021](https://app.tidalcyber.com/references/34dc9010-e800-420c-ace4-4f426c915d2f)][[VMRay OSAMiner dynamic analysis 2021](https://app.tidalcyber.com/references/47a5d32d-e6a5-46c2-898a-e45dc42371be)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S1048", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37", "type": "similar" } ], "uuid": "74feb557-21bc-40fb-8ab5-45d3af84c380", "value": "macOS.OSAMiner" }, { "description": "[MacSpy](https://app.tidalcyber.com/software/e5e67c67-e658-45b5-850b-044312be4258) is a malware-as-a-service offered on the darkweb [[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)].", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0282", "source": "MITRE", "type": [ "malware" ] 
}, "related": [ { "dest-uuid": "f72251cb-2be5-421f-a081-99c29a1209e7", "type": "similar" } ], "uuid": "e5e67c67-e658-45b5-850b-044312be4258", "value": "MacSpy" }, { "description": "[Mafalda](https://app.tidalcyber.com/software/7506616c-b808-54fb-9982-072a0dcf8a04) is a flexible interactive implant that has been used by [Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b). Security researchers assess the [Mafalda](https://app.tidalcyber.com/software/7506616c-b808-54fb-9982-072a0dcf8a04) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. [[SentinelLabs Metador Sept 2022](https://app.tidalcyber.com/references/137474b7-638a-56d7-9ce2-ab906f207175)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1060", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" }, { "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", "type": "similar" } ], "uuid": "7506616c-b808-54fb-9982-072a0dcf8a04", "value": "Mafalda" }, { "description": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). 
It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[[GitHub MailSniper](https://app.tidalcyber.com/references/50595548-b0c6-49d1-adab-43c8969ae716)]", "meta": { "platforms": [ "Office 365", "Windows", "Azure AD" ], "software_attack_id": "S0413", "source": "MITRE", "tags": [ "15f2277a-a17e-4d85-8acd-480bf84f16b4", "c9c73000-30a5-4a16-8c8b-79169f9c24aa" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" }, { "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", "type": "similar" } ], "uuid": "d762974a-ca7e-45ee-bc1d-f5218bf46c84", "value": "MailSniper" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to package existing files into a cabinet (.cab) file\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\makecab.exe\n* C:\\Windows\\SysWOW64\\makecab.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_alternate_data_streams.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml)\n* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)\n* IOC: Makecab retrieving files from Internet\n* IOC: Makecab storing data into alternate data streams[[Makecab.exe - LOLBAS 
Project](/references/6473e36b-b5ad-4254-b46d-38c53ccbe446)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5123", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" } ], "uuid": "cf7f05a7-4093-4855-b9d9-b93226056aec", "value": "Makecab" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Script for managing BitLocker\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\manage-bde.wsf\n\n**Resources:**\n* [https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712](https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712)\n* [https://twitter.com/bohops/status/980659399495741441](https://twitter.com/bohops/status/980659399495741441)\n* [https://twitter.com/JohnLaTwC/status/1223292479270600706](https://twitter.com/JohnLaTwC/status/1223292479270600706)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_manage_bde.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml)\n* IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations[[Manage-bde.wsf - LOLBAS Project](/references/74d5483e-2268-464c-a048-bb1f25bbfc4f)]", "meta": { 
"owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5259", "source": "Tidal Cyber", "tags": [ "ff10869f-fed4-4f21-b83a-9939e7381d6e", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9b6b705e-55ae-4d9e-9c57-baf1358cc324", "value": "Manage-bde" }, { "description": "[MarkiRAT](https://app.tidalcyber.com/software/40806539-1496-4a64-b740-66f6a1467f40) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) since at least 2015.[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0652", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb", "type": "used-by" }, { "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1", "type": "similar" } ], "uuid": "40806539-1496-4a64-b740-66f6a1467f40", "value": "MarkiRAT" }, { "description": "According to its GitHub project page, MASSCAN is an \"Internet-scale\" TCP port scanner. 
Its usage is similar to that of the popular nmap scanning tool, but it is designed to be operated at a larger scale.[[GitHub masscan](/references/7ae0b5c6-c9e5-4922-9e98-6483c81a8b42)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5282", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "24862f72-a4e0-4a6b-90d7-2465aa86c402", "value": "MASSCAN" }, { "description": "[Matryoshka](https://app.tidalcyber.com/software/eeb700ea-2819-46f4-936d-f7592f20dedc) is a malware framework used by [CopyKittens](https://app.tidalcyber.com/groups/6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. 
[[ClearSky Wilted Tulip July 2017](https://app.tidalcyber.com/references/50233005-8dc4-4e91-9477-df574271df40)] [[CopyKittens Nov 2015](https://app.tidalcyber.com/references/04e3ce40-5487-4931-98db-f55da83f412e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0167", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" }, { "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "type": "similar" } ], "uuid": "eeb700ea-2819-46f4-936d-f7592f20dedc", "value": "Matryoshka" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by App-v in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\mavinject.exe\n* C:\\Windows\\SysWOW64\\mavinject.exe\n\n**Resources:**\n* [https://twitter.com/gN3mes1s/status/941315826107510784](https://twitter.com/gN3mes1s/status/941315826107510784)\n* [https://twitter.com/Hexcorn/status/776122138063409152](https://twitter.com/Hexcorn/status/776122138063409152)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_mavinject_process_injection.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml)\n* IOC: mavinject.exe should not run unless APP-v is in use on the workstation[[LOLBAS Mavinject](/references/4ba7fa89-006b-4fbf-aa6c-6775842c97a4)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5124", "source": "Tidal Cyber", 
"tags": [ "724c3509-ad5e-46a3-a72c-6f3807b13793", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "aa472f81-7673-4545-89f9-1dd43cead4f1", "value": "Mavinject" }, { "description": "[Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[[FireEye Maze May 2020](https://app.tidalcyber.com/references/02338a66-6820-4505-8239-a1f1fcc60d32)][[McAfee Maze March 2020](https://app.tidalcyber.com/references/627a14dd-5300-4f58-869c-0ec91ffb664e)][[Sophos Maze VM September 2020](https://app.tidalcyber.com/references/9c4bbcbb-2c18-453c-8b02-0a0cd512c3f3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0449", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad", "1cc90752-70a3-4a17-b370-e1473a212f79", "286918d5-0b48-4655-9118-907b53de0ee0", "c5c8f954-1bc0-45d5-9a4f-4385d0a720a1", "ab64f2d8-8da3-48de-ac66-0fd91d634b22", "5e7433ad-a894-4489-93bc-41e90da90019", "a2e000da-8181-4327-bacd-32013dbd3654", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", "type": "similar" } ], "uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64", "value": "Maze" }, { "description": "MBR Killer is a wiper malware observed during a May 2023 data theft and wiper campaign and a 2016 attack on Banco de Chile.[[The DFIR Report Truebot June 12 
2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5297", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2e621fc5-dea4-4cb9-987e-305845986cd3", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" } ], "uuid": "fb879c66-92b1-4a43-8df8-987fc3bc1b1b", "value": "MBR Killer" }, { "description": "[MCMD](https://app.tidalcyber.com/software/939cbe39-5b63-4651-b0c0-85ac39cb9f0e) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://app.tidalcyber.com/groups/).[[Secureworks MCMD July 2019](https://app.tidalcyber.com/references/f7364cfc-5a3b-4538-80d0-cae65f3c6592)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0500", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172", "type": "similar" } ], "uuid": "939cbe39-5b63-4651-b0c0-85ac39cb9f0e", "value": "MCMD" }, { "description": "[MechaFlounder](https://app.tidalcyber.com/software/31cbe3c8-be88-4a4f-891d-04c3bb7ed482) is a python-based remote access tool (RAT) that has been used by [APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1). 
The payload uses a combination of actor developed code and code snippets freely available online in development communities.[[Unit 42 MechaFlounder March 2019](https://app.tidalcyber.com/references/2263af27-9c30-4bf6-a204-2f148ebdd17c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0459", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", "type": "similar" } ], "uuid": "31cbe3c8-be88-4a4f-891d-04c3bb7ed482", "value": "MechaFlounder" }, { "description": "MedusaLocker is a ransomware-as-a-service (\"RaaS\") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/medusalocker/", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5022", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "55b20209-c04a-47ab-805d-ace83522ef6a", "type": "used-by" } ], "uuid": "c9e824b2-554b-4f42-b4c3-48e0a841f589", "value": "MedusaLocker Ransomware" }, { "description": "[meek](https://app.tidalcyber.com/software/6c3bbcae-3217-43c7-b709-5c54bc7636b1) is an open-source Tor plugin that tunnels Tor traffic through HTTPS 
connections.", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0175", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", "type": "similar" } ], "uuid": "6c3bbcae-3217-43c7-b709-5c54bc7636b1", "value": "meek" }, { "description": "MEGAcmd is an open-source tool that enables non-UI access (e.g., via command line interaction or scripts) to the MEGA cloud storage/file sharing service.[[GitHub meganz MEGAcmd](/references/6e4d67f5-cca1-4298-b21c-d7511aa264ae)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S5328", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e1af18e3-3224-4e4c-9d0f-533768474508", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" } ], "uuid": "f2384d09-61fa-4679-b975-6901dcd5c506", "value": "MEGAcmd" }, { "description": "[MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) is ransomware that first appeared in May 2019. [[IBM MegaCortex](https://app.tidalcyber.com/references/3d70d9b7-88e4-411e-a59a-bc862da965a7)] [MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10) has mainly targeted industrial organizations. 
[[FireEye Ransomware Disrupt Industrial Production](https://app.tidalcyber.com/references/9ffa0f35-98e4-4265-8b66-9c805a2b6525)][[FireEye Financial Actors Moving into OT](https://app.tidalcyber.com/references/4bd514b8-1f79-4946-b001-110ce5cf29a9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0576", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92", "type": "similar" } ], "uuid": "d8a4a817-2914-47b0-867c-ad8eeb7efd10", "value": "MegaCortex" }, { "description": "A legitimate binary that automates syncing between an endpoint and the MEGA Cloud Drive.[[GitHub meganz MEGAsync](/references/6e59c47d-597c-4687-942f-9f1cf1db75d5)] Adversaries are known to abuse the tool for data exfiltration purposes.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5005", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "8bf128ad-288b-41bc-904f-093f4fdde745", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": 
"05cd82bb-f8fc-40f3-83ba-1586ef953d05", "type": "used-by" }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "eed908e5-a0b3-473f-bca4-0d3197af2168", "value": "MEGAsync" }, { "description": "[Melcoz](https://app.tidalcyber.com/software/aa844e6b-feda-4928-8c6d-c59f7be88da0) is a banking trojan family built from the open-source tool Remote Access PC. [Melcoz](https://app.tidalcyber.com/software/aa844e6b-feda-4928-8c6d-c59f7be88da0) was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.[[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0530", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96", "type": "similar" } ], "uuid": "aa844e6b-feda-4928-8c6d-c59f7be88da0", "value": "Melcoz" }, { "description": "[MESSAGETAP](https://app.tidalcyber.com/software/15d7e478-349d-42e6-802d-f16302b98319) is a data mining malware family deployed by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) into telecommunications networks to monitor and save SMS traffic sent from specific phone numbers or IMSI numbers, as well as messages that contain specific keywords. 
[[FireEye MESSAGETAP October 2019](https://app.tidalcyber.com/references/f56380e8-3cfa-407c-a493-7f9e50ba3867)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0443", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", "type": "similar" } ], "uuid": "15d7e478-349d-42e6-802d-f16302b98319", "value": "MESSAGETAP" }, { "description": "[metaMain](https://app.tidalcyber.com/software/0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d) is a backdoor used by [Metador](https://app.tidalcyber.com/groups/a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://app.tidalcyber.com/software/7506616c-b808-54fb-9982-072a0dcf8a04) into memory.[[SentinelLabs Metador Sept 2022](https://app.tidalcyber.com/references/137474b7-638a-56d7-9ce2-ab906f207175)][[SentinelLabs Metador Technical Appendix Sept 2022](https://app.tidalcyber.com/references/aa021076-e9c5-5428-a938-c10cfb6b7c97)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1059", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" }, { "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", "type": "similar" } ], "uuid": "0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d", "value": "metaMain" }, { "description": "[Metamorfo](https://app.tidalcyber.com/software/ca607087-25ad-4a91-af83-608646cccbcb) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. 
The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[[Medium Metamorfo Apr 2020](https://app.tidalcyber.com/references/356defac-b976-41c1-aac8-5d6ff0c80e28)][[ESET Casbaneiro Oct 2019](https://app.tidalcyber.com/references/a5cb3ee6-9a0b-4e90-bf32-be7177a858b1)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0455", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2", "type": "similar" } ], "uuid": "ca607087-25ad-4a91-af83-608646cccbcb", "value": "Metamorfo" }, { "description": "The Metasploit Framework is an open-source software project that aids in penetration testing.[[Metasploit_Ref](/references/ab6ea6b3-3c71-4e69-9713-dae3e4446083)] The software is often abused by malicious actors to perform a range of post-exploitation activities.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5050", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" } ], "uuid": "8d3b1150-8bb3-49a8-8266-7023e3c5e50a", "value": "Metasploit" }, { "description": "MetaStealer is an information-stealing malware (\"infostealer\") designed to harvest passwords, cookies, and other sensitive information from victim systems.[[SentinelOne 9 11 2023](/references/0d015be9-34ba-4c59-9cea-80b76ee89dd0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS" ], "software_attack_id": "S5315", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ 
"malware" ] }, "related": [], "uuid": "e95281ef-a1b1-4da0-b7cc-fa0a9236a4fc", "value": "MetaStealer" }, { "description": "[Meteor](https://app.tidalcyber.com/software/ee07030e-ff50-404b-ad27-ab999fc1a23a) is a wiper that was used against Iranian government organizations, including Iranian Railways and the Ministry of Roads and Urban Development systems, in July 2021. [Meteor](https://app.tidalcyber.com/software/ee07030e-ff50-404b-ad27-ab999fc1a23a) is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called \"Indra\" since at least 2019 against private companies in Syria.[[Check Point Meteor Aug 2021](https://app.tidalcyber.com/references/bb79207f-3ab4-4b86-8b1c-d587724efb7c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0688", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0", "type": "similar" } ], "uuid": "ee07030e-ff50-404b-ad27-ab999fc1a23a", "value": "Meteor" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Trace log generation tool for Media Foundation Tools.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.16299.0\\x86\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.16299.0\\x64\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x86\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\n\n**Resources:**\n* [https://twitter.com/0rbz_/status/988911181422186496](https://twitter.com/0rbz_/status/988911181422186496)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_mftrace.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml)[[Mftrace.exe - LOLBAS Project](/references/b6d42cc9-1bf0-4389-8654-90b8d4e7ff49)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5224", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "4184f447-6f74-487b-be08-6330a6b78992", "value": "Mftrace" }, { "description": "[Micropsia](https://app.tidalcyber.com/software/5879efc1-f122-43ec-a80d-e25aa449594d) is a remote access tool written in Delphi.[[Talos Micropsia June 2017](https://app.tidalcyber.com/references/c727152c-079a-4ff9-a0e5-face919cf59b)][[Radware Micropsia July 2018](https://app.tidalcyber.com/references/8771ed60-eecb-4e0c-b22c-0c26d30d4dec)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0339", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14", "type": "used-by" }, { "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", "type": "similar" } ], "uuid": "5879efc1-f122-43ec-a80d-e25aa449594d", "value": "Micropsia" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Part of the NodeJS Visual Studio tools.\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\Common7\\IDE\\Extensions\\Microsoft\\NodeJsTools\\NodeJsTools\\Microsoft.NodejsTools.PressAnyKey.exe\n* C:\\Program Files (x86)\\Microsoft Visual 
Studio\\*\\Community\\Common7\\IDE\\Extensions\\Microsoft\\NodeJsTools\\NodeJsTools\\Microsoft.NodejsTools.PressAnyKey.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1463526834918854661](https://twitter.com/mrd0x/status/1463526834918854661)\n\n**Detection:**\n* Sigma: [proc_creation_win_renamed_pressanykey.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml)\n* Sigma: [proc_creation_win_pressanykey_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml)[[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project](/references/25c46948-a648-4c3c-b442-e700df68fa20)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5225", "source": "Tidal Cyber", "tags": [ "eb75bfce-e0d6-41b3-a3f0-df34e6e9b476", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "370b00ba-1f91-4375-8a4c-5ca67066f4fd", "value": "Microsoft.NodejsTools.PressAnyKey" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A utility included with .NET that is capable of compiling and executing C# or VB.net code.\n\n**Author:** Conor Richard\n\n**Paths:**\n* C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\Microsoft.Workflow.Compiler.exe\n\n**Resources:**\n* [https://twitter.com/mattifestation/status/1030445200475185154](https://twitter.com/mattifestation/status/1030445200475185154)\n* 
[https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb](https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb)\n* [https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1](https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1)\n* [https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1](https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1)\n* [https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks](https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks)\n* [https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/](https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/)\n* [https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15](https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_workflow_compiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml)\n* Splunk: [suspicious_microsoft_workflow_compiler_usage.yml](https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml)\n* Splunk: [suspicious_microsoft_workflow_compiler_rename.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml)\n* Elastic: 
[defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.\n* IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe\n* IOC: Presence of \"[[Microsoft.Workflow.Compiler.exe - LOLBAS Project](/references/1e659b32-a06f-45dc-a1eb-03f1a42c55ef)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5125", "source": "Tidal Cyber", "tags": [ "b48e3fa8-25b4-42be-97e7-086068a150c5", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "27bd5fc3-17d9-46fa-84ce-c772736512cd", "value": "Microsoft.Workflow.Compiler" }, { "description": "[Milan](https://app.tidalcyber.com/software/57545dbc-c72a-409d-a373-bc35e25160cd) is a backdoor implant based on [DanBot](https://app.tidalcyber.com/software/131c0eb2-9191-4ccd-a2d6-5f36046a8f2f) that was written in Visual C++ and .NET. 
[Milan](https://app.tidalcyber.com/software/57545dbc-c72a-409d-a373-bc35e25160cd) has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least June 2020.[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1015", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", "type": "similar" } ], "uuid": "57545dbc-c72a-409d-a373-bc35e25160cd", "value": "Milan" }, { "description": "[Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. 
[[Deply Mimikatz](https://app.tidalcyber.com/references/c92d890c-2839-433a-b458-f663e66e1c63)] [[Adsecurity Mimikatz Guide](https://app.tidalcyber.com/references/b251ed65-a145-4053-9dc2-bf0dad83d76c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0002", "source": "MITRE", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "5fda51b0-dfda-49bd-8615-524b45d4cd44", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", 
"type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" }, { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { 
"dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" }, { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" }, { "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" }, { "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", "type": "used-by" }, { "dest-uuid": "f0943620-7bbb-4239-8ed3-c541c36baaa1", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "similar" } ], "uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16", "value": "Mimikatz" }, { "description": 
"[MimiPenguin](https://app.tidalcyber.com/software/42350632-b59a-4cc5-995e-d95d8c608553) is a credential dumper, similar to [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16), designed specifically for Linux platforms. [[MimiPenguin GitHub May 2017](https://app.tidalcyber.com/references/b10cd6cc-35ed-4eac-b213-110de28f33ef)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0179", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" }, { "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", "type": "similar" } ], "uuid": "42350632-b59a-4cc5-995e-d95d8c608553", "value": "MimiPenguin" }, { "description": "[Miner-C](https://app.tidalcyber.com/software/c0dea9db-1551-4f6c-8a19-182efc34093a) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. [[Softpedia MinerC](https://app.tidalcyber.com/references/087b9bf1-bd9e-4cd6-a386-d9d2c812c927)]", "meta": { "software_attack_id": "S0133", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", "type": "similar" } ], "uuid": "c0dea9db-1551-4f6c-8a19-182efc34093a", "value": "Miner-C" }, { "description": "[MiniDuke](https://app.tidalcyber.com/software/2bb16809-6bc3-46c3-b28a-39cb49410340) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. The [MiniDuke](https://app.tidalcyber.com/software/2bb16809-6bc3-46c3-b28a-39cb49410340) toolset consists of multiple downloader and backdoor components. 
The loader has been used with other [MiniDuke](https://app.tidalcyber.com/software/2bb16809-6bc3-46c3-b28a-39cb49410340) components as well as in conjunction with [CosmicDuke](https://app.tidalcyber.com/software/43b317c6-5b4f-47b8-b7b4-15cd6f455091) and [PinchDuke](https://app.tidalcyber.com/software/ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4). [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0051", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "type": "similar" } ], "uuid": "2bb16809-6bc3-46c3-b28a-39cb49410340", "value": "MiniDuke" }, { "description": "[MirageFox](https://app.tidalcyber.com/software/535f1b97-7a70-4d18-be4e-3a9f74ccf78a) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. 
[[APT15 Intezer June 2018](https://app.tidalcyber.com/references/0110500c-bf67-43a5-97cb-16eb6c01040b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0280", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", "type": "similar" } ], "uuid": "535f1b97-7a70-4d18-be4e-3a9f74ccf78a", "value": "MirageFox" }, { "description": "[Misdat](https://app.tidalcyber.com/software/4048afa2-79c8-4d38-8219-2207adddd884) is a backdoor that was used in [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) from 2010 to 2011.[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0083", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "type": "similar" } ], "uuid": "4048afa2-79c8-4d38-8219-2207adddd884", "value": "Misdat" }, { "description": "[Mispadu](https://app.tidalcyber.com/software/758e5226-6015-5cc7-af4b-20fa35c9bac1) is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[[ESET Security Mispadu Facebook Ads 2019](https://app.tidalcyber.com/references/e1b945f4-20e0-5b69-8fd7-f05afce8c0ba)][[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)] This malware is operated, managed, and sold by the [Malteiro](https://app.tidalcyber.com/groups/803f8018-6e45-5b0f-978f-1fe96b217120) cybercriminal group.[[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)] [Mispadu](https://app.tidalcyber.com/software/758e5226-6015-5cc7-af4b-20fa35c9bac1) has mainly been used to target victims in Brazil and Mexico, and has also had 
confirmed operations throughout Latin America and Europe.[[SCILabs Malteiro 2021](https://app.tidalcyber.com/references/c6948dfc-b133-556b-a8ac-b3a4dba09c0e)][[SCILabs URSA/Mispadu Evolution 2023](https://app.tidalcyber.com/references/a7a0db8d-bc1c-5e89-8c42-a3a6cc2cf28d)][[Segurança Informática URSA Sophisticated Loader 2020](https://app.tidalcyber.com/references/29d25b85-ae13-57d6-9e6f-d0f65783b5ac)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1122", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120", "type": "used-by" }, { "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", "type": "similar" } ], "uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1", "value": "Mispadu" }, { "description": "[Mis-Type](https://app.tidalcyber.com/software/fe554d2e-f974-41d6-8e7a-701bd758355d) is a backdoor hybrid that was used in [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) by 2012.[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0084", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "type": "similar" } ], "uuid": "fe554d2e-f974-41d6-8e7a-701bd758355d", "value": "Mis-Type" }, { "description": "[Mivast](https://app.tidalcyber.com/software/f603ea32-91c3-4b62-a60f-57670433b080) is a backdoor that has been used by [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b). It was reportedly used in the Anthem breach. 
[[Symantec Black Vine](https://app.tidalcyber.com/references/0b7745ce-04c0-41d9-a440-df9084a45d09)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0080", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "type": "similar" } ], "uuid": "f603ea32-91c3-4b62-a60f-57670433b080", "value": "Mivast" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load snap-ins to locally and remotely manage Windows systems\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\mmc.exe\n* C:\\Windows\\SysWOW64\\mmc.exe\n\n**Resources:**\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://offsec.almond.consulting/UAC-bypass-dotnet.html](https://offsec.almond.consulting/UAC-bypass-dotnet.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_mmc_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml)\n* Sigma: [file_event_win_uac_bypass_dotnet_profiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml)[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5126", "source": "Tidal Cyber", "tags": [ 
"f9e6382f-e41e-438e-bd7e-57a57046d9e6", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "8c7acae2-f844-4e01-86d8-18c3ea90963f", "value": "Mmc" }, { "description": "[MobileOrder](https://app.tidalcyber.com/software/116f913c-0d5e-43d1-ba0d-3a12127af8f6) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4). [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]", "meta": { "software_attack_id": "S0079", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" }, { "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "type": "similar" } ], "uuid": "116f913c-0d5e-43d1-ba0d-3a12127af8f6", "value": "MobileOrder" }, { "description": "[MoleNet](https://app.tidalcyber.com/software/7ca5debb-f813-4e06-98f8-d1186552e5d2) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0553", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", "type": "similar" } ], "uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2", "value": "MoleNet" }, { "description": "[Mongall](https://app.tidalcyber.com/software/7f5355b3-e819-4c82-a0fa-b80fda8fd6e6) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://app.tidalcyber.com/groups/454402a3-0503-45bf-b2e0-177fa2e2d412).[[SentinelOne Aoqin Dragon June 
2022](https://app.tidalcyber.com/references/b4e792e0-b1fa-4639-98b1-233aaec53594)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1026", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" }, { "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", "type": "similar" } ], "uuid": "7f5355b3-e819-4c82-a0fa-b80fda8fd6e6", "value": "Mongall" }, { "description": "[MoonWind](https://app.tidalcyber.com/software/a699f32f-6596-4060-8fcd-42587a844b80) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [[Palo Alto MoonWind March 2017](https://app.tidalcyber.com/references/4f3d7a08-2cf5-49ed-8bcd-6df180f3d194)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0149", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "type": "similar" } ], "uuid": "a699f32f-6596-4060-8fcd-42587a844b80", "value": "MoonWind" }, { "description": "[More_eggs](https://app.tidalcyber.com/software/69f202e7-4bc9-4f4f-943f-330c053ae977) is a JScript backdoor used by [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c). Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. 
[[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)][[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0284", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "type": "similar" } ], "uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977", "value": "More_eggs" }, { "description": "[Mori](https://app.tidalcyber.com/software/385e1eaf-9ba8-4381-981a-3c7af718a77d) is a backdoor that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least January 2022.[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)][[CYBERCOM Iranian Intel Cyber January 2022](https://app.tidalcyber.com/references/671e1559-c7dc-4cb4-a9a1-21776f2ae56a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1047", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", "type": "similar" } ], "uuid": "385e1eaf-9ba8-4381-981a-3c7af718a77d", "value": "Mori" }, { "description": "[Mosquito](https://app.tidalcyber.com/software/c3939dad-d728-4ddb-804e-cf1e3743a55d) is a Win32 backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2). 
[Mosquito](https://app.tidalcyber.com/software/c3939dad-d728-4ddb-804e-cf1e3743a55d) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [[ESET Turla Mosquito Jan 2018](https://app.tidalcyber.com/references/cd177c2e-ef22-47be-9926-61e25fd5f33b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0256", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", "type": "similar" } ], "uuid": "c3939dad-d728-4ddb-804e-cf1e3743a55d", "value": "Mosquito" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary part of Windows Defender. 
Used to manage settings in Windows Defender\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.4-0\\MpCmdRun.exe\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.7-0\\MpCmdRun.exe\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe\n\nNote: the version-numbered Platform folder changes with every Defender platform update, so the three paths above are examples only; match the binary by file name or with a wildcard for the version segment (e.g. `C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MpCmdRun.exe`) rather than pinning detections to the versions listed.\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)\n* [https://twitter.com/mohammadaskar2/status/1301263551638761477](https://twitter.com/mohammadaskar2/status/1301263551638761477)\n* [https://twitter.com/Oddvarmoe/status/1301444858910052352](https://twitter.com/Oddvarmoe/status/1301444858910052352)\n* [https://twitter.com/NotMedic/status/1301506813242867720](https://twitter.com/NotMedic/status/1301506813242867720)\n\n**Detection:**\n* Sigma: [win_susp_mpcmdrun_download.yml](https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml)\n* Elastic: [command_and_control_remote_file_copy_mpcmdrun.toml](https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml)\n* IOC: MpCmdRun storing data into alternate data streams.\n* IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected.\n* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.\n* IOC: Monitor for the creation of %USERPROFILE%\\AppData\\Local\\Temp\\MpCmdRun.log\n* IOC: User Agent is \"MpCommunication\"[[MpCmdRun.exe - LOLBAS Project](/references/2082d5ca-474f-4130-b275-c1ac5e30064c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], 
"software_attack_id": "S5127", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ec54a1e4-92d4-4503-a510-a18989f1f8f3", "value": "MpCmdRun" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to compile and execute code\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v3.5\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Msbuild.exe\n* C:\\Program Files (x86)\\MSBuild\\14.0\\bin\\MSBuild.exe\n\n**Resources:**\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md)\n* [https://github.com/Cn33liz/MSBuildShell](https://github.com/Cn33liz/MSBuildShell)\n* [https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/](https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191](https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191)\n* [https://github.com/LOLBAS-Project/LOLBAS/issues/165](https://github.com/LOLBAS-Project/LOLBAS/issues/165)\n* 
[https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files](https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files)\n* [https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events](https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events)\n\n**Detection:**\n* Sigma: [file_event_win_shell_write_susp_directory.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml)\n* Sigma: [proc_creation_win_msbuild_susp_parent_process.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml)\n* Sigma: [net_connection_win_silenttrinity_stager_msbuild_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml)\n* Splunk: [suspicious_msbuild_spawn.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml)\n* Splunk: [suspicious_msbuild_rename.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml)\n* Splunk: [msbuild_suspicious_spawned_by_script_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml)\n* Elastic: [defense_evasion_msbuild_beacon_sequence.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml)\n* Elastic: 
[defense_evasion_msbuild_making_network_connections.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_by_script.toml](https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_by_office_app.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_renamed.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Msbuild.exe should not normally be executed on workstations[[LOLBAS Msbuild](/references/de8e0741-255b-4c41-ba50-248ac5acc325)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5128", "source": "Tidal Cyber", "tags": [ "dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1f500e4c-25a1-4570-a3ba-5c9cd463afde", "value": "Msbuild" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License 
v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\msconfig.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/991314564896690177](https://twitter.com/pabraeken/status/991314564896690177)\n\n**Detection:**\n* Sigma: [proc_creation_win_uac_bypass_msconfig_gui.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml)\n* Sigma: [file_event_win_uac_bypass_msconfig_gui.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml)\n* IOC: mscfgtlc.xml changes in system32 folder[[Msconfig.exe - LOLBAS Project](/references/a073d2fc-d20d-4a52-944e-85ff89f04978)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5129", "source": "Tidal Cyber", "tags": [ "7e20fe4e-6883-457d-81f9-b4010e739f89", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "90c6cc43-d9dd-436c-b7ee-ede979765bdf", "value": "Msconfig" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft tool used to deploy Web Applications.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files (x86)\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe\n\n**Resources:**\n* 
[https://twitter.com/pabraeken/status/995837734379032576](https://twitter.com/pabraeken/status/995837734379032576)\n* [https://twitter.com/pabraeken/status/999090532839313408](https://twitter.com/pabraeken/status/999090532839313408)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_msdeploy.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml)[[Msdeploy.exe - LOLBAS Project](/references/e563af9a-5e49-4612-a52b-31f22f76193c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5226", "source": "Tidal Cyber", "tags": [ "11452158-b8d2-4a33-952a-8896f961a2f5", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "175b32ed-bea6-491c-8aac-d088f642a6e1", "value": "Msdeploy" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft diagnostics tool\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Msdt.exe\n* C:\\Windows\\SysWOW64\\Msdt.exe\n\n**Resources:**\n* [https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/](https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/)\n* [https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)\n* 
[https://twitter.com/harr0ey/status/991338229952598016](https://twitter.com/harr0ey/status/991338229952598016)\n* [https://twitter.com/nas_bench/status/1531944240271568896](https://twitter.com/nas_bench/status/1531944240271568896)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_msdt_answer_file.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml)\n* Sigma: [proc_creation_win_msdt_arbitrary_command_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[Msdt.exe - LOLBAS Project](/references/3eb1750c-a2f2-4d68-b060-ceb32f44f5fe)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5130", "source": "Tidal Cyber", "tags": [ "8c30b46b-3651-4ccd-9d91-34fe89bc6843", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "bc39280c-da92-4e78-ab37-7c54ff72a1ba", "value": "Msdt" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Edge browser\n\n**Author:** mr.d0x\n\n**Paths:**\n* c:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe\n* c:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n\n**Resources:**\n* 
[https://twitter.com/mrd0x/status/1478116126005641220](https://twitter.com/mrd0x/status/1478116126005641220)\n* [https://twitter.com/mrd0x/status/1478234484881436672](https://twitter.com/mrd0x/status/1478234484881436672)\n\n**Detection:**\n* Sigma: [proc_creation_win_browsers_msedge_arbitrary_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml)\n* Sigma: [proc_creation_win_browsers_chromium_headless_file_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml)[[Msedge.exe - LOLBAS Project](/references/6169c12e-9753-4e48-8213-aff95b0f6a95)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5131", "source": "Tidal Cyber", "tags": [ "5bd3af6b-cb96-4d96-9576-26521dd76513", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "d64d75ba-1722-4a39-ab7f-d46c5d5815ec", "value": "Msedge" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Edge Browser\n\n**Author:** Mert Daş\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\nNone Provided[[msedge_proxy.exe - LOLBAS Project](/references/a6fd4727-e22f-4157-9a5f-1217cb876b32)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5182", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" 
], "type": [ "tool" ] }, "related": [], "uuid": "e098413e-1d54-4d1f-bf63-1443b57bcc2f", "value": "msedge_proxy" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.\n\n**Author:** Matan Bahar\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\114.0.1823.43\\msedgewebview2.exe (the versioned directory changes with every Edge update, so detections should match on the binary name and parent directory rather than this exact path)\n\n**Resources:**\n* [https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf](https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf)\n\n**Detection:**\n* IOC: msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path[[msedgewebview2.exe - LOLBAS Project](/references/8125ece7-10d1-4e79-8ea1-724fe46a3c97)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5183", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ac6d4ab8-f34c-4b00-a943-cc2749b28a05", "value": "msedgewebview2" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute html applications. 
(.hta)\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\mshta.exe\n* C:\\Windows\\SysWOW64\\mshta.exe\n\n**Resources:**\n* [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4](https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct)\n* [https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n\n**Detection:**\n* Sigma: [proc_creation_win_mshta_susp_pattern.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml)\n* Sigma: [proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml)\n* Sigma: [proc_creation_win_mshta_lethalhta_technique.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml)\n* Sigma: [proc_creation_win_mshta_javascript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Sigma: 
[image_load_susp_script_dotnet_clr_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml)\n* Elastic: [defense_evasion_mshta_beacon.toml](https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml)\n* Elastic: [lateral_movement_dcom_hta.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [suspicious_mshta_activity.yml](https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml)\n* Splunk: [detect_mshta_renamed.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml)\n* Splunk: [suspicious_mshta_spawn.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml)\n* Splunk: [suspicious_mshta_child_process.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml)\n* Splunk: [detect_mshta_url_in_command_line.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml)\n* BlockRule: 
[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: mshta.exe executing raw or obfuscated script within the command-line\n* IOC: General usage of HTA file\n* IOC: mshta.exe network connection to Internet/WWW resource\n* IOC: DotNet CLR libraries loaded into mshta.exe\n* IOC: DotNet CLR Usage Log - mshta.exe.log[[LOLBAS Mshta](/references/915a4aef-800e-4c68-ad39-df67c3dbaf75)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5132", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "fe0e2dd3-962e-41a3-9850-cea146b1301f", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "44f8bd4e-a357-4a76-b031-b7455a305ef0", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "d0f29889-7a9c-44d8-abdc-480b371f7b2b", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": 
"0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "f552a5a4-49dd-4ba6-9916-e631df4d4457", "value": "Mshta" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft HTML Viewer\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\mshtml.dll\n* c:\\windows\\syswow64\\mshtml.dll\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/998567549670477824](https://twitter.com/pabraeken/status/998567549670477824)\n* [https://windows10dll.nirsoft.net/mshtml_dll.html](https://windows10dll.nirsoft.net/mshtml_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Mshtml.dll - LOLBAS Project](/references/1a135e0b-5a79-4a4c-bc70-fd8f3f84e1f0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5192", "source": "Tidal Cyber", "tags": [ "46338353-52ee-4f8d-9f18-f1b32644dd76", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "f94674b9-f924-4452-8516-49657ed40032", "value": "Mshtml" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to 
execute msi files\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\msiexec.exe\n* C:\\Windows\\SysWOW64\\msiexec.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/](https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/)\n* [https://twitter.com/PhilipTsukerman/status/992021361106268161](https://twitter.com/PhilipTsukerman/status/992021361106268161)\n* [https://badoption.eu/blog/2023/10/03/MSIFortune.html](https://badoption.eu/blog/2023/10/03/MSIFortune.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_msiexec_web_install.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml)\n* Sigma: [proc_creation_win_msiexec_masquerading.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* Splunk: [uninstall_app_using_msiexec.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml)\n* IOC: msiexec.exe retrieving files from Internet[[LOLBAS Msiexec](/references/996cc7ea-0729-4c51-b9c3-b201ec32e984)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5133", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "fc2bbc6f-da5c-4afd-ae27-2fadf77c3bc4", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "type": "used-by" }, { "dest-uuid": "5e34409e-2f55-4384-b519-80747d02394c", "type": "used-by" }, { "dest-uuid": 
"b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" } ], "uuid": "9d00d3c4-9a01-403a-9275-c94960fd871f", "value": "Msiexec" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office component\n\n**Author:** Nir Chako\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\MSOHTMED.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_msohtmed_download.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml)\n* IOC: Suspicious Office application internet/network traffic[[MsoHtmEd.exe - LOLBAS Project](/references/c39fdefa-4c54-48a9-8357-ffe4dca2a2f4)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5227", "source": "Tidal Cyber", "tags": [ "874c053b-d6b8-42c2-accc-cd256bb4d350", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "d316ab94-0420-4356-a3bb-f92f42a4247c", "value": "MsoHtmEd" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Publisher\n\n**Author:** Nir Chako\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\MSPUB.exe\n\n**Resources:**\nNone 
Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_mspub_download.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml)\n* IOC: Suspicious Office application internet/network traffic[[Mspub.exe - LOLBAS Project](/references/41eff63a-fef0-4b4b-86f7-0908150fcfcf)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5228", "source": "Tidal Cyber", "tags": [ "a523dcb0-9181-4170-a113-126df84594ca", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "c07f48ee-4667-4dd3-aa8e-cb6d588c547c", "value": "Mspub" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command line utility used to perform XSL transformations.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://twitter.com/subTee/status/877616321747271680](https://twitter.com/subTee/status/877616321747271680)\n* [https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker](https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker)\n* [https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file](https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file)\n\n**Detection:**\n* Sigma: [proc_creation_win_wmic_xsl_script_processing.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml)\n* Elastic: [defense_evasion_msxsl_beacon.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_msxsl_beacon.toml)\n* Elastic: 
[defense_evasion_msxsl_network.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_msxsl_network.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[msxsl.exe - LOLBAS Project](/references/4e1ed0a8-60d0-45e2-9592-573b904811f8)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5229", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" } ], "uuid": "8cccbfed-3f78-45fd-b5d1-efe884d28f09", "value": "msxsl" }, { "description": "[MURKYTOP](https://app.tidalcyber.com/software/768111f9-0948-474b-82a6-cd5455079513) is a reconnaissance tool used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). [[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0233", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", "type": "similar" } ], "uuid": "768111f9-0948-474b-82a6-cd5455079513", "value": "MURKYTOP" }, { "description": "[Mythic](https://app.tidalcyber.com/software/f1398367-a0af-4a89-b240-50cae4985ed9) is an open source, cross-platform post-exploitation/command and control platform. 
[Mythic](https://app.tidalcyber.com/software/f1398367-a0af-4a89-b240-50cae4985ed9) is designed to \"plug-n-play\" with various agents and communication channels.[[Mythic Github](https://app.tidalcyber.com/references/20d0adf0-b832-4b03-995e-dfb56474ddcc)][[Mythic SpecterOps](https://app.tidalcyber.com/references/98d4453e-2e80-422a-ac8c-47f650f46e3c)][[Mythc Documentation](https://app.tidalcyber.com/references/de3091b4-663e-4d9e-9dde-51250749863d)] Deployed [Mythic](https://app.tidalcyber.com/software/f1398367-a0af-4a89-b240-50cae4985ed9) C2 servers have been observed as part of potentially malicious infrastructure.[[RecordedFuture 2021 Ad Infra](https://app.tidalcyber.com/references/d509e6f2-c317-4483-a51e-ad15a78a12c0)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0699", "source": "MITRE", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", "type": "similar" } ], "uuid": "f1398367-a0af-4a89-b240-50cae4985ed9", "value": "Mythic" }, { "description": "[Naid](https://app.tidalcyber.com/software/5cfd6135-c53b-4234-a17e-759494b2101f) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. 
[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Naid June 2012](https://app.tidalcyber.com/references/dc3c16b3-e06b-4b56-b6bd-b98a0b39df3b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0205", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", "type": "similar" } ], "uuid": "5cfd6135-c53b-4234-a17e-759494b2101f", "value": "Naid" }, { "description": "[NanHaiShu](https://app.tidalcyber.com/software/0e28dfc9-8948-4c08-b7d8-9e80e19cc464) is a remote access tool and JScript backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). [NanHaiShu](https://app.tidalcyber.com/software/0e28dfc9-8948-4c08-b7d8-9e80e19cc464) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. [[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)] [[fsecure NanHaiShu July 2016](https://app.tidalcyber.com/references/41984650-a0ac-4445-80b6-7ceaf93bd135)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0228", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", "type": "similar" } ], "uuid": "0e28dfc9-8948-4c08-b7d8-9e80e19cc464", "value": "NanHaiShu" }, { "description": "[NanoCore](https://app.tidalcyber.com/software/db05dbaa-eb3a-4303-b37e-18d67e7e85a1) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. 
It has been used by threat actors since 2013.[[DigiTrust NanoCore Jan 2017](https://app.tidalcyber.com/references/6abac972-bbd0-4cd2-b3a7-25e7825ac134)][[Cofense NanoCore Mar 2018](https://app.tidalcyber.com/references/de31ba54-5634-48c5-aa57-c6b0dbb53870)][[PaloAlto NanoCore Feb 2016](https://app.tidalcyber.com/references/caa0a421-04b0-4ebc-b365-97082d69d33d)][[Unit 42 Gorgon Group Aug 2018](https://app.tidalcyber.com/references/d0605185-3f8d-4846-a718-15572714e15b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0336", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" }, { "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "type": "similar" } ], "uuid": "db05dbaa-eb3a-4303-b37e-18d67e7e85a1", "value": "NanoCore" }, { "description": "[NativeZone](https://app.tidalcyber.com/software/a814fd1d-8c2c-41b3-bb3a-30c4318c74c0) is the name given collectively to disposable custom [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) loaders used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021.[[MSTIC Nobelium Toolset May 2021](https://app.tidalcyber.com/references/52464e69-ff9e-4101-9596-dd0c6404bf76)][[SentinelOne NobleBaron June 2021](https://app.tidalcyber.com/references/98cf2bb0-f36c-45af-8d47-bf26aca3bb09)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0637", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { 
"dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", "type": "similar" } ], "uuid": "a814fd1d-8c2c-41b3-bb3a-30c4318c74c0", "value": "NativeZone" }, { "description": "[NavRAT](https://app.tidalcyber.com/software/b410d30c-4db6-4239-950e-9b0e0521f0d2) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [[Talos NavRAT May 2018](https://app.tidalcyber.com/references/f644ac27-a923-489b-944e-1ba89c609307)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0247", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", "type": "similar" } ], "uuid": "b410d30c-4db6-4239-950e-9b0e0521f0d2", "value": "NavRAT" }, { "description": "[NBTscan](https://app.tidalcyber.com/software/950f13e6-3ae3-411e-a2b2-4ba1afe6cb76) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[[Debian nbtscan Nov 2019](https://app.tidalcyber.com/references/8d718be1-9695-4e61-a922-5162d88477c0)][[SecTools nbtscan June 2003](https://app.tidalcyber.com/references/505c9e8b-66e0-435c-835f-b4405ba91966)][[Symantec Waterbug Jun 2019](https://app.tidalcyber.com/references/ddd5c2c9-7126-4b89-b415-dc651a2ccc0e)][[FireEye APT39 Jan 2019](https://app.tidalcyber.com/references/ba366cfc-cc04-41a5-903b-a7bb73136bc3)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0590", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": 
"15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "similar" } ], "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76", "value": "NBTscan" }, { "description": "[nbtstat](https://app.tidalcyber.com/software/81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e) is a utility used to troubleshoot NetBIOS name resolution. [[TechNet Nbtstat](https://app.tidalcyber.com/references/1b1e6b08-fc2a-48f7-82bd-e3c1a7a0d97e)]", "meta": { "software_attack_id": "S0102", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", "type": "similar" } ], "uuid": "81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e", "value": "nbtstat" }, { "description": "[NDiskMonitor](https://app.tidalcyber.com/software/6d42e6c5-3056-4ff1-8d5d-a736807ec84c) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a). 
[[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0272", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", "type": "similar" } ], "uuid": "6d42e6c5-3056-4ff1-8d5d-a736807ec84c", "value": "NDiskMonitor" }, { "description": "[Nebulae](https://app.tidalcyber.com/software/38510bab-aece-4d7b-b621-7594c2c4fe14) Is a backdoor that has been used by [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) since at least 2020.[[Bitdefender Naikon April 2021](https://app.tidalcyber.com/references/55660913-4c03-4360-bb8b-1cad94bd8d0e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0630", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b", "type": "similar" } ], "uuid": "38510bab-aece-4d7b-b621-7594c2c4fe14", "value": "Nebulae" }, { "description": "[Neoichor](https://app.tidalcyber.com/software/8662e29e-5766-4311-894e-5ca52515ccbe) is C2 malware used by [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) since at least 2019; similar malware families used by the group include Leeson and Numbldea.[[Microsoft NICKEL December 2021](https://app.tidalcyber.com/references/29a46bb3-f514-4554-ad9c-35f9a5ad9870)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0691", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67", "type": "similar" } ], "uuid": "8662e29e-5766-4311-894e-5ca52515ccbe", "value": "Neoichor" }, { 
"description": "[Nerex](https://app.tidalcyber.com/software/de8b18c9-ebab-4126-96a9-282fa8829877) is a Trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Nerex May 2012](https://app.tidalcyber.com/references/1613fd6b-4d62-464b-9cda-6f7d3f0192e1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0210", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", "type": "similar" } ], "uuid": "de8b18c9-ebab-4126-96a9-282fa8829877", "value": "Nerex" }, { "description": "The [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [[Microsoft Net Utility](https://app.tidalcyber.com/references/75998d1c-69c0-40d2-a64b-43ad8efa05da)]\n\n[Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) has a great deal of functionality, [[Savill 1999](https://app.tidalcyber.com/references/e814d4a5-b846-4d68-ac00-7021238d287a)] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) using net use commands, and interacting with services. 
The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0039", "source": "MITRE", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "4e7ae33d-e040-4618-bccf-3b5e4aac81ed", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": 
"used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "similar" } ], "uuid": "c9b8522f-126d-40ff-b44e-1f46098bd8cc", "value": "Net" }, { "description": "[Net Crawler](https://app.tidalcyber.com/software/947c6212-4da8-48dd-9da9-ce4b077dd759) is an intranet worm capable of extracting credentials using 
credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) to execute a copy of [Net Crawler](https://app.tidalcyber.com/software/947c6212-4da8-48dd-9da9-ce4b077dd759). [[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0056", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" }, { "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "type": "similar" } ], "uuid": "947c6212-4da8-48dd-9da9-ce4b077dd759", "value": "Net Crawler" }, { "description": "[NETEAGLE](https://app.tidalcyber.com/software/852c300d-9313-442d-9b49-9883522c3f4b) is a backdoor developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” [[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0034", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" }, { "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "type": "similar" } ], "uuid": "852c300d-9313-442d-9b49-9883522c3f4b", "value": "NETEAGLE" }, { "description": "[netsh](https://app.tidalcyber.com/software/803192b8-747b-4108-ae15-2d7481d39162) is a scripting utility used to interact with networking components on local or remote systems. 
[[TechNet Netsh](https://app.tidalcyber.com/references/58112a3a-06bd-4a46-8a09-4dba5f42a04f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0108", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "064dc489-6b50-4cc1-bb9b-fe722f21aaf1", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "similar" } ], "uuid": "803192b8-747b-4108-ae15-2d7481d39162", "value": "netsh" }, { "description": "[netstat](https://app.tidalcyber.com/software/132fb908-9f13-4bcf-aa64-74cbc72f5491) is an operating system utility that displays active TCP connections, listening ports, and network statistics. 
[[TechNet Netstat](https://app.tidalcyber.com/references/84ac26d8-9c7c-4c8c-bf64-a9fb4578388c)]", "meta": { "software_attack_id": "S0104", "source": "MITRE", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "similar" } ], "uuid": "132fb908-9f13-4bcf-aa64-74cbc72f5491", "value": "netstat" }, { "description": "NetSupport is a legitimate utility that has been long-used for remote management and monitoring (RMM) purposes. 
In recent years, it has been heavily abused by threat actors for maintaining persistent remote access to victim systems.[[The DFIR Report NetSupport October 30 2023](/references/0436db31-42f0-47c1-b9a9-c6bb7c60a1ec)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S5320", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "e1af18e3-3224-4e4c-9d0f-533768474508", "e727eaa6-ef41-4965-b93a-8ad0c51d0236", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" } ], "uuid": "96ecdb59-b047-4557-b2a7-c9712e8c903b", "value": "NetSupport" }, { "description": "[NetTraveler](https://app.tidalcyber.com/software/1b8f9cf9-db8f-437d-800e-5ddd090fe30d) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. 
[[Kaspersky NetTraveler](https://app.tidalcyber.com/references/a7d4b322-3710-436f-bd51-e5c258073dba)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0033", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" }, { "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "type": "similar" } ], "uuid": "1b8f9cf9-db8f-437d-800e-5ddd090fe30d", "value": "NetTraveler" }, { "description": "[Netwalker](https://app.tidalcyber.com/software/5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d) is fileless ransomware written in PowerShell and executed directly in memory.[[TrendMicro Netwalker May 2020](https://app.tidalcyber.com/references/ceda9ef6-e609-4a34-9db1-d2a3ebffb679)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0457", "source": "MITRE", "tags": [ "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "242bc007-5ac5-4d96-8638-699a06d06d24", "e554bd60-5de3-4162-9ed3-66073ae9d6b3", "0e948c57-6c10-4576-ad27-9832cc2af3a1", "3d90eed2-862d-4f61-8c8f-0b8da3e45af0", "2743d495-7728-4a75-9e5f-b64854039792", "4fb4824e-1995-4c65-8c71-e818c0aa1086", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "754effde-613c-4244-a83e-fb659b2a4d06", "type": "similar" } ], "uuid": "5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d", "value": "Netwalker" }, { "description": "[NETWIRE](https://app.tidalcyber.com/software/c7d0e881-80a1-49ea-9c1f-b6e53cf399a8) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)][[McAfee Netwire Mar 2015](https://app.tidalcyber.com/references/b02fbf00-f571-4507-941d-ac1d4a8310b0)][[FireEye APT33 Webinar Sept 
2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0198", "source": "MITRE", "tags": [ "6c6c0125-9631-4c2c-90ab-cfef374d5198" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" }, { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", "type": "similar" } ], "uuid": "c7d0e881-80a1-49ea-9c1f-b6e53cf399a8", "value": "NETWIRE" }, { "description": "Network Scanner (NS.exe) is a utility that can be used to enumerate file shares within a given environment.[[The DFIR Report Dharma Ransomware June 2020](/references/b1002e9a-020d-4224-bf60-0c2a66d511f2)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5278", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865", "e1af18e3-3224-4e4c-9d0f-533768474508" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "56018455-7644-4e59-845a-986f55efcad4", "value": "Network Scanner" }, { "description": "[NGLite](https://app.tidalcyber.com/software/48b161fe-3ae1-5551-9f26-d6f2d6b5afb9) is a backdoor Trojan that is only capable of running commands received through its C2 channel. 
While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[[NGLite Trojan](https://app.tidalcyber.com/references/7cdd99d2-bbb2-5c81-ad09-92b581f33ffe)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1106", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", "type": "similar" } ], "uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9", "value": "NGLite" }, { "description": "[ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://app.tidalcyber.com/software/316ecd9d-ac0b-58c7-8083-5d9214c770f6) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[[Zdnet Ngrok September 2018](https://app.tidalcyber.com/references/3edb88be-2ca6-4925-ba2e-a5a4ac5f9ab0)][[FireEye Maze May 2020](https://app.tidalcyber.com/references/02338a66-6820-4505-8239-a1f1fcc60d32)][[Cyware Ngrok May 2019](https://app.tidalcyber.com/references/583a01b6-cb4e-41e7-aade-ac2fd19bda4e)][[MalwareBytes LazyScripter Feb 2021](https://app.tidalcyber.com/references/078837a7-82cd-4e26-9135-43b612e911fe)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0508", "source": "MITRE", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "d75c1a80-0cb8-4a64-8379-10514cd44b1e", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", 
"2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "07bdadce-905e-4337-898a-13e88cfb5a61", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", "type": "similar" } ], "uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6", "value": "ngrok" }, { "description": "NICECURL is a custom backdoor developed and used by Iranian espionage group APT42. 
It is usually delivered via phishing attacks and serves as a post-compromise command execution and malware ingress capability.[[Mandiant Uncharmed May 1 2024](/references/84c0313a-bea1-44a7-9396-8e12437852d1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5333", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b", "type": "used-by" } ], "uuid": "9d3fd630-1ba8-4d14-907f-f3bdc5a13fa3", "value": "NICECURL" }, { "description": "[Nidiran](https://app.tidalcyber.com/software/3ae9acd7-39f8-45c6-b557-c7d9a40eed2c) is a custom backdoor developed and used by [Suckfly](https://app.tidalcyber.com/groups/06549082-ff70-43bf-985e-88c695c7113c). It has been delivered via strategic web compromise. [[Symantec Suckfly March 2016](https://app.tidalcyber.com/references/8711c175-e405-4cb0-8c86-8aaa471e5573)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0118", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "06549082-ff70-43bf-985e-88c695c7113c", "type": "used-by" }, { "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "type": "similar" } ], "uuid": "3ae9acd7-39f8-45c6-b557-c7d9a40eed2c", "value": "Nidiran" }, { "description": "[NightClub](https://app.tidalcyber.com/software/b1963876-dbdc-5beb-ace3-acb6d7705543) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) since at least 2014.[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1090", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" }, { "dest-uuid": 
"91c57ed3-7c32-4c68-b388-7db00cb8dac6", "type": "similar" } ], "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543", "value": "NightClub" }, { "description": "[Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) is a malware developed in C++ that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) to penetrate networks and control remote systems since at least 2020. [Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) and allows multiple operators to work simultaneously on the same machine. [Ninja](https://app.tidalcyber.com/software/2dd26ff0-22d6-591b-9054-78e84fa3e05c) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9).[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1100", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", "type": "similar" } ], "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c", "value": "Ninja" }, { "description": "NirSoft is a self-described \"freeware\" utility that can be used to recover passwords.[[NirSoft Website](/references/024e4e25-aab7-4231-bb4b-5e399d02d7b2)] According to U.S. 
cybersecurity authorities, ransomware actors such as those associated with the Royal ransomware operation have used the NirSoft utility to harvest passwords for malicious purposes.[[#StopRansomware: Royal Ransomware | CISA](/references/dd094572-da2e-4e54-9e54-b243dd4fcd2b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5271", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "efa5fff4-f6db-4719-91c7-97dbe93099a8", "value": "NirSoft" }, { "description": "[njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) is a remote access tool (RAT) that was first observed in 2012. 
It has been used by threat actors in the Middle East.[[Fidelis njRAT June 2013](https://app.tidalcyber.com/references/6c985470-a923-48fd-82c9-9128b6d59bcb)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0385", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" }, { "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "similar" } ], "uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f", "value": "njRAT" }, { "description": "[NKAbuse](https://app.tidalcyber.com/software/e26988e0-e755-54a4-8234-e8f961266d82) is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.[[NKAbuse BC](https://app.tidalcyber.com/references/7c0fea50-a125-57eb-9a86-dd0d6693abce)][[NKAbuse SL](https://app.tidalcyber.com/references/96e199f8-1d33-574f-a507-05303db728e1)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S1107", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "bd2ebee8-7c38-408a-871d-221012104222", "type": "similar" } ], "uuid": "e26988e0-e755-54a4-8234-e8f961266d82", "value": "NKAbuse" }, { "description": "[Nltest](https://app.tidalcyber.com/software/fbb1546a-f288-4e43-9e5c-14c94423c4f6) is a Windows command-line utility used to list domain 
controllers and enumerate domain trusts.[[Nltest Manual](https://app.tidalcyber.com/references/4bb113a8-7e2c-4656-86f4-c30b08705ffa)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0359", "source": "MITRE", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "24f6ba0e-9230-4410-a9fb-b0f3b55de326", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", "type": "similar" } ], "uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6", "value": "Nltest" }, { "description": "According to its project website, \"Nmap (\"Network Mapper\") is a free and open source utility for network discovery and security auditing\".[[Nmap: the Network Mapper](/references/65f1bbaa-8ad1-4ad5-b726-660558d27efc)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5051", "source": "Tidal Cyber", "tags": [ "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", "6070668f-1cbd-4878-8066-c636d1d8659c", 
"d8f7e071-fbfd-46f8-b431-e241bb1513ac", "758c3085-2f79-40a8-ab95-f8a684737927", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "35e694ec-5133-46e3-b7e1-5831867c3b55", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "6ff40d11-214a-434b-b137-993e4ff5e34e", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" } ], "uuid": "042e61cf-a8e1-42ec-8974-a3b2e2037c08", "value": "Nmap" }, { "description": "[NOKKI](https://app.tidalcyber.com/software/31aa0433-fb6b-4290-8af5-a0d0c6c18548) is a modular remote access tool. The earliest observed attack using [NOKKI](https://app.tidalcyber.com/software/31aa0433-fb6b-4290-8af5-a0d0c6c18548) was in January 2018. [NOKKI](https://app.tidalcyber.com/software/31aa0433-fb6b-4290-8af5-a0d0c6c18548) has significant code overlap with the [KONNI](https://app.tidalcyber.com/software/d381de2a-30cb-4d50-bbce-fd1e489c4889) malware family. 
There is some evidence potentially linking [NOKKI](https://app.tidalcyber.com/software/31aa0433-fb6b-4290-8af5-a0d0c6c18548) to [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66).[[Unit 42 NOKKI Sept 2018](https://app.tidalcyber.com/references/f3d3b9bc-4c59-4a1f-b602-e3e884661708)][[Unit 42 Nokki Oct 2018](https://app.tidalcyber.com/references/4eea6638-a71b-4d74-acc4-0fac82ef72f6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0353", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "type": "similar" } ], "uuid": "31aa0433-fb6b-4290-8af5-a0d0c6c18548", "value": "NOKKI" }, { "description": "[NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) is malware that was used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) may be more appropriately thought of as a form of wiper malware. 
[NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)][[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)][[ESET Telebots June 2017](https://app.tidalcyber.com/references/eb5c2951-b149-4e40-bc5f-b2630213eb8b)][[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0368", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "09de661e-60c4-43fb-bfef-df017215d1d8", "5a463cb3-451d-47f7-93e4-1886150697ce", "c2380542-36f2-4922-9ed2-80ced06645c9", "7e7b0c67-bb85-4996-a289-da0e792d7172", "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", "type": "similar" } ], "uuid": "2538e0fe-1290-4ae1-aef9-e55d83c9eb23", "value": "NotPetya" }, { "description": "According to its project website, \"Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows\".[[Npcap: Windows Packet Capture Library & Driver](/references/c8dc5650-eb37-4bb6-b5b7-e6269c79785c)] Nmap is a utility used for network discovery and security auditing.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5052", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [], "uuid": "d1817595-9186-4749-aeab-26c774c1885d", "value": "Npcap" }, { "description": "Ntdsutil is a Windows command-line tool \"that provides management facilities for Active 
Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).\"[[Ntdsutil Microsoft](/references/34de2f08-0481-4894-80ef-86506d821cf0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5018", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "1da5eb1e-7ac5-4284-99cb-ce227cad8983", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" } ], "uuid": "9af571bb-f3c7-434b-8187-3e4ceb0ec6fc", "value": "Ntdsutil" }, { "description": "[ObliqueRAT](https://app.tidalcyber.com/software/97e8148c-e146-444c-9de5-6e2fdbda2f9f) is a remote access trojan, similar to [Crimson](https://app.tidalcyber.com/software/3b3f296f-20a6-459a-98c5-62ebdee3701f), that has been in use by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) since at least 2020.[[Talos Oblique RAT March 2021](https://app.tidalcyber.com/references/20e13efb-4ca1-43b2-83a6-c852e03333d7)][[Talos Transparent Tribe May 2021](https://app.tidalcyber.com/references/5d58c285-bc7d-4a8a-a96a-ac7118c1089d)]", "meta": { "platforms": [ 
"Windows" ], "software_attack_id": "S0644", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" }, { "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", "type": "similar" } ], "uuid": "97e8148c-e146-444c-9de5-6e2fdbda2f9f", "value": "ObliqueRAT" }, { "description": "[OceanSalt](https://app.tidalcyber.com/software/f1723994-058b-4525-8e11-2f0c80d8f3a4) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://app.tidalcyber.com/software/f1723994-058b-4525-8e11-2f0c80d8f3a4) shares code similarity with [SpyNote RAT](https://app.tidalcyber.com/software/), which has been linked to [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f).[[McAfee Oceansalt Oct 2018](https://app.tidalcyber.com/references/04b475ab-c7f6-4373-a4b0-04b5d8028f95)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0346", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", "type": "similar" } ], "uuid": "f1723994-058b-4525-8e11-2f0c80d8f3a4", "value": "OceanSalt" }, { "description": "[Octopus](https://app.tidalcyber.com/software/8f04e609-8773-4529-b247-d32f530cc453) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://app.tidalcyber.com/groups/5f8c6ee0-f302-403b-b712-f1e3df064c0c) to target government organizations in Central Asia since at least 2014.[[Securelist Octopus Oct 2018](https://app.tidalcyber.com/references/77407057-53f1-4fde-bc74-00f73d417f7d)][[Security Affairs DustSquad Oct 2018](https://app.tidalcyber.com/references/0e6b019c-cf8e-40a7-9e7c-6a7dc5309dc6)][[ESET Nomadic Octopus 2018](https://app.tidalcyber.com/references/50dcb3f0-1461-453a-aab9-38c2e259173f)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0340", "source": 
"MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c", "type": "used-by" }, { "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", "type": "similar" } ], "uuid": "8f04e609-8773-4529-b247-d32f530cc453", "value": "Octopus" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used in Windows for managing ODBC connections\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\odbcconf.exe\n* C:\\Windows\\SysWOW64\\odbcconf.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b](https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b)\n* [https://github.com/woanware/application-restriction-bypasses](https://github.com/woanware/application-restriction-bypasses)\n* [https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/](https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/)\n\n**Detection:**\n* Sigma: [proc_creation_win_odbcconf_response_file.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml)\n* Sigma: [proc_creation_win_odbcconf_response_file_susp.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: 
[defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5134", "source": "Tidal Cyber", "tags": [ "64825d12-3cd6-4446-a93c-ff7d8ec13dc8", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" } ], "uuid": "5e434819-7f4a-440c-a9bd-7675c0218be1", "value": "Odbcconf" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Defender Offline Shell\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Program Files\\Windows Defender\\Offline\\OfflineScannerShell.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbas_offlinescannershell.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml)\n* IOC: OfflineScannerShell.exe should not be run on a normal workstation[[OfflineScannerShell.exe - LOLBAS Project](/references/8194442f-4f86-438e-bd0c-f4cbda0264b8)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5135", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "8bc7c62a-110d-451b-9ca6-bc48a13e72d4", "value": "OfflineScannerShell" }, { "description": 
"[Okrum](https://app.tidalcyber.com/software/f9bcf0a1-f287-44ec-8f53-6859d41e041c) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8).[[ESET Okrum July 2019](https://app.tidalcyber.com/references/197163a8-1a38-4edd-ba73-f44e7a329f41)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0439", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", "type": "similar" } ], "uuid": "f9bcf0a1-f287-44ec-8f53-6859d41e041c", "value": "Okrum" }, { "description": "[OLDBAIT](https://app.tidalcyber.com/software/479814e2-2656-4ea2-9e79-fcdb818f703e) is a credential harvester used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). [[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0138", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "type": "similar" } ], "uuid": "479814e2-2656-4ea2-9e79-fcdb818f703e", "value": "OLDBAIT" }, { "description": "[Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) is malware that was used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. 
The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)][[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0365", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", "type": "similar" } ], "uuid": "073b5288-11d6-4db0-9f2c-a1816847d15c", "value": "Olympic Destroyer" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** OneDrive Standalone Updater\n\n**Author:** Elliot Killick\n\n**Paths:**\n* %localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe\n\n**Resources:**\n* [https://github.com/LOLBAS-Project/LOLBAS/pull/153](https://github.com/LOLBAS-Project/LOLBAS/pull/153)\n\n**Detection:**\n* IOC: HKCU\\Software\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL\n* IOC: Reports of downloading from suspicious URLs in %localappdata%\\OneDrive\\setup\\logs\\StandaloneUpdate_*.log files\n* Sigma: 
[registry_set_lolbin_onedrivestandaloneupdater.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml)[[OneDriveStandaloneUpdater.exe - LOLBAS Project](/references/3d7dcd68-a7b2-438c-95bb-b7523a39c6f7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5136", "source": "Tidal Cyber", "tags": [ "b6116080-8fbf-4e9f-9206-20b025f2cf23", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "49ef42bc-0958-4b61-9593-a4af69432410", "value": "OneDriveStandaloneUpdater" }, { "description": "[OnionDuke](https://app.tidalcyber.com/software/6056bf36-fb45-498d-a285-5f98ae08b090) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2013 to 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0052", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "type": "similar" } ], "uuid": "6056bf36-fb45-498d-a285-5f98ae08b090", "value": "OnionDuke" }, { "description": "[OopsIE](https://app.tidalcyber.com/software/4f1894d4-d085-4348-af50-dfda257a9e18) is a Trojan used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) to remotely execute commands as well as upload/download files to/from victims. [[Unit 42 OopsIE! 
Feb 2018](https://app.tidalcyber.com/references/d4c2bac0-e95c-46af-ae52-c93de3d92f19)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0264", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "type": "similar" } ], "uuid": "4f1894d4-d085-4348-af50-dfda257a9e18", "value": "OopsIE" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Console Window host for Windows Terminal\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os64\\OpenConsole.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os86\\OpenConsole.exe\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os64\\OpenConsole.exe\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1537563834478645252](https://twitter.com/nas_bench/status/1537563834478645252)\n\n**Detection:**\n* IOC: OpenConsole.exe spawning unexpected processes\n* Sigma: [proc_creation_win_lolbin_openconsole.yml](https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml)[[OpenConsole.exe - LOLBAS Project](/references/e597522a-68ac-4d7e-80c4-db1c66d2da04)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5230", "source": "Tidal Cyber", 
"tags": [ "1dd2d703-fed1-41d2-9843-7b276ef3d6f2", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "54030309-671d-4e4b-b9c0-619cd07f5e05", "value": "OpenConsole" }, { "description": "OpenSSH is a publicly available tool for traffic encryption and remote login using the Secure Shell (\"SSH\") protocol. According to its project website, it also \"provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options\".[[OpenSSH Project Page](/references/e5ca6811-cd22-4be5-a751-d23fb99d206e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5273", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "2feda37d-5579-4102-a073-aa02e82cb49f", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" } ], "uuid": "5edec691-d2f1-4928-a12d-1ff59ba959a6", "value": "OpenSSH" }, { "description": "[Orz](https://app.tidalcyber.com/software/45a52a29-00c0-458a-b705-1040e06a43f2) is a custom JavaScript backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. 
[[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)] [[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0229", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", "type": "similar" } ], "uuid": "45a52a29-00c0-458a-b705-1040e06a43f2", "value": "Orz" }, { "description": "[OSInfo](https://app.tidalcyber.com/software/fa1e13b8-2fb7-42e8-b630-25f0edfbca65) is a custom tool used by [APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) to do internal discovery on a victim's computer and network. [[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0165", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "type": "similar" } ], "uuid": "fa1e13b8-2fb7-42e8-b630-25f0edfbca65", "value": "OSInfo" }, { "description": "[OSX_OCEANLOTUS.D](https://app.tidalcyber.com/software/a45904b5-0ada-4567-be4c-947146c7f574) is a macOS backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). First discovered in 2015, [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. 
[OSX_OCEANLOTUS.D](https://app.tidalcyber.com/software/a45904b5-0ada-4567-be4c-947146c7f574) can also determine its permission level and execute according to access type (`root` or `user`).[[Unit42 OceanLotus 2017](https://app.tidalcyber.com/references/fcaf57f1-6696-54a5-a78c-255c8f6ac235)][[TrendMicro MacOS April 2018](https://app.tidalcyber.com/references/e18ad1a7-1e7e-4aca-be9b-9ee12b41c147)][[Trend Micro MacOS Backdoor November 2020](https://app.tidalcyber.com/references/43726cb8-a169-4594-9323-fad65b9bae97)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0352", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", "type": "similar" } ], "uuid": "a45904b5-0ada-4567-be4c-947146c7f574", "value": "OSX_OCEANLOTUS.D" }, { "description": "[OSX/Shlayer](https://app.tidalcyber.com/software/4d91d625-21d8-484a-b63f-0a3daa4ed434) is a Trojan designed to install adware on macOS that was first discovered in 2018.[[Carbon Black Shlayer Feb 2019](https://app.tidalcyber.com/references/d8212691-4a6e-49bf-bc33-740850a1189a)][[Intego Shlayer Feb 2018](https://app.tidalcyber.com/references/46eb883c-e203-4cd9-8f1c-c6ea12bc2742)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0402", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7", "type": "similar" } ], "uuid": "4d91d625-21d8-484a-b63f-0a3daa4ed434", "value": "OSX/Shlayer" }, { "description": "[Out1](https://app.tidalcyber.com/software/273b1e8d-a23d-4c22-8493-80f3d6639352) is a remote access tool written in Python and used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least 2021.[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]", "meta": { 
"platforms": [ "Windows" ], "software_attack_id": "S0594", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d", "type": "similar" } ], "uuid": "273b1e8d-a23d-4c22-8493-80f3d6639352", "value": "Out1" }, { "description": "[OutSteel](https://app.tidalcyber.com/software/042fe42b-f60e-45e1-b47d-a913e0677976) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) since at least March 2021.[[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1017", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" }, { "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", "type": "similar" } ], "uuid": "042fe42b-f60e-45e1-b47d-a913e0677976", "value": "OutSteel" }, { "description": "[OwaAuth](https://app.tidalcyber.com/software/6d8a8510-e6f1-49a7-b3a5-bd4664937147) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5). 
[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0072", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "type": "similar" } ], "uuid": "6d8a8510-e6f1-49a7-b3a5-bd4664937147", "value": "OwaAuth" }, { "description": "[P2P ZeuS](https://app.tidalcyber.com/software/916f8a7c-e487-4446-b6ee-c8da712a9569) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. [[Dell P2P ZeuS](https://app.tidalcyber.com/references/773d1d91-a93c-4bb3-928b-4c3f82f2c889)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0016", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", "type": "similar" } ], "uuid": "916f8a7c-e487-4446-b6ee-c8da712a9569", "value": "P2P ZeuS" }, { "description": "[P8RAT](https://app.tidalcyber.com/software/1933ad3d-3085-4b1b-82b9-ac51b440e2bf) is a fileless malware used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to download and execute payloads since at least 2020.[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0626", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", "type": "similar" } ], "uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf", "value": "P8RAT" }, { "description": "[PACEMAKER](https://app.tidalcyber.com/software/13856c51-d81c-5d75-bb6a-0bbdcc857cdd) is a credential stealer that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including activity against US 
Defense Industrial Base (DIB) companies.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", "meta": { "platforms": [ "Network", "Linux" ], "software_attack_id": "S1109", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", "type": "similar" } ], "uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd", "value": "PACEMAKER" }, { "description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[[GitHub Pacu](https://app.tidalcyber.com/references/bda43b1b-ea8d-4371-9984-6d8a7cc24965)]", "meta": { "platforms": [ "IaaS" ], "software_attack_id": "S1091", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "e81ba503-60b0-4b64-8f20-ef93e7783796", "a2e000da-8181-4327-bacd-32013dbd3654", "2e5f6e4a-4579-46f7-9997-6923180815dd", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" }, { "dest-uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9", "type": "similar" } ], "uuid": "e90eb529-1665-5fd7-a44e-695715e4081b", "value": "Pacu" }, { "description": "[Pandora](https://app.tidalcyber.com/software/320b0784-4f0f-46ea-99e9-c34bfcca1c2e) is a multistage kernel rootkit with backdoor functionality that has been in use by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2020.[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0664", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": 
"8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", "type": "similar" } ], "uuid": "320b0784-4f0f-46ea-99e9-c34bfcca1c2e", "value": "Pandora" }, { "description": "[Pasam](https://app.tidalcyber.com/software/3f018e73-d09b-4c8d-815b-8b2c8faf7055) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Pasam May 2012](https://app.tidalcyber.com/references/c8135017-43c5-4bde-946e-141684c29b7a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0208", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", "type": "similar" } ], "uuid": "3f018e73-d09b-4c8d-815b-8b2c8faf7055", "value": "Pasam" }, { "description": "[Pass-The-Hash Toolkit](https://app.tidalcyber.com/software/8d007d52-8898-494c-8d72-354abd93da1e) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "software_attack_id": "S0122", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", "type": "similar" } ], "uuid": "8d007d52-8898-494c-8d72-354abd93da1e", "value": "Pass-The-Hash Toolkit" }, { "description": "PasswordFox is a tool used to recover passwords from Firefox web browser.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5037", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "e12e1de8-a0d9-4602-8264-5952106bd53c", "value": "PasswordFox" }, { "description": "[P.A.S. Webshell](https://app.tidalcyber.com/software/4d79530c-2fd9-4438-a8da-74f42119695a) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[[ANSSI Sandworm January 2021](https://app.tidalcyber.com/references/5e619fef-180a-46d4-8bf5-998860b5ad7e)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0598", "source": "MITRE", "tags": [ "311abf64-a9cc-4c6a-b778-32c5df5658be" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", "type": "similar" } ], "uuid": "4d79530c-2fd9-4438-a8da-74f42119695a", "value": "P.A.S. Webshell" }, { "description": "[Pay2Key](https://app.tidalcyber.com/software/9aa21e50-726e-4002-8b7b-75697a03eb2b) is a ransomware written in C++ that has been used by [Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) since at least July 2020 including campaigns against Israeli companies. 
[Pay2Key](https://app.tidalcyber.com/software/9aa21e50-726e-4002-8b7b-75697a03eb2b) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)][[Check Point Pay2Key November 2020](https://app.tidalcyber.com/references/e4ea263d-f70e-4f9c-92a1-cb0e565a5ae9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0556", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", "type": "similar" } ], "uuid": "9aa21e50-726e-4002-8b7b-75697a03eb2b", "value": "Pay2Key" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Program Compatibility Assistant\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\pcalua.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/912659279806640128](https://twitter.com/KyleHanslovan/status/912659279806640128)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pcalua.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml)[[Pcalua.exe - LOLBAS Project](/references/958064d4-7f9f-46a9-b475-93d6587ed770)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5137", "source": "Tidal Cyber", "tags": [ "074533ec-e14a-4dc3-98ae-c029904e3d6d", "303a3675-4855-4323-b042-95bb1d907cca", 
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "00daafc4-8bf1-4447-b24f-1580263124f5", "value": "Pcalua" }, { "description": "[Pcexter](https://app.tidalcyber.com/software/873ede85-548b-5fc0-a29e-80bd5afc5bf4) is an uploader that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) since at least 2023 to exfiltrate stolen files.[[Kaspersky ToddyCat Check Logs October 2023](https://app.tidalcyber.com/references/dbdaf320-eada-5bbb-95ab-aaa987ed7960)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1102", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", "type": "similar" } ], "uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4", "value": "Pcexter" }, { "description": "PCHunter is a tool used to enable advanced task management, including for system processes and kernels.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5038", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "591acc39-1218-4710-aadc-150ae6475ee3", "value": "PCHunter" }, { "description": "[PcShare](https://app.tidalcyber.com/software/71eb2211-39aa-4b89-bd51-9dcabd363149) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[[Bitdefender FunnyDream Campaign November 2020](https://app.tidalcyber.com/references/b62a9f2c-02ca-4dfa-95fc-5dc6ad9568de)][[GitHub PcShare 2014](https://app.tidalcyber.com/references/f113559f-a6da-43bc-bc64-9ff7155b82bc)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1050", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7", "type": "similar" } ], "uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149", "value": "PcShare" 
}, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Program Compatibility Wizard\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\pcwrun.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/991335019833708544](https://twitter.com/pabraeken/status/991335019833708544)\n* [https://twitter.com/nas_bench/status/1535663791362519040](https://twitter.com/nas_bench/status/1535663791362519040)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pcwrun_follina.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml)[[Pcwrun.exe - LOLBAS Project](/references/b5946ca4-1f1b-4cba-af2f-0b99d6fff8b0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5138", "source": "Tidal Cyber", "tags": [ "62496b72-7820-4512-b3f9-188464bb8161", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7babb537-ec29-425a-9108-43d1619e02b5", "value": "Pcwrun" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft HTML Viewer\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\pcwutl.dll\n* c:\\windows\\syswow64\\pcwutl.dll\n\n**Resources:**\n* [https://twitter.com/harr0ey/status/989617817849876488](https://twitter.com/harr0ey/status/989617817849876488)\n* 
[https://windows10dll.nirsoft.net/pcwutl_dll.html](https://windows10dll.nirsoft.net/pcwutl_dll.html)\n\n**Detection:**\n* Analysis: [https://redcanary.com/threat-detection-report/techniques/rundll32/](https://redcanary.com/threat-detection-report/techniques/rundll32/)\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Pcwutl.dll - LOLBAS Project](/references/1050758d-20da-4c4a-83d3-40aeff3db9ca)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5193", "source": "Tidal Cyber", "tags": [ "ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "47ba2c2c-b4f3-48dc-878f-b8cab6d97f65", "value": "Pcwutl" }, { "description": "[Peirates](https://app.tidalcyber.com/software/52a19c73-2454-4893-8f84-8d05c37a9472) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. 
The tool is written in GoLang and publicly available on GitHub.[[Peirates GitHub](https://app.tidalcyber.com/references/a75cde8b-76e4-4dc3-b1d5-cf08479905e7)]", "meta": { "platforms": [ "Containers" ], "software_attack_id": "S0683", "source": "MITRE", "tags": [ "2e5f6e4a-4579-46f7-9997-6923180815dd", "4fa6f8e1-b0d5-4169-8038-33e355c08bde", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" }, { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" }, { "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221", "type": "similar" } ], "uuid": "52a19c73-2454-4893-8f84-8d05c37a9472", "value": "Peirates" }, { "description": "[Penquin](https://app.tidalcyber.com/software/951fad62-f636-4c01-b924-bb0ce87f5b20) is a remote access trojan (RAT) with multiple versions used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target Linux systems since at least 2014.[[Kaspersky Turla Penquin December 2014](https://app.tidalcyber.com/references/957edb5c-b893-4968-9603-1a6b8577f3aa)][[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0587", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", "type": "similar" } ], "uuid": "951fad62-f636-4c01-b924-bb0ce87f5b20", "value": "Penquin" }, { "description": "[Peppy](https://app.tidalcyber.com/software/1f080577-c002-4b49-a342-fa70983c1d58) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://app.tidalcyber.com/software/3b3f296f-20a6-459a-98c5-62ebdee3701f).[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)]", 
"meta": { "platforms": [ "Windows" ], "software_attack_id": "S0643", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" }, { "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", "type": "similar" } ], "uuid": "1f080577-c002-4b49-a342-fa70983c1d58", "value": "Peppy" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used as part of the Powershell pester\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\bin\\Pester.bat\n* c:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*\\bin\\Pester.bat\n\n**Resources:**\n* [https://twitter.com/Oddvarmoe/status/993383596244258816](https://twitter.com/Oddvarmoe/status/993383596244258816)\n* [https://twitter.com/_st0pp3r_/status/1560072680887525378](https://twitter.com/_st0pp3r_/status/1560072680887525378)\n* [https://twitter.com/_st0pp3r_/status/1560072680887525378](https://twitter.com/_st0pp3r_/status/1560072680887525378)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pester_1.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml)[[Pester.bat - LOLBAS Project](/references/93f281f6-6fcc-474a-b222-b303ea417a18)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5264", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "5028ed72-8e6b-48bd-b4f4-e42df926893d", "value": "Pester" }, { "description": "This object represents a collection of MITRE ATT&CK® Techniques associated with 
Phobos ransomware binaries, as highlighted in sources such as joint Cybersecurity Advisory AA24-060A.[[U.S. CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5279", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "d7015696-0aa1-4c13-a0e6-b9d8e027dabf", "value": "Phobos Ransomware" }, { "description": "PhonyC2 is a command and control framework attributed to the MuddyWater group. Researchers believe the tool has existed since at least 2021 and has been regularly updated since that time. PhonyC2 is believed to have been used in a 2023 attack on an institute of technology in Israel, as well as in a MuddyWater campaign beginning in May 2023 that featured exploitation of a vulnerability in PaperCut print management software (CVE-2023-27350).[[Deep Instinct PhonyC2 June 2023](/references/fd42ac0b-eae5-41bb-b56c-cb1c6d19857b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5307", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "992bdd33-4a47-495d-883a-58010a2f0efb", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" } ], "uuid": "c6fc073b-fa8a-4fff-a066-3fd788d3ac85", "value": "PhonyC2" }, { "description": "[PHOREAL](https://app.tidalcyber.com/software/fd63cec1-9f72-4ed0-9926-2dbbb3d9cead) is a signature backdoor used by 
[APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). [[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0158", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "type": "similar" } ], "uuid": "fd63cec1-9f72-4ed0-9926-2dbbb3d9cead", "value": "PHOREAL" }, { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. 
Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5265", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" } ], "uuid": "d2a226a2-ffa1-4bb0-a090-96dc42f9c84c", "value": "Pikabot" }, { "description": "[Pillowmint](https://app.tidalcyber.com/software/db5d718b-1344-4aa2-8e6a-54e68d8adfb1) is a point-of-sale malware used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) designed to capture credit card information.[[Trustwave Pillowmint June 2020](https://app.tidalcyber.com/references/31bf381d-a0fc-4a4f-8d39-832480891685)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0517", "source": "MITRE", "tags": [ "6c6c0125-9631-4c2c-90ab-cfef374d5198" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "type": "similar" } ], "uuid": "db5d718b-1344-4aa2-8e6a-54e68d8adfb1", "value": "Pillowmint" }, { "description": "[PinchDuke](https://app.tidalcyber.com/software/ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2008 to 2010. 
[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0048", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "type": "similar" } ], "uuid": "ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4", "value": "PinchDuke" }, { "description": "[Ping](https://app.tidalcyber.com/software/4ea12106-c0a1-4546-bb64-a1675d9f5dc7) is an operating system utility commonly used to troubleshoot and verify network connections. [[TechNet Ping](https://app.tidalcyber.com/references/5afc8ad5-f50d-464f-ba84-e347b3f3e994)]", "meta": { "software_attack_id": "S0097", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" }, { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": 
"used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "similar" } ], "uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7", "value": "Ping" }, { "description": "PingCastle is a tool that can be used to enumerate Active Directory and map trust relationships. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5003", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "1debf242-3c91-4bdb-932c-27d61fe17474", "value": "PingCastle" }, { "description": "[PingPull](https://app.tidalcyber.com/software/4360cc62-7263-48b2-bd2a-a7737563545c) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) since at least June 2022. 
[PingPull](https://app.tidalcyber.com/software/4360cc62-7263-48b2-bd2a-a7737563545c) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1031", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", "type": "similar" } ], "uuid": "4360cc62-7263-48b2-bd2a-a7737563545c", "value": "PingPull" }, { "description": "[PipeMon](https://app.tidalcyber.com/software/92744f7b-9f1a-472c-bae0-2d4a7ce68bb4) is a multi-stage modular backdoor used by [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).[[ESET PipeMon May 2020](https://app.tidalcyber.com/references/cbc09411-be18-4241-be69-b718a741ed8c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0501", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" }, { "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20", "type": "similar" } ], "uuid": "92744f7b-9f1a-472c-bae0-2d4a7ce68bb4", "value": "PipeMon" }, { "description": "[Pisloader](https://app.tidalcyber.com/software/14e65c5d-5164-41a3-92de-67fdd1d529d2) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://app.tidalcyber.com/groups/a0c31021-b281-4c41-9855-436768299fe7) and is similar to another malware family, [HTTPBrowser](https://app.tidalcyber.com/software/c4fe23f7-f18c-40f6-b431-0b104b497eaa), that has been used by the group. 
[[Palo Alto DNS Requests](https://app.tidalcyber.com/references/4a946c3f-ee0a-4649-8104-2bd9d90ebd49)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0124", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" }, { "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "type": "similar" } ], "uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2", "value": "Pisloader" }, { "description": "[PITSTOP](https://app.tidalcyber.com/software/c0e56f14-9768-5547-abcb-aa3f220d0e40) is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to enable command execution and file read/write.[[Mandiant Cutting Edge Part 3 February 2024](https://app.tidalcyber.com/references/49e5b125-5503-5cb0-9a56-a93f82b55753)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1123", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", "type": "similar" } ], "uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40", "value": "PITSTOP" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Capture Network Packets on the windows 10 with October 2018 Update or later.\n\n**Author:** Derek Johnson\n\n**Paths:**\n* c:\\windows\\system32\\pktmon.exe\n* c:\\windows\\syswow64\\pktmon.exe\n\n**Resources:**\n* [https://binar-x79.com/windows-10-secret-sniffer/](https://binar-x79.com/windows-10-secret-sniffer/)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_pktmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml)\n* IOC: .etl files found on system[[Pktmon.exe - LOLBAS Project](/references/8f0ad4ed-869b-4332-b091-7551262cff29)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5139", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "0b0ae21a-987c-44c5-93db-3b228544eb99", "value": "Pktmon" }, { "description": "[PLAINTEE](https://app.tidalcyber.com/software/9445f18a-a796-447a-a35f-94a9fb72411c) is a malware sample that has been used by [Rancor](https://app.tidalcyber.com/groups/021b3c71-6467-4e46-a413-8b726f066f2c) in targeted attacks in Singapore and Cambodia. [[Rancor Unit42 June 2018](https://app.tidalcyber.com/references/45098a85-a61f-491a-a549-f62b02dc2ecd)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0254", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" }, { "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "type": "similar" } ], "uuid": "9445f18a-a796-447a-a35f-94a9fb72411c", "value": "PLAINTEE" }, { "description": "Play is a ransomware operation first observed in July 2022. 
Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokayawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed nearly 200 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5300", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "aeafc9f4-e3b4-42ec-a156-4a05f1aa5ea3", "value": "Play Ransomware" }, { "description": "[PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) is a remote access tool (RAT) and downloader used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)][[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)] [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) has also been referred to as [TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b), though more recent reporting indicates likely separation between the two. 
[PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) was observed in use as early as March 2017.[[JPCert TSCookie March 2018](https://app.tidalcyber.com/references/ff1717f7-0d2e-4947-87d7-44576affe9f8)][[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0435", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd", "type": "similar" } ], "uuid": "9a890a85-afbe-4c35-a3e7-1adad481bdf7", "value": "PLEAD" }, { "description": "Plink is a tool used to automate Secure Shell (SSH) actions on Windows.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5041", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "a1427c89-2ebd-440f-b7e0-9728e3ef2096", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": 
"33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "6117e2b5-140b-49d2-89b7-76d91e6c798c", "value": "Plink" }, { "description": "[PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[[Lastline PlugX Analysis](https://app.tidalcyber.com/references/9f7fa262-cede-4f47-94ca-1534c65c86e2)][[FireEye Clandestine Fox Part 2](https://app.tidalcyber.com/references/82500741-984d-4039-8f53-b303845c2849)][[New DragonOK](https://app.tidalcyber.com/references/82c1ed0d-a41d-4212-a3ae-a1d661bede2d)][[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0013", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "b10aa4c0-10a1-5e08-8d9d-82ce95d45e6a", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, { "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "f1477581-d485-403f-a95f-c56bf88c5d1e", "type": "used-by" }, { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" }, { "dest-uuid": 
"64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "similar" } ], "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10", "value": "PlugX" }, { "description": "[pngdowner](https://app.tidalcyber.com/software/95c273d2-3081-4cb5-8d41-37eb4e90264d) is malware used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-execute\" utility. [[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0067", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" }, { "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "type": "similar" } ], "uuid": "95c273d2-3081-4cb5-8d41-37eb4e90264d", "value": "pngdowner" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing drivers\n\n**Author:** Hai vaknin (lux)\n\n**Paths:**\n* C:\\Windows\\system32\\pnputil.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml)[[Pnputil.exe - LOLBAS Project](/references/21d0419a-5454-4808-b7e6-2b1b9de08ed6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5140", "source": "Tidal Cyber", "tags": [ "6d924d43-5de3-45de-8466-a8c47a5b9e68", "303a3675-4855-4323-b042-95bb1d907cca",
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "dd1e8b57-4900-4823-b194-1526c1e00099", "value": "Pnputil" }, { "description": "[PoetRAT](https://app.tidalcyber.com/software/79b4f277-3b18-4aa7-9f96-44b35b23166b) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://app.tidalcyber.com/software/79b4f277-3b18-4aa7-9f96-44b35b23166b) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://app.tidalcyber.com/software/79b4f277-3b18-4aa7-9f96-44b35b23166b) derived its name from references in the code to poet William Shakespeare. [[Talos PoetRAT April 2020](https://app.tidalcyber.com/references/fe2a79a5-bc50-4147-b919-f3d0eb7430b6)][[Talos PoetRAT October 2020](https://app.tidalcyber.com/references/5862c90a-3bae-48d0-8749-9a6510fe3630)][[Dragos Threat Report 2020](https://app.tidalcyber.com/references/8bb3147c-3178-4449-9978-f1248b1bcb0a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0428", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "type": "similar" } ], "uuid": "79b4f277-3b18-4aa7-9f96-44b35b23166b", "value": "PoetRAT" }, { "description": "[PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3) is a popular remote access tool (RAT) that has been used by many groups.[[FireEye Poison Ivy](https://app.tidalcyber.com/references/c189447e-a903-4dc2-a38b-1f4accc64e20)][[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Darkmoon Aug 2005](https://app.tidalcyber.com/references/7088234d-a6fc-49ad-b4fd-2fe8ca333c1d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0012", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], 
"type": [ "malware" ] }, "related": [ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" }, { "dest-uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813", "type": "used-by" }, { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "similar" } ], "uuid": "1d87a695-7989-49ae-ac1a-b6601db565c3", "value": "PoisonIvy" }, { "description": "[PolyglotDuke](https://app.tidalcyber.com/software/3b7179fa-7b8b-4068-b224-d8d9c642964d) is a downloader that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2013. 
[PolyglotDuke](https://app.tidalcyber.com/software/3b7179fa-7b8b-4068-b224-d8d9c642964d) has been used to drop [MiniDuke](https://app.tidalcyber.com/software/2bb16809-6bc3-46c3-b28a-39cb49410340).[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0518", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", "type": "similar" } ], "uuid": "3b7179fa-7b8b-4068-b224-d8d9c642964d", "value": "PolyglotDuke" }, { "description": "[Pony](https://app.tidalcyber.com/software/555b612e-3f0d-421d-b2a7-63eb2d1ece5f) is a credential-stealing malware, though it has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to their use by various threat actors.[[Malwarebytes Pony April 2016](https://app.tidalcyber.com/references/f8700002-5da6-4cb8-be62-34e421d2a573)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0453", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce", "type": "similar" } ], "uuid": "555b612e-3f0d-421d-b2a7-63eb2d1ece5f", "value": "Pony" }, { "description": "[POORAIM](https://app.tidalcyber.com/software/1353d695-5bae-4593-988f-9bd07a6fd1bb) is a backdoor used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) in campaigns since at least 2014. 
[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0216", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", "type": "similar" } ], "uuid": "1353d695-5bae-4593-988f-9bd07a6fd1bb", "value": "POORAIM" }, { "description": "POORTRY is a malicious kernel driver known to be used by multiple ransomware groups for defense evasion purposes, typically in conjunction with a related loader capability, STONESTOP. POORTRY abuses or falsifies certificates to evade code signing processes. Since being discovered and disclosed in 2022, POORTRY has evolved its focus from disabling security software to actually removing critical software components from victim disks.[[Sophos News August 27 2024](/references/af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5336", "source": "Tidal Cyber", "tags": [ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5216ac81-da4c-4b87-86ce-b90a651f1048", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "316a49d5-5fe0-4e0b-a276-f955f4277162", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" } ], "uuid": "439059e2-f756-4c38-8d87-1d3c534f2e16", "value": "POORTRY" }, { "description": "[PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. 
The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Although [PoshC2](https://app.tidalcyber.com/software/a3a03835-79bf-4558-8e80-7983aeb842fb) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[[GitHub PoshC2](https://app.tidalcyber.com/references/45e79c0e-a2f6-4b56-b621-4142756bd1b1)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0378", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", "type": "similar" } ], "uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb", "value": "PoshC2" }, { "description": "[POSHSPY](https://app.tidalcyber.com/software/b92f28c4-cbc8-4721-ac79-2d8bdf5247e5) is a backdoor that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2015. It appears to serve as a secondary backdoor, used if the actors lost access to their primary backdoors. 
[[FireEye POSHSPY April 2017](https://app.tidalcyber.com/references/b1271e05-80d7-4761-a13f-b6f0db7d7e5a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0150", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "type": "similar" } ], "uuid": "b92f28c4-cbc8-4721-ac79-2d8bdf5247e5", "value": "POSHSPY" }, { "description": "[PowerDuke](https://app.tidalcyber.com/software/d9e4f4a1-dd41-424e-986a-b9a39ebea805) is a backdoor that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0139", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "type": "similar" } ], "uuid": "d9e4f4a1-dd41-424e-986a-b9a39ebea805", "value": "PowerDuke" }, { "description": "[PowerLess](https://app.tidalcyber.com/software/8b9159c1-db48-472b-9897-34325da5dca7) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://app.tidalcyber.com/groups/7a9d653c-8812-4b96-81d1-b0a27ca918b4) since at least 2022.[[Cybereason PowerLess February 2022](https://app.tidalcyber.com/references/095aaa25-b674-4313-bc4f-3227b00c0459)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1012", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": 
"35ee9bf3-264b-4411-8a8f-b58cec8f35e4", "type": "similar" } ], "uuid": "8b9159c1-db48-472b-9897-34325da5dca7", "value": "PowerLess" }, { "description": "[Power Loader](https://app.tidalcyber.com/software/018ee1d9-35af-49dc-a667-11b77cd76f46) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. [[MalwareTech Power Loader Aug 2013](https://app.tidalcyber.com/references/9a9a6ca1-d7c5-4385-924b-cdeffd66602e)] [[WeLiveSecurity Gapz and Redyms Mar 2013](https://app.tidalcyber.com/references/b8d328b7-2eb3-4851-8d44-2e1bad7710c2)]", "meta": { "software_attack_id": "S0177", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", "type": "similar" } ], "uuid": "018ee1d9-35af-49dc-a667-11b77cd76f46", "value": "Power Loader" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary.\n\n**Author:** Reegun J (OCBC Bank)\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office 
14\\ClientX64\\Root\\Office14\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Powerpnt.exe\n\n**Resources:**\n* [https://twitter.com/reegun21/status/1150032506504151040](https://twitter.com/reegun21/status/1150032506504151040)\n* [https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_office.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml)\n* IOC: Suspicious Office application Internet/network traffic[[Powerpnt.exe - LOLBAS Project](/references/23c48ab3-9426-4949-9a35-d1b9ecb4bb47)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5231", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "155053be-8a2c-4d5e-8206-36d992c5651d", "value": "Powerpnt" }, { "description": "[PowerPunch](https://app.tidalcyber.com/software/e7cdaf70-5e28-442a-b34d-894484788dc5) is a lightweight downloader that has been used by [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) since at least 2021.[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0685", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ 
{ "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", "type": "similar" } ], "uuid": "e7cdaf70-5e28-442a-b34d-894484788dc5", "value": "PowerPunch" }, { "description": "[PowerShower](https://app.tidalcyber.com/software/2ca245de-77a9-4857-ba93-fd0d6988df9d) is a PowerShell backdoor used by [Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) for initial reconnaissance and to download and execute second stage payloads.[[Unit 42 Inception November 2018](https://app.tidalcyber.com/references/5cb98fce-f386-4878-b69c-5c6440ad689c)][[Kaspersky Cloud Atlas August 2019](https://app.tidalcyber.com/references/4c3ae600-0787-4847-b528-ae3e8ff1b5ef)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0441", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" }, { "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", "type": "similar" } ], "uuid": "2ca245de-77a9-4857-ba93-fd0d6988df9d", "value": "PowerShower" }, { "description": "[POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. 
[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)] [[Cisco DNSMessenger March 2017](https://app.tidalcyber.com/references/49f22ba2-5aca-4204-858e-c2499a7050ae)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0145", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "type": "similar" } ], "uuid": "a4700431-6578-489f-9782-52e394277296", "value": "POWERSOURCE" }, { "description": "[PowerSploit](https://app.tidalcyber.com/software/82fad10d-c921-4a87-a533-49def83d002b) is an open source, offensive security framework comprised of [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. 
[[GitHub PowerSploit May 2012](https://app.tidalcyber.com/references/ec3edb54-9f1b-401d-a265-cd8924e5cb2b)] [[PowerShellMagazine PowerSploit July 2014](https://app.tidalcyber.com/references/7765d4f7-bf2d-43b9-a87e-74114a092645)] [[PowerSploit Documentation](https://app.tidalcyber.com/references/56628e55-94cd-4c5e-8f5a-34ffb7a45174)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0194", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "similar" } ], "uuid": "82fad10d-c921-4a87-a533-49def83d002b", "value": "PowerSploit" }, { "description": "[PowerStallion](https://app.tidalcyber.com/software/837bcf97-37a7-4001-a466-306574fd7890) is a lightweight [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2), possibly as a recovery access tool to install other backdoors.[[ESET Turla PowerShell May 
2019](https://app.tidalcyber.com/references/68c0f34b-691a-4847-8d49-f18b7f4e5188)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0393", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", "type": "similar" } ], "uuid": "837bcf97-37a7-4001-a466-306574fd7890", "value": "PowerStallion" }, { "description": "[POWERSTATS](https://app.tidalcyber.com/software/39fc59c6-f1aa-4c93-8e43-1f41563e9d9e) is a PowerShell-based first stage backdoor used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6). [[Unit 42 MuddyWater Nov 2017](https://app.tidalcyber.com/references/dcdee265-2e46-4f40-95c7-6a2683edb23a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0223", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", "type": "similar" } ], "uuid": "39fc59c6-f1aa-4c93-8e43-1f41563e9d9e", "value": "POWERSTATS" }, { "description": "[POWERTON](https://app.tidalcyber.com/software/b3c28750-3825-4e4d-ab92-f39a6b0827dd) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac). 
At least two variants of the backdoor have been identified, with the later version containing improved functionality.[[FireEye APT33 Guardrail](https://app.tidalcyber.com/references/4b4c9e72-eee1-4fa4-8dcb-501ec49882b0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0371", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", "type": "similar" } ], "uuid": "b3c28750-3825-4e4d-ab92-f39a6b0827dd", "value": "POWERTON" }, { "description": "PowerTool is a tool used to remove rootkits, as well as to detect, analyze, and fix kernel structure modifications.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5039", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": 
"b8a101e4-e0d2-4002-94c6-18ea30da7aa7", "value": "PowerTool" }, { "description": "A PowerShell-based, in-memory loader that executes embedded payloads.[[Mandiant FIN7 April 4 2022](/references/fbc3ea90-d3d4-440e-964d-6cd2e991df0c)] According to Mandiant, POWERTRASH is a \"uniquely obfuscated\" version of PowerSploit's `Invoke-Shellcode.ps1` shellcode invoker module known to be used by FIN7.[[GitHub - PowerSploit Invoke-Shellcode](/references/cf75a442-c6c0-4e83-87bf-8bb42839452b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5294", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" } ], "uuid": "3192d79f-2a24-4461-b4c8-4b40ef7c163f", "value": "POWERTRASH" }, { "description": "[PowGoop](https://app.tidalcyber.com/software/7ed984bb-d098-4d0a-90fd-b03e68842479) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) as their main loader.[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)][[CYBERCOM Iranian Intel Cyber January 2022](https://app.tidalcyber.com/references/671e1559-c7dc-4cb4-a9a1-21776f2ae56a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1046", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", "type": "similar" } ], "uuid": "7ed984bb-d098-4d0a-90fd-b03e68842479", "value": "PowGoop" }, { "description": "[POWRUNER](https://app.tidalcyber.com/software/67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4) is a 
PowerShell script that sends and receives commands to and from the C2 server. [[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0184", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "type": "similar" } ], "uuid": "67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4", "value": "POWRUNER" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** File is used for executing Browser applications\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Presentationhost.exe\n* C:\\Windows\\SysWOW64\\Presentationhost.exe\n\n**Resources:**\n* [https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf](https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf)\n* [https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_presentationhost_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml)\n* Sigma: [proc_creation_win_lolbin_presentationhost.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml)\n* IOC: Execution of .xbap files may not be common on 
production workstations[[Presentationhost.exe - LOLBAS Project](/references/37539e72-18f5-435a-a949-f9fa5991149a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5141", "source": "Tidal Cyber", "tags": [ "0661bf1f-76ec-490c-937a-efa3f02bc59b", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "8127f51d-dce0-405a-a785-83883ba19c23", "value": "Presentationhost" }, { "description": "[Prestige](https://app.tidalcyber.com/software/4fb5b109-5a5c-5441-a0f9-f639ead5405e) ransomware has been used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[[Microsoft Prestige ransomware October 2022](https://app.tidalcyber.com/references/b57e1181-461b-5ada-a739-873ede1ec079)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1058", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", "type": "similar" } ], "uuid": "4fb5b109-5a5c-5441-a0f9-f639ead5405e", "value": "Prestige" }, { "description": "[Prikormka](https://app.tidalcyber.com/software/1da989a8-41cc-4e89-a435-a88acb72ae0d) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. 
[[ESET Operation Groundbait](https://app.tidalcyber.com/references/218e69fd-558c-459b-9a57-ad2ee3e96296)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0113", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "type": "similar" } ], "uuid": "1da989a8-41cc-4e89-a435-a88acb72ae0d", "value": "Prikormka" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to send files to the printer\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\print.exe\n* C:\\Windows\\SysWOW64\\print.exe\n\n**Resources:**\n* [https://twitter.com/Oddvarmoe/status/985518877076541440](https://twitter.com/Oddvarmoe/status/985518877076541440)\n* [https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410](https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410)\n\n**Detection:**\n* Sigma: [proc_creation_win_print_remote_file_copy.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml)\n* IOC: Print.exe retrieving files from internet\n* IOC: Print.exe creating executable files on disk[[Print.exe - LOLBAS Project](/references/696ce89a-b3a1-4993-b30d-33a669a57031)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5142", "source": "Tidal Cyber", "tags": [ "01aca077-8cfb-4d1d-9b83-3678cd26f050", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"8ad4945d-6c54-4472-a476-906a9860fb82", "value": "Print" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Printer Migration Command-Line Tool\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\spool\\tools\\PrintBrm.exe\n\n**Resources:**\n* [https://twitter.com/elliotkillick/status/1404117015447670800](https://twitter.com/elliotkillick/status/1404117015447670800)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_printbrm.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml)\n* IOC: PrintBrm.exe should not be run on a normal workstation[[PrintBrm.exe - LOLBAS Project](/references/a7ab6f09-c22f-4627-afb1-c13a963efca5)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5143", "source": "Tidal Cyber", "tags": [ "37a70ca8-a027-458c-9a48-7e0d307462be", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "93ec2323-f93b-4d21-9930-f367948187f0", "value": "PrintBrm" }, { "description": "ProcDump is a tool used to monitor applications for CPU spikes and generate crash dumps.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5036", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "c3eaf8a7-06e5-4e3a-9615-36316d9e10a8", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "0d6e00a3-6237-458a-85e5-1128bd7f4f50", "value": "ProcDump" }, { "description": "Process Hacker is a tool used to remove rootkits.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5040", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "d390ea7d-0995-4069-924d-65d6c7c98e3c", "value": "Process Hacker" }, { "description": "[ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea). 
[ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.[[Group IB Ransomware September 2020](https://app.tidalcyber.com/references/52d0e16f-9a20-442f-9a17-686e51d7e32b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0654", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", "type": "similar" } ], "uuid": "c8af096e-c71e-4751-b203-70c285b7a7bd", "value": "ProLock" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary\n\n**Author:** Nir Chako\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\ProtocolHandler.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\ProtocolHandler.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\ProtocolHandler.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\ProtocolHandler.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_protocolhandler_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml)\n* IOC: Suspicious Office application Internet/network traffic[[ProtocolHandler.exe - LOLBAS Project](/references/1f678111-dfa3-4c06-9359-816b9ca12cd0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5232", "source": "Tidal Cyber", "tags": [ "77131d00-b8b2-42ef-afbd-1fbfc12729df", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "2ecf8041-8069-41a0-b6e8-5b328ae69e31", "value": "ProtocolHandler" }, { "description": "[Proton](https://app.tidalcyber.com/software/d3bcdbc4-5998-4e50-bd45-cba6a3278427) is a macOS backdoor focusing on data theft and credential access [[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)].", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0279", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "type": "similar" } ], "uuid": "d3bcdbc4-5998-4e50-bd45-cba6a3278427", "value": "Proton" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Launcher process\n\n**Author:** Grzegorz Tworek\n\n**Paths:**\n* c:\\windows\\system32\\provlaunch.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1674399582162153472](https://twitter.com/0gtweet/status/1674399582162153472)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_provlaunch_potential_abuse.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml)\n* Sigma: [proc_creation_win_provlaunch_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml)\n* Sigma: [proc_creation_win_registry_provlaunch_provisioning_command.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml)\n* Sigma: [registry_set_provisioning_command_abuse.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml)\n* IOC: c:\\windows\\system32\\provlaunch.exe executions\n* IOC: Creation/existence of HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands subkeys[[Provlaunch.exe - LOLBAS Project](/references/56a57369-4707-4dff-ad23-431109f24233)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5144", "source": "Tidal Cyber", "tags": [ "9e5ec91c-0d0f-4e40-846d-d7b7eb941e17", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "83e1ac24-3928-40ba-b701-d72549a9430c", "value": "Provlaunch" }, { "description": "[Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is a malicious DLL used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. 
The goal of [Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [[McAfee GhostSecret](https://app.tidalcyber.com/references/d1cd4f5b-253c-4833-8905-49fb58e7c016)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0238", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84", "type": "similar" } ], "uuid": "94f43629-243e-49dc-8c2b-cdf4fc15cf83", "value": "Proxysvc" }, { "description": "[PS1](https://app.tidalcyber.com/software/8cd401ac-a233-4395-a8ae-d75db9d5b845) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://app.tidalcyber.com/groups/) campaign.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0613", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "13183cdf-280b-46be-913a-5c6df47831e7", "type": "similar" } ], "uuid": "8cd401ac-a233-4395-a8ae-d75db9d5b845", "value": "PS1" }, { "description": "[PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) is a free Microsoft tool that can be used to execute a program on another computer. 
It is used by IT administrators and attackers.[[Russinovich Sysinternals](https://app.tidalcyber.com/references/72d27aca-62c5-4e96-9977-c41951aaa888)][[SANS PsExec](https://app.tidalcyber.com/references/a8d1e40d-b291-443c-86cc-edf6db00b898)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0029", "source": "MITRE", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e1af18e3-3224-4e4c-9d0f-533768474508", "5cd85fec-0e37-4892-9cd2-bb8c70139072", "0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "950e8d3a-044b-43e3-b5db-bba61f70ff51", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "0f86e871-0c6c-4227-ae28-3f3696d6ae9d", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": 
"7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "55b20209-c04a-47ab-805d-ace83522ef6a", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" }, { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", "type": "used-by" }, { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": 
"c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" }, { "dest-uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "similar" } ], "uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6", "value": "PsExec" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Problem Steps Recorder, used to record screen and clicks.\n\n**Author:** Leon Rodenko\n\n**Paths:**\n* c:\\windows\\system32\\psr.exe\n* c:\\windows\\syswow64\\psr.exe\n\n**Resources:**\n* [https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx](https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx)\n\n**Detection:**\n* Sigma: [proc_creation_win_psr_capture_screenshots.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml)\n* IOC: psr.exe spawned\n* IOC: suspicious activity when running with \"/gui 0\" flag[[Psr.exe - LOLBAS Project](/references/a00782cf-f6b2-4b63-9d8d-97efe17e11c0)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": 
"S5145", "source": "Tidal Cyber", "tags": [ "08f4ef8d-94bb-42f7-b76d-71bcc809bcc9", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "1945584b-bb16-48a2-902d-2a1c9591efcd", "value": "Psr" }, { "description": "[Psylo](https://app.tidalcyber.com/software/8c35d349-2f70-4edb-8668-e1cc2b67e4a0) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4). It has similar characteristics as [FakeM](https://app.tidalcyber.com/software/8c64a330-1457-4c32-ab2f-12b6eb37d607). [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0078", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" }, { "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "type": "similar" } ], "uuid": "8c35d349-2f70-4edb-8668-e1cc2b67e4a0", "value": "Psylo" }, { "description": "[Pteranodon](https://app.tidalcyber.com/software/7fed4276-807e-4656-95f5-90878b6e2dbb) is a custom backdoor used by [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067). 
[[Palo Alto Gamaredon Feb 2017](https://app.tidalcyber.com/references/3f9a6343-1db3-4696-99ed-f22c6eabee71)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0147", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "type": "similar" } ], "uuid": "7fed4276-807e-4656-95f5-90878b6e2dbb", "value": "Pteranodon" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with Pubprn.vbs\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n* C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n\n**Resources:**\n* [https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/](https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/)\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: 
[proc_creation_win_lolbin_pubprn.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml)[[Pubprn.vbs - LOLBAS Project](/references/d2b6b9fd-5f80-41c0-ac22-06b78c86a9e5)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5260", "source": "Tidal Cyber", "tags": [ "8177e8ac-f80d-477d-b0af-c2ea243ddf00", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" } ], "uuid": "58883c83-d5be-42fc-b4bd-9287e55cd499", "value": "Pubprn" }, { "description": "[PULSECHECK](https://app.tidalcyber.com/software/d777204c-f93c-54d9-b80e-41641a3d55ce) is a web shell written in Perl that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", "meta": { "platforms": [ "Network", "Linux" ], "software_attack_id": "S1108", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", "type": "similar" } ], "uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce", "value": "PULSECHECK" }, { "description": "According to joint Cybersecurity Advisory AA23-320A (November 2023), Pulseway is a publicly available, legitimate tool that \"enables remote monitoring and management of systems\". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[[U.S. 
CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5068", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "74eb97b8-fc2c-41f0-b497-aad08a52777e", "value": "Pulseway" }, { "description": "[PUNCHBUGGY](https://app.tidalcyber.com/software/d8999d60-3818-4d75-8756-8a55531254d8) is a backdoor malware used by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) that has been observed targeting POS networks in the hospitality industry. [[Morphisec ShellTea June 2019](https://app.tidalcyber.com/references/1b6ce918-651a-480d-8305-82bccbf42e96)][[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)] [[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0196", "source": "MITRE", "tags": [ "6c6c0125-9631-4c2c-90ab-cfef374d5198" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "type": "similar" } ], "uuid": "d8999d60-3818-4d75-8756-8a55531254d8", "value": "PUNCHBUGGY" }, { "description": "[PUNCHTRACK](https://app.tidalcyber.com/software/1638d99b-fbcf-40ec-ac48-802ce5be520a) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) to scrape payment card data. 
[[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)] [[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0197", "source": "MITRE", "tags": [ "6c6c0125-9631-4c2c-90ab-cfef374d5198" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", "type": "similar" } ], "uuid": "1638d99b-fbcf-40ec-ac48-802ce5be520a", "value": "PUNCHTRACK" }, { "description": "[Pupy](https://app.tidalcyber.com/software/0a8bedc2-b404-4a9a-b4f5-ff90ff8294be) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [[GitHub Pupy](https://app.tidalcyber.com/references/69d5cb59-6545-4405-8ca6-733db99d3ee9)] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [[GitHub Pupy](https://app.tidalcyber.com/references/69d5cb59-6545-4405-8ca6-733db99d3ee9)] [Pupy](https://app.tidalcyber.com/software/0a8bedc2-b404-4a9a-b4f5-ff90ff8294be) is publicly available on GitHub. 
[[GitHub Pupy](https://app.tidalcyber.com/references/69d5cb59-6545-4405-8ca6-733db99d3ee9)]", "meta": { "platforms": [ "macOS", "Linux", "Android", "Windows" ], "software_attack_id": "S0192", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "type": "similar" } ], "uuid": "0a8bedc2-b404-4a9a-b4f5-ff90ff8294be", "value": "Pupy" }, { "description": "PureCrypter is a malware used for downloading/dropping purposes.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5291", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "a381cec1-9e87-415e-9025-a6e31fc8a48d", "value": "PureCrypter" }, { "description": "PuTTy is an open-source SSH and telnet client.[[PuTTY Download Page](/references/bf278270-128e-483b-9f09-ce24f5f6ed80)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5065", "source": "Tidal Cyber", "tags": [ "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" } ], "uuid": "313c78e9-488d-4fbc-a6e5-05c0df3cb8a4", "value": "PuTTy" }, { "description": 
"[pwdump](https://app.tidalcyber.com/software/77f629db-d971-49d8-8b73-c7c779b7de3e) is a credential dumper. [[Wikipedia pwdump](https://app.tidalcyber.com/references/6a1a1ae1-a587-41f5-945f-011d6808e5b8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0006", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "similar" } ], "uuid": "77f629db-d971-49d8-8b73-c7c779b7de3e", "value": "pwdump" }, { "description": "[PyDCrypt](https://app.tidalcyber.com/software/51b2c56e-7d64-4e15-b1bd-45a980c9c44d) is malware written in Python designed to deliver [DCSrv](https://app.tidalcyber.com/software/26ae3cd1-6710-4807-b674-957bd67d3e76). 
It has been used by [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) since at least September 2021, with each sample tailored for its intended victim organization.[[Checkpoint MosesStaff Nov 2021](https://app.tidalcyber.com/references/d6da2849-cff0-408a-9f09-81a33fc88a56)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1032", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" }, { "dest-uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3", "type": "similar" } ], "uuid": "51b2c56e-7d64-4e15-b1bd-45a980c9c44d", "value": "PyDCrypt" }, { "description": "[Pysa](https://app.tidalcyber.com/software/e0d5ecce-eca0-4f01-afcc-0c8e92323016) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.[[CERT-FR PYSA April 2020](https://app.tidalcyber.com/references/4e502db6-2e09-4422-9dcc-1e10e701e122)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0583", "source": "MITRE", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b", "type": "similar" } ], "uuid": "e0d5ecce-eca0-4f01-afcc-0c8e92323016", "value": "Pysa" }, { "description": "[QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. 
[QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) and [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66).[[Trend Micro Qakbot December 2020](https://app.tidalcyber.com/references/c061ce45-1452-4c11-9586-bd5eb2d718ab)][[Red Canary Qbot](https://app.tidalcyber.com/references/6e4960e7-ae5e-4b68-ac85-4bd84e940634)][[Kaspersky QakBot September 2021](https://app.tidalcyber.com/references/f40cabe3-a324-4b4d-8e95-25c036dbd8b5)][[ATT QakBot April 2021](https://app.tidalcyber.com/references/c7b0b3f3-e9ea-4159-acd1-f6d92ed41828)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0650", "source": "MITRE", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "15787198-6c8b-4f79-bf50-258d55072fee", "e096f0dd-fa2c-4771-8270-128c97c09f5b", "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", "type": "similar" } ], "uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea", "value": "QakBot" }, { "description": "Qilin (also known as Agenda) is a ransomware discovered in 2022. 
Attacks by threat actors deploying Qilin increased considerably in Q1 2024, impacting organizations in a wide range of sectors and locations across the globe.[[Trend Micro March 26 2024](/references/d5634b8e-420a-4721-a3d2-19d9f36697f4)]\n\nThe ransomware's capabilities have evolved over time, and multiple Qilin/Agenda variants and versions have been observed. The techniques featured in this object mainly derive from a variant observed in February 2024 written in the Rust programming language. A variant focused on encrypting Linux-based virtual machine servers can be found in the separate \"Qilin Ransomware (Linux)\" Software object.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "Windows" ], "software_attack_id": "S5326", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "3b78dda9-d273-4ffc-9a9f-75e80178c7b2", "value": "Qilin Ransomware" }, { "description": "Qilin is a Linux-based ransomware. The malware is technically capable of running on Linux, FreeBSD, and VMware ESXi servers, but researchers have most often observed Qilin being used to encrypt virtual machines. Qilin users can use various flags to customize its capabilities. 
Qilin operators maintain a website where they threaten to leak data exfiltrated during their attacks, in an attempt to pressure victims into paying a ransom.[[BleepingComputer 12 3 2023](/references/8cb73f97-0256-472d-88b7-92b6d63578fd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux" ], "software_attack_id": "S5310", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "01a33c16-7eb3-4494-8c05-b163f871b951", "value": "Qilin Ransomware (Linux)" }, { "description": "[QUADAGENT](https://app.tidalcyber.com/software/2bf68242-1dbd-405b-ac35-330eda887081) is a PowerShell backdoor used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). [[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0269", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "type": "similar" } ], "uuid": "2bf68242-1dbd-405b-ac35-330eda887081", "value": "QUADAGENT" }, { "description": "[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. 
[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is developed in the C# language.[[GitHub QuasarRAT](https://app.tidalcyber.com/references/c87e4427-af97-4e93-9596-ad5a588aa171)][[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0262", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" }, { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, { "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "type": "similar" } ], "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b", "value": "QuasarRAT" }, { "description": "Quick Assist is a built-in Windows utility that can be used to grant external users remote access to a particular system. 
Financially motivated adversaries abused Quick Assist during an April 2024 campaign that in some cases led to Black Basta ransomware deployment.[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5319", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "e1af18e3-3224-4e4c-9d0f-533768474508", "e727eaa6-ef41-4965-b93a-8ad0c51d0236", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" } ], "uuid": "9c4f3f26-c391-4b2c-9dd4-e4bb9bbc5ea3", "value": "Quick Assist" }, { "description": "[QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1076", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", "type": "similar" } ], "uuid": "52d3515c-5184-5257-bf24-56adccb4cccd", "value": "QUIETCANARY" }, { "description": "[QUIETEXIT](https://app.tidalcyber.com/software/947ab087-7550-577f-9ae9-5e82e9910610) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021. 
[APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) has deployed [QUIETEXIT](https://app.tidalcyber.com/software/947ab087-7550-577f-9ae9-5e82e9910610) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1084", "source": "MITRE", "tags": [ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", "type": "similar" } ], "uuid": "947ab087-7550-577f-9ae9-5e82e9910610", "value": "QUIETEXIT" }, { "description": "[QuietSieve](https://app.tidalcyber.com/software/dcdb74c5-4445-49bd-9f9c-236a7ecc7904) is an information stealer that has been used by [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) since at least 2021.[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0686", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", "type": "similar" } ], "uuid": "dcdb74c5-4445-49bd-9f9c-236a7ecc7904", "value": "QuietSieve" }, { "description": "According to joint Cybersecurity Advisory AA23-250A (September 2023), Quser is \"a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server\".[[U.S. 
CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5053", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "e47b2958-b7c4-4fe1-a006-03137db91963", "type": "used-by" } ], "uuid": "7b78eb31-f251-493b-8058-14a3452e8ccc", "value": "Quser" }, { "description": "Raccoon Stealer is one of the most heavily used information & credential stealers (\"infostealers\") in recent years. The \"2.0\" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.[[Sekoia.io Raccoon Stealer June 28 2022](/references/df0c9cbd-8692-497e-9f81-cf9e44a3a5cd)] Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for weeklong access) contributes to the malware's popularity. 
Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.\n\nMore details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5070", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "7046193b-96c2-462b-9ba1-ea39a938e8e9", "value": "Raccoon Stealer 2.0" }, { "description": "Radmin is a free remote desktop software application. 
It has been abused by cyber threat actors such as Akira ransomware operators to facilitate remote access into victim networks.[[Sophos Akira May 9 2023](/references/1343b052-b158-4dad-9ed4-9dbb7bb778dd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5281", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "33c0f985-3e1e-4901-bfee-d3c81bba0d71", "value": "Radmin" }, { "description": "[Ragnar Locker](https://app.tidalcyber.com/software/d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f) is a ransomware that has been in use since at least December 2019.[[Sophos Ragnar May 2020](https://app.tidalcyber.com/references/04ed6dc0-45c2-4e36-8ec7-a75f6f715f0a)][[Cynet Ragnar Apr 2020](https://app.tidalcyber.com/references/aeb637ea-0b83-42a0-8f68-9fdc59aa462a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0481", "source": "MITRE", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "cb5803f0-8ab4-4ada-8540-7758dfc126e2", "5e7433ad-a894-4489-93bc-41e90da90019", "a2e000da-8181-4327-bacd-32013dbd3654", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", "type": "similar" } ], "uuid": "d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f", "value": "Ragnar Locker" }, { "description": 
"[Raindrop](https://app.tidalcyber.com/software/80295aeb-59e3-4c5d-ac39-9879158f8d23) is a loader used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a). It was discovered in January 2021 and was likely used since at least May 2020.[[Symantec RAINDROP January 2021](https://app.tidalcyber.com/references/9185092d-3d99-466d-b885-f4e76fe74b6b)][[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0565", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", "type": "similar" } ], "uuid": "80295aeb-59e3-4c5d-ac39-9879158f8d23", "value": "Raindrop" }, { "description": "[RainyDay](https://app.tidalcyber.com/software/42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e) is a backdoor tool that has been used by [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) since at least 2020.[[Bitdefender Naikon April 2021](https://app.tidalcyber.com/references/55660913-4c03-4360-bb8b-1cad94bd8d0e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0629", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", "type": "similar" } ], "uuid": "42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e", "value": "RainyDay" }, { "description": "[Ramsay](https://app.tidalcyber.com/software/dc307b3c-9bc5-4624-b0bc-4807fa1fc57b) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, 
including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://app.tidalcyber.com/software/dc307b3c-9bc5-4624-b0bc-4807fa1fc57b) and the [Darkhotel](https://app.tidalcyber.com/groups/efa1d922-8f48-43a6-89fe-237e1f3812c8)-associated Retro malware.[[Eset Ramsay May 2020](https://app.tidalcyber.com/references/3c149b0b-f37c-4d4e-aa61-351c87fd57ce)][[Antiy CERT Ramsay April 2020](https://app.tidalcyber.com/references/280636da-fa21-472c-947c-651a628ea2cd)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0458", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "type": "similar" } ], "uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b", "value": "Ramsay" }, { "description": "This object represents the techniques associated with the payload binary used in attacks associated with the RansomHub ransomware-as-a-service (\"RaaS\") operation. The RansomHub gang is suspected of leaking victim data exfiltrated in attacks by other groups, but researchers have also observed an apparent original ransomware payload linked to the group.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This payload displays a high degree of code similarity with Knight ransomware, whose source code was offered for sale in cybercriminal forums in February 2024.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5325", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": 
"3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" } ], "uuid": "a3044fb5-3aae-4590-b589-cc88bf0d1f34", "value": "RansomHub (Payload)" }, { "description": "[RAPIDPULSE](https://app.tidalcyber.com/software/129abb68-7992-554e-92fa-fa376279c0b6) is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) since at least 2021.[[Mandiant Pulse Secure Update May 2021](https://app.tidalcyber.com/references/5620adaf-c2a7-5f0f-ae70-554ce720426e)]", "meta": { "platforms": [ "Network", "Linux" ], "software_attack_id": "S1113", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", "type": "similar" } ], "uuid": "129abb68-7992-554e-92fa-fa376279c0b6", "value": "RAPIDPULSE" }, { "description": "[RARSTONE](https://app.tidalcyber.com/software/a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2) is malware used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group that has some characteristics similar to [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). 
[[Aquino RARSTONE](https://app.tidalcyber.com/references/2327592e-4e8a-481e-bdf9-d548c776adee)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0055", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "type": "similar" } ], "uuid": "a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2", "value": "RARSTONE" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Remote Access Dialer\n\n**Author:** Tony Lambert\n\n**Paths:**\n* C:\\Windows\\System32\\rasautou.exe\n\n**Resources:**\n* [https://github.com/fireeye/DueDLLigence](https://github.com/fireeye/DueDLLigence)\n* [https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html](https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html)\n\n**Detection:**\n* Sigma: [win_rasautou_dll_execution.yml](https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml)\n* IOC: rasautou.exe command line containing -d and -p[[Rasautou.exe - LOLBAS Project](/references/dc299f7a-403b-4a22-9386-0be3e160d185)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5146", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "8d34715e-1018-40fc-bf09-4eca69be830e", "value": "Rasautou" }, { "description": "A highly active worm that 
spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)]\n\n**Delivers**: Cobalt Strike[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)], SocGholish[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)], Truebot[[Microsoft Security Raspberry Robin October 2022](/references/8017e42a-8373-4d24-8d89-638a925b704b)][[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/raspberryrobin/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/Raspberry%20Robin", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5002", "source": "Tidal Cyber", "tags": [ "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" } ], "uuid": "dc0dbd15-0916-43c7-a3b9-6dc3ce0771be", "value": "Raspberry Robin" }, { "description": "[RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) is a remote controller tool used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). [RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. 
It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://app.tidalcyber.com/software/40466d7d-a107-46aa-a6fc-180e0eef2c6b) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [[Lazarus RATANKBA](https://app.tidalcyber.com/references/e3f9853f-29b0-4219-a488-a6ecfa16b09f)] [[RATANKBA](https://app.tidalcyber.com/references/7d08ec64-7fb8-4520-b26b-95b0dee891fe)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0241", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "type": "similar" } ], "uuid": "40466d7d-a107-46aa-a6fc-180e0eef2c6b", "value": "RATANKBA" }, { "description": "[RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. 
In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[[EldoS RawDisk ITpro](https://app.tidalcyber.com/references/a6cf3d1d-2310-42bb-9324-495b4e94d329)][[Novetta Blockbuster Destructive Malware](https://app.tidalcyber.com/references/de278b77-52cb-4126-9341-5b32843ae9f1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0364", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", "type": "similar" } ], "uuid": "d86a562d-d235-4481-9a3f-273fa3ebe89a", "value": "RawDisk" }, { "description": "[RawPOS](https://app.tidalcyber.com/software/6ea1bf95-fed8-4b94-8071-aa19a3af5e34) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [[Kroll RawPOS Jan 2017](https://app.tidalcyber.com/references/cbbfffb9-c378-4e57-a2af-e76e6014ed57)] [[TrendMicro RawPOS April 2015](https://app.tidalcyber.com/references/e483ed86-713b-42c6-ad77-e9b889bbcb81)] [[Visa RawPOS March 2015](https://app.tidalcyber.com/references/a2371f44-0a88-4d68-bbe7-7e79f13f78c2)] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. 
[[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)] [[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0169", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" }, { "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "type": "similar" } ], "uuid": "6ea1bf95-fed8-4b94-8071-aa19a3af5e34", "value": "RawPOS" }, { "description": "[Rclone](https://app.tidalcyber.com/software/1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://app.tidalcyber.com/software/1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) and DarkSide Ransomware-as-a-Service operations.[[Rclone](https://app.tidalcyber.com/references/3c7824de-d958-4254-beec-bc4e5ab989b0)][[Rclone Wars](https://app.tidalcyber.com/references/d47e5f7c-cf70-4f7c-ac83-57e4e1187485)][[Detecting Rclone](https://app.tidalcyber.com/references/2e44290c-32f5-4e7f-96de-9874df79fe89)][[DarkSide Ransomware Gang](https://app.tidalcyber.com/references/5f8d49e8-22da-425f-b63b-a799b97ec2b5)][[DFIR Conti Bazar Nov 2021](https://app.tidalcyber.com/references/a6f1a15d-448b-41d4-81f0-ee445cba83bd)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S1040", "source": "MITRE", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", 
"a40b7316-bef6-4186-9764-58ce6f033850", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "8bf128ad-288b-41bc-904f-093f4fdde745", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "07bdadce-905e-4337-898a-13e88cfb5a61", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" }, { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", "type": "similar" } ], "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4", "value": "Rclone" }, { "description": "[RCSession](https://app.tidalcyber.com/software/38c4d208-fe38-4965-871c-709fa1479ba3) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) and by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) (Type II Backdoor).[[Secureworks BRONZE PRESIDENT December 
2019](https://app.tidalcyber.com/references/019889e0-a2ce-476f-9a31-2fc394de2821)][[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)][[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0662", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", "type": "similar" } ], "uuid": "38c4d208-fe38-4965-871c-709fa1479ba3", "value": "RCSession" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Non-Interactive command line interface included with Visual Studio.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/](https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_csi_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: 
[defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [proc_creation_win_csi_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml)[[rcsi.exe - LOLBAS Project](/references/dc02058a-7ed3-4253-a976-6f99b9e91406)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5233", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9a5cff11-6bad-407a-a53c-2562a56ac024", "value": "rcsi" }, { "description": "[RDAT](https://app.tidalcyber.com/software/567da30e-fd4d-4ec5-a308-bf08788f3bfb) is a backdoor used by the suspected Iranian threat group [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). 
[RDAT](https://app.tidalcyber.com/software/567da30e-fd4d-4ec5-a308-bf08788f3bfb) was originally identified in 2017 and targeted companies in the telecommunications sector.[[Unit42 RDAT July 2020](https://app.tidalcyber.com/references/2929baa5-ead7-4936-ab67-c4742afc473c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0495", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", "type": "similar" } ], "uuid": "567da30e-fd4d-4ec5-a308-bf08788f3bfb", "value": "RDAT" }, { "description": "[RDFSNIFFER](https://app.tidalcyber.com/software/ca4e973c-da15-46a9-8f3a-0b1560c9a783) is a module loaded by [BOOSTWRITE](https://app.tidalcyber.com/software/74a73624-d53b-4c84-a14b-8ae964fd577c) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[[FireEye FIN7 Oct 2019](https://app.tidalcyber.com/references/df8886d1-fbd7-4c24-8ab1-6261923dee96)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0416", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", "type": "similar" } ], "uuid": "ca4e973c-da15-46a9-8f3a-0b1560c9a783", "value": "RDFSNIFFER" }, { "description": "RDP Recognizer is a tool that can be used to brute force RDP passwords and check for RDP vulnerabilities. U.S. authorities observed BianLian Ransomware Group actors downloading the tool during intrusions.[[U.S. 
CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5012", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" } ], "uuid": "22d9f7be-7447-4cce-90f0-67a13d4b6a82", "value": "RDP Recognizer" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Windows resource leak diagnostic tool\n\n**Author:** John Dwyer\n\n**Paths:**\n* c:\\windows\\system32\\rdrleakdiag.exe\n* c:\\Windows\\SysWOW64\\rdrleakdiag.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1299071304805560321?s=21](https://twitter.com/0gtweet/status/1299071304805560321?s=21)\n* [https://www.pureid.io/dumping-abusing-windows-credentials-part-1/](https://www.pureid.io/dumping-abusing-windows-credentials-part-1/)\n* [https://github.com/LOLBAS-Project/LOLBAS/issues/84](https://github.com/LOLBAS-Project/LOLBAS/issues/84)\n\n**Detection:**\n* Sigma: [proc_creation_win_rdrleakdiag_process_dumping.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml)\n* Elastic: 
[https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html](https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)[[rdrleakdiag.exe - LOLBAS Project](/references/1feff728-2230-4a45-bd64-6093f8b42646)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5147", "source": "Tidal Cyber", "tags": [ "9fbc403c-bd2e-458a-a202-a65b8201e973", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "3b37c81a-9574-4ac3-a996-d4cfe1e3ddb1", "value": "rdrleakdiag" }, { "description": "[Reaver](https://app.tidalcyber.com/software/ca544771-d43e-4747-80e5-cf0f4a4836f3) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of [Control Panel](https://app.tidalcyber.com/technique/b5cc9ab3-6501-4c50-904e-1a25a4088125) items.[[Palo Alto Reaver Nov 2017](https://app.tidalcyber.com/references/69fbe527-2ec4-457b-81b1-2eda65eb8442)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0172", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "type": "similar" } ], "uuid": "ca544771-d43e-4747-80e5-cf0f4a4836f3", "value": "Reaver" }, { "description": "[RedLeaves](https://app.tidalcyber.com/software/5264c3ab-14e1-4ae1-854e-889ebde029b4) is a malware family used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). 
The code overlaps with [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) and may be based upon the open source tool Trochilus. [[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)] [[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0153", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "type": "similar" } ], "uuid": "5264c3ab-14e1-4ae1-854e-889ebde029b4", "value": "RedLeaves" }, { "description": "[Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)]\n\nUtilities such as [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) are known to be used by persistent threats. 
[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0075", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ec4a7c87-051b-4b7d-8acc-03696fe2113e", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "8bf128ad-288b-41bc-904f-093f4fdde745", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "similar" } ], "uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532", "value": "Reg" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Part of .NET\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe\n* 
C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/](https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_regasm.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml)\n* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)\n* Splunk: [suspicious_regsvcs_regasm_activity.md](https://github.com/splunk/security_content/blob/bc93e670f5dcb24e96fbe3664d6bcad92df5acad/docs/_stories/suspicious_regsvcs_regasm_activity.md)\n* Splunk: [detect_regasm_with_network_connection.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regasm_with_network_connection.yml)\n* IOC: regasm.exe executing dll file[[LOLBAS Regasm](/references/b6a3356f-72c2-4ec2-a276-2432eb691055)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5148", "source": "Tidal Cyber", "tags": [ "7d31d8f7-375b-4fb3-a631-51b42e58d95a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"1e892f4b-5398-44ac-aeb4-2e50f70c5716", "value": "Regasm" }, { "description": "[RegDuke](https://app.tidalcyber.com/software/52dc08d8-82cc-46dc-91ae-383193d72963) is a first stage implant written in .NET and used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2017. [RegDuke](https://app.tidalcyber.com/software/52dc08d8-82cc-46dc-91ae-383193d72963) has been used to control a compromised machine when control of other implants on the machine was lost.[[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0511", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", "type": "similar" } ], "uuid": "52dc08d8-82cc-46dc-91ae-383193d72963", "value": "RegDuke" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to manipulate registry\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\regedit.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_regedit_import_keys_ads.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml)\n* IOC: regedit.exe reading and writing to alternate data stream\n* IOC: regedit.exe should normally not be executed by end-users[[Regedit.exe - LOLBAS 
Project](/references/86e47198-751b-4754-8741-6dd8f2960416)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5149", "source": "Tidal Cyber", "tags": [ "36affa3d-c949-4e1b-8667-299490580dd5", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "16cc6ff2-8804-4863-aede-40c4376e0af3", "value": "Regedit" }, { "description": "[Regin](https://app.tidalcyber.com/software/e88bf527-bb9c-45c3-b86b-04a07dcd91fd) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://app.tidalcyber.com/software/e88bf527-bb9c-45c3-b86b-04a07dcd91fd) timestamps date back to 2003. [[Kaspersky Regin](https://app.tidalcyber.com/references/1b521b76-5b8f-4bd9-b312-7c795fc97898)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0019", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "type": "similar" } ], "uuid": "e88bf527-bb9c-45c3-b86b-04a07dcd91fd", "value": "Regin" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to manipulate the registry\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\regini.exe\n* C:\\Windows\\SysWOW64\\regini.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_regini_ads.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml)\n* Sigma: 
[proc_creation_win_regini_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml)\n* IOC: regini.exe reading from ADS[[Regini.exe - LOLBAS Project](/references/db2573d2-6ecd-4c5a-b038-2f799f9723ae)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5150", "source": "Tidal Cyber", "tags": [ "288c6e19-cf6c-451a-aff3-547f371ff4ad", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "92457f9e-c2e6-4d61-b927-0d8ff0f6d617", "value": "Regini" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to register new wmi providers\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Register-cimprovider.exe\n* C:\\Windows\\SysWOW64\\Register-cimprovider.exe\n\n**Resources:**\n* [https://twitter.com/PhilipTsukerman/status/992021361106268161](https://twitter.com/PhilipTsukerman/status/992021361106268161)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_register_cimprovider.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml)\n* IOC: Register-cimprovider.exe execution and cmdline DLL load may be suspicious[[Register-cimprovider.exe - LOLBAS Project](/references/d445d016-c4f1-45c8-929d-913867275417)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5151", "source": "Tidal Cyber", "tags": [ "d379a1fb-1028-4986-ae6c-eb8cc068aa68", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ 
"tool" ] }, "related": [], "uuid": "c80bac89-6b63-4860-9f66-260976a184e8", "value": "Register-cimprovider" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\Windows\\Microsoft.NET\\Framework\\v*\\regsvcs.exe\n* c:\\Windows\\Microsoft.NET\\Framework64\\v*\\regsvcs.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/](https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_regasm.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml)\n* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)\n* Splunk: [detect_regsvcs_with_network_connection.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regsvcs_with_network_connection.yml)[[LOLBAS Regsvcs](/references/3f669f4c-0b94-4b78-ad3e-fd62f7600902)]", "meta": { 
"owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5152", "source": "Tidal Cyber", "tags": [ "141e4dce-00be-4bd7-9f81-6202939f0359", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "271dd92b-76ee-4a00-ba41-343c32fc084e", "value": "Regsvcs" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to register dlls\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\regsvr32.exe\n* C:\\Windows\\SysWOW64\\regsvr32.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/](https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_regsvr32_susp_parent.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml)\n* Sigma: [proc_creation_win_regsvr32_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml)\n* Sigma: 
[proc_creation_win_regsvr32_susp_exec_path_1.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml)\n* Sigma: [proc_creation_win_regsvr32_network_pattern.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml)\n* Sigma: [net_connection_win_regsvr32_network_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml)\n* Sigma: [dns_query_win_regsvr32_network_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml)\n* Sigma: [proc_creation_win_regsvr32_flags_anomaly.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Splunk: [detect_regsvr32_application_control_bypass.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)\n* IOC: regsvr32.exe retrieving files 
from Internet\n* IOC: regsvr32.exe executing scriptlet (sct) files\n* IOC: DotNet CLR libraries loaded into regsvr32.exe\n* IOC: DotNet CLR Usage Log - regsvr32.exe.log[[LOLBAS Regsvr32](/references/8e32abef-534e-475a-baad-946b6ec681c1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5153", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "32be7240-e5ea-4e8a-8e95-7c1bd7869754", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", "type": "used-by" }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" }, { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" }, { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" } ], "uuid": "533d2c42-45a7-456e-af75-b61e2aff98a7", "value": "Regsvr32" }, { "description": "[Remcos](https://app.tidalcyber.com/software/2eb92fa8-514e-4018-adc4-c9fe4f082567) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. 
[Remcos](https://app.tidalcyber.com/software/2eb92fa8-514e-4018-adc4-c9fe4f082567) has been observed being used in malware campaigns.[[Riskiq Remcos Jan 2018](https://app.tidalcyber.com/references/a641a41c-dcd8-47e5-9b29-109dd2eb7f1e)][[Talos Remcos Aug 2018](https://app.tidalcyber.com/references/c5cb2eff-ed48-47ff-bfd6-79152bf51430)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0332", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2", "type": "used-by" }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", "type": "similar" } ], "uuid": "2eb92fa8-514e-4018-adc4-c9fe4f082567", "value": "Remcos" }, { "description": "[Remexi](https://app.tidalcyber.com/software/82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb) is a Windows-based Trojan that was developed in the C programming language.[[Securelist Remexi Jan 2019](https://app.tidalcyber.com/references/07dfd8e7-4e51-4c6e-a4f6-aaeb74ff8845)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0375", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "type": "similar" } ], "uuid": "82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb", "value": "Remexi" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging tool included with Windows Debugging Tools\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\remote.exe\n* C:\\Program Files (x86)\\Windows 
Kits\\10\\Debuggers\\x86\\remote.exe\n\n**Resources:**\n* [https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/](https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/)\n\n**Detection:**\n* IOC: remote.exe process spawns\n* Sigma: [proc_creation_win_lolbin_remote.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml)[[Remote.exe - LOLBAS Project](/references/9a298f83-80b8-45a3-9f63-6119be6621b4)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5234", "source": "Tidal Cyber", "tags": [ "828f1559-b13d-4426-9dcf-5f601fcb6ff0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "3a1436e9-ce2c-449e-a670-c1b212ebd754", "value": "Remote" }, { "description": "[RemoteCMD](https://app.tidalcyber.com/software/57fa64ea-975a-470a-a194-3428148ae9ee) is a custom tool used by [APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) to execute commands on a remote system similar to SysInternal's PSEXEC functionality. 
[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0166", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "type": "similar" } ], "uuid": "57fa64ea-975a-470a-a194-3428148ae9ee", "value": "RemoteCMD" }, { "description": "[RemoteUtilities](https://app.tidalcyber.com/software/8a7fa0df-c688-46be-94bf-462fae33b788) is a legitimate remote administration tool that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least 2021 for execution on target machines.[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0592", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b", "type": "similar" } ], "uuid": "8a7fa0df-c688-46be-94bf-462fae33b788", "value": "RemoteUtilities" }, { "description": "[Remsec](https://app.tidalcyber.com/software/e3729cff-f25e-4c01-a7a1-e8b83e903b30) is a modular backdoor that has been used by [Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. 
[[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0125", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "type": "used-by" }, { "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "type": "similar" } ], "uuid": "e3729cff-f25e-4c01-a7a1-e8b83e903b30", "value": "Remsec" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to replace file with another file\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\replace.exe\n* C:\\Windows\\SysWOW64\\replace.exe\n\n**Resources:**\n* [https://twitter.com/elceef/status/986334113941655553](https://twitter.com/elceef/status/986334113941655553)\n* [https://twitter.com/elceef/status/986842299861782529](https://twitter.com/elceef/status/986842299861782529)\n\n**Detection:**\n* IOC: Replace.exe retrieving files from remote server\n* Sigma: [proc_creation_win_lolbin_replace.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml)[[Replace.exe - LOLBAS Project](/references/82a473e9-208c-4c47-bf38-92aee43238dd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5154", "source": "Tidal Cyber", "tags": [ "accb4d24-4b40-41ce-ae2e-adcca7e80b41", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "19a04c82-f816-464c-b050-a57269cba157", "value": "Replace" }, { "description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in 
HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [[GitHub Responder](https://app.tidalcyber.com/references/3ef681a9-4ab0-420b-9d1a-b8152c50b3ca)]", "meta": { "software_attack_id": "S0174", "source": "MITRE", "tags": [ "af5e9be5-b86e-47af-91dd-966a5e34a186", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "type": "similar" } ], "uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305", "value": "Responder" }, { "description": "[Revenge RAT](https://app.tidalcyber.com/software/f99712b4-37a2-437c-92d7-fb4f94a1f892) is a freely available remote access tool written in .NET (C#).[[Cylance Shaheen Nov 2018](https://app.tidalcyber.com/references/57802e46-e12c-4230-8d1c-08854a0de06a)][[Cofense RevengeRAT Feb 2019](https://app.tidalcyber.com/references/3abfc3eb-7f9d-49e5-8048-4118cde3122e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0379", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" }, { "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", "type": "similar" } ], "uuid": "f99712b4-37a2-437c-92d7-fb4f94a1f892", "value": "Revenge RAT" }, { "description": "[REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) group and operated as ransomware-as-a-service (RaaS) since 
at least April 2019. [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[[Secureworks REvil September 2019](https://app.tidalcyber.com/references/8f4e2baf-4227-4bbd-bfdb-5598717dcf88)][[Intel 471 REvil March 2020](https://app.tidalcyber.com/references/b939dc98-e00e-4d47-84a4-3eaaeb5c0abf)][[Group IB Ransomware May 2020](https://app.tidalcyber.com/references/18d20965-f1f4-439f-a4a3-34437ad1fe14)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0496", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "286918d5-0b48-4655-9118-907b53de0ee0", "93c53801-5427-4678-a753-7fc761e9eda1", "1138181b-b2cf-4b6b-82da-10867aa4089d", "00ec2407-cc63-4b62-b967-c3e06bdddd2f", "1cc90752-70a3-4a17-b370-e1473a212f79", "0e948c57-6c10-4576-ad27-9832cc2af3a1", "0ed7d10c-c65b-4174-9edb-446bf301d250", "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871", "ab64f2d8-8da3-48de-ac66-0fd91d634b22", "c8ce7130-e134-492c-a98a-ed1d25b57e4c", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "type": "similar" } ], "uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd", "value": "REvil" }, { "description": "[RGDoor](https://app.tidalcyber.com/software/d5649d69-52d4-4198-9683-b250348dea32) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. 
[RGDoor](https://app.tidalcyber.com/software/d5649d69-52d4-4198-9683-b250348dea32) has been seen deployed on webservers belonging to the Middle East government organizations. [RGDoor](https://app.tidalcyber.com/software/d5649d69-52d4-4198-9683-b250348dea32) provides backdoor access to compromised IIS servers. [[Unit 42 RGDoor Jan 2018](https://app.tidalcyber.com/references/94b37da6-f808-451e-8f2d-5df0e93358ca)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0258", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "type": "similar" } ], "uuid": "d5649d69-52d4-4198-9683-b250348dea32", "value": "RGDoor" }, { "description": "Rhysida is a ransomware-as-a-service (RaaS) operation that has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. 
Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5302", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" } ], "uuid": "f7c1e1cd-cc64-4417-92c3-76afed55d38c", "value": "Rhysida Ransomware" }, { "description": "[Rifdoor](https://app.tidalcyber.com/software/ca5ae7c8-467a-4434-82fc-db50ce3fc671) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://app.tidalcyber.com/software/a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe).[[Carbon Black HotCroissant April 2020](https://app.tidalcyber.com/references/43bcb35b-56e1-47a8-9c74-f7543a25b2a6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0433", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", "type": "similar" } ], "uuid": "ca5ae7c8-467a-4434-82fc-db50ce3fc671", "value": "Rifdoor" }, { "description": "[RIPTIDE](https://app.tidalcyber.com/software/00fa4cc2-6f99-4b18-b927-689964ef57e1) is a proxy-aware backdoor used by [APT12](https://app.tidalcyber.com/groups/225314a7-8f40-48d4-9cff-3ec39b177762). 
[[Moran 2014](https://app.tidalcyber.com/references/15ef155b-7628-4b18-bc53-1d30be4eac5d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0003", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" }, { "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "type": "similar" } ], "uuid": "00fa4cc2-6f99-4b18-b927-689964ef57e1", "value": "RIPTIDE" }, { "description": "[Rising Sun](https://app.tidalcyber.com/software/19b1f1c8-5ef3-4328-b605-38e0bafc084d) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://app.tidalcyber.com/campaigns/57e858c8-fd0b-4382-a178-0165d03aa8a9) between 2017 and 2019. [Rising Sun](https://app.tidalcyber.com/software/19b1f1c8-5ef3-4328-b605-38e0bafc084d) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://app.tidalcyber.com/software/19b1f1c8-5ef3-4328-b605-38e0bafc084d) included some source code from [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08)'s Trojan Duuzer.[[McAfee Sharpshooter December 2018](https://app.tidalcyber.com/references/96b6d012-8620-4ef5-bf9a-5f88e465a495)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0448", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf", "type": "similar" } ], "uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d", "value": "Rising Sun" }, { "description": "[ROADTools](https://app.tidalcyber.com/software/15bc8e94-64d1-4f1f-bc99-08cfbac417dc) is a framework for enumerating Azure Active Directory environments. 
The tool is written in Python and publicly available on GitHub.[[ROADtools Github](https://app.tidalcyber.com/references/90c592dc-2c9d-401a-96ab-b539f7522956)]", "meta": { "software_attack_id": "S0684", "source": "MITRE", "tags": [ "c9c73000-30a5-4a16-8c8b-79169f9c24aa" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", "type": "similar" } ], "uuid": "15bc8e94-64d1-4f1f-bc99-08cfbac417dc", "value": "ROADTools" }, { "description": "[RobbinHood](https://app.tidalcyber.com/software/b65956ef-439a-463d-b85e-6606467f508a) is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[[CarbonBlack RobbinHood May 2019](https://app.tidalcyber.com/references/cb9e49fa-253a-447a-9c88-c6e507bae0bb)][[BaltimoreSun RobbinHood May 2019](https://app.tidalcyber.com/references/f578de81-ea6b-49d0-9a0a-111e07249cd8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0400", "source": "MITRE", "tags": [ "ce9f1048-09c1-49b0-a109-dd604afbf3cd", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f", "type": "similar" } ], "uuid": "b65956ef-439a-463d-b85e-6606467f508a", "value": "RobbinHood" }, { "description": "[ROCKBOOT](https://app.tidalcyber.com/software/cb7aa34e-312f-4210-be7b-47a1e3f5b7b5) is a [Bootkit](https://app.tidalcyber.com/technique/032985de-5e09-4889-b8c4-84d940c6346c) that has been used by an unidentified, suspected China-based group. 
[[FireEye Bootkits](https://app.tidalcyber.com/references/585827a8-1f03-439d-b66e-ad5290117c1b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0112", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "type": "similar" } ], "uuid": "cb7aa34e-312f-4210-be7b-47a1e3f5b7b5", "value": "ROCKBOOT" }, { "description": "[RogueRobin](https://app.tidalcyber.com/software/852cf78d-9cdc-4971-a972-405921027436) is a payload used by [DarkHydrus](https://app.tidalcyber.com/groups/f2b31240-0b4a-4fa4-82a4-6bb00e146e75) that has been developed in PowerShell and C#. [[Unit 42 DarkHydrus July 2018](https://app.tidalcyber.com/references/800279cf-e6f8-4721-818f-46e35ec7892a)][[Unit42 DarkHydrus Jan 2019](https://app.tidalcyber.com/references/eb235504-d142-4c6d-9ffd-3c0b0dd23e80)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0270", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" }, { "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", "type": "similar" } ], "uuid": "852cf78d-9cdc-4971-a972-405921027436", "value": "RogueRobin" }, { "description": "[ROKRAT](https://app.tidalcyber.com/software/a3479628-af0b-4088-8d2a-fafa384731dd) is a cloud-based remote access tool (RAT) used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) to target victims in South Korea. 
[APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) has used ROKRAT during several campaigns from 2016 through 2021.[[Talos ROKRAT](https://app.tidalcyber.com/references/1bd78a2f-2bc6-426f-ac9f-16bf3fdf4cdf)][[Talos Group123](https://app.tidalcyber.com/references/bf8b2bf0-cca3-437b-a640-715f9cc945f7)][[Volexity InkySquid RokRAT August 2021](https://app.tidalcyber.com/references/bff1667b-3f87-4653-bd17-b675e997baf1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0240", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "type": "similar" } ], "uuid": "a3479628-af0b-4088-8d2a-fafa384731dd", "value": "ROKRAT" }, { "description": "RomCom is a custom backdoor believed to be developed and distributed by the Void Rabisu threat actor. It has been used in attacks that Trend Micro researchers assess to be geopolitically motivated.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5295", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" } ], "uuid": "4af6326b-eba7-4446-83aa-8b98771d390f", "value": "RomCom" }, { "description": "[RotaJakiro](https://app.tidalcyber.com/software/169bfcf6-544c-5824-a7cd-2d5070304b57) is a 64-bit Linux backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). First seen in 2018, it uses a plugin architecture to extend capabilities. 
[RotaJakiro](https://app.tidalcyber.com/software/169bfcf6-544c-5824-a7cd-2d5070304b57) can determine its permission level and execute according to access type (`root` or `user`).[[RotaJakiro 2021 netlab360 analysis](https://app.tidalcyber.com/references/7a9c53dd-2c0e-5452-9ee2-01531fbf8ba8)][[netlab360 rotajakiro vs oceanlotus](https://app.tidalcyber.com/references/20967c9b-5bb6-5cdd-9466-2c9efd9ab98c)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S1078", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", "type": "similar" } ], "uuid": "169bfcf6-544c-5824-a7cd-2d5070304b57", "value": "RotaJakiro" }, { "description": "[route](https://app.tidalcyber.com/software/3b755518-9085-474e-8bc4-4f9344d9c8af) can be used to find or change information within the local system IP routing table. [[TechNet Route](https://app.tidalcyber.com/references/0e483ec8-af40-4139-9711-53b999e069ee)]", "meta": { "software_attack_id": "S0103", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "type": "similar" } ], "uuid": "3b755518-9085-474e-8bc4-4f9344d9c8af", "value": "route" }, { "description": "[Rover](https://app.tidalcyber.com/software/ef38ff3e-fa36-46f2-a720-3abaca167b04) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. 
[[Palo Alto Rover](https://app.tidalcyber.com/references/bbdf3f49-9875-4d41-986d-b693e82c77e1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0090", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "type": "similar" } ], "uuid": "ef38ff3e-fa36-46f2-a720-3abaca167b04", "value": "Rover" }, { "description": "[Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://app.tidalcyber.com/software/221e24cb-910f-5988-9473-578ef350870c) and [Conti](https://app.tidalcyber.com/software/8e995c29-2759-4aeb-9a0f-bb7cd97b06e5) attacks and noted a possible connection between their operators.[[Microsoft Royal ransomware November 2022](https://app.tidalcyber.com/references/91efc6bf-e15c-514a-96c1-e838268d222f)][[Cybereason Royal December 2022](https://app.tidalcyber.com/references/28aef64e-20d3-5227-a3c9-e657c6e2d07e)][[Kroll Royal Deep Dive February 2023](https://app.tidalcyber.com/references/dcdcc965-56d0-58e6-996b-d8bd40916745)][[Trend Micro Royal Linux ESXi February 2023](https://app.tidalcyber.com/references/e5bb846f-d11f-580c-b96a-9de4ba5eaed6)][[CISA Royal AA23-061A March 2023](https://app.tidalcyber.com/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1073", "source": "MITRE", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", 
"a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", "15787198-6c8b-4f79-bf50-258d55072fee", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", "type": "similar" } ], "uuid": "221e24cb-910f-5988-9473-578ef350870c", "value": "Royal" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to verify rpc connection\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\rpcping.exe\n* C:\\Windows\\SysWOW64\\rpcping.exe\n\n**Resources:**\n* [https://github.com/vysec/RedTips](https://github.com/vysec/RedTips)\n* [https://twitter.com/vysecurity/status/974806438316072960](https://twitter.com/vysecurity/status/974806438316072960)\n* [https://twitter.com/vysecurity/status/873181705024266241](https://twitter.com/vysecurity/status/873181705024266241)\n* [https://twitter.com/splinter_code/status/1421144623678988298](https://twitter.com/splinter_code/status/1421144623678988298)\n\n**Detection:**\n* Sigma: [proc_creation_win_rpcping_credential_capture.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml)[[Rpcping.exe - LOLBAS Project](/references/dc15a187-4de7-422e-a507-223e89e317b1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5155", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], 
"uuid": "3e42b791-fb59-4a8e-a27e-1cc544f353ee", "value": "Rpcping" }, { "description": "Rsockstun is an open-source software project. According to its GitHub repository, Rsockstun is a reverse socks5 tunneler with SSL, ntlm, and proxy support.[[GitHub rsockstun](/references/1644457f-75d6-4064-a11b-9217249fa5e6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5076", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" } ], "uuid": "c3b9281b-5f18-4119-903e-c27f1a4004b4", "value": "Rsockstun" }, { "description": "[RTM](https://app.tidalcyber.com/software/1836485e-a3a6-4fae-a15d-d0990788811a) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://app.tidalcyber.com/groups/666ab5f0-3ef1-4e74-8a10-65c60a7d1acd)). Newer versions of the malware have been reported publicly as Redaman.[[ESET RTM Feb 2017](https://app.tidalcyber.com/references/ab2cced7-05b8-4788-8d3c-8eadb0aaf38c)][[Unit42 Redaman January 2019](https://app.tidalcyber.com/references/433cd55a-f912-4d5a-aff6-92133d08267b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0148", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "type": "used-by" }, { "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "type": "similar" } ], "uuid": "1836485e-a3a6-4fae-a15d-d0990788811a", "value": "RTM" }, { "description": "[Rubeus](https://app.tidalcyber.com/software/2e54f40c-ab62-535e-bbab-3f3a835ff55a) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[[GitHub Rubeus March 2023](https://app.tidalcyber.com/references/4bde7ce6-7fc6-5660-a8aa-745f19350ee1)][[FireEye KEGTAP SINGLEMALT October 
2020](https://app.tidalcyber.com/references/59162ffd-cb95-4757-bb1e-0c2a4ad5c083)][[DFIR Ryuk's Return October 2020](https://app.tidalcyber.com/references/eba1dafb-ff62-4d34-b268-3b9ba6a7a822)][[DFIR Ryuk 2 Hour Speed Run November 2020](https://app.tidalcyber.com/references/3b904516-3b26-4caa-8814-6e69b76a7c8c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1071", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", "type": "similar" } ], "uuid": "2e54f40c-ab62-535e-bbab-3f3a835ff55a", "value": "Rubeus" }, { "description": "[Ruler](https://app.tidalcyber.com/software/69563cbd-7dc1-4396-b576-d5886df11046) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. 
The creators of [Ruler](https://app.tidalcyber.com/software/69563cbd-7dc1-4396-b576-d5886df11046) have also released a defensive tool, NotRuler, to detect its usage.[[SensePost Ruler GitHub](https://app.tidalcyber.com/references/aa0a1508-a872-4e69-bf20-d3c8202f18c1)][[SensePost NotRuler](https://app.tidalcyber.com/references/1bafe35e-f99c-4aa9-8b2f-5a35970ec83b)]", "meta": { "platforms": [ "Office 365", "Windows" ], "software_attack_id": "S0358", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", "type": "similar" } ], "uuid": "69563cbd-7dc1-4396-b576-d5886df11046", "value": "Ruler" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute dll files\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\rundll32.exe\n* C:\\Windows\\SysWOW64\\rundll32.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/](https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/)\n* [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7](https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n* 
[https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/](https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/)\n* [https://github.com/sailay1996/expl-bin/blob/master/obfus.md](https://github.com/sailay1996/expl-bin/blob/master/obfus.md)\n* [https://github.com/sailay1996/misc-bin/blob/master/rundll32.md](https://github.com/sailay1996/misc-bin/blob/master/rundll32.md)\n* [https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90](https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90)\n* [https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code](https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code)\n\n**Detection:**\n* Sigma: [net_connection_win_rundll32_net_connections.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml)\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Elastic: [defense_evasion_unusual_network_connection_via_rundll32.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml)\n* IOC: Outbound Internet/network connections made from rundll32\n* IOC: Suspicious use of cmdline flags such as -sta[[Rundll32.exe - LOLBAS Project](/references/90aff246-ce27-4f21-96f9-38543718ab07)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5156", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "d28b269e-588d-49ed-b5c9-8e82077924c0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, 
"related": [ { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" }, { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", "type": "used-by" }, { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" } ], "uuid": "cd5a27c8-9611-41d9-b839-b0ba7daf58b5", "value": "Rundll32" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Launcher process\n\n**Author:** Grzegorz Tworek\n\n**Paths:**\n* c:\\windows\\system32\\runexehelper.exe\n\n**Resources:**\n* 
[https://twitter.com/0gtweet/status/1206692239839289344](https://twitter.com/0gtweet/status/1206692239839289344)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_runexehelper.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml)\n* IOC: c:\\windows\\system32\\runexehelper.exe is run\n* IOC: Existence of runexewithargs_output.txt file[[Runexehelper.exe - LOLBAS Project](/references/86ff0379-2b73-4981-9f13-2b02b53bc90f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5157", "source": "Tidal Cyber", "tags": [ "270a347d-d2e1-4d46-9b32-37e8d7264301", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "db516b7d-e5bd-4da8-a708-2fe5d2a2fdfd", "value": "Runexehelper" }, { "description": "[RunningRAT](https://app.tidalcyber.com/software/e8afda1f-fa83-4fc3-b6fb-7d5daca7173f) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://app.tidalcyber.com/software/348fdeb5-6a74-4803-ac6e-e0133ecd7263) and [Brave Prince](https://app.tidalcyber.com/software/51b27e2c-c737-4006-a657-195ea1a1f4f0). 
[[McAfee Gold Dragon](https://app.tidalcyber.com/references/4bdfa92b-cbbd-43e6-aa3e-422561ff8d7a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0253", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", "type": "similar" } ], "uuid": "e8afda1f-fa83-4fc3-b6fb-7d5daca7173f", "value": "RunningRAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes a Run Once Task that has been configured in the registry\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\runonce.exe\n* C:\\Windows\\SysWOW64\\runonce.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/990717080805789697](https://twitter.com/pabraeken/status/990717080805789697)\n* [https://cmatskas.com/configure-a-runonce-task-on-windows/](https://cmatskas.com/configure-a-runonce-task-on-windows/)\n\n**Detection:**\n* Sigma: [registry_event_runonce_persistence.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml)\n* Sigma: [proc_creation_win_runonce_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml)\n* Elastic: [persistence_run_key_and_startup_broad.toml](https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml)\n* IOC: Registry key add - HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\YOURKEY[[Runonce.exe - LOLBAS Project](/references/b97d4b16-ead2-4cc7-90e5-f8b05d84faf3)]", "meta": { "owner": "TidalCyberIan", 
"platforms": [ "Windows" ], "software_attack_id": "S5158", "source": "Tidal Cyber", "tags": [ "065db33d-c152-4ba9-8bf9-13616f78ae05", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ccad36ac-b526-44ec-840a-6f498c51781c", "value": "Runonce" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute target PowerShell script\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\WinSxS\\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\\Runscripthelper.exe\n* C:\\Windows\\WinSxS\\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\\Runscripthelper.exe\n\n**Resources:**\n* [https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc](https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_runscripthelper.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Event 4014 - Powershell logging\n* IOC: Event 400[[Runscripthelper.exe - LOLBAS Project](/references/6d7151e3-685a-4dc7-a44d-aefae4f3db6a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": 
"S5159", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "035bae51-c1cc-46f0-8532-a5d01c4d4a52", "value": "Runscripthelper" }, { "description": "[Ryuk](https://app.tidalcyber.com/software/8ae86854-4cdc-49eb-895a-d1fa742f7974) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://app.tidalcyber.com/software/8ae86854-4cdc-49eb-895a-d1fa742f7974) shares code similarities with Hermes ransomware.[[CrowdStrike Ryuk January 2019](https://app.tidalcyber.com/references/df471757-2ce0-48a7-922f-a84c57704914)][[FireEye Ryuk and Trickbot January 2019](https://app.tidalcyber.com/references/b29dc755-f1f0-4206-9ecf-29257a1909ee)][[FireEye FIN6 Apr 2019](https://app.tidalcyber.com/references/e8a2bc6a-04e3-484e-af67-5f57656c7206)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0446", "source": "MITRE", "tags": [ "89c5b94b-ecf4-4d53-9b74-3465086d4565", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "12a2e20a-7c27-46bb-954d-b372833a9925", "c2380542-36f2-4922-9ed2-80ced06645c9", "c8ce7130-e134-492c-a98a-ed1d25b57e4c", "2743d495-7728-4a75-9e5f-b64854039792", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", "type": "similar" } ], "uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974", "value": "Ryuk" }, { "description": "[Saint Bot](https://app.tidalcyber.com/software/d66e5d18-e9f5-4091-bdf4-acdac129e2e0) is a .NET downloader that has been used by [Ember 
Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) since at least March 2021.[[Malwarebytes Saint Bot April 2021](https://app.tidalcyber.com/references/3a1faa47-7bd3-453f-9b7a-bb17efb8bb3c)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1018", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" }, { "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", "type": "similar" } ], "uuid": "d66e5d18-e9f5-4091-bdf4-acdac129e2e0", "value": "Saint Bot" }, { "description": "[Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [[Dell Sakula](https://app.tidalcyber.com/references/e9a2ffd8-7aed-4343-8678-66fc3e758d19)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0074", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "type": "similar" } ], "uuid": "a316c704-144a-4d14-8e4e-685bb6ae391c", "value": "Sakula" }, { "description": "[SamSam](https://app.tidalcyber.com/software/88831e9f-453e-466f-9510-9acaa1f20368) is ransomware that appeared in early 2016. 
Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)][[Talos SamSam Jan 2018](https://app.tidalcyber.com/references/0965bb64-be96-46b9-b60f-6829c43a661f)][[Sophos SamSam Apr 2018](https://app.tidalcyber.com/references/4da5e9c3-7205-4a6e-b147-be7c971380f0)][[Symantec SamSam Oct 2018](https://app.tidalcyber.com/references/c5022a91-bdf4-4187-9967-dfe6362219ea)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0370", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "type": "similar" } ], "uuid": "88831e9f-453e-466f-9510-9acaa1f20368", "value": "SamSam" }, { "description": "[Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9) is a passive backdoor that has been used by [ToddyCat](https://app.tidalcyber.com/groups/0f41da7d-1e47-58fe-ba6e-ee658a985e1b) since at least 2020. 
[Samurai](https://app.tidalcyber.com/software/bd75c822-7be6-5e6f-bd2e-0512be6d38d9) allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.[[Kaspersky ToddyCat June 2022](https://app.tidalcyber.com/references/285c038b-e5fc-57ef-9a98-d9e24c52e2cf)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1099", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" }, { "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", "type": "similar" } ], "uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9", "value": "Samurai" }, { "description": "[Sardonic](https://app.tidalcyber.com/software/9ab0d523-3496-5e64-9ca1-bb756f5e64e0) is a backdoor written in C and C++ that is known to be used by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://app.tidalcyber.com/software/9ab0d523-3496-5e64-9ca1-bb756f5e64e0) has a plugin system that can load specially made DLLs and execute their functions.[[Bitdefender Sardonic Aug 2021](https://app.tidalcyber.com/references/8e9d05c9-6783-5738-ac85-a444810a8074)][[Symantec FIN8 Jul 2023](https://app.tidalcyber.com/references/9b08b7f0-1a33-5d76-817f-448fac0d165a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1085", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" }, { "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", "type": "similar" } ], "uuid": "9ab0d523-3496-5e64-9ca1-bb756f5e64e0", "value": "Sardonic" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License 
v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to manage services\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\sc.exe\n* C:\\Windows\\SysWOW64\\sc.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_service_creation.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml)\n* Sigma: [proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml)\n* Sigma: [proc_creation_win_sc_service_path_modification.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml)\n* Splunk: [sc_exe_manipulating_windows_services.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/sc_exe_manipulating_windows_services.yml)\n* Elastic: [lateral_movement_cmd_service.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/lateral_movement_cmd_service.toml)\n* IOC: Unexpected service creation\n* IOC: Unexpected service modification[[Sc.exe - LOLBAS Project](/references/5ce3ef73-f789-4939-a60e-e0a373048bda)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5160", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "41be663f-ecc9-4ab6-afeb-c52737f84858", 
"value": "Sc" }, { "description": "[schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0111", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "f0c54030-956a-4bac-9f98-deb2349183ac", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" }, { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "type": "similar" } ], "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5", "value": "schtasks" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License 
v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute binary through proxy binary to evade defensive countermeasures\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\scriptrunner.exe\n* C:\\Windows\\SysWOW64\\scriptrunner.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/914800377580503040](https://twitter.com/KyleHanslovan/status/914800377580503040)\n* [https://twitter.com/NickTyrer/status/914234924655312896](https://twitter.com/NickTyrer/status/914234924655312896)\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n\n**Detection:**\n* Sigma: [proc_creation_win_servu_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml)\n* IOC: Scriptrunner.exe should not be in use unless App-V is deployed[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5161", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ba4d8522-9656-462e-b25e-32a9bba85a60", "value": "Scriptrunner" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Script Component Runtime\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\scrobj.dll\n* c:\\windows\\syswow64\\scrobj.dll\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1479106975967240209](https://twitter.com/eral4m/status/1479106975967240209)\n\n**Detection:**\n* IOC: Execution of 
rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line[[Scrobj.dll - LOLBAS Project](/references/c50ff71f-c742-4d63-a18e-e1ce41d55193)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5194", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "101f7867-9c5c-482e-b26e-9fdb8ff9b2c7", "value": "Scrobj" }, { "description": "[SDBbot](https://app.tidalcyber.com/software/046bbd0c-bff5-46fc-9028-cbe46a9f8ec5) is a backdoor with installer and loader components that has been used by [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) since at least 2019.[[Proofpoint TA505 October 2019](https://app.tidalcyber.com/references/711ea2b3-58e2-4b38-aa71-877029c12e64)][[IBM TA505 April 2020](https://app.tidalcyber.com/references/bcef8bf8-5fc2-4921-b920-74ef893b8a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0461", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", "type": "similar" } ], "uuid": "046bbd0c-bff5-46fc-9028-cbe46a9f8ec5", "value": "SDBbot" }, { "description": "[SDelete](https://app.tidalcyber.com/software/3d4be65d-231b-44bb-8d12-5038a3d48bae) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. 
[[Microsoft SDelete July 2016](https://app.tidalcyber.com/references/356c7d49-5abc-4566-9657-5ce58cf7be67)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0195", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "type": "similar" } ], "uuid": "3d4be65d-231b-44bb-8d12-5038a3d48bae", "value": "SDelete" }, { "description": "[SeaDuke](https://app.tidalcyber.com/software/ae30d58e-21c5-41a4-9ebb-081dc1f26863) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a). [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0053", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "type": "similar" } ], "uuid": "ae30d58e-21c5-41a4-9ebb-081dc1f26863", "value": "SeaDuke" }, { "description": "[Seasalt](https://app.tidalcyber.com/software/3527b09b-f3f6-4716-9f90-64ea7d3b9d8a) is malware that has been linked to [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f)'s 2010 operations. 
It shares some code similarities with [OceanSalt](https://app.tidalcyber.com/software/f1723994-058b-4525-8e11-2f0c80d8f3a4).[[Mandiant APT1 Appendix](https://app.tidalcyber.com/references/1f31c09c-6a93-4142-8333-154138c1d70a)][[McAfee Oceansalt Oct 2018](https://app.tidalcyber.com/references/04b475ab-c7f6-4373-a4b0-04b5d8028f95)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0345", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", "type": "similar" } ], "uuid": "3527b09b-f3f6-4716-9f90-64ea7d3b9d8a", "value": "Seasalt" }, { "description": "[SEASHARPEE](https://app.tidalcyber.com/software/42c8504c-8a18-46d2-a145-35b0cd8ba669) is a Web shell that has been used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). [[FireEye APT34 Webinar Dec 2017](https://app.tidalcyber.com/references/4eef7032-de14-44a2-a403-82aefdc85c50)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0185", "source": "MITRE", "tags": [ "311abf64-a9cc-4c6a-b778-32c5df5658be" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", "type": "similar" } ], "uuid": "42c8504c-8a18-46d2-a145-35b0cd8ba669", "value": "SEASHARPEE" }, { "description": "Seatbelt is a tool used to perform numerous security-oriented checks.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5042", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "74beac1c-8468-4f1e-8990-11a4eb7b0110", "value": "Seatbelt" }, { "description": "According to joint Cybersecurity Advisory AA23-319A (November 2023), secretsdump is a Python script \"used to extract credentials and other confidential information from a system\".[[U.S. 
CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)] Secretsdump is publicly available and included as a module of Impacket, a tool for working with network protocols.[[GitHub secretsdump](/references/c29a90a7-016f-49b7-a970-334290964f19)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5072", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "61b7b81d-3f98-4bed-97a9-d6c536b8969b", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "a1fef846-cb22-4885-aa14-cb67ab38fce4", "value": "secretsdump" }, { "description": "According to its GitHub project page, Secure Socket Funneling (SSF) is a \"network tool and toolkit\" that \"provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer\".[[GitHub securesocketfunneling ssf](/references/077ab224-9406-4be7-8467-2a6da8dc786d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS", "Network", "Linux", "Windows" ], "software_attack_id": "S5329", "source": "Tidal Cyber", "tags": [ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "758c3085-2f79-40a8-ab95-f8a684737927", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "35e694ec-5133-46e3-b7e1-5831867c3b55", "febea5b6-2ea2-402b-8bec-f3f5b3f73c59", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", 
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "80b9180e-bae5-44a7-8016-8c1463bbd054", "value": "Secure Socket Funneling" }, { "description": "[ServHelper](https://app.tidalcyber.com/software/704ed49d-103c-4b33-b85c-73670cc1d719) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0382", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" }, { "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", "type": "similar" } ], "uuid": "704ed49d-103c-4b33-b85c-73670cc1d719", "value": "ServHelper" }, { "description": "[Seth-Locker](https://app.tidalcyber.com/software/fb47c051-d22b-4a05-94a7-cf979419b60a) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n[[Trend Micro Ransomware February 2021](https://app.tidalcyber.com/references/64a86a3f-0160-4766-9ac1-7d287eb2c323)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0639", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "f931a0b9-0361-4b1b-bacf-955062c35746", "type": "similar" } ], "uuid": "fb47c051-d22b-4a05-94a7-cf979419b60a", "value": "Seth-Locker" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Configures display settings\n\n**Author:** Grzegorz Tworek\n\n**Paths:**\n* 
c:\\windows\\system32\\setres.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1583356502340870144](https://twitter.com/0gtweet/status/1583356502340870144)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_setres.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml)\n* IOC: Unusual location for choice.exe file\n* IOC: Process created from choice.com binary\n* IOC: Existence of choice.cmd file[[Setres.exe - LOLBAS Project](/references/631de0bd-d536-4183-bc5a-25af83bd795a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5162", "source": "Tidal Cyber", "tags": [ "d75511ab-cbff-46d3-8268-427e3cff134a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ad872ead-f3be-49df-b2f3-2526246acdf5", "value": "Setres" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Host Process for Setting Synchronization\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\SettingSyncHost.exe\n* C:\\Windows\\SysWOW64\\SettingSyncHost.exe\n\n**Resources:**\n* [https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/](https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_settingsynchost.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml)\n* IOC: SettingSyncHost.exe should not be run on a normal workstation[[SettingSyncHost.exe - LOLBAS 
Project](/references/57f573f2-1c9b-4037-8f4d-9ae65d13af94)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5163", "source": "Tidal Cyber", "tags": [ "8929bc83-9ed6-4579-b837-40236b59b383", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "e46a42d6-ca6e-4237-ab66-b0d102a580c7", "value": "SettingSyncHost" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Setup Application Programming Interface\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\setupapi.dll\n* c:\\windows\\syswow64\\setupapi.dll\n\n**Resources:**\n* [https://github.com/huntresslabs/evading-autoruns](https://github.com/huntresslabs/evading-autoruns)\n* [https://twitter.com/pabraeken/status/994742106852941825](https://twitter.com/pabraeken/status/994742106852941825)\n* [https://windows10dll.nirsoft.net/setupapi_dll.html](https://windows10dll.nirsoft.net/setupapi_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_setupapi_installhinfsection.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml)\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___setupapi.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml)[[Setupapi.dll - 
LOLBAS Project](/references/1a8a1434-fc4a-4c3e-9a9b-fb91692d7efd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5195", "source": "Tidal Cyber", "tags": [ "da405033-3571-4f98-9810-53d9df1ac0fb", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "e7d450ec-dd29-455f-8d26-f8a563e1e88d", "value": "Setupapi" }, { "description": "[ShadowPad](https://app.tidalcyber.com/software/5190f50d-7e54-410a-9961-79ab751ddbab) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), but has since been observed to be used by various Chinese threat activity groups. [[Recorded Future RedEcho Feb 2021](https://app.tidalcyber.com/references/6da7eb8a-aab4-41ea-a0b7-5313d88cbe91)][[Securelist ShadowPad Aug 2017](https://app.tidalcyber.com/references/862877d7-e18c-4613-bdad-0700bf3d45ae)][[Kaspersky ShadowPad Aug 2017](https://app.tidalcyber.com/references/95c9a28d-6056-4f87-9a46-9491318889e2)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0596", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" }, { "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "type": "similar" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", "value": "ShadowPad" }, { "description": 
"[Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) has also been seen leveraging [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) and Filerase to carry out data wiping tasks. Analysis has linked [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) with [Kwampirs](https://app.tidalcyber.com/software/35ac4018-8506-4025-a9e3-bd017700b3b3) based on multiple shared artifacts and coding patterns.[[Cylera Kwampirs 2022](https://app.tidalcyber.com/references/06442111-2c71-5efb-9530-cabeba159a91)] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)][[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0140", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "type": "similar" } ], "uuid": "840db1db-e262-4d6f-b6e3-2a64696a41c5", "value": "Shamoon" }, { "description": "[Shark](https://app.tidalcyber.com/software/278da5e8-4d4c-4c45-ad72-8f078872fb4a) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://app.tidalcyber.com/software/57545dbc-c72a-409d-a373-bc35e25160cd); it has been used by 
[HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least July 2021.[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1019", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" }, { "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", "type": "similar" } ], "uuid": "278da5e8-4d4c-4c45-ad72-8f078872fb4a", "value": "Shark" }, { "description": "SharpChromium is an open-source software project. According to its GitHub repository, SharpChromium is a \".NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.\"[[GitHub SharpChromium](/references/ca1956a5-72f2-43ad-a17f-a52ca97bd84e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5075", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" } ], "uuid": "311e8944-2157-4616-8b95-d75020e21c35", "value": "SharpChromium" }, { "description": "[SharpDisco](https://app.tidalcyber.com/software/4ed1e83b-a208-5518-bed2-d07c1b289da2) is a dropper developed in C# that has been used by [MoustachedBouncer](https://app.tidalcyber.com/groups/f31df12e-66ea-5a49-87bc-2bc1756a89fc) since at least 2020 to load malicious plugins.[[MoustachedBouncer ESET August 2023](https://app.tidalcyber.com/references/9070f14b-5d5e-5f6d-bcac-628478e01242)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1089", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": 
"used-by" }, { "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", "type": "similar" } ], "uuid": "4ed1e83b-a208-5518-bed2-d07c1b289da2", "value": "SharpDisco" }, { "description": "According to its GitHub project page, SharpExfiltrate is a \"modular C# framework to exfiltrate loot over secure and trusted channels\".[[GitHub Flangvik SharpExfiltrate](/references/7f0c0c86-c042-4a69-982a-c8c70ec1199c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5327", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e1af18e3-3224-4e4c-9d0f-533768474508", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" } ], "uuid": "20e472dd-dc65-40e4-b655-c8b4fae7714a", "value": "SharpExfiltrate" }, { "description": "SharpHound is an open-source software utility incorporated into the BloodHound Active Directory (AD) reconnaissance tool.[[GitHub SharpHound](/references/e1c405b4-b591-4469-848c-7a7dd69151c0)] Adversaries have used SharpHound for AD enumeration.[[U.S. 
CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5275", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "cd1b5d44-226e-4405-8985-800492cf2865", "e1af18e3-3224-4e4c-9d0f-533768474508" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "0bcf0dae-315f-491f-bc65-b1772ffa31c1", "value": "SharpHound" }, { "description": "SharpRoast is an open-source tool used to carry out Kerberoasting attacks. According to its GitHub project page, the tool is a C# port of specific functionality included in the PowerView module of the PowerSploit offensive security framework.[[GitHub SharpRoast](/references/43a2e05d-4662-4a5c-9c99-3165f0d71169)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5060", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" } ], "uuid": "54a5c881-c1ad-40d0-88c0-6c32b9ef95cb", "value": "SharpRoast" }, { "description": "SharpShares is a tool that can be used to enumerate accessible network shares in a domain. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[[U.S. 
CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5004", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" } ], "uuid": "a202b37f-5c61-410b-bb14-a3e6b2b82833", "value": "SharpShares" }, { "description": "[SharpStage](https://app.tidalcyber.com/software/564643fd-7113-490e-9f6a-f0cc3f0e1a4c) is a .NET malware with backdoor capabilities.[[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)][[BleepingComputer Molerats Dec 2020](https://app.tidalcyber.com/references/307108c8-9c72-4f31-925b-0b9bd4b31e7b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0546", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", "type": "similar" } ], "uuid": "564643fd-7113-490e-9f6a-f0cc3f0e1a4c", "value": "SharpStage" }, { "description": "[SHARPSTATS](https://app.tidalcyber.com/software/f655306f-f7b4-4eec-9bd6-ac75142fcb43) is a .NET backdoor used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least 2019.[[TrendMicro POWERSTATS V3 June 2019](https://app.tidalcyber.com/references/bf9847e2-f2bb-4a96-af8f-56e1ffc45cf7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0450", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": 
"dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", "type": "similar" } ], "uuid": "f655306f-f7b4-4eec-9bd6-ac75142fcb43", "value": "SHARPSTATS" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Shell Doc Object and Control Library.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\shdocvw.dll\n* c:\\windows\\syswow64\\shdocvw.dll\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/](http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/)\n* [https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)\n* [https://twitter.com/bohops/status/997690405092290561](https://twitter.com/bohops/status/997690405092290561)\n* [https://windows10dll.nirsoft.net/shdocvw_dll.html](https://windows10dll.nirsoft.net/shdocvw_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Shdocvw.dll - LOLBAS Project](/references/0739d5fe-b460-4ed4-be75-cff422643a32)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5196", "source": "Tidal Cyber", "tags": [ "2c0f0b44-9b09-49a0-8dc5-d9fdcc515825", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" 
], "type": [ "tool" ] }, "related": [], "uuid": "67323b8a-e805-4503-8a40-d47f229453a0", "value": "Shdocvw" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Shell Common Dll\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\shell32.dll\n* c:\\windows\\syswow64\\shell32.dll\n\n**Resources:**\n* [https://twitter.com/Hexacorn/status/885258886428725250](https://twitter.com/Hexacorn/status/885258886428725250)\n* [https://twitter.com/pabraeken/status/991768766898941953](https://twitter.com/pabraeken/status/991768766898941953)\n* [https://twitter.com/mattifestation/status/776574940128485376](https://twitter.com/mattifestation/status/776574940128485376)\n* [https://twitter.com/KyleHanslovan/status/905189665120149506](https://twitter.com/KyleHanslovan/status/905189665120149506)\n* [https://windows10dll.nirsoft.net/shell32_dll.html](https://windows10dll.nirsoft.net/shell32_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [rundll32_control_rundll_hunt.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml)[[Shell32.dll - LOLBAS Project](/references/9465358f-e0cc-41f0-a7f9-01d5faca8157)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5197", "source": "Tidal Cyber", "tags": [ "e0b9882e-b9bb-4c16-b3d9-9268866eded0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"edf31b62-e9db-43c8-b9ef-55afd6b0404c", "value": "Shell32" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Photo Gallery Viewer\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\shimgvw.dll\n* c:\\windows\\syswow64\\shimgvw.dll\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1479080793003671557](https://twitter.com/eral4m/status/1479080793003671557)\n\n**Detection:**\n* IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line[[Shimgvw.dll - LOLBAS Project](/references/aba1cc57-ac30-400f-8b02-db7bf279dfb6)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5198", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "691b3a37-af46-47d2-a027-d93d901e0dac", "value": "Shimgvw" }, { "description": "[ShimRat](https://app.tidalcyber.com/software/a3287231-351f-472f-96cc-24db2e3829c7) has been used by the suspected China-based adversary [Mofang](https://app.tidalcyber.com/groups/8bc69792-c26d-4493-87e3-d8e47605fed8) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://app.tidalcyber.com/software/a3287231-351f-472f-96cc-24db2e3829c7)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. 
[[FOX-IT May 2016 Mofang](https://app.tidalcyber.com/references/f1a08b1c-f7d5-4a91-b3b7-0f042b297842)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0444", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" }, { "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", "type": "similar" } ], "uuid": "a3287231-351f-472f-96cc-24db2e3829c7", "value": "ShimRat" }, { "description": "[ShimRatReporter](https://app.tidalcyber.com/software/77d9c948-93e3-4e12-9764-4da7570d9275) is a tool used by suspected Chinese adversary [Mofang](https://app.tidalcyber.com/groups/8bc69792-c26d-4493-87e3-d8e47605fed8) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://app.tidalcyber.com/software/a3287231-351f-472f-96cc-24db2e3829c7)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://app.tidalcyber.com/software/77d9c948-93e3-4e12-9764-4da7570d9275) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[[FOX-IT May 2016 Mofang](https://app.tidalcyber.com/references/f1a08b1c-f7d5-4a91-b3b7-0f042b297842)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0445", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" }, { "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848", "type": "similar" } ], "uuid": "77d9c948-93e3-4e12-9764-4da7570d9275", "value": "ShimRatReporter" }, { "description": "[SHIPSHAPE](https://app.tidalcyber.com/software/3db0b464-ec5d-4cdd-86c2-62eac9c8acd6) is malware developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that allows propagation and exfiltration of data over removable devices. 
[APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) may use this capability to exfiltrate data across air-gaps. [[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]", "meta": { "software_attack_id": "S0028", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" }, { "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "type": "similar" } ], "uuid": "3db0b464-ec5d-4cdd-86c2-62eac9c8acd6", "value": "SHIPSHAPE" }, { "description": "[SHOTPUT](https://app.tidalcyber.com/software/49351818-579e-4298-9137-03b3dc699e22) is a custom backdoor used by [APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9). [[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0063", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" }, { "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "type": "similar" } ], "uuid": "49351818-579e-4298-9137-03b3dc699e22", "value": "SHOTPUT" }, { "description": "[SHUTTERSPEED](https://app.tidalcyber.com/software/5b2d82a6-ed96-485d-bca9-2320590de890) is a backdoor used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66). 
[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "software_attack_id": "S0217", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", "type": "similar" } ], "uuid": "5b2d82a6-ed96-485d-bca9-2320590de890", "value": "SHUTTERSPEED" }, { "description": "[Sibot](https://app.tidalcyber.com/software/ea0a1282-f2bf-4ae0-a19c-d7e379c2309b) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://app.tidalcyber.com/software/ea0a1282-f2bf-4ae0-a19c-d7e379c2309b) variants in early 2021 during its investigation of [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) and the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a).[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0589", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", "type": "similar" } ], "uuid": "ea0a1282-f2bf-4ae0-a19c-d7e379c2309b", "value": "Sibot" }, { "description": "[SideTwist](https://app.tidalcyber.com/software/61227a76-d315-4339-803a-e024f96e089e) is a C-based backdoor that has been used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) since at least 2021.[[Check Point APT34 April 2021](https://app.tidalcyber.com/references/593e8f9f-88ec-4bdc-90c3-1a320fa8a041)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0610", "source": "MITRE", "tags": [ 
"8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", "type": "similar" } ], "uuid": "61227a76-d315-4339-803a-e024f96e089e", "value": "SideTwist" }, { "description": "[SILENTTRINITY](https://app.tidalcyber.com/software/4765999f-c35e-4a9f-8284-9f10a17e6c34) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://app.tidalcyber.com/software/4765999f-c35e-4a9f-8284-9f10a17e6c34) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[[GitHub SILENTTRINITY March 2022](https://app.tidalcyber.com/references/cff66280-c592-4e3c-a56c-32a9620cf95c)][[Security Affairs SILENTTRINITY July 2019](https://app.tidalcyber.com/references/b4945fc0-b89b-445c-abfb-14959deba3d0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0692", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "1244e058-fa10-48cb-b484-0bcf671107ae", "type": "similar" } ], "uuid": "4765999f-c35e-4a9f-8284-9f10a17e6c34", "value": "SILENTTRINITY" }, { "description": "[Siloscape](https://app.tidalcyber.com/software/8ea75674-cc08-40cf-824c-40eb5cd6097e) is malware that targets Kubernetes clusters through Windows containers. 
[Siloscape](https://app.tidalcyber.com/software/8ea75674-cc08-40cf-824c-40eb5cd6097e) was first observed in March 2021.[[Unit 42 Siloscape Jun 2021](https://app.tidalcyber.com/references/4be128a7-97b8-48fa-8a52-a53c1e56f086)]", "meta": { "platforms": [ "Containers", "Windows" ], "software_attack_id": "S0623", "source": "MITRE", "tags": [ "4fa6f8e1-b0d5-4169-8038-33e355c08bde" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", "type": "similar" } ], "uuid": "8ea75674-cc08-40cf-824c-40eb5cd6097e", "value": "Siloscape" }, { "description": "[Skeleton Key](https://app.tidalcyber.com/software/206453a4-a298-4cab-9fdf-f136a4e0c761) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. [[Dell Skeleton](https://app.tidalcyber.com/references/cea9ce77-7641-4086-b92f-a4c3ad94a49c)] Functionality similar to [Skeleton Key](https://app.tidalcyber.com/software/206453a4-a298-4cab-9fdf-f136a4e0c761) is included as a module in [Mimikatz](https://app.tidalcyber.com/software/b8e7c0b4-49e4-4e8d-9467-b17f305ddf16).", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0007", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "type": "similar" } ], "uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761", "value": "Skeleton Key" }, { "description": "[Skidmap](https://app.tidalcyber.com/software/cc91d3d4-bbf5-4a9c-b43a-2ba034db4858) is a kernel-mode rootkit used for cryptocurrency mining.[[Trend Micro Skidmap](https://app.tidalcyber.com/references/53291621-f0ad-4cb7-af08-78b96eb67168)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0468", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0", "type": "similar" } ], "uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858", "value": 
"Skidmap" }, { "description": "[SLIGHTPULSE](https://app.tidalcyber.com/software/c8fed4fc-5721-5db2-b107-b2a9b677244e) is a web shell that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", "meta": { "platforms": [ "Network", "Linux" ], "software_attack_id": "S1110", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", "type": "similar" } ], "uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e", "value": "SLIGHTPULSE" }, { "description": "[Sliver](https://app.tidalcyber.com/software/bbd16b7b-7e35-4a11-86ff-9b19e17bdab3) is an open source, cross-platform, red team command and control framework written in Golang.[[Bishop Fox Sliver Framework August 2019](https://app.tidalcyber.com/references/51e67e37-2d61-4228-999b-bec6f80cf106)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0633", "source": "MITRE", "tags": [ "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" }, { "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be", "type": "similar" } ], "uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3", "value": "Sliver" }, { "description": "[SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017.[[CISA MAR SLOTHFULMEDIA October 2020](https://app.tidalcyber.com/references/57c3256c-0d24-4647-9037-fefe1c88ad61)][[Costin Raiu 
IAmTheKing October 2020](https://app.tidalcyber.com/references/2be88843-ed3a-460e-87c1-85aa50e827c8)] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[[USCYBERCOM SLOTHFULMEDIA October 2020](https://app.tidalcyber.com/references/600de668-f128-4368-8667-24ed9a9db47a)][[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)] \n\nIn October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is part of an activity cluster it refers to as \"IAmTheKing\".[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)] ESET also noted code similarity between [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) and droppers used by a group it refers to as \"PowerPool\".[[ESET PowerPool Code October 2020](https://app.tidalcyber.com/references/d583b409-35bd-45ea-8f2a-c0d566a6865b)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0533", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90", "type": "similar" } ], "uuid": "563c6534-497e-4d65-828c-420d5bb2041a", "value": "SLOTHFULMEDIA" }, { "description": "[SLOWDRIFT](https://app.tidalcyber.com/software/7c047a54-93cf-4dfc-ab20-d905791aebb2) is a backdoor used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) against academic and strategic victims in South Korea. 
[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0218", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", "type": "similar" } ], "uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2", "value": "SLOWDRIFT" }, { "description": "[SLOWPULSE](https://app.tidalcyber.com/software/37e264a6-5ad3-5a79-bf2c-db725622206e) is a malware that was used by [APT5](https://app.tidalcyber.com/groups/f46d6ee9-9d1d-586a-9f2d-6bff8fb92910) as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. [SLOWPULSE](https://app.tidalcyber.com/software/37e264a6-5ad3-5a79-bf2c-db725622206e) has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1104", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", "type": "similar" } ], "uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e", "value": "SLOWPULSE" }, { "description": "[Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least January 2022.[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)][[NCSC GCHQ Small Sieve Jan 
2022](https://app.tidalcyber.com/references/0edb8946-be38-45f5-a27c-bdbebc383d72)]\n\nSecurity researchers have also noted [Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948)'s use by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).[[Mandiant UNC3313 Feb 2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1035", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", "type": "similar" } ], "uuid": "c58028b9-2e79-4bc9-9b04-d24ea4dd4948", "value": "Small Sieve" }, { "description": "[SMOKEDHAM](https://app.tidalcyber.com/software/9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.[[FireEye Shining A Light on DARKSIDE May 2021](https://app.tidalcyber.com/references/6ac6acc2-9fea-4887-99b2-9988991b47b6)][[FireEye SMOKEDHAM June 2021](https://app.tidalcyber.com/references/a81ad3ef-fd96-432c-a7c8-ccc86d127a1b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0649", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e", "type": "similar" } ], "uuid": "9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3", "value": "SMOKEDHAM" }, { "description": "[Smoke Loader](https://app.tidalcyber.com/software/2244253f-a4ad-4ea9-a4bf-fa2f4d895853) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://app.tidalcyber.com/software/2244253f-a4ad-4ea9-a4bf-fa2f4d895853) has been seen in the wild since at least 2011 and has included a 
number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [[Malwarebytes SmokeLoader 2016](https://app.tidalcyber.com/references/b619e338-16aa-478c-b227-b22f78d572a3)] [[Microsoft Dofoil 2018](https://app.tidalcyber.com/references/85069317-2c25-448b-9ff4-504e429dc1bf)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0226", "source": "MITRE", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "00b45c13-d165-44d0-ad6b-99787d2a7ce3", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", "type": "similar" } ], "uuid": "2244253f-a4ad-4ea9-a4bf-fa2f4d895853", "value": "Smoke Loader" }, { "description": "[Snip3](https://app.tidalcyber.com/software/f587dc27-92be-5894-a4a8-d6c8bbcf8ede) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://app.tidalcyber.com/software/d587efff-4699-51c7-a4cc-bdbd1b302ed4), [Revenge RAT](https://app.tidalcyber.com/software/f99712b4-37a2-437c-92d7-fb4f94a1f892), [Agent Tesla](https://app.tidalcyber.com/software/304650b1-a0b5-460c-9210-23a5b53815a4), and [NETWIRE](https://app.tidalcyber.com/software/c7d0e881-80a1-49ea-9c1f-b6e53cf399a8).[[Morphisec Snip3 May 2021](https://app.tidalcyber.com/references/abe44c50-8347-5c98-8b04-d41afbe59d4c)][[Telefonica Snip3 December 2021](https://app.tidalcyber.com/references/f026dd44-1491-505b-8a8a-e4f28c6cd6a7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1086", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": 
"4327aff5-f194-440c-b499-4d9730cc1eab", "type": "similar" } ], "uuid": "f587dc27-92be-5894-a4a8-d6c8bbcf8ede", "value": "Snip3" }, { "description": "[SNUGRIDE](https://app.tidalcyber.com/software/d6c24f7c-fe79-4094-8f3c-68c4446ae4c7) is a backdoor that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) as first stage malware. [[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0159", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "type": "similar" } ], "uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7", "value": "SNUGRIDE" }, { "description": "[SocGholish](https://app.tidalcyber.com/software/ab84f259-9b9a-51d8-a68a-2bcd7512d760) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. 
SocGholish is operated by [Mustard Tempest](https://app.tidalcyber.com/groups/0898e7cb-118e-5eeb-b856-04e56ed18182) and its access has been sold to groups including [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) for downloading secondary RAT and ransomware payloads.[[SentinelOne SocGholish Infrastructure November 2022](https://app.tidalcyber.com/references/8a26eeb6-6f80-58f1-b773-b38835c6781d)][[SocGholish-update](https://app.tidalcyber.com/references/01d9c3ba-29e2-5090-b399-0e7adf50a6b9)][[Red Canary SocGholish March 2024](https://app.tidalcyber.com/references/70fa26e4-109c-5a48-b9fd-ac8b9acf2cf3)][[Secureworks Gold Prelude Profile](https://app.tidalcyber.com/references/b16ae37d-5244-5c1e-92a9-e494b5a9ef49)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1124", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", "type": "used-by" }, { "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", "type": "similar" } ], "uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760", "value": "SocGholish" }, { "description": "[Socksbot](https://app.tidalcyber.com/software/c1906bb6-0b5b-4916-8b29-37f7e272f6b3) is a backdoor that abuses Socket Secure (SOCKS) proxies. 
[[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0273", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", "type": "similar" } ], "uuid": "c1906bb6-0b5b-4916-8b29-37f7e272f6b3", "value": "Socksbot" }, { "description": "[SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a) is a fileless malware used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to download and execute payloads since at least 2020.[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0627", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108", "type": "similar" } ], "uuid": "6ecd970c-427b-4421-a831-69f46047d22a", "value": "SodaMaster" }, { "description": "SoftEther VPN is an open-source software project that, according to its GitHub page, is \"cross-platform multi-protocol VPN software\".[[GitHub SoftEtherVPN SoftEtherVPN_Stable](/references/f9d28db2-499f-407c-94d2-652b9ed5f928)] In August 2023, Microsoft researchers reported how Flax Typhoon, a nation-state-sponsored espionage group based in China, used SoftEther VPN as a key element of its command and control infrastructure during attacks on targets in Taiwan and elsewhere.[[Microsoft Flax Typhoon August 24 2023](/references/ec962b72-7b7f-4f7e-b6d6-7c5380b07201)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S5305", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", 
"2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", "type": "used-by" } ], "uuid": "46a9ee9c-6c4a-4db9-9385-46d2617d8050", "value": "SoftEther VPN" }, { "description": "SoftPerfect Network Scanner is a tool used to perform network scans for systems management purposes.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5008", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" } ], "uuid": "4272447f-8803-4947-b66f-051eecdd3385", "value": "SoftPerfect Network Scanner" }, { 
"description": "[SombRAT](https://app.tidalcyber.com/software/0ec24158-d5d7-4d2e-b5a5-bc862328a317) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) ransomware.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)][[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)][[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0615", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59", "type": "similar" } ], "uuid": "0ec24158-d5d7-4d2e-b5a5-bc862328a317", "value": "SombRAT" }, { "description": "[SoreFang](https://app.tidalcyber.com/software/3e959586-14ff-407b-a0d0-4e9580546f3f) is a first-stage downloader used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) for exfiltration and to load other malware.[[NCSC APT29 July 2020](https://app.tidalcyber.com/references/28da86a6-4ca1-4bb4-a401-d4aa469c0034)][[CISA SoreFang July 2016](https://app.tidalcyber.com/references/a87db09c-cadc-48fd-9634-8dd44bbd9009)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0516", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", "type": "similar" } ], "uuid": "3e959586-14ff-407b-a0d0-4e9580546f3f", "value": "SoreFang" }, { "description": "[SOUNDBITE](https://app.tidalcyber.com/software/069538a5-3cb8-4eb4-9fbb-83867bb4d826) is a signature backdoor used by 
[APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). [[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0157", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "type": "similar" } ], "uuid": "069538a5-3cb8-4eb4-9fbb-83867bb4d826", "value": "SOUNDBITE" }, { "description": "[SPACESHIP](https://app.tidalcyber.com/software/0f8d0a73-9cd3-475a-b31b-d457278c921a) is malware developed by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that allows propagation and exfiltration of data over removable devices. [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) may use this capability to exfiltrate data across air-gaps. [[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0035", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" }, { "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", "type": "similar" } ], "uuid": "0f8d0a73-9cd3-475a-b31b-d457278c921a", "value": "SPACESHIP" }, { "description": "\n[Spark](https://app.tidalcyber.com/software/93f8c180-6794-4e9c-b716-6b31f42eb72d) is a Windows backdoor and has been in use since as early as 2017.[[Unit42 Molerat Mar 2020](https://app.tidalcyber.com/references/328f1c87-c9dc-42d8-bb33-a17ad4d7f57e)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0543", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" }, { "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4", "type": 
"similar" } ], "uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d", "value": "Spark" }, { "description": "[SpeakUp](https://app.tidalcyber.com/software/b9b67878-4eb1-4a0b-9b36-a798881ed566) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [[CheckPoint SpeakUp Feb 2019](https://app.tidalcyber.com/references/8f0d6a8d-6bd4-4df5-aa28-70e1ec4b0b12)]", "meta": { "platforms": [ "macOS", "Linux" ], "software_attack_id": "S0374", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", "type": "similar" } ], "uuid": "b9b67878-4eb1-4a0b-9b36-a798881ed566", "value": "SpeakUp" }, { "description": "SpectralBlur is a malware targeting macOS systems that has backdoor functionality. Researchers have linked the malware to \"TA444/Bluenoroff\" actors.[[Objective_See 1 4 2024](/references/c96535be-4859-4ae3-9ba0-d482f1195863)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS" ], "software_attack_id": "S5311", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "type": "used-by" } ], "uuid": "89e2bdbf-4839-4b35-bd19-316a953d7acf", "value": "SpectralBlur" }, { "description": "Sphynx is a variant of BlackCat ransomware (AKA ALPHV or Noberus) first observed in early 2023, which features multiple defense evasion-focused enhancements over the BlackCat strain. 
For example, Sphynx uses a more complex set of execution parameters, its configuration details are formatted as raw structures instead of JSON, and observed samples contain large amounts of “junk” code and encrypted strings.[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)] Sphynx also features built-in versions of other tools to support specific functions, including the open-source Impacket tool for lateral movement and Remcom, a hacking tool that facilitates remote code execution.[[Microsoft Threat Intelligence Tweet August 17 2023](/references/8b0ebcb5-d531-4f49-aa2d-bceb5e491b3f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5055", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" } ], "uuid": "cdbebd0a-3036-4a24-b1d5-a3f0ca9c758e", "value": "Sphynx" }, { "description": "[SpicyOmelette](https://app.tidalcyber.com/software/2be9e22d-0af8-46f5-b30e-b3712ccf716d) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) since at least 2018.[[Secureworks GOLD KINGSWOOD September 2018](https://app.tidalcyber.com/references/cda529b2-e152-4ff0-a6b3-d0305b09fef9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0646", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0", "type": "similar" } ], "uuid": "2be9e22d-0af8-46f5-b30e-b3712ccf716d", "value": "SpicyOmelette" }, { "description": "Splashtop is a tool used to enable remote connections to network devices for support and 
administration.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5009", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "9bc47297-864d-4f39-be37-ad9379102853", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" }, { "dest-uuid": "fac6fbf1-935f-4106-ad8b-c8fd8389dd38", "type": "used-by" } ], "uuid": "ecf8b878-19e5-425b-bc34-d5ed6e999fea", "value": "Splashtop" }, { "description": "SplitLoader is an intermediate-stage malware used by the North Korean threat actor Moonstone Sleet mainly for payload execution purposes. 
It is also capable of performing system reconnaissance.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5322", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", "type": "used-by" } ], "uuid": "9a20c7f3-4e17-4a79-994a-c577afef5c72", "value": "SplitLoader" }, { "description": "[spwebmember](https://app.tidalcyber.com/software/0fdabff3-d996-493c-af67-f3ac02e4b00b) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0227", "source": "MITRE", "tags": [ "cd1b5d44-226e-4405-8985-800492cf2865", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "type": "similar" } ], "uuid": "0fdabff3-d996-493c-af67-f3ac02e4b00b", "value": "spwebmember" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging utility included with Microsoft SQL.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SQLDumper.exe\n* C:\\Program Files (x86)\\Microsoft Office\\root\\vfs\\ProgramFilesX86\\Microsoft Analysis\\AS OLEDB\\140\\SQLDumper.exe\n\n**Resources:**\n* 
[https://twitter.com/countuponsec/status/910969424215232518](https://twitter.com/countuponsec/status/910969424215232518)\n* [https://twitter.com/countuponsec/status/910977826853068800](https://twitter.com/countuponsec/status/910977826853068800)\n* [https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se](https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_sqldumper_activity.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml)\n* Elastic: [credential_access_lsass_memdump_file_created.toml](https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)[[Sqldumper.exe - LOLBAS Project](/references/793d6262-37af-46e1-a6b5-a5262f4a749d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5235", "source": "Tidal Cyber", "tags": [ "e992169d-832d-44e9-8218-0f4ab0ff72b4", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "146bd853-166b-4859-b4d7-b70f51bfd8e9", "value": "Sqldumper" }, { "description": "[sqlmap](https://app.tidalcyber.com/software/96c224a6-6ca4-4ac1-9990-d863ec5a317a) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. 
[[sqlmap Introduction](https://app.tidalcyber.com/references/ac643245-d54f-470f-a393-26875c0877c8)]", "meta": { "software_attack_id": "S0225", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" }, { "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", "type": "similar" } ], "uuid": "96c224a6-6ca4-4ac1-9990-d863ec5a317a", "value": "sqlmap" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\\100 and 110 are Powershell v2. Microsoft SQL Server\\120 and 130 are Powershell version 4. 
Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatibility reasons.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program files (x86)\\Microsoft SQL Server\\100\\Tools\\Binn\\sqlps.exe\n* C:\\Program files (x86)\\Microsoft SQL Server\\110\\Tools\\Binn\\sqlps.exe\n* C:\\Program files (x86)\\Microsoft SQL Server\\120\\Tools\\Binn\\sqlps.exe\n* C:\\Program files (x86)\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe\n* C:\\Program Files (x86)\\Microsoft SQL Server\\150\\Tools\\Binn\\SQLPS.exe\n\n**Resources:**\n* [https://twitter.com/ManuelBerrueta/status/1527289261350760455](https://twitter.com/ManuelBerrueta/status/1527289261350760455)\n* [https://twitter.com/bryon_/status/975835709587075072](https://twitter.com/bryon_/status/975835709587075072)\n* [https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017](https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017)\n\n**Detection:**\n* Sigma: [proc_creation_win_mssql_sqlps_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml)\n* Sigma: [image_load_dll_system_management_automation_susp_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml)\n* Elastic: [execution_suspicious_powershell_imgload.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml)\n* Splunk: [2021-10-05-suspicious_copy_on_system32.md](https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md)[[Sqlps.exe - LOLBAS Project](/references/31cc851a-c536-4cef-9391-d3c7d3eab64f)]", "meta": { "owner": "TidalCyberIan", 
"platforms": [ "Windows" ], "software_attack_id": "S5236", "source": "Tidal Cyber", "tags": [ "da7e88fd-2d71-4928-81ce-e3d455b3d418", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "5b3c03d3-9ea1-4322-a422-ab2401ffc294", "value": "Sqlps" }, { "description": "[SQLRat](https://app.tidalcyber.com/software/612f780a-239a-4bd0-a29f-63beadf3ed22) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) has been observed using it.[[Flashpoint FIN 7 March 2019](https://app.tidalcyber.com/references/b09453a3-c0df-4e96-b399-e7b34e068e9d)]", "meta": { "software_attack_id": "S0390", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "type": "similar" } ], "uuid": "612f780a-239a-4bd0-a29f-63beadf3ed22", "value": "SQLRat" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool included with Microsoft SQL that loads SQL Server cmdlets. A replacement for sqlps.exe. 
Successor to sqlps.exe in SQL Server 2016+.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program files (x86)\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/993298228840992768](https://twitter.com/pabraeken/status/993298228840992768)\n* [https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017](https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017)\n\n**Detection:**\n* Sigma: [proc_creation_win_mssql_sqltoolsps_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml)\n* Splunk: [2021-10-05-suspicious_copy_on_system32.md](https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md)[[SQLToolsPS.exe - LOLBAS Project](/references/612c9569-80af-48d2-a853-0f6e3f55aa50)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5237", "source": "Tidal Cyber", "tags": [ "f4867256-402a-4bcb-97d3-e071ee0993c1", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9271e5cf-f788-4d7d-9c7a-8d5e37cbb9a6", "value": "SQLToolsPS" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to update the existing installed Nuget/squirrel package. 
Part of Microsoft Teams installation.\n\n**Author:** Reegun J (OCBC Bank) - @reegun21\n\n**Paths:**\n* %localappdata%\\Microsoft\\Teams\\current\\Squirrel.exe\n\n**Resources:**\n* [https://www.youtube.com/watch?v=rOP3hnkj7ls](https://www.youtube.com/watch?v=rOP3hnkj7ls)\n* [https://twitter.com/reegun21/status/1144182772623269889](https://twitter.com/reegun21/status/1144182772623269889)\n* [http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/](http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/)\n* [https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12](https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12)\n* [https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56](https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_squirrel.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml)[[Squirrel.exe - LOLBAS Project](/references/952b5ca5-1251-4e27-bd30-5d55d7d2da5e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5238", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "13d5d060-8462-4592-8efb-2243fd2138d1", "value": "Squirrel" }, { "description": "[Squirrelwaffle](https://app.tidalcyber.com/software/46943a69-0b19-4d3a-b2a3-1302e85239a3) is a loader that was first seen in September 2021. 
It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://app.tidalcyber.com/software/9b6bcbba-3ab4-4a4c-a233-cd12254823f6) and the [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) banking trojan.[[ZScaler Squirrelwaffle Sep 2021](https://app.tidalcyber.com/references/624a62db-f00f-45f9-89f6-2c3505b4979f)][[Netskope Squirrelwaffle Oct 2021](https://app.tidalcyber.com/references/5559895a-4647-438f-b3d5-6d6aa323a6f9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1030", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47", "type": "similar" } ], "uuid": "46943a69-0b19-4d3a-b2a3-1302e85239a3", "value": "Squirrelwaffle" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Ssh.exe is the OpenSSH compatible client that can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.\n\n**Author:** Akshat Pradhan\n\n**Paths:**\n* c:\\windows\\system32\\OpenSSH\\ssh.exe\n\n**Resources:**\n* [https://gtfobins.github.io/gtfobins/ssh/](https://gtfobins.github.io/gtfobins/ssh/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_ssh.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml)\n* IOC: Event ID 4624 with process name C:\\Windows\\System32\\OpenSSH\\sshd.exe.\n* IOC: command line arguments specifying execution.[[ssh.exe - LOLBAS Project](/references/b1a9af1c-0cfc-4e8a-88ac-7d33cddc26a1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": 
"S5164", "source": "Tidal Cyber", "tags": [ "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "64a55f86-15db-4599-b165-81be7f024397", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7b607493-5035-4e29-9f95-55362f53b805", "value": "ssh" }, { "description": "[SslMM](https://app.tidalcyber.com/software/3334a124-3e74-4a90-8ed1-55eea3274b19) is a full-featured backdoor used by [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) that has multiple variants. [[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0058", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "type": "similar" } ], "uuid": "3334a124-3e74-4a90-8ed1-55eea3274b19", "value": "SslMM" }, { "description": "[Starloader](https://app.tidalcyber.com/software/fc18e220-2200-4d70-a426-0700ba14c4c0) is a loader component that has been observed loading [Felismus](https://app.tidalcyber.com/software/c66ed8ab-4692-4948-820e-5ce87cc78db5) and associated tools. 
[[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0188", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" }, { "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", "type": "similar" } ], "uuid": "fc18e220-2200-4d70-a426-0700ba14c4c0", "value": "Starloader" }, { "description": "[STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) is a Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6), possibly since at least November 2021; there is also a [STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) variant written in Golang with similar capabilities. Security researchers have also noted the use of [STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).[[Mandiant UNC3313 Feb 2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)][[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1037", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" }, { "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532", "type": "similar" } ], "uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47", "value": "STARWHALE" }, { "description": "[STEADYPULSE](https://app.tidalcyber.com/software/ea561f0b-b891-5735-aa99-97cc8818fbef) is a web shell that infects targeted Pulse Secure VPN servers through modification of a 
legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.[[Mandiant Pulse Secure Zero-Day April 2021](https://app.tidalcyber.com/references/0760480c-97be-5fc9-a6aa-f1df91a314a3)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1112", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e", "type": "similar" } ], "uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef", "value": "STEADYPULSE" }, { "description": "Stealc is a credential and information stealer first discovered by researchers in January 2023. Researchers assess the malware contains code similarities to prominent stealer families including Vidar, Raccoon, Mars, and RedLine.[[Sekoia.io Stealc February 20 2023](/references/ca5b727d-f35b-4009-b4d4-21a69d41162d)] Red Canary researchers indicated in July 2023 that they observed a \"surge\" of Stealc activity during the second half of the preceding month.[[Red Canary Intelligence Insights July 20 2023](/references/ad1d3f99-e5bf-41c6-871b-dd2c9d540341)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5298", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "4d767e87-4cf6-438a-927a-43d2d0beaab7", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "7ae6b9f0-3a50-4ebc-ae2c-9569f00dbd81", "value": "Stealc" }, { "description": "STEALDEAL is a relatively simple information and credential stealer that is known to be downloaded by RomCom malware and used to collect and exfiltrate victim data, including locally stored web browser credentials, cookies, and history.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5296", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", 
"4d767e87-4cf6-438a-927a-43d2d0beaab7", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" } ], "uuid": "39aaa970-8c33-4fd3-a7f0-4b769f301460", "value": "STEALDEAL" }, { "description": "[StoneDrill](https://app.tidalcyber.com/software/9eee52a2-5ac1-4561-826c-23ec7fbc7876) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac).[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0380", "source": "MITRE", "tags": [ "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", "type": "similar" } ], "uuid": "9eee52a2-5ac1-4561-826c-23ec7fbc7876", "value": "StoneDrill" }, { "description": "STONESTOP refers to the loader capability associated with the malicious kernel driver POORTRY, which has been used by multiple ransomware groups since 2022.[[Sophos News August 27 2024](/references/af1dfc7b-fdc2-448f-a4bf-34f8ee7d55bc)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5337", "source": "Tidal Cyber", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "9bfeb8a3-5a5e-4e66-acfd-0b84d74e0e0d", "value": "STONESTOP" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, 
which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Storage diagnostic tool\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\stordiag.exe\n* c:\\windows\\syswow64\\stordiag.exe\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1451112385041911809](https://twitter.com/eral4m/status/1451112385041911809)\n\n**Detection:**\n* Sigma: [proc_creation_win_stordiag_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml)\n* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\\windows\\system32\\ or c:\\windows\\syswow64\\[[Stordiag.exe - LOLBAS Project](/references/5e52a211-7ef6-42bd-93a1-5902f5e1c2ea)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5165", "source": "Tidal Cyber", "tags": [ "f0e3d6ea-d7ea-4d73-b868-1076fac744a8", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7430c53f-41a0-4395-88c7-fc2c34ee52c7", "value": "Stordiag" }, { "description": "[StreamEx](https://app.tidalcyber.com/software/502b490c-2067-40a4-8f73-7245d7910851) is a malware family that has been used by [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. 
[[Cylance Shell Crew Feb 2017](https://app.tidalcyber.com/references/c0fe5d29-838b-4e91-bd33-59ab3dbcfbc3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0142", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "type": "similar" } ], "uuid": "502b490c-2067-40a4-8f73-7245d7910851", "value": "StreamEx" }, { "description": "[StrifeWater](https://app.tidalcyber.com/software/dd8bb0a3-6cb1-412d-adeb-cbaae98462a9) is a remote-access tool that has been used by [Moses Staff](https://app.tidalcyber.com/groups/a41725c5-eb3a-4772-8d1e-17c3bbade79c) in the initial stages of their attacks since at least November 2021.[[Cybereason StrifeWater Feb 2022](https://app.tidalcyber.com/references/30c911b2-9a5e-4510-a78c-c65e84398c7e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1034", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" }, { "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", "type": "similar" } ], "uuid": "dd8bb0a3-6cb1-412d-adeb-cbaae98462a9", "value": "StrifeWater" }, { "description": "[StrongPity](https://app.tidalcyber.com/software/ed563524-235e-4e06-8c69-3f9d8ddbfd8a) is an information stealing malware used by [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0).[[Bitdefender StrongPity June 2020](https://app.tidalcyber.com/references/7d2e20f2-20ba-4d51-9495-034c07be41a8)][[Talos Promethium June 2020](https://app.tidalcyber.com/references/188d990e-f0be-40f2-90f3-913dfe687d27)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0491", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" }, { "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", 
"type": "similar" } ], "uuid": "ed563524-235e-4e06-8c69-3f9d8ddbfd8a", "value": "StrongPity" }, { "description": "[Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)][[CISA ICS Advisory ICSA-10-272-01](https://app.tidalcyber.com/references/25b3c18c-e017-4773-91dd-b489220d4fcb)][[ESET Stuxnet Under the Microscope](https://app.tidalcyber.com/references/4ec039a9-f843-42de-96ed-185c4e8c2d9f)][[Langer Stuxnet](https://app.tidalcyber.com/references/76b99581-e94d-4e51-8110-80557474048e)] [Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) was discovered in 2010, with some components being used as early as November 2008.[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0603", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "a98d7a43-f227-478e-81de-e7299639a355" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4", "type": "similar" } ], "uuid": "3fdf3833-fca9-4414-8d2e-779dabc4ee31", "value": "Stuxnet" }, { "description": "[S-Type](https://app.tidalcyber.com/software/b19b6c38-d38b-46f2-a535-d0bfc5790368) is a backdoor that was used in [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) since at least 2013.[[Cylance Dust 
Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0085", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "type": "similar" } ], "uuid": "b19b6c38-d38b-46f2-a535-d0bfc5790368", "value": "S-Type" }, { "description": "[SUGARDUMP](https://app.tidalcyber.com/software/6ff7bf2e-286c-4b1b-92a0-1e5322870c59) is a proprietary browser credential harvesting tool that was used by UNC3890 during the [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) campaign. The first known [SUGARDUMP](https://app.tidalcyber.com/software/6ff7bf2e-286c-4b1b-92a0-1e5322870c59) version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1042", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6", "type": "similar" } ], "uuid": "6ff7bf2e-286c-4b1b-92a0-1e5322870c59", "value": "SUGARDUMP" }, { "description": "[SUGARUSH](https://app.tidalcyber.com/software/004c781a-3d7d-446b-9677-a042c8f6566e) is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. 
[SUGARUSH](https://app.tidalcyber.com/software/004c781a-3d7d-446b-9677-a042c8f6566e) was first identified during analysis of UNC3890's [C0010](https://app.tidalcyber.com/campaigns/a1e33caf-6eb0-442f-b97a-f6042f21df48) campaign targeting Israeli companies, which began in late 2020.[[Mandiant UNC3890 Aug 2022](https://app.tidalcyber.com/references/7b3fda0b-d327-4f02-bebe-2b8974f9959d)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1049", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674", "type": "similar" } ], "uuid": "004c781a-3d7d-446b-9677-a042c8f6566e", "value": "SUGARUSH" }, { "description": "[SUNBURST](https://app.tidalcyber.com/software/6b04e98e-c541-4958-a8a5-d433e575ce78) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least February 2020.[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)][[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0559", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", "type": "similar" } ], "uuid": "6b04e98e-c541-4958-a8a5-d433e575ce78", "value": "SUNBURST" }, { "description": "[SUNSPOT](https://app.tidalcyber.com/software/66966a12-3db3-4e43-a7e8-6c6836ccd8fe) is an implant that injected the [SUNBURST](https://app.tidalcyber.com/software/6b04e98e-c541-4958-a8a5-d433e575ce78) backdoor into the SolarWinds Orion software update framework. 
It was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least February 2020.[[CrowdStrike SUNSPOT Implant January 2021](https://app.tidalcyber.com/references/3a7b71cf-961a-4f63-84a8-31b43b18fb95)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0562", "source": "MITRE", "tags": [ "f2ae2283-f94d-4f8f-bbde-43f2bed66c55", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6", "type": "similar" } ], "uuid": "66966a12-3db3-4e43-a7e8-6c6836ccd8fe", "value": "SUNSPOT" }, { "description": "[SUPERNOVA](https://app.tidalcyber.com/software/f02abaee-237b-4891-bb5d-30ca86dfc2c8) is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447)'s SolarWinds cyber operation but determined to be unrelated. 
Subsequent analysis suggests [SUPERNOVA](https://app.tidalcyber.com/software/f02abaee-237b-4891-bb5d-30ca86dfc2c8) may have been used by the China-based threat group SPIRAL.[[Guidepoint SUPERNOVA Dec 2020](https://app.tidalcyber.com/references/78fee365-ab2b-4823-8358-46c362be1ac0)][[Unit42 SUPERNOVA Dec 2020](https://app.tidalcyber.com/references/e884d0b5-f2a2-47cb-bb77-3acdac6b1790)][[SolarWinds Advisory Dec 2020](https://app.tidalcyber.com/references/4e8b908a-bdc5-441b-bc51-98dfa87f6b7a)][[CISA Supernova Jan 2021](https://app.tidalcyber.com/references/ce300d75-8351-4d7c-b280-7d5fbe17f9bb)][[Microsoft Analyzing Solorigate Dec 2020](https://app.tidalcyber.com/references/8ad72d46-ba2c-426f-bb0d-eb47723c8e11)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0578", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9", "type": "similar" } ], "uuid": "f02abaee-237b-4891-bb5d-30ca86dfc2c8", "value": "SUPERNOVA" }, { "description": "[SVCReady](https://app.tidalcyber.com/software/a8110f81-5ee9-5819-91ce-3a57aa330dcb) is a loader that has been used since at least April 2022 in malicious spam campaigns. 
Security researchers have noted overlaps between [TA551](https://app.tidalcyber.com/groups/8951bff3-c444-4374-8a9e-b2115d9125b2) activity and [SVCReady](https://app.tidalcyber.com/software/a8110f81-5ee9-5819-91ce-3a57aa330dcb) distribution, including similarities in file names, lure images, and identical grammatical errors.[[HP SVCReady Jun 2022](https://app.tidalcyber.com/references/48d5ec83-f1b9-595c-bb9a-d6d5cc513a41)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1064", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", "type": "similar" } ], "uuid": "a8110f81-5ee9-5819-91ce-3a57aa330dcb", "value": "SVCReady" }, { "description": "[Sykipot](https://app.tidalcyber.com/software/ae749f9c-cf46-42ce-b0b8-f0be8660e3f3) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://app.tidalcyber.com/software/ae749f9c-cf46-42ce-b0b8-f0be8660e3f3) hijacks smart cards on victims. [[Alienvault Sykipot DOD Smart Cards](https://app.tidalcyber.com/references/1a96544f-5b4e-4e1a-8db0-a989df9e4aaa)] The group using this malware has also been referred to as Sykipot. [[Blasco 2013](https://app.tidalcyber.com/references/46be6b77-ee2b-407e-bdd4-5a1183eda7f3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0018", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "type": "similar" } ], "uuid": "ae749f9c-cf46-42ce-b0b8-f0be8660e3f3", "value": "Sykipot" }, { "description": "[SynAck](https://app.tidalcyber.com/software/19ae8345-745e-4872-8a29-d56c8800d626) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. 
[[SecureList SynAck Doppelgänging May 2018](https://app.tidalcyber.com/references/d9f0af0f-8a65-406b-9d7e-4051086ef301)] [[Kaspersky Lab SynAck May 2018](https://app.tidalcyber.com/references/bbb9bcb5-cd44-4dcb-a7e5-f6c4cf93f74f)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0242", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", "type": "similar" } ], "uuid": "19ae8345-745e-4872-8a29-d56c8800d626", "value": "SynAck" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Script used related to app-v and publishing server\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\SyncAppvPublishingServer.vbs\n\n**Resources:**\n* [https://twitter.com/monoxgas/status/895045566090010624](https://twitter.com/monoxgas/status/895045566090010624)\n* [https://twitter.com/subTee/status/855738126882316288](https://twitter.com/subTee/status/855738126882316288)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml)[[Syncappvpublishingserver.vbs - LOLBAS Project](/references/adb09226-894c-4874-a2e3-fb2c6de30173)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5261", "source": "Tidal Cyber", "tags": [ "9e504206-7a84-40a5-b896-8995d82e3586", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"6af0eac2-c35f-4569-ae09-47f1ca846961", "value": "Syncappvpublishingserver - Duplicate" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by App-v to get App-v server lists\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\SyncAppvPublishingServer.exe\n* C:\\Windows\\SysWOW64\\SyncAppvPublishingServer.exe\n\n**Resources:**\n* [https://twitter.com/monoxgas/status/895045566090010624](https://twitter.com/monoxgas/status/895045566090010624)\n\n**Detection:**\n* Sigma: [posh_ps_syncappvpublishingserver_exe.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml)\n* Sigma: [posh_pm_syncappvpublishingserver_exe.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml)\n* Sigma: [proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml)\n* IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed[[SyncAppvPublishingServer.exe - LOLBAS Project](/references/ce371df7-aab6-4338-9491-656481cb5601)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5166", "source": "Tidal Cyber", "tags": [ "acda137a-d1c9-4216-9c08-d07c8d899725", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "f2928533-34e1-4599-a3ec-c8b4ef9d81b4", "value": 
"SyncAppvPublishingServer" }, { "description": "[SYNful Knock](https://app.tidalcyber.com/software/69ab291d-5066-4e47-9862-1f5c7bac7200) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[[Mandiant - Synful Knock](https://app.tidalcyber.com/references/1f6eaa98-9184-4341-8634-5512a9c632dd)][[Cisco Synful Knock Evolution](https://app.tidalcyber.com/references/29301297-8343-4f75-8096-7fe229812f75)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S0519", "source": "MITRE", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", "type": "similar" } ], "uuid": "69ab291d-5066-4e47-9862-1f5c7bac7200", "value": "SYNful Knock" }, { "description": "[Sys10](https://app.tidalcyber.com/software/2df35a92-2295-417a-af5a-ba5c943ef40d) is a backdoor that was used throughout 2013 by [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d). [[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0060", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "type": "similar" } ], "uuid": "2df35a92-2295-417a-af5a-ba5c943ef40d", "value": "Sys10" }, { "description": "[SYSCON](https://app.tidalcyber.com/software/ea556a8d-4959-423f-a2dd-622d0497d484) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. 
[SYSCON](https://app.tidalcyber.com/software/ea556a8d-4959-423f-a2dd-622d0497d484) has been delivered by the [CARROTBALL](https://app.tidalcyber.com/software/84bb4068-b441-435e-8535-02a458ffd50b) and [CARROTBAT](https://app.tidalcyber.com/software/aefa893d-fc6e-41a9-8794-2700049db9e5) droppers.[[Unit 42 CARROTBAT November 2018](https://app.tidalcyber.com/references/6986a64a-5fe6-4697-b70b-79cccaf3d730)][[Unit 42 CARROTBAT January 2020](https://app.tidalcyber.com/references/b65442ca-18ca-42e0-8be0-7c2b66c26d02)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0464", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3", "type": "similar" } ], "uuid": "ea556a8d-4959-423f-a2dd-622d0497d484", "value": "SYSCON" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows NT System Setup\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\syssetup.dll\n* c:\\windows\\syswow64\\syssetup.dll\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/994392481927258113](https://twitter.com/pabraeken/status/994392481927258113)\n* [https://twitter.com/harr0ey/status/975350238184697857](https://twitter.com/harr0ey/status/975350238184697857)\n* [https://twitter.com/bohops/status/975549525938135040](https://twitter.com/bohops/status/975549525938135040)\n* [https://windows10dll.nirsoft.net/syssetup_dll.html](https://windows10dll.nirsoft.net/syssetup_dll.html)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___syssetup.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml)[[Syssetup.dll - LOLBAS Project](/references/3bb7027f-7cbb-47e7-8cbb-cf45604669af)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5199", "source": "Tidal Cyber", "tags": [ "9105775d-bdcb-45cc-895d-6c7bbb3d30ce", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "5d220e4f-db5f-4523-8dc5-63a604f3964b", "value": "Syssetup" }, { "description": "SystemBC is a commodity backdoor malware used as a Tor proxy and remote access Trojan (RAT). It was used during the high-profile 2021 Colonial Pipeline DarkSide ransomware attack and has since been used as a persistence & lateral movement tool during other ransomware compromises, including intrusions involving Ryuk, Egregor, and Play.[[BlackBerry SystemBC June 10 2021](/references/08186ff9-6ca5-4c09-b5e7-b883eb15fdba)][[Sophos SystemBC December 16 2020](/references/eca1301f-deeb-4a97-8c4e-e61210706116)][[WithSecure SystemBC May 10 2021](/references/4004e072-9e69-4e81-a2b7-840e106cf3d9)][[Trend Micro Play Ransomware September 06 2022](/references/ed02529c-920d-4a92-8e86-be1ed7083991)] According to Mandiant's 2023 M-Trends report, SystemBC was the second most frequently seen malware family in 2022 after only Cobalt Strike Beacon.[[TechRepublic M-Trends 2023](/references/1347e21e-e77d-464d-bbbe-dc4d3f2b07a1)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\n\n**Malware Bazaar (Samples & IOCs)**: 
https://bazaar.abuse.ch/browse/tag/systembc/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/SystemBC", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5058", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "c30929fb-28a1-407c-a1c3-a83374c63267", "value": "SystemBC" }, { "description": "[Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) is a Windows utility that can be used to gather detailed information about a computer. 
[[TechNet Systeminfo](https://app.tidalcyber.com/references/5462ba66-6e26-41c2-bc28-6c19085d4469)]", "meta": { "software_attack_id": "S0096", "source": "MITRE", "tags": [ "7b918200-2c8d-4b86-a81b-b2bdec5b2c2b", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "similar" } ], "uuid": "cecea681-a753-47b5-9d77-c10a5b4403ab", "value": "Systeminfo" }, { "description": "[SysUpdate](https://app.tidalcyber.com/software/148d587c-3b1e-4e71-bdfb-8c37005e7e77) is a backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2020.[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0663", "source": "MITRE", "type": [ "malware" ] }, "related": [ { 
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783", "type": "similar" } ], "uuid": "148d587c-3b1e-4e71-bdfb-8c37005e7e77", "value": "SysUpdate" }, { "description": "[T9000](https://app.tidalcyber.com/software/c5647cc4-0d46-4a41-8591-9179737747a2) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [[FireEye admin@338 March 2014](https://app.tidalcyber.com/references/6a37e6eb-b767-4b10-9c39-660a42b19ddd)] [[Palo Alto T9000 Feb 2016](https://app.tidalcyber.com/references/d7eefe85-86cf-4b9d-bf70-f16c5a0227cc)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0098", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "type": "similar" } ], "uuid": "c5647cc4-0d46-4a41-8591-9179737747a2", "value": "T9000" }, { "description": "According to joint Cybersecurity Advisory AA23-320A (November 2023), Tactical RMM is a publicly available, legitimate tool that \"enables remote monitoring and management of systems\". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[[U.S. 
CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5066", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "ba4777f9-bb3b-4143-8062-a510c30544ce", "value": "Tactical RMM" }, { "description": "[Taidoor](https://app.tidalcyber.com/software/9334df79-9023-44bb-bc28-16c1f07b836b) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[[CISA MAR-10292089-1.v2 TAIDOOR August 2021](https://app.tidalcyber.com/references/0ae18fda-cc88-49f4-8e85-7b63044579ea)] [Taidoor](https://app.tidalcyber.com/software/9334df79-9023-44bb-bc28-16c1f07b836b) has primarily been used against Taiwanese government organizations since at least 2010.[[TrendMicro Taidoor](https://app.tidalcyber.com/references/3d703dfa-97c5-498f-a712-cb4995119297)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0011", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", "type": "similar" } ], "uuid": "9334df79-9023-44bb-bc28-16c1f07b836b", "value": "Taidoor" }, { "description": "According to joint Cybersecurity Advisory AA23-320A (November 2023), Tailscale is a publicly available, legitimate tool that \"provides virtual private networks (VPNs) to secure network communications\". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[[U.S. 
CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5069", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "130a5491-1b93-45fd-bd72-9e5f8ddeba2a", "value": "Tailscale" }, { "description": "[TAINTEDSCRIBE](https://app.tidalcyber.com/software/1548c94a-fb4d-43d8-9956-ea26f5cc552f) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). It was first reported in May 2020.[[CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020](https://app.tidalcyber.com/references/b9946fcc-592a-4c54-b504-4fe5050704df)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0586", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152", "type": "similar" } ], "uuid": "1548c94a-fb4d-43d8-9956-ea26f5cc552f", "value": "TAINTEDSCRIBE" }, { "description": "[TajMahal](https://app.tidalcyber.com/software/b1b7a8d9-6df3-4e89-8622-a6eea3da729b) is a multifunctional spying framework that has been in use since at least 2014. 
[TajMahal](https://app.tidalcyber.com/software/b1b7a8d9-6df3-4e89-8622-a6eea3da729b) is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0467", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70", "type": "similar" } ], "uuid": "b1b7a8d9-6df3-4e89-8622-a6eea3da729b", "value": "TajMahal" }, { "description": "TAMECAT is a custom backdoor developed and used by Iranian espionage group APT42. It is usually delivered via phishing attacks and serves as a post-compromise command execution and malware ingress capability.[[Mandiant Uncharmed May 1 2024](/references/84c0313a-bea1-44a7-9396-8e12437852d1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5334", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "ce126445-6984-45bb-9737-35448f06f27b", "type": "used-by" } ], "uuid": "8d00b893-7492-4a67-a9b0-d817c5a21603", "value": "TAMECAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to extract and create archives.\n\n**Author:** Brian Lucero\n\n**Paths:**\n* C:\\Windows\\System32\\tar.exe\n\n**Resources:**\n* [https://twitter.com/Cyber_Sorcery/status/1619819249886969856](https://twitter.com/Cyber_Sorcery/status/1619819249886969856)\n\n**Detection:**\n* IOC: tar.exe extracting files from a remote host within the 
environment[[Tar.exe - LOLBAS Project](/references/e5f54ded-3ec1-49c1-9302-6b9f372d5015)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5167", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "65e149a8-7c78-40d0-9cc5-9f420011facc", "value": "Tar" }, { "description": "[Tarrask](https://app.tidalcyber.com/software/7bb9d181-4405-4938-bafb-b13cc98b6cd8) is malware that has been used by [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) since at least August 2021. [Tarrask](https://app.tidalcyber.com/software/7bb9d181-4405-4938-bafb-b13cc98b6cd8) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[[Tarrask scheduled task](https://app.tidalcyber.com/references/87682623-d1dd-4ee8-ae68-b08be5113e3e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1011", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" }, { "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8", "type": "similar" } ], "uuid": "7bb9d181-4405-4938-bafb-b13cc98b6cd8", "value": "Tarrask" }, { "description": "The [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. 
[[Microsoft Tasklist](https://app.tidalcyber.com/references/2c09561a-02ee-4948-9745-9d6c8eb2881d)]", "meta": { "software_attack_id": "S0057", "source": "MITRE", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" }, { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" }, { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" }, { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "similar" } ], "uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98", "value": "Tasklist" }, { "description": "tcpdump is an open-source network packet analyzer utility run from the command line.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5267", "source": "Tidal Cyber", "tags": [ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", "758c3085-2f79-40a8-ab95-f8a684737927", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", 
"e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "35e694ec-5133-46e3-b7e1-5831867c3b55", "02495172-1563-48e7-8ac2-98463bd85e9d", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [], "uuid": "7a5d457c-949c-4e8f-817a-7e2d33f6c618", "value": "tcpdump" }, { "description": "TDSSKiller is a tool used to remove rootkits.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5044", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "c62b061a-b4d0-4b28-932c-3c9423443248", "value": "TDSSKiller" }, { "description": "[TDTESS](https://app.tidalcyber.com/software/e7116740-fe7c-45e2-b98d-0c594a7dff2f) is a 64-bit .NET binary backdoor used by [CopyKittens](https://app.tidalcyber.com/groups/6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b). 
[[ClearSky Wilted Tulip July 2017](https://app.tidalcyber.com/references/50233005-8dc4-4e91-9477-df574271df40)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0164", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" }, { "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "type": "similar" } ], "uuid": "e7116740-fe7c-45e2-b98d-0c594a7dff2f", "value": "TDTESS" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg](https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_use_of_te_bin.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml)[[te.exe - LOLBAS Project](/references/e7329381-319e-4dcc-8187-92882e6f2e12)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5239", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "8eef4e4b-e294-47bb-befa-9cd97ceced57", "value": "te" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License 
v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Electron runtime binary which runs the Teams application\n\n**Author:** Andrew Kisliakov\n\n**Paths:**\n* %LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe\n\n**Resources:**\n* [https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/](https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/)\n\n**Detection:**\n* IOC: %LOCALAPPDATA%\\Microsoft\\Teams\\current\\app directory created\n* IOC: %LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar file created/modified by non-Teams installer/updater\n* Sigma: [proc_creation_win_susp_electron_exeuction_proxy.yml](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml)[[Teams.exe - LOLBAS Project](/references/ceee2b13-331f-4019-9c27-af0ce8b25414)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5240", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "13221a7b-6c23-48a7-97bd-21e2c689a391", "value": "Teams" }, { "description": "TeamViewer is a tool used to enable remote connections to network devices for support and administration.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5010", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "15b77e5c-2285-434d-9719-73c14beba8bd", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "0060bb76-6713-4942-a4c0-d4ae01ec2866", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" }, { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, { "dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" }, { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" }, { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" } ], "uuid": "6b5f6eb4-4cdd-4383-8623-d1f7de486865", "value": "TeamViewer" }, { "description": "[TEARDROP](https://app.tidalcyber.com/software/bae20f59-469c-451c-b4ca-70a9a04a1574) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a). 
It was likely used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least May 2020.[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)][[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0560", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26", "type": "similar" } ], "uuid": "bae20f59-469c-451c-b4ca-70a9a04a1574", "value": "TEARDROP" }, { "description": "Teleport is a custom tool for data exfiltration. It has been observed in use during intrusions involving Truebot, a botnet and loader malware, in 2022 and 2023.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5011", "source": "Tidal Cyber", "tags": [ "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "8bf128ad-288b-41bc-904f-093f4fdde745" ], "type": [ "malware" ] }, "related": [], "uuid": "b9a98499-c984-4199-ae64-d1381ebbaa1f", "value": "Teleport" }, { "description": "Terminator is an open-source software package that is designed to facilitate disabling of endpoint security/antivirus tools by abusing the `zam64.sys` driver.[[GitHub Terminator](/references/c2556bcf-9cc9-4f46-8a0f-8f8d801dfdbf)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5283", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": 
"923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" } ], "uuid": "5cd0db7a-d47d-479b-89ac-9e78dfc0cd9d", "value": "Terminator" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** TestWindowRemoteAgent.exe is the command-line tool to establish RPC\n\n**Author:** Onat Uzunyayla\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\RemoteAgent\\TestWindowRemoteAgent.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* IOC: TestWindowRemoteAgent.exe spawning unexpectedly[[TestWindowRemoteAgent.exe - LOLBAS Project](/references/0cc891bc-692c-4a52-9985-39ddb434294d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5241", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "2143f749-d7b8-43c0-8041-8aeb486142c2", "value": "TestWindowRemoteAgent" }, { "description": "[TEXTMATE](https://app.tidalcyber.com/software/49d0ae81-d51b-4534-b1e0-08371a47ef79) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) in February 2017. 
[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0146", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "type": "similar" } ], "uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79", "value": "TEXTMATE" }, { "description": "[ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[[Reed thiefquest fake ransom](https://app.tidalcyber.com/references/b265ef93-c1fb-440d-a9e0-89cf25a3de05)] Even though [ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[[wardle evilquest partii](https://app.tidalcyber.com/references/4fee237c-c2ec-47f5-b382-ec6bd4779281)][[reed thiefquest ransomware analysis](https://app.tidalcyber.com/references/47b49df4-34f1-4a89-9983-e8bc19aadf8c)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0595", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "727afb95-3d0f-4451-b297-362a43909923", "type": "similar" } ], "uuid": "2ed5f691-68eb-49dd-b730-793dc8a7d134", "value": "ThiefQuest" }, { "description": 
"[ThreatNeedle](https://app.tidalcyber.com/software/b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e) is a backdoor that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08)'s Manuscrypt (a.k.a. NukeSped) malware family.[[Kaspersky ThreatNeedle Feb 2021](https://app.tidalcyber.com/references/ba6a5fcc-9391-42c0-8b90-57b729525f41)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0665", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092", "type": "similar" } ], "uuid": "b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e", "value": "ThreatNeedle" }, { "description": "ThunderShell is a tool used to facilitate remote access via HTTP requests.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5045", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "be319849-fb2c-4b5f-8055-0bde562c280b", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" } ], "uuid": "8fe38eda-30be-4c88-ae76-ac6ebc89d66b", "value": "ThunderShell" }, { "description": "Tickler is a custom multi-stage backdoor deployed by Iranian state-sponsored espionage group Peach Sandstorm (APT33) in compromises in Q2 and Q3 2024.[[Microsoft Security Blog August 28 2024](/references/940c0755-18df-4fcb-9691-9f2eb45e6441)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5335", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" } ], "uuid": "b39d2bea-83f4-4450-b331-3c39dff89ee8", "value": "Tickler" }, { "description": "According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. 
It is designed to enable remote access to other systems.[[TightVNC Software Project Page](/references/e1725230-4f6c-47c5-8e30-90dfb01a75d7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5015", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "e727eaa6-ef41-4965-b93a-8ad0c51d0236" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" }, { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" }, { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "6b0d5be9-5305-4b45-bed9-43dee66b85e8", "value": "TightVNC" }, { "description": "[TinyTurla](https://app.tidalcyber.com/software/39f0371c-b755-4655-a97e-82a572f2fae4) is a backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) against targets in the US, Germany, and Afghanistan since at least 2020.[[Talos TinyTurla September 2021](https://app.tidalcyber.com/references/94cdbd73-a31a-4ec3-aa36-de3ea077c1c7)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0668", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab", "type": "similar" } ], "uuid": "39f0371c-b755-4655-a97e-82a572f2fae4", "value": "TinyTurla" }, { "description": "[TINYTYPHON](https://app.tidalcyber.com/software/0e009cb8-848e-427a-9581-d3a4fd9f6a87) is a backdoor that has been used by the actors responsible for the MONSOON campaign. 
The majority of its code was reportedly taken from the MyDoom worm. [[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]", "meta": { "software_attack_id": "S0131", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "type": "similar" } ], "uuid": "0e009cb8-848e-427a-9581-d3a4fd9f6a87", "value": "TINYTYPHON" }, { "description": "[TinyZBot](https://app.tidalcyber.com/software/277290fe-51f3-4822-bb46-8b69fd1c8ae5) is a bot written in C# that was developed by [Cleaver](https://app.tidalcyber.com/groups/c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07). [[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0004", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" }, { "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "type": "similar" } ], "uuid": "277290fe-51f3-4822-bb46-8b69fd1c8ae5", "value": "TinyZBot" }, { "description": "[Tomiris](https://app.tidalcyber.com/software/eff417ad-c775-4a95-9f36-a1b5a675ba82) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. 
Security researchers assess there are similarities between [Tomiris](https://app.tidalcyber.com/software/eff417ad-c775-4a95-9f36-a1b5a675ba82) and [GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6).[[Kaspersky Tomiris Sep 2021](https://app.tidalcyber.com/references/a881a7e4-a1df-4ad2-b67f-ef03caddb721)]", "meta": { "software_attack_id": "S0671", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc", "type": "similar" } ], "uuid": "eff417ad-c775-4a95-9f36-a1b5a675ba82", "value": "Tomiris" }, { "description": "[Tor](https://app.tidalcyber.com/software/8c70d85b-b06d-423c-8bab-ecff18f332d6) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://app.tidalcyber.com/software/8c70d85b-b06d-423c-8bab-ecff18f332d6) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. 
[[Dingledine Tor The Second-Generation Onion Router](https://app.tidalcyber.com/references/ffb6a26d-2da9-4cce-bb2d-5280e9cc16b4)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0183", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "be319849-fb2c-4b5f-8055-0bde562c280b", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "42a7c134-c574-430b-8105-bf7a00e742ae", "type": "used-by" }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "type": "similar" } ], "uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6", "value": "Tor" }, { "description": "[Torisma](https://app.tidalcyber.com/software/4bce135b-91ba-45ae-88f9-09e01f983a74) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). 
[Torisma](https://app.tidalcyber.com/software/4bce135b-91ba-45ae-88f9-09e01f983a74) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[[McAfee Lazarus Nov 2020](https://app.tidalcyber.com/references/a283d229-3a2a-43ef-bcbe-aa6d41098b51)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0678", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2", "type": "similar" } ], "uuid": "4bce135b-91ba-45ae-88f9-09e01f983a74", "value": "Torisma" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool included with Microsoft .Net Framework.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://twitter.com/subTee/status/793151392185589760](https://twitter.com/subTee/status/793151392185589760)\n* [https://attack.mitre.org/wiki/Execution](https://attack.mitre.org/wiki/Execution)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_tracker.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml)[[LOLBAS Tracker](/references/f0e368f1-3347-41ef-91fb-995c3cb07707)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5242", "source": "Tidal Cyber", "tags": [ "3c9b26cf-9bda-4feb-ab42-ef7865cc80fd", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "62ebde4b-4936-49f6-842b-8c0313ea26f5", "value": "Tracker" }, { "description": "[TrailBlazer](https://app.tidalcyber.com/software/7a6ae9f8-5f8b-4e94-8716-d8ee82027197) is a modular malware that has 
been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2019.[[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0682", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e", "type": "similar" } ], "uuid": "7a6ae9f8-5f8b-4e94-8716-d8ee82027197", "value": "TrailBlazer" }, { "description": "[TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://app.tidalcyber.com/software/38e012f7-fb3a-4250-a129-92da3a488724). [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) was developed and initially used by [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.[[S2 Grupo TrickBot June 2017](https://app.tidalcyber.com/references/28faff77-3e68-4f5c-974d-dc7c9d06ce5e)][[Fidelis TrickBot Oct 2016](https://app.tidalcyber.com/references/839c02d1-58ec-4e25-a981-0276dbb1acc8)][[IBM TrickBot Nov 2016](https://app.tidalcyber.com/references/092aec63-aea0-4bc9-9c05-add89b4233ff)][[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0266", "source": "MITRE", "tags": [ "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", 
"type": "used-by" }, { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" }, { "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", "type": "similar" } ], "uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d", "value": "TrickBot" }, { "description": "[Trojan.Karagany](https://app.tidalcyber.com/software/b88c4891-40da-4832-ba42-6c6acd455bd1) is a modular remote access tool used for recon and linked to [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1). The source code for [Trojan.Karagany](https://app.tidalcyber.com/software/b88c4891-40da-4832-ba42-6c6acd455bd1) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)][[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)][[Dragos DYMALLOY ](https://app.tidalcyber.com/references/d2785c6e-e0d1-4e90-a2d5-2c302176d5d3)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0094", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" }, { "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "type": "similar" } ], "uuid": "b88c4891-40da-4832-ba42-6c6acd455bd1", "value": "Trojan.Karagany" }, { "description": "[Trojan.Mebromi](https://app.tidalcyber.com/software/f8a4213d-633b-4e3d-8e59-a769e852b93b) is BIOS-level malware that takes control of the victim before MBR. 
[[Ge 2011](https://app.tidalcyber.com/references/dd6032fb-8913-4593-81b9-86d1239e01f4)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0001", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", "type": "similar" } ], "uuid": "f8a4213d-633b-4e3d-8e59-a769e852b93b", "value": "Trojan.Mebromi" }, { "description": "Truebot is a botnet often used as a loader for other malware. In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new Truebot variants infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated by the collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 (a vulnerability in the IT auditing application Netwrix Auditor) to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections; FlawedGrace and Cobalt Strike for various post-exploitation activities; and Teleport, a custom tool for data exfiltration.[[U.S. 
CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.silence\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/truebot/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/Truebot", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5000", "source": "Tidal Cyber", "tags": [ "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "a98d7a43-f227-478e-81de-e7299639a355", "992bdd33-4a47-495d-883a-58010a2f0efb", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" }, { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" } ], "uuid": "669f8b7a-2404-47ab-843d-e63431faafec", "value": "Truebot" }, { "description": "[Truvasys](https://app.tidalcyber.com/software/50844dba-8999-42ba-ba29-511e3faf4bc3) is first-stage malware that has been used by [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0). It is a collection of modules written in the Delphi programming language. 
[[Microsoft Win Defender Truvasys Sep 2017](https://app.tidalcyber.com/references/3c8ba6ef-8edc-44bf-9abe-655ba0f45912)] [[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)] [[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0178", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" }, { "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "type": "similar" } ], "uuid": "50844dba-8999-42ba-ba29-511e3faf4bc3", "value": "Truvasys" }, { "description": "[TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b) is a remote access tool (RAT) that has been used by [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) in campaigns against Japanese targets.[[JPCert TSCookie March 2018](https://app.tidalcyber.com/references/ff1717f7-0d2e-4947-87d7-44576affe9f8)][[JPCert BlackTech Malware September 2019](https://app.tidalcyber.com/references/26f44bde-f723-4854-8acc-3d95e5fa764a)]. 
[TSCookie](https://app.tidalcyber.com/software/9872ab5a-c76e-4404-91f9-5b745722443b) has been referred to as [PLEAD](https://app.tidalcyber.com/software/9a890a85-afbe-4c35-a3e7-1adad481bdf7) though more recent reporting indicates a separation between the two.[[JPCert PLEAD Downloader June 2018](https://app.tidalcyber.com/references/871f4af2-ed99-4256-a74d-b8c0816a82ab)][[JPCert BlackTech Malware September 2019](https://app.tidalcyber.com/references/26f44bde-f723-4854-8acc-3d95e5fa764a)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0436", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace", "type": "similar" } ], "uuid": "9872ab5a-c76e-4404-91f9-5b745722443b", "value": "TSCookie" }, { "description": "TShark is a network protocol analyzer utility.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5268", "source": "Tidal Cyber", "tags": [ "e1be4b53-7524-4e88-bf6d-358cfdf96772", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [], "uuid": "57f9458f-4dad-411e-9971-8e3e166f173b", "value": "TShark" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)\n\n**Author:** Maxime Nadeau\n\n**Paths:**\n* C:\\Windows\\System32\\ttdinject.exe\n* C:\\Windows\\Syswow64\\ttdinject.exe\n\n**Resources:**\n* 
[https://twitter.com/Oddvarmoe/status/1196333160470138880](https://twitter.com/Oddvarmoe/status/1196333160470138880)\n\n**Detection:**\n* Sigma: [create_remote_thread_win_ttdinjec.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml)\n* Sigma: [proc_creation_win_lolbin_ttdinject.yml](https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml)\n* IOC: Parent child relationship. Ttdinject.exe parent for executed command\n* IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\payload.exe\") from the ttdinject.exe process[[Ttdinject.exe - LOLBAS Project](/references/3146c9c9-9836-4ce5-afe6-ef8f7b4a7b9d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5168", "source": "Tidal Cyber", "tags": [ "fc67aea7-f207-4cf5-8413-e33c76538cf6", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7bd9859e-4260-4c86-903b-1f8bcf658da1", "value": "Ttdinject" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows 1809 and newer to Debug Time Travel\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\tttracer.exe\n* C:\\Windows\\SysWOW64\\tttracer.exe\n\n**Resources:**\n* [https://twitter.com/oulusoyum/status/1191329746069655553](https://twitter.com/oulusoyum/status/1191329746069655553)\n* 
[https://twitter.com/mattifestation/status/1196390321783025666](https://twitter.com/mattifestation/status/1196390321783025666)\n* [https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html](https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_tttracer_mod_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml)\n* Sigma: [image_load_tttracer_mod_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)\n* IOC: Parent child relationship. Tttracer parent for executed command[[Tttracer.exe - LOLBAS Project](/references/7c88a77e-034e-4847-8bd7-1be3a684a158)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5169", "source": "Tidal Cyber", "tags": [ "3c4e3160-4e82-49ce-b6a3-17879dd4b83c", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "ab06ccb0-21c7-4d84-99ff-3349ce476910", "value": "Tttracer" }, { "description": "[Turian](https://app.tidalcyber.com/software/571a45a7-68c9-452c-99bf-1d5b5fdd08b3) is a backdoor that has been used by [BackdoorDiplomacy](https://app.tidalcyber.com/groups/e5b0da2b-12bc-4113-9459-9c51329c9ae0) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. 
First reported in 2021, [Turian](https://app.tidalcyber.com/software/571a45a7-68c9-452c-99bf-1d5b5fdd08b3) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[[ESET BackdoorDiplomacy Jun 2021](https://app.tidalcyber.com/references/127d4b10-8d61-4bdf-b5b9-7d86bbc065b6)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0647", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" }, { "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4", "type": "similar" } ], "uuid": "571a45a7-68c9-452c-99bf-1d5b5fdd08b3", "value": "Turian" }, { "description": "[TURNEDUP](https://app.tidalcyber.com/software/c7f10715-cf13-4360-8511-aa3f93dd7688) is a non-public backdoor. It has been dropped by [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac)'s [StoneDrill](https://app.tidalcyber.com/software/9eee52a2-5ac1-4561-826c-23ec7fbc7876) malware. [[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)] [[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0199", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" }, { "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", "type": "similar" } ], "uuid": "c7f10715-cf13-4360-8511-aa3f93dd7688", "value": "TURNEDUP" }, { "description": "[TYPEFRAME](https://app.tidalcyber.com/software/6c93d3c4-cae5-48a9-948d-bc5264230316) is a remote access tool that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08). 
[[US-CERT TYPEFRAME June 2018](https://app.tidalcyber.com/references/b89f20ad-39c4-480f-b02e-20f4e71f6b95)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0263", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "type": "similar" } ], "uuid": "6c93d3c4-cae5-48a9-948d-bc5264230316", "value": "TYPEFRAME" }, { "description": "[UACMe](https://app.tidalcyber.com/software/5788edee-d1b7-4406-9122-bee596362236) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [[Github UACMe](https://app.tidalcyber.com/references/7006d59d-3b61-4030-a680-5dac52133722)]", "meta": { "software_attack_id": "S0116", "source": "MITRE", "tags": [ "7de7d799-f836-4555-97a4-0db776eb6932", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", "type": "similar" } ], "uuid": "5788edee-d1b7-4406-9122-bee596362236", "value": "UACMe" }, { "description": "[UBoatRAT](https://app.tidalcyber.com/software/5214ae01-ccd5-4e97-8f9c-14eb16e75544) is a remote access tool that was identified in May 2017.[[PaloAlto UBoatRAT Nov 2017](https://app.tidalcyber.com/references/235a1129-2f35-4861-90b8-1f761d89b0f9)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0333", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", "type": "similar" } ], "uuid": "5214ae01-ccd5-4e97-8f9c-14eb16e75544", "value": "UBoatRAT" }, { "description": "A Linux rootkit that provides backdoor access and hides from defenders.", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0221", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": 
"3d8e547d-9456-4f32-a895-dc86134e282f", "type": "similar" } ], "uuid": "227c12df-8126-4e79-b9bd-0e4633fa12fa", "value": "Umbreon" }, { "description": "Universal Virus Sniffer is a tool that can be used for impairing and evading an environment's defenses.[[U.S. CISA Phobos February 29 2024](/references/bd6f9bd3-22ec-42fc-9d85-fdc14dcfa55a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5276", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e1af18e3-3224-4e4c-9d0f-533768474508" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" } ], "uuid": "d876bb61-3122-44e7-ace4-f473a7b30f58", "value": "Universal Virus Sniffer" }, { "description": "[Unknown Logger](https://app.tidalcyber.com/software/846b3762-3949-4501-b781-6dca22db088f) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. 
[[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0130", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" }, { "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "type": "similar" } ], "uuid": "846b3762-3949-4501-b781-6dca22db088f", "value": "Unknown Logger" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Windows Media Player Setup Utility\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Windows\\System32\\unregmp2.exe\n* C:\\Windows\\SysWOW64\\unregmp2.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1466588365336293385](https://twitter.com/notwhickey/status/1466588365336293385)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_unregmp2.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml)\n* IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`[[Unregmp2.exe - LOLBAS Project](/references/9ad11187-bf91-4205-98c7-c7b981e4ab6f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5170", "source": "Tidal Cyber", "tags": [ "40f11d0d-09f2-4bd1-bc79-1430464a52a7", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "456fb5b3-76e5-47f4-b964-09d68adb889e", "value": "Unregmp2" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries 
(LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* %localappdata%\\Microsoft\\Teams\\update.exe\n\n**Resources:**\n* [https://www.youtube.com/watch?v=rOP3hnkj7ls](https://www.youtube.com/watch?v=rOP3hnkj7ls)\n* [https://twitter.com/reegun21/status/1144182772623269889](https://twitter.com/reegun21/status/1144182772623269889)\n* [https://twitter.com/MrUn1k0d3r/status/1143928885211537408](https://twitter.com/MrUn1k0d3r/status/1143928885211537408)\n* [https://twitter.com/reegun21/status/1291005287034281990](https://twitter.com/reegun21/status/1291005287034281990)\n* [http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/](http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/)\n* [https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12](https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12)\n* [https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56](https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56)\n* [https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_squirrel.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml)\n* IOC: Update.exe spawned an unknown process[[Update.exe - LOLBAS 
Project](/references/2c85d5e5-2cb2-4af7-8c33-8aaac3360706)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5243", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "487d4c42-12ee-4c90-b284-cca04dadb951", "value": "Update" }, { "description": "[UPPERCUT](https://app.tidalcyber.com/software/a3c211f8-52aa-4bfd-8382-940f2194af28) is a backdoor that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). [[FireEye APT10 Sept 2018](https://app.tidalcyber.com/references/5f122a27-2137-4016-a482-d04106187594)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0275", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" }, { "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", "type": "similar" } ], "uuid": "a3c211f8-52aa-4bfd-8382-940f2194af28", "value": "UPPERCUT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Internet Shortcut Shell Extension DLL.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\url.dll\n* c:\\windows\\syswow64\\url.dll\n\n**Resources:**\n* [https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)\n* [https://twitter.com/DissectMalware/status/995348436353470465](https://twitter.com/DissectMalware/status/995348436353470465)\n* 
[https://twitter.com/bohops/status/974043815655956481](https://twitter.com/bohops/status/974043815655956481)\n* [https://twitter.com/yeyint_mth/status/997355558070927360](https://twitter.com/yeyint_mth/status/997355558070927360)\n* [https://twitter.com/Hexacorn/status/974063407321223168](https://twitter.com/Hexacorn/status/974063407321223168)\n* [https://windows10dll.nirsoft.net/url_dll.html](https://windows10dll.nirsoft.net/url_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Url.dll - LOLBAS Project](/references/0c88fb72-6be5-4a01-af1c-553650779253)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5200", "source": "Tidal Cyber", "tags": [ "34505028-b7d8-4da4-8dee-9926f3dbd37a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "96e24cc0-f1ce-4595-90c4-5a4976394db8", "value": "Url" }, { "description": "[Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. 
[Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://app.tidalcyber.com/references/1931b80a-effb-59ec-acae-c0f17efb8cad)][[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]", "meta": { "platforms": [ "macOS", "Linux", "Windows" ], "software_attack_id": "S0022", "source": "MITRE", "tags": [ "1efd43ee-5752-49f2-99fe-e3441f126b00" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" }, { "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", "type": "similar" } ], "uuid": "89ffc27c-b81f-473a-87d6-907cacdce61c", "value": "Uroburos" }, { "description": "[Ursnif](https://app.tidalcyber.com/software/3e501609-87e4-4c47-bd88-5054be0f1037) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291)s, and malicious links.[[NJCCIC Ursnif Sept 2016](https://app.tidalcyber.com/references/d57a2efe-8c98-491e-aecd-e051241a1779)][[ProofPoint Ursnif Aug 2016](https://app.tidalcyber.com/references/4cef8c44-d440-4746-b3e8-c8e4d307273d)] [Ursnif](https://app.tidalcyber.com/software/3e501609-87e4-4c47-bd88-5054be0f1037) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) 
capable of a wide variety of behaviors.[[TrendMicro Ursnif Mar 2015](https://app.tidalcyber.com/references/d02287df-9d93-4cbe-8e59-8f4ef3debc65)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0386", "source": "MITRE", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", "4d767e87-4cf6-438a-927a-43d2d0beaab7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" }, { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" }, { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", "type": "similar" } ], "uuid": "3e501609-87e4-4c47-bd88-5054be0f1037", "value": "Ursnif" }, { "description": "[USBferry](https://app.tidalcyber.com/software/26d93db8-dbc3-44b5-a393-2b219cef4f5b) is an information stealing malware and has been used by [Tropic Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) in targeted attacks against Taiwanese and Philippine air-gapped military environments. 
[USBferry](https://app.tidalcyber.com/software/26d93db8-dbc3-44b5-a393-2b219cef4f5b) shares an overlapping codebase with [YAHOYAH](https://app.tidalcyber.com/software/0844bc42-5c29-47c3-b1b3-6bfffbf1732a), though it has several features which makes it a distinct piece of malware.[[TrendMicro Tropic Trooper May 2020](https://app.tidalcyber.com/references/4fbc1df0-f174-4461-817d-0baf6e947ba1)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0452", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" }, { "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984", "type": "similar" } ], "uuid": "26d93db8-dbc3-44b5-a393-2b219cef4f5b", "value": "USBferry" }, { "description": "[USBStealer](https://app.tidalcyber.com/software/50eab018-8d52-46f5-8252-95942c2c0a89) is malware that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://app.tidalcyber.com/software/ef7f4f5f-6f30-4059-87d1-cd8375bf1bee). 
[[ESET Sednit USBStealer 2014](https://app.tidalcyber.com/references/8673f7fc-5b23-432a-a2d8-700ece46bd0f)] [[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0136", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "type": "similar" } ], "uuid": "50eab018-8d52-46f5-8252-95942c2c0a89", "value": "USBStealer" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** PowerShell Diagnostic Script\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\Networking\\UtilityFunctions.ps1\n\n**Resources:**\n* [https://twitter.com/nickvangilder/status/1441003666274668546](https://twitter.com/nickvangilder/status/1441003666274668546)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbas_utilityfunctions.yml](https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml)[[UtilityFunctions.ps1 - LOLBAS Project](/references/8f15755b-2e32-420e-8463-497e3f8d8cfd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5262", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "50a57a6f-6597-42d1-b686-7003c631ddb0", "value": "UtilityFunctions" }, { "description": "[Valak](https://app.tidalcyber.com/software/b149f12f-3cf4-4547-841d-c63b7677547d) is a multi-stage modular malware that can 
function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[[Cybereason Valak May 2020](https://app.tidalcyber.com/references/235d1cf1-2413-4620-96cf-083d348410c2)][[Unit 42 Valak July 2020](https://app.tidalcyber.com/references/9a96da13-5795-49bc-ab82-dfd4f964d9d0)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0476", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" }, { "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53", "type": "similar" } ], "uuid": "b149f12f-3cf4-4547-841d-c63b7677547d", "value": "Valak" }, { "description": "[VaporRage](https://app.tidalcyber.com/software/63940761-8dea-4362-8795-7bc0653ce1d4) is a shellcode downloader that has been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least 2021.[[MSTIC Nobelium Toolset May 2021](https://app.tidalcyber.com/references/52464e69-ff9e-4101-9596-dd0c6404bf76)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0636", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194", "type": "similar" } ], "uuid": "63940761-8dea-4362-8795-7bc0653ce1d4", "value": "VaporRage" }, { "description": "[Vasport](https://app.tidalcyber.com/software/fe116518-cd0c-4b10-8190-4f57208df4e4) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. 
[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Vasport May 2012](https://app.tidalcyber.com/references/2dc7d7fb-3d13-4647-b15b-5e501946d606)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0207", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", "type": "similar" } ], "uuid": "fe116518-cd0c-4b10-8190-4f57208df4e4", "value": "Vasport" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary file used for compile vbs code\n\n**Author:** Lior Adar\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\vbc.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_visual_basic_compiler.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml)\n* Elastic: [defense_evasion_dotnet_compiler_parent_process.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml)[[vbc.exe - LOLBAS Project](/references/25eb4048-ee6d-44ca-a70b-37605028bd3c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5171", "source": "Tidal Cyber", "tags": [ "bc6f5172-90af-491e-817d-2eaa522f93af", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"25ae056b-aa3d-4bfb-9b53-ba76bce0dad1", "value": "vbc" }, { "description": "[VBShower](https://app.tidalcyber.com/software/150b6079-bb10-48a8-b570-fbe8b0e3287c) is a backdoor that has been used by [Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) since at least 2019. [VBShower](https://app.tidalcyber.com/software/150b6079-bb10-48a8-b570-fbe8b0e3287c) has been used as a downloader for second stage payloads, including [PowerShower](https://app.tidalcyber.com/software/2ca245de-77a9-4857-ba93-fd0d6988df9d).[[Kaspersky Cloud Atlas August 2019](https://app.tidalcyber.com/references/4c3ae600-0787-4847-b528-ae3e8ff1b5ef)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0442", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" }, { "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed", "type": "similar" } ], "uuid": "150b6079-bb10-48a8-b570-fbe8b0e3287c", "value": "VBShower" }, { "description": "A prominent ransomware family.[[HC3 Analyst Note Venus Ransomware November 2022](/references/bd6e6a59-3a73-48f6-84cd-e7c027c8671f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5293", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "2f33ae13-8ab2-4ec1-8358-c81218c1f3a5", "value": "Venus Ransomware" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to verify a COM object before it is instantiated by Windows 
Explorer\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\verclsid.exe\n* C:\\Windows\\SysWOW64\\verclsid.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5](https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5)\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n\n**Detection:**\n* Sigma: [proc_creation_win_verclsid_runs_com.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml)\n* Splunk: [verclsid_clsid_execution.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml)[[LOLBAS Verclsid](/references/63ac9e95-aad8-4735-9e63-f45d8c499030)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5172", "source": "Tidal Cyber", "tags": [ "4e91036d-809b-4eae-8a09-86bdc6cd1f0e", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "56dc0bea-bdfb-4731-b6c0-425fb7f9bf4d", "value": "Verclsid" }, { "description": "[VERMIN](https://app.tidalcyber.com/software/afa4023f-aa2e-45d6-bb3c-38e61f876eac) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. 
[[Unit 42 VERMIN Jan 2018](https://app.tidalcyber.com/references/0d6db249-9368-495e-9f1f-c7f10041f5ff)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0257", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3", "type": "similar" } ], "uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac", "value": "VERMIN" }, { "description": "Vidar Stealer is one of the most heavily used information & credential stealers (\"infostealers\") in recent years. While many of today's most popular infostealers were developed relatively recently, Vidar is more established, having been released in 2018. Its developers continue to add new capabilities, however, for example to improve the malware's stealth.[[Minerva Labs Vidar Stealer Evasion](/references/ce9714d3-7f7c-4068-bcc8-0f0eeaf0dc0b)]\n\nMore details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5071", "source": "Tidal Cyber", "tags": [ "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "15787198-6c8b-4f79-bf50-258d55072fee", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" } ], "uuid": "ced8364c-e0e2-429a-a029-300fa2f0d5be", "value": "Vidar Stealer" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under 
[GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\arm64\\UIAVerify\\VisualUiaVerifyNative.exe\n* c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\x64\\UIAVerify\\VisualUiaVerifyNative.exe\n* c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\UIAVerify\\VisualUiaVerifyNative.exe\n\n**Resources:**\n* [https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/](https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/)\n* [https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad](https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_visualuiaverifynative.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[VisualUiaVerifyNative.exe - LOLBAS Project](/references/b17be296-15ad-468f-8157-8cb4093b2e97)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5246", "source": "Tidal Cyber", "tags": [ "5e096dac-47b7-4657-a57b-752ef7da0263", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], 
"type": [ "tool" ] }, "related": [], "uuid": "acfbcd12-25fd-41cd-83ef-c7af7cb59fff", "value": "VisualUiaVerifyNative" }, { "description": "[Volgmer](https://app.tidalcyber.com/software/7fcfba45-5752-4f0c-8023-db67729ae34e) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [[US-CERT Volgmer Nov 2017](https://app.tidalcyber.com/references/c48c7ac0-8d55-4b62-9606-a9ce420459b6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0180", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "type": "similar" } ], "uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e", "value": "Volgmer" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command-line tool used for performing diagnostics.\n\n**Author:** Bobby Cooke\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe\n\n**Resources:**\n* [https://twitter.com/0xBoku/status/1679200664013135872](https://twitter.com/0xBoku/status/1679200664013135872)\n\n**Detection:**\n* Sigma: [https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml](https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml)[[VSDiagnostics.exe - LOLBAS Project](/references/b4658fc0-af16-45b1-8403-a9676760a36a)]", "meta": { "owner": "TidalCyberIan", 
"platforms": [ "Windows" ], "software_attack_id": "S5244", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "fca6d378-bbe6-4418-b238-6a9a63aaabba", "value": "VSDiagnostics" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** VShadow is a command-line tool that can be used to create and manage volume shadow copies.\n\n**Author:** Ayberk Halaç\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.XXXXX.0\\x64\\vshadow.exe\n\n**Resources:**\n* [https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample](https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample)\n\n**Detection:**\n* IOC: vshadow.exe usage with -exec parameter[[Vshadow.exe - LOLBAS Project](/references/ae3b1e26-d7d7-4049-b4a7-80cd2b149b7c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5247", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "f39988b4-acf7-4d56-a7e5-8e8fa0b8ccc2", "value": "Vshadow" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary will execute specified binary. 
Part of VS/VScode installation.\n\n**Author:** timwhite\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\Extensions\\Microsoft\\Web Tools\\ProjectSystem\\VSIISExeLauncher.exe\n\n**Resources:**\n* [https://github.com/timwhitez](https://github.com/timwhitez)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_vsiisexelauncher.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml)\n* IOC: VSIISExeLauncher.exe spawned an unknown process[[VSIISExeLauncher.exe - LOLBAS Project](/references/e2fda344-77b8-4650-a7da-1e422db6d3a1)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5245", "source": "Tidal Cyber", "tags": [ "0bf195a2-c577-4317-973e-a72dde5a06e6", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "2517da5a-11b1-4f77-b488-c096173b1b50", "value": "VSIISExeLauncher" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Just-In-Time (JIT) debugger included with Visual Studio\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\vsjitdebugger.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/990758590020452353](https://twitter.com/pabraeken/status/990758590020452353)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_use_of_vsjitdebugger_bin.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml)[[vsjitdebugger.exe - LOLBAS Project](/references/94a880fa-70b0-46c3-997e-b22dc9180134)]", "meta": { 
"owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5248", "source": "Tidal Cyber", "tags": [ "71bc284c-bfce-4191-80e0-ef70ff4315bf", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "34ba500e-c37c-45ec-abf4-16e2f76d82c8", "value": "vsjitdebugger" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Agent for Visual Studio Live Share (Code Collaboration)\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\Extensions\\Microsoft\\LiveShare\\Agent\\vsls-agent.exe\n\n**Resources:**\n* [https://twitter.com/bohops/status/1583916360404729857](https://twitter.com/bohops/status/1583916360404729857)\n\n**Detection:**\n* Sigma: [proc_creation_win_vslsagent_agentextensionpath_load.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml)[[vsls-agent.exe - LOLBAS Project](/references/325eab54-bcdd-4a12-ab41-aaf06a0405e9)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5253", "source": "Tidal Cyber", "tags": [ "375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "99f752db-12c4-45a7-9f7b-f4fcda033462", "value": "vsls-agent" }, { "description": "Play ransomware operators are known to use a custom tool that serves as an interface for interacting with Windows Volume Shadow Copy Service (\"VSS\") over APIs. 
The tool can enumerate and copy files and folders in a VSS snapshot prior to encryption to serve as backups.[[Symantec Play Ransomware April 19 2023](/references/a78613a5-ce17-4d11-8f2f-3e642cd7673c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5301", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "4d767e87-4cf6-438a-927a-43d2d0beaab7", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "a3ebc075-c87b-4400-9498-09bb95d47231", "value": "VSS Copying Tool (Play Ransomware)" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** VSTest.Console.exe is the command-line tool to run tests\n\n**Author:** Onat Uzunyayla\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\vstest.console.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\TestAgent\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\vstest.console.exe\n\n**Resources:**\n* [https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022](https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022)\n\n**Detection:**\n* IOC: vstest.console.exe spawning unexpected processes[[vstest.console.exe - LOLBAS Project](/references/70c168a0-9ddf-408d-ba29-885c0c5c936a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5254", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": 
"dfbe173f-5c36-4596-aefb-7ccf504e03c8", "value": "vstest.console" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows address book manager\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Windows Mail\\wab.exe\n* C:\\Program Files (x86)\\Windows Mail\\wab.exe\n\n**Resources:**\n* [https://twitter.com/Hexacorn/status/991447379864932352](https://twitter.com/Hexacorn/status/991447379864932352)\n* [http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/](http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/)\n\n**Detection:**\n* Sigma: [registry_set_wab_dllpath_reg_change.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml)\n* IOC: WAB.exe should normally never be used[[Wab.exe - LOLBAS Project](/references/c432556e-c7f9-4e36-af7e-d7bea6f51e95)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5173", "source": "Tidal Cyber", "tags": [ "a53c9f4b-6f0d-4afa-b1ac-8e2d91279210", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "6cbd62e8-9024-42d7-93d5-6b8b3409425b", "value": "Wab" }, { "description": "[WannaCry](https://app.tidalcyber.com/software/6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. 
It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[[LogRhythm WannaCry](https://app.tidalcyber.com/references/305d0742-154a-44af-8686-c6d8bd7f8636)][[US-CERT WannaCry 2017](https://app.tidalcyber.com/references/349b8e9d-7172-4d01-b150-f0371d038b7e)][[Washington Post WannaCry 2017](https://app.tidalcyber.com/references/bbf9b08a-072c-4fb9-8c3c-cb6f91e8940c)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0366", "source": "MITRE", "tags": [ "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "45795633-a32b-4d9e-8620-4044ac056647", "09de661e-60c4-43fb-bfef-df017215d1d8", "5a463cb3-451d-47f7-93e4-1886150697ce", "c2380542-36f2-4922-9ed2-80ced06645c9", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172", "e809d252-12cc-494d-94f5-954c49eb87ce" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "type": "similar" } ], "uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a", "value": "WannaCry" }, { "description": "[WARPWIRE](https://app.tidalcyber.com/software/9a592b49-1701-5e4c-95cf-9b8c98b80527) is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) to target Ivanti Connect Secure VPNs.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)][[Mandiant Cutting Edge Part 2 January 2024](https://app.tidalcyber.com/references/5209d259-4293-58c0-bbdc-f30ff77d57f7)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1116", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6", "type": "similar" } ], 
"uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527", "value": "WARPWIRE" }, { "description": "[WarzoneRAT](https://app.tidalcyber.com/software/cfebe868-15cb-4be5-b7ed-38b52f2a0722) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[[Check Point Warzone Feb 2020](https://app.tidalcyber.com/references/c214c36e-2bc7-4b98-a74e-529aae99f9cf)][[Uptycs Warzone UAC Bypass November 2020](https://app.tidalcyber.com/references/1324b314-a4d9-43e7-81d6-70b6917fe527)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0670", "source": "MITRE", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d0f29889-7a9c-44d8-abdc-480b371f7b2b", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" }, { "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", "type": "similar" } ], "uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722", "value": "WarzoneRAT" }, { "description": "[WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad) is a ransomware family attributed to [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) that has been used since at least May 2020. 
[WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad) has been used against a broad variety of sectors, including manufacturing, information technology, and media.[[Symantec WastedLocker June 2020](https://app.tidalcyber.com/references/061d8f74-a202-4089-acae-687e4f96933b)][[NCC Group WastedLocker June 2020](https://app.tidalcyber.com/references/1520f2e5-2689-428f-9ee4-05e153a52381)][[Sentinel Labs WastedLocker July 2020](https://app.tidalcyber.com/references/5ed4eb07-cc90-46bc-8527-0bb59e1eefe1)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0612", "source": "MITRE", "tags": [ "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", "type": "similar" } ], "uuid": "0ba6ee8d-2b29-4980-8e55-348ea05f00ad", "value": "WastedLocker" }, { "description": "[Waterbear](https://app.tidalcyber.com/software/56872a5b-dc01-455c-85d5-06c577abb030) is modular malware attributed to [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[[Trend Micro Waterbear December 2019](https://app.tidalcyber.com/references/bf320133-3823-4232-b7d2-d07da9bbccc2)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0579", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" }, { "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb", "type": "similar" } ], "uuid": "56872a5b-dc01-455c-85d5-06c577abb030", "value": "Waterbear" }, { "description": "[WEBC2](https://app.tidalcyber.com/software/f228af8f-8938-4836-9461-c6ca220ed7c5) is a family of backdoor malware used by 
[APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) as early as July 2006. [WEBC2](https://app.tidalcyber.com/software/f228af8f-8938-4836-9461-c6ca220ed7c5) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [[Mandiant APT1 Appendix](https://app.tidalcyber.com/references/1f31c09c-6a93-4142-8333-154138c1d70a)][[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0109", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", "type": "similar" } ], "uuid": "f228af8f-8938-4836-9461-c6ca220ed7c5", "value": "WEBC2" }, { "description": "[WellMail](https://app.tidalcyber.com/software/b936a1b3-5493-4d6c-9b69-29addeace418) is a lightweight malware written in Golang used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), similar in design and structure to [WellMess](https://app.tidalcyber.com/software/20725ec7-ee35-44cf-bed6-91158aa03ce4).[[CISA WellMail July 2020](https://app.tidalcyber.com/references/2f33b88a-a8dd-445b-a34f-e356b94bed35)][[NCSC APT29 July 2020](https://app.tidalcyber.com/references/28da86a6-4ca1-4bb4-a401-d4aa469c0034)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0515", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a", "type": "similar" } ], "uuid": "b936a1b3-5493-4d6c-9b69-29addeace418", "value": "WellMail" }, { "description": "[WellMess](https://app.tidalcyber.com/software/20725ec7-ee35-44cf-bed6-91158aa03ce4) is a lightweight 
malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447).[[CISA WellMess July 2020](https://app.tidalcyber.com/references/40e9eda2-51a2-4fd8-b0b1-7d2c6deca820)][[PWC WellMess July 2020](https://app.tidalcyber.com/references/22794e37-3c55-444a-b659-e5a1a6bc2da0)][[NCSC APT29 July 2020](https://app.tidalcyber.com/references/28da86a6-4ca1-4bb4-a401-d4aa469c0034)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0514", "source": "MITRE", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" }, { "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4", "type": "similar" } ], "uuid": "20725ec7-ee35-44cf-bed6-91158aa03ce4", "value": "WellMess" }, { "description": "[Wevtutil](https://app.tidalcyber.com/software/2bcbcea6-192a-4501-aab1-1edde53875fa) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[[Wevtutil Microsoft Documentation](https://app.tidalcyber.com/references/25511dde-9e13-4e03-8ae4-2495e9f5eb5e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0645", "source": "MITRE", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "5db11c6f-cba4-4865-b993-7a3aafd0f037", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "cd1b5d44-226e-4405-8985-800492cf2865", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { 
"dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" }, { "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", "type": "similar" } ], "uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa", "value": "Wevtutil" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v10.0A\\bin\\NETFX 4.8 Tools\\wfc.exe\n\n**Resources:**\n* [https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/](https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_wfc.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[Wfc.exe - LOLBAS Project](/references/a937012a-01c8-457c-8808-47c1753e8781)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5249", "source": "Tidal Cyber", "tags": [ "be621f15-1788-490f-b8bb-85511a5a8074", 
"303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "dadd1243-6a4a-4ce2-9eea-1c530e7510d9", "value": "Wfc" }, { "description": "[WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[[Cybereason WhisperGate February 2022](https://app.tidalcyber.com/references/464d9cac-04c7-4e57-a5d6-604fba90a982)][[Unit 42 WhisperGate January 2022](https://app.tidalcyber.com/references/3daa8c9e-da17-4eda-aa0d-df97c5de8f64)][[Microsoft WhisperGate January 2022](https://app.tidalcyber.com/references/e0c1fcd3-b7a8-42af-8984-873a6f969975)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0689", "source": "MITRE", "tags": [ "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" }, { "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7", "type": "similar" } ], "uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5", "value": "WhisperGate" }, { "description": "[Wiarp](https://app.tidalcyber.com/software/7b393608-c141-48af-ae3d-3eff13c3e01c) is a trojan used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) to open a backdoor on compromised hosts. 
[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[Symantec Wiarp May 2012](https://app.tidalcyber.com/references/78285833-4b0d-4077-86d2-f34b010a5862)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0206", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" }, { "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a", "type": "similar" } ], "uuid": "7b393608-c141-48af-ae3d-3eff13c3e01c", "value": "Wiarp" }, { "description": "[Windows Credential Editor](https://app.tidalcyber.com/software/7c2c44d7-b307-4e13-b181-52352975a6f5) is a password dumping tool. [[Amplia WCE](https://app.tidalcyber.com/references/790ea33a-7a64-488e-ab90-d82e021e0c06)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0005", "source": "MITRE", "tags": [ "1d306cbd-9894-4322-a233-b1576b8e25ba" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" }, { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" }, { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" }, { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "type": "similar" } ], "uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5", "value": "Windows Credential Editor" }, { "description": "[WINDSHIELD](https://app.tidalcyber.com/software/ed50dcf7-e283-451e-95b1-a8485f8dd214) is a signature backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). 
[[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)]", "meta": { "software_attack_id": "S0155", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" }, { "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "type": "similar" } ], "uuid": "ed50dcf7-e283-451e-95b1-a8485f8dd214", "value": "WINDSHIELD" }, { "description": "[WindTail](https://app.tidalcyber.com/software/3afe711d-ed58-4c94-a9b6-9c847e1e8a2f) is a macOS surveillance implant used by [Windshift](https://app.tidalcyber.com/groups/4e880d01-313a-4926-8470-78c48824aa82). [WindTail](https://app.tidalcyber.com/software/3afe711d-ed58-4c94-a9b6-9c847e1e8a2f) shares code similarities with Hack Back aka KitM OSX.[[SANS Windshift August 2018](https://app.tidalcyber.com/references/97eac0f2-d528-4f7c-8425-7531eae4fc39)][[objective-see windtail1 dec 2018](https://app.tidalcyber.com/references/7a32c962-8050-45de-8b90-8644be5109d9)][[objective-see windtail2 jan 2019](https://app.tidalcyber.com/references/e6bdc679-ee0c-4f34-b5bc-0d6a26485b36)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0466", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "4e880d01-313a-4926-8470-78c48824aa82", "type": "used-by" }, { "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "type": "similar" } ], "uuid": "3afe711d-ed58-4c94-a9b6-9c847e1e8a2f", "value": "WindTail" }, { "description": "[WINERACK](https://app.tidalcyber.com/software/5f994df7-55b0-4383-8ebc-506d4987292a) is a backdoor used by [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66). 
[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", "meta": { "software_attack_id": "S0219", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" }, { "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", "type": "similar" } ], "uuid": "5f994df7-55b0-4383-8ebc-506d4987292a", "value": "WINERACK" }, { "description": "[Winexe](https://app.tidalcyber.com/software/65d5b524-0e84-417d-9884-e2c501abfacd) is a lightweight, open source tool similar to [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) designed to allow system administrators to execute commands on remote servers. [[Winexe Github Sept 2013](https://app.tidalcyber.com/references/7003e2d4-83e5-4672-aaa9-53cc4bcb08b5)] [Winexe](https://app.tidalcyber.com/software/65d5b524-0e84-417d-9884-e2c501abfacd) is unique in that it is a GNU/Linux based client. [[Überwachung APT28 Forfiles June 2015](https://app.tidalcyber.com/references/3b85fff0-88d8-4df6-af0b-66e57492732e)]", "meta": { "software_attack_id": "S0191", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "b534349f-55a4-41b8-9623-6707765c3c50", "type": "used-by" }, { "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", "type": "used-by" }, { "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "type": "similar" } ], "uuid": "65d5b524-0e84-417d-9884-e2c501abfacd", "value": "Winexe" }, { "description": "[Wingbird](https://app.tidalcyber.com/software/3e70078f-407e-4b03-b604-bdc05b372f37) is a backdoor that appears to be a version of commercial software [FinFisher](https://app.tidalcyber.com/software/41f54ce1-842c-428a-977f-518a5b63b4d7). It is reportedly used to attack individual computers instead of networks. 
It was used by [NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) in a May 2016 campaign. [[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)] [[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0176", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c", "type": "used-by" }, { "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "type": "similar" } ], "uuid": "3e70078f-407e-4b03-b604-bdc05b372f37", "value": "Wingbird" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Package Manager tool\n\n**Author:** Paul Sanders\n\n**Paths:**\n* C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps\\winget.exe\n\n**Resources:**\n* [https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html](https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html)\n* [https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended](https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended)\n\n**Detection:**\n* IOC: winget.exe spawned with local manifest file\n* IOC: Sysmon Event ID 1 - Process Creation\n* Analysis: [https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html](https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html)\n* Sigma: [proc_creation_win_winget_local_install_via_manifest.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml)[[winget.exe 
- LOLBAS Project](/references/5ef334f3-fe6f-4cc1-b37d-d147180a8b8d)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5174", "source": "Tidal Cyber", "tags": [ "61f778ca-b2f1-4877-b0f5-fd5e87b6ddab", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "6c4e7a00-0151-490c-8a41-98981d355725", "value": "winget" }, { "description": "[WinMM](https://app.tidalcyber.com/software/e10423c2-71a7-4878-96ba-343191136c19) is a full-featured, simple backdoor used by [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d). [[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0059", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" }, { "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "type": "similar" } ], "uuid": "e10423c2-71a7-4878-96ba-343191136c19", "value": "WinMM" }, { "description": "[Winnti for Linux](https://app.tidalcyber.com/software/e384e711-0796-4cbc-8854-8c3f939faf57) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b). 
The Windows variant is tracked separately under [Winnti for Windows](https://app.tidalcyber.com/software/245c216e-41c3-4dec-8b23-bfc7c6a46d6e).[[Chronicle Winnti for Linux May 2019](https://app.tidalcyber.com/references/e815e47a-c924-4b03-91e5-d41f2bb74773)]", "meta": { "platforms": [ "Linux" ], "software_attack_id": "S0430", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" }, { "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", "type": "similar" } ], "uuid": "e384e711-0796-4cbc-8854-8c3f939faf57", "value": "Winnti for Linux" }, { "description": "[Winnti for Windows](https://app.tidalcyber.com/software/245c216e-41c3-4dec-8b23-bfc7c6a46d6e) is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to by the same name, [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).[[Kaspersky Winnti April 2013](https://app.tidalcyber.com/references/2d4834b9-61c4-478e-919a-317d97cd2c36)][[Microsoft Winnti Jan 2017](https://app.tidalcyber.com/references/6b63fac9-4bde-4fc8-a016-e77c8485fab7)][[Novetta Winnti April 2015](https://app.tidalcyber.com/references/cbe8373b-f14b-4890-99fd-35ffd7090dea)][[401 TRG Winnti Umbrella May 2018](https://app.tidalcyber.com/references/e3f1f2e4-dc1c-4d9c-925d-47013f44a69f)]. 
The Linux variant is tracked separately under [Winnti for Linux](https://app.tidalcyber.com/software/e384e711-0796-4cbc-8854-8c3f939faf57).[[Chronicle Winnti for Linux May 2019](https://app.tidalcyber.com/references/e815e47a-c924-4b03-91e5-d41f2bb74773)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0141", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" }, { "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "type": "similar" } ], "uuid": "245c216e-41c3-4dec-8b23-bfc7c6a46d6e", "value": "Winnti for Windows" }, { "description": "According to its website, WinRAR is a \"data compression, encryption and archiving tool for Windows\", which is designed to process RAR and ZIP files.[[WinRAR Website](/references/ad620d61-108c-4bb0-a897-02764ea9a903)] It is known to be abused by threat actors in order to archive (compress) files prior to their exfiltration from victim environments.[[U.S. CISA Play Ransomware December 2023](/references/ad96148c-8230-4923-86fd-4b1da211db1a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5081", "source": "Tidal Cyber", "tags": [ "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "c45ce044-b5b9-426a-866c-130e9f2a4427", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "23d0545e-45fa-4f0a-957e-deb923039c80" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { 
"dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" } ], "uuid": "d9792748-b81a-4d82-a45e-de05c2a23dbf", "value": "WinRAR" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Script used to manage Windows Remote Management (WinRM) settings\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\winrm.vbs\n* C:\\Windows\\SysWOW64\\winrm.vbs\n\n**Resources:**\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://www.youtube.com/watch?v=3gz1QmiMhss](https://www.youtube.com/watch?v=3gz1QmiMhss)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n* [https://redcanary.com/blog/lateral-movement-winrm-wmi/](https://redcanary.com/blog/lateral-movement-winrm-wmi/)\n* [https://twitter.com/bohops/status/994405551751815170](https://twitter.com/bohops/status/994405551751815170)\n* [https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404](https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404)\n* [https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf)\n\n**Detection:**\n* Sigma: [proc_creation_win_winrm_awl_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml)\n* 
Sigma: [proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml)\n* Sigma: [file_event_win_winrm_awl_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[winrm.vbs - LOLBAS Project](/references/86107810-8a1d-4c13-80f0-c1624143d057)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5263", "source": "Tidal Cyber", "tags": [ "2eecd309-e75d-4f7b-8f6f-e11213f48b12", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "8807e10c-dc1b-4dab-8f60-c03a85c18873", "value": "winrm" }, { "description": "WinSCP is a tool used to facilitate file transfer using the Secure Shell (SSH) File Transfer Protocol (SFTP) for Microsoft Windows.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5046", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "8bf128ad-288b-41bc-904f-093f4fdde745", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "af5e9be5-b86e-47af-91dd-966a5e34a186", "758c3085-2f79-40a8-ab95-f8a684737927", "2185ed93-7e1c-4553-9452-c8411b5dca93", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "35e694ec-5133-46e3-b7e1-5831867c3b55", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" }, { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "0fcb2205-e75b-46c9-ac54-00f218d5e331", "type": "used-by" }, { "dest-uuid": "6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3", "type": "used-by" }, { "dest-uuid": "cca12ba9-f65f-4a29-87ab-a9fc0f99521f", "type": "used-by" }, { "dest-uuid": "b07431f8-fcf0-4204-8e7c-138eb5cd5342", "type": "used-by" } ], "uuid": "3ded75ea-b253-48cd-94e7-aef53e0d1e31", "value": "WinSCP" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries 
(LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary\n\n**Author:** Reegun J (OCBC Bank)\n\n**Paths:**\n* C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\winword.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\winword.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\winword.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\winword.exe\n\n**Resources:**\n* [https://twitter.com/reegun21/status/1150032506504151040](https://twitter.com/reegun21/status/1150032506504151040)\n* [https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_office_arbitrary_cli_download.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml)\n* IOC: Suspicious Office application Internet/network traffic[[Winword.exe - LOLBAS Project](/references/6d75b154-a51d-4541-8353-22ee1d12ebed)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5250", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", "228354f0-c709-4a16-a489-c5098ae06c17", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" } ], "uuid": "7adaeb79-087f-4d65-8f8f-d4689755b107", "value": "Winword" }, { "description": "[Wiper](https://app.tidalcyber.com/software/627e05c2-c02e-433e-9288-c2d78bce156f) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. [[Dell Wiper](https://app.tidalcyber.com/references/be6629ef-e7c6-411c-9bd2-34e59062cadd)]", "meta": { "software_attack_id": "S0041", "source": "MITRE", "tags": [ "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", "type": "similar" } ], "uuid": "627e05c2-c02e-433e-9288-c2d78bce156f", "value": "Wiper" }, { "description": "[WIREFIRE](https://app.tidalcyber.com/software/93b02819-8acc-5d7d-ad11-abb33f9309cc) is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. 
[WIREFIRE](https://app.tidalcyber.com/software/93b02819-8acc-5d7d-ad11-abb33f9309cc) was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) for downloading files and command execution.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1115", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9", "type": "similar" } ], "uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc", "value": "WIREFIRE" }, { "description": "Wireshark is a popular open-source packet analyzer utility.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Linux", "macOS", "Windows" ], "software_attack_id": "S5269", "source": "Tidal Cyber", "tags": [ "dbe18a6a-c8f9-451e-837e-5a7f25dcf913", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "cd1b5d44-226e-4405-8985-800492cf2865" ], "type": [ "tool" ] }, "related": [], "uuid": "804da3b9-9c3a-4937-aa4a-efddfa5c176e", "value": "Wireshark" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Logon Reminder executable\n\n**Author:** Moshe Kaplan\n\n**Paths:**\n* c:\\windows\\system32\\wlrmdr.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1493963591745220608](https://twitter.com/0gtweet/status/1493963591745220608)\n* [https://twitter.com/Oddvarmoe/status/927437787242090496](https://twitter.com/Oddvarmoe/status/927437787242090496)\n* [https://twitter.com/falsneg/status/1461625526640992260](https://twitter.com/falsneg/status/1461625526640992260)\n* 
[https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw](https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_wlrmdr.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml)\n* IOC: wlrmdr.exe spawning any new processes[[Wlrmdr.exe - LOLBAS Project](/references/43bebdc3-3072-4a3d-a0b7-0b23f1119136)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5175", "source": "Tidal Cyber", "tags": [ "ebf92004-6e43-434c-8380-3671cf3640a2", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "f3eb99a8-b7b5-4e90-8e99-3f38309402c0", "value": "Wlrmdr" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The WMI command-line (WMIC) utility provides a command-line interface for WMI\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\wbem\\wmic.exe\n* C:\\Windows\\SysWOW64\\wbem\\wmic.exe\n\n**Resources:**\n* [https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory](https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory)\n* [https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html](https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html)\n* [https://twitter.com/subTee/status/986234811944648707](https://twitter.com/subTee/status/986234811944648707)\n\n**Detection:**\n* Sigma: 
[image_load_wmic_remote_xsl_scripting_dlls.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml)\n* Sigma: [proc_creation_win_wmic_xsl_script_processing.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml)\n* Sigma: [proc_creation_win_wmic_squiblytwo_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml)\n* Sigma: [proc_creation_win_wmic_eventconsumer_creation.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml)\n* Elastic: [defense_evasion_suspicious_wmi_script.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml)\n* Elastic: [persistence_via_windows_management_instrumentation_event_subscription.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [xsl_script_execution_with_wmic.yml](https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/xsl_script_execution_with_wmic.yml)\n* Splunk: [remote_wmi_command_attempt.yml](https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_wmi_command_attempt.yml)\n* Splunk: 
[remote_process_instantiation_via_wmi.yml](https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_process_instantiation_via_wmi.yml)\n* Splunk: [process_execution_via_wmi.yml](https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/endpoint/process_execution_via_wmi.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Wmic retrieving scripts from remote system/Internet location\n* IOC: DotNet CLR libraries loaded into wmic.exe\n* IOC: DotNet CLR Usage Log - wmic.exe.log[[LOLBAS Wmic](/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5176", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "9988b5fd-6235-4a8e-bb8e-d9124ead11d4", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "05cd82bb-f8fc-40f3-83ba-1586ef953d05", "type": "used-by" }, { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" }, { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" }, { "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", "type": "used-by" }, { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": 
"used-by" }, { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" }, { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" } ], "uuid": "24f3b066-a533-4b6c-a590-313a67154ba0", "value": "Wmic" }, { "description": " [Woody RAT](https://app.tidalcyber.com/software/1f374a54-c839-5139-b755-555c66a21c12) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.[[MalwareBytes WoodyRAT Aug 2022](https://app.tidalcyber.com/references/5c2ecb15-14e9-5bd3-be5f-628fa4e98ee6)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S1065", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", "type": "similar" } ], "uuid": "1f374a54-c839-5139-b755-555c66a21c12", "value": "Woody RAT" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Work Folders\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\WorkFolders.exe\n\n**Resources:**\n* [https://www.ctus.io/2021/04/12/exploading/](https://www.ctus.io/2021/04/12/exploading/)\n* [https://twitter.com/ElliotKillick/status/1449812843772227588](https://twitter.com/ElliotKillick/status/1449812843772227588)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_workfolders.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml)\n* IOC: WorkFolders.exe should not be run on a normal workstation[[WorkFolders.exe - LOLBAS Project](/references/42cfa3eb-7a8c-482e-b8d8-78ae5c30b843)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5177", "source": "Tidal Cyber", "tags": [ 
"b5581207-a45f-4f7f-b637-14444d716ad1", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "7720f60a-5c03-4241-b635-6313eceb3307", "value": "WorkFolders" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute scripts\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\wscript.exe\n* C:\\Windows\\SysWOW64\\wscript.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_wscript_cscript_script_exec.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Sigma: [image_load_susp_script_dotnet_clr_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml)\n* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)\n* Elastic: [command_and_control_remote_file_copy_scripts.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml)\n* Elastic: 
[defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [wscript_or_cscript_suspicious_child_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Wscript.exe executing code from alternate data streams\n* IOC: DotNet CLR libraries loaded into wscript.exe\n* IOC: DotNet CLR Usage Log - wscript.exe.log[[Wscript.exe - LOLBAS Project](/references/6c536675-84dd-44c3-8771-70120b413db7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5178", "source": "Tidal Cyber", "tags": [ "b4520b56-73e3-43fd-9f0d-70191132b451", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" }, { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" } ], "uuid": "be8d1032-3452-4d44-83cb-c7ece7d5a052", "value": "Wscript" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows subsystem for Linux executable\n\n**Author:** Matthew Brown\n\n**Paths:**\n* C:\\Windows\\System32\\wsl.exe\n\n**Resources:**\n* 
[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* [https://twitter.com/nas_bench/status/1535431474429808642](https://twitter.com/nas_bench/status/1535431474429808642)\n\n**Detection:**\n* Sigma: [proc_creation_win_wsl_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Child process from wsl.exe[[Wsl.exe - LOLBAS Project](/references/c147902a-e8e4-449f-8106-9e268d5367d8)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5251", "source": "Tidal Cyber", "tags": [ "96ebb518-7c1f-4011-a3ec-42aa78a95e4f", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "9663965e-0fd1-45c3-a138-c7539ed91832", "value": "Wsl" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to reset Windows Store settings according to its manifest file\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\wsreset.exe\n\n**Resources:**\n* 
[https://www.activecyber.us/activelabs/windows-uac-bypass](https://www.activecyber.us/activelabs/windows-uac-bypass)\n* [https://twitter.com/ihack4falafel/status/1106644790114947073](https://twitter.com/ihack4falafel/status/1106644790114947073)\n* [https://github.com/hfiref0x/UACME/blob/master/README.md](https://github.com/hfiref0x/UACME/blob/master/README.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_uac_bypass_wsreset_integrity_level.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml)\n* Sigma: [proc_creation_win_uac_bypass_wsreset.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml)\n* Sigma: [registry_event_bypass_via_wsreset.yml#](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml#)\n* Splunk: [wsreset_uac_bypass.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml)\n* IOC: wsreset.exe launching child process other than mmc.exe\n* IOC: Creation or modification of the registry value HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\n* IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen[[Wsreset.exe - LOLBAS Project](/references/24b73a27-f2ec-4cfa-a9df-59d4d4c1dd89)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5179", "source": "Tidal Cyber", "tags": [ "291fab5d-e732-4b19-83e4-ee642b2ae0f0", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "b75e4dcf-62ed-44cc-b9d2-d6d1b90955a8", "value": "Wsreset" }, { "description": "This object contains information sourced from the [Living Off 
The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Terminal\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_\\wt.exe\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1552100271668469761](https://twitter.com/nas_bench/status/1552100271668469761)\n\n**Detection:**\n* Sigma: [proc_creation_win_windows_terminal_susp_children.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml)[[wt.exe - LOLBAS Project](/references/bbdd85b0-fdbb-4bd2-b962-a915c23c83c2)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5184", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "a34b303e-e8bb-48b2-85e0-f6e2620d68ab", "value": "wt" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Update Client\n\n**Author:** David Middlehurst\n\n**Paths:**\n* C:\\Windows\\System32\\wuauclt.exe\n\n**Resources:**\n* [https://dtm.uk/wuauclt/](https://dtm.uk/wuauclt/)\n\n**Detection:**\n* Sigma: [net_connection_win_wuauclt_network_connection.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml)\n* Sigma: 
[proc_creation_win_lolbin_wuauclt.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml)\n* Sigma: [proc_creation_win_wuauclt_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml)\n* IOC: wuauclt run with a parameter of a DLL path\n* IOC: Suspicious wuauclt Internet/network connections[[wuauclt.exe - LOLBAS Project](/references/09229ea3-ffd8-4d97-9728-f8c683ef6f26)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5180", "source": "Tidal Cyber", "tags": [ "03f0e493-63ae-47b5-8353-238390a895a8", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" } ], "uuid": "06fe608d-a517-492f-8557-cfb820984146", "value": "wuauclt" }, { "description": "[XAgentOSX](https://app.tidalcyber.com/software/6f411b69-6643-4cc7-9cbd-e15d9219e99c) is a trojan that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) on OS X and appears to be a port of their standard [CHOPSTICK](https://app.tidalcyber.com/software/01c6c49a-f7c8-44cd-a377-4dfd358ffeba) or XAgent trojan. 
[[XAgentOSX 2017](https://app.tidalcyber.com/references/2dc7a8f1-ccee-46f0-a995-268694f11b02)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0161", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "type": "similar" } ], "uuid": "6f411b69-6643-4cc7-9cbd-e15d9219e99c", "value": "XAgentOSX" }, { "description": "[Xbash](https://app.tidalcyber.com/software/ab442140-0761-4227-bd9e-151da5d0a04f) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://app.tidalcyber.com/software/ab442140-0761-4227-bd9e-151da5d0a04f) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[[Unit42 Xbash Sept 2018](https://app.tidalcyber.com/references/21b890f7-82db-4840-a05e-2155b8ddce8c)]", "meta": { "platforms": [ "Linux", "Windows" ], "software_attack_id": "S0341", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "type": "similar" } ], "uuid": "ab442140-0761-4227-bd9e-151da5d0a04f", "value": "Xbash" }, { "description": "[xCaon](https://app.tidalcyber.com/software/11a0dff4-1dc8-4553-8a38-90a07b01bfcd) is an HTTP variant of the [BoxCaon](https://app.tidalcyber.com/software/d3e46011-3433-426c-83b3-61c2576d5f71) malware family that has been used by [IndigoZebra](https://app.tidalcyber.com/groups/988f5312-834e-48ea-93b7-e6e01ee0938d) since at least 2014. 
[xCaon](https://app.tidalcyber.com/software/11a0dff4-1dc8-4553-8a38-90a07b01bfcd) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[[Checkpoint IndigoZebra July 2021](https://app.tidalcyber.com/references/cf4a8c8c-eab1-421f-b313-344aed03b42d)][[Securelist APT Trends Q2 2017](https://app.tidalcyber.com/references/fe28042c-d289-463f-9ece-1a75a70b966e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0653", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" }, { "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1", "type": "similar" } ], "uuid": "11a0dff4-1dc8-4553-8a38-90a07b01bfcd", "value": "xCaon" }, { "description": "[xCmd](https://app.tidalcyber.com/software/d943d3d9-3a99-464f-94f0-95aa7963d858) is an open source tool that is similar to [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) and allows the user to execute applications on remote systems. [[xCmd](https://app.tidalcyber.com/references/430fc6ef-33c5-4cd8-b785-358e4aae5230)]", "meta": { "software_attack_id": "S0123", "source": "MITRE", "type": [ "tool" ] }, "related": [ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" }, { "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", "type": "similar" } ], "uuid": "d943d3d9-3a99-464f-94f0-95aa7963d858", "value": "xCmd" }, { "description": "xcopy is a Windows tool used to copy files and directories, including subdirectories, with a variety of options. 
According to Microsoft, the `xcopy` command \"creates files with the archive attribute set, whether or not this attribute was set in the source file\".[[xcopy Microsoft](/references/05e01751-ebb4-4b09-be89-4e405ab7e7e4)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5019", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", "af5e9be5-b86e-47af-91dd-966a5e34a186", "35e694ec-5133-46e3-b7e1-5831867c3b55", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, { "dest-uuid": "3290dcb9-5781-4b87-8fa0-6ae820e152cd", "type": "used-by" } ], "uuid": "84954209-1e2a-48dd-ba17-0f015f6de3ef", "value": "xcopy" }, { "description": "[XCSSET](https://app.tidalcyber.com/software/3672ecfa-20bf-4d69-948d-876be343563f) is a macOS modular backdoor that targets Xcode application developers. 
[XCSSET](https://app.tidalcyber.com/software/3672ecfa-20bf-4d69-948d-876be343563f) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.[[trendmicro xcsset xcode project 2020](https://app.tidalcyber.com/references/0194bb11-8b97-4d61-8ddb-824077edc7db)]", "meta": { "platforms": [ "macOS" ], "software_attack_id": "S0658", "source": "MITRE", "tags": [ "4a457eb3-e404-47e5-b349-8b1f743dc657", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f", "type": "similar" } ], "uuid": "3672ecfa-20bf-4d69-948d-876be343563f", "value": "XCSSET" }, { "description": "Researchers discovered an updated macOS variant of the XLoader stealer/botnet malware, which is programmed in C and Objective C and signed with an Apple developer signature.[[SentinelOne 8 21 2023](/references/fc9b3eac-a638-4b84-92ae-591bc16a845e)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "macOS" ], "software_attack_id": "S5317", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "5ced31ef-8e03-4125-be9b-922dac49bfa2", "value": "Xloader (macOS Variant)" }, { "description": "XMRig is an open-source tool that uses the resources of the running system to mine Monero cryptocurrency. According to U.S. cybersecurity authorities, \"XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active\".[[U.S. 
CISA Trends June 30 2020](/references/b97e9a02-4cc5-4845-8058-0be4c566cd7c)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5064", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "291c006e-f77a-4c9c-ae7e-084974c0e1eb", "4fa6f8e1-b0d5-4169-8038-33e355c08bde", "efa33611-88a5-40ba-9bc4-3d85c6c8819b", "8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e" ], "type": [ "tool" ] }, "related": [ { "dest-uuid": "b82c6ed1-c74a-4128-8b4d-18d1e17e1134", "type": "used-by" }, { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" } ], "uuid": "1491c020-6449-48e7-8ebf-abf7b71fbc97", "value": "XMRig" }, { "description": "According to joint Cybersecurity Advisory AA23-250A (September 2023), Xpack is a malicious, \"custom .NET loader that decrypts (AES), loads, and executes accompanying files\".[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5048", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [], "uuid": "19e7e967-7d0a-4930-8ef9-11a43dcb081d", "value": "Xpack" }, { "description": "[XTunnel](https://app.tidalcyber.com/software/133136f0-7254-4cec-8710-0ab99d5da4e5) is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) during the compromise of the Democratic National Committee. 
[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)] [[Invincea XTunnel](https://app.tidalcyber.com/references/43773784-92b8-4722-806c-4b1fc4278bb0)] [[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0117", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "type": "similar" } ], "uuid": "133136f0-7254-4cec-8710-0ab99d5da4e5", "value": "XTunnel" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute custom class that has been added to the registry or download a file with Xwizard.exe\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\xwizard.exe\n* C:\\Windows\\SysWOW64\\xwizard.exe\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/](http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/)\n* [https://www.youtube.com/watch?v=LwDHX7DVHWU](https://www.youtube.com/watch?v=LwDHX7DVHWU)\n* [https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5](https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5)\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://twitter.com/notwhickey/status/1306023056847110144](https://twitter.com/notwhickey/status/1306023056847110144)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_class_exec_xwizard.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml)\n* Sigma: [proc_creation_win_lolbin_dll_sideload_xwizard.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml)\n* Elastic: [execution_com_object_xwizard.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_com_object_xwizard.toml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)[[Xwizard.exe - LOLBAS Project](/references/573df5d1-83e7-4437-bdad-604f093b3cfd)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5181", "source": "Tidal Cyber", "tags": [ "c37d2f5f-91da-43c6-869e-192bf0e0ae90", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "d5663ff2-904b-42d6-b4d8-672017d91de2", "value": "Xwizard" }, { "description": "XWorm is a Remote Access Trojan (RAT)/Backdoor malware.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5290", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [], "uuid": "15a19d45-8f31-4ee4-ba01-0c8c1f24a67b", "value": "Xworm" }, { "description": "[YAHOYAH](https://app.tidalcyber.com/software/0844bc42-5c29-47c3-b1b3-6bfffbf1732a) is a Trojan used by [Tropic 
Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) as a second-stage backdoor.[[TrendMicro TropicTrooper 2015](https://app.tidalcyber.com/references/65d1f980-1dc2-4d36-8148-2d8747a39883)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0388", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" }, { "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", "type": "similar" } ], "uuid": "0844bc42-5c29-47c3-b1b3-6bfffbf1732a", "value": "YAHOYAH" }, { "description": "YouieLoad is an intermediate-stage malware used by the North Korean threat actor Moonstone Sleet mainly for payload execution purposes. It is also capable of performing system reconnaissance.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5323", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "84615fe0-c2a5-4e07-8957-78ebc29b4635", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "3b8a2c50-5d8e-49b4-bd50-10ae66ca6c72", "type": "used-by" } ], "uuid": "2992159c-d71c-48cf-8302-020f90332390", "value": "YouieLoad" }, { "description": "[yty](https://app.tidalcyber.com/software/e0962ff7-5524-4683-9b95-0e4ba07dccb2) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. 
[[ASERT Donot March 2018](https://app.tidalcyber.com/references/a1b987cc-7789-411c-9673-3cf6357b207c)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0248", "source": "MITRE", "tags": [ "16b47583-1c54-431f-9f09-759df7b5ddb7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", "type": "similar" } ], "uuid": "e0962ff7-5524-4683-9b95-0e4ba07dccb2", "value": "yty" }, { "description": "[Zebrocy](https://app.tidalcyber.com/software/e317b8a6-1722-4017-be33-717a5a93ef1c) is a Trojan that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)][[Unit42 Cannon Nov 2018](https://app.tidalcyber.com/references/8c634bbc-4878-4b27-aa18-5996ec968809)][[Unit42 Sofacy Dec 2018](https://app.tidalcyber.com/references/540c4c33-d4c2-4324-94cd-f57646666e32)][[CISA Zebrocy Oct 2020](https://app.tidalcyber.com/references/b7518c4d-6c10-43d2-8e57-d354fb8d4a99)] ", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0251", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" }, { "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", "type": "similar" } ], "uuid": "e317b8a6-1722-4017-be33-717a5a93ef1c", "value": "Zebrocy" }, { "description": "[Zeroaccess](https://app.tidalcyber.com/software/2f52b513-5293-4833-9c4d-b120e7a84341) is a kernel-mode [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. 
[[Sophos ZeroAccess](https://app.tidalcyber.com/references/41b51767-62f1-45c2-98cb-47c44c975a58)]", "meta": { "software_attack_id": "S0027", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "552462b9-ae79-49dd-855c-5973014e157f", "type": "similar" } ], "uuid": "2f52b513-5293-4833-9c4d-b120e7a84341", "value": "Zeroaccess" }, { "description": "[ZeroT](https://app.tidalcyber.com/software/f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd) is a Trojan used by [TA459](https://app.tidalcyber.com/groups/e343c1f1-458c-467b-bc4a-c1b97b2127e3), often in conjunction with [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). [[Proofpoint TA459 April 2017](https://app.tidalcyber.com/references/dabad6df-1e31-4c16-9217-e079f2493b02)] [[Proofpoint ZeroT Feb 2017](https://app.tidalcyber.com/references/63787035-f136-43e1-b445-22853bbed92b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0230", "source": "MITRE", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" }, { "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", "type": "similar" } ], "uuid": "f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd", "value": "ZeroT" }, { "description": "[Zeus Panda](https://app.tidalcyber.com/software/be8add13-40d7-495e-91eb-258d3a4711bc) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://app.tidalcyber.com/software/be8add13-40d7-495e-91eb-258d3a4711bc)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. 
It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[[Talos Zeus Panda Nov 2017](https://app.tidalcyber.com/references/f96711d4-010d-4d7e-8074-31dd1b41c54d)][[GDATA Zeus Panda June 2017](https://app.tidalcyber.com/references/2d9a6957-5645-4863-968b-4a3c8736564b)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0330", "source": "MITRE", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "198db886-47af-4f4c-bff5-11b891f85946", "type": "similar" } ], "uuid": "be8add13-40d7-495e-91eb-258d3a4711bc", "value": "Zeus Panda" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Compressed Folder library\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\zipfldr.dll\n* c:\\windows\\syswow64\\zipfldr.dll\n\n**Resources:**\n* [https://twitter.com/moriarty_meng/status/977848311603380224](https://twitter.com/moriarty_meng/status/977848311603380224)\n* [https://twitter.com/bohops/status/997896811904929792](https://twitter.com/bohops/status/997896811904929792)\n* [https://windows10dll.nirsoft.net/zipfldr_dll.html](https://windows10dll.nirsoft.net/zipfldr_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Zipfldr.dll - LOLBAS Project](/references/3bee0640-ea48-4164-be57-ac565d8cbea7)]", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5201", "source": "Tidal Cyber", "tags": [ "0d0098b4-e159-4502-973d-714011ba605f", "303a3675-4855-4323-b042-95bb1d907cca", 
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], "type": [ "tool" ] }, "related": [], "uuid": "34d0c5b5-f6e1-41e9-9061-cf9d36fe61c8", "value": "Zipfldr" }, { "description": "[ZIPLINE](https://app.tidalcyber.com/software/976a7797-3008-5316-9e28-19c9a05959d0) is a passive backdoor that was used during [Cutting Edge](https://app.tidalcyber.com/campaigns/4e605e33-57fe-5bb2-b0ad-ec146aac041b) on compromised Secure Connect VPNs for reverse shell and proxy functionality.[[Mandiant Cutting Edge January 2024](https://app.tidalcyber.com/references/9d9ec923-89c1-5155-ae6e-98d4776d4250)]", "meta": { "platforms": [ "Network" ], "software_attack_id": "S1114", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", "type": "similar" } ], "uuid": "976a7797-3008-5316-9e28-19c9a05959d0", "value": "ZIPLINE" }, { "description": "[ZLib](https://app.tidalcyber.com/software/1ac8d363-2903-43da-9c1d-2b28179638c8) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://app.tidalcyber.com/campaigns/af0c0f55-dc4f-4cb5-9350-3a2d7c07595f) since at least 2014. [ZLib](https://app.tidalcyber.com/software/1ac8d363-2903-43da-9c1d-2b28179638c8) is malware and should not be confused with the legitimate compression library from which its name is derived.[[Cylance Dust Storm](https://app.tidalcyber.com/references/001dd53c-74e6-4add-aeb7-da76b0d2afe8)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0086", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "type": "similar" } ], "uuid": "1ac8d363-2903-43da-9c1d-2b28179638c8", "value": "ZLib" }, { "description": "Zloader originated in 2016 as a modular banking trojan based on the popular Zeus malware. 
It has evolved in the years since to be used as an important distribution mechanism for various other malware, including ransomware.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]\n\nThis object represents a collection of MITRE ATT&CK® Techniques associated with Zloader binaries. Techniques used by various actors to distribute Zloader can be found in the separate \"Zloader Threat Actors\" Group object.", "meta": { "owner": "TidalCyberIan", "platforms": [ "Windows" ], "software_attack_id": "S5312", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "39357cc1-dbb1-49e4-9fe0-ff24032b94d5", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "2feda37d-5579-4102-a073-aa02e82cb49f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "d2fd3da1-e49c-4273-9add-3d15afc3b837", "type": "used-by" } ], "uuid": "a106fb66-bd68-40cc-9374-8b59234a0cec", "value": "Zloader" }, { "description": "[Zox](https://app.tidalcyber.com/software/75dd9acb-fcff-4b0b-b45b-f943fb589d78) is a remote access tool that has been used by [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) since at least 2008.[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0672", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", "type": "similar" } ], "uuid": "75dd9acb-fcff-4b0b-b45b-f943fb589d78", "value": "Zox" }, { "description": "[zwShell](https://app.tidalcyber.com/software/49314d4e-dc04-456f-918e-a3bedfc3192a) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://app.tidalcyber.com/campaigns/85f136b3-d5a3-4c4c-a37c-40e4418dc989).[[McAfee Night 
Dragon](https://app.tidalcyber.com/references/242d2933-ca2b-4511-803a-454727a3acc5)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0350", "source": "MITRE", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", "type": "similar" } ], "uuid": "49314d4e-dc04-456f-918e-a3bedfc3192a", "value": "zwShell" }, { "description": "[ZxShell](https://app.tidalcyber.com/software/eea89ff2-036d-4fa6-bbed-f89502c62318) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)][[Talos ZxShell Oct 2014](https://app.tidalcyber.com/references/41c20013-71b3-4957-98f0-fb919014c93e)]", "meta": { "platforms": [ "Windows" ], "software_attack_id": "S0412", "source": "MITRE", "tags": [ "febea5b6-2ea2-402b-8bec-f3f5b3f73c59" ], "type": [ "malware" ] }, "related": [ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" }, { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" }, { "dest-uuid": "4173c301-0307-458d-89dd-2583e94247ec", "type": "used-by" }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" }, { "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "type": "similar" } ], "uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318", "value": "ZxShell" }, { "description": "[ZxxZ](https://app.tidalcyber.com/software/91e1ee26-d6ae-4203-a466-93c9e5019b47) is a trojan written in Visual C++ that has been used by [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) since at least August 2021, including against Bangladeshi government personnel.[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)]", "meta": { "platforms": [ "Windows" ], 
"software_attack_id": "S1013", "source": "MITRE", "type": [ "malware" ] }, "related": [ { "dest-uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025", "type": "used-by" }, { "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d", "type": "similar" } ], "uuid": "91e1ee26-d6ae-4203-a466-93c9e5019b47", "value": "ZxxZ" } ], "version": 1 }