{
"authors": [
"MITRE"
],
"category": "tool",
"description": "Name of ATT&CK software",
"name": "mitre-tool",
"source": "https://github.com/mitre/cti",
"type": "mitre-tool",
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
"values": [
{
"description": "[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)",
"meta": {
"external_id": "S0005",
"mitre_platforms": [
"Windows"
],
"refs": [
"http://www.ampliasecurity.com/research/wcefaq.html",
"https://attack.mitre.org/software/S0005"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
]
},
"related": [
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
}
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005"
},
{
"description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)",
"meta": {
"external_id": "S1063",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1063",
"https://bruteratel.com/",
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
"https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
"https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
],
"synonyms": [
"Brute Ratel C4",
"BRc4"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "uses"
},
{
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"type": "uses"
},
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"type": "uses"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"type": "uses"
},
{
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
"type": "uses"
},
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"type": "uses"
}
],
"uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5",
"value": "Brute Ratel C4 - S1063"
},
{
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0122",
"refs": [
"https://attack.mitre.org/software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
},
"related": [
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "uses"
}
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122"
},
{
"description": "[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)",
"meta": {
"external_id": "S0527",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0527",
"https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
],
"synonyms": [
"CSPY Downloader"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"type": "uses"
},
{
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"type": "uses"
},
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94",
"value": "CSPY Downloader - S0527"
},
{
"description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)",
"meta": {
"external_id": "S0434",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0434",
"https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/"
],
"synonyms": [
"Imminent Monitor"
]
},
"related": [
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"type": "uses"
},
{
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
"type": "uses"
}
],
"uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9",
"value": "Imminent Monitor - S0434"
},
{
"description": "[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)",
"meta": {
"external_id": "S0231",
"refs": [
"https://attack.mitre.org/software/S0231",
"https://github.com/peewpw/Invoke-PSImage"
],
"synonyms": [
"Invoke-PSImage"
]
},
"related": [
{
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
"type": "uses"
},
{
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
"type": "uses"
}
],
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
"value": "Invoke-PSImage - S0231"
},
{
"description": "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)",
"meta": {
"external_id": "S0100",
"refs": [
"https://attack.mitre.org/software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
}
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"value": "ipconfig - S0100"
},
{
"description": "[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)",
"meta": {
"external_id": "S0002",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://adsecurity.org/?page_id=1821",
"https://attack.mitre.org/software/S0002",
"https://github.com/gentilkiwi/mimikatz"
],
"synonyms": [
"Mimikatz"
]
},
"related": [
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"type": "uses"
},
{
"dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462",
"type": "uses"
},
{
"dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
"type": "uses"
},
{
"dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926",
"type": "uses"
},
{
"dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
"type": "uses"
},
{
"dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
"type": "uses"
},
{
"dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
"type": "uses"
},
{
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"type": "uses"
},
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "uses"
},
{
"dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
"type": "uses"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"value": "Mimikatz - S0002"
},
{
"description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)",
"meta": {
"external_id": "S0040",
"mitre_platforms": [
"Linux",
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
},
"related": [
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"type": "uses"
},
{
"dest-uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
}
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"value": "HTRAN - S0040"
},
{
"description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)",
"meta": {
"external_id": "S0500",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0500",
"https://www.secureworks.com/research/mcmd-malware-analysis"
],
"synonyms": [
"MCMD"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "975737f1-b10d-476f-8bda-3ec26ea57172",
"value": "MCMD - S0500"
},
{
"description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)",
"meta": {
"external_id": "S0006",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"synonyms": [
"pwdump"
]
},
"related": [
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
}
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
"value": "pwdump - S0006"
},
{
"description": "[gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)",
"meta": {
"external_id": "S0008",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0008",
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5"
],
"synonyms": [
"gsecdump"
]
},
"related": [
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
"value": "gsecdump - S0008"
},
{
"description": "[at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at)",
"meta": {
"external_id": "S0110",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0110",
"https://man7.org/linux/man-pages/man1/at.1p.html",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
]
},
"related": [
{
"dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
"type": "uses"
}
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"value": "at - S0110"
},
{
"description": "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)",
"meta": {
"external_id": "S0101",
"refs": [
"https://attack.mitre.org/software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
}
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
"value": "ifconfig - S0101"
},
{
"description": "[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0120",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Fgdump"
]
},
"related": [
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
}
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
"value": "Fgdump - S0120"
},
{
"description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)",
"meta": {
"external_id": "S0102",
"refs": [
"https://attack.mitre.org/software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
}
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"value": "nbtstat - S0102"
},
{
"description": "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)",
"meta": {
"external_id": "S0103",
"refs": [
"https://attack.mitre.org/software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
}
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"value": "route - S0103"
},
{
"description": "[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://attack.mitre.org/software/S0575) and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)",
"meta": {
"external_id": "S1040",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S1040",
"https://rclone.org",
"https://redcanary.com/blog/rclone-mega-extortion/",
"https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://unit42.paloaltonetworks.com/darkside-ransomware/"
],
"synonyms": [
"Rclone"
]
},
"related": [
{
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
"type": "uses"
},
{
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
"type": "uses"
},
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"type": "uses"
},
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "uses"
}
],
"uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79",
"value": "Rclone - S1040"
},
{
"description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
"meta": {
"external_id": "S0104",
"refs": [
"https://attack.mitre.org/software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat"
]
},
"related": [
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
}
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"value": "netstat - S0104"
},
{
"description": "[PcShare](https://attack.mitre.org/software/S1050) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)",
"meta": {
"external_id": "S1050",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1050",
"https://github.com/LiveMirror/pcshare",
"https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
],
"synonyms": [
"PcShare"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
"type": "uses"
},
{
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
}
],
"uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7",
"value": "PcShare - S1050"
},
{
"description": "[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.",
"meta": {
"external_id": "S0105",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
]
},
"related": [
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
}
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"value": "dsquery - S0105"
},
{
"description": "[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir
(Citation: TechNet Dir)), deleting files (e.g., del
(Citation: TechNet Del)), and copying files (e.g., copy
(Citation: TechNet Copy)).",
"meta": {
"external_id": "S0106",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"value": "cmd - S0106"
},
{
"description": "[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)",
"meta": {
"external_id": "S0160",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"synonyms": [
"certutil",
"certutil.exe"
]
},
"related": [
{
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"value": "certutil - S0160"
},
{
"description": "[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)",
"meta": {
"external_id": "S0108",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
]
},
"related": [
{
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed",
"type": "uses"
}
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"value": "netsh - S0108"
},
{
"description": "[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)",
"meta": {
"external_id": "S0190",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0190",
"https://msdn.microsoft.com/library/aa362813.aspx"
],
"synonyms": [
"BITSAdmin"
]
},
"related": [
{
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "uses"
},
{
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "uses"
}
],
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
"value": "BITSAdmin - S0190"
},
{
"description": "[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)",
"meta": {
"external_id": "S0250",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0250",
"https://github.com/zerosum0x0/koadic",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf"
],
"synonyms": [
"Koadic"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"type": "uses"
},
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
}
],
"uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4",
"value": "Koadic - S0250"
},
{
"description": "[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)",
"meta": {
"external_id": "S0029",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/"
],
"synonyms": [
"PsExec"
]
},
"related": [
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "uses"
},
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"type": "uses"
},
{
"dest-uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"type": "uses"
},
{
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
}
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"value": "PsExec - S0029"
},
{
"description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using net use
commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user
.",
"meta": {
"external_id": "S0039",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
]
},
"related": [
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"type": "uses"
},
{
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
"type": "uses"
},
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"type": "uses"
},
{
"dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"type": "uses"
}
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"value": "Net - S0039"
},
{
"description": "[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)",
"meta": {
"external_id": "S0404",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0404",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)"
],
"synonyms": [
"esentutl",
"esentutl.exe"
]
},
"related": [
{
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"type": "uses"
},
{
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
"type": "uses"
}
],
"uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27",
"value": "esentutl - S0404"
},
{
"description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)",
"meta": {
"external_id": "S0408",
"mitre_platforms": [
"Android"
],
"refs": [
"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html",
"https://attack.mitre.org/software/S0408",
"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf",
"https://www.flexispy.com/"
],
"synonyms": [
"FlexiSpy"
]
},
"related": [
{
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
"type": "uses"
},
{
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"type": "uses"
},
{
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
"type": "uses"
},
{
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"type": "uses"
},
{
"dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
"type": "uses"
},
{
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
"type": "uses"
},
{
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
"type": "uses"
},
{
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
"type": "uses"
},
{
"dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831",
"type": "uses"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"type": "uses"
},
{
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
"type": "uses"
},
{
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"type": "uses"
},
{
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
"type": "uses"
},
{
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
"type": "uses"
},
{
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
"type": "uses"
}
],
"uuid": "1622fd3d-fcfc-4d02-ac49-f2d786f79b81",
"value": "FlexiSpy - S0408"
},
{
"description": "[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)",
"meta": {
"external_id": "S0075",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0075",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
"https://technet.microsoft.com/en-us/library/cc732643.aspx"
],
"synonyms": [
"Reg",
"reg.exe"
]
},
"related": [
{
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
}
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"value": "Reg - S0075"
},
{
"description": "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)",
"meta": {
"external_id": "S0057",
"refs": [
"https://attack.mitre.org/software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"synonyms": [
"Tasklist"
]
},
"related": [
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
}
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057"
},
{
"description": "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)",
"meta": {
"external_id": "S0508",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0508",
"https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf",
"https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/"
],
"synonyms": [
"ngrok"
]
},
"related": [
{
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
"type": "uses"
},
{
"dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"type": "uses"
}
],
"uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
"value": "ngrok - S0508"
},
{
"description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)",
"meta": {
"external_id": "S0590",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0590",
"https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html",
"https://sectools.org/tool/nbtscan/",
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
"https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments"
],
"synonyms": [
"NBTscan"
]
},
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
}
],
"uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8",
"value": "NBTscan - S0590"
},
{
"description": "[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)",
"meta": {
"external_id": "S0095",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0095",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp",
"https://linux.die.net/man/1/ftp"
],
"synonyms": [
"ftp",
"ftp.exe"
]
},
"related": [
{
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"type": "uses"
}
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"value": "ftp - S0095"
},
{
"description": "[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)",
"meta": {
"external_id": "S0096",
"refs": [
"https://attack.mitre.org/software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
}
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"value": "Systeminfo - S0096"
},
{
"description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)",
"meta": {
"external_id": "S0097",
"refs": [
"https://attack.mitre.org/software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping"
]
},
"related": [
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
}
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"value": "Ping - S0097"
},
{
"description": "[Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)",
"meta": {
"external_id": "S0099",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
}
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"value": "Arp - S0099"
},
{
"description": "[schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)",
"meta": {
"external_id": "S0111",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
}
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"value": "schtasks - S0111"
},
{
"description": "[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0121",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Lslsass"
]
},
"related": [
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
}
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
"value": "Lslsass - S0121"
},
{
"description": "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)",
"meta": {
"external_id": "S0116",
"refs": [
"https://attack.mitre.org/software/S0116",
"https://github.com/hfiref0x/UACME"
]
},
"related": [
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116"
},
{
"description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)",
"meta": {
"external_id": "S1071",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1071",
"https://github.com/GhostPack/Rubeus",
"https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
],
"synonyms": [
"Rubeus"
]
},
"related": [
{
"dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
"type": "uses"
},
{
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"type": "uses"
}
],
"uuid": "e33267fe-099f-4af2-8730-63d49f8813b2",
"value": "Rubeus - S1071"
},
{
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0119",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Cachedump"
]
},
"related": [
{
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
"type": "uses"
}
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"value": "Cachedump - S0119"
},
{
"description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)",
"meta": {
"external_id": "S1091",
"mitre_platforms": [
"IaaS"
],
"refs": [
"https://attack.mitre.org/software/S1091",
"https://github.com/RhinoSecurityLabs/pacu"
],
"synonyms": [
"Pacu"
]
},
"related": [
{
"dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"type": "uses"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"type": "uses"
},
{
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
"type": "uses"
},
{
"dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"type": "uses"
},
{
"dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"type": "uses"
},
{
"dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
"type": "uses"
},
{
"dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969",
"type": "uses"
},
{
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
"type": "uses"
},
{
"dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
"type": "uses"
},
{
"dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
"type": "uses"
},
{
"dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561",
"type": "uses"
},
{
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
"type": "uses"
},
{
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"type": "uses"
},
{
"dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3",
"type": "uses"
},
{
"dest-uuid": "ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
"type": "uses"
},
{
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"type": "uses"
}
],
"uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9",
"value": "Pacu - S1091"
},
{
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Ãœberwachung APT28 Forfiles June 2015)",
"meta": {
"external_id": "S0191",
"refs": [
"https://attack.mitre.org/software/S0191",
"https://github.com/skalkoto/winexe/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
]
},
"related": [
{
"dest-uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
}
],
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
"value": "Winexe - S0191"
},
{
"description": "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)",
"meta": {
"external_id": "S0123",
"refs": [
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/",
"https://attack.mitre.org/software/S0123"
]
},
"related": [
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
}
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"value": "xCmd - S0123"
},
{
"description": "[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)",
"meta": {
"external_id": "S0521",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0521",
"https://github.com/BloodHoundAD/BloodHound",
"https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/",
"https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf"
],
"synonyms": [
"BloodHound"
]
},
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
}
],
"uuid": "066b057c-944e-4cfc-b654-e3dfba04b926",
"value": "BloodHound - S0521"
},
{
"description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
"meta": {
"external_id": "S0192",
"mitre_platforms": [
"Linux",
"Windows",
"macOS",
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0192",
"https://github.com/n1nj4sec/pupy"
],
"synonyms": [
"Pupy"
]
},
"related": [
{
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
"type": "uses"
},
{
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
"type": "uses"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"type": "uses"
},
{
"dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "uses"
},
{
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "bdb420be-5882-41c8-b439-02bbef69d83f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
"type": "uses"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
}
],
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"value": "Pupy - S0192"
},
{
"description": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)",
"meta": {
"external_id": "S0413",
"mitre_platforms": [
"Office 365",
"Windows",
"Azure AD"
],
"refs": [
"https://attack.mitre.org/software/S0413",
"https://github.com/dafthack/MailSniper"
],
"synonyms": [
"MailSniper"
]
},
"related": [
{
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
"type": "uses"
},
{
"dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
"type": "uses"
},
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"type": "uses"
}
],
"uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e",
"value": "MailSniper - S0413"
},
{
"description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)",
"meta": {
"external_id": "S0361",
"mitre_platforms": [
"Windows"
],
"refs": [
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
"https://attack.mitre.org/software/S0361",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand"
],
"synonyms": [
"Expand"
]
},
"related": [
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
"type": "uses"
},
{
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
"type": "uses"
}
],
"uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973",
"value": "Expand - S0361"
},
{
"description": "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)",
"meta": {
"external_id": "S0183",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf",
"https://attack.mitre.org/software/S0183"
],
"synonyms": [
"Tor"
]
},
"related": [
{
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
}
],
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"value": "Tor - S0183"
},
{
"description": "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)",
"meta": {
"external_id": "S0193",
"refs": [
"https://attack.mitre.org/software/S0193",
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
]
},
"related": [
{
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
}
],
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
"value": "Forfiles - S0193"
},
{
"description": "[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0594",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0594",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"Out1"
]
},
"related": [
{
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
}
],
"uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d",
"value": "Out1 - S0594"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)",
"meta": {
"external_id": "S0174",
"refs": [
"https://attack.mitre.org/software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"synonyms": [
"Responder"
]
},
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "uses"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "uses"
}
],
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
"value": "Responder - S0174"
},
{
"description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)",
"meta": {
"external_id": "S0194",
"mitre_platforms": [
"Windows"
],
"refs": [
"http://powersploit.readthedocs.io",
"http://www.powershellmagazine.com/2014/07/08/powersploit/",
"https://attack.mitre.org/software/S0194",
"https://github.com/PowerShellMafia/PowerSploit"
],
"synonyms": [
"PowerSploit"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32",
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "uses"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "uses"
},
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"type": "uses"
},
{
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"type": "uses"
},
{
"dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462",
"type": "uses"
},
{
"dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
"type": "uses"
},
{
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"type": "uses"
},
{
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
}
],
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
"value": "PowerSploit - S0194"
},
{
"description": "[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.",
"meta": {
"external_id": "S0175",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0175"
],
"synonyms": [
"meek"
]
},
"related": [
{
"dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
"type": "uses"
}
],
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"value": "meek - S0175"
},
{
"description": "[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 )",
"meta": {
"external_id": "S0581",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0581",
"https://unit42.paloaltonetworks.com/ironnetinjector/"
],
"synonyms": [
"IronNetInjector"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
}
],
"uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e",
"value": "IronNetInjector - S0581"
},
{
"description": "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0591",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0591",
"https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"ConnectWise",
"ScreenConnect"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
}
],
"uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261",
"value": "ConnectWise - S0591"
},
{
"description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)",
"meta": {
"external_id": "S0195",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0195",
"https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
],
"synonyms": [
"SDelete"
]
},
"related": [
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
}
],
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
"value": "SDelete - S0195"
},
{
"description": "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)",
"meta": {
"external_id": "S1087",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1087",
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
"https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/",
"https://telefonicatech.com/blog/snip3-investigacion-malware"
],
"synonyms": [
"AsyncRAT"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "uses"
},
{
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d",
"value": "AsyncRAT - S1087"
},
{
"description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)",
"meta": {
"external_id": "S0179",
"mitre_platforms": [
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0179",
"https://github.com/huntergregal/mimipenguin"
],
"synonyms": [
"MimiPenguin"
]
},
"related": [
{
"dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d",
"type": "uses"
}
],
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
"value": "MimiPenguin - S0179"
},
{
"description": "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)",
"meta": {
"external_id": "S0224",
"refs": [
"https://attack.mitre.org/software/S0224",
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
]
},
"related": [
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"type": "uses"
}
],
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
"value": "Havij - S0224"
},
{
"description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)",
"meta": {
"external_id": "S0225",
"refs": [
"http://sqlmap.org/",
"https://attack.mitre.org/software/S0225"
]
},
"related": [
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"type": "uses"
}
],
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
"value": "sqlmap - S0225"
},
{
"description": "[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)",
"meta": {
"external_id": "S0262",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0262",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
"https://github.com/quasar/QuasarRAT",
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
],
"synonyms": [
"QuasarRAT",
"xRAT"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
},
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "uses"
},
{
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"type": "uses"
},
{
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
"type": "uses"
}
],
"uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
"value": "QuasarRAT - S0262"
},
{
"description": "[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)",
"meta": {
"external_id": "S0227",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0227",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [
"spwebmember"
]
},
"related": [
{
"dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
"type": "uses"
}
],
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
"value": "spwebmember - S0227"
},
{
"description": "[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)",
"meta": {
"external_id": "S0332",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0332",
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
"https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
],
"synonyms": [
"Remcos"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14",
"value": "Remcos - S0332"
},
{
"description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)",
"meta": {
"external_id": "S0378",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0378",
"https://github.com/nettitude/PoshC2_Python"
],
"synonyms": [
"PoshC2"
]
},
"related": [
{
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "uses"
},
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "uses"
},
{
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"type": "uses"
},
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"type": "uses"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
}
],
"uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc",
"value": "PoshC2 - S0378"
},
{
"description": "[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)",
"meta": {
"external_id": "S0552",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0552",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
],
"synonyms": [
"AdFind"
]
},
"related": [
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
}
],
"uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
"value": "AdFind - S0552"
},
{
"description": "[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0592",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0592",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"RemoteUtilities"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b",
"value": "RemoteUtilities - S0592"
},
{
"description": "[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)",
"meta": {
"external_id": "S0692",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0692",
"https://github.com/byt3bl33d3r/SILENTTRINITY",
"https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html"
],
"synonyms": [
"SILENTTRINITY"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
"type": "uses"
},
{
"dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59",
"type": "uses"
},
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"type": "uses"
},
{
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
"type": "uses"
},
{
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
"type": "uses"
},
{
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"type": "uses"
},
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"type": "uses"
}
],
"uuid": "1244e058-fa10-48cb-b484-0bcf671107ae",
"value": "SILENTTRINITY - S0692"
},
{
"description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)",
"meta": {
"external_id": "S0298",
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
"https://attack.mitre.org/software/S0298"
]
},
"related": [
{
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
"type": "uses"
},
{
"dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
"type": "uses"
},
{
"dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"type": "uses"
},
{
"dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
"type": "uses"
}
],
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
"value": "Xbot - S0298"
},
{
"description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)",
"meta": {
"external_id": "S0363",
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0363",
"https://github.com/PowerShellEmpire/Empire",
"https://github.com/dstepanic/attck_empire",
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
],
"synonyms": [
"Empire",
"EmPyre",
"PowerShell Empire"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32",
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"type": "uses"
},
{
"dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
"type": "uses"
},
{
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"type": "uses"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"type": "uses"
},
{
"dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6",
"type": "uses"
},
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
"type": "uses"
},
{
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
"type": "uses"
},
{
"dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462",
"type": "uses"
},
{
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2",
"type": "uses"
},
{
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"type": "uses"
},
{
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
"type": "uses"
},
{
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
"type": "uses"
},
{
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
"type": "uses"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
"type": "uses"
},
{
"dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5",
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "uses"
},
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "uses"
},
{
"dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"type": "uses"
},
{
"dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
"type": "uses"
},
{
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
"type": "uses"
},
{
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"type": "uses"
},
{
"dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
"type": "uses"
},
{
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"type": "uses"
},
{
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
"type": "uses"
},
{
"dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490",
"type": "uses"
}
],
"uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
"value": "Empire - S0363"
},
{
"description": "[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)",
"meta": {
"external_id": "S0633",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0633",
"https://labs.bishopfox.com/tech-blog/sliver"
],
"synonyms": [
"Sliver"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
"type": "uses"
},
{
"dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144",
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
"type": "uses"
}
],
"uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be",
"value": "Sliver - S0633"
},
{
"description": "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)",
"meta": {
"external_id": "S0364",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0364",
"https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf",
"https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp"
],
"synonyms": [
"RawDisk"
]
},
"related": [
{
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"type": "uses"
},
{
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
"type": "uses"
}
],
"uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079",
"value": "RawDisk - S0364"
},
{
"description": "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)",
"meta": {
"external_id": "S0349",
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0349",
"https://github.com/AlessandroZ/LaZagne"
],
"synonyms": [
"LaZagne"
]
},
"related": [
{
"dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d",
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"type": "uses"
},
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
"type": "uses"
},
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "uses"
},
{
"dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"type": "uses"
}
],
"uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
"value": "LaZagne - S0349"
},
{
"description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)",
"meta": {
"external_id": "S0357",
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0357",
"https://www.secureauth.com/labs/open-source-tools/impacket"
],
"synonyms": [
"Impacket"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "uses"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"type": "uses"
},
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"type": "uses"
},
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"type": "uses"
}
],
"uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
"value": "Impacket - S0357"
},
{
"description": "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)",
"meta": {
"external_id": "S0358",
"mitre_platforms": [
"Windows",
"Office 365"
],
"refs": [
"https://attack.mitre.org/software/S0358",
"https://github.com/sensepost/notruler",
"https://github.com/sensepost/ruler"
],
"synonyms": [
"Ruler"
]
},
"related": [
{
"dest-uuid": "3d1b9d7e-3921-4d25-845a-7d9f15c0da44",
"type": "uses"
},
{
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
"type": "uses"
},
{
"dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634",
"type": "uses"
},
{
"dest-uuid": "bf147104-abf9-4221-95d1-e81585859441",
"type": "uses"
}
],
"uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38",
"value": "Ruler - S0358"
},
{
"description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)",
"meta": {
"external_id": "S0359",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0359",
"https://ss64.com/nt/nltest.html"
],
"synonyms": [
"Nltest"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
}
],
"uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf",
"value": "Nltest - S0359"
},
{
"description": "[Peirates](https://attack.mitre.org/software/S0683) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub)",
"meta": {
"external_id": "S0683",
"mitre_platforms": [
"Containers"
],
"refs": [
"https://attack.mitre.org/software/S0683",
"https://github.com/inguardians/peirates"
],
"synonyms": [
"Peirates"
]
},
"related": [
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"type": "uses"
},
{
"dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3",
"type": "uses"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"type": "uses"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"type": "uses"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"type": "uses"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"type": "uses"
},
{
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
"type": "uses"
},
{
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"type": "uses"
},
{
"dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51",
"type": "uses"
},
{
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"type": "uses"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"type": "uses"
}
],
"uuid": "79dd477a-8226-4b3d-ad15-28623675f221",
"value": "Peirates - S0683"
},
{
"description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)",
"meta": {
"external_id": "S0445",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0445",
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
],
"synonyms": [
"ShimRatReporter"
]
},
"related": [
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "115f88dd-0618-4389-83cb-98d33ae81848",
"value": "ShimRatReporter - S0445"
},
{
"description": "[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)",
"meta": {
"external_id": "S0465",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0465",
"https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"
],
"synonyms": [
"CARROTBALL"
]
},
"related": [
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "uses"
},
{
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4",
"value": "CARROTBALL - S0465"
},
{
"description": "[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)",
"meta": {
"external_id": "S0645",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0645",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
],
"synonyms": [
"Wevtutil"
]
},
"related": [
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
"type": "uses"
},
{
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
"type": "uses"
}
],
"uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
"value": "Wevtutil - S0645"
},
{
"description": "[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)",
"meta": {
"external_id": "S0684",
"refs": [
"https://attack.mitre.org/software/S0684",
"https://github.com/dirkjanm/ROADtools"
],
"synonyms": [
"ROADTools"
]
},
"related": [
{
"dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"type": "uses"
},
{
"dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
"type": "uses"
},
{
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"type": "uses"
}
],
"uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d",
"value": "ROADTools - S0684"
},
{
"description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)",
"meta": {
"external_id": "S0488",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0488",
"https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference"
],
"synonyms": [
"CrackMapExec"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
"type": "uses"
},
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"type": "uses"
},
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"type": "uses"
},
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"type": "uses"
},
{
"dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
"type": "uses"
}
],
"uuid": "c4810609-7da6-48ec-8057-1b70a7814db0",
"value": "CrackMapExec - S0488"
},
{
"description": "[Donut](https://attack.mitre.org/software/S0695) is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) [Donut](https://attack.mitre.org/software/S0695) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020)",
"meta": {
"external_id": "S0695",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0695",
"https://github.com/TheWover/donut",
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://thewover.github.io/Introducing-Donut/"
],
"synonyms": [
"Donut"
]
},
"related": [
{
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"type": "uses"
},
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "a7b5df47-73bb-4d47-b701-869f185633a6",
"value": "Donut - S0695"
},
{
"description": "[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)",
"meta": {
"external_id": "S0677",
"mitre_platforms": [
"Windows",
"Azure AD",
"Office 365"
],
"refs": [
"https://attack.mitre.org/software/S0677",
"https://github.com/Gerenios/AADInternals",
"https://o365blog.com/aadinternals",
"https://o365blog.com/aadinternals/"
],
"synonyms": [
"AADInternals"
]
},
"related": [
{
"dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"type": "uses"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"type": "uses"
},
{
"dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
"type": "uses"
},
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"type": "uses"
},
{
"dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
"type": "uses"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"type": "uses"
},
{
"dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
"type": "uses"
},
{
"dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262",
"type": "uses"
},
{
"dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
"type": "uses"
},
{
"dest-uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215",
"type": "uses"
},
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"type": "uses"
},
{
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
"type": "uses"
},
{
"dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"type": "uses"
},
{
"dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"type": "uses"
},
{
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
"type": "uses"
},
{
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
"type": "uses"
},
{
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"type": "uses"
},
{
"dest-uuid": "e3b168bd-fcd7-439e-9382-2e6c2f63514d",
"type": "uses"
}
],
"uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756",
"value": "AADInternals - S0677"
},
{
"description": "[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to \"plug-n-play\" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed [Mythic](https://attack.mitre.org/software/S0699) C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra)",
"meta": {
"external_id": "S0699",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0699",
"https://docs.mythic-c2.net/",
"https://github.com/its-a-feature/Mythic",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
"https://posts.specterops.io/a-change-of-mythic-proportions-21debeb03617"
],
"synonyms": [
"Mythic"
]
},
"related": [
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"type": "uses"
},
{
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
"type": "uses"
},
{
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "uses"
},
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"type": "uses"
},
{
"dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"type": "uses"
},
{
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
"type": "uses"
}
],
"uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66",
"value": "Mythic - S0699"
}
],
"version": 32
}