mitre-tool
Name of ATT&CK software
Authors
| Authors and/or Contributors |
|---|
| MITRE |
Windows Credential Editor - S0005
Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Windows Credential Editor - S0005.
| Known Synonyms |
|---|
WCE |
Windows Credential Editor |
Internal MISP references
UUID 242f3da3-4425-4d11-8f5c-b842886da966 which can be used as unique global reference for Windows Credential Editor - S0005 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0005 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Brute Ratel C4 - S1063
Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brute Ratel C4 - S1063.
| Known Synonyms |
|---|
BRc4 |
Brute Ratel C4 |
Internal MISP references
UUID 75d8b521-6b6a-42ff-8af3-d97e20ce12a5 which can be used as unique global reference for Brute Ratel C4 - S1063 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S1063 - webarchive
- https://bruteratel.com/ - webarchive
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ - webarchive
- https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/ - webarchive
- https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/ - webarchive
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S1063 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Pass-The-Hash Toolkit - S0122
Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)
Internal MISP references
UUID a52edc76-328d-4596-85e7-d56ef5a9eb69 which can be used as unique global reference for Pass-The-Hash Toolkit - S0122 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0122 |
Related clusters
To see the related clusters, click here.
CSPY Downloader - S0527
CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.(Citation: Cybereason Kimsuky November 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CSPY Downloader - S0527.
| Known Synonyms |
|---|
CSPY Downloader |
Internal MISP references
UUID 5256c0f8-9108-4c92-8b09-482dfacdcd94 which can be used as unique global reference for CSPY Downloader - S0527 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0527 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Imminent Monitor - S0434
Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Imminent Monitor - S0434.
| Known Synonyms |
|---|
Imminent Monitor |
Internal MISP references
UUID 8f8cd191-902c-4e83-bf20-b57c8c4640e9 which can be used as unique global reference for Imminent Monitor - S0434 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0434 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Invoke-PSImage - S0231
Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Invoke-PSImage - S0231.
| Known Synonyms |
|---|
Invoke-PSImage |
Internal MISP references
UUID b52d6583-14a2-4ddc-8527-87fd2142558f which can be used as unique global reference for Invoke-PSImage - S0231 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0231 |
Related clusters
To see the related clusters, click here.
ipconfig - S0100
ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ipconfig - S0100.
| Known Synonyms |
|---|
ipconfig |
Internal MISP references
UUID 294e2560-bd48-44b2-9da2-833b5588ad11 which can be used as unique global reference for ipconfig - S0100 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0100 |
Related clusters
To see the related clusters, click here.
Mimikatz - S0002
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mimikatz - S0002.
| Known Synonyms |
|---|
Mimikatz |
Internal MISP references
UUID afc079f3-c0ea-4096-b75d-3f05338b7f60 which can be used as unique global reference for Mimikatz - S0002 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0002 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
HTRAN - S0040
HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTRAN - S0040.
| Known Synonyms |
|---|
HTRAN |
HUC Packet Transmit Tool |
Internal MISP references
UUID d5e96a35-7b0b-4c6a-9533-d63ecbda563e which can be used as unique global reference for HTRAN - S0040 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0040 |
| mitre_platforms | ['Linux', 'Windows'] |
Related clusters
To see the related clusters, click here.
MCMD - S0500
MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.(Citation: Secureworks MCMD July 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MCMD - S0500.
| Known Synonyms |
|---|
MCMD |
Internal MISP references
UUID 975737f1-b10d-476f-8bda-3ec26ea57172 which can be used as unique global reference for MCMD - S0500 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0500 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
pwdump - S0006
pwdump is a credential dumper. (Citation: Wikipedia pwdump)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular pwdump - S0006.
| Known Synonyms |
|---|
pwdump |
Internal MISP references
UUID 9de2308e-7bed-43a3-8e58-f194b3586700 which can be used as unique global reference for pwdump - S0006 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0006 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
gsecdump - S0008
gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular gsecdump - S0008.
| Known Synonyms |
|---|
gsecdump |
Internal MISP references
UUID b07c2c47-fefb-4d7c-a69e-6a3296171f54 which can be used as unique global reference for gsecdump - S0008 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0008 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
at - S0110
at is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular at - S0110.
| Known Synonyms |
|---|
at |
at.exe |
Internal MISP references
UUID 0c8465c0-d0b4-4670-992e-4eee8d7ff952 which can be used as unique global reference for at - S0110 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0110 |
| mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
ifconfig - S0101
ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)
Internal MISP references
UUID 362dc67f-4e85-4562-9dac-1b6b7f3ec4b5 which can be used as unique global reference for ifconfig - S0101 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0101 |
Related clusters
To see the related clusters, click here.
Fgdump - S0120
Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fgdump - S0120.
| Known Synonyms |
|---|
Fgdump |
Internal MISP references
UUID 4f45dfeb-fe51-4df0-8db3-edf7dd0513fe which can be used as unique global reference for Fgdump - S0120 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0120 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
nbtstat - S0102
nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)
Internal MISP references
UUID b35068ec-107a-4266-bda8-eb7036267aea which can be used as unique global reference for nbtstat - S0102 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0102 |
Related clusters
To see the related clusters, click here.
route - S0103
route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)
Internal MISP references
UUID c11ac61d-50f4-444f-85d8-6f006067f0de which can be used as unique global reference for route - S0103 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0103 |
Related clusters
To see the related clusters, click here.
Rclone - S1040
Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rclone - S1040.
| Known Synonyms |
|---|
Rclone |
Internal MISP references
UUID 59096109-a1dd-463b-87e7-a8d110fe3a79 which can be used as unique global reference for Rclone - S1040 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S1040 - webarchive
- https://rclone.org - webarchive
- https://redcanary.com/blog/rclone-mega-extortion/ - webarchive
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ - webarchive
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - webarchive
- https://unit42.paloaltonetworks.com/darkside-ransomware/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S1040 |
| mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
netstat - S0104
netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular netstat - S0104.
| Known Synonyms |
|---|
netstat |
Internal MISP references
UUID 4664b683-f578-434f-919b-1c1aad2a1111 which can be used as unique global reference for netstat - S0104 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0104 |
Related clusters
To see the related clusters, click here.
PcShare - S1050
PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PcShare - S1050.
| Known Synonyms |
|---|
PcShare |
Internal MISP references
UUID 3a53b207-aba2-4a2b-9cdb-273d633669e7 which can be used as unique global reference for PcShare - S1050 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S1050 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
dsquery - S0105
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular dsquery - S0105.
| Known Synonyms |
|---|
dsquery |
dsquery.exe |
Internal MISP references
UUID 38952eac-cb1b-4a71-bad2-ee8223a1c8fe which can be used as unique global reference for dsquery - S0105 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0105 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
cmd - S0106
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir (Citation: TechNet Dir)), deleting files (e.g., del (Citation: TechNet Del)), and copying files (e.g., copy (Citation: TechNet Copy)).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular cmd - S0106.
| Known Synonyms |
|---|
cmd |
cmd.exe |
Internal MISP references
UUID bba595da-b73a-4354-aa6c-224d4de7cb4e which can be used as unique global reference for cmd - S0106 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0106 - webarchive
- https://technet.microsoft.com/en-us/library/bb490880.aspx - webarchive
- https://technet.microsoft.com/en-us/library/bb490886.aspx - webarchive
- https://technet.microsoft.com/en-us/library/cc755121.aspx - webarchive
- https://technet.microsoft.com/en-us/library/cc771049.aspx - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0106 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
certutil - S0160
certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular certutil - S0160.
| Known Synonyms |
|---|
certutil |
certutil.exe |
Internal MISP references
UUID 0a68f1f1-da74-4d28-8d9a-696c082706cc which can be used as unique global reference for certutil - S0160 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0160 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
netsh - S0108
netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular netsh - S0108.
| Known Synonyms |
|---|
netsh |
netsh.exe |
Internal MISP references
UUID 5a63f900-5e7e-4928-a746-dd4558e1df71 which can be used as unique global reference for netsh - S0108 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0108 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BITSAdmin - S0190
BITSAdmin is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BITSAdmin - S0190.
| Known Synonyms |
|---|
BITSAdmin |
Internal MISP references
UUID 64764dc6-a032-495f-8250-1e4c06bdc163 which can be used as unique global reference for BITSAdmin - S0190 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0190 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Koadic - S0250
Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Koadic - S0250.
| Known Synonyms |
|---|
Koadic |
Internal MISP references
UUID c8655260-9f4b-44e3-85e1-6538a5f6e4f4 which can be used as unique global reference for Koadic - S0250 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0250 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
PsExec - S0029
PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PsExec - S0029.
| Known Synonyms |
|---|
PsExec |
Internal MISP references
UUID ff6caf67-ea1f-4895-b80e-4bb0fc31c6db which can be used as unique global reference for PsExec - S0029 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0029 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Net - S0039
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)
Net has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Net - S0039.
| Known Synonyms |
|---|
Net |
net.exe |
Internal MISP references
UUID 03342581-f790-4f03-ba41-e82e67392e23 which can be used as unique global reference for Net - S0039 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0039 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
esentutl - S0404
esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular esentutl - S0404.
| Known Synonyms |
|---|
esentutl |
esentutl.exe |
Internal MISP references
UUID c256da91-6dd5-40b2-beeb-ee3b22ab3d27 which can be used as unique global reference for esentutl - S0404 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0404 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
FlexiSpy - S0408
FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)
FlexiSpy markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlexiSpy - S0408.
| Known Synonyms |
|---|
FlexiSpy |
Internal MISP references
UUID 1622fd3d-fcfc-4d02-ac49-f2d786f79b81 which can be used as unique global reference for FlexiSpy - S0408 in MISP communities and other software using the MISP galaxy
External references
- http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html - webarchive
- https://attack.mitre.org/software/S0408 - webarchive
- https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf - webarchive
- https://www.flexispy.com/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0408 |
| mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Reg - S0075
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)
Utilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Reg - S0075.
| Known Synonyms |
|---|
Reg |
reg.exe |
Internal MISP references
UUID cde2d700-9ed1-46cf-9bce-07364fe8b24f which can be used as unique global reference for Reg - S0075 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0075 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Tasklist - S0057
The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tasklist - S0057.
| Known Synonyms |
|---|
Tasklist |
Internal MISP references
UUID 2e45723a-31da-4a7e-aaa6-e01998a6788f which can be used as unique global reference for Tasklist - S0057 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0057 |
Related clusters
To see the related clusters, click here.
ngrok - S0508
ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ngrok - S0508.
| Known Synonyms |
|---|
ngrok |
Internal MISP references
UUID 2f7f03bb-f367-4a5a-ad9b-310a12a48906 which can be used as unique global reference for ngrok - S0508 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0508 - webarchive
- https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44 - webarchive
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html - webarchive
- https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf - webarchive
- https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0508 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
NBTscan - S0590
NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NBTscan - S0590.
| Known Synonyms |
|---|
NBTscan |
Internal MISP references
UUID b63970b7-ddfb-4aee-97b1-80d335e033a8 which can be used as unique global reference for NBTscan - S0590 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0590 - webarchive
- https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html - webarchive
- https://sectools.org/tool/nbtscan/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html - webarchive
- https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0590 |
| mitre_platforms | ['Windows', 'Linux', 'macOS'] |
Related clusters
To see the related clusters, click here.
ftp - S0095
ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ftp - S0095.
| Known Synonyms |
|---|
ftp |
ftp.exe |
Internal MISP references
UUID cf23bf4a-e003-4116-bbae-1ea6c558d565 which can be used as unique global reference for ftp - S0095 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0095 |
| mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
Systeminfo - S0096
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Systeminfo - S0096.
| Known Synonyms |
|---|
Systeminfo |
Internal MISP references
UUID 7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1 which can be used as unique global reference for Systeminfo - S0096 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0096 |
Related clusters
To see the related clusters, click here.
Ping - S0097
Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ping - S0097.
| Known Synonyms |
|---|
Ping |
Internal MISP references
UUID b77b563c-34bb-4fb8-86a3-3694338f7b47 which can be used as unique global reference for Ping - S0097 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0097 |
Related clusters
To see the related clusters, click here.
Arp - S0099
Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arp - S0099.
| Known Synonyms |
|---|
Arp |
arp.exe |
Internal MISP references
UUID 30489451-5886-4c46-90c9-0dff9adc5252 which can be used as unique global reference for Arp - S0099 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0099 |
| mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
schtasks - S0111
schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular schtasks - S0111.
| Known Synonyms |
|---|
schtasks |
schtasks.exe |
Internal MISP references
UUID c9703cd3-141c-43a0-a926-380082be5d04 which can be used as unique global reference for schtasks - S0111 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0111 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Lslsass - S0121
Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lslsass - S0121.
| Known Synonyms |
|---|
Lslsass |
Internal MISP references
UUID 2fab555f-7664-4623-b4e0-1675ae38190b which can be used as unique global reference for Lslsass - S0121 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0121 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
UACMe - S0116
UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)
Internal MISP references
UUID 102c3898-85e0-43ee-ae28-62a0a3ed9507 which can be used as unique global reference for UACMe - S0116 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0116 |
Related clusters
To see the related clusters, click here.
Rubeus - S1071
Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rubeus - S1071.
| Known Synonyms |
|---|
Rubeus |
Internal MISP references
UUID e33267fe-099f-4af2-8730-63d49f8813b2 which can be used as unique global reference for Rubeus - S1071 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S1071 - webarchive
- https://github.com/GhostPack/Rubeus - webarchive
- https://thedfirreport.com/2020/10/08/ryuks-return/ - webarchive
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S1071 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Cachedump - S0119
Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cachedump - S0119.
| Known Synonyms |
|---|
Cachedump |
Internal MISP references
UUID c9cd7ec9-40b7-49db-80be-1399eddd9c52 which can be used as unique global reference for Cachedump - S0119 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0119 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Pacu - S1091
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pacu - S1091.
| Known Synonyms |
|---|
Pacu |
Internal MISP references
UUID 1b3b8f96-43b1-4460-8e02-1f53d7802fb9 which can be used as unique global reference for Pacu - S1091 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S1091 |
| mitre_platforms | ['IaaS'] |
Related clusters
To see the related clusters, click here.
Winexe - S0191
Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) Winexe is unique in that it is a GNU/Linux based client. (Citation: Ãœberwachung APT28 Forfiles June 2015)
Internal MISP references
UUID 96fd6cc4-a693-4118-83ec-619e5352d07d which can be used as unique global reference for Winexe - S0191 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0191 |
Related clusters
To see the related clusters, click here.
xCmd - S0123
xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)
Internal MISP references
UUID 4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b which can be used as unique global reference for xCmd - S0123 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0123 |
Related clusters
To see the related clusters, click here.
BloodHound - S0521
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BloodHound - S0521.
| Known Synonyms |
|---|
BloodHound |
Internal MISP references
UUID 066b057c-944e-4cfc-b654-e3dfba04b926 which can be used as unique global reference for BloodHound - S0521 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0521 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Pupy - S0192
Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pupy - S0192.
| Known Synonyms |
|---|
Pupy |
Internal MISP references
UUID cb69b20d-56d0-41ab-8440-4a4b251614d4 which can be used as unique global reference for Pupy - S0192 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0192 |
| mitre_platforms | ['Linux', 'Windows', 'macOS', 'Android'] |
Related clusters
To see the related clusters, click here.
MailSniper - S0413
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MailSniper - S0413.
| Known Synonyms |
|---|
MailSniper |
Internal MISP references
UUID 999c4e6e-b8dc-4b4f-8d6e-1b829f29997e which can be used as unique global reference for MailSniper - S0413 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0413 |
| mitre_platforms | ['Office 365', 'Windows', 'Azure AD'] |
Related clusters
To see the related clusters, click here.
Expand - S0361
Expand is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by BBSRAT to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Expand - S0361.
| Known Synonyms |
|---|
Expand |
Internal MISP references
UUID ca656c25-44f1-471b-9d9f-e2a3bbb84973 which can be used as unique global reference for Expand - S0361 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0361 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Tor - S0183
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tor - S0183.
| Known Synonyms |
|---|
Tor |
Internal MISP references
UUID ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68 which can be used as unique global reference for Tor - S0183 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0183 |
| mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
Forfiles - S0193
Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)
Internal MISP references
UUID 90ec2b22-7061-4469-b539-0989ec4f96c2 which can be used as unique global reference for Forfiles - S0193 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0193 |
Related clusters
To see the related clusters, click here.
Out1 - S0594
Out1 is a remote access tool written in python and used by MuddyWater since at least 2021.(Citation: Trend Micro Muddy Water March 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Out1 - S0594.
| Known Synonyms |
|---|
Out1 |
Internal MISP references
UUID 80c815bb-b24a-4b9c-9d73-ff4c075a278d which can be used as unique global reference for Out1 - S0594 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0594 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Responder - S0174
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Responder - S0174.
| Known Synonyms |
|---|
Responder |
Internal MISP references
UUID a1dd2dbd-1550-44bf-abcc-1a4c52e97719 which can be used as unique global reference for Responder - S0174 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0174 |
Related clusters
To see the related clusters, click here.
PowerSploit - S0194
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerSploit - S0194.
| Known Synonyms |
|---|
PowerSploit |
Internal MISP references
UUID 13cd9151-83b7-410d-9f98-25d0f0d1d80d which can be used as unique global reference for PowerSploit - S0194 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0194 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
meek - S0175
meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular meek - S0175.
| Known Synonyms |
|---|
meek |
Internal MISP references
UUID 65370d0b-3bd4-4653-8cf9-daf56f6be830 which can be used as unique global reference for meek - S0175 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0175 |
| mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
IronNetInjector - S0581
IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.(Citation: Unit 42 IronNetInjector February 2021 )
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IronNetInjector - S0581.
| Known Synonyms |
|---|
IronNetInjector |
Internal MISP references
UUID b1595ddd-a783-482a-90e1-8afc8d48467e which can be used as unique global reference for IronNetInjector - S0581 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0581 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ConnectWise - S0591
ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ConnectWise - S0591.
| Known Synonyms |
|---|
ConnectWise |
ScreenConnect |
Internal MISP references
UUID 842976c7-f9c8-41b2-8371-41dc64fbe261 which can be used as unique global reference for ConnectWise - S0591 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0591 - webarchive
- https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies - webarchive
- https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0591 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
SDelete - S0195
SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SDelete - S0195.
| Known Synonyms |
|---|
SDelete |
Internal MISP references
UUID d8d19e33-94fd-4aa3-b94a-08ee801a2153 which can be used as unique global reference for SDelete - S0195 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0195 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
AsyncRAT - S1087
AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AsyncRAT - S1087.
| Known Synonyms |
|---|
AsyncRAT |
Internal MISP references
UUID 6a5947f3-1a36-4653-8734-526df3e1d28d which can be used as unique global reference for AsyncRAT - S1087 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S1087 - webarchive
- https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader - webarchive
- https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/ - webarchive
- https://telefonicatech.com/blog/snip3-investigacion-malware - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S1087 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
MimiPenguin - S0179
MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MimiPenguin - S0179.
| Known Synonyms |
|---|
MimiPenguin |
Internal MISP references
UUID 5a33468d-844d-4b1f-98c9-0e786c556b27 which can be used as unique global reference for MimiPenguin - S0179 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0179 |
| mitre_platforms | ['Linux'] |
Related clusters
To see the related clusters, click here.
Havij - S0224
Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)
Internal MISP references
UUID fbd727ea-c0dc-42a9-8448-9e12962d1ab5 which can be used as unique global reference for Havij - S0224 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0224 |
Related clusters
To see the related clusters, click here.
sqlmap - S0225
sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)
Internal MISP references
UUID 9a2640c2-9f43-46fe-b13f-bde881e55555 which can be used as unique global reference for sqlmap - S0225 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0225 |
Related clusters
To see the related clusters, click here.
QuasarRAT - S0262
QuasarRAT is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QuasarRAT - S0262.
| Known Synonyms |
|---|
QuasarRAT |
xRAT |
Internal MISP references
UUID da04ac30-27da-4959-a67d-450ce47d9470 which can be used as unique global reference for QuasarRAT - S0262 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0262 - webarchive
- https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
- https://github.com/quasar/QuasarRAT - webarchive
- https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ - webarchive
- https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0262 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
spwebmember - S0227
spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular spwebmember - S0227.
| Known Synonyms |
|---|
spwebmember |
Internal MISP references
UUID 33b9e38f-103c-412d-bdcf-904a91fff1e4 which can be used as unique global reference for spwebmember - S0227 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0227 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Remcos - S0332
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remcos - S0332.
| Known Synonyms |
|---|
Remcos |
Internal MISP references
UUID 7cd0bc75-055b-4098-a00e-83dc8beaff14 which can be used as unique global reference for Remcos - S0332 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0332 - webarchive
- https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html - webarchive
- https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ - webarchive
- https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0332 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
PoshC2 - S0378
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoshC2 - S0378.
| Known Synonyms |
|---|
PoshC2 |
Internal MISP references
UUID 4b57c098-f043-4da2-83ef-7588a6d426bc which can be used as unique global reference for PoshC2 - S0378 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0378 |
| mitre_platforms | ['Windows', 'Linux', 'macOS'] |
Related clusters
To see the related clusters, click here.
AdFind - S0552
AdFind is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AdFind - S0552.
| Known Synonyms |
|---|
AdFind |
Internal MISP references
UUID f59508a6-3615-47c3-b493-6676e1a39a87 which can be used as unique global reference for AdFind - S0552 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0552 - webarchive
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0552 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
RemoteUtilities - S0592
RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RemoteUtilities - S0592.
| Known Synonyms |
|---|
RemoteUtilities |
Internal MISP references
UUID 03c6e0ea-96d3-4b23-9afb-05055663cf4b which can be used as unique global reference for RemoteUtilities - S0592 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0592 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
SILENTTRINITY - S0692
SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SILENTTRINITY - S0692.
| Known Synonyms |
|---|
SILENTTRINITY |
Internal MISP references
UUID 1244e058-fa10-48cb-b484-0bcf671107ae which can be used as unique global reference for SILENTTRINITY - S0692 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0692 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Xbot - S0298
Xbot is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)
Internal MISP references
UUID da21929e-40c0-443d-bdf4-6b60d15448b4 which can be used as unique global reference for Xbot - S0298 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0298 |
Related clusters
To see the related clusters, click here.
Empire - S0363
Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Empire - S0363.
| Known Synonyms |
|---|
EmPyre |
Empire |
PowerShell Empire |
Internal MISP references
UUID 3433a9e8-1c47-4320-b9bf-ed449061d1c3 which can be used as unique global reference for Empire - S0363 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0363 |
| mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Related clusters
To see the related clusters, click here.
Sliver - S0633
Sliver is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sliver - S0633.
| Known Synonyms |
|---|
Sliver |
Internal MISP references
UUID 11f8d7eb-1927-4806-9267-3a11d4d4d6be which can be used as unique global reference for Sliver - S0633 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0633 |
| mitre_platforms | ['Windows', 'Linux', 'macOS'] |
Related clusters
To see the related clusters, click here.
RawDisk - S0364
RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RawDisk - S0364.
| Known Synonyms |
|---|
RawDisk |
Internal MISP references
UUID 3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 which can be used as unique global reference for RawDisk - S0364 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0364 - webarchive
- https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf - webarchive
- https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0364 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
LaZagne - S0349
LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LaZagne - S0349.
| Known Synonyms |
|---|
LaZagne |
Internal MISP references
UUID b76b2d94-60e4-4107-a903-4a3a7622fb3b which can be used as unique global reference for LaZagne - S0349 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0349 |
| mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Related clusters
To see the related clusters, click here.
Impacket - S0357
Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Impacket - S0357.
| Known Synonyms |
|---|
Impacket |
Internal MISP references
UUID 26c87906-d750-42c5-946c-d4162c73fc7b which can be used as unique global reference for Impacket - S0357 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0357 |
| mitre_platforms | ['Linux', 'macOS', 'Windows'] |
Related clusters
To see the related clusters, click here.
Ruler - S0358
Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ruler - S0358.
| Known Synonyms |
|---|
Ruler |
Internal MISP references
UUID 90ac9266-68ce-46f2-b24f-5eb3b2a8ea38 which can be used as unique global reference for Ruler - S0358 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0358 |
| mitre_platforms | ['Windows', 'Office 365'] |
Related clusters
To see the related clusters, click here.
Nltest - S0359
Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nltest - S0359.
| Known Synonyms |
|---|
Nltest |
Internal MISP references
UUID 981acc4c-2ede-4b56-be6e-fa1a75f37acf which can be used as unique global reference for Nltest - S0359 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0359 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Peirates - S0683
Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Peirates - S0683.
| Known Synonyms |
|---|
Peirates |
Internal MISP references
UUID 79dd477a-8226-4b3d-ad15-28623675f221 which can be used as unique global reference for Peirates - S0683 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0683 |
| mitre_platforms | ['Containers'] |
Related clusters
To see the related clusters, click here.
ShimRatReporter - S0445
ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ShimRatReporter - S0445.
| Known Synonyms |
|---|
ShimRatReporter |
Internal MISP references
UUID 115f88dd-0618-4389-83cb-98d33ae81848 which can be used as unique global reference for ShimRatReporter - S0445 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0445 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
CARROTBALL - S0465
CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.(Citation: Unit 42 CARROTBAT January 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CARROTBALL - S0465.
| Known Synonyms |
|---|
CARROTBALL |
Internal MISP references
UUID 5fc81b43-62b5-41b1-9113-c79ae5f030c4 which can be used as unique global reference for CARROTBALL - S0465 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0465 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Wevtutil - S0645
Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wevtutil - S0645.
| Known Synonyms |
|---|
Wevtutil |
Internal MISP references
UUID f91162cc-1686-4ff8-8115-bf3f61a4cc7a which can be used as unique global reference for Wevtutil - S0645 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0645 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ROADTools - S0684
ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROADTools - S0684.
| Known Synonyms |
|---|
ROADTools |
Internal MISP references
UUID 6dbdc657-d8e0-4f2f-909b-7251b3e72c6d which can be used as unique global reference for ROADTools - S0684 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0684 |
Related clusters
To see the related clusters, click here.
CrackMapExec - S0488
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CrackMapExec - S0488.
| Known Synonyms |
|---|
CrackMapExec |
Internal MISP references
UUID c4810609-7da6-48ec-8057-1b70a7814db0 which can be used as unique global reference for CrackMapExec - S0488 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0488 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Donut - S0695
Donut is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Donut - S0695.
| Known Synonyms |
|---|
Donut |
Internal MISP references
UUID a7b5df47-73bb-4d47-b701-869f185633a6 which can be used as unique global reference for Donut - S0695 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0695 |
| mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
AADInternals - S0677
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AADInternals - S0677.
| Known Synonyms |
|---|
AADInternals |
Internal MISP references
UUID 2c5281dd-b5fd-4531-8aea-c1bf8a0f8756 which can be used as unique global reference for AADInternals - S0677 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0677 |
| mitre_platforms | ['Windows', 'Azure AD', 'Office 365'] |
Related clusters
To see the related clusters, click here.
Mythic - S0699
Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mythic - S0699.
| Known Synonyms |
|---|
Mythic |
Internal MISP references
UUID d505fc8b-2e64-46eb-96d6-9ef7ffca5b66 which can be used as unique global reference for Mythic - S0699 in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0699 - webarchive
- https://docs.mythic-c2.net/ - webarchive
- https://github.com/its-a-feature/Mythic - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://posts.specterops.io/a-change-of-mythic-proportions-21debeb03617 - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| external_id | S0699 |
| mitre_platforms | ['Windows', 'Linux', 'macOS'] |
Related clusters
To see the related clusters, click here.