mitre-tool

Name of ATT&CK software

Authors
MITRE

Windows Credential Editor - S0005

Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Windows Credential Editor - S0005.

Known Synonyms
WCE
Windows Credential Editor
Internal MISP references

UUID 242f3da3-4425-4d11-8f5c-b842886da966 which can be used as a unique global reference for Windows Credential Editor - S0005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0005
mitre_platforms ['Windows']

Brute Ratel C4 - S1063

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brute Ratel C4 - S1063.

Known Synonyms
BRc4
Brute Ratel C4
Internal MISP references

UUID 75d8b521-6b6a-42ff-8af3-d97e20ce12a5 which can be used as a unique global reference for Brute Ratel C4 - S1063 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1063
mitre_platforms ['Windows']

Pass-The-Hash Toolkit - S0122

Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)

Internal MISP references

UUID a52edc76-328d-4596-85e7-d56ef5a9eb69 which can be used as a unique global reference for Pass-The-Hash Toolkit - S0122 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0122

CSPY Downloader - S0527

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.(Citation: Cybereason Kimsuky November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CSPY Downloader - S0527.

Known Synonyms
CSPY Downloader
Internal MISP references

UUID 5256c0f8-9108-4c92-8b09-482dfacdcd94 which can be used as a unique global reference for CSPY Downloader - S0527 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0527
mitre_platforms ['Windows']

Imminent Monitor - S0434

Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Imminent Monitor - S0434.

Known Synonyms
Imminent Monitor
Internal MISP references

UUID 8f8cd191-902c-4e83-bf20-b57c8c4640e9 which can be used as a unique global reference for Imminent Monitor - S0434 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0434
mitre_platforms ['Windows']

Invoke-PSImage - S0231

Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. An example of its usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Invoke-PSImage - S0231.

Known Synonyms
Invoke-PSImage
Internal MISP references

UUID b52d6583-14a2-4ddc-8527-87fd2142558f which can be used as a unique global reference for Invoke-PSImage - S0231 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0231

ipconfig - S0100

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ipconfig - S0100.

Known Synonyms
ipconfig
Internal MISP references

UUID 294e2560-bd48-44b2-9da2-833b5588ad11 which can be used as a unique global reference for ipconfig - S0100 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0100

Mimikatz - S0002

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mimikatz - S0002.

Known Synonyms
Mimikatz
Internal MISP references

UUID afc079f3-c0ea-4096-b75d-3f05338b7f60 which can be used as a unique global reference for Mimikatz - S0002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0002
mitre_platforms ['Windows']

HTRAN - S0040

HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTRAN - S0040.

Known Synonyms
HTRAN
HUC Packet Transmit Tool
Internal MISP references

UUID d5e96a35-7b0b-4c6a-9533-d63ecbda563e which can be used as a unique global reference for HTRAN - S0040 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0040
mitre_platforms ['Linux', 'Windows']

MCMD - S0500

MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.(Citation: Secureworks MCMD July 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MCMD - S0500.

Known Synonyms
MCMD
Internal MISP references

UUID 975737f1-b10d-476f-8bda-3ec26ea57172 which can be used as a unique global reference for MCMD - S0500 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0500
mitre_platforms ['Windows']

pwdump - S0006

pwdump is a credential dumper. (Citation: Wikipedia pwdump)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular pwdump - S0006.

Known Synonyms
pwdump
Internal MISP references

UUID 9de2308e-7bed-43a3-8e58-f194b3586700 which can be used as a unique global reference for pwdump - S0006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0006
mitre_platforms ['Windows']

gsecdump - S0008

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular gsecdump - S0008.

Known Synonyms
gsecdump
Internal MISP references

UUID b07c2c47-fefb-4d7c-a69e-6a3296171f54 which can be used as a unique global reference for gsecdump - S0008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0008
mitre_platforms ['Windows']

at - S0110

at is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular at - S0110.

Known Synonyms
at
at.exe
Internal MISP references

UUID 0c8465c0-d0b4-4670-992e-4eee8d7ff952 which can be used as a unique global reference for at - S0110 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0110
mitre_platforms ['Linux', 'Windows', 'macOS']

ifconfig - S0101

ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)

Internal MISP references

UUID 362dc67f-4e85-4562-9dac-1b6b7f3ec4b5 which can be used as a unique global reference for ifconfig - S0101 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0101

Fgdump - S0120

Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fgdump - S0120.

Known Synonyms
Fgdump
Internal MISP references

UUID 4f45dfeb-fe51-4df0-8db3-edf7dd0513fe which can be used as a unique global reference for Fgdump - S0120 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0120
mitre_platforms ['Windows']

nbtstat - S0102

nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)

Internal MISP references

UUID b35068ec-107a-4266-bda8-eb7036267aea which can be used as a unique global reference for nbtstat - S0102 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0102

route - S0103

route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)

Internal MISP references

UUID c11ac61d-50f4-444f-85d8-6f006067f0de which can be used as a unique global reference for route - S0103 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0103

Rclone - S1040

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rclone - S1040.

Known Synonyms
Rclone
Internal MISP references

UUID 59096109-a1dd-463b-87e7-a8d110fe3a79 which can be used as a unique global reference for Rclone - S1040 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1040
mitre_platforms ['Linux', 'Windows', 'macOS']

netstat - S0104

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular netstat - S0104.

Known Synonyms
netstat
Internal MISP references

UUID 4664b683-f578-434f-919b-1c1aad2a1111 which can be used as a unique global reference for netstat - S0104 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0104

PcShare - S1050

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PcShare - S1050.

Known Synonyms
PcShare
Internal MISP references

UUID 3a53b207-aba2-4a2b-9cdb-273d633669e7 which can be used as a unique global reference for PcShare - S1050 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1050
mitre_platforms ['Windows']

dsquery - S0105

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular dsquery - S0105.

Known Synonyms
dsquery
dsquery.exe
Internal MISP references

UUID 38952eac-cb1b-4a71-bad2-ee8223a1c8fe which can be used as a unique global reference for dsquery - S0105 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0105
mitre_platforms ['Windows']

cmd - S0106

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir (Citation: TechNet Dir)), deleting files (e.g., del (Citation: TechNet Del)), and copying files (e.g., copy (Citation: TechNet Copy)).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular cmd - S0106.

Known Synonyms
cmd
cmd.exe
Internal MISP references

UUID bba595da-b73a-4354-aa6c-224d4de7cb4e which can be used as a unique global reference for cmd - S0106 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0106
mitre_platforms ['Windows']

certutil - S0160

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular certutil - S0160.

Known Synonyms
certutil
certutil.exe
Internal MISP references

UUID 0a68f1f1-da74-4d28-8d9a-696c082706cc which can be used as a unique global reference for certutil - S0160 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0160
mitre_platforms ['Windows']

netsh - S0108

netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular netsh - S0108.

Known Synonyms
netsh
netsh.exe
Internal MISP references

UUID 5a63f900-5e7e-4928-a746-dd4558e1df71 which can be used as a unique global reference for netsh - S0108 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0108
mitre_platforms ['Windows']

BITSAdmin - S0190

BITSAdmin is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BITSAdmin - S0190.

Known Synonyms
BITSAdmin
Internal MISP references

UUID 64764dc6-a032-495f-8250-1e4c06bdc163 which can be used as a unique global reference for BITSAdmin - S0190 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0190
mitre_platforms ['Windows']

Koadic - S0250

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Koadic - S0250.

Known Synonyms
Koadic
Internal MISP references

UUID c8655260-9f4b-44e3-85e1-6538a5f6e4f4 which can be used as a unique global reference for Koadic - S0250 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0250
mitre_platforms ['Windows']

PsExec - S0029

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PsExec - S0029.

Known Synonyms
PsExec
Internal MISP references

UUID ff6caf67-ea1f-4895-b80e-4bb0fc31c6db which can be used as a unique global reference for PsExec - S0029 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0029
mitre_platforms ['Windows']

Net - S0039

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)

Net has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Net - S0039.

Known Synonyms
Net
net.exe
Internal MISP references

UUID 03342581-f790-4f03-ba41-e82e67392e23 which can be used as a unique global reference for Net - S0039 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0039
mitre_platforms ['Windows']

esentutl - S0404

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular esentutl - S0404.

Known Synonyms
esentutl
esentutl.exe
Internal MISP references

UUID c256da91-6dd5-40b2-beeb-ee3b22ab3d27 which can be used as a unique global reference for esentutl - S0404 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0404
mitre_platforms ['Windows']

FlexiSpy - S0408

FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)

FlexiSpy markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlexiSpy - S0408.

Known Synonyms
FlexiSpy
Internal MISP references

UUID 1622fd3d-fcfc-4d02-ac49-f2d786f79b81 which can be used as a unique global reference for FlexiSpy - S0408 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0408
mitre_platforms ['Android']

Reg - S0075

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)

Utilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Reg - S0075.

Known Synonyms
Reg
reg.exe
Internal MISP references

UUID cde2d700-9ed1-46cf-9bce-07364fe8b24f which can be used as a unique global reference for Reg - S0075 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0075
mitre_platforms ['Windows']

Tasklist - S0057

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tasklist - S0057.

Known Synonyms
Tasklist
Internal MISP references

UUID 2e45723a-31da-4a7e-aaa6-e01998a6788f which can be used as a unique global reference for Tasklist - S0057 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0057

ngrok - S0508

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ngrok - S0508.

Known Synonyms
ngrok
Internal MISP references

UUID 2f7f03bb-f367-4a5a-ad9b-310a12a48906 which can be used as a unique global reference for ngrok - S0508 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0508
mitre_platforms ['Windows']

NBTscan - S0590

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NBTscan - S0590.

Known Synonyms
NBTscan
Internal MISP references

UUID b63970b7-ddfb-4aee-97b1-80d335e033a8 which can be used as a unique global reference for NBTscan - S0590 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0590
mitre_platforms ['Windows', 'Linux', 'macOS']

ftp - S0095

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ftp - S0095.

Known Synonyms
ftp
ftp.exe
Internal MISP references

UUID cf23bf4a-e003-4116-bbae-1ea6c558d565 which can be used as a unique global reference for ftp - S0095 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0095
mitre_platforms ['Linux', 'Windows', 'macOS']

Systeminfo - S0096

Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Systeminfo - S0096.

Known Synonyms
Systeminfo
Internal MISP references

UUID 7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1 which can be used as a unique global reference for Systeminfo - S0096 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0096

Ping - S0097

Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ping - S0097.

Known Synonyms
Ping
Internal MISP references

UUID b77b563c-34bb-4fb8-86a3-3694338f7b47 which can be used as a unique global reference for Ping - S0097 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0097

Arp - S0099

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arp - S0099.

Known Synonyms
Arp
arp.exe
Internal MISP references

UUID 30489451-5886-4c46-90c9-0dff9adc5252 which can be used as a unique global reference for Arp - S0099 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0099
mitre_platforms ['Linux', 'Windows', 'macOS']

schtasks - S0111

schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular schtasks - S0111.

Known Synonyms
schtasks
schtasks.exe
Internal MISP references

UUID c9703cd3-141c-43a0-a926-380082be5d04 which can be used as a unique global reference for schtasks - S0111 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0111
mitre_platforms ['Windows']

Lslsass - S0121

Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lslsass - S0121.

Known Synonyms
Lslsass
Internal MISP references

UUID 2fab555f-7664-4623-b4e0-1675ae38190b which can be used as a unique global reference for Lslsass - S0121 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0121
mitre_platforms ['Windows']

UACMe - S0116

UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)

Internal MISP references

UUID 102c3898-85e0-43ee-ae28-62a0a3ed9507 which can be used as a unique global reference for UACMe - S0116 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0116

Rubeus - S1071

Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rubeus - S1071.

Known Synonyms
Rubeus
Internal MISP references

UUID e33267fe-099f-4af2-8730-63d49f8813b2 which can be used as a unique global reference for Rubeus - S1071 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1071
mitre_platforms ['Windows']

Cachedump - S0119

Cachedump is a publicly-available tool that extracts cached password hashes from a system's registry. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cachedump - S0119.

Known Synonyms
Cachedump
Internal MISP references

UUID c9cd7ec9-40b7-49db-80be-1399eddd9c52 which can be used as unique global reference for Cachedump - S0119 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0119
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Pacu - S1091

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pacu - S1091.

Known Synonyms
Pacu
Internal MISP references

UUID 1b3b8f96-43b1-4460-8e02-1f53d7802fb9 which can be used as unique global reference for Pacu - S1091 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1091
mitre_platforms ['IaaS']
Related clusters

To see the related clusters, click here.

Winexe - S0191

Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) Winexe is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)

Internal MISP references

UUID 96fd6cc4-a693-4118-83ec-619e5352d07d which can be used as unique global reference for Winexe - S0191 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0191
Related clusters

To see the related clusters, click here.

xCmd - S0123

xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)

Internal MISP references

UUID 4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b which can be used as unique global reference for xCmd - S0123 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0123
Related clusters

To see the related clusters, click here.

BloodHound - S0521

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BloodHound - S0521.

Known Synonyms
BloodHound
Internal MISP references

UUID 066b057c-944e-4cfc-b654-e3dfba04b926 which can be used as unique global reference for BloodHound - S0521 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0521
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Pupy - S0192

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pupy - S0192.

Known Synonyms
Pupy
Internal MISP references

UUID cb69b20d-56d0-41ab-8440-4a4b251614d4 which can be used as unique global reference for Pupy - S0192 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0192
mitre_platforms ['Linux', 'Windows', 'macOS', 'Android']
Related clusters

To see the related clusters, click here.

MailSniper - S0413

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MailSniper - S0413.

Known Synonyms
MailSniper
Internal MISP references

UUID 999c4e6e-b8dc-4b4f-8d6e-1b829f29997e which can be used as unique global reference for MailSniper - S0413 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0413
mitre_platforms ['Office 365', 'Windows', 'Azure AD']
Related clusters

To see the related clusters, click here.

Expand - S0361

Expand is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by BBSRAT to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Expand - S0361.

Known Synonyms
Expand
Internal MISP references

UUID ca656c25-44f1-471b-9d9f-e2a3bbb84973 which can be used as unique global reference for Expand - S0361 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0361
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Tor - S0183

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tor - S0183.

Known Synonyms
Tor
Internal MISP references

UUID ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68 which can be used as unique global reference for Tor - S0183 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0183
mitre_platforms ['Linux', 'Windows', 'macOS']
Related clusters

To see the related clusters, click here.

Forfiles - S0193

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)

Internal MISP references

UUID 90ec2b22-7061-4469-b539-0989ec4f96c2 which can be used as unique global reference for Forfiles - S0193 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0193
Related clusters

To see the related clusters, click here.

Out1 - S0594

Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.(Citation: Trend Micro Muddy Water March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Out1 - S0594.

Known Synonyms
Out1
Internal MISP references

UUID 80c815bb-b24a-4b9c-9d73-ff4c075a278d which can be used as unique global reference for Out1 - S0594 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0594
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Responder - S0174

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Responder - S0174.

Known Synonyms
Responder
Internal MISP references

UUID a1dd2dbd-1550-44bf-abcc-1a4c52e97719 which can be used as unique global reference for Responder - S0174 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0174
Related clusters

To see the related clusters, click here.

PowerSploit - S0194

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerSploit - S0194.

Known Synonyms
PowerSploit
Internal MISP references

UUID 13cd9151-83b7-410d-9f98-25d0f0d1d80d which can be used as unique global reference for PowerSploit - S0194 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0194
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

meek - S0175

meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular meek - S0175.

Known Synonyms
meek
Internal MISP references

UUID 65370d0b-3bd4-4653-8cf9-daf56f6be830 which can be used as unique global reference for meek - S0175 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0175
mitre_platforms ['Linux', 'Windows', 'macOS']
Related clusters

To see the related clusters, click here.

IronNetInjector - S0581

IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.(Citation: Unit 42 IronNetInjector February 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IronNetInjector - S0581.

Known Synonyms
IronNetInjector
Internal MISP references

UUID b1595ddd-a783-482a-90e1-8afc8d48467e which can be used as unique global reference for IronNetInjector - S0581 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0581
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ConnectWise - S0591

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ConnectWise - S0591.

Known Synonyms
ConnectWise
ScreenConnect
Internal MISP references

UUID 842976c7-f9c8-41b2-8371-41dc64fbe261 which can be used as unique global reference for ConnectWise - S0591 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0591
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SDelete - S0195

SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SDelete - S0195.

Known Synonyms
SDelete
Internal MISP references

UUID d8d19e33-94fd-4aa3-b94a-08ee801a2153 which can be used as unique global reference for SDelete - S0195 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0195
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

AsyncRAT - S1087

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AsyncRAT - S1087.

Known Synonyms
AsyncRAT
Internal MISP references

UUID 6a5947f3-1a36-4653-8734-526df3e1d28d which can be used as unique global reference for AsyncRAT - S1087 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1087
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

MimiPenguin - S0179

MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MimiPenguin - S0179.

Known Synonyms
MimiPenguin
Internal MISP references

UUID 5a33468d-844d-4b1f-98c9-0e786c556b27 which can be used as unique global reference for MimiPenguin - S0179 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0179
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

Havij - S0224

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)

Internal MISP references

UUID fbd727ea-c0dc-42a9-8448-9e12962d1ab5 which can be used as unique global reference for Havij - S0224 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0224
Related clusters

To see the related clusters, click here.

sqlmap - S0225

sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)

Internal MISP references

UUID 9a2640c2-9f43-46fe-b13f-bde881e55555 which can be used as unique global reference for sqlmap - S0225 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0225
Related clusters

To see the related clusters, click here.

QuasarRAT - S0262

QuasarRAT is an open-source remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QuasarRAT - S0262.

Known Synonyms
QuasarRAT
xRAT
Internal MISP references

UUID da04ac30-27da-4959-a67d-450ce47d9470 which can be used as unique global reference for QuasarRAT - S0262 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0262
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

spwebmember - S0227

spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular spwebmember - S0227.

Known Synonyms
spwebmember
Internal MISP references

UUID 33b9e38f-103c-412d-bdcf-904a91fff1e4 which can be used as unique global reference for spwebmember - S0227 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0227
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Remcos - S0332

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remcos - S0332.

Known Synonyms
Remcos
Internal MISP references

UUID 7cd0bc75-055b-4098-a00e-83dc8beaff14 which can be used as unique global reference for Remcos - S0332 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0332
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

PoshC2 - S0378

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoshC2 - S0378.

Known Synonyms
PoshC2
Internal MISP references

UUID 4b57c098-f043-4da2-83ef-7588a6d426bc which can be used as unique global reference for PoshC2 - S0378 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0378
mitre_platforms ['Windows', 'Linux', 'macOS']
Related clusters

To see the related clusters, click here.

AdFind - S0552

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AdFind - S0552.

Known Synonyms
AdFind
Internal MISP references

UUID f59508a6-3615-47c3-b493-6676e1a39a87 which can be used as unique global reference for AdFind - S0552 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0552
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

RemoteUtilities - S0592

RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RemoteUtilities - S0592.

Known Synonyms
RemoteUtilities
Internal MISP references

UUID 03c6e0ea-96d3-4b23-9afb-05055663cf4b which can be used as unique global reference for RemoteUtilities - S0592 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0592
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SILENTTRINITY - S0692

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SILENTTRINITY - S0692.

Known Synonyms
SILENTTRINITY
Internal MISP references

UUID 1244e058-fa10-48cb-b484-0bcf671107ae which can be used as unique global reference for SILENTTRINITY - S0692 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0692
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Xbot - S0298

Xbot is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)

Internal MISP references

UUID da21929e-40c0-443d-bdf4-6b60d15448b4 which can be used as unique global reference for Xbot - S0298 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0298
Related clusters

To see the related clusters, click here.

Empire - S0363

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Empire - S0363.

Known Synonyms
EmPyre
Empire
PowerShell Empire
Internal MISP references

UUID 3433a9e8-1c47-4320-b9bf-ed449061d1c3 which can be used as unique global reference for Empire - S0363 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0363
mitre_platforms ['Linux', 'macOS', 'Windows']
Related clusters

To see the related clusters, click here.

Sliver - S0633

Sliver is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sliver - S0633.

Known Synonyms
Sliver
Internal MISP references

UUID 11f8d7eb-1927-4806-9267-3a11d4d4d6be which can be used as unique global reference for Sliver - S0633 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0633
mitre_platforms ['Windows', 'Linux', 'macOS']
Related clusters

To see the related clusters, click here.

RawDisk - S0364

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RawDisk - S0364.

Known Synonyms
RawDisk
Internal MISP references

UUID 3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 which can be used as unique global reference for RawDisk - S0364 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0364
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

LaZagne - S0349

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LaZagne - S0349.

Known Synonyms
LaZagne
Internal MISP references

UUID b76b2d94-60e4-4107-a903-4a3a7622fb3b which can be used as unique global reference for LaZagne - S0349 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0349
mitre_platforms ['Linux', 'macOS', 'Windows']
Related clusters

To see the related clusters, click here.

Impacket - S0357

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Impacket - S0357.

Known Synonyms
Impacket
Internal MISP references

UUID 26c87906-d750-42c5-946c-d4162c73fc7b which can be used as unique global reference for Impacket - S0357 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0357
mitre_platforms ['Linux', 'macOS', 'Windows']
Related clusters

To see the related clusters, click here.

Ruler - S0358

Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ruler - S0358.

Known Synonyms
Ruler
Internal MISP references

UUID 90ac9266-68ce-46f2-b24f-5eb3b2a8ea38 which can be used as unique global reference for Ruler - S0358 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0358
mitre_platforms ['Windows', 'Office 365']
Related clusters

To see the related clusters, click here.

Nltest - S0359

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nltest - S0359.

Known Synonyms
Nltest
Internal MISP references

UUID 981acc4c-2ede-4b56-be6e-fa1a75f37acf which can be used as unique global reference for Nltest - S0359 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0359
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Peirates - S0683

Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Peirates - S0683.

Known Synonyms
Peirates
Internal MISP references

UUID 79dd477a-8226-4b3d-ad15-28623675f221 which can be used as unique global reference for Peirates - S0683 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0683
mitre_platforms ['Containers']
Related clusters

To see the related clusters, click here.

ShimRatReporter - S0445

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ShimRatReporter - S0445.

Known Synonyms
ShimRatReporter
Internal MISP references

UUID 115f88dd-0618-4389-83cb-98d33ae81848 which can be used as unique global reference for ShimRatReporter - S0445 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0445
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

CARROTBALL - S0465

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.(Citation: Unit 42 CARROTBAT January 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CARROTBALL - S0465.

Known Synonyms
CARROTBALL
Internal MISP references

UUID 5fc81b43-62b5-41b1-9113-c79ae5f030c4 which can be used as unique global reference for CARROTBALL - S0465 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0465
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Wevtutil - S0645

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wevtutil - S0645.

Known Synonyms
Wevtutil
Internal MISP references

UUID f91162cc-1686-4ff8-8115-bf3f61a4cc7a which can be used as unique global reference for Wevtutil - S0645 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0645
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ROADTools - S0684

ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROADTools - S0684.

Known Synonyms
ROADTools
Internal MISP references

UUID 6dbdc657-d8e0-4f2f-909b-7251b3e72c6d which can be used as unique global reference for ROADTools - S0684 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0684
Related clusters

To see the related clusters, click here.

CrackMapExec - S0488

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CrackMapExec - S0488.

Known Synonyms
CrackMapExec
Internal MISP references

UUID c4810609-7da6-48ec-8057-1b70a7814db0 which can be used as unique global reference for CrackMapExec - S0488 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0488
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Donut - S0695

Donut is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020)
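Position-independent shellcode that is injected and run from memory does not go through the image loader, so it leaves a characteristic trace in the target's address space: executable pages that are private (not backed by a mapped image file), and, when a PE or assembly is loaded reflectively, an `MZ` header sitting outside any image region. The block below is an added hunting example, not code from the MISP galaxy page or from the Donut project, and it is generic to in-memory payload loading rather than specific to this tool. The memory-map records are constructed; on a live system they would come from VirtualQueryEx (MEMORY_BASIC_INFORMATION) or a memory-forensics framework. The protection and type constants are the Win32 values.

```python
"""Hunt for injected code in a process memory map: executable memory with no backing image.

Added example, not code from the MISP galaxy page or from the Donut project.
Shellcode that is injected and run from memory ends up in private pages marked
executable, and a module loaded reflectively shows a PE header outside any
MEM_IMAGE region. The region records below are constructed; in practice they
would come from VirtualQueryEx / MEMORY_BASIC_INFORMATION or a forensics tool.
Protection and type constants are the Win32 values.
"""

PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


def is_executable(protect: int) -> bool:
    """True if any of the four PAGE_EXECUTE* bits is set."""
    return bool(protect & EXECUTABLE_MASK)


def triage_region(region: dict) -> list:
    """Return the reasons a committed region looks like injected code (empty if none)."""
    findings = []
    if not is_executable(region["protect"]):
        return findings
    if region["type"] == MEM_PRIVATE:
        findings.append("executable private memory (no backing image)")
    if region["protect"] & PAGE_EXECUTE_READWRITE:
        findings.append("RWX protection")
    if region["type"] != MEM_IMAGE and region.get("head", b"")[:2] == b"MZ":
        findings.append("PE header outside an image mapping (reflectively loaded module)")
    return findings


def hunt_injected_code(regions) -> list:
    """Apply triage_region to every region, keeping input order."""
    hits = []
    for region in regions:
        findings = triage_region(region)
        if findings:
            hits.append({"base": region["base"], "size": region["size"], "findings": findings})
    return hits


SAMPLE_REGIONS = [  # constructed memory map for one process
    # Normally loaded DLL: executable, but backed by an image mapping.
    {"base": 0x7FFE10000000, "size": 0x1F0000, "protect": PAGE_EXECUTE_READ,
     "type": MEM_IMAGE, "mapped_file": "C:\\Windows\\System32\\ntdll.dll", "head": b"MZ\x90\x00"},
    # Process heap: private but not executable.
    {"base": 0x1A2B0000, "size": 0x100000, "protect": PAGE_READWRITE,
     "type": MEM_PRIVATE, "mapped_file": None, "head": b"\x00\x00\x00\x00"},
    # Injected shellcode: private, RWX, starts with ordinary code bytes (sub rsp, 0x28).
    {"base": 0x1F4A0000, "size": 0x3000, "protect": PAGE_EXECUTE_READWRITE,
     "type": MEM_PRIVATE, "mapped_file": None, "head": b"\x48\x83\xec\x28"},
    # Reflectively loaded PE: private, RX, begins with an MZ header.
    {"base": 0x20000000, "size": 0x40000, "protect": PAGE_EXECUTE_READ,
     "type": MEM_PRIVATE, "mapped_file": None, "head": b"MZ\x90\x00"},
    # JIT code cache (e.g. the .NET CLR): private RX without MZ, a common benign hit.
    {"base": 0x21000000, "size": 0x10000, "protect": PAGE_EXECUTE_READ,
     "type": MEM_PRIVATE, "mapped_file": None, "head": b"\x55\x48\x8b\xec"},
]

if __name__ == "__main__":
    for hit in hunt_injected_code(SAMPLE_REGIONS):
        print(hex(hit["base"]), hit["findings"])
```

The last sample region is the caveat: JIT compilers legitimately produce private executable memory, so "executable private memory" alone is a hunting lead rather than a verdict and needs allow-listing by process image (or by the presence of the CLR) before it becomes an alert. RWX protection and an out-of-image `MZ` header are far rarer in benign processes and are the findings worth paging on.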

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Donut - S0695.

Known Synonyms
Donut
Internal MISP references

UUID a7b5df47-73bb-4d47-b701-869f185633a6 which can be used as unique global reference for Donut - S0695 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0695
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

AADInternals - S0677

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AADInternals - S0677.

Known Synonyms
AADInternals
Internal MISP references

UUID 2c5281dd-b5fd-4531-8aea-c1bf8a0f8756 which can be used as unique global reference for AADInternals - S0677 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0677
mitre_platforms ['Windows', 'Azure AD', 'Office 365']
Related clusters

To see the related clusters, click here.

Mythic - S0699

Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mythic - S0699.

Known Synonyms
Mythic
Internal MISP references

UUID d505fc8b-2e64-46eb-96d6-9ef7ffca5b66 which can be used as unique global reference for Mythic - S0699 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0699
mitre_platforms ['Windows', 'Linux', 'macOS']
Related clusters

To see the related clusters, click here.