Unrivaled Threat Detection, Intelligence, and Advanced Coverage Across All Environments
Why Uptycs is a Leader
in Threat Detection
Uptycs offers some of the most comprehensive and advanced threat detection capabilities in the industry. Our research-backed approach, cutting-edge threat intelligence, and expert implementation ensure unrivaled protection across hybrid and cloud-native environments.
Key Areas of Expertise
Understand the behaviors behind the threats
Uptycs identifies malicious activities based on behavioral patterns, catching both known and emerging threats in real time. Our IOBs go beyond static signatures to catch threats as they evolve, adapting to zero-day attacks and insider threats.
Mastering the essentials of threat intelligence
We continuously monitor and detect traditional indicators such as malware signatures, compromised IPs, and hash values from over 800 toolkits. With over 100 threat actor profiles covered by our research team, Uptycs excels in detecting, classifying, and responding to known threats with speed and precision.
The language of threat detection
Uptycs leverages industry-leading YARA rules to detect advanced persistent threats (APT). Our platform simplifies YARA rule creation, enabling detection of over 500 APT toolkits and offering unmatched malware hunting capabilities, outpacing CrowdStrike and Microsoft.
Harnessing the power of ML and AI for anomaly detections
Our platform automatically identifies outliers in your environment by combining machine learning and statistical analysis. Whether it's abnormal CPU usage, disk activity, or network connections, Uptycs’ anomaly detection ensures threats are caught even before they're fully understood.
Why It Matters for Your Organization
With Uptycs, security teams have the tools they need to showcase their efforts effectively:
Our insights are tailored to help mid-level and senior managers present key findings up the chain to CISOs and boards. You’ll have comprehensive yet digestible data and infographics to support business decisions.
Backed by expert research, Uptycs helps position your organization as a leader in threat management. Leverage our in-depth reports, covering the latest in IOBs, IOCs, and APT threats, to stay ahead of the curve.
Uptycs by the Numbers
Comprehensive threat detection from dev to runtime in cloud and hybrid environments
- Cloud
- Endpoint
- Container
- Kuberenetes
- Github
- Linux
- Windows
- macOS
- AIX
- AWS
- Azure
- GCP
- Cloud
- Cloud
- Endpoint
- Container
- Kuberenetes
- Github
- Linux
- Windows
- macOS
- AIX
- AWS
- Azure
- GCP
- Cloud
| Detection Name | Platform | OS / Cloud | Tactic/Technique |
|---|---|---|---|
| Malicious binary event | Cloud | All OS | |
| Hosts file bad IPs | Cloud | All OS | |
| AWS Cross account activity | Cloud | AWS | |
| Uptycs virus total | Cloud | All OS | |
| Ensure that your user-managed service account keys are rotated every 90 days | Cloud | GCP | |
| Ensure that no service accounts have admin, owner or write privileges. | Cloud | GCP | |
| Deleted an IAM Service Account | Cloud | GCP | |
| Ensure that no users are using their personal Gmail accounts for access to GCP | Cloud | GCP | |
| Ensure there are no IAM members with Service Account User and Service Account Token Creator roles at the project level. | Cloud | GCP | |
| Ensure that no service accounts have both the Service Account User and Service Account Admin role attached | Cloud | GCP | |
| Created a user which is using the personal Gmail accounts for access to GCP | Cloud | GCP | |
| Ensures that service account keys are rotated within 90 days of creation. | Cloud | GCP | |
| Ensure that no service accounts have the Service Account User role attached | Cloud | GCP | |
| Ensure that separation of duties is implemented for all Google Cloud service account roles. | Cloud | GCP | |
| Ensure that the use of IAM primitive roles is limited within your Google Cloud projects | Cloud | GCP | |
| Ensure that no service accounts have both the KMS admin role and any of CryptoKey roles attached. | Cloud | GCP | |
| Attached service account User and Admin role to a service account | Cloud | GCP | |
| Created an IAM Service Account | Cloud | GCP | |
| Ensure there are no user-managed keys associated with your GCP service accounts | Cloud | GCP | |
| Created or Updated a Cloud Function which allows Internal Traffic and traffic from Cloud Load Balancing | Cloud | GCP | |
| Ensure that Cloud function is running with an HTTPS trigger | Cloud | GCP | |
| Created or Updated a Cloud Function where all the ingress traffic originates from the VPC network within the service perimeter | Cloud | GCP | |
| Permission granted to create a Cloud Function | Cloud | GCP | |
| Permission granted to update a Cloud Function | Cloud | GCP | |
| Ensure that Cloud function is not running with an outdated Runtime | Cloud | GCP | |
| Ensure GCP Function has HTTP Enforcement | Cloud | GCP | |
| Ensure that Cloud function does not have policy bindings with 'all authenticated users' | Cloud | GCP | |
| Set up Maintenance Actions for VM Instances | Cloud | GCP | |
| Ensure that instances are not configured to use the default service account | Cloud | GCP | |
| Deleted a created VM instance | Cloud | GCP | |
| Enable "Shielded VM" Security Feature | Cloud | GCP | |
| Ensure that Google Cloud VM instances are not using public IP addresses | Cloud | GCP | |
| Ensure that project-wide SSH keys are not used to access your Google Cloud VM instances | Cloud | GCP | |
| Instance created with Default Service Account | Cloud | GCP | |
| Ensure connecting to serial ports is not enabled for VM instances. | Cloud | GCP | |
| Ensure OS login is enabled for the project | Cloud | GCP | |
| Ensure Customer Supplied Encryption Keys (CSEKs) is enabled on disks | Cloud | GCP | |
| Ensure that VM instances are not associated with default service accounts | Cloud | GCP | |
| Disable IP forwarding on all instances | Cloud | GCP | |
| Ensure that VM instances are not associated with default service accounts that allow full access to all Google Cloud API's | Cloud | GCP | |
| Created a new Compute Engine VM Instance | Cloud | GCP | |
| Ensure Confidential Computing for your virtual machine instances is enabled | Cloud | GCP | |
| Ensure that Shielded VM feature is enabled for VM instances | Cloud | GCP | |
| Check for Virtual Machine Instances with Public IP Addresses | Cloud | GCP | |
| Turn off preemptibility for VM instances. | Cloud | GCP | |
| Ensure OS Login for GCP Projects is enabled | Cloud | GCP | |
| Enable "Block Project-Wide SSH Keys" Security Feature | Cloud | GCP | |
| Ensure that interactive serial console support is not enabled for your Google Cloud instances | Cloud | GCP | |
| Activate automatic restart for VM instances. | Cloud | GCP | |
| Check for Instance-Associated Service Accounts with Full API Access | Cloud | GCP | |
| Rotate Google Cloud KMS Keys | Cloud | GCP | |
| Created a KMS key which is not rotated within a period of 90 days | Cloud | GCP | |
| Cloud Run Service is running with Compute Engine default Service Account | Cloud | GCP | |
| Created a Cloud Run Service with Allow Unauthenticated Invocations enabled | Cloud | GCP | |
| Created a FileStore Instance | Cloud | GCP | |
| Ensure FileStore is encrypted using CMEKs (Customer Managed Encryption Keys) | Cloud | GCP | |
| Deleted a FileStore Instance | Cloud | GCP | |
| Ensure algorithm used for key-signing key in Cloud DNS DNSSEC is strong | Cloud | GCP | |
| Ensure that GCP Cloud DNS zones are NOT using the RSASHA1 algorithm for DNSSEC zone-signing | Cloud | GCP | |
| Ensure DNSSEC is enabled for all managed zones in the cloud DNS service | Cloud | GCP | |
| Deleted a BigQuery Dataset | Cloud | GCP | |
| GCP BigQuery Datasets are Publicly Accessible | Cloud | GCP | |
| GCP BigQuery Dataset Encryption with Customer-Managed Encryption Keys is Not Enabled | Cloud | GCP | |
| GCP BigQuery Dataset Table Encryption with Customer-Managed Keys | Cloud | GCP | |
| Created a BigQuery Dataset | Cloud | GCP | |
| A Redis instance is using the default endpoint port 6379 | Cloud | GCP | |
| The MemoryStore Redis instance does not have encryption during transit. | Cloud | GCP | |
| Created or Updated a Redis instance with In-transit encryption disabled | Cloud | GCP | |
| Authentication for the MemoryStore Redis instance is disabled | Cloud | GCP | |
| Enable Application-Layer Secrets Encryption for GKE Clusters | Cloud | GCP | |
| Enable master authorized networks on all clusters | Cloud | GCP | |
| Ensure GKE uses private nodes | Cloud | GCP | |
| Ensure that intra - node visibility is enabled to configure networking on each GKE node | Cloud | GCP | |
| Enable logging on all clusters | Cloud | GCP | |
| Disabled Vulnerability scanning which scans images automatically | Cloud | GCP | |
| Enable network policy on all clusters | Cloud | GCP | |
| Enable monitoring on all clusters | Cloud | GCP | |
| Ensure cluster labels on all Kubernetes clusters | Cloud | GCP | |
| Ensure that cluster nodes are not using default service account | Cloud | GCP | |
| Enable Customer Optimized OS on all cluster nodes | Cloud | GCP | |
| Permission granted to delete a Cloud SQL Instance | Cloud | GCP | |
| Ensure that PostgreSQL database instances have the "log_disconnections" flag set to On | Cloud | GCP | |
| Ensure that PostgreSQL database instances have the "log_temp_files" flag set to 0 (On) | Cloud | GCP | |
| Ensure that PostgreSQL database instances have the "log_lock_waits" flag set to On | Cloud | GCP | |
| [Deprecated] Automatic storage increase limit is disabled for a CloudSQL Instance | Cloud | GCP | |
| Ensure that SQL Server database instances have "cross db ownership chaining" flag set to Off | Cloud | GCP | |
| Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances | Cloud | GCP | |
| Ensure that SQL Server database instances have "contained database authentication" flag set to Off. | Cloud | GCP | |
| Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag | Cloud | GCP | |
| Ensure that MySQL database instances have the "local_infile" flag set to Off (disabled) | Cloud | GCP | |
| Cloud SQL database instance is not configured with Automated Backups | Cloud | GCP | |
| Permission granted to create a Cloud SQL Instance | Cloud | GCP | |
| Ensure that the SQL DB instance label is set for easy identification and searches | Cloud | GCP | |
| Ensure that Cloud SQL database instances are not wide open to the Internet | Cloud | GCP | |
| Ensure that your MySQL database instances have Point-in-Time Recovery feature enabled | Cloud | GCP | |
| Ensure that Cloud SQL database instances don't have public IP addresses assigned | Cloud | GCP | |
| Ensure that SQL Server database instances require all incoming connections to use SSL/TLS | Cloud | GCP | |
| Ensure that Cloud SQL instances are encrypted with Customer-Managed Keys (CMKs) | Cloud | GCP | |
| Ensure that PostgreSQL database instances have "log_checkpoints" flag set to On | Cloud | GCP | |
| Permission granted to update the Cloud SQL Instance | Cloud | GCP | |
| Ensure that PostgreSQL database instances have the "log_connections" configuration flag set to On | Cloud | GCP | |
| Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled) | Cloud | GCP | |
| Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag. | Cloud | GCP | |
| Ensure that SQL instances have a failover replica to be cross-AZ for high availability | Cloud | GCP | |
| Ensure that Cloud SQL database instances are configured with automated backups | Cloud | GCP | |
| Ensure that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off) | Cloud | GCP | |
| Deleted a Pub/Sub topic | Cloud | GCP | |
| Created a Pub/Sub topic with no Customer-Managed Keys encryption | Cloud | GCP | |
| Enable Pub/Sub Topic Encryption with Customer-Managed Keys | Cloud | GCP | |
| Ensure dead letter topics for Pub/Sub subscription is configured | Cloud | GCP | |
| Ensure that your Cloud Storage objects are encrypted using Customer-Managed Keys (CMKs) | Cloud | GCP | |
| Permission granted to update the Cloud Storage Bucket metadata | Cloud | GCP | |
| Created a new Cloud Storage Bucket | Cloud | GCP | |
| Updated a Storage Bucket which becomes publicly accessible | Cloud | GCP | |
| Permission granted to update storage bucket IAM policies | Cloud | GCP | |
| Ensure that website index (main) page suffix and error (404 not found) page are defined for your GCP storage buckets | Cloud | GCP | |
| Ensures object versioning is enabled on storage buckets | Cloud | GCP | |
| Deleted a Cloud Storage Bucket | Cloud | GCP | |
| Ensure there is a sufficient retention period configured for Google Cloud Storage objects | Cloud | GCP | |
| Ensure that Google Cloud Storage buckets have uniform bucket-level access enabled | Cloud | GCP | |
| [Deprecated] Enable Uniform Bucket-Level Access for Cloud Storage Buckets | Cloud | GCP | |
| Ensure that your GCP Storage buckets are using lifecycle management rules | Cloud | GCP | |
| Check for Insecure SSL Cipher Suites | Cloud | GCP | |
| Cloud Load Balancer is not configured to only accept connections on HTTPS ports | Cloud | GCP | |
| Created or Updated Load Balancing Backend Service with Logging disabled | Cloud | GCP | |
| HTTPS for Google Cloud Load Balancers is not enabled | Cloud | GCP | |
| Created or Updated a Load Balancer with CloudCDN disabled | Cloud | GCP | |
| Created or Updated a Secret with CMKs encryption disabled | Cloud | GCP | |
| Created or Updated a Secret with Automatic Rotation disabled | Cloud | GCP | |
| Ensure that your VPC firewall logging is not configured to include logging metadata. | Cloud | GCP | |
| Ensure that you enable logging for each VPC firewall rule that you want to track. | Cloud | GCP | |
| Ensure that your GCP projects are not using the default VPC. | Cloud | GCP | |
| Created or Updated a VPC Subnet with Flow Logs Disabled | Cloud | GCP | |
| Created or Updated a VPC subnet with Private IP Google Access disabled | Cloud | GCP | |
| Permission granted for IAM Service Accounts Signblob | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to create a new Compute Engine Instance | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for IAM Service Accounts Implicit Delegation | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to create a new Cloud Function | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to create IAM service account key | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted to update the user IAM role | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to act as IAM Service Account | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to request an Access Token for the IAM Service Account | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to create a new Cloud Run Service | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for IAM Service Accounts SignJWT | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to update the Cloud Function | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Permission granted for a role to create Cloud Scheduler Jobs | Cloud | GCP | Privilege Escalation: T1078: Valid Accounts |
| Ensure that Cloud Monitoring log retention period is set for 365 days or greater | Cloud | GCP | |
| GCP Cloud Logging Global Scope Not Enabled for Cloud Logging Buckets | Cloud | GCP | |
| Ensure that monitoring for cloud storage IAM permission changes are monitored | Cloud | GCP | |
| Stopped a Virtual Machine | Cloud | Azure | |
| Unattached Disk Volume is not encrypted | Cloud | Azure | |
| [Template] Ensure that Azure virtual machine app tier disk volumes are encrypted | Cloud | Azure | |
| An Azure virtual machine containing secrets within the user_data attribute | Cloud | Azure | |
| All unused load balancers in your Microsoft Azure cloud account must be identified and removed | Cloud | Azure | |
| Virtual machine is not configured to use managed disk volumes | Cloud | Azure | |
| Virtual Machine is launched with non-approved machine image | Cloud | Azure | |
| Encryption is not enabled for Azure virtual machine non boot volumes | Cloud | Azure | |
| Deleted a Virtual Machine | Cloud | Azure | |
| Created or Updated a Virtual Machine | Cloud | Azure | |
| [Template] Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted | Cloud | Azure | |
| Virtual machine is not configured to use SSH keys for authentication | Cloud | Azure | |
| Automatic OS upgrades for your Azure Virtual Machine Scale Set are currently deactivated | Cloud | Azure | |
| Encryption is not enabled for Azure virtual machine boot volumes | Cloud | Azure | |
| The AKS cluster is currently operating without Azure Policy for Kubernetes clusters | Cloud | Azure | |
| The AKS cluster is currently not configured to utilize Azure Active Directory (Azure AD) authentication | Cloud | Azure | |
| The AKS cluster is currently not configured to use a network policy plugin | Cloud | Azure | |
| The AKS cluster is using publicly accessible nodes | Cloud | Azure | |
| Ensure that your Azure Cosmos DB accounts are configured to deny default network access | Cloud | Azure | |
| The Azure Cosmos DB firewall settings allow access from all public Azure datacenters | Cloud | Azure | |
| Enable Automatic Failover feature | Cloud | Azure | |
| Ensure that only clients/networks from allowed IP addresses are given access | Cloud | Azure | |
| Created or Updated Azure Cosmos Database | Cloud | Azure | |
| Enable Advance threat protection for Cosmos DB | Cloud | Azure | |
| Deleted Azure Cosmos Database | Cloud | Azure | |
| Created or Updated Load Balancer | Cloud | Azure | |
| Deleted a MySQL Database | Cloud | Azure | |
| Deleted Network Security Group | Cloud | Azure | |
| Deleted a Storage Account | Cloud | Azure | |
| Deleted a PostgreSQL Database | Cloud | Azure | |
| Created or Updated Network Security Group Rule | Cloud | Azure | |
| Deleted Network Security Group Rule | Cloud | Azure | |
| Created, Updated or Deleted SQL Server Firewall Rule | Cloud | Azure | |
| Deleted a Load Balancer | Cloud | Azure | |
| Administration activities are performed by a Managed Identity | Cloud | Azure | |
| Created or Updated Azure SQL Database | Cloud | Azure | |
| Created or Updated Database for MySQL Servers | Cloud | Azure | |
| Updated a Key Vault | Cloud | Azure | |
| Administration activities for Storage Account committed from a Malicious IP/Tor IP | Cloud | Azure | |
| Deleted a Security Solution | Cloud | Azure | |
| Deleted a Key Vault | Cloud | Azure | |
| DNS configuration changes have been detected within your account | Cloud | Azure | |
| Created or Updated SSH Public Key | Cloud | Azure | |
| Created a Policy Assignment | Cloud | Azure | |
| Deleted Azure SQL Database | Cloud | Azure | |
| Created or Updated Security Solution | Cloud | Azure | |
| Created or Updated Database for PostgreSQL Servers | Cloud | Azure | |
| Created or Updated Storage Account | Cloud | Azure | |
| Deleted a Policy Assignment | Cloud | Azure | |
| Created or Updated Network Security Group | Cloud | Azure | |
| Created or Updated Security Policy | Cloud | Azure | |
| Enable role-based access control (RBAC) within Azure Kubernetes Services | Cloud | Azure | |
| Ensure that "Also send email notification to subscription owners" feature is enabled within Azure Security Center. | Cloud | Azure | |
| Security Center is currently disabled for App Service | Cloud | Azure | |
| Security Center is currently disabled for Key Vault | Cloud | Azure | |
| Ensure that Azure Defender is enabled for Microsoft SQL database servers. | Cloud | Azure | |
| Ensure that the Azure Defender feature is enabled for Azure Storage accounts. | Cloud | Azure | |
| Security Center is currently disabled for Servers | Cloud | Azure | |
| Ensure that "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level. | Cloud | Azure | |
| Enable adaptive application safe listing monitoring for Microsoft Azure virtual machines | Cloud | Azure | |
| Ensure that your Microsoft Azure Key Vault instances are recoverable | Cloud | Azure | |
| [Template] Ensure that your Microsoft Azure Key Vault SSL certificates are using the allowed key type(s). | Cloud | Azure | |
| Azure Key Vault does not have firewall rules configured. | Cloud | Azure | |
| "Allow trusted Microsoft services to bypass this firewall" setting is enabled for an Azure Key Vault | Cloud | Azure | |
| Expiration date is not set for a Key Vault Secret | Cloud | Azure | |
| Ensure that soft delete is enabled on key vault. | Cloud | Azure | |
| Expiration Date is not set for a key | Cloud | Azure | |
| The Azure Key Vault is currently not configured with a virtual network service endpoint. | Cloud | Azure | |
| Ensure that your Microsoft Azure Key Vault RSA certificates are generated with the minimum key size allowed within your organisation | Cloud | Azure | |
| Ensure that Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates | Cloud | Azure | |
| Ensure that Azure SQL database servers are accessible via private endpoints only | Cloud | Azure | |
| Database auditing is not enabled at the Azure SQL database server level | Cloud | Azure | |
| The "Also send email notifications to admins and subscription owners" option for the SQL Server Vulnerability Assessment (VA) is currently turned off or disabled | Cloud | Azure | |
| All types of threat detection for your Microsoft Azure SQL database servers is not Enabled | Cloud | Azure | |
| SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account | Cloud | Azure | |
| Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers | Cloud | Azure | |
| Data encryption is set 'Disabled' on a SQL Database | Cloud | Azure | |
| The SQL Server ATP Admin is not Receiving Alerts | Cloud | Azure | |
| The list of emails to whom the SQL Server Vulnerability Assessment (VA) scan reports should be sent is currently empty | Cloud | Azure | |
| Ensure that AuditActionGroup property is well configured at the Azure SQL database server level | Cloud | Azure | |
| SQL server ATP are disabled | Cloud | Azure | |
| Enable threat detection email notification alerts for your Microsoft Azure SQL servers | Cloud | Azure | |
| Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases | Cloud | Azure | |
| Enable administrators and subscription owners to receive threat detection email notification alerts for SQL servers | Cloud | Azure | |
| The configuration for 'Infrastructure double encryption' is currently disabled for the MySQL Database Server | Cloud | Azure | |
| Azure MySQL Server not using private endpoints | Cloud | Azure | |
| The Azure MySQL Server Firewall is configured to allow access from all Azure services | Cloud | Azure | |
| Enforce SSL connection is set to 'DISABLED' to for a MySQL Database Server | Cloud | Azure | |
| The Azure MySQL server does not have any tags assigned to it | Cloud | Azure | |
| Public network access is currently enabled for Azure MySQL Server | Cloud | Azure | |
| Ensure that all load balancers should have backend server resources | Cloud | Azure | |
| Ensure that Prevention mode is set on WAF policy for Microsoft Azure Application gateway | Cloud | Azure | |
| Ensure that each Microsoft Azure WAF Policy has tags | Cloud | Azure | |
| Enforce SSL connection is set to 'DISABLED' to for a PostgreSQL Database Server | Cloud | Azure | |
| Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled | Cloud | Azure | |
| Ensure connection duration logs are enabled for PostgreSQL servers | Cloud | Azure | |
| Log Disconnections is set to 'OFF' for a PostgreSQL Database Server | Cloud | Azure | |
| Connection Throttling is set to 'OFF' for a PostgreSQL Database Server | Cloud | Azure | |
| Log Checkpoints is set to 'OFF' for a PostgreSQL Database Server | Cloud | Azure | |
| Enable Storage Auto-Growth feature for Microsoft Azure PostgreSQL servers | Cloud | Azure | |
| Log Connections is set to 'OFF' for a PostgreSQL Database Server | Cloud | Azure | |
| Ensure 'Allow access to Azure services' is OFF in Firewall Rules under each database | Cloud | Azure | |
| Log Retention Days is not greater than 3 days for a PostgreSQL Database Server | Cloud | Azure | |
| Configure an Active Directory administrator for all PostgreSQL servers | Cloud | Azure | |
| Public network access is currently enabled for Azure Cache for Redis | Cloud | Azure | |
| Ensure that azure Redis Cache servers are using the latest version of the TLS protocol | Cloud | Azure | |
| Deleted Azure Cache for Redis | Cloud | Azure | |
| Azure Cache for Redis without private endpoint | Cloud | Azure | |
| Created or Updated Azure Cache for Redis | Cloud | Azure | |
| Azure Cache For Redis with basic SKU | Cloud | Azure | |
| The Azure Storage account's Queue service is not utilizing customer-managed keys encryption | Cloud | Azure | |
| Ensure that Azure Storage containers created to host static websites are not publicly accessible | Cloud | Azure | |
| Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification | Cloud | Azure | |
| Ensure storage for critical data are encrypted with Customer Managed Key | Cloud | Azure | |
| Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies | Cloud | Azure | |
| Ensure that Azure Blob Storage service has a lifecycle management policy configured | Cloud | Azure | |
| Ensure that storage logging is enabled for the Azure Storage Blob service | Cloud | Azure | |
| Ensure default network access rule for Storage Accounts is set to deny | Cloud | Azure | |
| Ensure that detailed storage logging is enabled for the Azure Storage Queue service | Cloud | Azure | |
| Ensure that "Secure transfer required" is set to "Enabled" | Cloud | Azure | |
| Azure Storage Account without firewall and private endpoint configured | Cloud | Azure | |
| Ensure that "Public access level" is set to Private for blob containers | Cloud | Azure | |
| Ensure there is a retention period of at least 30 days configured for Azure Blob Storage soft deleted data | Cloud | Azure | |
| The encryption feature for the infrastructure of the Azure Storage Account is currently turned off | Cloud | Azure | |
| Ensure that anonymous access to blob containers is disabled within your Azure Storage account | Cloud | Azure | |
| Ensures that Azure Network route tables have tags associated | Cloud | Azure | |
| Ensures that Microsoft Azure Virtual Network has tags associated | Cloud | Azure | |
| Ensures that Virtual Networks have multiple subnets in order to provide a layered architecture | Cloud | Azure | |
| Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled | Cloud | Azure | |
| Ensure there are no unnecessary guest users. | Cloud | Azure | |
| Ensure that "Users can create Office 365 groups in Azure portals" is set to "No" in your AAD settings | Cloud | Azure | |
| Ensure that only Active Directory (AD) administrators have permission to manage security groups. | Cloud | Azure | |
| Security Defaults is disabled for Microsoft Azure Active Directory | Cloud | Azure | |
| Ensure that there are 2 alternate methods for users to identify themselves before resetting their password | Cloud | Azure | |
| Ensure that only Active Directory (AD) administrators have permission to create security groups | Cloud | Azure | |
| Ensure that Web Application FireWall (WAF) is enabled for Application Gateways | Cloud | Azure | |
| Microsoft Azure App Service web application is not using the latest version of the HTTP protocol (i.e. HTTP/2) | Cloud | Azure | |
| Web app is not using the latest version of TLS encryption | Cloud | Azure | |
| The âRemote debuggingâ setting is currently not enabled on your app service | Cloud | Azure | |
| Microsoft Azure App Service web applications redirect all non-secure HTTP traffic to HTTPS | Cloud | Azure | |
| Microsoft Azure App Services web applications does not enforce FTPS-only access to encrypt FTP traffic | Cloud | Azure | |
| The Azure Active Directory (AD) system-assigned identity has not been assigned to the app service | Cloud | Azure | |
| Ensure that Azure App Service web applications are using incoming client certificates | Cloud | Azure | |
| Registration with Azure Active Directory (AAD) is disabled for Microsoft Azure App Service web application | Cloud | Azure | |
| App Service Authentication is disabled within Microsoft Azure Cloud Account | Cloud | Azure | |
| Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers. | Cloud | Azure | |
| App Service Authentication is not set on Azure App Service | Cloud | Azure | |
| Function App should only be accessed via HTTPS | Cloud | Azure | |
| The "Always on" setting is currently not enabled on your app service | Cloud | Azure | |
| Ensure that no network security groups with range of ports are opened to allow incoming traffic. | Cloud | Azure | |
| Network Security Group Flow Log retention period is not greater than '90' days | Cloud | Azure | |
| Malicious process Detected - Malware | Endpoint | All OS | |
| Bad IP - Malware | Endpoint | All OS | |
| Bad domain - Coinminer | Endpoint | All OS | |
| Bad IP - Attack | Endpoint | All OS | |
| Bad IP - Phishing | Endpoint | All OS | |
| Bad domain - Not Recommended Website | Endpoint | All OS | |
| Bad domain - DGA | Endpoint | All OS | |
| Bad IP - NRD | Endpoint | All OS | |
| Bad domain - Attack | Endpoint | All OS | |
| Bad domain - Malware | Endpoint | All OS | |
| Bad domain - Phishing | Endpoint | All OS | |
| Bad IP - DGA | Endpoint | All OS | |
| Bad IP - Coinminer | Endpoint | All OS | |
| Bad IP - Anonymizer | Endpoint | All OS | |
| Bad domain - Anonymizer | Endpoint | All OS | |
| Bad domain - NRD | Endpoint | All OS | |
| Bad IP - Not Recommended Website | Endpoint | All OS | |
| GitHub Team Added or Removed From a Repository | Github | Github | |
| GitHub Repository Renamed | Github | Github | |
| GitHub New Branch Created | Github | Github | |
| GitHub Users Invited to Join | Github | Github | |
| GitHub Branch Protection Turned OFF | Github | Github | |
| GitHub Repository Visibility Changed to Public | Github | Github | |
| GitHub Access Token Expired | Github | Github | |
| GitHub Public Repository Created | Github | Github | |
| GitHub Access Token Reached API Limit | Github | Github | |
| GitHub IaC scanner checks failed on PR | Github | Github | |
| GitHub User Removed From Organization | Github | Github | |
| GitHub IaC scan completed | Github | Github | |
| UPTYCS_UNSEEN_CHROME_EXTENSIONS_NAME | Cloud | All OS | |
| UPTYCS_UNSEEN_USERS_NAME | Cloud | All OS | |
| UPTYCS_UNSEEN_RPM_PACKAGES_NAME | Cloud | All OS | |
| UPTYCS_UNSEEN_PROCESS_EVENTS_SHA256 | Cloud | All OS | |
| UPTYCS_UNSEEN_PROCESSES_NAME | Cloud | All OS | |
| UPTYCS_UNSEEN_DNS_LOOKUP_EVENTS_QUESTION | Cloud | All OS | |
| UPTYCS_UNSEEN_PROCESS_FILE_EVENTS_SHA256 | Cloud | All OS | |
| UPTYCS_UNSEEN_SOCKET_EVENTS_REMOTE_ADDRESS | Cloud | All OS | |
| UPTYCS_UNSEEN_STARTUP_ITEMS_NAME | Cloud | All OS | |
| Powershell suspicious screen capture activity detected - T1113 - Screen Capture - Windows | Endpoint | Windows | Collection: T1113: Screen Capture Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| GTFOBIN_easy_install_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Registry value updated/added with base64 data - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| GTFOBIN_view_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Suspicious use of ioreg to get hard disk details - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| Data compression utilities launched - T1560.001 - Archive via Utility - macOS | Endpoint | macOS | Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility |
| New shim database files created in the default shim database directory using PowerShell - T1546.011 - Application Shimming - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.011: Event Triggered Execution, Application Shimming |
| Extrac32.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Tasklist.exe execution detected from monitored applications - T1007 - System Service Discovery - Windows | Endpoint | Windows | Discovery: T1007, T1057: System Service Discovery, Process Discovery |
| Process attempted to monitor mouse input - T1056.001 - Keylogging - Linux | Container | Linux | Collection: T1056, T1056.001, T1560: Input Capture, Keylogging, Archive Collected Data |
| Process or script trying to hide process artifacts - T1564 - Hide Artifacts - Linux | Container | Linux | Defense Evasion: T1564: Hide Artifacts |
| Sftp transferring files - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Process attempted to clear paging cache - T1562.001 - Disable or Modify Tools - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Pod created with host volume mount via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| System cluster role being deleted using external request in kubernetes cluster - T1070 - Defense Evasion - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1070: Indicator Removal |
| Replace binary of sticky keys detected - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| AnyDesk execution Detected - T1219 - Remote Access Software - Windows | Endpoint | Windows | Command and Control: T1219: Remote Access Software |
| Nmap execution detected for portscan - T1595.001 - Active Scanning - Linux | Container | Linux | Reconnaissance: T1595, T1595.001, T1595.002: Active Scanning, Scanning IP Blocks, Vulnerability Scanning Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| GTFOBIN_ftp_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Net.exe execution detected for network share discovery - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1018, T1135: Remote System Discovery, Network Share Discovery Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Stratus executed detected - T1562.008 - Disable or Modify Cloud Logs - Linux | Container | Linux | Defense Evasion: T1562, T1562.008: Impair Defenses, Disable Cloud Logs |
| Kubernetes cluster utilities communicating with public IP - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Process attempted to masquerade kernel mode worker - T1036.004 - Masquerade Task or Service - AIX | Endpoint | AIX | Defense Evasion: T1036, T1036.004, T1036.005: Masquerading, Masquerade Task or Service, Match Legitimate Name or Location |
| Process attempted to perform DLL Search Order Hijacking - T1574.001 - Persistence - Windows | Endpoint | Windows | Persistence: T1574, T1574.001, T1574.002, T1574.006, T1574.007, T1574.008: Hijack Execution Flow, DLL Search Order Hijacking, DLL Side-Loading, Dynamic Linker Hijacking, Path Interception by PATH Environment Variable, Path Interception by Search Order Hijacking |
| Process attempted inter-process communication using domain socket - T1559 - Inter-Process Communication - Linux | Container | Linux | Execution: T1559: Inter-Process Communication |
| Tracert.exe execution detected - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1016, T1018: System Network Configuration Discovery, Remote System Discovery |
| Process accessing credentials from registry - T1003.002 - Security Account Manager - Windows | Endpoint | Windows | Credential Access: T1003, T1003.002: OS Credential Dumping, Security Account Manager |
| Container process creating hidden files of directories - T1564.001 - Hidden Files and Directories - Linux | Container | Linux | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Cmd/Powershell spawns Sc.exe to identify/install system services - T1543.003 - Windows Service - Windows | Endpoint | Windows | Execution: T1059, T1059.001, T1569, T1569.002: Command and Scripting Interpreter, PowerShell, System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Arp.exe executed via cmd.exe - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Ifconfig or Arp utility executed - T1016 - System Network Configuration Discovery - macOS | Endpoint | macOS | Discovery: T1016: System Network Configuration Discovery |
| Container process accessing cgroup information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| WmiPrvSE spawns new process - T1047 - Execution - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Process attempted to enumerate installed security solution - T1518.001 - Security Software Discovery - macOS | Endpoint | macOS | Discovery: T1518, T1518.001: Software Discovery, Security Software Discovery |
| Powershell bypassing AMSI by modifying AMSI provider registry key - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| GTFOBIN_stdbuf_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to execute scheduled task on remote machine - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| New pods being created in default namespace using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Arp.exe executed via monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| NSudo.exe execution detected - T1068 - Exploitation for Privilege Escalation - Windows | Endpoint | Windows | Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Kubectl utility launched to access kubernetes secrets on host - T1552 - Unsecured Credentials - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Process attempted to build a container image - T1612 - Build Image on Host - Linux | Endpoint | Linux | Defense Evasion: T1612: Build Image on Host |
| PowerShell executing Invoke-FileFinder script for file discovery - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1135: Network Share Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Suspicious use of grep to check for Credentials from Password Stores - T1539 - Steal Web Session Cookie - macOS | Endpoint | macOS | Credential Access: T1539: Steal Web Session Cookie |
| Process attempting to enumerate network share folders and drives - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1135: Network Share Discovery Execution: T1106: Native API Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Email Hiding Rules creation/modification detected - T1564.008 - Email Hiding Rules - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.008: Hide Artifacts, Email Hiding Rules Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Ldapsearch utility launched to query an LDAP directory - T1069 - Permission Groups Discovery - macOS | Endpoint | macOS | Discovery: T1069, T1087, T1615: Permission Groups Discovery, Account Discovery, Group Policy Discovery |
| Process modified PAM configuration - T1556.003 - Pluggable Authentication Modules - macOS | Endpoint | macOS | Credential Access: T1556, T1556.003: Modify Authentication Process, Pluggable Authentication Modules |
| Sysmon.exe execution detected - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process attempting to stop Service - T1489 - Impact - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools Execution: T1106: Native API Impact: T1489: Service Stop |
| Nginx_spawning local shell (Potential Reverse Shell Detected) - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Container process modified kernel core dump configuration - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| Process from StartUp executing Script Interpreter - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059: Command and Scripting Interpreter |
| Dump64.exe execution detected for process dump - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory |
| Pluginkit utility executed - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543: Create or Modify System Process |
| Portainer utility is running inside container - T1595 - Active Scanning - Linux | Container | Linux | Discovery: T1046: Network Service Discovery Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Process created or modify Systemd Timer - T1053.006 - Systemd Timers - Linux | Endpoint | Linux | Execution: T1053, T1053.006: Scheduled Task/Job, Systemd Timers Exfiltration: T1029: Scheduled Transfer |
| Process attempting Kerberoasting detected - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Execution: T1106: Native API |
| Process masqueraded system service file name - T1036.004 - Masquerade Task or Service - Linux | Container | Linux | Defense Evasion: T1036, T1036.004: Masquerading, Masquerade Task or Service |
| Process attempted to modify bash profile - T1546.004 - Unix Shell Configuration Modification - macOS | Endpoint | macOS | Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| PowerShell using New-PSDrive flag to map admin share - T1021.002 - SMB/Windows Admin Shares - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| GTFOBIN_time_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to enumerate containers - T1613 - Container and Resource Discovery - Linux | Endpoint | Linux | Discovery: T1613: Container and Resource Discovery |
| Ldap utility launched inside Container - T1136.002 - Domain Account - Linux | Container | Linux | Persistence: T1136, T1136.002: Create Account, Domain Account |
| Mail Transport Agent Installation detected - T1505.002 - Transport Agent - Windows | Endpoint | Windows | Collection: T1114: Email Collection Command and Control: T1071, T1071.003: Application Layer Protocol, Mail Protocols Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Persistence: T1505, T1505.002: Server Software Component, Transport Agent |
| GTFOBIN_php_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to access TCC.db File - T1562.001 - Disable or Modify Tools - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Touch utility executed to modify Emond config file - T1546.014 - Emond - macOS | Endpoint | macOS | Privilege Escalation: T1546, T1546.014: Event Triggered Execution, Emond |
| Touch utility launched to change the access time of file - T1070.006 - Timestomp - Linux | Container | Linux | Defense Evasion: T1070, T1070.006: Indicator Removal on Host, Timestomp |
| MpCmdRun.exe execution detected - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Suspicious process attempting to connect to GSuite web services - T1102 - Web Service - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1090, T1090.001, T1090.002, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Proxy, Internal Proxy, External Proxy, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Process attempted to detect virtualization/sandbox - T1497 - Virtualization/Sandbox Evasion - Linux | Container | Linux | Defense Evasion: T1497: Virtualization/Sandbox Evasion |
| Web server trying to start unwanted process - T1203 - Exploitation for Client Execution - AIX | Endpoint | AIX | Execution: T1203: Exploitation for Client Execution |
| Process attempting to find System Location - T1614 - System Location Discovery - Windows | Endpoint | Windows | Discovery: T1614: System Location Discovery Execution: T1106: Native API |
| Database server process attempting to modify OS credentials - T1003.008 - /etc/passwd and /etc/shadow - Linux | Container | Linux | Credential Access: T1003, T1003.008, T1552, T1552.001: OS Credential Dumping, /etc/passwd and /etc/shadow, Unsecured Credentials, Credentials In Files Persistence: T1136, T1505: Create Account, Server Software Component |
| FsiAnyCpu.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted inter-process communication using network socket - T1559 - Inter-Process Communication - AIX | Endpoint | AIX | Execution: T1559: Inter-Process Communication |
| Process attempting to perform Pass the Ticket attack - T1550.003 - Pass the Ticket - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Defense Evasion: T1550, T1550.003: Use Alternate Authentication Material, Pass the Ticket Execution: T1106: Native API |
| Id utility launched to get current user information - T1033 - System Owner/User Discovery - macOS | Endpoint | macOS | Discovery: T1033, T1087: System Owner/User Discovery, Account Discovery |
| Obfuscated Data Detected - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Command and Control: T1001, T1132, T1132.001: Data Obfuscation, Data Encoding, Standard Encoding Defense Evasion: T1027: Obfuscated Files or Information |
| Smb utility launched to mount or unmount SMB share - T1021.002 - SMB/Windows Admin Shares - macOS | Endpoint | macOS | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Process trying to get AWS lamba information - T1613 - Container and Resource Discovery - Linux | Container | Linux | Discovery: T1082, T1613: System Information Discovery, Container and Resource Discovery |
| Powershell execution detected for mail exchange - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to access web application cookies - T1539 - Steal Web Session Cookie - Windows | Endpoint | Windows | Credential Access: T1539, T1555, T1555.003: Steal Web Session Cookie, Credentials from Password Stores, Credentials from Web Browsers |
| Process attempted to access WebCam to capture photos/videos - T1125 - Video Capture - Windows | Endpoint | Windows | Collection: T1125: Video Capture |
| Netsh.exe executed via CMD/PowerShell - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| GTFOBIN_nmap_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to impair command history logging - T1562.003 - Impair Command History Logging - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.003: Impair Defenses, Impair Command History Logging |
| Process accessing Ntds.dit file database - T1003.003 - NTDS - Windows | Endpoint | Windows | Credential Access: T1003, T1003.003: OS Credential Dumping, NTDS |
| Unexpected child shell process executed - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process or script trying to find or access network shares - T1135 - Network Share Discovery - Linux | Container | Linux | Discovery: T1135: Network Share Discovery |
| Openssl utility being used to encrypt/decrypt file - T1027 - Obfuscated Files or Information - Linux | Endpoint | Linux | Command and Control: T1001, T1132: Data Obfuscation, Data Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Process created hidden file in LaunchAgents/LaunchDaemons - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories Persistence: T1543, T1543.001, T1543.004: Create or Modify System Process, Launch Agent, Launch Daemon |
| Cmd.exe used to launch Chrome to download payload from monitored application - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Process attempted to rename system binaries - T1036 - Masquerading - AIX | Container | AIX | Defense Evasion: T1036: Masquerading |
| Process attempted to perform COM Hijacking - T1546.015 - Component Object Model Hijacking - Windows | Endpoint | Windows | Execution: T1559, T1559.001: Inter-Process Communication, Component Object Model Privilege Escalation: T1546, T1546.015: Event Triggered Execution, Component Object Model Hijacking |
| Scripting process drooped files in hidden directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Collection: T1119: Automated Collection Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Process attempting to access secrets using external request in kubernetes cluster - T1552.007 - Credential Access - Kubernetes | Kuberenetes | Kubernetes | Credential Access: T1552.007, T1552: Container API, Unsecured Credentials |
| Dscl utility executed to list local accounts - T1087.001 - Account Discovery - macOS | Endpoint | macOS | Discovery: T1087, T1087.001: Account Discovery, Local Account |
| Process added content as debugger to be triggered by Image File Execution Option - T1546.012 - Image File Execution Options Injection - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.012: Event Triggered Execution, Image File Execution Options Injection |
| Process downloaded/uploaded encoded data - T1132.001 - Standard Encoding - Windows | Endpoint | Windows | Command and Control: T1001, T1071, T1071.001, T1102, T1102.002, T1132, T1132.001, T1573: Data Obfuscation, Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Data Encoding, Standard Encoding, Encrypted Channel Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Container process modified .bashrc or .bash_profile - T1546.004 - Unix Shell Configuration Modification - Linux | Endpoint | Linux | Defense Evasion: T1480, T1480.001: Execution Guardrails, Environmental Keying Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| Suspicious process using ptrace API to hook into remote process - T1055.008 - Ptrace System Calls - Linux | Container | Linux | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| Web Shell attack Detected & Blocked on Endpoint - T1505.003 - Web Shell - macOS | Endpoint | macOS | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Remote User Logon detected - T1078 - Valid Accounts - Windows | Endpoint | Windows | Defense Evasion: T1078, T1078.002: Valid Accounts, Domain Accounts |
| Process created SSH tunnel - T1572 - Protocol Tunneling - macOS | Endpoint | macOS | Command and Control: T1572: Protocol Tunneling Exfiltration: T1041: Exfiltration Over C2 Channel Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Kerberos Authentication Detected - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting |
| Reverse shell detected - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059, T1106: Command and Scripting Interpreter, Native API |
| Csrutil launched to get System Integrity Protection (SIP) status - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| PowerShell making dns query - T1071 - Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1071: Application Layer Protocol |
| Regsvr32.exe execution detected for loading a binary in memory - T1218.010 - Regsvr32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.010: System Binary Proxy Execution, Regsvr32 |
| Curl dropped executable file - T1204.002 - Malicious File - AIX | Endpoint | AIX | Execution: T1204, T1204.002: User Execution, Malicious File |
| Permission Groups Discovery PowerShell - T1069 - Permission Groups Discovery - Windows | Endpoint | Windows | Discovery: T1069: Permission Groups Discovery |
| Process attempting to disable process crash dump - T1562 - Impair Defenses - Windows | Endpoint | Windows | Defense Evasion: T1562: Impair Defenses |
| Lua script attempted to spawn reverse shell - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Remote SSH connection detected - T1021.004 - SSH - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Suspicious process spawned via node package manager - T1059.007 - JavaScript - Linux | Container | Linux | Execution: T1059, T1059.007: Command and Scripting Interpreter, JavaScript |
| Process attempted to enumerate netrc file - T1552 - Unsecured Credentials - Linux | Container | Linux | Credential Access: T1552: Unsecured Credentials |
| Database server attempted to get users information - T1033 - System Owner/User Discovery - Linux | Endpoint | Linux | Discovery: T1033: System Owner/User Discovery |
| RegSvcs.exe execution detected from monitored applications - T1218.009 - Regsvcs/Regasm - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.009: System Binary Proxy Execution, Regsvcs/Regasm |
| Process attempted to masquerade filename with space after filename - T1036.006 - Space After Filename - AIX | Endpoint | AIX | Defense Evasion: T1036, T1036.006: Masquerading, Space after Filename |
| Process attempted to delete a file - T1070.004 - File Deletion - AIX | Endpoint | AIX | Defense Evasion: T1070, T1070.004: Indicator Removal on Host, File Deletion |
| Detected use of powershell to enumerate services - T1007 - System Service Discovery - Windows | Endpoint | Windows | Discovery: T1007: System Service Discovery Persistence: T1574, T1574.010: Hijack Execution Flow, Services File Permissions Weakness |
| Remote desktop utility executed - T1219 - Remote Access Software - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Setcap utility executed - T1548 - Abuse Elevation Control Mechanism - Linux | Container | Linux | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Msconfig.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| InternalMonologue.exe execution detected for retrieving NTLM hashes - T1556 - Modify Authentication Process - Windows | Endpoint | Windows | Credential Access: T1556: Modify Authentication Process |
| Web server dropped files in monitored directories - T1204.002 - Malicious File - AIX | Endpoint | AIX | Collection: T1005, T1074, T1074.001, T1074.002: Data from Local System, Data Staged, Local Data Staging, Remote Data Staging Execution: T1204, T1204.002: User Execution, Malicious File |
| Pkill utility executed to kill cfprefsd daemon - T1562.001 - Disable or Modify Tools - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| GTFOBIN_time_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Winrar.exe spawning suspicious process (CVE-2023-38831) - T1203 - Exploitation for Client Execution - Windows | Endpoint | Windows | Execution: T1203: Exploitation for Client Execution |
| Dsquery.exe execution detected from monitored applications - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1482: Domain Trust Discovery |
| Keylogging Attack Detected & Blocked on Endpoint - T1056.001 - Keylogging - macOS | Endpoint | macOS | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Suspicious use of dd utility to obfuscate files - T1027.001 - Binary Padding - macOS | Endpoint | macOS | Defense Evasion: T1027, T1027.001: Obfuscated Files or Information, Binary Padding |
| Reg.exe executed to dump SAM credentials - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping |
| Shred utility executed for Data deletion - T1485 - Data Destruction - Linux | Container | Linux | Defense Evasion: T1070, T1070.004, T1027.005: Indicator Removal, File Deletion, Indicator Removal from Tools Impact: T1485: Data Destruction |
| Process trying to access /etc/hosts - T1018 - Discovery - Linux | Container | Linux | Discovery: T1018: Remote System Discovery |
| Quser.exe executed - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Reflective Code Loading using PowerShell detected - T1620 - Reflective Code Loading - Windows | Endpoint | Windows | Defense Evasion: T1620: Reflective Code Loading |
| Container process attempted to drift image (chmod) - T1222.002 - Linux and Mac File and Directory Permissions Modification - Linux | Container | Linux | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Process dropped windows executable file in monitored directories - T1570 - Lateral Tool Transfer - AIX | Endpoint | AIX | Lateral Movement: T1570: Lateral Tool Transfer Command and Control: T1105: Ingress Tool Transfer Collection: T1119: Automated Collection |
| Xencrypt powershell script execution detected - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027: Obfuscated Files or Information |
| Powershell execution detected with Get-NetTCPConnection command - T1049 - System Network Connections Discovery - Windows | Endpoint | Windows | Discovery: T1049: System Network Connections Discovery |
| Wget dropped executable file in tmp directory - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| Container process accessed VNC password file - T1552 - Unsecured Credentials - Linux | Container | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files Lateral Movement: T1021, T1021.005: Remote Services, VNC |
| Process dropped script file in AppData folder - TA0002 - Execution - Windows | Endpoint | Windows | |
| Psexesvc.exe execution detected - T1569.002 - Service Execution - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Execution: T1569, T1569.002: System Services, Service Execution Lateral Movement: T1021, T1021.002, T1570: Remote Services, SMB/Windows Admin Shares, Lateral Tool Transfer Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service Resource Development: T1588, T1588.001, T1588.002: Obtain Capabilities, Malware, Tool |
| Shutdown utility executed - T1529 - System Shutdown/Reboot - macOS | Endpoint | macOS | Impact: T1529: System Shutdown/Reboot |
| Data compression utilities launched - T1560.001 - Archive via Utility - Linux | Container | Linux | Collection: T1560, T1560.001, T1074: Archive Collected Data, Archive via Utility, Data Staged Exfiltration: T1020, T1041: Automated Exfiltration, Exfiltration Over C2 Channel |
| Process attempted to enumerate cloud credentials - T1552.001 - Credentials in Files - macOS | Endpoint | macOS | Credential Access: T1552, T1552.001, T1552.004: Unsecured Credentials, Credentials In Files, Private Keys |
| Pod created with host PID enabled via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Telnet utility launched to connect remote address - T1021 - Remote Services - macOS | Endpoint | macOS | Lateral Movement: T1021: Remote Services |
| Adfind execution detected for remote system discovery - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Chattr utility executed to change file attributes - T1564 - Hide Artifacts - Linux | Container | Linux | Defense Evasion: T1564: Hide Artifacts |
| Process or script trying to get system information - T1082 - Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| Host process mining crypto using stratum protocol - T1496 - Resource Hijacking - Linux | Endpoint | Linux | Impact: T1496: Resource Hijacking |
| Database server attempted to delete logs from the system - T1070.002 - Clear Linux or Mac System Logs - Linux | Container | Linux | Defense Evasion: T1070, T1070.002: Indicator Removal on Host, Clear Linux or Mac System Logs Persistence: T1505: Server Software Component |
| Netcat in container attempting remote code execution - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Schtasks.exe execution detected to create new scheduled task as a startup script - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Detected use of WinRM to enable windows remote management - T1021.006 - Windows Remote Management - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.006: Remote Services, Windows Remote Management |
| Container process mining crypto using stratum protocol - T1496 - Resource Hijacking - Linux | Container | Linux | Impact: T1496: Resource Hijacking |
| Powershell using Get-AppxPackage command for software discovery - T1518 - Software Discovery - Windows | Endpoint | Windows | Discovery: T1518: Software Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| SyncAppvPublishingServer.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process trying to access cloud instance metadata API - T1552.005 - Cloud Instance Metadata API - Linux | Container | Linux | Credential Access: T1552, T1552.005: Unsecured Credentials, Cloud Instance Metadata API |
| GTFOBIN_strace_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Powershell/cmd child process made network connection to access local network resources - T1570 - Lateral Tool Transfer - Windows | Endpoint | Windows | Lateral Movement: T1570: Lateral Tool Transfer |
| Kubectl executed inside container - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1609: Container Administration Command |
| Utility launched to manipulate user account - T1098 - Account Manipulation - AIX | Endpoint | AIX | Persistence: T1098: Account Manipulation |
| Process attempting to disable NLA for RDP Sessions - T1556 - Modify Authentication Process - Windows | Endpoint | Windows | Credential Access: T1556: Modify Authentication Process Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Xattr utility launched to manipulate file attributes - T1553 - Gatekeeper Bypass - macOS | Endpoint | macOS | Defense Evasion: T1553, T1553.001: Subvert Trust Controls, Gatekeeper Bypass |
| Findstr.exe execution detected - TA0002 - Execution - Windows | Endpoint | Windows | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Process using dsenableroot to enable or disable the root account - T1098 - Account Manipulation - macOS | Endpoint | macOS | Defense Evasion: T1078: Valid Accounts Persistence: T1098: Account Manipulation |
| Python spawning local shell (Possible Reverse Shell) - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004, T1059.006: Command and Scripting Interpreter, Unix Shell, Python |
| GTFOBIN_timeout_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to exfiltrate data - T1048 - Exfiltration Over Alternative Protocol - Linux | Container | Linux | Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Process attempted to load ntoskrnl to inject in kernel space - T1553.006 - Code Signing Policy Modification - Windows | Endpoint | Windows | Defense Evasion: T1553, T1553.006: Subvert Trust Controls, Code Signing Policy Modification Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Unsigned process attempting to perform screen capture - T1113 - Screen Capture - macOS | Endpoint | macOS | Collection: T1113: Screen Capture |
| UAC Bypass Detected - T1548.002 - Bypass User Access Control - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Accessing Shell History File - T1552.003 - Bash History - AIX | Endpoint | AIX | Credential Access: T1552, T1552.003: Unsecured Credentials, Bash History |
| WSReset.exe execution detected from monitored applications - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Process attempting to access webcam - T1125 - Video Capture - Windows | Endpoint | Windows | Collection: T1125: Video Capture |
| Process attempted to install root certificate - T1553.004 - Install Root Certificate - Windows | Endpoint | Windows | Defense Evasion: T1553, T1553.004: Subvert Trust Controls, Install Root Certificate |
| Process using trap command to execute code - T1546.005 - Trap - AIX | Endpoint | AIX | Privilege Escalation: T1546, T1546.005: Event Triggered Execution, Trap |
| Detected powershell execution with Net.Sockets.TcpClient flag - T1049 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1049: System Network Connections Discovery |
| Process or script executed from memfd - T1106 - Native API - Linux | Endpoint | Linux | Execution: T1106: Native API |
| Scripting Interpreter dropped archive file - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_tar_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to create transient systemd service and timer - T1053.006 - Systemd Timers - Linux | Container | Linux | Execution: T1053, T1053.006: Scheduled Task/Job, Systemd Timers |
| Process attempting to access SMB shares - T1021.002 - SMB/Windows Admin Shares - Linux | Container | Linux | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Mktemp utility executed to temporary file/directory - T1564 - Hide Artifacts - macOS | Endpoint | macOS | Defense Evasion: T1564: Hide Artifacts |
| Tccutil utility executed to reset TCC permissions - T1562 - Impair Defenses - macOS | Endpoint | macOS | Defense Evasion: T1562: Impair Defenses |
| Cloud utility executed with IAM command - T1098.003 - Additional Cloud Roles - macOS | Endpoint | macOS | Persistence: T1098, T1098.001, T1098.003: Account Manipulation, Additional Cloud Credentials, Additional Cloud Roles |
| Vsjitdebugger.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Dsmemberutil utility executed - T1087 - Account Discovery - macOS | Endpoint | macOS | Discovery: T1087: Account Discovery |
| Process trying to access bash history - T1552.003 - Bash History - AIX | Endpoint | AIX | Credential Access: T1552, T1552.003: Unsecured Credentials, Bash History |
| GTFOBIN_sed_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process using Uptycs Sensor Command Line Mode to extract system information - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| Process prompted the user for their credential - T1056.002 - GUI Input Capture - Windows | Endpoint | Windows | Collection: T1056, T1056.002: Input Capture, GUI Input Capture Execution: T1106: Native API |
| Process attempted to get system location - T1614 - System Location Discovery - Linux | Container | Linux | Discovery: T1614: System Location Discovery |
| Rcsi.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to setuid - T1548.001 - Setuid and Setgid - Linux | Container | Linux | Privilege Escalation: T1548, T1548.001: Abuse Elevation Control Mechanism, Setuid and Setgid |
| GTFOBIN_rpm_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Container initialised with Host's User Namespace - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Process attempting to perform Virtual Machine Fingerprinting - T1497 - Virtualization/Sandbox Evasion - macOS | Endpoint | macOS | Defense Evasion: T1497, T1497.001: Virtualization/Sandbox Evasion, System Checks |
| Container process attempted to change root directory - T1211 - Exploitation for Defense Evasion - Linux | Container | Linux | Defense Evasion: T1211: Exploitation for Defense Evasion |
| Runscripthelper.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Powershell modifying/querying AMSI provider - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Suspicious use of xwd for capture screenshot - T1113 - Screen Capture - AIX | Endpoint | AIX | Collection: T1113: Screen Capture |
| Network sniffing tool launched to capture network traffic on Host - T1040 - Network Sniffing - Linux | Endpoint | Linux | Credential Access: T1040: Network Sniffing |
| System process running with different file name - T1036 - Masquerading - Windows | Endpoint | Windows | Defense Evasion: T1036, T1036.003, T1036.005: Masquerading, Rename System Utilities, Match Legitimate Name or Location |
| Pip installed python package - T1059.006 - Python - Linux | Endpoint | Linux | Execution: T1059, T1059.006, T1072: Command and Scripting Interpreter, Python, Software Deployment Tools |
| Process with hidden binary in Application Support directory - T1564 - Hide Artifacts - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Web server trying to get system information - T1082 - System Information Discovery - AIX | Endpoint | AIX | Discovery: T1082: System Information Discovery Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Touch utility executed to create plist file in LaunchAgents - T1543.001 - Launch Agent - macOS | Endpoint | macOS | Persistence: T1543, T1543.001: Create or Modify System Process, Launch Agent |
| Process attempted to masquerade file name - T1036.002 - Right-to-Left Override - AIX | Endpoint | AIX | Defense Evasion: T1036, T1036.002: Masquerading, Right-to-Left Override |
| Powershell execution with schedule task/service commands detected - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Process trying to update /etc/hosts - T1018 - Remote System Discovery - AIX | Endpoint | AIX | Discovery: T1018: Remote System Discovery |
| Findstr.exe used to find critical keys - T1552.004 - Private Keys - Windows | Endpoint | Windows | Credential Access: T1552, T1552.001, T1552.004: Unsecured Credentials, Credentials In Files, Private Keys |
| Bginfo.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| OpenVPN client running inside container - T1133 - External Remote Services - Linux | Container | Linux | Persistence: T1133: External Remote Services |
| Process dropped EICAR file in monitored directories - T1204.002 - Malicious File - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File |
| Process launched with (DYLD) environment configuration - T1574.006 - Dynamic Linker Hijacking - macOS | Endpoint | macOS | Persistence: T1574, T1574.004, T1574.006: Hijack Execution Flow, Dylib Hijacking, Dynamic Linker Hijacking |
| Web server dropped files in monitored directories - T1204.002 - User Execution - Linux | Container | Linux | Collection: T1005, T1074, T1074.001, T1074.002: Data from Local System, Data Staged, Local Data Staging, Remote Data Staging Execution: T1204, T1204.002: User Execution, Malicious File |
| Container process making suspicious UDP communication - T1095 - Command And Control - Linux | Container | Linux | Command and Control: T1095: Non-Application Layer Protocol |
| Process deleted or dropped plist file in Startup Items - T1037 - Boot or Logon Initialization Scripts - macOS | Endpoint | macOS | Persistence: T1037: Boot or Logon Initialization Scripts |
| Mkdir utility launched to create directory in LaunchDaemons - T1543.004 - Launch Daemon - macOS | Endpoint | macOS | Persistence: T1543, T1543.004: Create or Modify System Process, Launch Daemon |
| Detected use of powershell to enable windows remote management - T1021.006 - Windows Remote Management - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.006: Remote Services, Windows Remote Management |
| Cp utility launched to create plist file in LaunchAgents - T1543.001 - Launch Agent - macOS | Endpoint | macOS | Persistence: T1543, T1543.001: Create or Modify System Process, Launch Agent |
| Process trying to create or modify schedule task - T1053 - Scheduled Task/Job - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Database process modifying DB server configuration - T1210 - Exploitation of Remote Services - AIX | Endpoint | AIX | Lateral Movement: T1210: Exploitation of Remote Services |
| Cmstp.exe loading inf file from temp/startup directory - T1218.003 - CMSTP - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.003: System Binary Proxy Execution, CMSTP |
| Ipconfig.exe execution detected from powershell/cmd - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Whoami.exe execution detected - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Wget process started from /tmp directory - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer |
| COM Hijack using powershell - T1546.015 - Component Object Model Hijacking - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.015: Event Triggered Execution, Component Object Model Hijacking |
| New role masquerading system role being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Process attempting to access device location - T1614 - System Location Discovery - Windows | Endpoint | Windows | Discovery: T1082, T1124, T1614: System Information Discovery, System Time Discovery, System Location Discovery |
| Process attempted to exfilterate data to DNS resolver - T1583.002 - DNS Server - Linux | Container | Linux | Resource Development: T1583, T1583.002, T1584, T1584.002: Acquire Infrastructure, DNS Server, Compromise Infrastructure, DNS Server |
| Vssadmin.exe execution detected for deleting shadow copies - T1490 - Inhibit System Recovery - Windows | Endpoint | Windows | Impact: T1490: Inhibit System Recovery |
| Network sniffing tool launched to capture network traffic in Container - T1040 - Network Sniffing - Linux | Container | Linux | Credential Access: T1040: Network Sniffing |
| Process attempting to intercept keystrokes via HID APIs - T1056.001 - Keylogging - macOS | Endpoint | macOS | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Remote process dropped executable file in monitored directories - T1105 - Ingress Tool Transfer - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Coinminer Attack Detected on Endpoint - T1496 - Resource Hijacking - macOS | Endpoint | macOS | Impact: T1496: Resource Hijacking |
| Rundll32.exe execution detected with MiniDump export function - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory |
| Process attempting to masquerade filename - T1036.006 - Space after Filename - macOS | Endpoint | macOS | Defense Evasion: T1036, T1036.006: Masquerading, Space after Filename |
| Process using linux utility to get system information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1046, T1049, T1082: Network Service Discovery, System Network Connections Discovery, System Information Discovery |
| New role binding with cluster-admin being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| TFTP utility dropped executable files in monitored directories - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1204: User Execution |
| Suspicious use of wget to download file in tmp directory - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1573, T1573.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Encrypted Channel, Asymmetric Cryptography |
| Web server dropped archive file - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1074, T1074.002, T1560, T1560.003: Data Staged, Remote Data Staging, Archive Collected Data, Archive via Custom Method Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| GTFOBIN_mysql_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process modified appinit registry key - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Web server attempted to drop web shell inside container - T1505.003 - Web Shell - Linux | Container | Linux | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Ransomware execution detected (No file extension change) - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Impact: T1486: Data Encrypted for Impact |
| Powershell executed Invoke-ExecuteMSBuild script - T1127.001 - MSBuild - Windows | Endpoint | Windows | Defense Evasion: T1127, T1127.001: Trusted Developer Utilities Proxy Execution, MSBuild Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| New configmap being created using external request in kubernetes cluster - T1610 - Execution Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Powershell spawned Linux utilities - T1059.001 - PowerShell - Linux | Container | Linux | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| System Utility launched to get system information - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| PlistBuddy utility executed to list browser information - T1217 - Browser Information Discovery - macOS | Endpoint | macOS | Discovery: T1217: Browser Bookmark Discovery |
| Mshta.exe execution detected - T1218.005 - Mshta - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.005: System Binary Proxy Execution, Mshta |
| Process dropped kerberos ticket on Linux host - T1550.003 - Pass the Ticket - AIX | Endpoint | AIX | Defense Evasion: T1550, T1550.003: Use Alternate Authentication Material, Pass the Ticket |
| Process using hostname utility to get the system name - T1082 - Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| Wmic.exe executed via CMD/PowerShell - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| FUSE filesystem being mounted - T1564.005 - Hidden File System - Linux | Container | Linux | Defense Evasion: T1564, T1564.005: Hide Artifacts, Hidden File System |
| Takeown.exe execution detected - T1222 - File and Directory Permissions Modification - Windows | Endpoint | Windows | Defense Evasion: T1222: File and Directory Permissions Modification |
| Scripting process from cron communicating on higher port - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059: Command and Scripting Interpreter |
| Wmic made network connection - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Container process attempted to mount or unmount devices - T1211 - Exploitation for Defense Evasion - Linux | Container | Linux | Defense Evasion: T1211: Exploitation for Defense Evasion |
| Plink.exe execution detected - T1572 - Protocol Tunneling - Windows | Endpoint | Windows | Command and Control: T1572: Protocol Tunneling |
| Container exploitation tool running inside container for breakout - T1611 - Escape to Host - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container Privilege Escalation: T1611: Escape to Host |
| Process modified firewall configuration - T1562.004 - Disable or Modify System Firewall - Linux | Container | Linux | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Csc.exe executed via CMD/PowerShell - T1027.004 - Compile After Delivery - Windows | Endpoint | Windows | Defense Evasion: T1027, T1027.004: Obfuscated Files or Information, Compile After Delivery Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Web server trying to get users information - T1033 - System Owner/User Discovery - AIX | Endpoint | AIX | Discovery: T1033: System Owner/User Discovery |
| Process attempting to Create Service with CreateService API - T1543.003 - Windows Service - Windows | Endpoint | Windows | Execution: T1106: Native API Persistence: T1543, T1543.002, T1543.003: Create or Modify System Process, Systemd Service, Windows Service |
| Ilasm.exe execution detected - T1127 - Trusted Developer Utilities Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Web server launched suspicious python script - T1059.006 - Python - Linux | Container | Linux | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Powershell using Get-Eventslog command to enumerate users in the system - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033: System Owner/User Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to install Tor service - T1090.003 - Multi-hop Proxy - Linux | Container | Linux | Command and Control: T1090, T1090.003: Proxy, Multi-hop Proxy |
| Web server spawning lsof or netstat to get system information - T1049 - System Network Connections Discovery - AIX | Endpoint | AIX | Discovery: T1049: System Network Connections Discovery |
| Nltest.exe execution detected - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1069, T1069.002, T1087, T1087.002, T1482: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account, Domain Trust Discovery |
| Browser loaded extension - T1176 - Browser Extensions - Windows | Endpoint | Windows | Persistence: T1176: Browser Extensions |
| Data compression utility executed - T1560.001 - Archive via Utility - macOS | Endpoint | macOS | Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility |
| Process loading Avicap32.dll for Screen Capture - T1113 - Collection - Windows | Endpoint | Windows | Collection: T1113: Screen Capture |
| Process created remote file - T1105 - Ingress Tool Transfer - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer |
| Verclsid.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Server Application Exploitation Detected & Blocked on Endpoint - T1505 - Server Software Component - macOS | Endpoint | macOS | Credential Access: T1212: Exploitation for Credential Access Defense Evasion: T1211: Exploitation for Defense Evasion Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Disallowed namespace being created using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Scripting Process attempted reverse shell execution via pipes - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process exfiltrating data through ICMP protocol - T1095 - Non-Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1095: Non-Application Layer Protocol Defense Evasion: T1205: Traffic Signaling Exfiltration: T1020, T1041, T1048, T1048.003: Automated Exfiltration, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted Non-C2 Protocol |
| Process attempting to enumerate network connections - T1049 - System Network Connections Discovery - Windows | Endpoint | Windows | Discovery: T1049: System Network Connections Discovery Execution: T1106: Native API |
| Aha.pl utility launched for event subscription - T1546 - Event Triggered Execution - AIX | Endpoint | AIX | Privilege Escalation: T1546: Event Triggered Execution |
| Replicaset being created using external request in kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Process communicating through FTP protocol - T1071.002 - File Transfer Protocols - Windows | Endpoint | Windows | Command and Control: T1071, T1071.002, T1105: Application Layer Protocol, File Transfer Protocols, Ingress Tool Transfer Exfiltration: T1020, T1048: Automated Exfiltration, Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Process attempting to access bookmarks file - T1217 - Browser Information Discovery - Linux | Container | Linux | Discovery: T1217: Browser Bookmark Discovery |
| GTFOBIN_Irb acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Osascript utility launched to create hidden Login Item via Apple Script - T1059.002 - AppleScript - macOS | Endpoint | macOS | Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript Persistence: T1547, T1547.015: Boot or Logon Autostart Execution, Login Items |
| Web Server spawned suspicious process - T1505.003 - Web Shell - Windows | Endpoint | Windows | Persistence: T1505, T1505.003: Server Software Component, Web Shell Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process transferred data on base64/base32 encoded URL - T1132.001 - Standard Encoding - Linux | Container | Linux | Command and Control: T1132, T1132.001, T1571: Data Encoding, Standard Encoding, Non-Standard Port |
| Possible Obfuscated Mimikatz execution detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Tail command executed to get N number of bytes - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process accessed browser credentials - T1555.003 - Credentials from Web Browsers - macOS | Endpoint | macOS | Credential Access: T1555, T1555.003: Credentials from Password Stores, Credentials from Web Browsers |
| Powershell trying to disable Windows Defender Registry - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Powershell used MSXML COM object to make internet connection - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process accessed system config files - T1552.001 - Unsecured Credentials - Linux | Container | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Container process attempted to access SSH keys - T1552.004 - Private Keys - Linux | Container | Linux | Credential Access: T1552, T1552.004: Unsecured Credentials, Private Keys |
| Process modified Bashrc or Bash Profile file - T1546.004 - Unix Shell Configuration Modification - AIX | Container | AIX | Defense Evasion: T1480, T1480.001: Execution Guardrails, Environmental Keying Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| Powershell execution detected for Kerberos Authentication - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process stopping running services on the system - T1489 - Service Stop - Windows | Endpoint | Windows | Impact: T1489: Service Stop |
| Process created a New User - T1136 - Create Account - Linux | Container | Linux | Persistence: T1136: Create Account |
| Process attempted to encrypt monitored file (No file extension change) - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Impact: T1486: Data Encrypted for Impact |
| Process accessing credentials from windows credential manager - T1555.004 - Windows Credential Manager - Windows | Endpoint | Windows | Credential Access: T1555, T1555.004: Credentials from Password Stores, Windows Credential Manager |
| Tasklist.exe executed via CMD/Powershell - T1057 - Process Discovery - Windows | Endpoint | Windows | Discovery: T1007, T1057: System Service Discovery, Process Discovery |
| Netsh.exe execution detected with advfirewall command - T1562.004 - Disable or Modify System Firewall - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| TeamViewer execution Detected - T1219 - Remote Desktop - Windows | Endpoint | Windows | Command and Control: T1219: Remote Access Software |
| Magnify.exe execution detected - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| Process attempted to add root certificates - T1553.004 - Install Root Certificate - Linux | Endpoint | Linux | Defense Evasion: T1553, T1553.004: Subvert Trust Controls, Install Root Certificate |
| Dig utility launched to exfilterate data via DNS Protocol - T1048 - Exfiltration Over Alternative Protocol - Linux | Container | Linux | Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Process attempted to modify Uptycs Sensor configuration - T1562.001 - Disable or Modify Tools - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Powershell execution detected using encode or decode commands - T1132.001 - Standard Encoding - Windows | Endpoint | Windows | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| GTFOBIN_Awk_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| PowerShell execution detected for creating New User - T1136 - Create Account - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Persistence: T1136: Create Account |
| Curl utility executed to download file in tmp directory - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1573, T1573.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Encrypted Channel, Asymmetric Cryptography |
| PowerShell executed with Get-AdDecodedPassword - T1555 - Credentials from Password Stores - Windows | Endpoint | Windows | Credential Access: T1555: Credentials from Password Stores Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process dumped keychain file on to the disk - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| Ie4uinit.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| PowerShell executing code with hidden window flag - T1564.003 - Hidden Window - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.003: Hide Artifacts, Hidden Window |
| GTFOBIN_pico_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Unsigned Process dropped portable executable file - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Process attempting to download or execute files - T1106 - Native API - Windows | Endpoint | Windows | Execution: T1106: Native API |
| Scheduled process executed from hidden directory - T1564.001 - Hidden Files and Directories - AIX | Endpoint | AIX | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories Execution: T1053, T1053.003, T1053.005: Scheduled Task/Job, Cron, Scheduled Task |
| Ingress without TLS being created using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Launchctl utility execution to load plist from non standard library directory - T1569.001 - Launchctl - macOS | Endpoint | macOS | Execution: T1569, T1569.001: System Services, Launchctl |
| Process attempted to access cloud instance metadata API - T1552.005 - Cloud Instance Metadata API - macOS | Endpoint | macOS | Credential Access: T1552, T1552.005: Unsecured Credentials, Cloud Instance Metadata API |
| Process redirected output to public address (Reverse Shell) - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Request to Kubernetes cluster received from unknown user-agent - T1133 - External Remote Services - Kubernetes | Kuberenetes | Kubernetes | Persistence: T1133: External Remote Services |
| Container process trying to access or modify OS credentials - T1003.008 - Credential Access - Linux | Container | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087: Account Discovery |
| Remote Service Created - T1543.003 - Windows Service - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Suspicious process attempting to connect to GSuite web services - T1102 - Web Service - macOS | Endpoint | macOS | Command and Control: T1071, T1071.001, T1090, T1090.001, T1090.002, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Proxy, Internal Proxy, External Proxy, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Process Injection Detected on Endpoint - T1055.008 - Ptrace System Calls - macOS | Endpoint | macOS | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| New Service installed in the system - T1543.003 - Windows Service - Windows | Endpoint | Windows | Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Kubectl launched to execute commands inside container - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1059, T1059.004, T1609: Command and Scripting Interpreter, Unix Shell, Container Administration Command |
| Process trying to discover remote systems - T1018 - Remote System Discovery - Linux | Container | Linux | Discovery: T1018, T1016.001: Remote System Discovery, Internet Connection Discovery |
| New cluster role masquerading system role being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Process or Script executed from tmp directory - T1059 - Command and Scripting Interpreter - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Nscurl utility executed to download file - T1105 - Command And Control - macOS | Endpoint | macOS | Command and Control: T1071, T1071.001, T1105: Application Layer Protocol, Web Protocols, Ingress Tool Transfer |
| Container process updated SSH accounts - T1098.004 - SSH Authorized Keys - Linux | Container | Linux | Persistence: T1098, T1098.004: Account Manipulation, SSH Authorized Keys |
| Psexec.exe execution detected from monitored application - T1569.002 - Service Execution - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Execution: T1569, T1569.002: System Services, Service Execution Lateral Movement: T1021, T1021.002, T1570: Remote Services, SMB/Windows Admin Shares, Lateral Tool Transfer Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Suspicious execution of ioreg utility to identify the usb vendor name - T1120 - Peripheral Device Discovery - macOS | Endpoint | macOS | Discovery: T1082, T1120: System Information Discovery, Peripheral Device Discovery |
| GTFOBIN_Awk acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| GTFOBIN_socat_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Sdelete.exe execution detected to perform cleanup - T1070 - File Deletion - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.004: Indicator Removal on Host, File Deletion |
| Powershell using Get-CimInstance command for security software discovery - T1518.001 - Security Software Discovery - Windows | Endpoint | Windows | Discovery: T1518, T1518.001: Software Discovery, Security Software Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to enumerate aws credentials - T1552.001 - Credentials In Files - Linux | Container | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| NetScan execution detected - T1046 - Network Service Discovery - Windows | Endpoint | Windows | Discovery: T1046, T1135: Network Service Discovery, Network Share Discovery Reconnaissance: T1595: Active Scanning |
| PowerShell executing Invoke-EternalBlue script for exploiting SMB services - T1210 - Exploitation of Remote Services - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Lateral Movement: T1210: Exploitation of Remote Services |
| GTFOBIN_scp_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| X-based GUI connection made to remote system - T1219 - Remote Access Software - Linux | Container | Linux | Command and Control: T1219: Remote Access Software Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Likely remote system process dropped archive file - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.002, T1119, T1560: Data from Local System, Data Staged, Remote Data Staging, Automated Collection, Archive Collected Data |
| Process attempted to enumerate peripheral devices - T1120 - Peripheral Device Discovery - Linux | Container | Linux | Discovery: T1120: Peripheral Device Discovery |
| Rm utility executed with -rf to delete data - T1070.004 - File Deletion - macOS | Endpoint | macOS | Defense Evasion: T1070, T1070.004: Indicator Removal, File Deletion Impact: T1485: Data Destruction |
| Process attempting to bypass EDR with unhooking technique - TA0005 - Defense Evasion - Windows | Endpoint | Windows | Execution: T1106: Native API |
| Mshta attempting to connect webservice for code execution - T1218.005 - Mshta - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001: Application Layer Protocol, Web Protocols Defense Evasion: T1218, T1218.005: System Binary Proxy Execution, Mshta Execution: T1204, T1204.001, T1204.002: User Execution, Malicious Link, Malicious File |
| Touch utility executed to create plist file in LaunchDaemons - T1543.004 - Launch Daemon - macOS | Endpoint | macOS | Persistence: T1543, T1543.004: Create or Modify System Process, Launch Daemon |
| Process trying to launch privileged container - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Spctl utility launched to disable Gatekeeper - T1553.001 - Gatekeeper Bypass - macOS | Endpoint | macOS | Defense Evasion: T1553, T1553.001: Subvert Trust Controls, Gatekeeper Bypass |
| Web server process spawned utilities to get the network configuration - T1016 - System Network Configuration Discovery - Linux | Container | Linux | Discovery: T1016, T1046, T1049, T1082: System Network Configuration Discovery, Network Service Discovery, System Network Connections Discovery, System Information Discovery |
| GTFOBIN_wish_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Ldapsearch utility executed to query Active Directory - T1087.002 - Domain Account - AIX | Endpoint | AIX | Discovery: T1069, T1069.002, T1087, T1087.002, T1615: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account, Group Policy Discovery |
| Masscan utility is running inside container - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Process or script trying to encrypt/decrypt data - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Collection: T1560, T1074, T1560.001: Archive Collected Data, Data Staged, Archive via Utility Impact: T1486: Data Encrypted for Impact |
| PowerShell Send-Mail command execution detected - T1071.003 - Mail Protocols - Windows | Endpoint | Windows | Command and Control: T1071, T1071.003: Application Layer Protocol, Mail Protocols Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Collection: T1114: Email Collection |
| Dscl utility launched to list Domain Accounts - T1087.002 - Domain Account - macOS | Endpoint | macOS | Discovery: T1069, T1069.002, T1087, T1087.002: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account |
| Pod created inside kube-system namespace - T1036 - Masquerading - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1036, T1610: Masquerading, Deploy Container |
| Mqsvc.exe spawned suspicious process (CVE-2024-30080) - T1210 - Exploitation of Remote Services - Windows | Endpoint | Windows | Lateral Movement: T1210: Exploitation of Remote Services |
| MS office spawns suspicious process - TA0002 - Execution - Windows | Endpoint | Windows | |
| Drive-By Download Attack Detected on Endpoint (Malicious File) - T1189 - Drive-by Compromise - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File Initial Access: T1189: Drive-by Compromise |
| GTFOBIN_ruby_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Compromised Account Access Detected on Endpoint - T1078 - Valid Accounts - macOS | Endpoint | macOS | Defense Evasion: T1078: Valid Accounts |
| Process communicating through ICMP protocol - T1095 - Non-Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1095: Non-Application Layer Protocol Defense Evasion: T1205: Traffic Signaling |
| Scutil utility executed - T1016 - System Network Configuration Discovery - macOS | Endpoint | macOS | Discovery: T1016, T1049: System Network Configuration Discovery, System Network Connections Discovery |
| GTFOBIN_gem_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| PowerShell accessing Group Policy Preferences(GPP) Passwords - T1552.006 - Group Policy Preferences - Windows | Endpoint | Windows | Credential Access: T1552, T1552.001, T1552.006: Unsecured Credentials, Credentials In Files, Group Policy Preferences Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process dropped archive file in AppData folder - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data |
| Sethc.exe execution detected - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| Crond running inside container - T1053.003 - Cron - Linux | Container | Linux | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Hdiutil utility executed to get mounted disk image information - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| Process attempting to modify registry key - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Execution: T1106: Native API |
| Xcopy.exe execution detected for coping data - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| GTFOBIN_less_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to make HTTPS connection on non-standard port - T1571 - Non-Standard Port - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1571: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Non-Standard Port |
| Process modified firewall rules - T1562.004 - Disable or Modify System Firewall - Linux | Container | Linux | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Web server dropped portable executable file - TA0002 - Execution - Windows | Endpoint | Windows | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to access microphone for audio capture - T1123 - Audio Capture - macOS | Endpoint | macOS | Collection: T1123: Audio Capture |
| Unsigned Process attempted to access System Keychain - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| Pkexec utility launched to execute command in privilege - T1548.004 - Elevated Execution with Prompt - Linux | Container | Linux | Privilege Escalation: T1548, T1548.004: Abuse Elevation Control Mechanism, Elevated Execution with Prompt |
| Process attempting to get system information - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1082: System Information Discovery Execution: T1106: Native API |
| Credential Stealer Detected & Blocked on Endpoint - T1003 - OS Credential Dumping - Linux | Container | Linux | Credential Access: T1003, T1552, T1555, T1555.003: OS Credential Dumping, Unsecured Credentials, Credentials from Password Stores, Credentials from Web Browsers |
| Process attempted to access Keychain - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| Crystal script attempted to spawn reverse shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempting to delete logs from system - T1070.002 - Clear Linux System Logs - AIX | Endpoint | AIX | Defense Evasion: T1070, T1070.002: Indicator Removal, Clear Linux or Mac System Logs |
| Process Injection Detected & Blocked on Endpoint - T1055.008 - Ptrace System Calls - Linux | Container | Linux | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| FTP dropped executable files in monitored directories - T1204 - User Execution - Linux | Container | Linux | Command and Control: T1071, T1071.002: Application Layer Protocol, File Transfer Protocols Execution: T1204, T1204.002: User Execution, Malicious File Lateral Movement: T1021, T1570: Remote Services, Lateral Tool Transfer |
| Dllhost.exe execution detected - T1546.015 - Component Object Model Hijacking - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.015: Event Triggered Execution, Component Object Model Hijacking |
| Process may potentially have encrypted monitored file extension - T1486 - Data Encrypted for Impact - Windows | Endpoint | Windows | Impact: T1486: Data Encrypted for Impact |
| Remote process dropped script file in monitored directories - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Execution: T1059: Command and Scripting Interpreter Lateral Movement: T1021, T1021.004, T1570: Remote Services, SSH, Lateral Tool Transfer |
| Dnscmd.exe execution detected - T1569.002 - Service Execution - Windows | Endpoint | Windows | Execution: T1569, T1569.002: System Services, Service Execution |
| Beta_Container process attempted to install suspicious package - T1546.016 - Installer Packages - Linux | Container | Linux | Privilege Escalation: T1546, T1546.016: Event Triggered Execution, Installer Packages |
| WScript.exe execution detected - T1059.005 - Visual Basic - Windows | Endpoint | Windows | Execution: T1059, T1059.005: Command and Scripting Interpreter, Visual Basic Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Process trying to dump LSASS memory - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory Execution: T1106: Native API |
| Process enabled SUID/SGID bit on file - T1548.001 - Setuid and Setgid - Linux | Container | Linux | Privilege Escalation: T1548, T1548.001: Abuse Elevation Control Mechanism, Setuid and Setgid |
| Process or script running from /dev/shm directory - T1564 - Hide Artifacts - Linux | Container | Linux | Defense Evasion: T1564: Hide Artifacts |
| Process created plist file in LaunchDaemons using osascript - T1543.004 - Launch Daemon - macOS | Endpoint | macOS | Persistence: T1543, T1543.004: Create or Modify System Process, Launch Daemon |
| New cluster role being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| GTFOBIN_xargs_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| MS office loaded VBE dll to execute macro - T1204 - User Execution - Windows | Endpoint | Windows | Execution: T1204: User Execution |
| At.exe execution detected - T1053.002 - At (Windows) - Windows | Endpoint | Windows | Execution: T1053, T1053.002: Scheduled Task/Job, At |
| Net.exe executed to get System Time - T1124 - System Time Discovery - Windows | Endpoint | Windows | Discovery: T1124, T1614: System Time Discovery, System Location Discovery |
| Process initiating VNC connection - T1021.005 - VNC - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.005: Remote Services, VNC |
| Multiple failed login attempts detected - T1110 - Brute Force - Windows | Endpoint | Windows | Credential Access: T1110, T1110.001, T1110.002, T1110.003: Brute Force, Password Guessing, Password Cracking, Password Spraying |
| Container process modified /etc/ld.so.preload - T1574.006 - Dynamic Linker Hijacking - Linux | Container | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Container making unexpected connection to IRC port - T1219 - Remote Access Software - Linux | Container | Linux | Command and Control: T1102, T1102.002, T1219: Web Service, Bidirectional Communication, Remote Access Software |
| Process using who or users utility to get users information - T1033 - System Owner/User Discovery - Linux | Container | Linux | Discovery: T1033, T1087: System Owner/User Discovery, Account Discovery |
| Process attempting to masquerade file name - T1036.002 - Right-to-Left Override - Windows | Endpoint | Windows | Defense Evasion: T1036, T1036.002: Masquerading, Right-to-Left Override |
| Suspicious use of osacompile to compile apple script - T1027.004 - Compile After Delivery - macOS | Endpoint | macOS | Defense Evasion: T1027, T1027.004: Obfuscated Files or Information, Compile After Delivery |
| Process made network connection on encrypted channel ports - T1573 - Encrypted Channel - Windows | Endpoint | Windows | Command and Control: T1573: Encrypted Channel |
| Wevtutil.exe execution detected to clear logs - T1070.001 - Clear Windows Event Logs - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.001: Indicator Removal on Host, Clear Windows Event Logs |
| Web server process modified OS credentials - T1003.008 - /etc/passwd and /etc/shadow - AIX | Endpoint | AIX | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Runonce.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Tar utility launched on hidden tmp directory - T1560.001 - Archive via Utility - macOS | Endpoint | macOS | Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility |
| Container process attempted to modify kernel core dumps configuration - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| Process encrypting data using Asymmetric Cryptography - T1573.002 - Asymmetric Cryptography - Windows | Endpoint | Windows | Command and Control: T1573, T1573.002: Encrypted Channel, Asymmetric Cryptography Execution: T1106: Native API Impact: T1486: Data Encrypted for Impact |
| File Transfer utility downloaded executable file - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| GTFOBIN_tclsh_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Suspicious Perl process attempting to spawn reverse shell - T1059 - Command and Scripting Interpreter - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Docker client copying docker-cache inside remote container - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1609: Container Administration Command Defense Evasion: T1564.006: Run Virtual Instance |
| Pod created with Over-Privileged capabilities enabled via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| GTFOBIN_tclsh_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to masquerade file name - T1036.002 - Right-to-Left Override - Linux | Container | Linux | Defense Evasion: T1036, T1036.002: Masquerading, Right-to-Left Override |
| Curl.exe execution via monitored application detected - T1071 - Standard Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1071: Application Layer Protocol |
| VboxHeadless.exe execution detected to run vm instance as headless - T1564.006 - Run Virtual Instance - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.006: Hide Artifacts, Run Virtual Instance |
| GTFOBIN_stdbuf_spawning local shell - T1059.004 Execution for AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| New pods being created using external request in kubernetes cluster - T1610 - Execution Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Dsconfigad utility used show AD configuration - T1087.002 - Domain Account - macOS | Endpoint | macOS | Discovery: T1087, T1087.002: Account Discovery, Domain Account |
| GTFOBIN_rlwrap_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to change desktop background - T1491.001 - Internal Defacement - Windows | Endpoint | Windows | Impact: T1491, T1491.001: Defacement, Internal Defacement |
| GTFOBIN_nmap acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Utilman.exe execution detected - T1015 - Accessibility Features - Windows | Endpoint | Windows | |
| Process trying to access bash history - T1552.003 - Bash History - macOS | Endpoint | macOS | Credential Access: T1552, T1552.003: Unsecured Credentials, Bash History |
| Presentationhost.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Local shell connected to remote host (Possible Reverse Shell) - T1059.004 - Unix Shell - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Touch utility executed to create hidden file inside Library directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Process using shutdown utility to shutdown/reboot the system - T1529 - System Shutdown/Reboot - Linux | Container | Linux | Impact: T1529: System Shutdown/Reboot |
| Process attempted to stage data for exfiltration - T1074 - Data Staged - Linux | Container | Linux | Collection: T1074: Data Staged |
| Outbound Windows Remote Desktop connection detected - T1021.001 - Remote Desktop Protocol - AIX | Endpoint | AIX | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Process attempted to access microphone - T1123 - Audio Capture - Windows | Endpoint | Windows | Collection: T1123: Audio Capture |
| Finger protocol used to get user information over network - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1021: Remote Services |
| Powershell execution detected to Deobfuscate/Decode Files - T1140 - Deobfuscate/Decode Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Net.exe execution detected for permission group discovery - T1069 - Permission Group Discovery - Windows | Endpoint | Windows | Discovery: T1018, T1069, T1069.001, T1069.002: Remote System Discovery, Permission Groups Discovery, Local Groups, Domain Groups |
| Process created or modified Systemd Service - T1543.002 - Systemd Service - Linux | Endpoint | Linux | Execution: T1053, T1569: Scheduled Task/Job, System Services Persistence: T1037, T1543, T1543.002: Boot or Logon Initialization Scripts, Create or Modify System Process, Systemd Service |
| Powershell executed Invoke-WCMDump script - T1555.004 - Windows Credential Manager - Windows | Endpoint | Windows | Credential Access: T1555, T1555.004: Credentials from Password Stores, Windows Credential Manager Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process modifying backgroundtaskmanagement files - T1547 - Boot or Logon Autostart Execution - macOS | Endpoint | macOS | Persistence: T1547: Boot or Logon Autostart Execution |
| Msdt.exe execution detected for calling .DIAG files - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Exploitation for Privilege Escalation Detected & Blocked on Endpoint - T1068 - Exploitation for Privilege Escalation - macOS | Endpoint | macOS | Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Docker client running inside container - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1609: Container Administration Command |
| Process modified bash profile - T1546.004 - Unix Shell Configuration Modification - Linux | Container | Linux | Defense Evasion: T1480, T1480.001: Execution Guardrails, Environmental Keying Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| Process attempted to deploy container - T1610 - Deploy Container - Linux | Endpoint | Linux | Defense Evasion: T1610: Deploy Container |
| Tttracer.exe execution detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Process attempted to perform network scanning - T1595 - Active Scanning - macOS | Endpoint | macOS | Reconnaissance: T1595, T1595.001, T1595.002: Active Scanning, Scanning IP Blocks, Vulnerability Scanning |
| Process Running From AppData directory - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process modified SSH Authorised Keys file - T1098.004 - SSH Authorized Keys - macOS | Endpoint | macOS | Persistence: T1098, T1098.004: Account Manipulation, SSH Authorized Keys |
| PowerShell executing PowerUpSQL script for discovery - TA0007 - Discovery - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Kd.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to enumerate ssh keys - T1552.004 - Private Keys - Linux | Container | Linux | Credential Access: T1552, T1552.004: Unsecured Credentials, Private Keys Discovery: T1018: Remote System Discovery |
| GTFOBIN_vi_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process loading Vbe dll to execute macro or VBS code - T1204 - User Execution - Windows | Endpoint | Windows | Execution: T1204: User Execution |
| Container vulnerability scanner utility is running inside container - T1595.002 - Vulnerability Scanning - Linux | Container | Linux | Reconnaissance: T1595, T1595.002: Active Scanning, Vulnerability Scanning |
| Sftp transferring files - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| DefaultPack.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process disabled or stopped services with sudo privileges - T1489 - Service Stop - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools Impact: T1489: Service Stop |
| Process attempting to connect to HTTP proxy - T1090 - Command and Control - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1090, T1090.001, T1090.002, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Proxy, Internal Proxy, External Proxy, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1020, T1020.001, T1048: Automated Exfiltration, Traffic Duplication, Exfiltration Over Alternative Protocol |
| Process attempted to encrypt monitored file using File I/O operations - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Impact: T1486: Data Encrypted for Impact |
| Detected suspicious connection to remote machine using openssl - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Kubectl utility launched to delete kubernetes cluster events - T1070 - Indicator Removal - Linux | Container | Linux | Defense Evasion: T1027, T1027.005, T1070: Obfuscated Files or Information, Indicator Removal from Tools, Indicator Removal on Host |
| Credential Dumping with NPPSpy detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Cluster role with wildcard verbs being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Curl dropped executable files in monitored directories in Container - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer |
| Process modified PAM configuration - T1556.003 - Pluggable Authentication Modules - Linux | Endpoint | Linux | Credential Access: T1556, T1556.003: Modify Authentication Process, Pluggable Authentication Modules |
| Process escalated privilege to system privilege - TA0004 - Privilege Escalation - Windows | Endpoint | Windows | Privilege Escalation: T1068, T1548, T1548.002: Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Bypass User Account Control |
| Monitored application attempted to download file from internet - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Execution: T1106: Native API |
| Diskutil executed to erase data from the disk - T1561 - Disk Wipe - macOS | Endpoint | macOS | Impact: T1561, T1561.001, T1561.002: Disk Wipe, Disk Content Wipe, Disk Structure Wipe |
| GTFOBIN_ruby_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to load suspicious kernel module - T1547.006 - Kernel Modules and Extensions - Linux | Container | Linux | Persistence: T1547, T1547.006: Boot or Logon Autostart Execution, Kernel Modules and Extensions |
| Cgroup mounted inside container for possible breakout - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| Rclone execution detected for exfiltration - T1020 - Automated Exfiltration - Linux | Container | Linux | Exfiltration: T1020, T1029, T1041, T1048: Automated Exfiltration, Scheduled Transfer, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol |
| Process running with high integrity level from monitored applications - TA0004 - Privilege Escalation - Windows | Endpoint | Windows | Privilege Escalation: T1068, T1548, T1548.002: Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Bypass User Account Control |
| Rundll32.exe executing js/vbs code - T1218.011 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.011: System Binary Proxy Execution, Rundll32 |
| Curl attempting download inside remote kubelet node - T1609 - Container Administration Command - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1609: Container Administration Command Lateral Movement: T1570: Lateral Tool Transfer Defense Evasion: T1564.006: Run Virtual Instance |
| Process executed by User - T1204 - User Execution - Linux | Container | Linux | Execution: T1204: User Execution |
| Scripting process launched remote admin utilities - T1219 - Remote Access Software - macOS | Endpoint | macOS | Command and Control: T1219: Remote Access Software Execution: T1059: Command and Scripting Interpreter |
| Whois utility launched to exfiltrate data - T1041 - Exfiltration Over C2 Channel - Linux | Container | Linux | Exfiltration: T1041, T1048: Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol |
| Process created or modified RC scripts - T1037.004 - RC Scripts - Linux | Endpoint | Linux | Execution: T1569: System Services Persistence: T1037, T1037.004: Boot or Logon Initialization Scripts, RC Scripts |
| Process trying to access SMB share - T1021.002 - SMB/Windows Admin Shares - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1021, T1021.002, T1570: Remote Services, SMB/Windows Admin Shares, Lateral Tool Transfer |
| At utility running inside container - T1053.001 - Scheduled Task/Job: At - Linux | Container | Linux | Execution: T1053, T1053.002, T1053.005: Scheduled Task/Job, At, Scheduled Task |
| Namespace being deleted using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Malware Detected & Blocked on Endpoint - T1204.002 - Malicious File - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File |
| Ransomware Detected on Endpoint - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Impact: T1486: Data Encrypted for Impact |
| Process connecting to VNC server - T1021 - VNC - Linux | Container | Linux | Lateral Movement: T1021, T1021.005: Remote Services, VNC |
| Malware Detected & Blocked on Endpoint - T1204.002 - Malicious File - macOS | Endpoint | macOS | Execution: T1204, T1204.002: User Execution, Malicious File |
| JDBC enabled Java process running inside container - T1210 - Exploitation of Remote Services - Linux | Container | Linux | Lateral Movement: T1210: Exploitation of Remote Services |
| Process attempted to exfilterate data to DNS resolver - T1583.002 - DNS Server - AIX | Endpoint | AIX | Resource Development: T1583, T1583.002, T1584, T1584.002: Acquire Infrastructure, DNS Server, Compromise Infrastructure, DNS Server |
| Container initialised with SELinux disabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1562, T1562.001, T1610: Impair Defenses, Disable or Modify Tools, Deploy Container |
| Process attempted to access SSH keys - T1552.004 - Private Keys - Linux | Endpoint | Linux | Credential Access: T1552, T1552.004: Unsecured Credentials, Private Keys |
| Ieexec.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| GTFOBIN_socat_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Mstsc.exe execution detected - T1021.001 - Remote Desktop Protocol - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Process or script trying to disable or uninstall Security Tools - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Suspicious process trying to access or modify mailbox data - T1070.008 - Clear Mailbox Data - Linux | Container | Linux | Defense Evasion: T1070, T1070.008: Indicator Removal on Host, Clear Mailbox Data |
| Privileged pods being created using external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process or script trying to alter firewall configuration - T1562.004 - Disable or Modify System Firewall - AIX | Endpoint | AIX | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Services.exe execution detected for executing remote service - T1569.002 - Service Execution - Windows | Endpoint | Windows | Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Process spawned by browser - T1189 - Drive-by Compromise - Linux | Endpoint | Linux | Initial Access: T1189: Drive-by Compromise |
| Kcc utility launched to access or dump Kerberos Tickets - T1558 - Steal or Forge Kerberos Tickets - macOS | Endpoint | macOS | Credential Access: T1558: Steal or Forge Kerberos Tickets |
| Pscp.exe execution detected from cmd.exe - T1021.004 - SSH - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Container making unexpected outbound connection to login to remote host - T1021 - Remote Services - Linux | Container | Linux | Lateral Movement: T1021: Remote Services |
| Container initialized with host mount - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Zgrab utility is running inside container - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| GTFOBIN_byebug_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process dropped archive file on monitored locations - T1560 - Archive Collected Data - AIX | Endpoint | AIX | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.002: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Library |
| RAID utility executed inside container - T1562 - Impair Defense - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| GTFOBIN_find_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process accessed Kubernetes credentials or configuration - T1552.001 - Credentials In Files - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Patchelf utility being used to patch ELF files - T1574 - Hijack Execution Flow - Linux | Endpoint | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| GTFOBIN_service_utility_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Suspicious process attempted to access Jenkins credential files - T1003 - OS Credential Dumping - AIX | Endpoint | AIX | Credential Access: T1003, T1555: OS Credential Dumping, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Schtasks.exe executed to create new scheduled task - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Mavinject.exe execution detected - T1055 - Process Injection - Windows | Endpoint | Windows | Defense Evasion: T1055: Process Injection |
| Makecab.exe execution detected - T1564.004 - NTFS File Attributes - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.004: Hide Artifacts, NTFS File Attributes |
| Register-CimProvider.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to masquerade System Binary - T1036 - Masquerading - AIX | Endpoint | AIX | Defense Evasion: T1036, T1036.003: Masquerading, Rename System Utilities |
| Process attempted to enumerate software installed - T1518 - Software Discovery - Windows | Endpoint | Windows | Discovery: T1518, T1518.001: Software Discovery, Security Software Discovery |
| Detected use of wget to download file from internet - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| Bash.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Sharp View execution detected - TA0007 - Discovery - Windows | Endpoint | Windows | |
| GTFOBIN_gtester_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Auditpol.exe execution detected for disabling windows logging - T1562.002 - Disable Windows Event Logging - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.002: Impair Defenses, Disable Windows Event Logging |
| Process modified Kernel Extensions - T1547.006 - Kernel Modules and Extensions - macOS | Endpoint | macOS | Defense Evasion: T1014: Rootkit Persistence: T1547, T1547.006: Boot or Logon Autostart Execution, Kernel Modules and Extensions |
| Vssadmin.exe execution detected for create volume shadow copies - T1003.003 - NTDS - Windows | Endpoint | Windows | Credential Access: T1003, T1003.003: OS Credential Dumping, NTDS Impact: T1490: Inhibit System Recovery |
| SSH Multiplexing detected - T1563.001 - SSH Hijacking - Linux | Container | Linux | Lateral Movement: T1563, T1563.001: Remote Service Session Hijacking, SSH Hijacking |
| Gpscript.exe execution detected - T1216 - Signed Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| Process attempted to compile an executable - T1027.004 - Compile After Delivery - Linux | Container | Linux | Defense Evasion: T1027, T1027.004: Obfuscated Files or Information, Compile After Delivery |
| Process modified ownership of credential files - T1003.008 - OS Credential Dumping - Linux | Endpoint | Linux | Credential Access: T1003, T1003.008, T1552, T1555: OS Credential Dumping, /etc/passwd and /etc/shadow, Unsecured Credentials, Credentials from Password Stores Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| AWS utility launched to get AWS lamba information - T1613 - Container and Resource Discovery - macOS | Endpoint | macOS | Discovery: T1082, T1613: System Information Discovery, Container and Resource Discovery |
| Chrome execution detected with remote debugging - T1059 - Execution - Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to exfiltrate files using web services - T1567 - Exfiltration Over Web Service - Windows | Endpoint | Windows | Collection: T1213: Data from Information Repositories Command and Control: T1071, T1071.001, T1102, T1102.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication Exfiltration: T1041, T1048, T1537, T1567, T1567.002: Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Transfer Data to Cloud Account, Exfiltration Over Web Service, Exfiltration to Cloud Storage Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process dropped a pcap file - T1040 - Network Sniffing - Windows | Endpoint | Windows | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| System users taking interactive shell in container - T1078.001 - Default Accounts - Linux | Container | Linux | Defense Evasion: T1078, T1078.001: Valid Accounts, Default Accounts Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Package manager is running inside container - T1072 - Execution - Linux | Container | Linux | Execution: T1072: Software Deployment Tools |
| Useradd utility launched to create user account - T1136 - Create Account - AIX | Endpoint | AIX | Persistence: T1136: Create Account |
| New service with load balancer being created using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| GTFOBIN_nroff_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Scripting process launched pbpaste/pbcopy utility - T1115 - Clipboard Data - macOS | Endpoint | macOS | Collection: T1115: Clipboard Data |
| Trap utility used to execute code - T1546.005 - Trap - macOS | Endpoint | macOS | Privilege Escalation: T1546, T1546.005: Event Triggered Execution, Trap |
| Process attempted to access FUSE device - T1564.005 - Hidden File System - Linux | Container | Linux | Defense Evasion: T1564, T1564.005: Hide Artifacts, Hidden File System |
| Credential Stealer Detected on Endpoint - T1003 - OS Credential Dumping - Linux | Container | Linux | Credential Access: T1003, T1552, T1555, T1555.003: OS Credential Dumping, Unsecured Credentials, Credentials from Password Stores, Credentials from Web Browsers |
| Wuauclt.exe execution detected - T1218.011 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.011: System Binary Proxy Execution, Rundll32 |
| Database server attempted to get users information in container - T1033 - System Owner/User Discovery - Linux | Container | Linux | Discovery: T1033: System Owner/User Discovery |
| Password guessing detected - T1110.001 - Password Guessing - AIX | Endpoint | AIX | Credential Access: T1110, T1110.001, T1110.003: Brute Force, Password Guessing, Password Spraying |
| Privileged Container Initialized - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| GTFOBIN_nmap_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| IP Scan Attack Detected & Blocked on Endpoint - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Discovery: T1046: Network Service Discovery Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Choice.exe execution detected - T1059.003 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.003: Command and Scripting Interpreter, Windows Command Shell |
| Powershell execution detected with Test-NetConnection flag - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Web server process spawned utilities to get the network configuration - T1016 - System Network Configuration Discovery - AIX | Endpoint | AIX | Discovery: T1016, T1046, T1049, T1082: System Network Configuration Discovery, Network Service Discovery, System Network Connections Discovery, System Information Discovery |
| Powershell execution detected for Potential Reverse Shell connection - T1059.003 - Windows Command Shell - Windows | Endpoint | Windows | Command and Control: T1132, T1132.002: Data Encoding, Non-Standard Encoding Execution: T1059, T1059.001, T1059.003: Command and Scripting Interpreter, PowerShell, Windows Command Shell |
| Nohup executed to launch process immuned to hangups - T1564.011 - Ignore Process Interrupts - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.011: Hide Artifacts, Ignore Process Interrupts Execution: T1059.004: Unix Shell |
| MS office process spawns EQNEDT32.exe - T1203 - Exploitation for Client Execution - Windows | Endpoint | Windows | Execution: T1203: Exploitation for Client Execution |
| Reg.exe execution detected for UAC bypass - T1548.002 - Bypass User Access Control - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Touch utility launched to change the access time of file - T1070.006 - Timestomp - AIX | Endpoint | AIX | Defense Evasion: T1070, T1070.006: Indicator Removal on Host, Timestomp |
| 7zip.exe execution detected - T1560.001 - Archive via Utility - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.001: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Utility |
| Suspicious use of port scanning utilities - T1046 - Network Service Discovery - macOS | Endpoint | macOS | Discovery: T1046: Network Service Discovery |
| Process attempted to connect with X11 server - T1559 - Inter-Process Communication - Linux | Container | Linux | Discovery: T1010: Application Window Discovery Execution: T1559: Inter-Process Communication |
| Process modified permissions of credential files - T1003.008 - OS Credential Dumping - Linux | Endpoint | Linux | Credential Access: T1003, T1003.008, T1552, T1555: OS Credential Dumping, /etc/passwd and /etc/shadow, Unsecured Credentials, Credentials from Password Stores Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Process attempted reverse shell connection via pipes - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Kubectl utility launched to access kubernetes secrets - T1552 - Unsecured Credentials - AIX | Endpoint | AIX | Credential Access: T1552: Unsecured Credentials |
| New role binding being created using external request in kubernetes cluster - T1078 - Persistence Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Process launched inside privileged container - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Ephemeral container being created using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Pods created with host IPC enabled via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process attempted to access shadow file - T1003.008 - /etc/passwd and /etc/shadow - Linux | Endpoint | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow |
| Process accessed web application cookies - T1539 - Steal Web Session Cookie - Linux | Endpoint | Linux | Credential Access: T1539, T1555, T1555.003: Steal Web Session Cookie, Credentials from Password Stores, Credentials from Web Browsers |
| Process attempting to enumerate user accounts - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery Execution: T1106: Native API |
| Process attempted to alter linux security modules - T1562.001 - Disable or Modify Tools - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Browser spawned monitored applications - T1189 - Drive by Compromise - Windows | Endpoint | Windows | Initial Access: T1189: Drive-by Compromise |
| Database utility executed - T1505.001 - SQL Stored Procedures - Linux | Container | Linux | Persistence: T1505, T1505.001: Server Software Component, SQL Stored Procedures |
| Container process dropped file in monitored directories - T1036 - Match Legitimate Name or Location - Linux | Container | Linux | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location |
| Powershell executing powershell(.ps1) script - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Database server using who or users utility to get users information - T1033 - System Owner/User Discovery - AIX | Endpoint | AIX | Discovery: T1033: System Owner/User Discovery |
| Monitored utility sent output to shell via pipe (Potential Reverse Shell) - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_gcc_spawning local shell - T1059.004 - UNIX Shel - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to create guest user account - T1078.001 - Default Accounts - macOS | Endpoint | macOS | Defense Evasion: T1078, T1078.001: Valid Accounts, Default Accounts |
| Process attempted to dump password or settings - T1555 - Credentials from Password Stores - macOS | Endpoint | macOS | Credential Access: T1555: Credentials from Password Stores |
| Process accessed browser bookmarks file - T1217 - Browser Information Discovery - macOS | Endpoint | macOS | Discovery: T1217: Browser Bookmark Discovery |
| Dbghost.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Powershell execution detected for Active directory query - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting |
| Database server process created or modified RC scripts - T1037.004 - RC Scripts - Linux | Container | Linux | Persistence: T1037, T1037.004, T1505: Boot or Logon Initialization Scripts, RC Scripts, Server Software Component |
| Process attempted to access .ssh file - T1552.004 - Private Keys - macOS | Endpoint | macOS | Credential Access: T1552, T1552.004: Unsecured Credentials, Private Keys |
| Registry Startups entry modification/addition Detected from monitored application - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Perl base64 Module launched to decode or encode data - T1132.001 - Standard Encoding - AIX | Endpoint | AIX | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Execution: T1059: Command and Scripting Interpreter |
| PowerShell loaded profile to maintain persistence on system - T1546.013 - PowerShell Profile - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Privilege Escalation: T1546, T1546.013: Event Triggered Execution, PowerShell Profile |
| Netsh.exe execution detected to disable or modify system firewall - T1562.004 - Disable or Modify System Firewall - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Host process created hidden files or directories - T1564.001 - Hidden Files and Directories - Linux | Endpoint | Linux | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| WDigest Downgrade attack detected - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Unsigned Process dropped portable executable file in startup folders - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Server Application Exploitation Detected on Endpoint - T1505 - Server Software Component - macOS | Endpoint | macOS | Credential Access: T1212: Exploitation for Credential Access Defense Evasion: T1211: Exploitation for Defense Evasion Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| GTFOBIN_rsync_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Kerberoast authentication with WMI detected - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Ldap utility launched to create domain user account - T1136.002 - Domain Account - AIX | Endpoint | AIX | Persistence: T1136, T1136.002: Create Account, Domain Account |
| Web server process created or modified Systemd Service - T1543.002 - Systemd Service - Linux | Container | Linux | Persistence: T1543, T1543.002: Create or Modify System Process, Systemd Service |
| Process communicating through FTP protocol - T1071.002 - File Transfer Protocols - Linux | Container | Linux | Command and Control: T1071, T1071.002, T1105: Application Layer Protocol, File Transfer Protocols, Ingress Tool Transfer Exfiltration: T1020, T1048: Automated Exfiltration, Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Container process attempted to drift image (new file execution) - T1222.002 - Linux and Mac File and Directory Permissions Modification - Linux | Container | Linux | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Putty.exe execution detected from cmd.exe - T1021.004 - SSH - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Reg.exe execution detected for dumping LSA secrets - T1003.004 - LSA Secrets - Windows | Endpoint | Windows | Credential Access: T1003, T1003.004: OS Credential Dumping, LSA Secrets |
| Winlogon userinit key logon persistence - T1547.004 - Winlogon Helper DLL - Windows | Endpoint | Windows | Persistence: T1547, T1547.004: Boot or Logon Autostart Execution, Winlogon Helper DLL |
| Web server launched utility to enumerate network connections - T1049 - System Network Connections Discovery - Linux | Container | Linux | Discovery: T1016, T1049, T1082: System Network Configuration Discovery, System Network Connections Discovery, System Information Discovery |
| PowerShell execution with obfuscated commands - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027: Obfuscated Files or Information |
| Possible HTML Smuggling execution detected - T1027.006 - HTML Smuggling - Windows | Endpoint | Windows | Defense Evasion: T1027, T1027.006: Obfuscated Files or Information, HTML Smuggling Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility |
| Powershell executed Invoke-Start-Hollow script for Process Hollowing - T1055.012 - Process Hollowing - Windows | Endpoint | Windows | Defense Evasion: T1055, T1055.012: Process Injection, Process Hollowing |
| Process modified ld.so configuration or cache - T1574.008 - Path Interception by Search Order Hijacking - Linux | Endpoint | Linux | Persistence: T1574, T1574.006, T1574.008: Hijack Execution Flow, Dynamic Linker Hijacking, Path Interception by Search Order Hijacking |
| Process Running From Windows temp directory - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process attempted to read/write data from remote process - T1055 - Process Injection - Linux | Container | Linux | Defense Evasion: T1055, T1055.008, T1205: Process Injection, Ptrace System Calls, Traffic Signaling |
| Process loaded msr driver inside kernel - T1588.002 - Tool - Linux | Container | Linux | Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Process execution detected for DLL side loading - T1574.002 - DLL Side-Loading - Windows | Endpoint | Windows | Persistence: T1574, T1574.002: Hijack Execution Flow, DLL Side-Loading |
| Process modifying Apache web server configuration - T1584.006 - Web Services - Linux | Container | Linux | Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Database server spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Unsigned process attempted to access microphone for audio capture - T1123 - Audio Capture - macOS | Endpoint | macOS | Collection: T1123: Audio Capture |
| Outbound Windows Remote Desktop connection detected - T1021.001 - Remote Desktop Protocol - Linux | Container | Linux | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Likely remote system process dropped portable executable file - T1570 - Lateral Movement - Windows | Endpoint | Windows | Lateral Movement: T1570: Lateral Tool Transfer |
| Shortcut Modification - T1547.009 - Shortcut Modification - Windows | Endpoint | Windows | Persistence: T1547, T1547.009: Boot or Logon Autostart Execution, Shortcut Modification |
| Msdeploy.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Base64 utility launched to decode data from tmp directory - T1132.001 - Standard Encoding - AIX | Endpoint | AIX | Command and Control: T1001, T1132, T1132.001: Data Obfuscation, Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Adfind execution detected for domain account discovery - T1087.002 - Domain Account - Windows | Endpoint | Windows | Discovery: T1087, T1087.002: Account Discovery, Domain Account Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Powershell execution detected to archive files - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.001, T1560.002, T1560.003: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Utility, Archive via Library, Archive via Custom Method Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Possible script based reverse shell executed with root privileges - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process modified sudo configuration - T1548.003 - Sudo and Sudo Caching - Linux | Endpoint | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process attempting to perform screen/video capture - T1113 - Screen Capture - macOS | Endpoint | macOS | Collection: T1113, T1125: Screen Capture, Video Capture |
| PowerShell executing Invoke-HostRecon script for host discovery - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Inbound RDP connection detected - T1021.001 - Remote Desktop Protocol - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Mimikatz Golden Ticket attack detected - T1558.001 - Golden Ticket - Windows | Endpoint | Windows | Credential Access: T1558, T1558.001: Steal or Forge Kerberos Tickets, Golden Ticket Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Robocopy.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| PowerShell child process made network connection - T1071 - Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1071: Application Layer Protocol |
| Process loading scrobj.dll for script execution - T1559.001 - Component Object Model - Windows | Endpoint | Windows | Execution: T1559, T1559.001: Inter-Process Communication, Component Object Model |
| PowerShell using GetTypeFromCLSID command - T1559.001 - Component Object Model - Windows | Endpoint | Windows | Execution: T1559, T1559.001: Inter-Process Communication, Component Object Model |
| Web server process attempted to access process memory/memory map - T1003.007 - Proc Filesystem - Linux | Container | Linux | Credential Access: T1003, T1003.007: OS Credential Dumping, Proc Filesystem |
| Web Shell attack Detected on Endpoint - T1505.003 - Web Shell - macOS | Endpoint | macOS | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Credential Stealer Detected & Blocked on Endpoint - T1003 - OS Credential Dumping - macOS | Endpoint | macOS | Credential Access: T1003, T1552, T1555, T1555.003: OS Credential Dumping, Unsecured Credentials, Credentials from Password Stores, Credentials from Web Browsers |
| Process downloaded executable from internet - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer Execution: T1204, T1204.001, T1204.002, T1204.003: User Execution, Malicious Link, Malicious File, Malicious Image Exfiltration: T1041: Exfiltration Over C2 Channel |
| Container accepting unexpected inbound connection - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Likely remote system process dropped script file - T1570 - Lateral Movement - Windows | Endpoint | Windows | Lateral Movement: T1570: Lateral Tool Transfer |
| Process access AWS security credentials - T1552.005 - Credential Access - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer Credential Access: T1552, T1552.005: Unsecured Credentials, Cloud Instance Metadata API Execution: T1204, T1204.001: User Execution, Malicious Link Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| PowerShell using custom user agent - T1071 - Standard Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1071: Application Layer Protocol |
| Process trying to access startup folders - T1547.001 - Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Cp utility launched to create plist file in LaunchDaemons - T1543.004 - Launch Daemon - macOS | Endpoint | macOS | Persistence: T1543, T1543.004: Create or Modify System Process, Launch Daemon |
| Process using crontab utility to add entires in cron jobs - T1053.003 - Cron - macOS | Endpoint | macOS | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Process modified Files and Directory permissions/attributes - T1222.001 - Windows File and Directory Permissions Modification - Windows | Endpoint | Windows | Defense Evasion: T1222, T1222.001: File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
| Process or script trying to hijack upgrade execution - T1574 - Hijack Execution Flow - AIX | Endpoint | AIX | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Process attempted reverse shell execution - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| PowerShell executing Get-smbshare command for network share discovery - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1135: Network Share Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Process dropped archive file - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.001, T1560.002, T1560.003: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Utility, Archive via Library, Archive via Custom Method |
| Web server spawned suspicious process - T1505.003 - Web Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Process attempted to masquerade file path with three dots - T1036.005 - Match Legitimate Name or Location - Linux | Container | Linux | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location |
| Telnet execution detected - T1021 - Remote Services - AIX | Endpoint | AIX | Lateral Movement: T1021: Remote Services |
| Pcwrun.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Mv utility launched to create plist file in LaunchAgents - T1543 - Launch Agent - macOS | Endpoint | macOS | Persistence: T1543, T1543.001: Create or Modify System Process, Launch Agent |
| Network sniffing tool launched to capture network traffic - T1040 - Network Sniffing - AIX | Endpoint | AIX | Credential Access: T1040: Network Sniffing |
| Process or script trying to alter firewall rules - T1562.004 - Disable or Modify System Firewall - AIX | Endpoint | AIX | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Process spawned LOLBINS for suspicious execution - TA0002 - Execution - Windows | Endpoint | Windows | |
| Sc.exe execution detected - T1543.003 - Windows Service - Windows | Endpoint | Windows | Discovery: T1007: System Service Discovery Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Process attempting to create SSH tunnel - T1572 - Protocol Tunneling - Linux | Container | Linux | Command and Control: T1572: Protocol Tunneling Exfiltration: T1041: Exfiltration Over C2 Channel Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Source command executed to execute file - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to add DLL as Port Monitors in print spooler service - T1547.010 - Port Monitors - Windows | Endpoint | Windows | Persistence: T1547, T1547.010: Boot or Logon Autostart Execution, Port Monitors |
| Winlogon notify key logon persistence - T1547.004 - Winlogon Helper DLL - Windows | Endpoint | Windows | Persistence: T1547, T1547.004: Boot or Logon Autostart Execution, Winlogon Helper DLL |
| Keylogging Attack Detected & Blocked on Endpoint - T1056.001 - Keylogging - Linux | Container | Linux | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Powershell execution with Set-MpPreference command - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process attempted to access or create hidden files - T1564.001 - Hidden Files and Directories - Linux | Container | Linux | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Process dropped executable file in monitored directories - T1204.002 - Malicious File - AIX | Endpoint | AIX | Execution: T1204, T1204.002: User Execution, Malicious File Defense Evasion: T1036.005: Match Legitimate Name or Location Command and Control: T1105: Ingress Tool Transfer |
| Createdump.exe execution detected for process dump - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Process dropped archive file in startup folders - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.003: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Custom Method Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Pod created with Privilege Escalation enabled via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process starting interactive shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Suspicious use of shell script for Input Capture - T1056 - Input Capture - macOS | Endpoint | macOS | Collection: T1056: Input Capture |
| Scp utility launched to copy remote file - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer |
| Coinminer Attack Detected on Endpoint - T1496 - Resource Hijacking - Linux | Container | Linux | Impact: T1496: Resource Hijacking |
| GTFOBIN_sqlite3_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Rundll32.exe execution detected - T1218.011 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.011: System Binary Proxy Execution, Rundll32 |
| Process trying to Ping different IP/Subnet with IPV6 IP - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery |
| Iptables utility launched to delete or flush firewall rules - T1562.004 - Impair Defense Modify Firewall - Linux | Container | Linux | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Process attempted reverse shell execution via pipes - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Mount or unmount network devices detected - T1211 - Exploitation for Defense Evasion - AIX | Endpoint | AIX | Defense Evasion: T1211: Exploitation for Defense Evasion |
| Process running from hidden directory - T1564.001 - Persistence - Linux | Container | Linux | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Vbc.exe execution detected - T1127 - Trusted Developer Utilities Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Web server attempting to delete logs from system - T1070.002 - Clear Linux or Mac System Logs - Linux | Container | Linux | Defense Evasion: T1027, T1027.005, T1070, T1070.002: Obfuscated Files or Information, Indicator Removal from Tools, Indicator Removal on Host, Clear Linux or Mac System Logs Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Devtoolslauncher.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempting to transfer tools of monitored extensions - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Process trying to access /etc/passwd file - T1087.001 - Local Account - AIX | Endpoint | AIX | Discovery: T1087, T1087.001: Account Discovery, Local Account |
| Pip executed via monitored applications - T1072 - Software Deployment Tools - Windows | Endpoint | Windows | Execution: T1072: Software Deployment Tools |
| Kubectl launched with service account inside container - T1564.006 - Run Virtual Instance - Linux | Container | Linux | Defense Evasion: T1564, T1564.006, T1610: Hide Artifacts, Run Virtual Instance, Deploy Container |
| Monitored application spawns explorer.exe - TA0002 - Execution - Windows | Endpoint | Windows | |
| MS office process spawns cmd.exe - T1059.003 - Windows Command Shell - Windows | Endpoint | Windows | Execution: T1059, T1059.003: Command and Scripting Interpreter, Windows Command Shell |
| Process dropped portable executable in System directory - T1574.010 - Services File Permissions Weakness - Windows | Endpoint | Windows | Persistence: T1574, T1574.010: Hijack Execution Flow, Services File Permissions Weakness |
| Microsoft Teams installation of Nuget/squirrel package - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process starting container with host network enabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Tscon.exe execution detected - T1021.001 - Remote Desktop Protocol - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.001, T1563, T1563.002: Remote Services, Remote Desktop Protocol, Remote Service Session Hijacking, RDP Hijacking |
| PowerShell diagnostic scripts executed for proxy execution - T1216 - System Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| Detected use of wget to download file from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer |
| Cp utility launched to copy file in hidden mode in/from Library directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Process attempting to capture video through WebCam Device - T1125 - Collection - Windows | Endpoint | Windows | Collection: T1125: Video Capture Execution: T1106: Native API |
| Find or locate utilities launched to search files on disk - T1083 - File and Directory Discovery - macOS | Endpoint | macOS | Discovery: T1082, T1083: System Information Discovery, File and Directory Discovery |
| Outbound Windows Remote Desktop detected - T1021.001 - Remote Desktop Protocol - macOS | Endpoint | macOS | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Kubernetes proxy communicating with public IP - T1090 - Proxy - Linux | Container | Linux | Command and Control: T1090, T1219: Proxy, Remote Access Software |
| GTFOBIN_ltrace_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process creating a pipe to enable inter-process communication - T1559 - Inter-Process Communication - Windows | Endpoint | Windows | Execution: T1106, T1559, T1559.001: Native API, Inter-Process Communication, Component Object Model |
| Container making unexpected outbound connection - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Process created hidden bplist file - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543, T1543.001, T1543.004: Create or Modify System Process, Launch Agent, Launch Daemon |
| GTFOBIN_ssh_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Certreq.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Ransomware execution detected (removed extension) - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Impact: T1486: Data Encrypted for Impact |
| Psexec execution detected for Lateral Movement - T1021.002 - SMB/Windows Admin Shares - AIX | Endpoint | AIX | Defense Evasion: T1550, T1550.002: Use Alternate Authentication Material, Pass the Hash Execution: T1569, T1569.002, T1059.003, T1059.006: System Services, Service Execution, Windows Command Shell, Python Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool Command and Control: T1105: Ingress Tool Transfer |
| Chown used on hidden directory or file - T1222.002 - Linux and Mac File and Directory Permissions Modification - macOS | Endpoint | macOS | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Monitored process launched with base64 data as parameter - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027: Obfuscated Files or Information |
| Container process trying to alter firewall rules - T1562.004 - Disable or Modify System Firewall - Linux | Container | Linux | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Caffeinate utility executed to prevent the system from sleeping - T1653 - Power Settings - macOS | Endpoint | macOS | Persistence: T1653: Power Settings |
| Process accessed/dropped email files - T1114 - Email Collection - AIX | Endpoint | AIX | Collection: T1114, T1114.001, T1114.002: Email Collection, Local Email Collection, Remote Email Collection |
| File Transfer utility downloaded script file - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Execution: T1059: Command and Scripting Interpreter Lateral Movement: T1021, T1021.004, T1570: Remote Services, SSH, Lateral Tool Transfer |
| Ping.exe execution detected - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery |
| Debugfs launched inside container - T1562 - Impair Defenses - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process enumerated System Information from configuration file - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1033, T1082: System Owner/User Discovery, System Information Discovery |
| Process attempted to access local timezone configuration file - T1614 - System Location Discovery - AIX | Endpoint | AIX | Discovery: T1614: System Location Discovery |
| Process accessed password policy - T1201 - Password Policy Discovery - Linux | Container | Linux | Discovery: T1201: Password Policy Discovery |
| Powershell spawned macOS utilities - T1059.001 - PowerShell - macOS | Endpoint | macOS | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempting to access SSH keys - T1552.004 - Private Keys - AIX | Endpoint | AIX | Credential Access: T1552, T1552.004: Unsecured Credentials, Private Keys |
| Process attempted to enumerate application windows - T1010 - Application Window Discovery - Linux | Container | Linux | Discovery: T1010: Application Window Discovery |
| Docker client running package manager inside remote container - T1609 - Container Administration Command - Linux | Container | Linux | Defense Evasion: T1610, T1564.006: Deploy Container, Run Virtual Instance Execution: T1609: Container Administration Command |
| Cloud Service Enumeration detected - T1526 - Cloud Service Discovery - Linux | Container | Linux | Discovery: T1526: Cloud Service Discovery |
| Port forwarding being created from kubernetes pod to local machine - T1610 - Execution Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| GTFOBIN_APT_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Mimikatz execution detected for offline credential theft - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool Defense Evasion: T1550: Use Alternate Authentication Material |
| Psexesvc.exe spawned a new process - T1569.002 - Service Execution - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Execution: T1569, T1569.002: System Services, Service Execution Lateral Movement: T1021, T1021.002, T1570: Remote Services, SMB/Windows Admin Shares, Lateral Tool Transfer Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Possible Pass the Hash attack detected - T1550.002 - Pass the Hash - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory Defense Evasion: T1055, T1550, T1550.002: Process Injection, Use Alternate Authentication Material, Pass the Hash Execution: T1106: Native API |
| Scrub or wipe utility launched to delete disk data - T1561.002 - Disk Structure Wipe - Linux | Container | Linux | Impact: T1485, T1561, T1561.001, T1561.002: Data Destruction, Disk Wipe, Disk Content Wipe, Disk Structure Wipe |
| EventViewer (Eventvwr.msc) execution detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Sudo utility executed to spawn process with higher privileges - T1548.003 - Abuse Elevation Control Mechanism - macOS | Endpoint | macOS | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process attempting to change password of user account - T1098 - Account Manipulation - macOS | Endpoint | macOS | Impact: T1531: Account Access Removal Persistence: T1098: Account Manipulation |
| Process attempted to exfiltrate files using web services - T1567 - Exfiltration Over Web Service - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication Exfiltration: T1048, T1567: Exfiltration Over Alternative Protocol, Exfiltration Over Web Service |
| PowerShell decoding/encoding base64 data - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027: Obfuscated Files or Information |
| Rsync utility launched to copy file on remote machine - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer |
| AVDump32.exe execution detected for DLL Side-Loading - T1574.002 - DLL Side-Loading - Windows | Endpoint | Windows | Persistence: T1574, T1574.002: Hijack Execution Flow, DLL Side-Loading |
| Process executed by User - T1204 - User Execution - AIX | Endpoint | AIX | Execution: T1204: User Execution |
| Process attempting to capture screen shot - T1113 - Screen Capture - Windows | Endpoint | Windows | Collection: T1113: Screen Capture Execution: T1106: Native API |
| Process dropped or accessed xmrig configuration - T1496 - Resource Hijacking - Linux | Container | Linux | Impact: T1496: Resource Hijacking |
| GTFOBIN_ed_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Bash script executed from tmp directory - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Ingress Tool Transfer detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Process using chage utility to change password policy - T1201 - Password Policy Discovery - Linux | Endpoint | Linux | Discovery: T1201: Password Policy Discovery |
| Container process communicated with newly registered domain - T1583.001 - Domains - Linux | Container | Linux | Resource Development: T1583, T1583.001: Acquire Infrastructure, Domains |
| Strace utility using ptrace API to hook into another process - T1055.008 - Ptrace System Calls - Linux | Container | Linux | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| Qwinsta.exe execution detected from monitored applications - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Web server spawned suspicious process to access credential files - T1003 - OS Credential Dumping - AIX | Endpoint | AIX | Credential Access: T1003, T1555: OS Credential Dumping, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| X-based GUI connection made to remote system - T1219 - Remote Access Software - AIX | Endpoint | AIX | Command and Control: T1219: Remote Access Software Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Base64 utility launched to encode/decode data - T1132 - Data Encoding - macOS | Endpoint | macOS | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Process added executable as active setup to gain persistence - T1547.014 - Active Setup - Windows | Endpoint | Windows | Persistence: T1547, T1547.014: Boot or Logon Autostart Execution, Active Setup |
| Bcdedit.exe utility used to modify the code signing policy of a system - T1553.006 - Code Signing Policy Modification - Windows | Endpoint | Windows | Defense Evasion: T1553, T1553.006: Subvert Trust Controls, Code Signing Policy Modification |
| Domain Logon detected - T1078.002 - Domain Accounts - Windows | Endpoint | Windows | Defense Evasion: T1078, T1078.002: Valid Accounts, Domain Accounts |
| Desktopimgdownldr.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Cmdkey.exe execution detected - T1087 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1087, T1087.001: Account Discovery, Local Account |
| Xxd utility executed to decode file - T1140 - Deobfuscate/Decode Files or Information - macOS | Endpoint | macOS | Defense Evasion: T1140: Deobfuscate/Decode Files or Information |
| Process launched via browser - T1189 - Drive-by Compromise - macOS | Endpoint | macOS | Initial Access: T1189: Drive-by Compromise Collection: T1056: Input Capture |
| Lsass.exe process added as silent process exit for dumping memory - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory |
| Process using trap command to execute code - T1546.005 - Trap - Linux | Container | Linux | Privilege Escalation: T1546, T1546.005: Event Triggered Execution, Trap |
| Process or script acting as remote access software - T1219 - Command And Control - macOS | Endpoint | macOS | Command and Control: T1219: Remote Access Software |
| Type.exe Execution Detected - T1552.001 - Credentials in Files - Windows | Endpoint | Windows | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Process created with Access Token - T1134.002 - Create Process with Token - Windows | Endpoint | Windows | Defense Evasion: T1134, T1134.002: Access Token Manipulation, Create Process with Token Execution: T1106: Native API |
| Process attempted to modify /etc/hosts - T1565 - Data Manipulation - macOS | Endpoint | macOS | Impact: T1565: Data Manipulation |
| Process modified permissions of credential files - T1003.008 - OS Credential Dumping - macOS | Endpoint | macOS | Credential Access: T1003, T1003.008, T1552, T1552.001, T1555: OS Credential Dumping, /etc/passwd and /etc/shadow, Unsecured Credentials, Credentials In Files, Credentials from Password Stores Defense Evasion: T1222: File and Directory Permissions Modification |
| GTFOBIN_setarch_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process created hidden Plist file - T1647 - Plist File Modification - macOS | Endpoint | macOS | Defense Evasion: T1647: Plist File Modification Persistence: T1543: Create or Modify System Process |
| Rundll32.exe executes DLL from suspicious location - T1085 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to deobfuscate and execute suspicious script - T1059 - Command and Scripting Interpreter - Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Netcat in host attempting remote code execution - T1059.004 - Unix Shell - Linux | Endpoint | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Container process created or modified Systemd Service - T1543.002 - Systemd Service - Linux | Container | Linux | Persistence: T1543, T1543.002: Create or Modify System Process, Systemd Service |
| Process accessed shell history file - T1552.003 - Bash History - Linux | Container | Linux | Credential Access: T1552, T1552.003: Unsecured Credentials, Bash History |
| Process attempted to modify DirectoryService Plugin - T1547 - Boot or Logon Autostart Execution - macOS | Endpoint | macOS | Persistence: T1547: Boot or Logon Autostart Execution |
| GTFOBIN_make_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process trying to overwrite Master Boot Record (MBR) - T1561.002 - Disk Structure Wipe - Windows | Endpoint | Windows | Execution: T1106: Native API Impact: T1561, T1561.002: Disk Wipe, Disk Structure Wipe |
| Python script execution detected - T1059.006 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Process downloaded archive or script file using non standard port - T1571 - Non-Standard Port - Linux | Container | Linux | Command and Control: T1105, T1571: Ingress Tool Transfer, Non-Standard Port Execution: T1204, T1204.001: User Execution, Malicious Link Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Database server spawned suspicious process - T1203 - Exploitation for Client Execution - Linux | Container | Linux | Execution: T1059, T1059.004, T1203: Command and Scripting Interpreter, Unix Shell, Exploitation for Client Execution Persistence: T1505: Server Software Component |
| PowerShell with suspicious commands - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Fodhelper.exe execution detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Process made HTTP connection on non-standard port - T1571 - Non-Standard Port - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1571: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Non-Standard Port Exfiltration: T1567: Exfiltration Over Web Service |
| Process attempting to load Kernel Driver - T1014 - Rootkit - Windows | Endpoint | Windows | Defense Evasion: T1014: Rootkit Execution: T1106: Native API Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Openssl utility being used to encrypt/decrypt file - T1027 - Obfuscated Files or Information - AIX | Endpoint | AIX | Command and Control: T1001, T1132: Data Obfuscation, Data Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| New cronjob in default namespace being created using external request in kubernetes cluster - T1053 - Persistence Kubernetes | Kuberenetes | Kubernetes | Execution: T1053: Scheduled Task/Job |
| Process trying to access /etc/hosts - T1018 - Remote System Discovery - AIX | Endpoint | AIX | Discovery: T1018: Remote System Discovery |
| Java process spawning local shell inside container - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Suspicious file dropped by MS Office Application - T1497 - Virtualization/Sandbox Evasion - macOS | Endpoint | macOS | Defense Evasion: T1497: Virtualization/Sandbox Evasion |
| Socat utility launched to spawn reverse shell - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Command and Control: T1219: Remote Access Software Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Nsenter utility executed for possible break out to host - T1611 - Escape to Host - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container Privilege Escalation: T1611: Escape to Host |
| Process modified ownership of credential files - T1003.008 - OS Credential Dumping - macOS | Endpoint | macOS | Credential Access: T1003, T1003.008, T1552, T1555: OS Credential Dumping, /etc/passwd and /etc/shadow, Unsecured Credentials, Credentials from Password Stores Defense Evasion: T1222: File and Directory Permissions Modification Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Process created a hidden file - T1564.001 - Hidden Files and Directories - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories Execution: T1106: Native API |
| PowerShell executing PowerSploit for CodeExecution - T1055.002 - Process Executable Injection - Windows | Endpoint | Windows | Defense Evasion: T1055, T1055.001, T1055.002, T1055.003, T1055.012: Process Injection, Dynamic-link Library Injection, Portable Executable Injection, Thread Execution Hijacking, Process Hollowing Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Touch utility launched to change the access time of file - T1070.006 - Timestomp - macOS | Endpoint | macOS | Defense Evasion: T1070, T1070.006: Indicator Removal, Timestomp |
| Process trying to access cron entries - T1053.003 - Cron - Linux | Container | Linux | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Registry Startups entry modification/addition detected for SDB - T1546.001 - Application Shimming - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.001: Event Triggered Execution, Change Default File Association Persistence: T1547.001, T1547: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
| Process loaded WinPcap DLL to sniff network packets - T1040 - Network Sniffing - Windows | Endpoint | Windows | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| Process attempting to enumerate Files and Directory - T1083 - File and Directory Discovery - Windows | Endpoint | Windows | Discovery: T1083: File and Directory Discovery Execution: T1106: Native API |
| Process modified Dynamic Linker (DYLD) environment variable - T1574.006 - Dynamic Linker Hijacking - macOS | Endpoint | macOS | Persistence: T1574, T1574.004, T1574.006: Hijack Execution Flow, Dylib Hijacking, Dynamic Linker Hijacking |
| Process using scp utility to copy file on remote machine - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| Powershell using WMI event subscriptions for persistence - T1546.003 - Windows Management Instrumentation Event Subscription - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Privilege Escalation: T1546, T1546.003: Event Triggered Execution, Windows Management Instrumentation Event Subscription |
| PowerShell executing PowerView's UserHunter script for account discovery - T1087 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1087: Account Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Bash process with script as command line launched - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Compromised Account Access Detected & Blocked on Endpoint - T1078 - Valid Accounts - Linux | Container | Linux | Defense Evasion: T1078: Valid Accounts |
| Docker client installing masscan inside remote container - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1609: Container Administration Command Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks Defense Evasion: T1564.006: Run Virtual Instance |
| Microsoft Windows Defender Detected Malicious File - T1204.002 - Malicious File - Windows | Endpoint | Windows | Execution: T1204, T1204.002: User Execution, Malicious File |
| Cloud utilities being used inside container - T1078.004 - Cloud Accounts - Linux | Container | Linux | Defense Evasion: T1078, T1078.004: Valid Accounts, Cloud Accounts Discovery: T1069, T1069.003, T1087, T1087.004, T1580: Permission Groups Discovery, Cloud Groups, Account Discovery, Cloud Account, Cloud Infrastructure Discovery |
| PowerShell Downgrade to earlier version - T1059.001 - Powershell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Scheduled Task by Cron - T1053.003 - Scheduled Task - AIX | Endpoint | AIX | Execution: T1053, T1053.003: Scheduled Task/Job, Cron Exfiltration: T1029: Scheduled Transfer |
| Pbpaste utility to collect clipboard data - T1115 - Clipboard Data - macOS | Endpoint | macOS | Collection: T1115: Clipboard Data |
| Powershell execution with -enc and others commands - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to obfuscate binary file - T1027.001 - Binary Padding - Linux | Container | Linux | Defense Evasion: T1027, T1027.001: Obfuscated Files or Information, Binary Padding |
| Exploitation for Privilege Escalation Detected on Endpoint - T1068 - Exploitation for Privilege Escalation - Linux | Container | Linux | Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Detected use of tftp to download file from internet - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Process attempting to drop web shell - T1505.003 - Web Shell - AIX | Endpoint | AIX | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Signed Binary execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to query external IP address - T1016 - System Network Configuration Discovery - Cross Platform | Endpoint | All OS | Discovery: T1016: System Network Configuration Discovery |
| Process accessed Kubernetes cluster config - T1552.001 - Credentials In Files - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Container process attempted to find cloud credentials - T1552.004 - Private Keys - Linux | Container | Linux | Credential Access: T1552, T1552.001, T1552.004: Unsecured Credentials, Credentials In Files, Private Keys |
| Powershell script attempting to disable or modify firewall - T1562.004 - Disable or Modify System Firewall - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Msiexec.exe execution detected - T1218.007 - Msiexec - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.007: System Binary Proxy Execution, Msiexec |
| Curl executed to connect to socks5 protocol (Possible CVE-2023-38545 exploit) - T1203 - Exploitation for Client Execution - Linux | Container | Linux | Command and Control: T1090, T1105: Proxy, Ingress Tool Transfer Execution: T1203: Exploitation for Client Execution |
| Process attempted to import certificate to Keychains - T1553.004 - Install Root Certificate - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain Defense Evasion: T1553, T1553.004: Subvert Trust Controls, Install Root Certificate |
| PowerShell execution detected for initiating COM Objects - T1559.001 - Component Object Model - Windows | Endpoint | Windows | Execution: T1059, T1059.001, T1559, T1559.001: Command and Scripting Interpreter, PowerShell, Inter-Process Communication, Component Object Model |
| Sftp utility executed to copy remote file - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer |
| Process Running from Programdata Directory - TA0002 - Execution - Windows | Endpoint | Windows | |
| Nslookup.exe execution detected from monitored applications - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1016, T1016.001, T1018: System Network Configuration Discovery, Internet Connection Discovery, Remote System Discovery |
| Csc.exe execution detected - T1127 - Trusted Developer Utilities - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Process accessed rc.common file for persistence - T1037.004 - RC Scripts - macOS | Endpoint | macOS | Persistence: T1037, T1037.004: Boot or Logon Initialization Scripts, RC Scripts |
| Reverse shell attempted to connect public IP address - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Productivity applications spawned browser applications - T1566 - Phishing - Windows | Endpoint | Windows | Execution: T1204, T1204.001, T1204.002: User Execution, Malicious Link, Malicious File Initial Access: T1566, T1566.001, T1566.002: Phishing, Spearphishing Attachment, Spearphishing Link |
| Process attempting to make LDAP connection - T1087.002 - Domain Account - Linux | Container | Linux | Discovery: T1069, T1069.002, T1087, T1087.002, T1482: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account, Domain Trust Discovery |
| GTFOBIN_lua acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Execute command writing output to local admin share detected - T1021.002 - SMB/Windows Admin Shares - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Suspicious use of wget to download file in tmp directory - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1573, T1573.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Encrypted Channel, Asymmetric Cryptography |
| Funzip utility execution detected - T1560 - Archive via Utility - macOS | Endpoint | macOS | Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility |
| Webserver process trying to modify sudo configuration - T1548.003 - Sudo and Sudo Caching - AIX | Endpoint | AIX | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Suspicious process spawned by MS Office Application - T1566 - Phishing - macOS | Endpoint | macOS | Initial Access: T1566, T1566.001: Phishing, Spearphishing Attachment |
| Sc.exe execution detected to create a service for VirtualBox Driver - T1564.006 - Run Virtual Instance - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.006: Hide Artifacts, Run Virtual Instance |
| Dsenableroot utility executed to enable root account - T1548 - Abuse Elevation Control Mechanism - macOS | Endpoint | macOS | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Process attempting to transfer tools or other files - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Unsigned process attempting to intercept keystrokes via HID APIs - T1056.001 - Keylogging - macOS | Endpoint | macOS | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Csi.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1027, T1027.004, T1218: Obfuscated Files or Information, Compile After Delivery, System Binary Proxy Execution Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Host process modified /etc/ld.so.preload - T1574.006 - Dynamic Linker Hijacking - Linux | Endpoint | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Web server using who or users utility to get users information - T1033 - System Owner/User Discovery - AIX | Endpoint | AIX | Discovery: T1033: System Owner/User Discovery |
| Powershell Modifying SSP configuration in registry - T1547.005 - Security Support Provider - Windows | Endpoint | Windows | Persistence: T1547, T1547.005: Boot or Logon Autostart Execution, Security Support Provider |
| Process attempted to modify Apple's Remote Desktop settings - T1018 - Remote System Discovery - macOS | Endpoint | macOS | Discovery: T1018: Remote System Discovery |
| Sc.exe made network connection - T1543.003 - Windows Service - Windows | Endpoint | Windows | Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Process attempted to connect to HTTP proxy - T1090 - Proxy - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1090, T1090.001, T1090.002, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Proxy, Internal Proxy, External Proxy, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Userdel utility launched to delete user account - T1531 - Account Access Removal - Linux | Container | Linux | Impact: T1531: Account Access Removal |
| GTFOBIN_zip_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Crontab utility launched to add cron jobs - T1053.003 - Scheduled Task/Job: Cron - AIX | Endpoint | AIX | Execution: T1053, T1053.003, T1053.005: Scheduled Task/Job, Cron, Scheduled Task |
| Suspicious process attempted to access Jenkins credential files - T1552.001 - Credentials In Files - Linux | Container | Linux | Credential Access: T1552, T1552.001, T1555: Unsecured Credentials, Credentials In Files, Credentials from Password Stores |
| Msdt.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Nmap utility is running inside container - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Reconnaissance: T1595, T1595.001, T1595.002, T1595.003: Active Scanning, Scanning IP Blocks, Vulnerability Scanning, Wordlist Scanning |
| Software Packer Detected - T1027.002 - Software Packing - Windows | Endpoint | Windows | Defense Evasion: T1027, T1027.002: Obfuscated Files or Information, Software Packing |
| Remote SSH login detected - T1021.004 - SSH - macOS | Endpoint | macOS | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Process attempted to discover system services - T1007 - Discovery - Linux | Container | Linux | Discovery: T1007: System Service Discovery |
| Web Shell attack Detected on Endpoint - T1505.003 - Web Shell - Linux | Container | Linux | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Process trying to modify global bash profile - T1546.004 - Unix Shell Configuration Modification - AIX | Endpoint | AIX | Defense Evasion: T1480, T1480.001: Execution Guardrails, Environmental Keying Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| Diskshadow.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| MS Office or scripting engine dropped script file - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process made HTTPS Connection - T1573 - Encrypted Channel - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1567: Exfiltration Over Web Service |
| Reg.exe execution detected for querying statup registry key - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Discovery: T1012: Query Registry Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| GTFOBIN_script_utility_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process accessed /etcgroup file - T1069.001 - Local Groups - Linux | Container | Linux | Discovery: T1033, T1069, T1069.001: System Owner/User Discovery, Permission Groups Discovery, Local Groups |
| Process dropped EICAR file in monitored directories - T1204.002 - Malicious File - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File |
| Deployment being created in default namespace using external request in kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Replicaset being deleted from kubernetes cluster using external request - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Defaults utility launched to modify LoginHook/LogoutHook - T1037.002 - Login Hook - macOS | Endpoint | macOS | Persistence: T1037, T1037.002: Boot or Logon Initialization Scripts, Login Hook |
| Process sent encoding data through HTTP protocol - T1132.001 - Standard Encoding - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1132, T1132.001: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Data Encoding, Standard Encoding Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| GTFOBIN_jjs_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Scripting process attempted to access microphone for audio capture - T1123 - Audio Capture - macOS | Endpoint | macOS | Collection: T1123: Audio Capture |
| Utility launched to add user in privileged group - T1484.001 - Group Policy Modification - macOS | Endpoint | macOS | Defense Evasion: T1484, T1484.001: Domain Policy Modification, Group Policy Modification Discovery: T1057: Process Discovery |
| Database server spawning local shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempted to monitor keyboard input - T1056.001 - Keylogging - Linux | Container | Linux | Collection: T1056, T1056.001, T1560: Input Capture, Keylogging, Archive Collected Data |
| Suspicious use of ZIP on Keychains - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| RegSvcs.exe/Regasm.exe execution detected - T1218.009 - Regsvcs/Regasm - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.009: System Binary Proxy Execution, Regsvcs/Regasm |
| Outlook Spawns MS office process - T1566.001 - Spearphishing Attachment - Windows | Endpoint | Windows | Initial Access: T1566, T1566.001: Phishing, Spearphishing Attachment |
| Process dropped executable file in startup folder - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Whoami.exe execution detected from monitored applications - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Pcalua.exe execution detected - T1202 - Indirect Command Execution - Windows | Endpoint | Windows | Defense Evasion: T1202: Indirect Command Execution |
| Ransomware execution detected using File I/O operations - T1486 - Data Encrypted for Impact - AIX | Endpoint | AIX | Impact: T1486: Data Encrypted for Impact |
| FSUtil.exe executed to enumerate peripheral devices - T1120 - Peripheral Device Discovery - Windows | Endpoint | Windows | Discovery: T1120: Peripheral Device Discovery Defense Evasion: T1070: Indicator Removal |
| Container process attempting to create files under /dev - T1036.004 - Masquerade Task or Service - Linux | Container | Linux | Defense Evasion: T1036, T1036.004: Masquerading, Masquerade Task or Service |
| FTP utility execution detected for downloading files from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Monitored utility sending output to shell via pipe (Potential Reverse Shell) - T1059 - Command and Scripting Interpreter - Linux | Endpoint | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process or script trying to encrypt data - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Collection: T1560, T1074, T1560.001: Archive Collected Data, Data Staged, Archive via Utility Impact: T1486: Data Encrypted for Impact |
| Chgrp utility executed to change group ownership of a file - T1222.002 - Linux and Mac File and Directory Permissions Modification - macOS | Endpoint | macOS | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Psexec execution detected for Lateral Movement - T1021.002 - SMB/Windows Admin Shares - Linux | Container | Linux | Defense Evasion: T1550, T1550.002: Use Alternate Authentication Material, Pass the Hash Execution: T1569, T1569.002, T1059.003, T1059.006: System Services, Service Execution, Windows Command Shell, Python Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool Command and Control: T1105: Ingress Tool Transfer |
| AD replication request detected - T1003.003 - NTDS - Windows | Endpoint | Windows | Credential Access: T1003, T1003.003, T1003.006: OS Credential Dumping, NTDS, DCSync Defense Evasion: T1207: Rogue Domain Controller Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| Process attempted to get system time - T1124 - System Time Discovery - Linux | Container | Linux | Discovery: T1124: System Time Discovery |
| Dd utility launched to delete disk data - T1561.002 - Disk Structure Wipe - Linux | Container | Linux | Impact: T1485, T1561, T1561.001, T1561.002: Data Destruction, Disk Wipe, Disk Content Wipe, Disk Structure Wipe |
| Database server spawned suspicious process to access credential files - T1003 - OS Credential Dumping - Linux | Container | Linux | Credential Access: T1003, T1555: OS Credential Dumping, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell Persistence: T1505: Server Software Component |
| Remote process attempting to enumerate user groups and permission settings - T1069 - Permission Groups Discovery - Windows | Endpoint | Windows | Discovery: T1069, T1069.001, T1069.002, T1069.003, T1615: Permission Groups Discovery, Local Groups, Domain Groups, Cloud Groups, Group Policy Discovery |
| Process attempted to dump credential file with sudo privileges - T1003 - OS Credential Dumping - Linux | Container | Linux | Credential Access: T1003, T1552, T1552.001, T1555: OS Credential Dumping, Unsecured Credentials, Credentials In Files, Credentials from Password Stores |
| Mftrace.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process running from sensitive locations with hidden directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Process creating SSH tunnel - T1572 - Protocol Tunneling - AIX | Endpoint | AIX | Command and Control: T1572: Protocol Tunneling |
| Kubectl launched to access kubernetes secrets - T1552 - Unsecured Credentials - macOS | Endpoint | macOS | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Dsconfigad utility used to remove computer from the domain - T1484 - Domain Policy Modification - macOS | Endpoint | macOS | Defense Evasion: T1484: Domain Policy Modification |
| Monitored application child process injected code in remote process - T1055 - Process Injection - Windows | Endpoint | Windows | Defense Evasion: T1055: Process Injection |
| Credential Stealer Detected on Endpoint - T1003 - OS Credential Dumping - macOS | Endpoint | macOS | Credential Access: T1003, T1552, T1555, T1555.003: OS Credential Dumping, Unsecured Credentials, Credentials from Password Stores, Credentials from Web Browsers |
| Process modified loginwindow plist - T1547.007 - Reopened Applications - macOS | Endpoint | macOS | Persistence: T1037, T1037.002, T1547, T1547.007: Boot or Logon Initialization Scripts, Login Hook, Boot or Logon Autostart Execution, Re-opened Applications |
| Powershell using Start-BitsTransfer flag to create BITS jobs - T1197 - BITS Jobs - Windows | Endpoint | Windows | Defense Evasion: T1197: BITS Jobs |
| PowerShell execution detected for collecting credentials from password stores - T1555 - Credentials from Password Stores - Windows | Endpoint | Windows | Credential Access: T1555: Credentials from Password Stores Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Ping.exe execution detected from powershell/cmd - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery |
| GetSymbol execution detected - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process accessed stored web browser credentials - T1555.003 - Credentials from Web Browsers - Windows | Endpoint | Windows | Credential Access: T1555, T1555.003: Credentials from Password Stores, Credentials from Web Browsers |
| Polkit local privilege escalation (CVE-2021-3560) - T1068 - Exploitation for Privilege Escalation - Linux | Container | Linux | Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| DataSvcUtil.exe execution detected - T1567 - Exfiltration Over Web Service - Windows | Endpoint | Windows | Exfiltration: T1020, T1567: Automated Exfiltration, Exfiltration Over Web Service |
| Process accessed/forged Kerberos Tickets - T1558.003 - Kerberoasting - macOS | Endpoint | macOS | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting |
| Wmic.exe spawned suspicious process - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047, T1059: Windows Management Instrumentation, Command and Scripting Interpreter |
| Appcmd.exe execution detected - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process dropped shortcuts file in AppData folder - TA0002 - Execution - Windows | Endpoint | Windows | |
| Scripting process executed applescript - T1059.002 - AppleScript - macOS | Endpoint | macOS | Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| Tor utility executed to create an encrypted proxy channel - T1090.003 - Multi-hop Proxy - macOS | Endpoint | macOS | Command and Control: T1090, T1090.003: Proxy, Multi-hop Proxy |
| Process attempted to access password quality policy - T1201 - Password Policy Discovery - Linux | Container | Linux | Discovery: T1201: Password Policy Discovery |
| GTFOBIN_less_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process dropped apple script - T1059.002 - AppleScript - macOS | Endpoint | macOS | Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| Role binding being deleted using external request in kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Xclip utility launched to collect clipboard data - T1115 - Clipboard Data - Linux | Container | Linux | Collection: T1115: Clipboard Data |
| VSDiagnostics.exe execution detected to launch suspicious process - T1127 - Trusted Developer Utilities Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| GfxDownloadWrapper.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Daemonset being deleted from kubernetes cluster using external request - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Registry dump of SAM for hashes and usernames using powershell - T1003.002 - Security Account Manager - Windows | Endpoint | Windows | Credential Access: T1003, T1003.002: OS Credential Dumping, Security Account Manager |
| Dscacheutil utility launched to enumerate mounts and services - T1135 - Network Share Discovery - macOS | Endpoint | macOS | Discovery: T1007, T1135, T1087: System Service Discovery, Network Share Discovery, Account Discovery |
| Process accessed Email File - T1114.001 - Local Email Collection - Windows | Endpoint | Windows | Collection: T1114, T1114.001, T1114.002: Email Collection, Local Email Collection, Remote Email Collection Discovery: T1087, T1087.003: Account Discovery, Email Account Persistence: T1137.001, T1137: Office Template Macros, Office Application Startup |
| Powershell execution detected with IEX command for code execution - T1059.001 - PowerShell - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to access /etc/ld.so.preload file - T1574.006 - Dynamic Linker Hijacking - Linux | Container | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Process modifying cron jobs - T1053.003 - Cron - macOS | Endpoint | macOS | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Prs.exe execution detected - T1113 - Screen Capture - Windows | Endpoint | Windows | Collection: T1113: Screen Capture |
| Process dropped executable file in /etc directory - T1204.002 - Malicious File - Linux | Container | Linux | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File Command and Control: T1105: Ingress Tool Transfer |
| Chrome execution detected with remote debugging - T1059 - Execution - Windows | Endpoint | Windows | Execution: T1059: Command and Scripting Interpreter |
| Docker client copying portainer inside remote container - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1609: Container Administration Command |
| Process disabled or uninstalled Security Tool - T1562.001 - Disable or Modify Tools - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Regsvr32.exe/Rundll32.exe execution detected - T1218 - System Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.010, T1218.011: System Binary Proxy Execution, Regsvr32, Rundll32 |
| Tmutil utility launched to delete snapshots - T1485 - Data Destruction - macOS | Endpoint | macOS | Impact: T1485, T1561, T1561.001: Data Destruction, Disk Wipe, Disk Content Wipe |
| Container initialised with host network enabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| PowerShell executing Invoke-AllChecks script for privilege escalation - TA0004 - Privilege Escalation - Windows | Endpoint | Windows | |
| Process attempting to modify templates for Office Applications - T1137.001 - Office Template Macros - Windows | Endpoint | Windows | Persistence: T1137, T1137.001: Office Application Startup, Office Template Macros |
| PowerShell execution detected for creating services with system privilege - T1543.003 - Windows Service - Windows | Endpoint | Windows | Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Kubectl utility launched to delete kubernetes cluster events - T1070 - Indicator Removal - AIX | Endpoint | AIX | Defense Evasion: T1027, T1027.005, T1070: Obfuscated Files or Information, Indicator Removal from Tools, Indicator Removal on Host |
| Process masquerading with original system file name - T1036 - Masquerading - Windows | Endpoint | Windows | Defense Evasion: T1036, T1036.003, T1036.005: Masquerading, Rename System Utilities, Match Legitimate Name or Location |
| Process attempted to change file permission - T1222.002 - Linux and Mac File and Directory Permissions Modification - Linux | Endpoint | Linux | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification Persistence: T1525: Implant Internal Image |
| PowerShell execution detected for clear command History - T1070.003 - Clear Command History - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.003: Indicator Removal on Host, Clear Command History Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| PowerShell looking for network shares - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1135: Network Share Discovery Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| At utility executed to scheduled task to gain persistence - T1053.001 - At - macOS | Endpoint | macOS | Execution: T1053, T1053.002: Scheduled Task/Job, At |
| Docker using ps utility to get running processes on remote container - T1057 - Process Discovery - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container Discovery: T1057: Process Discovery |
| Process dropped kerberos ticket on Linux host - T1550.003 - Pass the Ticket - Linux | Container | Linux | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Defense Evasion: T1550, T1550.003: Use Alternate Authentication Material, Pass the Ticket |
| Remote file copy detected - T1021.002 - SMB/Windows Admin Shares - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Process attempting to set executable bit on file - T1525 - Implant Internal Image - AIX | Endpoint | AIX | Persistence: T1525: Implant Internal Image |
| System role being deleted using external request in kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| New role being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Grep utility launched to enumerate passwords in files - T1552.001 - Credentials In Files - Linux | Container | Linux | Credential Access: T1552, T1552.001, T1555, T1552.004: Unsecured Credentials, Credentials In Files, Credentials from Password Stores, Private Keys |
| Process attempted reverse shell execution via bash - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Cluster role with wildcard resources being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Nltest.exe execution detected from monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Python base64 Module launched to decode or encode data - T1132.001 - Standard Encoding - AIX | Endpoint | AIX | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Svchost.exe launched CMD with System Privileges - T1059.003 - Windows Command Shell - Windows | Endpoint | Windows | Execution: T1059, T1059.003: Command and Scripting Interpreter, Windows Command Shell |
| Process dropped a possible Web Shell - T1505.003 - Web Shell - Linux | Container | Linux | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Statefulset being created in default namespace using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Process attempting to install tor inside container - T1090.003 - Multi-hop Proxy - Linux | Container | Linux | Command and Control: T1090, T1090.003: Proxy, Multi-hop Proxy Execution: T1609: Container Administration Command |
| Process attempted to change file ownership - T1222.002 - Linux and Mac File and Directory Permissions Modification - Linux | Endpoint | Linux | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Suspicious use of QTKIT detected for video capture - T1125 - Video Capture - macOS | Endpoint | macOS | Collection: T1125: Video Capture |
| Yara rule match on process memory | Endpoint | All OS | |
| New service account being created in kube namespace using external request in kubernetes cluster - T1078.004 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078.004, T1078: Cloud Accounts, Valid Accounts |
| Process attempted to capture network packets - T1040 - Network Sniffing - AIX | Endpoint | AIX | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| Process trying to perform Access Token Manipulation - T1134 - Access Token Manipulation - Windows | Endpoint | Windows | Defense Evasion: T1134, T1134.002: Access Token Manipulation, Create Process with Token Execution: T1106: Native API |
| Drive-By Download Attack Detected & Blocked on Endpoint (Malicious File) - T1189 - Drive-by Compromise - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File Initial Access: T1189: Drive-by Compromise |
| Process communicating through mail protocol - T1071.003 - Mail Protocols - Windows | Endpoint | Windows | Command and Control: T1071, T1071.003: Application Layer Protocol, Mail Protocols |
| Process disabled windows command line (CMD) utility with help of registry - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Process initiating LDAP connection for domain account discovery - T1087.002 - Domain Account - Windows | Endpoint | Windows | Discovery: T1087, T1087.002: Account Discovery, Domain Account |
| Wmic.exe execution detected to modify size of page file - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Chflags utility launched with hidden flag to hide item from GUI - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Container process using runuser utility to execute privileged commands - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process disabled swap partition - T1562.001 - Disable or Modify Tools - AIX | Endpoint | AIX | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process attempted to access group file - T1069.001 - Local Groups - AIX | Endpoint | AIX | Discovery: T1033, T1069, T1069.001: System Owner/User Discovery, Permission Groups Discovery, Local Groups |
| Database server process trying to modify sudo configuration - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Persistence: T1505: Server Software Component Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process using cp utility to create bplist file in LaunchAgents - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543: Create or Modify System Process |
| Dll order hijacking - T1574.001 - DLL Search Order Hijacking - Windows | Endpoint | Windows | Persistence: T1574, T1574.001, T1574.002, T1574.006, T1574.008: Hijack Execution Flow, DLL Search Order Hijacking, DLL Side-Loading, Dynamic Linker Hijacking, Path Interception by Search Order Hijacking |
| Assoc.exe execution detected - T1546.001 - Change Default File Association - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.001: Event Triggered Execution, Change Default File Association |
| Pnputil.exe execution detected - T1547.006 - Kernel Modules and Extensions - Windows | Endpoint | Windows | Persistence: T1547, T1547.006: Boot or Logon Autostart Execution, Kernel Modules and Extensions |
| Schtasks.exe executed to schedule scripting engines execution - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Process attempted to access credentials In files - T1552.001 - Credentials In Files - macOS | Endpoint | macOS | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| PowerShell Modifying file last access timestamp - T1070.006 - Timestomp - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.006: Indicator Removal on Host, Timestomp |
| Mimikatz DCsync attack detected - T1003.006 - DCSync - Windows | Endpoint | Windows | Credential Access: T1003, T1003.006: OS Credential Dumping, DCSync Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Process disabled Windows Defender detection capabilities - T1562.001 - Impair Defenses - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| GTFOBIN_System pager spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Outlook launched with alternate VBA file - T1137 - Office Application Startup - Windows | Endpoint | Windows | Persistence: T1137: Office Application Startup |
| AppInstaller.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Process masqueraded file name - T1036.002 - Right-to-Left Override - macOS | Endpoint | macOS | Defense Evasion: T1036, T1036.002: Masquerading, Right-to-Left Override |
| Process dropped portable executable file in AppData folder - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process Hollowing detected - T1055.012 - Process Hollowing - Windows | Endpoint | Windows | Defense Evasion: T1055, T1055.001, T1055.002, T1055.003, T1055.012: Process Injection, Dynamic-link Library Injection, Portable Executable Injection, Thread Execution Hijacking, Process Hollowing Execution: T1106: Native API |
| Port Scan Attack Detected & Blocked on Endpoint - T1046 - Network Service Discovery - macOS | Endpoint | macOS | Discovery: T1046: Network Service Discovery |
| Bcdedit.exe execution detected - T1490 - Inhibit System Recovery - Windows | Endpoint | Windows | Impact: T1490: Inhibit System Recovery |
| Find or locate utilities launched to search files on disk - T1083 - File and Directory Discovery - Linux | Container | Linux | Discovery: T1083: File and Directory Discovery Collection: T1119: Automated Collection |
| Process allowed remote desktop connections using registry key - T1021.001 - Remote Desktop Protocol - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Container process dropped EICAR file in monitored directories - T1204.002 - Malicious File - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File |
| Statefulset being deleted from kubernetes cluster using external request - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Coregen.exe execution detected - T1055 - Process Injection - Windows | Endpoint | Windows | Defense Evasion: T1055: Process Injection |
| Process accessed/dropped email file - T1114 - Email Collection - Linux | Container | Linux | Collection: T1114, T1114.001, T1114.002: Email Collection, Local Email Collection, Remote Email Collection |
| Sw_vers utility executed to print OS version information - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| Hostname.exe execution detected from monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Kubectl utility executed inside container to access secrets - T1552 - Unsecured Credentials - Linux | Container | Linux | Credential Access: T1552: Unsecured Credentials |
| Powershell execution detected for MiniDump - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| PAExec execution detected for lateral movement - T1021.002 - SMB/Windows Admin Shares - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Reg.exe execution detected - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Rundll32.exe execution with mshtml as command line parameter detected - T1218.011 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.011: System Binary Proxy Execution, Rundll32 |
| Cscript.exe execution detected - T1216 - Signed Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| Process made HTTPS connection on non-standard port - T1571 - Non-Standard Port - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1571: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Non-Standard Port |
| PowerShell modified file timestamp - T1070.006 - Timestomp - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.006: Indicator Removal on Host, Timestomp |
| CompMgmtLauncher.exe execution detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| FTP utility execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Powershell with suspicious commands to download file from internet - T1102.002 - Bidirectional Communication - Windows | Endpoint | Windows | Command and Control: T1071, T1102, T1102.002, T1071.001: Application Layer Protocol, Web Service, Bidirectional Communication, Web Protocols |
| Process made HTTP/HTTPS Connection - T1071.001 - Command and Control - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1041, T1567: Exfiltration Over C2 Channel, Exfiltration Over Web Service |
| Process attempting to access SMB shares - T1021.002 - SMB/Windows Admin Shares - AIX | Endpoint | AIX | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Wscript.exe execution detected from monitored applications - T1059.005 - Visual Basic - Windows | Endpoint | Windows | Execution: T1059, T1059.005: Command and Scripting Interpreter, Visual Basic Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Process attempted to make HTTP connection on non-standard port - T1571 - Non-Standard Port - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1571: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Non-Standard Port Exfiltration: T1567: Exfiltration Over Web Service |
| GTFOBIN_jrunscript acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Process Running from Startup folder - T1060 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | |
| Process attempting to spawn PTY shell - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempted to enumerate network connections - T1049 - System Network Connections Discovery - Linux | Container | Linux | Discovery: T1049: System Network Connections Discovery |
| Powershell used with Get-Process command - T1057 - Process Discovery - Windows | Endpoint | Windows | Discovery: T1057: Process Discovery |
| Process using Tor utility to create an encrypted proxy channel - T1090.003 - Multi-hop Proxy - Linux | Container | Linux | Command and Control: T1090, T1090.002, T1090.003, T1573: Proxy, External Proxy, Multi-hop Proxy, Encrypted Channel |
| Dism.exe execution detected to disable or modify Tools - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Container process attempting to clear logs - T1070.002 - Clear Linux or Mac System Logs - Linux | Container | Linux | Defense Evasion: T1070, T1070.002: Indicator Removal on Host, Clear Linux or Mac System Logs |
| GTFOBIN_run-parts_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process created /etc/launchd.conf file - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543: Create or Modify System Process |
| Launchctl utility used to execute commands or programs - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059: Command and Scripting Interpreter Persistence: T1543: Create or Modify System Process |
| Icacls.exe execution detected for grant permission for all users - T1222.001 - Windows File and Directory Permissions Modification - Windows | Endpoint | Windows | Defense Evasion: T1222, T1222.001: File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
| Rclone execution detected for data exfiltration from monitored application - T1567.002 - Exfiltration to Cloud Storage - Windows | Endpoint | Windows | Exfiltration: T1020, T1048, T1567, T1567.002: Automated Exfiltration, Exfiltration Over Alternative Protocol, Exfiltration Over Web Service, Exfiltration to Cloud Storage |
| Visudo utility launched to update sudoers file - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| 7zip.exe execution detected from temp directory - T1560.001 - Archive via Utility - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.001: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Utility |
| Process loading PowerShell DLL - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Suspicious ruby process attempted to spawn reverse shell - T1059 - Command and Scripting Interpreter - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Keylogging Attack Detected on Endpoint - T1056.001 - Keylogging - Linux | Container | Linux | Collection: T1056, T1056.001: Input Capture, Keylogging |
| UAC bypass attempt detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Execution: T1106: Native API Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Sdbinst.exe execution detected - T1546.011 - Application Shimming - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.011: Event Triggered Execution, Application Shimming |
| Osk.exe execution detected - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| Process using scp utility to copy file on remote machine - T1570 - Lateral Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Java application spawned suspicious process - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1018, T1033, T1046, T1049, T1057, T1082: Remote System Discovery, System Owner/User Discovery, Network Service Discovery, System Network Connections Discovery, Process Discovery, System Information Discovery Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_ionice_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted inter-process communication using pipe - T1559 - Inter-Process Communication - Linux | Container | Linux | Execution: T1559: Inter-Process Communication |
| Wsmprovhost.exe spawned suspicious process - T1021.006 - Windows Remote Management - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation Lateral Movement: T1021, T1021.006: Remote Services, Windows Remote Management |
| Reg.exe execution detected for querying Registry - T1012 - Query Registry - Windows | Endpoint | Windows | Discovery: T1012: Query Registry |
| Process attempted to scan the network - T1595 - Active Scanning - Linux | Container | Linux | Reconnaissance: T1595, T1595.001, T1595.002: Active Scanning, Scanning IP Blocks, Vulnerability Scanning |
| Reverse Shell Detected & Blocked on Endpoint - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process trying to access or modify OS credentials - T1003.008 - /etc/passwd and /etc/shadow - AIX | Endpoint | AIX | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Suspicious use of open utility to open pdf file from tmp directory - T1036 - Masquerading - macOS | Endpoint | macOS | Defense Evasion: T1036: Masquerading |
| Wsmprovhost.exe spawned scripting engine to execute script - T1021.006 - Windows Remote Management - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation Lateral Movement: T1021, T1021.006: Remote Services, Windows Remote Management |
| Curl inside container attempting to connect to docker domain socket - T1021.004 - SSH - Linux | Container | Linux | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Powershell launched to get remote machine access via WinRM - T1021.006 - Windows Remote Management - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Lateral Movement: T1021, T1021.006: Remote Services, Windows Remote Management |
| Net.exe executed via monitored applications to create new admin account - T1136.001 - Local Accounts - Windows | Endpoint | Windows | Persistence: T1136, T1136.001: Create Account, Local Account |
| Process attempting to create user account with different user attributes - T1136 - Create Account - macOS | Endpoint | macOS | Persistence: T1136: Create Account |
| System utility launched to get users information - T1033 - System Owner/User Discovery - AIX | Endpoint | AIX | Discovery: T1033, T1087: System Owner/User Discovery, Account Discovery |
| Process trying to retrieve the ARP entries from the local system - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery Execution: T1106: Native API |
| Ipconfig.exe execution detected from monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Database server dropped executable or script files on Host - T1105 - Ingress Tool Transfer - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1059, T1204, T1204.002: Command and Scripting Interpreter, User Execution, Malicious File Persistence: T1505: Server Software Component |
| Base64 utility launched to decode data from tmp directory - T1132.001 - Standard Encoding - macOS | Endpoint | macOS | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding |
| Launchctl utility launched to list Launch Agents - T1007 - System Service Discovery - macOS | Endpoint | macOS | Discovery: T1007: System Service Discovery |
| Process attempted to load a kernel module - T1547.006 - Kernel Modules and Extensions - Linux | Container | Linux | Persistence: T1547, T1547.006: Boot or Logon Autostart Execution, Kernel Modules and Extensions |
| New cluster role binding being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Fltmc.exe execution detected - T1518.001 - Security Software Discovery - Windows | Endpoint | Windows | Discovery: T1518, T1518.001: Software Discovery, Security Software Discovery |
| Wbadmin.exe execution detected with suspicious commands - T1490 - Inhibit System Recovery - Windows | Endpoint | Windows | Impact: T1490: Inhibit System Recovery |
| GTFOBIN_gdb_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Schtasks.exe launched to create new scheduled task on remote machine - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Process running with system integrity level from monitored applications - TA0004 - Privilege Escalation - Windows | Endpoint | Windows | Privilege Escalation: T1068, T1548, T1548.002: Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Bypass User Account Control |
| Process deleted user account - T1531 - Account Access Removal - macOS | Endpoint | macOS | Impact: T1531: Account Access Removal Persistence: T1098: Account Manipulation |
| Web server attempted to drop web shell on host - T1505.003 - Web Shell - Linux | Endpoint | Linux | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| WMI query launched for security software discovery - T1518.001 - Security Software Discovery - Windows | Endpoint | Windows | Discovery: T1518, T1518.001: Software Discovery, Security Software Discovery |
| Odbcconf.exe execution detected - T1218.008 - Odbcconf - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.008: System Binary Proxy Execution, Odbcconf |
| Process attempted to enable/disable macros for MS Documents - T1137 - Office Application Startup - Windows | Endpoint | Windows | Persistence: T1137: Office Application Startup |
| Kubectl deployment from container - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Powershell decompressing archived file - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Curl utility executed inside a pod - T1105 - Ingress Tool Transfer - Kubernetes | Kuberenetes | Kubernetes | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1610: Deploy Container Lateral Movement: T1570: Lateral Tool Transfer |
| Local User Login detected - T1078 - Valid Accounts - Windows | Endpoint | Windows | Defense Evasion: T1078, T1078.001, T1078.002, T1078.003: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts |
| Log4j exploit attempt detected - T1068 - Exploitation for Privilege Escalation - Cross Platform | Endpoint | All OS | Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| GTFOBIN_Bundler_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process encrypting data using Symmetric Cryptography - T1573.001 - Symmetric Cryptography - Windows | Endpoint | Windows | Command and Control: T1573, T1573.001: Encrypted Channel, Symmetric Cryptography Execution: T1106: Native API Impact: T1486: Data Encrypted for Impact |
| Process attempting to bypass TCC via Mounted APFS Snapshot Access - T1006 - Direct Volume Access - macOS | Endpoint | macOS | Defense Evasion: T1006: Direct Volume Access |
| Process attempted to get system information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| SMTP connection detected - T1071.003 - Mail Protocol - AIX | Endpoint | AIX | Command and Control: T1071, T1071.003, T1071.001: Application Layer Protocol, Mail Protocols, Web Protocols |
| Process attempting to transfer tools or other files - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| GTFOBIN_more_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Credential access with the help of LSA Provider detected - T1556.002 - Password Filter DLL - Windows | Endpoint | Windows | Credential Access: T1556, T1556.002: Modify Authentication Process, Password Filter DLL |
| GTFOBIN_pry_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process executed suspicious Library file - T1204.002 - Malicious File - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File |
| Process trying to setuid to become root - T1548 - Abuse Elevation Control Mechanism - Linux | Container | Linux | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| GTFOBIN_xargs_spawning local shell - T1059.004 - UNIX Shells - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Reg.exe execution detected for querying credentials in Registry - T1552.002 - Credentials in Registry - Windows | Endpoint | Windows | Credential Access: T1552, T1552.002: Unsecured Credentials, Credentials in Registry Discovery: T1012: Query Registry |
| Configmap being deleted from kubernetes cluster using external request - T1610 - Execution Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Inbound SSH connection detected - T1021.004 - SSH - macOS | Endpoint | macOS | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Cmd.exe executed to enumerate Browser Bookmarks - T1217 - Browser Information Discovery - Windows | Endpoint | Windows | Discovery: T1217: Browser Information Discovery |
| Exploitation for Privilege Escalation Detected & Blocked on Endpoint - T1068 - Exploitation for Privilege Escalation - Linux | Container | Linux | Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Mimikatz execution detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001, T1003.003, T1003.006, T1555, T1555.003, T1555.004, T1558, T1558.001, T1558.002, T1558.003: OS Credential Dumping, LSASS Memory, NTDS, DCSync, Credentials from Password Stores, Credentials from Web Browsers, Windows Credential Manager, Steal or Forge Kerberos Tickets, Golden Ticket, Silver Ticket, Kerberoasting Resource Development: T1588, T1588.001, T1588.002: Obtain Capabilities, Malware, Tool |
| Process attempted to access/write files in hidden file system - T1564.005 - Hidden File System - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.005: Hide Artifacts, Hidden File System |
| New secret being created using external request in kubernetes cluster - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process attempted to impair command history logging - T1562.003 - Impair Command History Logging - Linux | Container | Linux | Defense Evasion: T1562, T1562.003: Impair Defenses, Impair Command History Logging |
| Suspicious python process attempting to spawn reverse shell - T1059 - Python - AIX | Endpoint | AIX | Execution: T1059, T1059.004, T1059.006: Command and Scripting Interpreter, Unix Shell, Python |
| Ransomware execution detected - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Impact: T1486: Data Encrypted for Impact |
| Suspicious use of explorer.exe for directory listing detected - T1083 - File and Directory Discovery - Windows | Endpoint | Windows | Discovery: T1083: File and Directory Discovery |
| VBoxManage.exe execution detected to run virtual machine instance with headless command - T1564.006 - Run Virtual Instance - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.006: Hide Artifacts, Run Virtual Instance |
| WMI query executed - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Process made HTTPS Connection - T1573 - Encrypted Channel - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573, T1573.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel, Asymmetric Cryptography Exfiltration: T1041, T1567: Exfiltration Over C2 Channel, Exfiltration Over Web Service |
| Ntsd.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Sysdig Sdjagent running inside container - T1005 - Data from Local System - Linux | Container | Linux | Collection: T1005: Data from Local System |
| Zmap utility is running inside container - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Reconnaissance: T1595, T1595.001, T1595.002: Active Scanning, Scanning IP Blocks, Vulnerability Scanning |
| Process attempted to enable SMB admin shares - T1021.002 - Server Message Block - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Powershell execution with get-acl command - T1574.011 - Service Registry Permissions Weakness - Windows | Endpoint | Windows | Persistence: T1574, T1574.011: Hijack Execution Flow, Services Registry Permissions Weakness |
| Plutil utility executed to replace plist file - T1647 - Plist File Modification - macOS | Endpoint | macOS | Defense Evasion: T1647: Plist File Modification Persistence: T1543: Create or Modify System Process |
| Web server process created or modified RC scripts - T1037.004 - RC Scripts - Linux | Container | Linux | Execution: T1569: System Services Persistence: T1037, T1037.004: Boot or Logon Initialization Scripts, RC Scripts |
| Process using ifconfig, ip or arp to get the network configuration - T1016 - System Network Configuration Discovery - AIX | Endpoint | AIX | Discovery: T1016: System Network Configuration Discovery |
| Container process trying to find passwords or keys - T1552.004 - Private Keys - Linux | Container | Linux | Credential Access: T1552, T1552.004: Unsecured Credentials, Private Keys |
| Process connected to monero crypto mining pool (EBPF Based) - T1496 - Resource Hijacking - Linux | Container | Linux | Impact: T1496: Resource Hijacking |
| Cluster role being deleted using external request in kubernetes cluster - T1070 - Defense Evasion - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1070: Indicator Removal |
| Web server dropped script file - TA0002 - Execution - Windows | Endpoint | Windows | Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process Running From Programdata Folder - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process dropped Windows script file - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| Process attempting to enumerate WebCam Devices - T1125 - Collection - Windows | Endpoint | Windows | Collection: T1125: Video Capture Execution: T1106: Native API |
| Suspicious use of xwd for capture screenshot - T1113 - Screen Capture - Linux | Container | Linux | Collection: T1113: Screen Capture |
| Process using built in utility to dump data - T1003 - OS Credential Dumping - macOS | Endpoint | macOS | Credential Access: T1003: OS Credential Dumping |
| Microsoft.Workflow.Compiler.exe execution detected - T1127 - Trusted Developer Utilities - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Process dropped archive file on monitored locations - T1560 - Archive Collected Data - Linux | Container | Linux | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.002: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Library |
| Powershell using telegram for command and control - T1567 - Exfiltration Over Web Service - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Exfiltration: T1041, T1048, T1537, T1567: Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Transfer Data to Cloud Account, Exfiltration Over Web Service |
| Container Image built inside container - T1612 - Build Image on Host - Linux | Container | Linux | Defense Evasion: T1612: Build Image on Host |
| Suspicious execution of sqlite3 to get the history of downloaded files from internet - T1217 - Browser Information Discovery - macOS | Endpoint | macOS | Discovery: T1217: Browser Bookmark Discovery |
| Hostname.exe utility launched via CMD/PowerShell - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| PowerShell executing Invoke-Kerberoast script for Kerberoasting - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Schtasks.exe execution detected - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Process accessing stored credentials from the machine - T1555.003 - Credentials from Web Browsers - Windows | Endpoint | Windows | Credential Access: T1555, T1555.003: Credentials from Password Stores, Credentials from Web Browsers |
| Reverse Shell Detected on Endpoint - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Msxsl.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Print.exe execution detected - T1564.004 - NTFS File Attributes - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.004: Hide Artifacts, NTFS File Attributes |
| Ftpget dropped executable files in monitored directories - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1204, T1204.002: User Execution, Malicious File |
| PowerShell launched to access Cloud IMDS - T1552.005 - Cloud Instance Metadata API - Windows | Endpoint | Windows | Credential Access: T1552, T1552.005: Unsecured Credentials, Cloud Instance Metadata API Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| EQNEDT32.exe execution detected - T1203 - Exploitation for Client Execution - Windows | Endpoint | Windows | Execution: T1203: Exploitation for Client Execution |
| Unsigned Process attempted to access Login Keychain - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| Services entry modification/addition Detected from monitored application - T1543.003 - Windows Service - Windows | Endpoint | Windows | Persistence: T1543, T1543.003, T1574, T1574.011: Create or Modify System Process, Windows Service, Hijack Execution Flow, Services Registry Permissions Weakness |
| PowerShell using ICMP protocol - T1048 - Exfiltration Over Alternative Protocol - Windows | Endpoint | Windows | Exfiltration: T1020, T1048, T1567: Automated Exfiltration, Exfiltration Over Alternative Protocol, Exfiltration Over Web Service |
| Base64 utility launched to decode data from tmp directory - T1132.001 - Standard Encoding - Linux | Container | Linux | Command and Control: T1001, T1132, T1132.001: Data Obfuscation, Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Process attempted to update environment variable - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempting to masquerade filename with space after filename - T1036.006 - Space After Filename - Linux | Container | Linux | Defense Evasion: T1036, T1036.006: Masquerading, Space after Filename |
| Process accessed Local Timezone Configuration File - T1614 - System Location Discovery - Linux | Container | Linux | Discovery: T1614: System Location Discovery |
| Process created plist file in LaunchAgents - T1543.001 - Launch Agent - macOS | Endpoint | macOS | Persistence: T1543, T1543.001: Create or Modify System Process, Launch Agent |
| Powershell modifying account information - T1098 - Account Manipulation - Windows | Endpoint | Windows | Persistence: T1098: Account Manipulation |
| Scripting process attempted reverse shell execution using pipes - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| FTP utility launched to download file from internet - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Ntdsutil.exe execution detected - T1003.003 - NTDS - Windows | Endpoint | Windows | Credential Access: T1003, T1003.003: OS Credential Dumping, NTDS |
| Detected use of curl utility to download file from internet - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| Container process dropped file in binary directory - T1036.004 - Masquerade Task or Service - Linux | Container | Linux | Defense Evasion: T1036, T1036.004: Masquerading, Masquerade Task or Service |
| Process disabled registry editor key - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Mountvol.exe execution detected to mount volumes - T1006 - Direct Volume Access - Windows | Endpoint | Windows | Defense Evasion: T1006: Direct Volume Access |
| InstallUtil.exe execution detected - T1218.004 - InstallUtil - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.004: System Binary Proxy Execution, InstallUtil |
| Curl or Wget dropped executable or script files from internet - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Execution: T1204: User Execution |
| Process attempted to enumerate network configuration - T1016 - System Network Configuration Discovery - Linux | Container | Linux | Discovery: T1016, T1049: System Network Configuration Discovery, System Network Connections Discovery Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Crackmap execution detected for lateral movement - T1550 - Use Alternate Authentication Material - Windows | Endpoint | Windows | Defense Evasion: T1550, T1550.002, T1550.003: Use Alternate Authentication Material, Pass the Hash, Pass the Ticket |
| PowerShell launched to gain persistence via WMI Event Subscription - T1546.003 - Windows Management Instrumentation Event Subscription - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.003: Event Triggered Execution, Windows Management Instrumentation Event Subscription |
| Mimikatz SID-History Injection attack detected - T1134.005 - SID-History Injection - Windows | Endpoint | Windows | Defense Evasion: T1134, T1134.005: Access Token Manipulation, SID-History Injection Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| GTFOBIN_expect_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Database server process attempted to access process memory/memory map - T1003.007 - Proc Filesystem - Linux | Container | Linux | Credential Access: T1003, T1003.007: OS Credential Dumping, Proc Filesystem Persistence: T1505: Server Software Component |
| Port tunneling detected - T1021.004 - Remote services - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| IP Scan Attack Detected on Endpoint - T1595.001 - Scanning IP Blocks - macOS | Endpoint | macOS | Discovery: T1046: Network Service Discovery Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Monitored application executed via Link File - TA0002 - Execution - Windows | Endpoint | Windows | |
| Modify SSP configuration with the help of LSA Provider detected - T1547.005 - Security Support Provider - Windows | Endpoint | Windows | Persistence: T1547, T1547.005: Boot or Logon Autostart Execution, Security Support Provider |
| Cmd.exe used to launch Chrome to download payload - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Javaw.exe execution detected from monitored applications - TA0002 - Execution - Windows | Endpoint | Windows | |
| Wevtutil.exe execution detected - T1070.001 - Clear Windows Event Logs - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.001: Indicator Removal on Host, Clear Windows Event Logs |
| Container runtime utility launched inside container - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| PowerShell spawns suspicious process - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Unsigned Process dropped portable executable file in AppData folder - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Net.exe executed via monitored applications to create user - T1136.001 - Local Account - Windows | Endpoint | Windows | Persistence: T1136, T1136.001: Create Account, Local Account |
| PowerShell execution detected for DCSync - T1003.006 - DCSync - Windows | Endpoint | Windows | Credential Access: T1003, T1003.006: OS Credential Dumping, DCSync Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Web server process trying to modify OS credentials - T1003.008 - /etc/passwd and /etc/shadow - Linux | Container | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Winlogon Shell Key Persistence With PowerShell - T1547.004 - Winlogon Helper DLL - Windows | Endpoint | Windows | Persistence: T1547, T1547.004: Boot or Logon Autostart Execution, Winlogon Helper DLL |
| Utility dropped inside container to interact with container runtime - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| Attrib.exe execution detected - T1564.001 - Hidden Files and Directories - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Rundll32.exe executed DLL using Named Pipe - T1218 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.011: System Binary Proxy Execution, Rundll32 Execution: T1559: Inter-Process Communication |
| Fsi.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Xattr utility launched to remove File Quarantine Attribute - T1553.001 - Gatekeeper Bypass - macOS | Endpoint | macOS | Defense Evasion: T1553, T1553.001: Subvert Trust Controls, Gatekeeper Bypass |
| Process attempted to access shell history - T1552.003 - Bash History - Linux | Container | Linux | Credential Access: T1552, T1552.003: Unsecured Credentials, Bash History |
| SSH Port tunneling detected - T1572 - Protocol Tunneling - Linux | Container | Linux | Command and Control: T1572: Protocol Tunneling Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Process accessed or modified /etc/passwd file - T1003.008 - /etc/passwd and /etc/shadow - macOS | Endpoint | macOS | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Web server spawned local shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Removable media device connection detected - T1052.001 - Exfiltration over USB - Windows | Endpoint | Windows | Exfiltration: T1052, T1052.001: Exfiltration Over Physical Medium, Exfiltration over USB |
| Download or file transfer utility is running inside container - T1072 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1072: Software Deployment Tools Lateral Movement: T1570: Lateral Tool Transfer |
| Process attempting to read local files - T1005 - Data from Local System - AIX | Endpoint | AIX | Collection: T1005: Data from Local System |
| Process trying to modify SUID or SGID bits - T1548.001 - Setuid and Setgid - Linux | Container | Linux | Privilege Escalation: T1548, T1548.001: Abuse Elevation Control Mechanism, Setuid and Setgid |
| New pods with sensitive host mount being created using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Netcat attempted remote code execution - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempting to clear windows events logs - T1070.001 - Clear Windows Event Logs - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.001, T1562, T1562.002, T1562.006: Indicator Removal, Clear Windows Event Logs, Impair Defenses, Disable Windows Event Logging, Indicator Blocking Execution: T1106: Native API |
| Process attempted to modify com.jamfsoftware.jamf.plist - T1036.004 - Masquerade Task or Service - macOS | Endpoint | macOS | Defense Evasion: T1036, T1036.004: Masquerading, Masquerade Task or Service Persistence: T1543: Create or Modify System Process |
| Deployment being deleted from kubernetes cluster using external request - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Ruby process attempted to spawn reverse shell - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempted to enumerate files in system - T1083 - File and Directory Discovery - Linux | Container | Linux | Discovery: T1083: File and Directory Discovery |
| Credential being brute forced - T1110 - Brute Force - AIX | Endpoint | AIX | Credential Access: T1110, T1110.001, T1110.002, T1110.003: Brute Force, Password Guessing, Password Cracking, Password Spraying |
| GTFOBIN_sftp_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_rpm_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Powershell using Mimikatz to dump credentials - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Process modified global bash profile - T1546.004 - Unix Shell Configuration Modification - Linux | Endpoint | Linux | Defense Evasion: T1480, T1480.001: Execution Guardrails, Environmental Keying Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| Productivity Application dropped executable or script file - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| FSUtil.exe execution detected - T1070 - Indicator Removal on Host - Windows | Endpoint | Windows | Defense Evasion: T1070: Indicator Removal on Host |
| Mshta.exe initiating outbound connection - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Port scanning utility executed - T1046 - Network Service Discovery - Linux | Endpoint | Linux | Discovery: T1046: Network Service Discovery Reconnaissance: T1595: Active Scanning |
| Ldap utility launched to create domain user account - T1136.002 - Domain Account - Linux | Endpoint | Linux | Persistence: T1136, T1136.002: Create Account, Domain Account |
| PowerShell deletes windows system logs - T1070 - Indicator Removal on Host - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.001: Indicator Removal on Host, Clear Windows Event Logs |
| Powershell using System.Xml.XmlDocument to likely download data - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to inject code into another process - T1055.008 - Ptrace System Calls - Linux | Container | Linux | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| Expand.exe execution detected - T1544 - Remote File Copy - Windows | Endpoint | Windows | Command and Control: T1544: Ingress Tool Transfer |
| Mimikatz Kerberos ticket attack detected - T1550.003 - Pass the Ticket - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Defense Evasion: T1550, T1550.003: Use Alternate Authentication Material, Pass the Ticket Resource Development: T1588, T1588.001, T1588.002: Obtain Capabilities, Malware, Tool |
| Process dropped executable file in system path - T1036.005 - Match Legitimate Name or Location - AIX | Endpoint | AIX | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location |
| Bash process with script as command line launched - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process trying to access /proc directory - T1003.007 - Credential Access - Linux | Container | Linux | Credential Access: T1003, T1003.007: OS Credential Dumping, Proc Filesystem |
| Process executed with ld preload configuration - T1574.006 - Dynamic Linker Hijacking - Linux | Endpoint | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Certutil.exe execution detected to download and decode data - T1140 - Deobfuscate/Decode Files or Information - Windows | Endpoint | Windows | Command and Control: T1001, T1132, T1132.001: Data Obfuscation, Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Net.exe execution detected for adding new domain user from monitored applications - T1136.002 - Domain Account - Windows | Endpoint | Windows | Persistence: T1136, T1136.002, T1136.001: Create Account, Domain Account, Local Account |
| Replace.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Net.exe executed for network share discovery from monitored applications - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1135: Network Share Discovery Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Web server dropped executable files - T1204 - User Execution - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File |
| Process disabled task manager registry key - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112, T1562, T1562.001: Modify Registry, Impair Defenses, Disable or Modify Tools |
| Suspicious scripting interpreter spawned security_authtrampoline - T1548 - Abuse Elevation Control Mechanism - macOS | Endpoint | macOS | Execution: T1059: Command and Scripting Interpreter Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Plink.exe execution detected from cmd.exe - T1572 - Protocol Tunneling - Windows | Endpoint | Windows | Command and Control: T1572: Protocol Tunneling |
| Process accessed Kubernetes credentials/configuration - T1552.001 - Credentials in Files - Windows | Endpoint | Windows | Credential Access: T1552, T1552.001, T1555: Unsecured Credentials, Credentials In Files, Credentials from Password Stores |
| Data deletion using shred detected - T1485 - Data Destruction - AIX | Endpoint | AIX | Impact: T1485: Data Destruction Defense Evasion: T1027.005, T1070.004: Indicator Removal from Tools, File Deletion |
| Process modified /etc/sudoers file - T1548.003 - Sudo and Sudo Caching - macOS | Endpoint | macOS | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Database server trying to get system information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| Process or script trying to trying to change subsystem definitions - T1569 - System Services - AIX | Endpoint | AIX | Execution: T1569: System Services |
| GTFOBIN_ed_spawning local shell - T1059.004 - UNIX shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Ransomware execution detected - T1486 - Data Encrypted for Impact - AIX | Endpoint | AIX | Impact: T1486: Data Encrypted for Impact |
| WpnUserService service hijack execution detected - T1546.015 - Component Object Model Hijacking - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.015: Event Triggered Execution, Component Object Model Hijacking |
| Reverse Shell Detected & Blocked on Endpoint - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Pods from unwanted registry being created using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| WMI query launched for network configuration discovery - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Container process modified file in binary directory - T1036.005 - Match Legitimate Name or Location - Linux | Container | Linux | Defense Evasion: T1036, T1036.004, T1036.005: Masquerading, Masquerade Task or Service, Match Legitimate Name or Location |
| GTFOBIN_socat_acting as remote access software - T1219 - Remote Access Software - AIX | Endpoint | AIX | Command and Control: T1219: Remote Access Software |
| Certutil.exe execution detected to install/modify certificates - T1553.004 - Install Root Certificate - Windows | Endpoint | Windows | Defense Evasion: T1140, T1553, T1553.004, T1027.005: Deobfuscate/Decode Files or Information, Subvert Trust Controls, Install Root Certificate, Indicator Removal from Tools |
| Process manipulating SSH Config/SSH accounts - T1098.004 - Persistence - Linux | Container | Linux | Lateral Movement: T1563, T1563.001: Remote Service Session Hijacking, SSH Hijacking Persistence: T1098, T1098.004: Account Manipulation, SSH Authorized Keys |
| Process attempted to change login shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| UAC bypass detected by Mocking Trusted Directories - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Defense Evasion: T1036: Masquerading Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Container process attempting to load kernel module - T1611 - Escape to Host - Linux | Container | Linux | Defense Evasion: T1014: Rootkit Privilege Escalation: T1611: Escape to Host |
| Icacls.exe execution detected - T1222.001 - Windows File and Directory Permissions Modification - Windows | Endpoint | Windows | Defense Evasion: T1222, T1222.001: File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
| Fileless Malware Attack Detected on Endpoint - T1620 - Reflective Code Loading - Linux | Container | Linux | Defense Evasion: T1055, T1620: Process Injection, Reflective Code Loading |
| Unsigned process executed from monitored locations - T1036 - Masquerading - macOS | Endpoint | macOS | Defense Evasion: T1036: Masquerading |
| GTFOBIN_rake_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to start service - T1569.002 - Service Execution - Windows | Endpoint | Windows | Execution: T1106, T1569, T1569.002: Native API, System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| GTFOBIN_zip_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Sysdig running inside container - T1005 - Data from Local System - Linux | Container | Linux | Collection: T1005: Data from Local System Discovery: T1057: Process Discovery |
| Regini.exe execution detected - T1564.004 - NTFS File Attributes - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.004: Hide Artifacts, NTFS File Attributes |
| Process dropped shortcuts file - TA0002 - Execution - Windows | Endpoint | Windows | Execution: T1204, T1204.002: User Execution, Malicious File Persistence: T1547, T1547.009: Boot or Logon Autostart Execution, Shortcut Modification |
| Nltest.exe execution detected : CMD - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| SCP utility launched to bypass privacy control to copy files locally - T1548 - Abuse Elevation Control Mechanism - macOS | Endpoint | macOS | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Process modified rc.common file for persistence - T1037.004 - RC Scripts - macOS | Endpoint | macOS | Persistence: T1037, T1037.004: Boot or Logon Initialization Scripts, RC Scripts |
| Use of PowerShell to compress data detected - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.002, T1560.003: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Library, Archive via Custom Method |
| Rclone execution detected for exfiltration - T1020 - Automated Exfiltration - macOS | Endpoint | macOS | Exfiltration: T1020, T1029, T1041, T1048: Automated Exfiltration, Scheduled Transfer, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol |
| Script Interpreter execution detected with script file in command line - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059: Command and Scripting Interpreter |
| SSH server running inside container - T1021.004 - SSH - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Detected use of ftpget to download file from internet - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Database server spawning lsof or netstat to get system information - T1049 - System Network Connections Discovery - AIX | Endpoint | AIX | Discovery: T1049: System Network Connections Discovery |
| Process attempted to discover active local network connections - T1049 - System Network Connections Discovery - Windows | Endpoint | Windows | Discovery: T1016, T1016.001, T1018, T1046, T1049: System Network Configuration Discovery, Internet Connection Discovery, Remote System Discovery, Network Service Discovery, System Network Connections Discovery |
| Process attempting to find user's group - T1069 - Permission Groups Discovery - Windows | Endpoint | Windows | Discovery: T1069, T1069.001, T1069.002: Permission Groups Discovery, Local Groups, Domain Groups Execution: T1106: Native API |
| Utility launched to mount or unmount network devices - T1211 - Exploitation for Defense Evasion - Linux | Container | Linux | Defense Evasion: T1211: Exploitation for Defense Evasion |
| PowerShell executed with enable-BitLocker cmdlet to encrypt System Drive - T1486 - Data Encrypted for Impact - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Impact: T1486: Data Encrypted for Impact Credential Access: T1552.006, T1552: Group Policy Preferences, Unsecured Credentials |
| Database server trying to get users information - T1033 - System Owner/User Discovery - AIX | Endpoint | AIX | Discovery: T1033: System Owner/User Discovery |
| Container initialised with host IPC enabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| GTFOBIN_sed_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Remote domain login inside host - T1078.002 - Domain Accounts - Linux | Container | Linux | Defense Evasion: T1078, T1078.001, T1078.002: Valid Accounts, Default Accounts, Domain Accounts |
| ComputerDefaults.exe execution detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Perl base64 Module launched to decode or encode data - T1132.001 - Standard Encoding - Linux | Container | Linux | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1140: Deobfuscate/Decode Files or Information Execution: T1059.006: Python |
| Schtasks.exe execution detected with monitored extension - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| FTP utility dropped executable file - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| PowerShell using WMI commands/queries system information discovery - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1082: System Information Discovery |
| Suspicious usage of curl detected to download plist file from internet - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1647: Plist File Modification Persistence: T1543: Create or Modify System Process |
| Mimikatz pass the hash attack detected - T1550.002 - Pass the Hash - Windows | Endpoint | Windows | Defense Evasion: T1550, T1550.002: Use Alternate Authentication Material, Pass the Hash Resource Development: T1588, T1588.001, T1588.002: Obtain Capabilities, Malware, Tool |
| Registry value updated with scripting engines - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Execution: T1059: Command and Scripting Interpreter |
| PowerShell executing PowerUp script for Privilege Escalation - T1543.003 - Windows Service - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Ransomware Detected & Blocked on Endpoint - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Impact: T1486: Data Encrypted for Impact |
| Rsync transferred files over network - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1021, T1570: Remote Services, Lateral Tool Transfer |
| Process or script acting as remote access software - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Jsc.exe execution detected - T1127 - Trusted Developer Utilities Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Curl attempting shell command inside remote kubelet node - T1609 - Container Administration Command - Linux | Container | Linux | Execution: T1609: Container Administration Command |
| Killall utility launched to kill running process - T1562.001 - Disable or Modify Tools - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Java initiating out bound connection on non-standard ports - T1571 - Non-Standard Port | Endpoint | Windows | Command and Control: T1571: Non-Standard Port |
| Networksetup utility launched to list networks - T1049 - System Network Connections Discovery - macOS | Endpoint | macOS | Discovery: T1016, T1016.001, T1049: System Network Configuration Discovery, Internet Connection Discovery, System Network Connections Discovery |
| Pgrep utility executed to enumerate running processes - T1057 - Process Discovery - macOS | Endpoint | macOS | Discovery: T1057: Process Discovery |
| Process attempted to create service - T1543.003 - Windows Service - Windows | Endpoint | Windows | Defense Evasion: T1036, T1036.004, T1112: Masquerading, Masquerade Task or Service, Modify Registry Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543, T1543.003, T1574, T1574.011: Create or Modify System Process, Windows Service, Hijack Execution Flow, Services Registry Permissions Weakness |
| Wsl.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Atbroker.exe execution detected - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| Database server launched suspicious python script - T1059.006 - Python - Linux | Container | Linux | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python Persistence: T1505: Server Software Component |
| Process executed from hidden directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Detected use of lftp to download file from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Monitored utility executed to get system information - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| Container process trying to access or modify OS credentials - T1003.008 - /etc/passwd and /etc/shadow - Linux | Container | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087: Account Discovery |
| Process or script trying to drop binaries in system path - T1105 - Ingress Tool Transfer - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1204, T1204.002: User Execution, Malicious File |
| Scripting Process (python etc.) using screencapture to take screenshot - T1113 - Screen Capture - macOS | Endpoint | macOS | Collection: T1113: Screen Capture Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Curl utility executed to upload file - T1048 - Exfiltration Over Alternative Protocol - Linux | Container | Linux | Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| PowerShell or its child process dropped script file - T1059.001 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Scripting process dropped Image file - T1113 - Screen Capture - macOS | Endpoint | macOS | Collection: T1113: Screen Capture |
| Compromised Account Access Detected on Endpoint - T1078 - Valid Accounts - Linux | Container | Linux | Defense Evasion: T1078: Valid Accounts |
| PowerShell execution with New-Service/Start-Service command - T1543.003 - New Service - Windows | Endpoint | Windows | Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Process attempted to access the user credentials - T1555 - Credentials from Password Stores - macOS | Endpoint | macOS | Credential Access: T1552, T1552.001, T1555: Unsecured Credentials, Credentials In Files, Credentials from Password Stores |
| Process attempting to enumerate Application Windows - T1010 - Application Window Discovery - Windows | Endpoint | Windows | Discovery: T1010: Application Window Discovery Execution: T1106: Native API |
| Import utility launched to capture screenshot - T1113 - Screen Capture - Linux | Container | Linux | Collection: T1113: Screen Capture |
| PowerShell.exe execution detected - T1059.001 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| GTFOBIN_ncftp_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process or script trying to encrypt/decrypt data - T1560.001 - Archive via Utility - AIX | Endpoint | AIX | Collection: T1560, T1560.001, T1074: Archive Collected Data, Archive via Utility, Data Staged |
| Uuidgen utility executed to create a unique identifier for the system - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1082: System Information Discovery |
| Role being deleted using external request in kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| MS Document Crashed and Spawns Dwwin.exe - TA0002 - Execution - Windows | Endpoint | Windows | |
| Suspicious script detected to patch System DLLs - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| NTLM Authentication detected - T1550.002 - Pass the Hash - Windows | Endpoint | Windows | Defense Evasion: T1550, T1550.002: Use Alternate Authentication Material, Pass the Hash |
| Qwinsta.exe executed via CMD - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Process accessed git credentials - T1552.001 - Credentials In Files - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Process creating EarthWorm tunnel - T1572 - Protocol Tunneling - Linux | Container | Linux | Command and Control: T1572: Protocol Tunneling |
| Process made SSH connection to remote system - T1021.004 - SSH - AIX | Endpoint | AIX | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Suspicious execution of osascript detected for Input Capture - T1056 - Input Capture - macOS | Endpoint | macOS | Collection: T1056: Input Capture Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| Windump.exe execution detected - T1040 - Network Sniffing - Windows | Endpoint | Windows | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| Rpcping.exe execution detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Process dropped windows executable file in monitored directories - T1570 - Lateral Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer Collection: T1119: Automated Collection |
| Appvlp.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Utility launched to add user in privileged group - T1098 - Account Manipulation - Linux | Container | Linux | Persistence: T1098: Account Manipulation |
| Utility executed to exfiltrate file from the container - T1048 - Exfiltration Over Alternative Protocol - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Clip.exe execution detected for coping data - T1115 - Clipboard Data - Windows | Endpoint | Windows | Collection: T1115: Clipboard Data |
| Process masqueraded system service file name - T1036.004 - Masquerade Task or Service - AIX | Endpoint | AIX | Defense Evasion: T1036, T1036.004: Masquerading, Masquerade Task or Service |
| Process attempted to access /etc/passwd or /etc/group - T1003 - OS Credential Dumping - macOS | Endpoint | macOS | Credential Access: T1003, T1555: OS Credential Dumping, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| LVM utilities being run inside container - T1562 - Impair Defense - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process modifying Apache web server configuration - T1584.006 - Web Services - AIX | Endpoint | AIX | Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| GTFOBIN_taskset_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process dropped script file on monitored locations - T1204.002 - Malicious File - AIX | Endpoint | AIX | Execution: T1204, T1204.002: User Execution, Malicious File Command and Control: T1105: Ingress Tool Transfer |
| Apache_spawning local shell (Potential Reverse Shell Detected) - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| GTFOBIN_lua_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_node_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to create tunnel device - T1572 - Protocol Tunneling - Linux | Container | Linux | Command and Control: T1572: Protocol Tunneling |
| Process executed by user - T1204 - User Execution - Windows | Endpoint | Windows | Execution: T1204, T1204.001, T1204.002: User Execution, Malicious Link, Malicious File |
| Powershell execution detected using SQL commands - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| GTFOBIN_jrunscript_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Tcpdump launched to capture network traffic - T1040 - Network Sniffing - macOS | Endpoint | macOS | Credential Access: T1040: Network Sniffing |
| Crontab utility launched to add entries in cron jobs - T1053.003 - Scheduled Task/Job: Cron - Linux | Container | Linux | Execution: T1053, T1053.003, T1053.005: Scheduled Task/Job, Cron, Scheduled Task |
| Process using Uptycs Sensor Command Line Mode to extract system information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| PowerShell made network connection - T1071 - Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1071: Application Layer Protocol |
| New pods being created from disallowed images using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| New pods being created in kube using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Powershell disables Microsoft Office Security Features - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Container process escaped to host - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| Utility launched to add user in privileged group - T1098 - Account Manipulation - AIX | Endpoint | AIX | Persistence: T1098: Account Manipulation |
| Eventvwr.exe execution detected - T1548.002 - Bypass User Access Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Process attempted to enumerate system services - T1007 - System Service Discovery - Linux | Container | Linux | Discovery: T1007, T1057: System Service Discovery, Process Discovery |
| Sudo local privilege escalation: CVE-2021-3156 - T1548.003 - Sudo and Sudo Caching - AIX | Endpoint | AIX | Privilege Escalation: T1068, T1548, T1548.003: Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Dir command executed via monitored application - T1083 - File and Directory Discovery - Windows | Endpoint | Windows | Discovery: T1083: File and Directory Discovery |
| Process unmapping Remote process image tree - T1055.012 - Process Hollowing - Windows | Endpoint | Windows | Defense Evasion: T1055, T1055.012: Process Injection, Process Hollowing |
| Kernel Module attempted to hook syscall - T1014 - Rootkit - Linux | Container | Linux | Defense Evasion: T1014: Rootkit |
| Detected use of ftpget to download file from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Scripting process created plist file - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543, T1543.001, T1543.004: Create or Modify System Process, Launch Agent, Launch Daemon |
| Wmic.exe execution detected - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Process trying to access unattend.xml - T1552.001 - Credentials in Files - Windows | Endpoint | Windows | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Process attempted to list packages - T1518 - Software Discovery - Linux | Container | Linux | Discovery: T1518, T1518.001: Software Discovery, Security Software Discovery |
| Powershell executing PowerCat for executing remote commands - T1588.002 - Tool - Windows | Endpoint | Windows | Credential Access: T1558: Steal or Forge Kerberos Tickets Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Remote process attempting to enumerate Domain Trust Relationships - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1482: Domain Trust Discovery |
| Process added Boot or Logon Initialization Scripts - T1037.005 - Startup Items - macOS | Endpoint | macOS | Persistence: T1037, T1037.005: Boot or Logon Initialization Scripts, Startup Items |
| Unsigned process executed from hidden directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Process attempted to rename system binaries - T1036 - Masquerading - Linux | Container | Linux | Defense Evasion: T1036: Masquerading |
| Security_authtrampoline utility executed - T1548 - Abuse Elevation Control Mechanism - macOS | Endpoint | macOS | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Netsh.exe execution detected from monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| GTFOBIN_script_utility_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| PowerShell execution detected for disabling Windows Services - T1489 - Service Stop - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Impact: T1489: Service Stop |
| Process or script attempting to get account information - T1069 - Permission Groups Discovery - Linux | Container | Linux | Discovery: T1069: Permission Groups Discovery Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Useradd utility launched to create system user account - T1136 - Create Account - Linux | Container | Linux | Persistence: T1136: Create Account |
| Addinutil.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Bitsadmin.exe execution detected - T1197 - BITS Jobs - Windows | Endpoint | Windows | Defense Evasion: T1197: BITS Jobs |
| Process or script trying to hijack upgrade execution - T1574 - Hijack Execution Flow - Linux | Endpoint | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Ngrok.exe executed for protocol tunneling - T1572 - Protocol Tunneling - Windows | Endpoint | Windows | Command and Control: T1572: Protocol Tunneling |
| Process attempted to encrypt data - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Collection: T1560, T1074, T1560.001: Archive Collected Data, Data Staged, Archive via Utility Impact: T1486: Data Encrypted for Impact |
| Tracert.exe execution detected via monitored application - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1016, T1018: System Network Configuration Discovery, Remote System Discovery |
| Process attempting to make LDAP connection - T1087.002 - Domain Account - AIX | Endpoint | AIX | Discovery: T1069, T1069.002, T1087, T1087.002, T1482: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account, Domain Trust Discovery |
| Process trying to enable remote login - T1021.004 - SSH - macOS | Endpoint | macOS | Lateral Movement: T1021, T1021.004: Remote Services, SSH Discovery: T1018: Remote System Discovery |
| Wmic.exe execution detected with suspicious commands - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1082: System Information Discovery |
| Kubernetes proxy exposed - T1090 - Proxy - Linux | Container | Linux | Command and Control: T1090, T1090.001, T1090.002: Proxy, Internal Proxy, External Proxy |
| Msbuild.exe execution detected - T1127 - Trusted Developer Utilities - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Remote process dropped script file in monitored directories - T1105 - Ingress Tool Transfer - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1059: Command and Scripting Interpreter Lateral Movement: T1021, T1021.004, T1570: Remote Services, SSH, Lateral Tool Transfer |
| Process attempting execution with python - T1059.006 - Python - AIX | Endpoint | AIX | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Process dropped executable file in /etc directory - T1204.002 - Malicious File - macOS | Endpoint | macOS | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File Command and Control: T1105: Ingress Tool Transfer |
| Vaultcmd.exe execution detected for saved credentials - T1555.004 - Windows Credential Manager - Windows | Endpoint | Windows | Credential Access: T1555, T1555.004: Credentials from Password Stores, Windows Credential Manager |
| PowerShell attempted to collect email account information - T1087.003 - Email Account - Windows | Endpoint | Windows | Collection: T1114, T1114.001, T1114.002: Email Collection, Local Email Collection, Remote Email Collection Discovery: T1087, T1087.003: Account Discovery, Email Account |
| PowerShell executing Invoke-ShareFinder script for network share discovery - T1135 - Network Share Discovery - Windows | Endpoint | Windows | Discovery: T1135: Network Share Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares Resource Development: T1588.002, T1588: Tool, Obtain Capabilities |
| Taskkill.exe execution detected - T1489 - Service Stop - Windows | Endpoint | Windows | Impact: T1489: Service Stop |
| Process trying to modify sudo configuration - T1548.003 - Privilege escalation - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process accessing SAM file database - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping |
| Cmd.exe execution detected - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059, T1059.003: Command and Scripting Interpreter, Windows Command Shell |
| Detected use of cmd.exe to copy files to network share - T1059.003 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.003: Command and Scripting Interpreter, Windows Command Shell |
| Process executed via vim with sudo privileges - T1548 - Abuse Elevation Control Mechanism - Linux | Container | Linux | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Security utility executed to access Keychains - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| PowerShell Invoking WmiMethod for executing WMI commands - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047, T1059, T1059.001: Windows Management Instrumentation, Command and Scripting Interpreter, PowerShell |
| System service launched from suspicious location - T1036.005 - Match Legitimate Name or Location - Linux | Container | Linux | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location |
| WMI query launched for shadow command - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Hypervisor starting VM in headless mode - T1564.006 - Run Virtual Instance - Linux | Container | Linux | Defense Evasion: T1564, T1564.006: Hide Artifacts, Run Virtual Instance |
| PowerShell.exe execution detected through dcom/rpc - T1559.001 - Component Object Model - Windows | Endpoint | Windows | Execution: T1559, T1559.001: Inter-Process Communication, Component Object Model Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| Security utility executed to dump Keychain - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| GTFOBIN_perl_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| PS utility launched to get running processes - T1057 - Process Discovery - macOS | Endpoint | macOS | Discovery: T1057: Process Discovery |
| Java process spawning local shell - T1059.004 - Unix Shell - AIX | Container | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| EDR Silencer tool command lines detected to block EDR Security Tools - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process accessed VNC password file - T1552 - Unsecured Credentials - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files Lateral Movement: T1021, T1021.005: Remote Services, VNC |
| Process attempted to spawn process with shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempted to disable or modify audit system - T1562.012 - Disable or Modify Linux Audit System - Linux | Container | Linux | Defense Evasion: T1562, T1562.001, T1562.012: Impair Defenses, Disable or Modify Tools, Disable or Modify Linux Audit System |
| New service being created using external request in kubernetes cluster - T1610 - Execution Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Split utility execution detected - T1218 - System Binary Proxy Execution - Linux | Container | Linux | Defense Evasion: T1218: System Binary Proxy Execution Execution: T1059: Command and Scripting Interpreter |
| Process attempted to communicate via SMTP protocol - T1071.003 - Mail Protocol - macOS | Endpoint | macOS | Command and Control: T1071, T1071.003: Application Layer Protocol, Mail Protocols |
| Smbutil utility executed for accessing network shares - T1135 - Network Share Discovery - macOS | Endpoint | macOS | Discovery: T1135: Network Share Discovery |
| Incoming request for attaching to container process using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Process created plist file in LaunchDaemons - T1543.004 - Launch Daemon - macOS | Endpoint | macOS | Persistence: T1543, T1543.004: Create or Modify System Process, Launch Daemon |
| Web server using who or users utility to get users information - T1033 - Discovery - Linux | Container | Linux | Discovery: T1033: System Owner/User Discovery |
| Process attempting to enumerate RDP Sessions - T1563 - Remote Service Session Hijacking - Windows | Endpoint | Windows | Execution: T1106: Native API Lateral Movement: T1021, T1021.001, T1563, T1563.002: Remote Services, Remote Desktop Protocol, Remote Service Session Hijacking, RDP Hijacking |
| Chmod used with sudo to change file permissions - T1222.002 - File and Directory Permissions Modification: Linux and Mac - macOS | Endpoint | macOS | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Reverse shell attempted to connect public IP address - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process accessing Domain Cached Credentials from registry - T1003.005 - Cached Domain Credentials - Windows | Endpoint | Windows | Credential Access: T1003, T1003.005: OS Credential Dumping, Cached Domain Credentials |
| Powershell executing Mimikatz commands - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Pip process installed Python Package - T1059.006 - Python - AIX | Endpoint | AIX | Execution: T1059, T1059.006, T1072: Command and Scripting Interpreter, Python, Software Deployment Tools |
| Ipconfig.exe execution detected : CMD - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| GTFOBIN_start_stop_daemon_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Powershell execution detected for deleting shadow copies - T1490 - Inhibit System Recovery - Windows | Endpoint | Windows | Impact: T1490: Inhibit System Recovery Defense Evasion: T1562: Impair Defenses |
| Process created mach-O file - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543: Create or Modify System Process |
| Process connected to monero crypto mining pool - T1496 - Resource Hijacking - Cross Platform | Endpoint | All OS | Impact: T1496: Resource Hijacking |
| DCSync/DCShadow Attack detected - T1003.006 - DCSync - Windows | Endpoint | Windows | Credential Access: T1003, T1003.006: OS Credential Dumping, DCSync Defense Evasion: T1207: Rogue Domain Controller Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| Process listening for requests on port 80 - T1102.002 - Bidirectional Communication - macOS | Endpoint | macOS | Command and Control: T1102, T1102.002: Web Service, Bidirectional Communication |
| Sdclt.exe execution detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Scheduled Task Created - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Esentutl.exe execution detected - T1544 - Remote File Copy - Windows | Endpoint | Windows | Command and Control: T1544: Ingress Tool Transfer |
| GTFOBIN_rake_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to clear command history for PowerShell - T1070.003 - Clear Command History - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.003: Indicator Removal on Host, Clear Command History Collection: T1560: Archive Collected Data |
| Cmd.exe made network connection - T1071 - Application Layer Protocol - Windows | Endpoint | Windows | Command and Control: T1071: Application Layer Protocol |
| Suspicious process attempted to access credential files - T1552.001 - Credentials In Files - macOS | Endpoint | macOS | Credential Access: T1003, T1552, T1552.001, T1555: OS Credential Dumping, Unsecured Credentials, Credentials In Files, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| IP Scan Attack Detected on Endpoint - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Discovery: T1046: Network Service Discovery Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Container process modified PAM configuration - T1556.003 - Pluggable Authentication Modules - Linux | Container | Linux | Credential Access: T1556, T1556.003: Modify Authentication Process, Pluggable Authentication Modules |
| Process modified Authorization Plugin - T1556 - Modify Authentication Process - macOS | Endpoint | macOS | Credential Access: T1556: Modify Authentication Process |
| Cscript.exe execution detected from monitored applications - T1216 - Signed Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| GTFOBIN_sqlite3_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_ruby acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Process dropped file in external drive - T1052 - Exfiltration Over Physical Medium - Windows | Endpoint | Windows | Collection: T1005, T1025, T1074, T1074.001, T1119: Data from Local System, Data from Removable Media, Data Staged, Local Data Staging, Automated Collection Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1052: Exfiltration Over Physical Medium Lateral Movement: T1570: Lateral Tool Transfer |
| Ldapsearch utility executed to query Active Directory - T1087.002 - Domain Account - Linux | Container | Linux | Discovery: T1069, T1069.002, T1087, T1087.002, T1615: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account, Group Policy Discovery |
| Deployment being created using external request in kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Keylogging Attack Detected on Endpoint - T1056.001 - Keylogging - macOS | Endpoint | macOS | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Process starting privileged container on remote host - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610, T1211: Deploy Container, Exploitation for Defense Evasion |
| BitTorrent execution detected - T1189 - Drive-by Compromise - Windows | Endpoint | Windows | Initial Access: T1189: Drive-by Compromise |
| PowerShell.exe execution detected from monitored applications - T1059.001 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Suspicious Perl process attempting to spawn reverse shell - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Suspicious python process attempted to spawn reverse shell - T1059 - Python - Linux | Container | Linux | Execution: T1059, T1059.004, T1059.006: Command and Scripting Interpreter, Unix Shell, Python |
| Suspicious execution of openssl with base64 parameter - T1027 - Obfuscated Files or Information - macOS | Endpoint | macOS | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1027: Obfuscated Files or Information |
| Process attempted to capture input - T1056 - Input Capture - Linux | Container | Linux | Collection: T1056: Input Capture |
| Screencapture utility launched to take screenshot - T1113 - Screen Capture - macOS | Endpoint | macOS | Collection: T1113: Screen Capture |
| Process trying to find cloud credentials - T1552.001 - Credentials in Files - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001, T1552.004: Unsecured Credentials, Credentials In Files, Private Keys |
| Displayswitch.exe utility spawned via monitored application - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| Process attempted reverse shell execution using bash - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Access Token Impersonation detected - T1134.001 - Token Impersonation/Theft - Windows | Endpoint | Windows | Defense Evasion: T1134, T1134.001: Access Token Manipulation, Token Impersonation/Theft Execution: T1106: Native API |
| Process downloaded executable file - T1204.001 - Malicious Link - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1132: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Data Encoding Execution: T1204, T1204.001: User Execution, Malicious Link Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Ransomware execution detected using File I/O operations - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Impact: T1486: Data Encrypted for Impact |
| Process trying to enumerate running processes - T1057 - Process Discovery - Windows | Endpoint | Windows | Discovery: T1057: Process Discovery Execution: T1106: Native API |
| Port Scan Attack Detected on Endpoint - T1046 - Network Service Discovery - macOS | Endpoint | macOS | Discovery: T1046: Network Service Discovery |
| Systeminfo.exe execution detected - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1082: System Information Discovery |
| Process attempted to masquerade kernel mode worker - T1036.004 - Masquerade Task or Service - Linux | Container | Linux | Defense Evasion: T1036, T1036.004, T1036.005: Masquerading, Masquerade Task or Service, Match Legitimate Name or Location |
| Docker client installing docker.io runtime inside remote container - T1609 - Container Administration Command - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container Execution: T1609: Container Administration Command |
| Who or Users utility launched to get users information - T1033 - System Owner/User Discovery - macOS | Endpoint | macOS | Discovery: T1033, T1087: System Owner/User Discovery, Account Discovery |
| Monitored application spawns Findstr.exe - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process executed by browser - T1189 - Drive by Compromise - Windows | Endpoint | Windows | Initial Access: T1189: Drive-by Compromise |
| Drive-By Download Attack Detected on Endpoint (Malicious File) - T1189 - Drive-by Compromise - macOS | Endpoint | macOS | Execution: T1204, T1204.002: User Execution, Malicious File Initial Access: T1189: Drive-by Compromise |
| Shred utility executed for data deletion - T1485 - Data Destruction - macOS | Endpoint | macOS | Defense Evasion: T1070, T1070.004, T1027.005: Indicator Removal, File Deletion, Indicator Removal from Tools Impact: T1485: Data Destruction |
| Remote process attempting to enumerate user accounts - T1087 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087, T1087.001, T1087.002, T1087.003, T1087.004: System Owner/User Discovery, System Information Discovery, Account Discovery, Local Account, Domain Account, Email Account, Cloud Account |
| Malware Detected on Endpoint - T1204.002 - Malicious File - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File |
| Suspected web shell dropped by Web server - T1505.003 - Web Shell - Windows | Endpoint | Windows | Persistence: T1505, T1505.003: Server Software Component, Web Shell Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| GTFOBIN_rlwrap_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Javaw execution detected - TA0002 - Execution - Windows | Endpoint | Windows | |
| Pnscan utility is running inside container - T1595.001 - Scanning IP Blocks - Linux | Container | Linux | Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Powershell using Invoke-Command flag - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process accessed or modified Kubelet Configuration - T1552 - Unsecured Credentials - Linux | Container | Linux | Credential Access: T1552: Unsecured Credentials |
| Suspicious use of lwp-download to download file from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1071, T1102, T1102.002, T1105: Application Layer Protocol, Web Service, Bidirectional Communication, Ingress Tool Transfer |
| Process attempted to encrypt monitored file extension - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Impact: T1486: Data Encrypted for Impact |
| Rsync transferring files over network - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1021, T1570: Remote Services, Lateral Tool Transfer |
| Process attempting to read credentials from Windows Credential Manager - T1555.004 - Windows Credential Manager - Windows | Endpoint | Windows | Credential Access: T1555, T1555.004: Credentials from Password Stores, Windows Credential Manager Execution: T1106: Native API Defense Evasion: T1070.001, T1070: Clear Windows Event Logs, Indicator Removal |
| Mount execution detected for drive information - T1082 - System Information Discovery - AIX | Endpoint | AIX | Discovery: T1082: System Information Discovery Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process using ps utility to get running processes - T1057 - Discovery - Linux | Container | Linux | Discovery: T1057: Process Discovery |
| Dbgsvc.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Replicaset being created in default namespace using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Remote directory listing detected - T1021.002 - SMB/Windows Admin Shares - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| GTFOBIN_scp_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| PowerShell executing Invoke-mimikittenz script for web browser credential dump - T1555.003 - Credentials from Web Browsers - Windows | Endpoint | Windows | Credential Access: T1555, T1555.003: Credentials from Password Stores, Credentials from Web Browsers Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Web server launched suspicious python script - T1059.006 - Python - AIX | Endpoint | AIX | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Scripting process attempted to perform screen/video capture - T1113 - Screen Capture - macOS | Endpoint | macOS | Collection: T1113, T1125: Screen Capture, Video Capture |
| Process updated the user password - T1098 - Account Manipulation - Linux | Container | Linux | Persistence: T1098: Account Manipulation |
| Container orchestration job running as scheduled job - T1053.007 - Container Orchestration Job - Linux | Container | Linux | Execution: T1053, T1053.007: Scheduled Task/Job, Container Orchestration Job |
| Pod log being accessed using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Utility launched to encode or decode data - T1132 - Data Encoding - macOS | Endpoint | macOS | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| PowerShell using connect-RDP flag - T1021.001 - Remote Desktop Protocol - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.001: Remote Services, Remote Desktop Protocol |
| Process attempting to delete/modify system log files - T1070.002 - Clear Linux or Mac System Logs - macOS | Endpoint | macOS | Defense Evasion: T1027, T1027.005, T1070, T1070.002: Obfuscated Files or Information, Indicator Removal from Tools, Indicator Removal on Host, Clear Linux or Mac System Logs |
| Process created hidden plist file in LaunchAgent/LaunchDaemon - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543, T1543.001, T1543.004: Create or Modify System Process, Launch Agent, Launch Daemon |
| SSH connection made to remote system - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Grep utility launched to search files on disk - T1083 - File and Directory Discovery - Linux | Container | Linux | Collection: T1119: Automated Collection Discovery: T1083: File and Directory Discovery |
| Suspicious execution of package from tmp directory - T1204 - User Execution - macOS | Endpoint | macOS | Discovery: T1083: File and Directory Discovery Execution: T1204: User Execution |
| Process attempted to install root certificate - T1553.004 - Install Root Certificate - macOS | Endpoint | macOS | Defense Evasion: T1553, T1553.004: Subvert Trust Controls, Install Root Certificate |
| Quser.exe execution detected from monitored applications - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Mount execution detected for drive information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Curl utility executed to connect via Telnet Protocol - T1021 - Remote Services - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell Lateral Movement: T1021: Remote Services |
| Process dropped Windows script file - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer |
| Process dropped a remote file - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| GTFOBIN_nice_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Powershell executing New-Item or New-ItemProperty command - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Discovery: T1012: Query Registry Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process blocked by Blocking Policy | Endpoint | All OS | |
| Bifrost utility launched to perform kerberos attack - T1558 - Steal or Forge Kerberos Tickets - macOS | Endpoint | macOS | Credential Access: T1558: Steal or Forge Kerberos Tickets |
| ConfigSecurityPolicy.exe execution detected - T1567 - Exfiltration Over Web Service - Windows | Endpoint | Windows | Exfiltration: T1020, T1567: Automated Exfiltration, Exfiltration Over Web Service |
| Suspicious process attempted to access Jenkins credential files - T1552.001 - Credentials In Files - macOS | Endpoint | macOS | Credential Access: T1552, T1552.001, T1555: Unsecured Credentials, Credentials In Files, Credentials from Password Stores |
| Process dropped shortcuts file in startup folders - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Process modifying Root Crontab File to escalate privileges - T1053 - Scheduled Task/Job - macOS | Endpoint | macOS | Execution: T1053: Scheduled Task/Job |
| Database process modifying DB server configuration - T1210 - Exploitation of Remote Services - Linux | Container | Linux | Lateral Movement: T1210: Exploitation of Remote Services Persistence: T1505: Server Software Component |
| PowerShell or its child process dropped portable executable file - TA0002 - Execution - Windows | Endpoint | Windows | |
| Control.exe calling CLP file from suspicious location - T1218.002 - Control Panel - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.002: System Binary Proxy Execution, Control Panel |
| Possible Code Injection using LD_PRELOAD configuration - T1574.006 - Dynamic Linker Hijacking - Linux | Container | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Reg.exe executed to modify registry - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Process attempted to detect virtualization/sandbox - T1497 - Virtualization/Sandbox Evasion - AIX | Endpoint | AIX | Defense Evasion: T1497: Virtualization/Sandbox Evasion |
| Process trying to enumerate mounted drives - T1083 - File and Directory Discovery - Windows | Endpoint | Windows | Discovery: T1083: File and Directory Discovery Execution: T1106: Native API |
| Database Server spawned shell - T1505.001 - SQL Stored Procedures - Windows | Endpoint | Windows | Persistence: T1505, T1505.001: Server Software Component, SQL Stored Procedures Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process accessing SDB file - T1546.011 - Application Shimming - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.011: Event Triggered Execution, Application Shimming |
| Process having unquoted path in cmdline - T1574.009 - Path Interception by Unquoted Path - Windows | Endpoint | Windows | Persistence: T1574, T1574.009: Hijack Execution Flow, Path Interception by Unquoted Path |
| Process attempting to access filesystem used inside container - T1006 - Direct Volume Access - Linux | Container | Linux | Defense Evasion: T1006: Direct Volume Access |
| Local shell connected to remote host - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Malware Detected on Endpoint - T1204.002 - Malicious File - macOS | Endpoint | macOS | Execution: T1204, T1204.002: User Execution, Malicious File |
| Process attempted to split a file - T1030 - Data Transfer Size Limits - Linux | Container | Linux | Exfiltration: T1030: Data Transfer Size Limits |
| Wmic.exe execution detected for lateral movement - T1047 - Windows Management Instrumentation - Windows | Endpoint | Windows | Execution: T1047: Windows Management Instrumentation |
| Process made HTTP/HTTPS Connection - T1071.001 - Web Protocols - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1567: Exfiltration Over Web Service |
| Process attempted to access SMB shares - T1021.002 - SMB/Windows Admin Shares - macOS | Endpoint | macOS | Lateral Movement: T1021, T1021.002: Remote Services, SMB/Windows Admin Shares |
| Taskeng.exe execution detected - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task |
| Powershell.exe execution detected for create volume shadow copies - T1003.003 - NTDS - Windows | Endpoint | Windows | Credential Access: T1003, T1003.003: OS Credential Dumping, NTDS Impact: T1490: Inhibit System Recovery |
| Malicious payload download via Office binaries - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Process using ifconfig, ip or arp to get the network configuration - T1016 - System Network Configuration Discovery - Linux | Container | Linux | Discovery: T1016, T1046, T1049, T1082: System Network Configuration Discovery, Network Service Discovery, System Network Connections Discovery, System Information Discovery |
| Process created Hidden User - T1564.002 - Hidden Users - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.002: Hide Artifacts, Hidden Users |
| GTFOBIN_valgrind_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Reverse Shell Detected on Endpoint - T1059.004 - Unix Shell - macOS | Endpoint | macOS | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Interpreted process in container doing inbound network activity - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Kernel mode driver installation detected - T1014 - Rootkit - Windows | Endpoint | Windows | Defense Evasion: T1014: Rootkit Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543: Create or Modify System Process |
| Process made HTTP/HTTPS Connection - T1071.001 - Web Protocols - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1567: Exfiltration Over Web Service |
| MS-MSDT post exploitation execution detected - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059: Command and Scripting Interpreter |
| Remote SSH login inside host - T1078.003 - Persistence - Linux | Container | Linux | Defense Evasion: T1078, T1078.001, T1078.003: Valid Accounts, Default Accounts, Local Accounts |
| Adfind execution detected - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1482: Domain Trust Discovery Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| GTFOBIN_emacs_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Pfctl utility executed to modify/disable system firewall - T1562.004 - Disable or Modify System Firewall - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Process deleted a file - T1070.004 - File Deletion - Linux | Endpoint | Linux | Defense Evasion: T1070, T1070.004: Indicator Removal on Host, File Deletion |
| Diantz.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Process Running From AppDataRoaming directory - TA0002 - Execution - Windows | Endpoint | Windows | |
| WinZip.exe execution detected - T1560.001 - Archive via Utility - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.001: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Utility |
| PowerShell modifying logon notification key for persistence - T1547.004 - Winlogon Helper DLL - Windows | Endpoint | Windows | Persistence: T1547, T1547.004: Boot or Logon Autostart Execution, Winlogon Helper DLL |
| Cluster role binding being deleted using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Scriptrunner.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| ProcDump.exe execution detected for process dump - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| New service with nodeport being created using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Winlogon shell key logon persistence - T1547.004 - Winlogon Helper DLL - Windows | Endpoint | Windows | Persistence: T1547, T1547.004: Boot or Logon Autostart Execution, Winlogon Helper DLL |
| Process Downloaded executable binaries - T1204.001 - User Execution - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1132: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Data Encoding Execution: T1204, T1204.001: User Execution, Malicious Link Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Suspicious process attempted to access credential files - T1552.001 - Credentials In Files - Linux | Container | Linux | Credential Access: T1003, T1552, T1552.001, T1555: OS Credential Dumping, Unsecured Credentials, Credentials In Files, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process modified At job to schedule task - T1053.002 - Scheduled Task/Job: At - macOS | Endpoint | macOS | Execution: T1053, T1053.002: Scheduled Task/Job, At |
| Javascript interpreter detected - T1059.007 - JavaScript - Linux | Container | Linux | Execution: T1059, T1059.007: Command and Scripting Interpreter, JavaScript |
| Container initialised with host PID enabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Userhelper utility launched to alter User/PAM configuration - T1136 - Create Account - Linux | Container | Linux | Persistence: T1136: Create Account |
| Container process attempted to modify repository sources - T1195.002 - Compromise Software Supply Chain - Linux | Container | Linux | Initial Access: T1195, T1195.002: Supply Chain Compromise, Compromise Software Supply Chain |
| Apple script attempting to make network connection to public IP address - T1059.002 - AppleScript - macOS | Endpoint | macOS | Command and Control: T1071: Application Layer Protocol Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| Powershell execution detected with suspicious commands - T1059.001 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to communicate using mail protocol - T1071.003 - Mail Protocols - Windows | Endpoint | Windows | Command and Control: T1071, T1071.003, T1102, T1102.002: Application Layer Protocol, Mail Protocols, Web Service, Bidirectional Communication Exfiltration: T1020, T1048: Automated Exfiltration, Exfiltration Over Alternative Protocol |
| PowerShell executed with Start-BitsTransfer command - T1197 - BITS Jobs - Windows | Endpoint | Windows | Defense Evasion: T1197: BITS Jobs Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Powershell using WMI event filters and consumers for persistence - T1546.003 - Windows Management Instrumentation Event Subscription - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Privilege Escalation: T1546, T1546.003: Event Triggered Execution, Windows Management Instrumentation Event Subscription |
| Inbound SSH connection detected - T1021.004 - SSH - Linux | Container | Linux | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Process attempted to access password or password quality policy - T1201 - Password Policy Discovery - AIX | Endpoint | AIX | Discovery: T1201: Password Policy Discovery |
| Process enumerated system hardware information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery |
| Daemonset being created using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Process acccessed/dropped files in removable drives - T1025 - Data from Removable Media - Windows | Endpoint | Windows | Collection: T1005, T1025, T1074, T1074.001, T1119: Data from Local System, Data from Removable Media, Data Staged, Local Data Staging, Automated Collection Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1052: Exfiltration Over Physical Medium Lateral Movement: T1570: Lateral Tool Transfer |
| Remote.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to enumerate processes - T1057 - Process Discovery - Linux | Container | Linux | Discovery: T1057: Process Discovery |
| Wget dropped executable file - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer |
| Process modified the grub configuration - T1542.003 - Bootkit - Linux | Container | Linux | Defense Evasion: T1542: Pre-OS Boot Persistence: T1542.003: Bootkit |
| cmd.exe execution detected with large size command line options - T1059.001 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Cluster role allowing execution into pods being created using external request in kubernetes cluster - T1078 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| New cronjob being created using external request in kubernetes cluster - T1053 - Persistence - Kubernetes | Kuberenetes | Kubernetes | Execution: T1053: Scheduled Task/Job |
| Syncappvpublishingserver.vbs execution detected - T1216 - Signed Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| Process trying to access or modify OS credentials - T1003.008 - Credential Access - Linux | Endpoint | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow |
| Process attempting to intercept keystrokes - T1056.001 - Input Capture - Windows | Endpoint | Windows | Collection: T1056, T1056.001: Input Capture, Keylogging Execution: T1106: Native API |
| Process created EarthWorm tunnel - T1572 - Protocol Tunneling - macOS | Endpoint | macOS | Command and Control: T1572: Protocol Tunneling |
| VNC share access detected - T1021 - Remote Services - macOS | Endpoint | macOS | Lateral Movement: T1021: Remote Services |
| Process trying to access system password file - T1003.008 - /etc/passwd and /etc/shadow - AIX | Endpoint | AIX | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow |
| Process created hidden mach-O file - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Suspicious use of curl utility to download file in tmp directory - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer |
| Process attempted to modify file or directory permissions - T1222 - File and Directory Permissions Modification - Linux | Container | Linux | Defense Evasion: T1222: File and Directory Permissions Modification |
| Web server trying to start unwanted process - T1203 - Exploitation for Client Execution - Linux | Container | Linux | Execution: T1203: Exploitation for Client Execution |
| Web Server spawned ls utility to list files and directories - T1083 - File and Directory Discovery - Linux | Container | Linux | Discovery: T1083: File and Directory Discovery |
| SMTP connection detected - T1071.003 - Mail Protocol - LINUX | Container | Linux | Command and Control: T1071, T1071.003, T1071.001: Application Layer Protocol, Mail Protocols, Web Protocols |
| Pod created with host network enabled via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process dumping Lsass.exe to access stored credential in process memory - T1003.001 - LSASS Memory - Windows | Endpoint | Windows | Credential Access: T1003, T1003.001: OS Credential Dumping, LSASS Memory |
| GTFOBIN_Jjs acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Process dropped kerberos ticket - T1550.003 - Pass the Ticket - macOS | Endpoint | macOS | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting Defense Evasion: T1550, T1550.003: Use Alternate Authentication Material, Pass the Ticket |
| Process attempted to masquerade System Binary - T1036 - Masquerading - Linux | Container | Linux | Defense Evasion: T1036, T1036.003: Masquerading, Rename System Utilities |
| PowerShell executed Active Directory PowerShell module - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1069, T1069.002, T1082, T1087, T1482: Permission Groups Discovery, Domain Groups, System Information Discovery, Account Discovery, Domain Trust Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Networksetup utility executed to create a proxy - T1090.001 - Internal Proxy - macOS | Endpoint | macOS | Command and Control: T1090, T1090.001: Proxy, Internal Proxy |
| Database server attempting to start unwanted process - T1203 - Exploitation for Client Execution - Linux | Container | Linux | Execution: T1059, T1203: Command and Scripting Interpreter, Exploitation for Client Execution Persistence: T1505: Server Software Component |
| SSH utility launched with archive utility or file - T1560 - Archive Collected Data - Linux | Container | Linux | Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Process dropped portable executable file - TA0002 - Execution - Windows | Endpoint | Windows | |
| Dxcap.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| SetFile utility executed to modify file time attributes - T1070.006 - Timestomp - macOS | Endpoint | macOS | Defense Evasion: T1027, T1027.005, T1070, T1070.006: Obfuscated Files or Information, Indicator Removal from Tools, Indicator Removal, Timestomp |
| SSH Port tunneling detected - T1572 - Protocol Tunneling - AIX | Endpoint | AIX | Command and Control: T1572: Protocol Tunneling Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| GTFOBIN_nsenter_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Wbadmin.exe execution detected - T1490 - Inhibit System Recovery - Windows | Endpoint | Windows | Impact: T1490: Inhibit System Recovery |
| Process attempting to enumerate domain trusts - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1482: Domain Trust Discovery Execution: T1106: Native API |
| Process attempting MSR modification - T1588.002 - Obtain Capabilities Tool - Linux | Container | Linux | Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Process modification registry startups entry - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Process trying to access /proc directory - T1003.007 - Proc Filesystem - AIX | Endpoint | AIX | Credential Access: T1003, T1003.007: OS Credential Dumping, Proc Filesystem |
| Process dropped kerberos ticket - T1550.003 - Pass the Ticket - Windows | Endpoint | Windows | Defense Evasion: T1550, T1550.003: Use Alternate Authentication Material, Pass the Ticket |
| PowerShell executing Invoke-UserHunter script for account discovery - T1087 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1087: Account Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Dotnet.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1027, T1027.004, T1218: Obfuscated Files or Information, Compile After Delivery, System Binary Proxy Execution Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Container attempting unexpected nodeport outbound connection - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Python script execution detected - T1059.006 - Python - AIX | Endpoint | AIX | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Pwpolicy utility executed to change account policies - T1201 - Password Policy Discovery - macOS | Endpoint | macOS | Discovery: T1201: Password Policy Discovery |
| Ngrok running inside container - T1090 - Proxy - Linux | Container | Linux | Command and Control: T1090, T1105, T1572: Proxy, Ingress Tool Transfer, Protocol Tunneling |
| Process attempting to create user account - T1136 - Create Account - macOS | Endpoint | macOS | Persistence: T1136: Create Account |
| Web Shell attack Detected & Blocked on Endpoint - T1505.003 - Web Shell - Linux | Container | Linux | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Web server attempting to drop web shell - T1505.003 - Web Shell - AIX | Endpoint | AIX | Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Server Application Exploitation Detected on Endpoint - T1505 - Server Software Component - Linux | Container | Linux | Credential Access: T1212: Exploitation for Credential Access Defense Evasion: T1211: Exploitation for Defense Evasion Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| GTFOBIN_cpulimit spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Lwp-download utility launched to download file from internet - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1071, T1102, T1102.002, T1105: Application Layer Protocol, Web Service, Bidirectional Communication, Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Lua script attempted to spawn reverse shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempted LDAP connection - T1087.002 - Domain Account - macOS | Endpoint | macOS | Discovery: T1069, T1069.002, T1087, T1087.002, T1482: Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account, Domain Trust Discovery |
| GTFOBIN_lua_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| WinRar.exe execution detected - T1560.001 - Archive via Utility - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.001: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Utility |
| Process attempting to set executable bit on file - T1525 - Persistence - Linux | Endpoint | Linux | Persistence: T1525: Implant Internal Image |
| Powershell executed version command - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process or script running from memfd in container - T1106 - Native API - Linux | Endpoint | Linux | Execution: T1106: Native API |
| Airport utility executed - T1016 - System Network Configuration Discovery - macOS | Endpoint | macOS | Discovery: T1016: System Network Configuration Discovery |
| GTFOBIN_logsave_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Werfault.exe execution detected - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process disabled or stop service - T1562.001 - Disable or Modify Tools - AIX | Endpoint | AIX | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Data deletion using rm -rf detected - T1485 - Data Destruction - Linux | Container | Linux | Impact: T1485: Data Destruction Defense Evasion: T1027.005, T1070.004: Indicator Removal from Tools, File Deletion |
| Container process modified ld.so configuration or cache - T1574.006 - Dynamic Linker Hijacking - Linux | Container | Linux | Persistence: T1574, T1574.006: Hijack Execution Flow, Dynamic Linker Hijacking |
| Container initialized with additional capabilities - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| PowerShell Modifying file last modified timestamp - T1099 - Timestomp - Windows | Endpoint | Windows | |
| Database server trying to get users information using utility - T1033 - System Owner/User Discovery - Linux | Container | Linux | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Container initialised with AppArmor disabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1562, T1562.001, T1610: Impair Defenses, Disable or Modify Tools, Deploy Container |
| Socat utility launched to spawn reverse shell - T1059.004 - Unix Shell - Linux | Container | Linux | Command and Control: T1219: Remote Access Software Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempted to enumerate secrets or keys - T1552 - Unsecured Credentials - AIX | Endpoint | AIX | Credential Access: T1552, T1552.004, T1555: Unsecured Credentials, Private Keys, Credentials from Password Stores |
| Sudo local privilege escalation: CVE-2021-3156 - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1068, T1548, T1548.003: Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Scripting process attempted to intercept keystrokes via HID APIs - T1056.001 - Keylogging - macOS | Endpoint | macOS | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Command executed in pod inside Kubernetes cluster - T1059 - Command and Scripting Interpreter - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container Execution: T1059: Command and Scripting Interpreter |
| Container process trying to modify sudo configuration - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Suspicious use of xxd utility detected - T1140 - Deobfuscate/Decode Files or Information - Linux | Container | Linux | Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Net.exe execution detected for stopping specific services - T1489 - Service Stop - Windows | Endpoint | Windows | Impact: T1489: Service Stop |
| Process conntected to remote machine via Telnet - T1021 - Remote Services - AIX | Endpoint | AIX | Lateral Movement: T1021: Remote Services |
| Process modified PAM configuration - T1556.003 - Modify Authentication Process - AIX | Endpoint | AIX | Credential Access: T1556, T1556.003: Modify Authentication Process, Pluggable Authentication Modules |
| Productivity application spawned browser - T1566 - Phishing - Linux | Container | Linux | Initial Access: T1566, T1566.001, T1566.002: Phishing, Spearphishing Attachment, Spearphishing Link |
| Systeminfo.exe execution detected from monitored applications - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1082: System Information Discovery |
| Process attempted Automated Collection using cloud utilities - T1119 - Automated Collection - Linux | Container | Linux | Collection: T1119: Automated Collection |
| Find utility executed to enumerate Setuid/Setgid bit enabled file - T1548.001 - Setuid and Setgid - Linux | Container | Linux | Privilege Escalation: T1548, T1548.001: Abuse Elevation Control Mechanism, Setuid and Setgid |
| Monitored application child process allocated memory in remote process - T1055 - Process Injection - Windows | Endpoint | Windows | Defense Evasion: T1055: Process Injection |
| PowerShell executed PowerView for domain discovery - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1482: Domain Trust Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Process dropped executable file in /etc directory - T1204.002 - Malicious File - AIX | Endpoint | AIX | Execution: T1204, T1204.002: User Execution, Malicious File |
| Process attempted to modify PowerShell profiles for persistence - T1546.013 - PowerShell Profile - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.013: Event Triggered Execution, PowerShell Profile |
| Process disabled swap partition - T1562.001 - Disable or Modify Tools - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| PowerShell.exe execution detected with large size command line options - T1059.001 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Container started via misconfigured docker API - T1613 - Container and Resource Discovery - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container Discovery: T1613: Container and Resource Discovery |
| Scheduled process executed from hidden directory - T1564.001 - Hidden Files and Directories - Linux | Container | Linux | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories Execution: T1053, T1053.003, T1053.005: Scheduled Task/Job, Cron, Scheduled Task |
| Detected use of curl utility to download file from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| MS Office or scripting engine dropped archive file - TA0002 - Execution - Windows | Endpoint | Windows | Collection: T1074, T1074.001, T1560, T1560.003: Data Staged, Local Data Staging, Archive Collected Data, Archive via Custom Method |
| Coinminer Attack Detected & Blocked on Endpoint - T1496 - Resource Hijacking - Linux | Container | Linux | Impact: T1496: Resource Hijacking |
| Nvram utility launched to manipulate system variables - T1542.001 - System Firmware - macOS | Endpoint | macOS | Defense Evasion: T1542: Pre-OS Boot Persistence: T1542.001: System Firmware |
| Process attempted to capture network packets - T1040 - Network Sniffing - Linux | Container | Linux | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| Process disabled or uninstalled Security Tools - T1562.001 - Disable or Modify Tools - Linux | Container | Linux | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process attempted to modify Microsoft Office Startups/Templates - T1137 - Office Application Startup - Windows | Endpoint | Windows | Persistence: T1137, T1137.001: Office Application Startup, Office Template Macros |
| Python base64 module launched to decode or encode data - T1132.001 - Standard Encoding - macOS | Endpoint | macOS | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| PowerShell execution detected for Account Discovery - T1087 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1087: Account Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Adplus.exe execution detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Process attempted to access Kubernetes credentials or configuration - T1552.001 - Credentials In Files - macOS | Endpoint | macOS | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Network Sniffing tool execution detected - T1040 - Network Sniffing - Windows | Endpoint | Windows | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| Process modifying /etc/hosts file - T1565 - Data Manipulation - macOS | Endpoint | macOS | Impact: T1565, T1565.001: Data Manipulation, Stored Data Manipulation |
| Process created plist file in Launch Agent with osascript - T1543.001 - Launch Agent - macOS | Endpoint | macOS | Persistence: T1543, T1543.001: Create or Modify System Process, Launch Agent |
| Systemd-logind running inside container - T1078.003 - Local Accounts - Linux | Container | Linux | Defense Evasion: T1078, T1078.003: Valid Accounts, Local Accounts |
| Process attempting to stop cloudtrail logging - T1562.008 - Disable Cloud Logs - Linux | Container | Linux | Defense Evasion: T1562, T1562.008: Impair Defenses, Disable Cloud Logs |
| Rundll32.exe execution with suspicious DLL as command line parameter - T1218.011 - Rundll32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.011: System Binary Proxy Execution, Rundll32 |
| Gpresult.exe execution detected for display group policy information - T1615 - Group Policy Discovery - Windows | Endpoint | Windows | Discovery: T1615: Group Policy Discovery |
| Dd utility launched to delete disk data - T1561.002 - Disk Structure Wipe - AIX | Endpoint | AIX | Impact: T1485, T1561, T1561.001, T1561.002: Data Destruction, Disk Wipe, Disk Content Wipe, Disk Structure Wipe |
| SSH utility launched with -T to disable history - T1021.004 - SSH - Linux | Container | Linux | Defense Evasion: T1562, T1562.003: Impair Defenses, Impair Command History Logging Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| MSPUB.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1218: System Binary Proxy Execution |
| Sysmon.exe executing another executable - T1203 - Exploitation for Client Execution - Windows | Endpoint | Windows | Execution: T1203: Exploitation for Client Execution |
| Process accessed Kubernetes secrets - T1552.001 - Credentials In Files - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Winlogon Userinit Key Persistence With PowerShell - T1547.004 - Winlogon Helper DLL - Windows | Endpoint | Windows | Persistence: T1547, T1547.004: Boot or Logon Autostart Execution, Winlogon Helper DLL |
| Web.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Wget utility executed - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Utility launched to manipulate user account - T1098 - Account Manipulation - Linux | Container | Linux | Persistence: T1098: Account Manipulation |
| Database server dropped executable or script files inside Container - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1059, T1204, T1204.002: Command and Scripting Interpreter, User Execution, Malicious File Persistence: T1505: Server Software Component |
| Powershell executed for remote system discovery - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Curl utility launched with suspicious User Agent - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1573, T1573.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Encrypted Channel, Asymmetric Cryptography |
| Suspicious execution of emond utility detected - T1546.014 - Emond - macOS | Endpoint | macOS | Privilege Escalation: T1546, T1546.014: Event Triggered Execution, Emond |
| Masqueraded socat utility executed to get Reverse Shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Fileless Malware Attack Detected & Blocked on Endpoint - T1620 - Reflective Code Loading - macOS | Endpoint | macOS | Defense Evasion: T1055, T1620: Process Injection, Reflective Code Loading |
| Container process attempted to modify RPM database - T1546.016 - Installer Packages - Linux | Container | Linux | Privilege Escalation: T1546, T1546.016: Event Triggered Execution, Installer Packages |
| Process or script trying to disable or stop NX Logging Tool - T1562.006 - Indicator Blocking - Linux | Container | Linux | Defense Evasion: T1562, T1562.006: Impair Defenses, Indicator Blocking |
| Data compression utilities launched - T1560.001 - Archive via Utility - AIX | Endpoint | AIX | Collection: T1560, T1560.001, T1074: Archive Collected Data, Archive via Utility, Data Staged Exfiltration: T1020, T1041: Automated Exfiltration, Exfiltration Over C2 Channel |
| Suspicious Python script executed via cron job - T1059.006 - Python - macOS | Endpoint | macOS | Execution: T1053, T1053.003, T1053.005, T1059, T1059.006, T1059.004: Scheduled Task/Job, Cron, Scheduled Task, Command and Scripting Interpreter, Python, Unix Shell |
| Powershell using Set-NetFirewallProfile to disable or modify system firewall - T1562.004 - Disable or Modify System Firewall - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Base64 utility launched to decode/encode data - T1132.001 - Command and Control - Linux | Container | Linux | Command and Control: T1001, T1132, T1132.001: Data Obfuscation, Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Process attempted to enumerate netrc file - T1552 - Unsecured Credentials - AIX | Endpoint | AIX | Credential Access: T1552: Unsecured Credentials |
| Anonymous request coming in kubernetes cluster - T1078 - Initial Access - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Suspicious use of Zip utility on hidden directory - T1560.001 - Archive via Utility - macOS | Endpoint | macOS | Collection: T1560, T1560.001: Archive Collected Data, Archive via Utility |
| Process dropped executable file in monitored directories - T1204.002 - Malicious File - Linux | Endpoint | Linux | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File |
| Suspicious process spawned by DHCP Server - T1068 - Exploitation for Privilege Escalation - Windows | Endpoint | Windows | Defense Evasion: T1211: Exploitation for Defense Evasion Execution: T1059: Command and Scripting Interpreter Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Remote system discovery utility execution detected - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1016, T1016.001, T1018: System Network Configuration Discovery, Internet Connection Discovery, Remote System Discovery |
| Getmac.exe executed via monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| GTFOBIN_smbclient_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Detected use of powershell to list Bookmarks on Windows - T1217 - Browser Bookmark Discovery - Windows | Endpoint | Windows | Discovery: T1217: Browser Information Discovery |
| Utility launched with masqueraded filename - T1036.004 - Masquerade Task or Service - Cross Platform | Endpoint | All OS | Defense Evasion: T1036, T1036.004: Masquerading, Masquerade Task or Service |
| Scripting process scheduled suspicious execution of utility - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Discovery: T1033, T1049, T1082, T1087: System Owner/User Discovery, System Network Connections Discovery, System Information Discovery, Account Discovery Execution: T1053, T1053.003, T1053.005, T1059, T1059.006: Scheduled Task/Job, Cron, Scheduled Task, Command and Scripting Interpreter, Python |
| Process or script trying to disable or modify subsystems - T1562.001 - Disable or Modify Tools - AIX | Endpoint | AIX | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process using runuser utility to execute command in privilege - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process communicating with malware domain - T1583.001 - Domains - Linux | Container | Linux | Resource Development: T1583, T1583.001: Acquire Infrastructure, Domains |
| PowerShell executing Invoke-Inveigh script for LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay - Windows | Endpoint | Windows | Credential Access: T1557, T1557.001: Adversary-in-the-Middle, LLMNR/NBT-NS Poisoning and SMB Relay Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to enumerate softwares installed - T1518 - Software Discovery - Linux | Container | Linux | Discovery: T1518: Software Discovery |
| Hh.exe utility executed - T1218.001 - Compiled HTML File - Windows | Endpoint | Windows | Defense Evasion: T1027, T1027.004, T1218, T1218.001: Obfuscated Files or Information, Compile After Delivery, System Binary Proxy Execution, Compiled HTML File Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Userdel utility launched to delete user account - T1531 - Account Access Removal - AIX | Endpoint | AIX | Impact: T1531: Account Access Removal |
| Control.exe execution detected - T1218.002 - Control Panel Items - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.002: System Binary Proxy Execution, Control Panel |
| Reg.exe execution detected for export the key - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| Windbg.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process attempted to make HTTPS Connection - T1573 - Encrypted Channel - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1567: Exfiltration Over Web Service |
| Process accessed process memory - T1003.007 - Proc Filesystem - Linux | Endpoint | Linux | Credential Access: T1003, T1003.007: OS Credential Dumping, Proc Filesystem |
| Process Injection Detected on Endpoint - T1055.008 - Ptrace System Calls - Linux | Container | Linux | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| Suspicious process attempted to access credential files for secrets - T1003 - OS Credential Dumping - AIX | Endpoint | AIX | Credential Access: T1003, T1555: OS Credential Dumping, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Suspicious use of curl utility to download file in tmp directory - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105, T1573, T1573.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer, Encrypted Channel, Asymmetric Cryptography |
| Ftp dropped executable files in monitored directories - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Execution: T1204, T1204.002: User Execution, Malicious File |
| Python script execution detected - T1059.006 - Python - Linux | Container | Linux | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Web server trying to get system information - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1082: System Information Discovery Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| Nginx_spawning local shell (Potential Reverse Shell Detected) - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process manipulating SSH Config/SSH accounts - T1098.004 - SSH Authorized Keys - AIX | Endpoint | AIX | Lateral Movement: T1563, T1563.001: Remote Service Session Hijacking, SSH Hijacking Persistence: T1098, T1098.004: Account Manipulation, SSH Authorized Keys |
| System network connections discovery utility launched - T1016 - System Network Connections Discovery - Windows | Endpoint | Windows | Discovery: T1016, T1016.001, T1018, T1046, T1049: System Network Configuration Discovery, Internet Connection Discovery, Remote System Discovery, Network Service Discovery, System Network Connections Discovery |
| Sc.exe execution detected for disabling services - T1543.003 - Windows Service - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Schtasks.exe execution detected for UAC bypass - T1548.002 - Bypass User Access Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Killall utility launched to terminate Terminal - T1562.001 - Disable or Modify Tools - macOS | Endpoint | macOS | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Process attempted to load kernel module - T1547.006 - Kernel Modules and Extensions - Linux | Container | Linux | Persistence: T1547, T1547.006: Boot or Logon Autostart Execution, Kernel Modules and Extensions |
| Process modified emond configuration or rules for persistence - T1546.014 - Emond - macOS | Endpoint | macOS | Privilege Escalation: T1546, T1546.014: Event Triggered Execution, Emond |
| Container initialized with host volume mount - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610, T1211: Deploy Container, Exploitation for Defense Evasion Privilege Escalation: T1611: Escape to Host |
| Process modified permissions of credential file - T1003.008 - OS Credential Dumping - AIX | Endpoint | AIX | Credential Access: T1003, T1003.008, T1552, T1555: OS Credential Dumping, /etc/passwd and /etc/shadow, Unsecured Credentials, Credentials from Password Stores Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Mmc.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process communicated with crypto mining host - T1496 - Resource Hijacking - Linux | Container | Linux | Impact: T1496: Resource Hijacking |
| Process attempted to enumerate users via SAM registry - T1003.002 - Security Account Manager - Windows | Endpoint | Windows | Credential Access: T1003, T1003.002: OS Credential Dumping, Security Account Manager Discovery: T1033, T1087: System Owner/User Discovery, Account Discovery |
| Chrome Binary execution using remote debugging port - T1059 - Command and Scripting Interpreter - macOS | Endpoint | macOS | Execution: T1059: Command and Scripting Interpreter |
| Grep utility launched to search files on disk - T1083 - File and Directory Discovery - AIX | Endpoint | AIX | Collection: T1119: Automated Collection Discovery: T1083: File and Directory Discovery |
| PowerShell or its child process dropped archive file - T1560 - Archive Collected Data - Windows | Endpoint | Windows | Collection: T1005, T1074, T1074.001, T1119, T1560, T1560.003: Data from Local System, Data Staged, Local Data Staging, Automated Collection, Archive Collected Data, Archive via Custom Method |
| Container process dropped executable file in monitored directories - T1204 - User Execution - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File |
| Process installing root certificate - T1553.004 - Install Root Certificate - Linux | Endpoint | Linux | Defense Evasion: T1553, T1553.004: Subvert Trust Controls, Install Root Certificate |
| Nbtstat.exe execution detected from monitored applications - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery |
| Fileless Malware Attack Detected on Endpoint - T1620 - Reflective Code Loading - macOS | Endpoint | macOS | Defense Evasion: T1055, T1620: Process Injection, Reflective Code Loading |
| Process made network connection on non-standard ports - T1571 - Non-Standard Port - Windows | Endpoint | Windows | Command and Control: T1571: Non-Standard Port |
| Process trying to tunnel protocol - T1572 - Protocol Tunneling - Linux | Container | Linux | Command and Control: T1572: Protocol Tunneling |
| New Service Created - T1543.003 - Windows Service - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Process modified Uptycs Sensor configuration - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Monitored application spawns process from user's directory - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process attempted inter-process communication using network socket - T1559 - Inter-Process Communication - Linux | Container | Linux | Execution: T1559: Inter-Process Communication |
| Process trying to access/drop over FTP - T1071.002 - File Transfer Protocols - Windows | Endpoint | Windows | Command and Control: T1071, T1071.002, T1102, T1102.002, T1105: Application Layer Protocol, File Transfer Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer Exfiltration: T1020, T1041, T1048: Automated Exfiltration, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol |
| GTFOBIN_pic_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Credential access inside kubernetes pod - T1552.001 - Credentials In Files - Kubernetes | Endpoint | All OS | Credential Access: T1552, T1552.001, T1555: Unsecured Credentials, Credentials In Files, Credentials from Password Stores Defense Evasion: T1610: Deploy Container |
| Java application spawned CMD/Powershell to execute commands/scripts - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059, T1059.001, T1059.003: Command and Scripting Interpreter, PowerShell, Windows Command Shell |
| StorSvc service loaded malicious SprintCSP.dll - T1574.001 - DLL Hijacking - Windows | Endpoint | Windows | Persistence: T1574, T1574.001: Hijack Execution Flow, DLL Search Order Hijacking |
| Process modified /etc/hosts - T1565 - Data Manipulation - Linux | Container | Linux | Discovery: T1018: Remote System Discovery Impact: T1565, T1565.001: Data Manipulation, Stored Data Manipulation |
| Container process accessed cloud credentials - T1552.001 - Credentials in Files - Linux | Container | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| Detected use of curl utility to download file - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1071, T1071.002, T1105: Application Layer Protocol, File Transfer Protocols, Ingress Tool Transfer |
| PuTTY credential enumeration via registry detected - T1552.002 - Credentials in Registry - Windows | Endpoint | Windows | Credential Access: T1552, T1552.002: Unsecured Credentials, Credentials in Registry Discovery: T1012: Query Registry |
| Registry Startups entry modification/addition Detected - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Ldapdomaindump utility launched - T1087.002 - Domain Account - Linux | Container | Linux | Discovery: T1087, T1087.002: Account Discovery, Domain Account |
| Process attempting to create or modify registry remotely - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| Adfind execution detected for domain trust discovery - T1482 - Domain Trust Discovery - Windows | Endpoint | Windows | Discovery: T1482: Domain Trust Discovery Resource Development: T1588, T1588.002: Obtain Capabilities, Tool |
| Monitored application spawns Svchost.exe - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process attempted to delete history file - T1070.003 - Clear Command History - Linux | Endpoint | Linux | Defense Evasion: T1070, T1070.003, T1070.004: Indicator Removal on Host, Clear Command History, File Deletion |
| GTFOBIN_nohup_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Chmod utility executed on hidden directory/file - T1222.002 - Linux and Mac File and Directory Permissions Modification - macOS | Endpoint | macOS | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Fileless Malware Attack Detected & Blocked on Endpoint - T1620 - Reflective Code Loading - Linux | Container | Linux | Defense Evasion: T1055, T1620: Process Injection, Reflective Code Loading |
| Compromised Account Access Detected & Blocked on Endpoint - T1078 - Valid Accounts - macOS | Endpoint | macOS | Defense Evasion: T1078: Valid Accounts |
| Finger.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| GTFOBIN_expect_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Reg.exe execution detected for import the key - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| GTFOBIN_gcc_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_Awk_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| GTFOBIN_tclsh acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Plink.exe execution detected for RDP Tunneling from monitored application - T1572 - Protocol Tunneling - Windows | Endpoint | Windows | Command and Control: T1572: Protocol Tunneling |
| Process attempted to wipe data from the disk - T1485 - Data Destruction - Linux | Container | Linux | Impact: T1485, T1561: Data Destruction, Disk Wipe Defense Evasion: T1027.005, T1070.004: Indicator Removal from Tools, File Deletion |
| Container process attempting to set executable bit on file - T1222.002 - File and Directory Permissions Modification - Linux | Container | Linux | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification Persistence: T1525: Implant Internal Image |
| Process attempting to modify Path Environment Variables - T1574.007 - Path Interception by PATH Environment Variable - Windows | Endpoint | Windows | Persistence: T1574, T1574.001, T1574.007: Hijack Execution Flow, DLL Search Order Hijacking, Path Interception by PATH Environment Variable |
| Registry Services entry modification/addition Detected - T1543.003 - Windows Service - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Process attempting to access system key file - T1555 - Credentials from Password Stores - macOS | Endpoint | macOS | Credential Access: T1555: Credentials from Password Stores |
| Net.exe execution detected from monitored applications - T1007 - System Service Discovery - Windows | Endpoint | Windows | Discovery: T1007: System Service Discovery |
| Process made HTTP connection on non-standard port - T1571 - Non-Standard Port - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1571: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Non-Standard Port Exfiltration: T1041, T1567: Exfiltration Over C2 Channel, Exfiltration Over Web Service |
| Dd utility executed to delete disk data - T1561 - Disk Wipe - macOS | Endpoint | macOS | Impact: T1561, T1561.001, T1561.002: Disk Wipe, Disk Content Wipe, Disk Structure Wipe |
| Process downloaded microsoft document file from internet - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1105: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Ingress Tool Transfer Exfiltration: T1041: Exfiltration Over C2 Channel |
| Powershell executing Get-ItemProperty command - T1012 - Query Registry - Windows | Endpoint | Windows | Discovery: T1012: Query Registry Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process attempted to enumerate firewall logs - T1562.004 - Disable or Modify System Firewall - Linux | Container | Linux | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Cluster role with write access being created using external request in kubernetes cluster - T1078 - Persistence Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Auditctl launched to capture keyboard input - T1056.001 - Keylogging - Linux | Container | Linux | Collection: T1056, T1056.001: Input Capture, Keylogging |
| Process dropped ISO file - T1204.002 - Malicious File - Windows | Endpoint | Windows | Execution: T1204, T1204.002: User Execution, Malicious File |
| PowerShell executing PowerShell Empire for Credential Access - TA0006 - Credential Access - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Wmic.exe execution detected for deleting shadow copies - T1490 - Inhibit System Recovery - Windows | Endpoint | Windows | Impact: T1490: Inhibit System Recovery |
| Process attempted to access cloud credentials - T1552.001 - Credentials In Files - Linux | Endpoint | Linux | Credential Access: T1552, T1552.001: Unsecured Credentials, Credentials In Files |
| GTFOBIN_pic_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| EQNEDT32.exe Spawns another process - T1203 - Exploitation for Client Execution - Windows | Endpoint | Windows | Execution: T1203: Exploitation for Client Execution |
| Process trying to modify SUID or SGID bits - T1548.001 - Setuid and Setgid - macOS | Endpoint | macOS | Privilege Escalation: T1548, T1548.001: Abuse Elevation Control Mechanism, Setuid and Setgid |
| PowerShell execution with Remove-SmbShare commands - T1070.005 - Network Share Connection Removal - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.005: Indicator Removal on Host, Network Share Connection Removal |
| Openssl utility being used to encrypt file in container - T1027 - Obfuscated Files or Information - Linux | Container | Linux | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1027: Obfuscated Files or Information Impact: T1486: Data Encrypted for Impact |
| Suspicious python process attempted to spawn reverse shell - T1059 - Python - macOS | Endpoint | macOS | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| Container process modified Host file - T1611 - Escape to Host - Linux | Container | Linux | Privilege Escalation: T1611: Escape to Host |
| Process dropped windows executable file in monitored directories - T1570 - Lateral Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer Collection: T1119: Automated Collection |
| Osascript utility launched to execute script file - T1059.002 - AppleScript - macOS | Endpoint | macOS | Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| Database server trying to get system information - T1082 - System Information Discovery - AIX | Endpoint | AIX | Discovery: T1082: System Information Discovery |
| Process executing script file - T1059 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059: Command and Scripting Interpreter |
| Unsigned process modified startup registry - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Powershell gathering list of installed applications - T1518 - Security Software Discovery - Windows | Endpoint | Windows | Discovery: T1518: Software Discovery |
| Xwizard.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Forfiles.exe execution detected - T1202 - Indirect Command Execution - Windows | Endpoint | Windows | Defense Evasion: T1202: Indirect Command Execution |
| Process trying to download from a remotely hosted URL - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Execution: T1106: Native API |
| Process created hidden plist file in monitored locations - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories Persistence: T1543, T1543.001, T1543.004: Create or Modify System Process, Launch Agent, Launch Daemon |
| Daemonset being created in default namespace using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Container process modified local DNS resolver configuration - T1584.002 - DNS Server - Linux | Container | Linux | Resource Development: T1584, T1584.002: Compromise Infrastructure, DNS Server |
| Net.exe execution detected with add/delete command - T1136 - Create Account - Windows | Endpoint | Windows | Impact: T1531: Account Access Removal Persistence: T1136, T1136.001, T1136.002: Create Account, Local Account, Domain Account |
| New namespace being created using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| Auditpol.exe execution detected - T1562.002 - Disable Windows Event Logging - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.002: Impair Defenses, Disable Windows Event Logging |
| Process trying to alter ufw firewall rules - T1562.004 - Disable or Modify System Firewall - Linux | Endpoint | Linux | Defense Evasion: T1562, T1562.004: Impair Defenses, Disable or Modify System Firewall |
| Suspicious use of openssl with pass parameter - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Defense Evasion: T1027: Obfuscated Files or Information Impact: T1486: Data Encrypted for Impact |
| Process attempting to Shutdown the System - T1529 - Impact - Windows | Endpoint | Windows | Execution: T1106: Native API Impact: T1529: System Shutdown/Reboot |
| Wget dropped executable files in monitored directories - T1204 - User Execution - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Execution: T1204, T1204.002: User Execution, Malicious File |
| Process attempted to configure AHAFS for event triggers - T1546 - Event Triggered Execution - AIX | Endpoint | AIX | Privilege Escalation: T1546: Event Triggered Execution |
| PowerShell script executed to invoke fake login prompt - T1056.002 - GUI Input Capture - Windows | Endpoint | Windows | Collection: T1056, T1056.002: Input Capture, GUI Input Capture Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Resource Development: T1588.002, T1588: Tool, Obtain Capabilities |
| Process connected to remote machine via VNC protocol - T1021 - Remote Services - AIX | Endpoint | AIX | Lateral Movement: T1021: Remote Services |
| GTFOBIN_view_spawning local shell - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Suspicious execution of system service detected - T1569.002 - Service Execution - Windows | Endpoint | Windows | Execution: T1569, T1569.002: System Services, Service Execution |
| New service account being created using external request in kubernetes cluster - T1078.004 - Cloud Accounts - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078, T1078.004: Valid Accounts, Cloud Accounts |
| Process using mkdir utility to create plist file in LaunchAgents - T1543.001 - Launch Agent - macOS | Endpoint | macOS | Defense Evasion: T1647: Plist File Modification Persistence: T1543, T1543.001: Create or Modify System Process, Launch Agent |
| Possible remote access software detected - T1219 - Remote Access Software - AIX | Endpoint | AIX | Command and Control: T1219: Remote Access Software |
| Pip installed python package - T1059.006 - Python - macOS | Endpoint | macOS | Execution: T1059, T1059.006, T1072: Command and Scripting Interpreter, Python, Software Deployment Tools |
| GTFOBIN_vi_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process used standard Data Encoding techniques - T1132.001 - Standard Encoding - Linux | Container | Linux | Command and Control: T1071, T1071.001, T1102, T1102.002, T1132, T1132.001: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Data Encoding, Standard Encoding Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Infdefaultinstall.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Useradd utility launched to create user account - T1136 - Create Account - Linux | Container | Linux | Persistence: T1136: Create Account |
| GTFOBIN_wish acting as remote access software - T1219 Command And Control_LINUX | Container | Linux | Command and Control: T1219: Remote Access Software |
| Certutil.exe execution detected - T1140 - Deobfuscate/Decode Files or Information - Windows | Endpoint | Windows | Command and Control: T1001, T1132, T1132.001: Data Obfuscation, Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Plink.exe execution detected for SSH Tunneling - T1572 - Protocol Tunneling - Windows | Endpoint | Windows | Command and Control: T1572: Protocol Tunneling |
| Suspicious access to bookmarks file - T1217 - Browser Information Discovery - AIX | Endpoint | AIX | Discovery: T1217: Browser Information Discovery |
| Process attempting to modify Environment Variables - T1480.001 - Environmental Keying - Windows | Endpoint | Windows | Defense Evasion: T1480, T1480.001: Execution Guardrails, Environmental Keying |
| Powershell execution detected for registry dump of SAM for hashes and usernames - T1003.002 - Security Account Manager - Windows | Endpoint | Windows | Credential Access: T1003, T1003.002: OS Credential Dumping, Security Account Manager Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Curl or Wget attempting to connect to Public IP address with higher port - T1071 - Application Layer Protocol - macOS | Endpoint | macOS | Command and Control: T1071: Application Layer Protocol |
| Date utility launched to change the system clock - T1070.006 - Timestomp - Linux | Container | Linux | Defense Evasion: T1070, T1070.006: Indicator Removal on Host, Timestomp |
| Cdb.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process or script trying to encrypt data - T1560.001 - Archive via Utility - AIX | Endpoint | AIX | Collection: T1560, T1560.001, T1074: Archive Collected Data, Archive via Utility, Data Staged |
| Lighttpd spawning local shell (Potential Reverse Shell Detected) - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Regsvr32.exe execution detected - T1218.010 - Regsvr32 - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.010: System Binary Proxy Execution, Regsvr32 |
| Process enumerated users information - T1033 - System Owner/User Discovery - Linux | Container | Linux | Discovery: T1033, T1087: System Owner/User Discovery, Account Discovery |
| Process attempted to scan the network - T1595 - Active Scanning - AIX | Endpoint | AIX | Reconnaissance: T1595, T1595.001, T1595.002: Active Scanning, Scanning IP Blocks, Vulnerability Scanning |
| Scheduled Task by Cron inside container - T1053.003 - Cron - Linux | Container | Linux | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Database server process created or modified Systemd Service - T1543.002 - Systemd Service - Linux | Container | Linux | Persistence: T1505, T1543, T1543.002: Server Software Component, Create or Modify System Process, Systemd Service |
| Container process dropped script file on monitored locations - T1204.002 - Malicious File - Linux | Container | Linux | Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File |
| Tshark.exe execution detected - T1040 - Network Sniffing - Windows | Endpoint | Windows | Credential Access: T1040: Network Sniffing Defense Evasion: T1205: Traffic Signaling |
| WMI query detected to enumerate services - T1007 - System Service Discovery - Windows | Endpoint | Windows | Discovery: T1007: System Service Discovery Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| GTFOBIN_watch_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process created or modified XDG Autostart Entry - T1547.013 - XDG Autostart Entries - Linux | Container | Linux | Persistence: T1547, T1547.013: Boot or Logon Autostart Execution, XDG Autostart Entries |
| Suspicious use of osascript to run AppleScript - T1059.002 - AppleScript - macOS | Endpoint | macOS | Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| Dscl utility executed to list local system accounts - T1087.001 - Account Discovery - macOS | Endpoint | macOS | Discovery: T1087, T1087.001: Account Discovery, Local Account |
| User Account Created - T1136 - Create Account - Windows | Endpoint | Windows | Persistence: T1136, T1136.001, T1136.002: Create Account, Local Account, Domain Account |
| Process dropped file in startup folder - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Detected use of tftp to download file from internet - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Remote process dropped file in monitored directories - T1105 - Ingress Tool Transfer - Linux | Container | Linux | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| GTFOBIN_more_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to enumerate firewall rules - T1016 - System Network Configuration Discovery - macOS | Endpoint | macOS | Discovery: T1016: System Network Configuration Discovery |
| GTFOBIN_nano_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to perform self deletion - T1070.004 - File Deletion - Linux | Endpoint | Linux | Defense Evasion: T1070, T1070.004: Indicator Removal on Host, File Deletion |
| Pod created with root user enabled via external request - T1610 - Deploy Container - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process using mv utility to create plist file in LaunchDaemons - T1543 - Launch Daemon - macOS | Endpoint | macOS | Persistence: T1543, T1543.004: Create or Modify System Process, Launch Daemon |
| Sips utility execution detected - T1553.006 - Code Signing Policy Modification - macOS | Endpoint | macOS | Defense Evasion: T1553, T1553.006: Subvert Trust Controls, Code Signing Policy Modification |
| Regasm.exe execution detected - T1218.009 - Regsvcs/Regasm - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.009: System Binary Proxy Execution, Regsvcs/Regasm |
| GTFOBIN_mail_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to patch NTDLL - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Pipe in command lines of cmd.exe detected - TA0004 - Privilege Escalation - Windows | Endpoint | Windows | |
| Scheduled task by at utility - T1053.001 - Scheduled Task/Job: At - Linux | Endpoint | Linux | Execution: T1053, T1053.002, T1053.005: Scheduled Task/Job, At, Scheduled Task Persistence: T1037, T1037.005: Boot or Logon Initialization Scripts, Startup Items |
| Mount utility launched to mount AHAFS File System - T1211 - Exploitation for Defense Evasion - AIX | Endpoint | AIX | Defense Evasion: T1211: Exploitation for Defense Evasion |
| Pscp.exe execution detected - T1021.004 - SSH - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| MS Office or scripting engine dropped portable executable file - TA0002 - Execution - Windows | Endpoint | Windows | |
| Suspicious use of sqlite3 to enumerate messages - T1005 - Data from Local System - macOS | Endpoint | macOS | Collection: T1005: Data from Local System |
| Osascript utility launched with administrator privileges to run AppleScript - T1059.002 - AppleScript - macOS | Endpoint | macOS | Execution: T1059, T1059.002: Command and Scripting Interpreter, AppleScript |
| NTFS Alternate Data Stream accessed via Powershell - T1059.001 - Command and Scripting Interpreter - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Process trying to discover remote systems - T1018 - Remote System Discovery - AIX | Endpoint | AIX | Discovery: T1018, T1016.001: Remote System Discovery, Internet Connection Discovery |
| Process dropped script file on monitored locations - T1204.002 - User Execution - Linux | Container | Linux | Execution: T1204, T1204.002: User Execution, Malicious File Command and Control: T1105: Ingress Tool Transfer |
| Local shell connecting to remote host as possible reverse shell - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process accessing credentials from LSA Secrets - T1003.004 - LSA Secrets - Windows | Endpoint | Windows | Credential Access: T1003, T1003.004: OS Credential Dumping, LSA Secrets |
| Setfacl utility executed to change ACL - T1222.002 - Linux and Mac File and Directory Permissions Modification - Linux | Container | Linux | Defense Evasion: T1222, T1222.002: File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification |
| Container initialised with seccomp disabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1562, T1562.001, T1610: Impair Defenses, Disable or Modify Tools, Deploy Container |
| Process using dscacheutil to get user or group policies - T1087 - Account Discovery - macOS | Endpoint | macOS | Discovery: T1087, T1069: Account Discovery, Permission Groups Discovery |
| Process attempted to access/modify /etc/sudoers file - T1548.003 - Sudo and Sudo Caching - macOS | Endpoint | macOS | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process attempted to enumerate cloud services - T1526 - Cloud Service Discovery - macOS | Endpoint | macOS | Discovery: T1526: Cloud Service Discovery |
| Process modifying Nginx web server configuration on host - T1584.006 - Resource Development - Linux | Endpoint | Linux | Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process dropped executable file in monitored directories - T1204.002 - Malicious File - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Defense Evasion: T1036, T1036.005: Masquerading, Match Legitimate Name or Location Execution: T1204, T1204.002: User Execution, Malicious File |
| Python script execution detected - T1059.006 - Python - Windows | Endpoint | Windows | Execution: T1059, T1059.006: Command and Scripting Interpreter, Python Resource Development: T1587, T1587.001, T1588, T1588.001: Develop Capabilities, Malware, Obtain Capabilities, Malware |
| Process attempted to execute commands within a container - T1609 - Container Administration Command - Linux | Endpoint | Linux | Execution: T1609: Container Administration Command |
| Process trying to access process memory or memory map - T1003.007 - Proc Filesystem - AIX | Endpoint | AIX | Credential Access: T1003, T1003.007: OS Credential Dumping, Proc Filesystem |
| PHP-FPM spawning local shell (Potential Reverse Shell Detected) - T1059.004 - Unix Shell - Linux | Container | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Cloud utility executed with IAM command - T1098.003 - Additional Cloud Roles - Linux | Container | Linux | Persistence: T1098, T1098.001, T1098.003: Account Manipulation, Additional Cloud Credentials, Additional Cloud Roles |
| PowerShell using MMC20 command - T1021.003 - Distributed Component Object Model - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.003, T1021.006: Remote Services, Distributed Component Object Model, Windows Remote Management |
| Process trying to modify sudo configuration - T1548.003 - Sudo and Sudo Caching - AIX | Endpoint | AIX | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Windows Filtering Platform (WFP) provider has been changed - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools |
| Plink.exe execution detected for RDP Tunneling - T1572 - Protocol Tunneling - Windows | Endpoint | Windows | Command and Control: T1572: Protocol Tunneling |
| GTFOBIN_nice_spawning local shell - T1059.004 Execution for AIX | Endpoint | AIX | Execution: T1059: Command and Scripting Interpreter |
| Process attempting to access registry remotely - T1012 - Query Registry - Windows | Endpoint | Windows | Discovery: T1012: Query Registry Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| Docker inside container attempting to connecting to remote swarm - T1021.004 - SSH - Linux | Container | Linux | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Kubernetes dashboard being installed using external request in Kubernetes cluster - T1609 - Execution Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| GTFOBIN_flock_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Wsreset.exe execution detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Process accessed or modified OS credentials - T1003.008 - OS Credential Dumping - Linux | Endpoint | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087: Account Discovery Persistence: T1136: Create Account |
| Process unmapping Remote process image from memory - T1055.012 - Process Hollowing - Windows | Endpoint | Windows | Defense Evasion: T1055, T1055.012: Process Injection, Process Hollowing |
| Cron utilities running inside container - T1053.003 - Cron - Linux | Container | Linux | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Process launched with unicode characters in command line - T1027 - Obfuscated Files or Information - Windows | Endpoint | Windows | Defense Evasion: T1027: Obfuscated Files or Information |
| Suspicious process spawned through RPC methods - TA0002 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001, T1059.003, T1106: Command and Scripting Interpreter, PowerShell, Windows Command Shell, Native API |
| Process attempted to access /etc/passwd or /etc/shadow file - T1003.008 - /etc/passwd and /etc/shadow - Linux | Container | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow Discovery: T1087, T1033: Account Discovery, System Owner/User Discovery |
| PowerShell creating New User - T1136 - Create Account - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell Persistence: T1136: Create Account |
| Grep utility launched to enumerate passwords in files - T1552.001 - Credentials In Files - AIX | Container | AIX | Credential Access: T1552, T1552.001, T1555, T1552.004: Unsecured Credentials, Credentials In Files, Credentials from Password Stores, Private Keys |
| Python base64 Module launched to decode or encode data - T1132.001 - Standard Encoding - Linux | Container | Linux | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Execution: T1059, T1059.006: Command and Scripting Interpreter, Python |
| WMI query launched for process discovery - T1057 - Process Discovery - Windows | Endpoint | Windows | Discovery: T1057: Process Discovery |
| Process created or modified RC scripts - T1037.004 - RC Scripts - AIX | Endpoint | AIX | Execution: T1569: System Services Persistence: T1037, T1037.004: Boot or Logon Initialization Scripts, RC Scripts |
| Syncappvpublishingserver execution detected - T1216 - Signed Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| Process trying to connect over IPv6 address - T1071.001 - Command and Control - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1041, T1567: Exfiltration Over C2 Channel, Exfiltration Over Web Service |
| Rclone Execution detected for data exfiltration - T1567.002 - Exfiltration to Cloud Storage - Windows | Endpoint | Windows | Exfiltration: T1020, T1048, T1567, T1567.002: Automated Exfiltration, Exfiltration Over Alternative Protocol, Exfiltration Over Web Service, Exfiltration to Cloud Storage |
| Coinminer Attack Detected & Blocked on Endpoint - T1496 - Resource Hijacking - macOS | Endpoint | macOS | Impact: T1496: Resource Hijacking |
| Process attempting to load system DLLs from other location - TA0005 - Defense Evasion - Windows | Endpoint | Windows | |
| Statefulset being created using external request in kubernetes cluster - T1609 - Execution - Kubernetes | Kuberenetes | Kubernetes | Execution: T1609: Container Administration Command |
| GTFOBIN_gdb_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Process attempted to access Cloud IMDS - T1552.005 - Cloud Instance Metadata API - Windows | Endpoint | Windows | Credential Access: T1552, T1552.005: Unsecured Credentials, Cloud Instance Metadata API |
| Keychain file accessed via suspicious script - T1555.001 - Keychain - macOS | Endpoint | macOS | Credential Access: T1555, T1555.001: Credentials from Password Stores, Keychain |
| Setcap utility launched to set capabilities of a executable to elevate privileges - T1548 - Abuse Elevation Control Mechanism - Linux | Container | Linux | Privilege Escalation: T1548: Abuse Elevation Control Mechanism |
| Process attempting to transfer tools of monitored extensions - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol Lateral Movement: T1570: Lateral Tool Transfer |
| Pods being created with sensitive mounts using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Telnet execution detected - T1021 - Remote Services - Linux | Container | Linux | Lateral Movement: T1021: Remote Services |
| Browser spawned an unsigned binary - T1189 - Drive by Compromise - Windows | Endpoint | Windows | Initial Access: T1189: Drive-by Compromise |
| PowerShell trying to perform direct volume access - T1006 - Direct Volume Access - Windows | Endpoint | Windows | Defense Evasion: T1006: Direct Volume Access Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| UAC disable registry key modification detected - T1548.002 - Bypass User Account Control - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry Privilege Escalation: T1548, T1548.002: Abuse Elevation Control Mechanism, Bypass User Account Control |
| Detected use of ftp to download file from internet - T1105 - Ingress Tool Transfer - AIX | Endpoint | AIX | Command and Control: T1105: Ingress Tool Transfer Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| AgentExecutor.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Adfind execution detected for permission groups discovery - T1069.002 - Domain Groups - Windows | Endpoint | Windows | Discovery: T1069, T1069.002, T1087: Permission Groups Discovery, Domain Groups, Account Discovery Resource Development: T1583, T1583.001, T1584, T1584.001, T1588, T1588.002: Acquire Infrastructure, Domains, Compromise Infrastructure, Domains, Obtain Capabilities, Tool |
| Database Server spawned suspicious process - T1505.001 - SQL Stored Procedures - Windows | Endpoint | Windows | Persistence: T1505, T1505.001: Server Software Component, SQL Stored Procedures Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process dropped script file in startup folders - T1547.001 - Registry Run Keys / Startup Folder - Windows | Endpoint | Windows | Persistence: T1547, T1547.001: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Container initialised with host UTS enabled - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Chown used with sudo to change file permission - T1222 - File and Directory Permissions Modification - macOS | Endpoint | macOS | Defense Evasion: T1222: File and Directory Permissions Modification |
| Sqldumper.exe execution detected - T1003 - OS Credential Dumping - Windows | Endpoint | Windows | Credential Access: T1003: OS Credential Dumping Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Process modified Periodic Tasks config file for persistence - T1053 - Scheduled Task/Job - macOS | Endpoint | macOS | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Utilities spawned via monitored scripting interpreters - T1082 - System Information Discovery - macOS | Endpoint | macOS | Discovery: T1016, T1049, T1057, T1082: System Network Configuration Discovery, System Network Connections Discovery, Process Discovery, System Information Discovery Execution: T1059: Command and Scripting Interpreter |
| Narrator.exe Execution detected - T1546.008 - Accessibility Features - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.008: Event Triggered Execution, Accessibility Features |
| Process attempting to read local files - T1005 - Collection - Linux | Container | Linux | Collection: T1005: Data from Local System |
| Process attempting to modify windows logon scripts - T1037.001 - Logon Script (Windows) - Windows | Endpoint | Windows | Persistence: T1037, T1037.001: Boot or Logon Initialization Scripts, Logon Script (Windows) |
| Dll order hijacking for amsi.dll detected - T1574.001 - DLL Search Order Hijacking - Windows | Endpoint | Windows | Persistence: T1574, T1574.001, T1574.006: Hijack Execution Flow, DLL Search Order Hijacking, Dynamic Linker Hijacking |
| Addinprocess.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process Injection detected - T1055 - Process Injection - Windows | Endpoint | Windows | Defense Evasion: T1055, T1055.001, T1055.002, T1055.003, T1055.012: Process Injection, Dynamic-link Library Injection, Portable Executable Injection, Thread Execution Hijacking, Process Hollowing Execution: T1106: Native API |
| Dnx.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Net.exe executed to enumerate password policy information - T1201 - Password Policy Discovery - Windows | Endpoint | Windows | Discovery: T1201: Password Policy Discovery |
| Cmstp.exe execution detected - T1218.003 - CMSTP - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.003: System Binary Proxy Execution, CMSTP |
| Winrm.vbs execution detected - T1216 - Signed Script Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1216: System Script Proxy Execution |
| Process accessed web application cookies - T1539 - Steal Web Session Cookie - macOS | Endpoint | macOS | Credential Access: T1539, T1555, T1555.003: Steal Web Session Cookie, Credentials from Password Stores, Credentials from Web Browsers |
| Extexport.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Process disabled windows run (WINDOWS + R) hotkey with help of registry - T1112 - Modify Registry - Windows | Endpoint | Windows | Defense Evasion: T1112: Modify Registry |
| PC Hunter execution detected - T1046 - Network Service Discovery - Windows | Endpoint | Windows | Discovery: T1046: Network Service Discovery Reconnaissance: T1595: Active Scanning |
| Suspicious use of wget to download file in tmp directory - T1105 - Ingress Tool Transfer - macOS | Endpoint | macOS | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Process Running from User's Directory - TA0002 - Execution - Windows | Endpoint | Windows | |
| GTFOBIN_find_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Msohtmed.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer Lateral Movement: T1570: Lateral Tool Transfer |
| Telnet server access detected - T1021 - Remote Services - Linux | Container | Linux | Lateral Movement: T1021: Remote Services |
| Regedit.exe execution detected - T1564.004 - NTFS File Attributes - Windows | Endpoint | Windows | Defense Evasion: T1564, T1564.004: Hide Artifacts, NTFS File Attributes |
| Process communicating through ICMP protocol - T1095 - Non-Application Layer Protocol - Linux | Container | Linux | Command and Control: T1095: Non-Application Layer Protocol Defense Evasion: T1205: Traffic Signaling |
| Ransomware Detected & Blocked on Endpoint - T1486 - Data Encrypted for Impact - Linux | Container | Linux | Impact: T1486: Data Encrypted for Impact |
| GTFOBIN_timeout_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Scheduled task by at utility - T1053.001 - Scheduled Task - AIX | Endpoint | AIX | Execution: T1053: Scheduled Task/Job |
| Process attempted to modify Disk Structure on System Drive - T1561.002 - Disk Wipe: Disk Structure Wipe - Windows | Endpoint | Windows | Impact: T1561, T1561.001, T1561.002: Disk Wipe, Disk Content Wipe, Disk Structure Wipe |
| Drive-By Download Attack Detected & Blocked on Endpoint (Malicious File) - T1189 - Drive-by Compromise - macOS | Endpoint | macOS | Execution: T1204, T1204.002: User Execution, Malicious File Initial Access: T1189: Drive-by Compromise |
| Suspicious Ruby process attempted to spawn reverse shell - T1059 - Command and Scripting Interpreter - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Process attempting to get system network configuration - T1016 - System Network Configuration Discovery - Windows | Endpoint | Windows | Discovery: T1016: System Network Configuration Discovery Execution: T1106: Native API |
| Process deleted logs from system - T1070.002 - Clear Linux or Mac System Logs - Linux | Container | Linux | Defense Evasion: T1027, T1027.005, T1070, T1070.002: Obfuscated Files or Information, Indicator Removal from Tools, Indicator Removal on Host, Clear Linux or Mac System Logs |
| Process made HTTPS connection on non-standard port - T1571 - Non-Standard Port - Windows | Endpoint | Windows | Command and Control: T1071, T1071.001, T1102, T1102.002, T1571: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication, Non-Standard Port Exfiltration: T1041: Exfiltration Over C2 Channel |
| Net.exe execution detected for deleting share connections - T1070.005 - Network Share Connection Removal - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.005: Indicator Removal on Host, Network Share Connection Removal |
| Netcat in host attempting remote code execution - T1059.004 - UNIX Shell - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Remote process attempting to create user accounts - T1136 - Create Account - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model Persistence: T1136, T1136.001, T1136.002: Create Account, Local Account, Domain Account |
| Process trying to access hidden directory - T1564.001 - Hidden Files and Directories - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.001: Hide Artifacts, Hidden Files and Directories |
| Container process modified Nginx web server configuration - T1584.006 - Web Services - Linux | Container | Linux | Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Process modifying Nginx web server configuration on host - T1584.006 - Web Services - AIX | Endpoint | AIX | Resource Development: T1584, T1584.006: Compromise Infrastructure, Web Services |
| Find or locate utilities launched to search files on disk - T1083 - File and Directory Discovery - AIX | Endpoint | AIX | Discovery: T1083: File and Directory Discovery Collection: T1119: Automated Collection |
| Powershell downloading AnyDesk for remote access - T1219 - Remote Access Software - Windows | Endpoint | Windows | Command and Control: T1219, T1102.002: Remote Access Software, Bidirectional Communication Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Wmic.exe execution detected for create volume shadow copies - T1003.003 - NTDS - Windows | Endpoint | Windows | Credential Access: T1003, T1003.003: OS Credential Dumping, NTDS Execution: T1047: Windows Management Instrumentation |
| Ransomware Detected on Endpoint - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Impact: T1486: Data Encrypted for Impact |
| Process accessed browser credentials - T1555.003 - Credentials from Web Browsers - Linux | Endpoint | Linux | Credential Access: T1555, T1555.003: Credentials from Password Stores, Credentials from Web Browsers |
| SetSPN execution detected for querying Service Principal Names - T1558.003 - Kerberoasting - Windows | Endpoint | Windows | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting |
| Ttdinject.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Net.exe executed via monitored applications to enumerate user accounts - T1087 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1069, T1069.001, T1087, T1087.001: Permission Groups Discovery, Local Groups, Account Discovery, Local Account |
| Cp utility launched to create bplist file in LaunchDaemons - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543: Create or Modify System Process |
| Process trying to modify .bashrc or .bash_profile - T1546.004 - Unix Shell Configuration Modification - macOS | Endpoint | macOS | Privilege Escalation: T1546, T1546.004: Event Triggered Execution, Unix Shell Configuration Modification |
| Assoc.exe execution detected in cmd command line - T1546.001 - Change Default File Association - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.001: Event Triggered Execution, Change Default File Association |
| GTFOBIN_unshare_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Credential being brute forced - T1110 - Brute Force - Linux | Container | Linux | Credential Access: T1110, T1110.001, T1110.002, T1110.003: Brute Force, Password Guessing, Password Cracking, Password Spraying |
| Rasautou.exe execution detected - T1218 - Signed Binary Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1218: System Binary Proxy Execution |
| Password guessing detected - T1110.001 - Credential Access - Linux | Container | Linux | Credential Access: T1110, T1110.001, T1110.003: Brute Force, Password Guessing, Password Spraying |
| Server Application Exploitation Detected & Blocked on Endpoint - T1505 - Server Software Component - Linux | Container | Linux | Credential Access: T1212: Exploitation for Credential Access Defense Evasion: T1211: Exploitation for Defense Evasion Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| External request of disallowed user coming in Kubernetes cluster - T1078 - Initial Access Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1078: Valid Accounts |
| Process accessed password policy - T1201 - Password Policy Discovery - AIX | Endpoint | AIX | Discovery: T1201: Password Policy Discovery |
| Suspicious Perl process attempting to spawn reverse shell - T1059 - Command and Scripting Interpreter - AIX | Endpoint | AIX | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Ransomware execution detected - T1486 - Data Encrypted for Impact - Windows | Endpoint | Windows | Execution: T1106: Native API Impact: T1486: Data Encrypted for Impact |
| Code execution through hooks detected - T1055 - Process Injection - Windows | Endpoint | Windows | Credential Access: T1555: Credentials from Password Stores Defense Evasion: T1055: Process Injection Execution: T1106: Native API |
| Process using COM for code execution - T1559.001 - Component Object Model - Windows | Endpoint | Windows | Execution: T1106, T1559, T1559.001: Native API, Inter-Process Communication, Component Object Model |
| Process attempted to access/modify cron entries - T1053.003 - Cron - macOS | Endpoint | macOS | Execution: T1053, T1053.003: Scheduled Task/Job, Cron |
| Certmgr.exe execution detected - T1553.004 - Install Root Certificate - Windows | Endpoint | Windows | Defense Evasion: T1553, T1553.004, T1553.006: Subvert Trust Controls, Install Root Certificate, Code Signing Policy Modification |
| Process loaded kernel module and extension - T1547.006 - Kernel Modules and Extensions - macOS | Endpoint | macOS | Defense Evasion: T1014: Rootkit Persistence: T1547, T1547.006: Boot or Logon Autostart Execution, Kernel Modules and Extensions |
| Sc.exe executed to create a service on remote host - T1021 - Remote Services - Windows | Endpoint | Windows | Lateral Movement: T1021: Remote Services Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Remote Scheduled Task Created - T1053.005 - Scheduled Task - Windows | Endpoint | Windows | Execution: T1053, T1053.005: Scheduled Task/Job, Scheduled Task Lateral Movement: T1021, T1021.003: Remote Services, Distributed Component Object Model |
| Port Scan Attack Detected & Blocked on Endpoint - T1046 - Network Service Discovery - Linux | Container | Linux | Discovery: T1046: Network Service Discovery |
| Process added executable as Login Item - T1547.015 - Login Items - macOS | Endpoint | macOS | Persistence: T1547, T1547.015: Boot or Logon Autostart Execution, Login Items |
| Process attempted to connect to HTTP proxy - T1090 - Proxy - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1090, T1090.001, T1090.002, T1102, T1102.002, T1573: Application Layer Protocol, Web Protocols, Proxy, Internal Proxy, External Proxy, Web Service, Bidirectional Communication, Encrypted Channel Exfiltration: T1048: Exfiltration Over Alternative Protocol |
| Curl dropped executable files in monitored directories on Host - T1204.002 - User Execution - Linux | Endpoint | Linux | Execution: T1204, T1204.002: User Execution, Malicious File |
| Net.exe execution detected for domain account discovery from monitored applications - T1087.002 - Account Discovery - Windows | Endpoint | Windows | Discovery: T1018, T1069, T1069.002, T1087, T1087.002: Remote System Discovery, Permission Groups Discovery, Domain Groups, Account Discovery, Domain Account |
| Ifconfig output stored in hidden directory or file - T1564 - Hide Artifacts - macOS | Endpoint | macOS | Collection: T1074: Data Staged Defense Evasion: T1564: Hide Artifacts |
| Chflags utility launched to modify file flags - T1222 - File and Directory Permissions Modification - Linux | Container | Linux | Defense Evasion: T1222: File and Directory Permissions Modification |
| Process attempted to access password policy - T1201 - Password Policy Discovery - Linux | Container | Linux | Discovery: T1201: Password Policy Discovery |
| Process attempted to modify com.apple.dock.plist - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543: Create or Modify System Process |
| Csrutil utility executed to disable System Integrity Protection (SIP) - T1553.006 - Code Signing Policy Modification - macOS | Endpoint | macOS | Defense Evasion: T1553, T1553.006: Subvert Trust Controls, Code Signing Policy Modification Impact: T1490: Inhibit System Recovery |
| Process attempting to force system to boot into Safe mode - T1562.009 - Safe Mode Boot - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.009: Impair Defenses, Safe Mode Boot |
| Process disabled syslog service - T1562.001 - Disable or Modify Tools - Linux | Container | Linux | Defense Evasion: T1070, T1562, T1562.001: Indicator Removal on Host, Impair Defenses, Disable or Modify Tools |
| Process using sudo utility to execute command in privilege - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Process deleted the file - T1070.004 - File Deletion - Windows | Endpoint | Windows | Defense Evasion: T1070, T1070.004: Indicator Removal on Host, File Deletion Persistence: T1137.001, T1137: Office Template Macros, Office Application Startup |
| Suspicious use of openssl with encrypt parameter - T1486 - Data Encrypted for Impact - macOS | Endpoint | macOS | Command and Control: T1573: Encrypted Channel Impact: T1486: Data Encrypted for Impact Defense Evasion: T1027: Obfuscated Files or Information |
| Process Injection Detected & Blocked on Endpoint - T1055.008 - Ptrace System Calls - macOS | Endpoint | macOS | Defense Evasion: T1055, T1055.008: Process Injection, Ptrace System Calls |
| PowerShell using Hyper-v to check hypervisor version - T1062 - Hypervisor - Windows | Endpoint | Windows | |
| Web server spawned suspicious process to access credential files - T1003 - OS Credential Dumping - Linux | Container | Linux | Credential Access: T1003, T1555: OS Credential Dumping, Credentials from Password Stores Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell Persistence: T1505, T1505.003: Server Software Component, Web Shell |
| AWS utility launched to exfiltrate data to S3 bucket - T1567.002 - Exfiltration to Cloud Storage - Linux | Container | Linux | Exfiltration: T1567, T1567.002: Exfiltration Over Web Service, Exfiltration to Cloud Storage |
| Web server process trying to modify sudo configuration - T1548.003 - Sudo and Sudo Caching - Linux | Container | Linux | Privilege Escalation: T1548, T1548.003: Abuse Elevation Control Mechanism, Sudo and Sudo Caching |
| Powershell execution with -port command - T1595 - Active Scanning - Windows | Endpoint | Windows | Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks Command and Control: T1571: Non-Standard Port |
| Rundll32.exe execution with davclnt.dll detected - T1221 - Template Injection - Windows | Endpoint | Windows | Defense Evasion: T1218, T1221: System Binary Proxy Execution, Template Injection |
| IP Scan Attack Detected & Blocked on Endpoint - T1595.001 - Scanning IP Blocks - macOS | Endpoint | macOS | Discovery: T1046: Network Service Discovery Reconnaissance: T1595, T1595.001: Active Scanning, Scanning IP Blocks |
| Perl base64 Module launched to decode or encode data - T1132.001 - Standard Encoding - macOS | Endpoint | macOS | Command and Control: T1132, T1132.001: Data Encoding, Standard Encoding Defense Evasion: T1027, T1140: Obfuscated Files or Information, Deobfuscate/Decode Files or Information |
| Kerberos Authentication Detected - T1558.003 - Kerberoasting - Linux | Container | Linux | Credential Access: T1558, T1558.003: Steal or Forge Kerberos Tickets, Kerberoasting |
| Mimikatz Process injection in LSASS detected - T1055 - Process Injection - Windows | Endpoint | Windows | Credential Access: T1003, T1003.004: OS Credential Dumping, LSA Secrets Defense Evasion: T1055: Process Injection Resource Development: T1587, T1587.001, T1588, T1588.001, T1588.002: Develop Capabilities, Malware, Obtain Capabilities, Malware, Tool |
| Utility launched to unlock retired user account - T1098 - Account Manipulation - Linux | Container | Linux | Persistence: T1098: Account Manipulation |
| Pods being created unmasked procmount using external request in kubernetes cluster - T1610 - Execution - Kubernetes | Kuberenetes | Kubernetes | Defense Evasion: T1610: Deploy Container |
| Process updated SSH Config/SSH accounts - T1098.004 - SSH Authorized Keys - Linux | Endpoint | Linux | Lateral Movement: T1563, T1563.001: Remote Service Session Hijacking, SSH Hijacking Persistence: T1098, T1098.004: Account Manipulation, SSH Authorized Keys |
| Mshta.exe executing js/vbs script - T1218.005 - Mshta - Windows | Endpoint | Windows | Defense Evasion: T1218, T1218.005: System Binary Proxy Execution, Mshta |
| Lscpu utility executed inside container - T1082 - System Information Discovery - Linux | Container | Linux | Discovery: T1057, T1082: Process Discovery, System Information Discovery |
| SSH Port tunneling detected - T1572 - Protocol Tunneling - macOS | Endpoint | macOS | Command and Control: T1572: Protocol Tunneling Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| Process attempted to access shadow file with sudo privileges - T1003.008 - /etc/passwd and /etc/shadow - Linux | Endpoint | Linux | Credential Access: T1003, T1003.008: OS Credential Dumping, /etc/passwd and /etc/shadow |
| Port Scan Attack Detected on Endpoint - T1046 - Network Service Discovery - Linux | Container | Linux | Discovery: T1046: Network Service Discovery |
| Mail utility executed inside container - T1071.003 - Mail Protocol - Linux | Container | Linux | Command and Control: T1071, T1071.003: Application Layer Protocol, Mail Protocols |
| Process attempting to encrypt data - T1486 - Data Encrypted for Impact - Windows | Endpoint | Windows | Execution: T1106: Native API Impact: T1486: Data Encrypted for Impact |
| Scheduled Task by Cron - T1053.003 - Scheduled Task/Job: Cron - Linux | Endpoint | Linux | Execution: T1053, T1053.003, T1053.005: Scheduled Task/Job, Cron, Scheduled Task Exfiltration: T1029: Scheduled Transfer |
| GTFOBIN_env_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Container attempting unexpected nodeport connection - T1219 - Command And Control - Linux | Container | Linux | Command and Control: T1219: Remote Access Software |
| Putty.exe execution detected - T1021.004 - SSH - Windows | Endpoint | Windows | Lateral Movement: T1021, T1021.004: Remote Services, SSH |
| GTFOBIN_irb_spawning local shell - T1059.004 Execution for Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Sharp Hound execution detected - T1033 - System Owner/User Discovery - Windows | Endpoint | Windows | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Process dropped portable executable file in Temp folder - TA0002 - Execution - Windows | Endpoint | Windows | |
| Process attempted to unhook API hook of NTDLL - T1562.001 - Disable or Modify Tools - Windows | Endpoint | Windows | Defense Evasion: T1562, T1562.001: Impair Defenses, Disable or Modify Tools Execution: T1106: Native API |
| Process attempted to exfiltrate files using web services - T1567 - Exfiltration Over Web Service - AIX | Endpoint | AIX | Command and Control: T1071, T1071.001, T1102, T1102.002: Application Layer Protocol, Web Protocols, Web Service, Bidirectional Communication Exfiltration: T1048, T1567: Exfiltration Over Alternative Protocol, Exfiltration Over Web Service |
| Nmap execution detected - T1046 - Network Service Discovery - Windows | Endpoint | Windows | Discovery: T1046: Network Service Discovery |
| Process attempted to enumerate secrets or keys - T1552 - Unsecured Credentials - Linux | Container | Linux | Credential Access: T1552, T1552.001, T1552.004, T1555: Unsecured Credentials, Credentials In Files, Private Keys, Credentials from Password Stores |
| Ansible running inside container - T1059 - Command and Scripting Interpreter - Linux | Container | Linux | Execution: T1059: Command and Scripting Interpreter |
| Cmd.exe execution detected for starting new process - T1059.003 - Windows Command Shell - Windows | Endpoint | Windows | Execution: T1059, T1059.003, T1059.001: Command and Scripting Interpreter, Windows Command Shell, PowerShell |
| Powershell using start-process flag to create process - T1059.001 - PowerShell - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| Dfsvc.exe execution detected - T1127 - Trusted Developer Utilities Proxy Execution - Windows | Endpoint | Windows | Defense Evasion: T1127: Trusted Developer Utilities Proxy Execution |
| Process created hidden bplist file in monitored locations - T1543 - Create or Modify System Process - macOS | Endpoint | macOS | Persistence: T1543, T1543.001, T1543.004: Create or Modify System Process, Launch Agent, Launch Daemon |
| Kextunload utility attempts to unload the Elastic Endpoint Security kernel extension - T1562 - Impair Defenses - macOS | Endpoint | macOS | Defense Evasion: T1562: Impair Defenses |
| Dscl utility launched to create hidden user - T1564.002 - Hidden Users - macOS | Endpoint | macOS | Defense Evasion: T1564, T1564.002: Hide Artifacts, Hidden Users |
| Process attempted to spawn PTY shell - T1059.004 - Unix Shell - Linux | Endpoint | Linux | Execution: T1059, T1059.004: Command and Scripting Interpreter, Unix Shell |
| Container initialised with Root User - T1610 - Deploy Container - Linux | Container | Linux | Defense Evasion: T1610: Deploy Container |
| Web server attempted to get users information - T1033 - System Owner/User Discovery - Linux | Container | Linux | Discovery: T1033, T1082, T1087: System Owner/User Discovery, System Information Discovery, Account Discovery |
| Cmd.exe executed mklink to create shortcut file - T1059.003 - Windows Command Shell - Windows | Endpoint | Windows | Execution: T1059, T1059.003, T1059.001: Command and Scripting Interpreter, Windows Command Shell, PowerShell Persistence: T1547, T1547.009: Boot or Logon Autostart Execution, Shortcut Modification |
| Suspicious process spawned via node package manager - T1059.007 - Javascript - AIX | Endpoint | AIX | Execution: T1059, T1059.007: Command and Scripting Interpreter, JavaScript |
| Sc.exe execution detected from monitored applications - T1543.003 - Windows Service - Windows | Endpoint | Windows | Execution: T1569, T1569.002: System Services, Service Execution Persistence: T1543, T1543.003: Create or Modify System Process, Windows Service |
| Powershell execution detected to bypass defender detection - T1562 - Impair Defenses - Windows | Endpoint | Windows | Defense Evasion: T1562: Impair Defenses |
| Process communicated through mail protocol - T1071.003 - Mail Protocols - Linux | Container | Linux | Command and Control: T1071, T1071.003: Application Layer Protocol, Mail Protocols |
| Process trying to access Clipboard Data - T1115 - Clipboard Data - Windows | Endpoint | Windows | Collection: T1115: Clipboard Data Execution: T1106: Native API |
| Process modified boot.efi file for Persistence - T1542 - Pre-OS Boot - macOS | Endpoint | macOS | Defense Evasion: T1542: Pre-OS Boot |
| Process attempting to enumerate Domain controller - T1018 - Remote System Discovery - Windows | Endpoint | Windows | Discovery: T1018: Remote System Discovery Execution: T1106: Native API |
| Pwsh.exe execution detected - T1059.001 - Execution - Windows | Endpoint | Windows | Execution: T1059, T1059.001: Command and Scripting Interpreter, PowerShell |
| EICAR file detected | Endpoint | All OS | |
| Process performed Reflective Code Loading - T1620 - Reflective Code Loading - macOS | Endpoint | macOS | Defense Evasion: T1620: Reflective Code Loading |
| Imewdbld.exe execution detected - T1105 - Ingress Tool Transfer - Windows | Endpoint | Windows | Command and Control: T1105: Ingress Tool Transfer |
| Wmic.exe execution detected to create persistence - T1546.003 - Windows Management Instrumentation Event Subscription - Windows | Endpoint | Windows | Privilege Escalation: T1546, T1546.003: Event Triggered Execution, Windows Management Instrumentation Event Subscription Execution: T1047: Windows Management Instrumentation |
| Web server dropped executable files - T1204.002 - Malicious File - AIX | Endpoint | AIX | Execution: T1204, T1204.002: User Execution, Malicious File |
| Process attempting to create a User Account - T1136 - Create Account - Windows | Endpoint | Windows | Execution: T1106: Native API Persistence: T1136, T1136.001, T1136.002, T1136.003: Create Account, Local Account, Domain Account, Cloud Account |
| Database server spawned utilities to get the network configuration/connections - T1049 - System Network Connections Discovery - Linux | Container | Linux | Discovery: T1016, T1018, T1046, T1049, T1082: System Network Configuration Discovery, Remote System Discovery, Network Service Discovery, System Network Connections Discovery, System Information Discovery |
| WMI query launched for system discovery - T1082 - System Information Discovery - Windows | Endpoint | Windows | Discovery: T1082: System Information Discovery Privilege Escalation: T1546, T1546.003: Event Triggered Execution, Windows Management Instrumentation Event Subscription |
| Exploitation for Privilege Escalation Detected on Endpoint - T1068 - Exploitation for Privilege Escalation - macOS | Endpoint | macOS | Persistence: T1505: Server Software Component Privilege Escalation: T1068: Exploitation for Privilege Escalation |
| Access Keys are Not Rotated Every 90 Days or Less | Cloud | AWS | |
| IAM PassRole Policy is Overly Permissive due to Exclusions in the Resource | Cloud | AWS | |
| AWS IAM Backdoor User Key Creation | Cloud | AWS | |
| AWS IAM Role has No Permissions Boundary but can Create a User/Role | Cloud | AWS | |
| MFA Device Deactivated | Cloud | AWS | |
| AWS IAM User Password Policy is Not Complex Enough | Cloud | AWS | |
| AWS Customer-Managed Policy is Unused | Cloud | AWS | |
| IAM PassRole Policy is Overly Permissive due to Exclusions in the Resource and a Wildcard in the Action | Cloud | AWS | |
| Deprecated AWS IAM Policy Being Used | Cloud | AWS | |
| IAM PassRole Policy is Overly Permissive due to Exclusions in both Resource and Action | Cloud | AWS | |
| AWS User Added or Removed from a Group | Cloud | AWS | |
| Detect Anyone is Changing Password on Behalf of Other Users | Cloud | AWS | |
| Misuse of GetSessionToken by a User | Cloud | AWS | |
| AWS IAM User have More than One Active Access Keys | Cloud | AWS | |
| AWS IAM User has No Permissions Boundary but can Create a User/Role | Cloud | AWS | |
| Manual IAM Modification Event | Cloud | AWS | |
| AWS RDS DB Instance is Not Enabled with Auto Minor Version Upgrade | Cloud | AWS | |
| AWS RDS Snapshot Accessible to Public | Cloud | AWS | |
| AWS RDS Aurora cCuster is Not Enabled with Backtrack Window | Cloud | AWS | |
| AWS RDS Instance is Not Set with Copy Tags to Snapshot | Cloud | AWS | |
| AWS RDS Aurora Cluster is Not Enabled with Deletion Protection | Cloud | AWS | |
| AWS RDS Instance is Not Using IAM Database Authentication | Cloud | AWS | |
| AWS RDS Instance is Not Encrypted Using CMK | Cloud | AWS | |
| AWS RDS DB Instance is Not Delete Protected | Cloud | AWS | |
| AWS RDS Instance is Not Enabled with Automatic Backup | Cloud | AWS | |
| AWS RDS Cluster is Not Deployed in Multiple Availability Zones | Cloud | AWS | |
| AWS RDS DB Instance is Using Default Port | Cloud | AWS | |
| AWS RDS Instance is Not Using Secure Master Username | Cloud | AWS | |
| AWS RDS Instance is not Deployed in Multiple Availability Zones | Cloud | AWS | |
| AWS RDS DB Instance is Not Exporting Logs | Cloud | AWS | |
| AWS RDS Instance Data-at-Rest is Not Encrypted | Cloud | AWS | |
| AWS RDS Reserved Instance Lease is Expiring in the Next 7 Days | Cloud | AWS | |
| AWS RDS Aurora Serverless Instance is Not Exporting Logs | Cloud | AWS | |
| AWS RDS Instance is Publicly Accessible | Cloud | AWS | |
| AWS RDS Security Group does Not Restrict Access to DB Instances | Cloud | AWS | |
| AWS RDS Instance is Not Enabled with Minimum Backup Retention Period | Cloud | AWS | |
| AWS EFS is Not Encrypted for Data at Rest | Cloud | AWS | |
| AWS Elastic File System (EFS) not encrypted using Customer Managed Key | Cloud | AWS | |
| AWS Security Hub findings | Cloud | AWS | |
| AWS Security Hub Configuration Changes | Cloud | AWS | |
| Auto Renewal is Not Enabled for AWS Route53 Domain | Cloud | AWS | |
| Transfer lock is not Enabled For AWS Route53 Domain | Cloud | AWS | |
| Privacy Protection Feature is not Enabled for AWS Route53 Domain | Cloud | AWS | |
| AWS EBS Volume Snapshots are Accessible to All AWS Accounts | Cloud | AWS | |
| AWS EBS Volume Snapshot is Not Encrypted | Cloud | AWS | |
| AWS EBS Volumes does not have snapshots taken within the last 7 days | Cloud | AWS | |
| AWS EBS Volume is Unattached | Cloud | AWS | |
| AWS EBS Attached Volume is Not Encrypted | Cloud | AWS | |
| AWS EBS Root Volume is Not Encrypted | Cloud | AWS | |
| AWS EBS Volume Created | Cloud | AWS | |
| AWS KMS Master Key is Exposed | Cloud | AWS | |
| AWS KMS Key Rotation is Not Enabled for CMK | Cloud | AWS | |
| AWS KMS Configuration Changes | Cloud | AWS | |
| AWS Kinesis Data Stream is Not Encrypted with CMK | Cloud | AWS | |
| AWS Kinesis Server Side Encryption is Disabled | Cloud | AWS | |
| AWS Kinesis Data Stream does Not have Shard level Metrics Enabled | Cloud | AWS | |
| AWS SNS Configuration Changes | Cloud | AWS | |
| AWS Secret is Not Encrypted with KMS CMK | Cloud | AWS | |
| Automatic Rotation is Disabled for AWS Secrets Manager Secret | Cloud | AWS | |
| Amazon SageMaker Enabled Direct Internet Access | Cloud | AWS | |
| Amazon SageMaker Inadequate User Access Control in Studio | Cloud | AWS | |
| Amazon SageMaker Notebook Instance Root Access is Enabled | Cloud | AWS | |
| Amazon SageMaker Unencrypted Feature Store Data | Cloud | AWS | |
| AWS ECS Configuration Changes | Cloud | AWS | |
| AWS Application Load Balancer Listener Not Using Secure Protocol (HTTPS or TLS) | Cloud | AWS | |
| AWS ELB(Classic) with Access Log Disabled | Cloud | AWS | |
| AWS ELB v2 Application Load Balancer with Access Log Disabled | Cloud | AWS | |
| AWS ELB (Classic) with Cross-Zone Load Balancing Disabled | Cloud | AWS | |
| AWS ELBv2 Deletion Protection Disabled | Cloud | AWS | |
| AWS ELB(Classic) with Connection Draining Disabled | Cloud | AWS | |
| AWS CloudWatch Event Bus Allows Access to Everyone | Cloud | AWS | |
| AWS S3 Bucket Offers Full Control to Authenticated Users | Cloud | AWS | |
| AWS S3 Bucket has Authenticated READ_ACP Access | Cloud | AWS | |
| AWS S3 Bucket has Authenticated READ Access | Cloud | AWS | |
| AWS S3 Bucket has Public READ_ACP Access | Cloud | AWS | |
| AWS S3 Bucket has authenticated WRITE access | Cloud | AWS | |
| AWS S3 Bucket have Website Configuration Enabled | Cloud | AWS | |
| AWS S3 Bucket Does Not have logging enabled | Cloud | AWS | |
| AWS S3 Bucket has Public READ Access | Cloud | AWS | |
| AWS S3 Bucket has Authenticated WRITE_ACP Access | Cloud | AWS | |
| AWS S3 Bucket has Public WRITE_ACP Access | Cloud | AWS | |
| AWS S3 Bucket Permission ACL Not Enabled | Cloud | AWS | |
| AWS S3 Bucket Versioning Not Enabled | Cloud | AWS | |
| AWS S3 Bucket Data in Transit Not Encrypted | Cloud | AWS | |
| AWS S3 Bucket has Public WRITE Access | Cloud | AWS | |
| AWS S3 Bucket Offers Full Control to All Users | Cloud | AWS | |
| AWS User Without MFA Enabled Can Delete Bucket | Cloud | AWS | |
| AWS Organizations Configuration Changes | Cloud | AWS | |
| AWS Network Gateway Changes | Cloud | AWS | |
| AWS Unauthorized API Call | Cloud | AWS | |
| AWS Network Access Control List Changes | Cloud | AWS | |
| AWS Console Authentication Failure | Cloud | AWS | |
| AWS Security Groups Allows Ingress from 0.0.0.0/0 to Port 22 | Cloud | AWS | |
| AWS CloudTrail S3 Bucket Does not Have Access Logging Enabled | Cloud | AWS | |
| AWS S3 Bucket Policy Changes | Cloud | AWS | |
| AWS CloudTrail Logs are Not Encrypted Using KMS CMK | Cloud | AWS | |
| AWS MFA is Disabled for a User | Cloud | AWS | |
| AWS IAM Password Policy Enforce Prevention of Password Reuse | Cloud | AWS | |
| AWS Config Service Configuration Changes | Cloud | AWS | |
| AWS IAM Root Account Access Key Exists | Cloud | AWS | |
| AWS CloudTrail Configuration Changes | Cloud | AWS | |
| AWS Security Group Changes | Cloud | AWS | |
| AWS IAM Password Policy Enforce having at least One Symbol | Cloud | AWS | |
| AWS IAM Password Policy does Not Expire Passwords within 90 Days | Cloud | AWS | |
| AWS Console Sign-in Without MFA | Cloud | AWS | |
| AWS IAM Password Policy Enforce having a Minimum Length of 14 | Cloud | AWS | |
| AWS VPC Changes | Cloud | AWS | |
| AWS CloudTrail KMS CMK Key Rotation is Disabled | Cloud | AWS | |
| AWS Customer Created CMKs Disabled or Scheduled for Deletion | Cloud | AWS | |
| AWS IAM Password Policy Enforce having at least One Uppercase Letter | Cloud | AWS | |
| AWS CloudTrail S3 Bucket is Publicly Accessible | Cloud | AWS | |
| AWS CloudTrail Log File Validation is Disabled | Cloud | AWS | |
| AWS CloudTrail is Not Integrated with CloudWatch | Cloud | AWS | |
| AWS IAM MFA is Not Enabled for the "Root" Account | Cloud | AWS | |
| AWS Default Security Group Does Not Restrict All Traffic | Cloud | AWS | |
| AWS Route Table Changes | Cloud | AWS | |
| AWS IAM Password Policy Enforce having at least One Lowercase Letter | Cloud | AWS | |
| AWS Root Account Usage | Cloud | AWS | |
| AWS IAM Policies are Attached to User | Cloud | AWS | |
| AWS IAM Policy Changes | Cloud | AWS | |
| AWS IAM Password Policy Enforce having at least One Number | Cloud | AWS | |
| AWS IAM Support Role is Not Created | Cloud | AWS | |
| AWS Security Groups Allows Ingress from 0.0.0.0/0 to Port 3389 | Cloud | AWS | |
| AWS API Gateway Rest API Certificates are Not Rotated Periodically | Cloud | AWS | |
| AWS API Gateway Rest API Does Not Have CloudWatch Logging Enabled | Cloud | AWS | |
| AWS API Gateway Rest API Active Tracing is Disabled | Cloud | AWS | |
| AWS API Gateway Rest API Does Not Have Web Application Firewall | Cloud | AWS | |
| AWS API Gateway Rest API Does Not Have Content Encoding Enabled | Cloud | AWS | |
| AWS API Gateway Rest API Does Not Have CloudWatch Metrics Enabled | Cloud | AWS | |
| AWS API Gateway Rest API is Not Using Client Certificates | Cloud | AWS | |
| AWS API Gateway Rest API Access is Not Restricted to Private Endpoints | Cloud | AWS | |
| AWS ECR Repository is Open to the Public | Cloud | AWS | |
| A Security Issue or Suspicious Activity has been Detected by GuardDuty. | Cloud | AWS | |
| AWS GuardDuty Configuration Changes | Cloud | AWS | |
| AWS EKS Cluster Endpoints Are Publicly Accessible | Cloud | AWS | |
| AWS EKS Cluster Control Plane Logging is Not Enabled | Cloud | AWS | |
| Latest Kubernetes Version Not Installed in AWS EKS Cluster | Cloud | AWS | |
| AWS EKS Configuration Changes | Cloud | AWS | |
| [Template] AWS EC2 Instance Launched with Non-Approved AMI | Cloud | AWS | |
| AWS EC2 Default Security Group Allows Unrestricted Outbound Access | Cloud | AWS | |
| AWS EC2 Instance is Not Using IAM Role/Profile | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted RPC Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted Oracle Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted CIFS Access | Cloud | AWS | |
| AWS EC2 Instance with Public IP | Cloud | AWS | |
| AWS EC2 Instance Provisioned with Default Security Group | Cloud | AWS | |
| AWS AMI is Not Encrypted For Data at Rest | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted Telnet Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted DNS Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted PostgreSQL Access | Cloud | AWS | |
| AWS EC2 IMDSv2 is Not Enabled | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted MS SQL Access | Cloud | AWS | |
| AWS EC2 Instance is Using Image Older than 180 Days | Cloud | AWS | |
| Security Group Allowing Unrestricted Access to Ports 22 and 3389 | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted HTTP Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted SMTP Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted ICMP Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted MySQL Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted SSH Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted FTP Access | Cloud | AWS | |
| Security Group Allowing Ingress Access to Ports Other than 80 and 443 | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted NetBIOS Access | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted MongoDB Access | Cloud | AWS | |
| AWS EC2 Default Security Group Open to Inbound Public Traffic | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted HTTPS Access | Cloud | AWS | |
| AWS AMI Shared with other AWS Account | Cloud | AWS | |
| AWS EC2 Security Group Allows Unrestricted RDP Access | Cloud | AWS | |
| AWS CloudFormation Stack has No Deletion Policy | Cloud | AWS | |
| AWS CloudFormation Stack Policy Not Set to Prevent Accidental Update | Cloud | AWS | |
| AWS CloudFormation Stack Configured Without SNS Topic | Cloud | AWS | |
| AWS CloudFormation Stack Not Enabled for Termination Protection | Cloud | AWS | |
| event logging activity for new country | Cloud | AWS | |
| event logging activity for new region | Cloud | AWS | |
| AWS CloudTrail Reference Inactive SNS Topic | Cloud | AWS | |
| Event Logging Activity for user | Cloud | AWS | |
| AWS Data Events Not Included in CloudTrail Trails Configuration | Cloud | AWS | |
| AWS CloudTrail Trails API Calls Does Not Track IAM STS and CloudFront | Cloud | AWS | |
| Event Detected for a New Service | Cloud | AWS | |
| event logging activity for new service | Cloud | AWS | |
| Event Detected with a New Username | Cloud | AWS | |
| AWS CloudTrail Logging Bucket has No MFA Delete | Cloud | AWS | |
| AWS CloudTrail logs have been delivered with errors | Cloud | AWS | |
| Event Detected for a New Country | Cloud | AWS | |
| Event Detected for a New Region | Cloud | AWS | |
| AWS EC2 Instance does Not have Uptycs Sensor Installed | Cloud | AWS | |
| [Template] AWS IAM User Changes having Access to EC2 Instances | Cloud | AWS | |
| AWS S3 Bucket ACL Changes | Cloud | AWS | |
| AWS IAM Group Changes | Cloud | AWS | |
| [Template] AWS IAM User Changes having Access to S3 and EBS | Cloud | AWS | |
| [Template] AWS IAM Group Changes having Access to S3 and EBS | Cloud | AWS | |
| AWS Account Removed From the Organization | Cloud | AWS | |
| AWS CloudFront Configuration Changes | Cloud | AWS | |
| AWS EC2 instance termination protection is not enabled | Cloud | AWS | |
| [Template] AWS IAM Role Changes having Access to S3 and EBS | Cloud | AWS | |
| AWS S3 Bucket is Publicly Accessible | Cloud | AWS | |
| AWS IAM User Access Keys are Not Rotated Every 30 Days | Cloud | AWS | |
| [Template] AWS IAM Policy Changes having Access to S3 buckets | Cloud | AWS | |
| AWS IAM User Deleted | Cloud | AWS | |
| AWS IAM User Changes | Cloud | AWS | |
| AWS WAF Rules Changes | Cloud | AWS | |
| New AWS Account Created | Cloud | AWS | |
| AWS EC2 Security Group Provides Unrestricted Inbound Access on Uncommon Ports | Cloud | AWS | |
| [Template] AWS IAM Policy Changes having Access to EBS Volumes | Cloud | AWS | |
| AWS ElastiCache Clusters are Not Using Latest Version | Cloud | AWS | |
| AWS ElastiCache Reserved Cache Node Lease is Expiring in Next 7 Days | Cloud | AWS | |
| AWS Redis Cluster Does Not have Encryption Enabled for Data at Rest | Cloud | AWS | |
| AWS ElastiCache Cluster is Using Default Port | Cloud | AWS | |
| AWS Redis Replication Group Does Not have Multi-AZ Auto Failover Enabled | Cloud | AWS | |
| AWS ElastiCache Clusters are Not Deployed in Virtual Private Network (VPC) | Cloud | AWS | |
| AWS Redis Cluster Does Not have Encryption Enabled for Data in Transit | Cloud | AWS | |
| AWS Redis Cluster does Not have Redis Auth Enabled | Cloud | AWS | |
| AWS Config Service Configuration has No Global Resources Included | Cloud | AWS | |
| AWS Config log File Delivery Failure | Cloud | AWS | |
| AWS Certificate Manager Certificate has Wildcard Domain Name | Cloud | AWS | |
| AWS Certificate Manager Certificate is Unused | Cloud | AWS | |
| AWS Certificate Manager Certificate is Expired | Cloud | AWS | |
| AWS Elasticsearch Domain is not Using Latest ES Version | Cloud | AWS | |
| AWS Elasticsearch Domain is Exposed to Everyone | Cloud | AWS | |
| AWS Elasticsearch Domain is not Encrypted with KMS CMK | Cloud | AWS | |
| AWS Elasticsearch Reserved Instance is Expiring in Next 7 Days | Cloud | AWS | |
| AWS Elasticsearch Domain is Not Accessible Only from VPC | Cloud | AWS | |
| AWS Elasticsearch Domain does Not have Search Slow Logs Enabled | Cloud | AWS | |
| AWS Elasticsearch Domain does Not have Index Slow Logs Enabled | Cloud | AWS | |
| AWS Elasticsearch Domain does Not have Node-to-Node Encryption Enabled | Cloud | AWS | |
| AWS Elasticsearch Domain Does Not have Encryption of Data at Rest Enabled | Cloud | AWS | |
| AWS SQS Server Side Encryption Not Enabled | Cloud | AWS | |
| AWS SQS Does Not have a Dead Letter Queue Configured | Cloud | AWS | |
| AWS SQS Not Encrypted with KMS CMK | Cloud | AWS | |
| AWS SQS Queue is Exposed to Everyone | Cloud | AWS | |
| AWS Lambda Function does Not have Tracing Enabled | Cloud | AWS | |
| AWS Lambda Function does Not have Access to Resources in VPC | Cloud | AWS | |
| AWS Lambda Environment Variables Not Encrypted Using KMS CMK | Cloud | AWS | |
| AWS Lambda Function is Exposed to Everyone | Cloud | AWS | |
| AWS Lambda Function is Not Using Latest Runtime | Cloud | AWS | |
| Amazon Bedrock Vector Database Network Policy Public | Cloud | AWS | |
| Amazon Bedrock Vector Database Data Access Policy Overly Permissive | Cloud | AWS | |
| [Deprecated] Amazon Bedrock Vector Database Not Encrypted | Cloud | AWS | |
| AWS Network ACL Allows Outbound/Egress Traffic to All Ports | Cloud | AWS | |
| AWS VPC Subnet is Allowing Automatic Public IP Assignment | Cloud | AWS | |
| AWS VPC Endpoint is Exposed to Everyone | Cloud | AWS | |
| AWS Virtual Private Gateway is Unused | Cloud | AWS | |
| AWS Network ACL Allows Inbound/Ingress Traffic from All Ports | Cloud | AWS | |
| [Template] AWS VPC Peering Connection to Account Outside AWS Organization | Cloud | AWS | |
| RDS DB Instance Restored from a Snapshot | Cloud | AWS | |
| Potential Network DoS by Deleting the Subnet by Unknown Source IP Actor | Cloud | AWS | Impact: T1499: Endpoint Denial of Service |
| Potential Network DoS from Unknown Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Removal of Security Group from Unknown Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Unknown Source IP Actor | Cloud | AWS | Impact: T1499: Endpoint Denial of Service |
| Potential Network DoS by Deleting a Subnet by an Unknown Country Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Associating a New Route Table by Unknown Source IP Actor | Cloud | AWS | Impact: T1499: Endpoint Denial of Service |
| Potential Network DoS by Removal of Subnet from Unknown Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Deleting a Security Group by Unknown Source IP Actor | Cloud | AWS | Impact: T1499: Endpoint Denial of Service |
| Potential Network DoS by Associating a New Route Table by an Unknown Country Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Unknown Country Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Associating a New Route Table from Unknown Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| Potential Network DoS by Deleting Security Group by an Unknown Country Actor | Cloud | AWS | Impact: T1498: Network Denial of Service |
| EBS Snapshot Copied to an Unused Region | Cloud | AWS | Execution: T1204: User Execution |
| Data Collection from an Unknown Country | Cloud | AWS | Collection: T1530: Data from Cloud Storage |
| Data Staged by Unknown User | Cloud | AWS | Collection: T1074: Data Staged |
| Data Staged from Unknown Country | Cloud | AWS | Collection: T1074: Data Staged |
| Data Collection by Unknown User | Cloud | AWS | Collection: T1530: Data from Cloud Storage |
| Data Staged from Unknown Source IP Address | Cloud | AWS | Collection: T1074: Data Staged |
| Data Collection from an Unknown Source IP Address | Cloud | AWS | Collection: T1530: Data from Cloud Storage |
| AWS Lightsail New SSH Keypair Generated | Cloud | AWS | |
| AWS Lightsail Default Key Pair Downloaded | Cloud | AWS | |
| AWS API Gateway New Keys Created | Cloud | AWS | |
| IAM Policy Updated by an Unknown User | Cloud | AWS | Persistence: T1098: Account Manipulation |
| ECR Image Uploaded from an Unknown Source IP address | Cloud | AWS | Persistence: T1525: Implant Internal Image |
| ECR Image Uploaded by an Unknown User | Cloud | AWS | Persistence: T1525: Implant Internal Image |
| ECR Image Uploaded from an Unknown Country | Cloud | AWS | Persistence: T1525: Implant Internal Image |
| IAM Policy Updated from an Unknown Source IP Address | Cloud | AWS | Persistence: T1098: Account Manipulation |
| IAM Policy Updated from an Unknown Country | Cloud | AWS | Persistence: T1098: Account Manipulation |
| New Lambda Function Created | Cloud | AWS | Privilege Escalation: T1078: Valid Accounts |
| User Can Escalate Privileges | Cloud | AWS | |
| Login Profile Changes Detected | Cloud | AWS | |
| New Policy Version Created | Cloud | AWS | |
| IAM Administrator Policy Attached to User/Group/Role | Cloud | AWS | |
| Inline Policy Created/Updated | Cloud | AWS | |
| Access Key Created | Cloud | AWS | |
| A User Was Added to an IAM group. | Cloud | AWS | |
| Data Upload from Unknown Country | Cloud | AWS | Defacement: T1491: Defacement |
| Data Upload from Unknown Source IP Address | Cloud | AWS | Defacement: T1491: Defacement |
| Data Upload from Unknown User | Cloud | AWS | Defacement: T1491: Defacement |
| Unknown Machine Image ID | Cloud | AWS | Defacement: T1496: Resource Hijacking |
| User Can Expose Credentials | Cloud | AWS | |
| New User Created from Unknown Country | Cloud | AWS | Initial_Access: T1078: Valid Accounts |
| New Inbound Rule Added to a Security Group | Cloud | AWS | |
| New User Created from an Unknown Region | Cloud | AWS | Initial_Access: T1078: Valid Accounts |
| New User Created by Unknown User | Cloud | AWS | Initial_Access: T1078: Valid Accounts |
| Role Assumed by Updating the AssumeRolePolicyDocument | Cloud | AWS | |
| Failed AWS Console Login Attempt | Cloud | AWS | |
| Potential Endpoint DoS by Deleting a Bucket from Unknown Source IP | Cloud | AWS | Endpoint: T1499: Endpoint Denial of Service |
| Potential Endpoint DoS by Keypair Deletion from Unknown Country | Cloud | AWS | Endpoint: T1499: Endpoint Denial of Service |
| Potential Endpoint DoS from Unknown Actor | Cloud | AWS | Endpoint: T1499: Endpoint Denial of Service |
| Potential Endpoint DoS by Deleting a Bucket from Unknown Country | Cloud | AWS | Endpoint: T1499: Endpoint Denial of Service |
| Potential Endpoint DoS by Deleting Bucket by Unknown Actor | Cloud | AWS | Endpoint: T1499: Endpoint Denial of Service |
| Potential Endpoint DoS by Keypair Deletion from Unknown Source IP | Cloud | AWS | Endpoint: T1499: Endpoint Denial of Service |
| AWS Config Configuration Recorder Deleted | Cloud | AWS | |
| AWS VPC Flow Logs deleted | Cloud | AWS | |
| AWS CloudWatch Alarm Action Disabled/Alarm Deleted | Cloud | AWS | |
| VPC Created in an Unknown Region | Cloud | AWS | Defense Evasion: T1535: Unused/Unsupported Cloud Regions |
| A VPC is Deleted by an Unknown User | Cloud | AWS | Defense Evasion: T1578: Modify Cloud Compute Infrastructure |
| A VPC is Deleted from an Unknown Country | Cloud | AWS | Defense Evasion: T1578: Modify Cloud Compute Infrastructure |
| AWS Activity from Malicious IP Address | Cloud | AWS | |
| AWS Inbound Connection from Malicious IP Address | Cloud | AWS | |
| AWS Outbound Connection to Malicious IP Address | Cloud | AWS | |
| Request for IAM Roles Listing from an Unknown Source IP Address | Cloud | AWS | Discovery: T1087: Account Discovery |
| Unknown User Console Access | Cloud | AWS | Discovery: T1538: Cloud Service Dashboard |
| Console Access from an Unknown Source IP Address | Cloud | AWS | Discovery: T1538: Cloud Service Dashboard |
| Topology Description Request from an Unknown Country | Cloud | AWS | Discovery: T1580: Cloud Infrastructure Discovery |
| AWS EC2 Instance Attribute has been Modified | Cloud | AWS | |
| Request For IAM Roles Listing from an Unknown Country | Cloud | AWS | Discovery: T1087: Account Discovery |
| An Unknown User Lists IAM Roles | Cloud | AWS | Discovery: T1087: Account Discovery |
| Console Access from an Unknown Country | Cloud | AWS | Discovery: T1538: Cloud Service Dashboard |
| AWS Redshift Cluster is Not Encrypted with KMS Customer Master Key | Cloud | AWS | |
| AWS Redshift Cluster Encryption Disabled for Data at Rest | Cloud | AWS | |
| AWS Redshift User Activity Logging Feature is Disabled | Cloud | AWS | |
| AWS Redshift Reserved Node End Time is Within the Next 7 days | Cloud | AWS | |
| AWS Redshift Cluster Deferred Maintenance Feature is Disabled | Cloud | AWS | |
| AWS Redshift Automated Snapshot Retention Period Disabled | Cloud | AWS | |
| AWS Redshift Cluster is Publicly Accessible | Cloud | AWS | |
| AWS Redshift Parameter Group Does Not have SSL for Data in Transit | Cloud | AWS | |
| AWS Redshift Cluster Audit Logging is Not Enabled | Cloud | AWS | |
| AWS Redshift Cluster is Not Launched in AWS VPC | Cloud | AWS | |
| AWS Redshift Cluster Version Upgrade Disabled | Cloud | AWS | |
| AWS Redshift Cluster Using Default Port for Access | Cloud | AWS |
- APT22
- EVILNUM
- ARID VIPER
- APT21
- GAMAREDON GROUP
- GOLD MELODY
- APT33
- APT14
- APT6
- APT39
- STAR BLIZZARD
- APT29
- APT-C-36
- APT28
- MUSTANGPANDA
- DARKHOTEL
- POLONIUM
- CLEAVER
- TONTO TEAM
- MOLERATS
- BITTER
- BAD MAGIC
- SIDEWINDER
- HAFNIUM
- SANDWORMTEAM
- GOLDENJACKEL
- HEXANE
- INDRIK SPIDER
- APT16
- FIN8
- APT9
- MANIC MENAGERIE
- 8220 GANG
- VENOM SPIDER
- APT41
- LUCKY CAT
- CONFUCIUS
- BUHTRAP
- APT1
- YOROTROOPER
- QUILTED TIGER
- TURLA
- DARK BASIN
- APT40
- SNOWGLOBE
- APT31
- KIMSUKY
- RANCOR
- GORGON GROUP
- APT12
- DARKHYDRUS
- APT32
- APT34
- MUDDLED LIBRA
- NAIKON
- LANCEFLY
- APT26
- APT4
- TA551
- TA505
- FIN7
- ALLOY TAURUS
- EQUATION GROUP
- PLATINUM
- EVASIVE PANDA
- APT25
- APT23
- UNC1878
- APT30
- NEWSPENGUIN
- WINTER VIVERN
- FLAX TYPHOON
- UNFADING SEA HAZE
- GREYENERGY
- HELLSING
- LONGHORN
- UNC4841
- WIZARDSPIDER
- GHOSTEMPEROR
- APT35
- APT3
- SILENCE GROUP
- DOPPEL SPIDER
- APT2
- BLACKTECH
- DRAGONOK
- APT36
- APT20
- TA428
- MUDDYWATER
- DNSPIONAGE
- APT37
- DARK PINK
- APT19
- APT24
- LAZARUS GROUP
- ROCKET KITTEN
- SILENT CHOLLIMA
- APT27
- UAC-0050
- TICK
- TODDYCAT
- APT10
- APT17
- APT43
- DARK CARACAL
- DONOT GROUP
- APT15
- GUI-VIL
- CAMARO DRAGON
- MAGNET GLOBIN
- EARTH BERBEROKA
- RED MENSHEN
- SIDECOPY
- UAC-0056
- GREENBUG
- APT18
- IMPERIAL KITTEN
- EARTH LUSCA
- ASYLUM AMBUSCADE
- EARTH KARAHANG
- MOONSTONE SLEET
- APT22
- EVILNUM
- ARID VIPER
- APT21
- GAMAREDON GROUP
- GOLD MELODY
- APT33
- APT14
- APT6
- APT39
- STAR BLIZZARD
- APT29
- APT-C-36
- APT28
- MUSTANGPANDA
- DARKHOTEL
- POLONIUM
- CLEAVER
- TONTO TEAM
- MOLERATS
- BITTER
- BAD MAGIC
- SIDEWINDER
- HAFNIUM
- SANDWORMTEAM
- GOLDENJACKEL
- HEXANE
- INDRIK SPIDER
- APT16
- FIN8
- APT9
- MANIC MENAGERIE
- 8220 GANG
- VENOM SPIDER
- APT41
- LUCKY CAT
- CONFUCIUS
- BUHTRAP
- APT1
- YOROTROOPER
- QUILTED TIGER
- TURLA
- DARK BASIN
- APT40
- SNOWGLOBE
- APT31
- KIMSUKY
- RANCOR
- GORGON GROUP
- APT12
- DARKHYDRUS
- APT32
- APT34
- MUDDLED LIBRA
- NAIKON
- LANCEFLY
- APT26
- APT4
- TA551
- TA505
- FIN7
- ALLOY TAURUS
- EQUATION GROUP
- PLATINUM
- EVASIVE PANDA
- APT25
- APT23
- UNC1878
- APT30
- NEWSPENGUIN
- WINTER VIVERN
- FLAX TYPHOON
- UNFADING SEA HAZE
- GREYENERGY
- HELLSING
- LONGHORN
- UNC4841
- WIZARDSPIDER
- GHOSTEMPEROR
- APT35
- APT3
- SILENCE GROUP
- DOPPEL SPIDER
- APT2
- BLACKTECH
- DRAGONOK
- APT36
- APT20
- TA428
- MUDDYWATER
- DNSPIONAGE
- APT37
- DARK PINK
- APT19
- APT24
- LAZARUS GROUP
- ROCKET KITTEN
- SILENT CHOLLIMA
- APT27
- UAC-0050
- TICK
- TODDYCAT
- APT10
- APT17
- APT43
- DARK CARACAL
- DONOT GROUP
- APT15
- GUI-VIL
- CAMARO DRAGON
- MAGNET GLOBIN
- EARTH BERBEROKA
- RED MENSHEN
- SIDECOPY
- UAC-0056
- GREENBUG
- APT18
- IMPERIAL KITTEN
- EARTH LUSCA
- ASYLUM AMBUSCADE
- EARTH KARAHANG
- MOONSTONE SLEET
APT22
Description
APT22 has conducted a long-running espionage campaign against Indian government and commercial organizations between early 2014 and mid-2015. The group used a range of commodity and custom tools combined with stolen certificates from a South Korean mobile operator to carry out their intrusions. APT22 threat actors have used strategic web compromises in order to passively exploit targets of interest. APT22 actors have also identified vulnerable public-facing web servers on victim networks and uploaded webshells to gain access to the victim network. This group's interest appears to be focused around commercial and government entities based in India. Arsenal / Toolkit PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM, ANGRYREBEL, DESTROYRAT, PLUGX, TCP/ICMP RAT
EVILNUM
Description
Active since 2018, the Evilnum APT is a group that has launched several low volume but targeted attack campaigns against victims in the UK and Europe. The group initially only targeted the financial sector but has now switched gears and is targeting immigration organizations. Evilnum was also observed targeting organizations related to cryptocurrency and DeFi, placing backdoors in their systems which allow the threat actors to steal valuable information or wait for opportunities to compromise financial platforms. During 2020, Evilnum’s tactics included spearphishing emails containing a link to a ZIP file hosted by Google Drive. The file contained shortcut files which extracted and executed a malicious JavaScript component all while displaying a decoy document.
ARID VIPER
Description
Arid Viper, also known as Desert Falcon or APT C-23, has been linked to attacks aimed at Palestine and the Middle East at least since 2014. This threat actor's main motivation is espionage and information theft, and has been attributed to malicious operators politically motivated towards the liberation of Palestine. Its victimology is dispersed all over the world, including Palestinian organizations and individuals. Arid Viper is not a technically evolved actor, however, it is known to target mobile and desktop platforms, including Apple iOS. Their toolkit consists of Delphi packers and compilers around their staple malware, Micropsia. This implant has also been ported to other platforms with versions based on Python and an Android version. Threat group has used an arsenal of homemade malware tools such as ViperRat and FrozenCell (also known as VolatileVenom) to execute and conceal its campaigns across Windows, Android, and iOS platforms.
APT21
Description
APT21 is a group of suspected state sponsored hackers of Chinese origin known to target high-profile victims like government agencies, nuclear power installations and embassies in dozens of countries. APT21 leverages spear phishing email messages with malicious attachment, links to malicious files, or web pages. They have also used strategic web compromises to target potential victims. APT21 frequently uses custom backdoors known as TRAVELNET and TEMPFUN and rarely uses publicly available tools. Using data compression and data-encoding methods allows APT21 attempts to steal huge amounts of data including sensitive data, document files from the target machine. The attack group continues to maintain the foothold and persistence for a relatively longer span to upload the victims data in chunks to the C2. Arsenal / Toolkit SOGU, TEMPFUN, GH0ST, TRAVELNET, HOMEUNIX, ZEROTWO, PCRAT
GAMAREDON GROUP
Description
The Gamaredon Group is a Russian state-sponsored cyber espionage group that has been active since 2013. Over the years, Gamaredon’s main target has always been Ukrainian government organizations. To bypass the government’s security measures, the threat group works continually to improve their malicious code over time. The initial infection vector reported on was weaponized documents written in both the Russian and Ukrainian languages and sent via spear-phishing techniques, exploiting the remote template injection vulnerability that enables attackers to bypass Microsoft Word macro protections to compromise target systems with malware, gain access to information, then spread the infection to other users.
GOLD MELODY
Description
Gold Melody threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers. Gold Melody has been linked to attacks exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228) servers. Besides relying on a diverse arsenal comprising web shells, built-in operating system software, and publicly available utilities, it's known to employ proprietary remote access trojans (RATs) and tunneling tools to execute arbitrary commands, gather system information, and establish a reverse tunnel with a hard-coded IP address. A successful foothold is succeeded by the deployment of web shells for persistence, followed by creating directories in the compromised host to stage the tools used in the infection chain.
APT33
Description
APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from “ALFA TEaM Shell,” a publicly available web shell. The use of multiple nonpublic backdoors suggests the group is supported by software developers. This group has used tools like NANOCORE, NETWIRE, TWINSERVE, TURNEDUP, DROPBACK to maintain, establish foothold and persistence. Alongside this PsExec, WMI, VB Scripts have been used for lateral movement. On a successful detonation of the target machine, the group has performed the following actions: Staged data in hidden $Recycle.Bin directories and used FastUploader tools. Arsenal / Toolkit TWINSERVE, TURNEDUP, GREATFALL, NANOCORE, NETWIRE, DROPBACK, MIMIKATZ, PROCDUMP, ADEXPLORER
APT14
Description
APT14 engages in cyber operations where the goal is data theft, with a possible focus on military and maritime equipment, operations, and policies. APT14 is known to target both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. The stolen data, especially encryption and satellite communication equipment specifications, could be used to enhance military operations, such as intercepting signals or otherwise interfering with military satellite communication networks. Arsenal / Toolkit GH0ST, POISONIVY, CLUBSEAT, GROOVY, TORNRAT
APT6
Description
APT6 is a Chinese cyber espionage group whose targeted China/US relations experts, Defense entities, and the Geospatial industry. APT6 engages in cyber operations where the goal is data theft, most likely data and projects that make an organization competitive within its field. APT6 targeted organizations headquartered in the U.S and U.K. APT6 has compromised and stolen sensitive information from various government and commercial networks. : APT6 utilizes several custom backdoors, including some used by other APT groups as well as those that are unique to the group. Arsenal / Toolkit BELUGA, EXCHAIN, PUPTENT, POISONIVY
APT39
Description
APT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle. For initial compromise, it has usually leveraged spear phishing emails with malicious attachments and/or hyperlinks typically resulting in a Powbat infection. APT39 frequently registers and leverages domains that masquerade as legitimate web services and organizations that are relevant to the intended target. Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as Antak and Aspxpsy, and used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources. Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of Powbat to establish a foothold in a target environment. During privilege escalation, freely available tools such as MIMIKATZ and NCRACK have been observed, in addition to legitimate tools such as Windows Credential Editor and ProcDump. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH. APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, AND BLUETRIPHAVE also been used to create socks5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip. Arsenal / Toolkit SEAWEED, CACHEMONEY, POWBAT, REDTRIP, PINKTRIP, BLUETRIP, CLEARPIPE, ANTAK, ASPXSPY, BLUETORCH, MIMIKATZ, NCRACK, PROCDUMP, WINDOWS CREDENTIAL EDITOR.
STAR BLIZZARD
Description
Star Blizzard has evolved to focus on improving its detection evasion capabilities. Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts. Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts. Star Blizzard utilizes the publicly available Evilginx framework to achieve their objective, with the initial access vector remaining to be spear-phishing via email. Target redirection to the threat actor’s Evilginx server infrastructure is achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a phishlet for the intended targets’ email provider.
APT29
Description
APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is known for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR). Some of the adversarial collective's cyber activities are tracked publicly under the moniker Nobelium, a threat cluster responsible for the widespread supply chain compromise through SolarWinds software in December 2020.
APT-C-36
Description
APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns. The initial infection vector is typically a PDF attachment sent by email. APT-C-36 has been known for their extensive and intricate use of Remote Access Trojans (RATs) to achieve their actions on objectives.
APT28
Description
APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor. APT28 has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. Fancy Bear uses a wide variety of phishing via malicious email and credential harvesting using fake websites embedded with malicious links. Additionally, Fancy Bear has developed multiple proprietary tools in all phases of its attack activity. Their most frequently used tools are XAgent, CompuTrace, ZEBROCY, XTUNNEL, etc. APT28 has also been observed using commercially available code repositories, and post-exploit frameworks such as Empire. It also used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. In recent attacks, the group has also leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers.
MUSTANGPANDA
Description
Mustang Panda, also known as HoneyMyte, Bronze President or Red Delta, is one of the more active APT groups in operation on the threat landscape today, with a wide variety of campaigns documented as far back as 2012. It is publicly attributed to China-based cyberespionage threat actors. It is continually honing its capabilities, but its core approach remains consistent, with the use of themed lures related to current events. These contain decoy documents and legitimate applications that are susceptible to DLL search order hijacking. Mustang Panda is known for its customized Korplug variants (also dubbed PlugX) and elaborate loading chains. Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links. Users are then lured into downloading and triggering the malware to execute, TONEINS, TONESHELL, and PUBLOAD. Researchers have also analyzed MQsTTang, a new custom backdoor that we attribute to the Mustang Panda APT group.
DARKHOTEL
Description
DarkHotel APT name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has conducted campaigns by spear phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses and also infected victims through peer-to-peer and file sharing networks. Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. The hotel network intrusion set provides the attackers with precise global scale access to high value targets. The travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Additionally, the APT polluting p2p networks to infect the masses, they delegitimize Certificate Authorities to further their attacks. They abuse weakly implemented digital certificates to sign their malcode. It is observed that they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and infostealer toolset.
POLONIUM
Description
POLONIUM is a cyberespionage group first documented by Microsoft in June 2022. According to Microsoft, the group is based in Lebanon and coordinates its activities with other actors affiliated with Iran’s Ministry of Intelligence and Security. POLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega, and OneDrive for command and control (C&C) communications. POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services, respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attackers’ servers. The group has also developed several custom modules to spy on its targets by taking screenshots, logging keystrokes, spying via the webcam, opening reverse shells, exfiltrating files, and more.
CLEAVER
Description
Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major Critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States. The group is believed to work from Tehran, Iran, although auxiliary team members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available, and customized tools to attack and compromise targets around the globe. Initial compromise techniques include SQL injection, web attacks, and creative deception based attacks – all of which have been implemented in the past by Chinese and Russian hacking teams. Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows privilege escalations, and were coupled with automated, worm-like propagation mechanisms. Customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface snifng, and keystroke logging. The group has ability to build customized tools to compromise any target they choose. Cleaver’s level of access into each organization varied greatly, including completely compromised systems and networks, Active Directory domain controllers and credentials, compromised data repositories and stolen VPN credentials. Compromised systems include Microsoft Windows web servers running IIS and ColdFusion, Apache with PHP, many variants of Microsoft Windows desktops and servers, and Linux servers. Compromised network infrastructure included Cisco VPNs as well as Cisco switches and routers.
TONTO TEAM
Description
Tonto Team, also called Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe. The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. Threat actor used Bisonal.DoubleT backdoor to target the victim. Bisonal.DoubleT is a unique tool developed by the Tonto Team APT. The attackers used a new downloader named TontoTeam.Downloader, also known as QuickMute.
MOLERATS
Description
MoleRats is an attack group with limited infrastructure and an open-source type of toolset, which conducts widespread attacks. The group threat actors rely a lot on chained attack stages to evade quick detection and hide the communication infrastructure. MoleRats are known to lure their victims using political and Middle Eastern themed phishing files. MoleRats campaign used disposable emails and domains as the phishing platform to target the victims. MoleRats used two backdoors dubbed SharpStage and DropBook, as well as the MoleNet downloader, all of which can allow the attackers the ability to execute arbitrary code and collect sensitive data for exfiltration from infected computers. The DropBook backdoor used fake Facebook accounts or Simplenote for command and control (C2) operations, and both SharpStage and DropBook implement a Dropbox client in order to exfiltrate the data stolen from their targets to a cloud storage, as well as for storing their espionage tools.
BITTER
Description
The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since. Bitter threat actors, in past, appears to target users in Bangladesh, a change from the attackers' usual victims. As part of this, there's a trojan named "ZxxZ," that, among other features, includes remote file execution capability. In recent attacks, researchers also noted updates to the first-stage payloads and the implementation of new layers of obfuscation to avoid detection. Threat actors also employed additional decoys for social engineering. The most common files used by the APT group are the CHM files, they can be used to execute arbitrary code with low user interaction. One of the CHM file analyzed by the experts was performing a similar activity through an encoded PowerShell command stage. One of the variants also created a scheduled task to execute a remote MSI payload using msiexec.
BAD MAGIC
Description
Bad Magic APT has been observed targeting individuals, diplomatic, research agriculture, government, and transportation organizations located in Ukraine region Donetsk, Lugansk, and Crimea. Bad Magic most likely uses spear-phishing messages with booby-trapped URLs to deliver a malicious ZIP archive hosted on an attacker-controlled web server. The archive contains a decoy document and a malicious LNK file with a double extension. The LNK file starts the infection and culminates in the deployment of a backdoor, named PowerMagic, which is written in PowerShell. The backdoor establishes a connection with a remote server and receives arbitrary commands that are executed on the infected machine. Subsequently, the results are uploaded to public cloud services such as Dropbox and Microsoft OneDrive, and OAuth refresh tokens are used as credentials. PowerMagic acts as a medium to deliver the CommonMagic framework that contains a set of several executable modules. These modules are capable of interacting with the C2 server, encrypting and decrypting C2 traffic, and executing plugins. In the recently discovered campaign involved using a modular framework named CloudWizard. Its features include taking screenshots, microphone recording, keylogging and more.
SIDEWINDER
Description
SideWinder APT mainly targeting Pakistan military targets, active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia. SideWinder primarily makes use of email spear-phishing, document exploitation, and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages. SideWinder also known to use Server-side polymorphism technique to target Pakistan Government Officials. The use of this technique allows the threat actor to potentially bypass traditional signature-based antivirus (AV) detection to deliver the next stage payload. SideWinder APT campaign also targeted Pakistan with a backdoor named 'WarHawk'. WarHawk contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable Injection and Pakistan Standard Time zone check in order to ensure a victorious campaign.
HAFNIUM
Description
Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the United States. Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Secondly, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network. Also, HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.
SANDWORMTEAM
Description
Sandworm, also known as Telebots, is one of the most dangerous Russian threat actors impacting industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. It is also believed that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Sandworm launched the wipers in parallel with Russia’s armed forces launching missile strikes targeting energy infrastructure. Sandworm may also behind the new malware called SwiftSlicer that targeted Ukraine entities.
GOLDENJACKEL
Description
The threat actors have maintained a low profile for stealthiness, carefully selecting their victims and keeping the number of attacks at a minimum to reduce the likelihood of exposure. The infection vectors of the APT are unknown. However, the researchers have observed signs of phishing operations with malicious documents that employ the remote template injection technique to exploit the Microsoft Office Follina vulnerability. Additionally, researchers have seen a case of trojanized 'Skype for Business' installers that drop a trojan alongside a legitimate copy of the software. Researchers have noticed code and TTP (techniques, tactics, and procedures) similarities with Turla, they track GoldenJackal as a separate activity cluster. According to the researchers, GoldenJackal employs a set of custom .NET malware tools that provide various functions, including credential dumping, data stealing, malware loading, lateral movement, file exfiltration, and more. The primary payload used first to infect a system is 'JackalControl,' which gives the attackers remote control over the infected computer. The malware can be run as a program or a Windows service and can establish persistence by adding Registry keys, Windows scheduled tasks, or Windows services. It receives encoded commands from the C2 server via HTTP POST requests, which concern the execution of arbitrary programs, exfiltration of files, or fetching additional payloads from the C2. The second tool used by the hackers is 'JackalSteal,' an implant devoted to data exfiltration from all logical drives on the compromised computer, including remote shares and even newly connected USB drives. The attackers can execute the stealer with arguments determining the targeted file types, paths, sizes, when files were last used, and exclude specific paths that security tools might monitor. All files matching the set parameters are encrypted using AES, RSA, or DES, then compressed with GZIP, and eventually transmitted to the C2 server. The third tool in GoldenJackal's arsenal is 'JackalWorm,' which infects USB drives to spread on potentially other valuable computers. It will create a copy of itself on the drive root using the same directory name and change the directory's attribute to "hidden." This will result in the actual directory being hidden and replaced with a copy of the malware with the directory name." To obfuscate its nature and trick the victim into executing it, 'JackalWorm' uses a Windows directory icon on the removable drive. The fourth tool used by the Golden Jackal APT is 'JacklPerInfo,' a basic system information collector with the additional capabilities of identifying and exfiltrating browsing history and credentials stored in web browsers. Serving like a typical info-stealer malware, JacklPerInfo can also exfiltrate files from the Desktop, Documents, Downloads, and AppDataRoamingMicrosoftWindowsRecent directories. The fifth and final malware tool used by this APT is the 'JackalScreenWatcher,' which is used for snapping screenshots on the infected device.
HEXANE
Description
Active since 2017, LYCEUM group is an Iranian APT group most active in the Middle east and in Africa in launching supply chain attacks. The group used a malware which is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net'. The malware leverages a DNS attack technique called "DNS Hijacking" in which an attacker- controlled DNS server manipulates the response of DNS queries and resolve them as per their malicious requirements.
INDRIK SPIDER
Description
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS). Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by Indrik Spider, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy. In the beginning of 2017, Dridex spam campaigns significantly declined, with new campaigns moving from high volume and frequency, to smaller, targeted distribution.
APT16
Description
APT16 is known to target Taiwanese news organizations allowing the actors to gain access to informants or other protected sources, who might then be targeted for further intelligence collection or even retribution. This is executed by a non-persistent proxy-aware HTTP backdoor named ELMER capable of performing file uploads and downloads, file execution, and process and directory listings. Arsenal / Toolkit IRONHALO, ELMER, DOORJAMB
FIN8
Description
FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like BADHATCH to steal payment card data from point-of-sale (POS) systems. The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal Powershell commands. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic.
APT9
Description
APT9 is a Chinese cyber espionage group that engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 group historically very active in targeting the pharmaceuticals and biotechnology industry. The actors have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 uses a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups. Arsenal / Toolkit SOGU, HOMEUNIX, PHOTO, FUNRUN, GH0ST, ZXSHEL, RIPTIDE , ICEFOG, PLUGX, POISONIVY, 3102 RAT, 9002 RAT, EVILGRAB RAT, MOONWIND RAT, TROCHILUS RAT.
MANIC MENAGERIE
Description
Manic Menagerie is a threat group mostly relied on exploiting vulnerable web applications to gain initial access to the servers, using a combination of automated scanning and manual interaction with the network. The actor used a web browser to manually interact with websites to identify vulnerabilities. Once identified, the vulnerability was manually exploited to create a web shell on the server to enable future steps. The actor used multiple publicly available web shells, including variants of ChinaChopper. When the web shell was in place, the actor switched from using a web browser to use a controller to perform future interactions with the web shell. The threat actors also exploits misconfigured services and uploading additional binaries to assist with privilege escalation. The ACSC identified three privilege escalation binaries used by the actors. All three were implemented proof-of-concept (POC) exploit code publicly available on the internet. The vulnerabilities used in privilege, CVE-2018–10388, CVE-2016–32259 and CVE-2016–009910, were patched prior to the compromise. In one instance, the actor used valid credentials to authenticate and subsequently login to an FTP server as a user with the home directory ‘C:’. The FTP server was configured to run as the local administrator user and gave the actor full read/write access to the victim’s system drive. Access to the FTP was used to backup and replace the binaries for several operating system services with binaries which, when executed, would install Gh0st RAT or perform credential manipulation known as RID hijacking. The actor deployed a utility that poorly implemented a technique known as RID hijacking. Using the utility, the actor created a new Windows user account with effective permissions of the local administrator account. RID hijacking is a relatively new technique that allows an attacker with local administration or higher privileges to replace the relative identifier (RID) of one account with that of another.
8220 GANG
Description
The 8220 Gang, a notorious Chinese-based threat actor group, has surfaced in the spotlight with a renewed assault on cloud based infrastructure. Through a meticulously orchestrated operation, the group has been exploiting well-known vulnerabilities, including CVE-2021-44228 and CVE-2022-26134, underscoring a persistent threat to cloud environments worldwide. By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access. Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected. The group was documented to have used Tsunami malware, XMRIG cryptominer, masscan, and spirit, amongst other tools in their campaigns. In the latest campaign, the utilization of Windows PowerShell for fileless execution is noted, which leads to the deployment of a cryptominer. In Linux variants, it will be in the form of a shell script which downloads miners and other malware later.
VENOM SPIDER
Description
VENOM SPIDER has developed several modules for Taurus Loader; these include a Stealer Module, a TeamViewer Module, a Reconnaissance Module and a Ransomware Module. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. Researchers recently observed a attack campaign where some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs.
APT41
Description
APT-41 is a state sponsored group aligned with China’s Five-Year economic development plans known to gather information related to merger and acquisitions and politics. The group uses spear-phishing emails with .chm attachments to compromise the victims. This group uses 9002 RAT, ASPXSpy, NjRat, RockBoot, PowerSploit to establish, maintain foothold and persistence. The group uses Meterpreter, AceHash, ADORE.XSEC, Mimikatz, NTDSDump, PwDump to carry out lateral movement lateral movement. It uses BlackCoffee, FTP, MessageTap, ChinaChopper, CertUtil for exfiltration. It uses rootkit and bootkit the installed malwares. Arsenal / Toolkit / Threat attribution 9002 RAT, ACEHASH, ADORE.XSEC, ASPXSPY, BARLAIY, BLACKCOFFEE, CERTUTIL, CHINA CHOPPER, COBALT STRIKE, COLDJAVA, CRACKSHOT, CROSSWALK, DEADEYE, DERUSBI, DIRTCLEANER, EASYNIGHT, GEARSHIFT, GH0ST RAT, HDROOT, HIGHNOON, HIGHNOTE, HKDOOR, JUMPALL, LATELUNCH, LIFEBOAT, LOWKEY, MESSAGETAP, METERPRETER, MIMIKATZ, NJRAT, NTDSDUMP, PACMAN, PIPEMON, PLUGX, POTROAST, PWDUMP, ROCKBOOT, SAGEHIRE, SHADOWHAMMER, SHADOWPAD WINNTI, SKIP-2.0, SPECULOOS, SWEETCANDLE, TERA, TIDYELF, WIDETONE, WINNTI, WINTERLOVE, XDLL, XDOOR, XMRIG, ZXSHELL, POWERSPLOIT, FTP
LUCKY CAT
Description
The Luckycat campaign attacked a diverse set of targets using a variety of malware, some of which have been linked to other cyber-espionage campaigns. Each malware attack involves a unique campaign code that can be used to track which victims were compromised by which malware attack. This illustrates that the attackers are both very aggressive and continually target their intended victims. In sum, the Luckycat campaign managed to compromise 233 computers. The Luckycat campaign use free web-hosting services that provide a diversity of domain names as well as IP addresses. This distributes the campaign, making it more difficult to track. However, the attackers also made use of Virtual Private Servers (VPSs). The attackers behind this campaign maintain a diverse set of C&C infrastructure and leverages anonymity tools to obfuscate their operations.
CONFUCIUS
Description
Confucius is an APT organization funded by India. Researchers have discovered that Confucius APT deploys Warzone RAT malware. Confucius uses both the Windows and Android Trojan programs to spy on the target to steal intelligence. The attack tools include SubBird, CharSpy and Hornbill, which have strong development and penetration capabilities. Confucius has also used a new variant of the known attack tool MessPrint.
BUHTRAP
Description
BuhTrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses. The Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). In June 2019, the Buhtrap group use a zero-day exploit as part of a campaign by using a local privilege escalation exploit, CVE-2019-1132, against one of its victims. The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Buhtrap has some infrastructure overlap with TA505, Graceful Spider, Gold Evergreen.
APT1
Description
APT1 is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit stationed in Pudong, Shanghai that has been alleged to be a source of Chinese computer hacking attacks. APT1's arsenal of digital weapons includes over 40 malware families in its arsenal / toolkit. Because these malware families have evolved over time, each family may include variants whose features differ in some detail from its family’s profile, including file names, registry keys, mutex names, and command and control addresses. In addition, some variants may not include every function that is described in the family’s profile APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006. Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership The main goal of APT intrusions is to steal data, including intellectual property, business contracts or negotiations, policy papers or internal memoranda. Once APT groups find files of interest on compromised systems, they often pack them into archive files before stealing them. They most commonly use the RAR archiving utility for this task, but may also use other publicly available utilities such as ZIP or 7-ZIP. APT threat actors not only compress data, but frequently password-protect the archive. From there they use a variety of methods to transfer files out of the victim network, including FTP, custom file transfer tools, or existing backdoors. Arsenal / Toolkit WEBC2, GETMAIL, LIGHTDART, MAPIGET, BISCUIT, MANITSME, STARSYPOUND, DAIRY, TARSIP, SWORD, HELAUTO, HACKSFASE, MACROMAIL, NEWSREELS, GREENCAT, AURIGA, GOGGLES, BANGAT, LONGRUN, SEASALT, WARP, TABMSGSQL, COMBOS, GDOCUPLOAD, COOKIEBAG, GLOOXMAIL, MINIASP, BOUNCER, CALENDAR, KURTON, POISON IVY, GH0ST RAT, , CACHEDUMP, FGDUMP, GSECDUMP, LSLSASS, MIMIKATZ, PASS-THE-HASH TOOLKIT, PWDUMPX, HTRAN, LIGHTBOLT
YOROTROOPER
Description
YoroTrooper threat actor has been running several successful espionage campaigns since at least June 2022. The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations. YoroTrooper employs a variety of self-developed and commodity malware families, such as Warzone RAT/AveMaria and LodaRAT. Credential stealers used by YoroTrooper are either custom scripts, which in some cases are based on the open-sourced Lazagne project or commodity stealers such as the Stink Stealer. All the Python-based malware used in the campaign is wrapped up into an executable using frameworks such as Nuitka or PyInstaller. The custom implants (stealers and RATs) use Telegram bots to exfiltrate information or receive commands from the operator.
QUILTED TIGER
Description
Dropping Elephant aka Quilted Tiger uses two main infection vectors that share a common, and fairly elaborately maintained, social engineering theme – foreign relations with China. The first approach involves spear-phishing targets using a document with remote content. As soon as the user opens the document, a “ping” request is sent to the attackers’ server. At this point, the attackers know the user has opened the document and send another spear-phishing email, this time containing an MS Word document with an embedded executable. Once the payload is executed, an UPX packed AutoIT executable is dropped. Upon execution, this downloads additional components from the attackers’ servers. Then begins the stealing of documents and data. The second approach involves capturing victims through watering hole attacks. The actor created a website that downloads genuine news articles from other websites. If a website visitor wants to view the whole article they would need to download a PowerPoint document. This reveals the rest of the article, but also asks the visitor to download a malicious artifact. The two main infection vectors are supported by other approaches. Sometimes, the attackers email out links to their watering hole websites. They also maintain Google+, Facebook and twitter accounts to develop relevant SEO and to reach out to wider targets.
TURLA
Description
Turla is one of the most advanced APTs in the world it is famous for developing new and very advanced techniques to avoid detection and to ensure the persistence on the targeted network. Turla has also used inventive, out-of-the box techniques, including using satellites to exfiltrate data from remote areas in North Africa and the Middle East. The group is known for the use of both unaltered and customized versions of open source software such as Meterpreter and Mimikatz, as well as bespoke malware such as Gazer, IcedCoffee, Carbon, and Mosquito. Their espionage platform is mainly used against Windows machines, but also against macOS and Linux machines with various backdoors and a rootkit. In June 2019, Turla Group was found to have infiltrated the computer network operations infrastructure of APT34, an Iranian threat group. This amounted to the effective takeover of the computer network operations of a nation-state group by state actors from another country. Again in 2019, Turla began relying heavily on PowerShell scripts for malware installation. Previously, it had also heavily targeted Microsoft vulnerabilities as well as email servers. Turla also often uses compromised WordPress websites as the foundation of its C2 infrastructure.
DARK BASIN
Description
Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. Researchers link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.
APT40
Description
APT40 is focused on targeting countries critical to China’s Belt and Road Initiative (i.e., Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom). The cyberespionage group also targeted universities and research centers involved in marine research, mostly from the USA. This was done with the intent to access advanced technology to accelerate the growth of the Chinese maritime industry. These attacks on the naval research firms ultimately support China’s dream to establish a blue-water navy in the South-China sea. APT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. Such tools include ScanBox, WindTone, Grillmark, BlackCoffee, Gh0st, WilDelk, KorPlug, HomeFry, RedMage, FieldGoal, RedMage, Eviltech, and Js Spy. This group also uses genuine software within the victim environment (RDP, SSH), publicly available tools (MurkyShell, MurkyTop), an array of native Windows capabilities, as well as custom scripts to accomplish internal reconnaissance. For lateral movement, the group uses native Windows utilities such as net:exe (a network resources management tool) and at:exe (a task scheduler). For initial foothold, the group also uses first-stage backdoors such as AirBreak, FreshAir, Photo, BadFlick, China Chopper, and Beacon, and targets VPN and remote desktop credentials. At later stages, for privilege escalation and password hash dumping, the group uses custom and publicly available credential harvesting tools like HomeFry, Windows Credential Editor (WCE), and Windows Sysinternals ProcDump. Arsenal / Toolkit AIRBREAK, BADFLICK, BLACKCOFFEE, ESKC2, EVILTECH, GHOSTRAT, CHINA CHOPPER, PHOTO, PLUGX, BEACON, JUMPKICK, JSPSPY, GRILLMARK, FIELDGOAL, DADBOD, BADSIGN, COOKIEFISH, GREENPIG, GSECDUMP, HOMEFRY, TWONICKS, WAVEKEY, COATHOOK, LAUNCHMONEY, PAPERRUSH, TRAFFIX, XTHEIF, MURKYTOP, REDMAGE, DISHCLOTH, RELAYRACE, WIDETONE, MURKYSHELL, WIDELK, MOVIETIME, QUARKSPWDUMP, WASHBOARD, ZXSHELL, TRANSPORTER, FINDLOCK, DEATHCLOCK, SCANBOX
SNOWGLOBE
Description
In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor called Animal Farm. Animal Farm aka Snowglobe which is made up of several implants known as Babar, Bunny, NBot, Dino, Casper and Tafacalou. Some of these tools have been used in past attacks against organizations, companies and individuals. One of the first tools believed to be used by this adversary to target a potential victim is Babar, also known as SNOWBALL. The Babar RAT has common features such as code execution, code injection into running processes, file stealing (the extensions listed in the configuration file come into play at this point). It has additional features such as being a key logger in order to record key strokes and it also has the possibility to steal the clipboard content (frequently used to store passwords in case the user uses password storage application such as KeePass).
APT31
Description
APT31 is a China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantage APT31 has been observed to use a range of tools for initial access, persistence and lateral movement, including but not limited to: SQL injection, Trochilus RAT, HanaRat, and other malwares. Stolen data has been compressed as rar files and staged in temp directories on compromised servers prior to exfiltration. In targeted intrusions, the group has been careful to compartmentalize command and control infrastructure in order to make it harder to link the APT group’s activity across multiple clients. The group has used public sites such as Github and Dropbox for command and control. Arsenal / Toolkit SOGU, LUCKYBIRD, SLOWGYRO, DUCKFAT, PLUGX, DROPBOXAES RAT, HANALOADER, METASPLOIT, MIMIKATZ, REVERSE ICMP SHELL, TROCHILUS
KIMSUKY
Description
Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission. It commonly employs social engineering tactics, spearphishing, and watering hole attacks to gain initial access and exfiltrate desired information from victims. The threat group mainly targeting individual users rather than companies but has also been continuously attacking public institutions and companies. The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. In recent years Kimsuky has expanded their operations to include states such as Russia, the United States, and European nations.
RANCOR
Description
Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. Researchers have identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages. These decoys contain details from public news articles focused primarily on political news and events. Based on this, researchers believes that the Rancor attackers were targeting political entities. Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case, Facebook. Researchers were able to identify the final payloads used, the DDKONG or PLAINTEE malware families were used. Researchers have observed that DDKONG in use between February 2017 and the present, while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017.
GORGON GROUP
Description
The Gorgon Group being tracked as Subaat is active since 2017. Subaat drew attention due to renewed targeted attack activity. As a part of monitoring Subaat included the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. In addition to the numerous targeted attacks, it was observed that the group also performed a litany of attacks and operations around the globe, involving both criminal as well as targeted attacks. Additionally, the members of Gorgon Group were also performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations. Gorgon Group's activity is interesting because in addition to traditional command and control (C2) domain utilization, Gorgon Group used common URL shortening services to download payloads, which then provide an extensive list of click counts and statistical data.
APT12
Description
APT12, also known as DNSCalc, BRONZE GLOBE, Numbered Panda, targets organizations in a wide range of sectors including technology, media and government. The group has leveraged multiple remote access trojans including Gh0st as part of its campaigns. Screen saver files, which are binary executables and PDF documents, are common Numbered Panda weaponization tactics. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. This effectively helps Numbered Panda bypass egress filtering implemented to prevent unauthorized communications on some enterprises.
DARKHYDRUS
Description
The DarkHydrus group carried out an attack campaign targeting government agency in the Middle East using malicious .iqy files. The .iqy files take advantage of Excel's willingness to download and include the contents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command to install a PowerShell scripts to gain backdoor access to the system. The PowerShell backdoor delivered in this attack was custom developed by the threat group. DarkHydrus pieced together this tool by using code from legitimate open source tools. Later in another campaign DarkHydrus threat group carryied out a credential harvesting attack in June 2018. The attacks were targeting government entities and educational institutions in the Middle East. The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials. DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. This group was then observed using tactics such as registering typosquatting domains for security or technology vendors, abusing open-source penetration testing tools known as AppLocker bypass, and leverages novel file types as anti-analysis techniques.
APT32
Description
The Ocean Lotus APT group is a hacker group operating against both private and government organizations and their opponents since 2014. The primary motivation behind the attacks carried out by the Ocean Lotus group is information theft and espionage – given the private information sought to be obtained in the attacks and the high-profile individuals targeted. The techniques, tactics, and procedures used by the Ocean Lotus group to violate the security of the target system in their attacks help define the threat group’s characteristics and determine the countermeasures that can be taken.
APT34
Description
APT34 or OilRig APT carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities. However, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The technique used by this APT involves Organized evasion testing used the during development of their tools, Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration, Custom web-shells and backdoors used to persistently access servers. OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.
MUDDLED LIBRA
Description
Muddled Libra threat actors are both methodical and flexible in their attack technique, able to pivot to another vector or even modify an environment to allow for their favored attack path. Muddled Libra shows proficiency in a range of security disciplines and can thrive and execute "devastating" attack chains rapidly, even in environments that organizations have adequately secured by most standards. The group's attacks typically start with reconnaissance to create profiles of targets, followed by the development of resources, such as setting up lookalike phishing domains and the deployment of the Oktapus phishing kit. These resources eventually lead to a smishing attack that sends a lure message directly to the targeted employees' mobile phones. The message claims the need to update account information or re-authenticate to a corporate application and includes a link that emulates a familiar corporate log-in page. The attackers then employs social engineering in conversation with the employee to gain access to the network, capturing credentials to be used for initial access and navigating multifactor authentication (MFA), either by asking for a code or generating an endless string of MFA prompts until the user accepts one out of fatigue or frustration, in a tactic known as MFA bombing. Once after establishing a network foothold, Muddled Libra moves quickly to elevate access using standard credential-stealing tools such as Mimikatz, ProcDump, DCSync, Raccoon Stealer, and LAPSToolkit. Muddled Libra also deploys at least a half dozen free or demo versions of remote monitoring and management (RMM) tools, which are legitimately used within organizations and thus won't arouse suspicion, once it gains access to an environment. The group also engages in a series of evasive maneuvers, including disabling antivirus and host-based firewalls; attempting to delete firewall profiles; creating defender exclusions; and deactivating or uninstalling EDR and other monitoring products to ensure persistence on the network. In the final stage, Muddled Libra eventually moves on to accessing and exfiltrating data, which appears to be its primary goal. To exfiltrate data, the group attempted to establish reverse proxy shells or secure shell (SSH) tunnels for command and control (C2) or used common file-transfer sites or the Cyberduck file-transfer agent.
NAIKON
Description
Naikon APT group is a China-linked cyber espionage group that has been active at least since 2010 and that remained under the radar since 2015 while targeting entities in Asia-Pacific (APAC) region. Chinese state-sponsored cyberespionage gang Naikon, also known as Override Panda and Lotus Panda, is using a combination of spear-phishing with weaponized documents and open-source pen-testing tools to stage out the attack. Naikon also aims to exfiltrate confidential information with the phishing attack. The APT employed a secondary backdoor, tracked Nebulae, to gain persistence on the infected systems. The malware gains persistence by adding a new registry key to automatically execute the malicious code on system restarts after login.
LANCEFLY
Description
Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years. Lancefly’s custom malware, dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018. The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted. The attackers in this campaign also have access to an updated version of the ZXShell rootkit. PlugX is also seen being used by Lancefly. PlugX is a remote access Trojan (RAT) with multiple functionalities including backdoor access and data exfiltration. ShadowPad is also used by these attackers.
APT26
Description
APT26 is known to leverage supply chain attacks by compromising third party service providers that host victim websites. It is known to use web application framework exploits to gain initial access to the target network. The group uses webshell to maintain low level persistence. The group further uses tools like Cobalt Strike, Derusbi, FormerFirstRAT, Hurix, Mivast, PlugX, Sakula RAT, StreamEx, Winnti, Living off the Land (LOLBAS tools) to gain foothold and maintain persistence. The group uses tools like GSEDump, RDP, PsExec, at command and stolen credentials to carry out lateral movement. It uses methods in SETHC:exe accessible from RDP to exploit systems in the network. The group is known to use anti-forensic techniques. They install malicious proxies on compromised windows servers to bypass proxy logging. The malware is known to use date/time stomping to confuse forensic tools. There are some more unique attack patterns used by the group. The group is known to abuse code signing to sign it’s custom backdoors. The malware is proxy aware and uses stolen credentials to bypass NTLM authentication. It is known to use Htran for data infiltration. Arsenal / Toolkit / Threat attribution COBALT STRIKE, DERUSBI, FORMERFIRSTRAT, HURIX, MIVAST, PLUGX, SAKULA RAT, STREAMEX, WINNTI, LIVING OFF THE LAND(LOLBAS), GSEDUMP, SOGU, HTRAN, POSTSIZE, TWOCHAINS, BEACON, PSEXEC.
APT4
Description
APT4 is a Chinese cyber espionage group that appears to target the Defense Industrial Base (DIB) at a higher rate of frequency than other commercial organizations. APT4 actors often leverage spear phishing messages using U.S. government, Department of Defense, or defense industrial base themes. APT4 actors may repurpose valid content from government or U.S. DoD web sites within their message bodies to lend them legitimacy. The main goal of this attack group is to obtain sensitive documents to high level executives within a variety of target organizations, of which the vast majority have been defense related. This group has historically used the Wkysol (aka Sykipot) backdoor and installer that also has the capability to hijack smart cards on victims. Arsenal / Toolkit GH0ST RAT, WKYSOL, ZXPORTMAP, GETKYS, LIFESAVER, CCHIP, SHYLILT, SWEETTOOTH, PHOTO, SOGO
TA551
Description
TA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking victims. TA551 uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. TA551 infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file. TA551 has historically pushed different families of information-stealing malware like Ursnif (Gozi ISFB), Emotet and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID (Bokbot) malware, another information stealer. TA551 has also added the Sliver red-teaming tool to its bag of tracks.
TA505
Description
TA505 has been in the cybercrime business for several years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. TA505 hacking group believed to reside in Russia and the threat actors from this group involved in various high profile cyber attacks delivered through malicious email campaigns. The TA505 hacking group ran a spear phishing campaign targeting a financial institution with the help of a signed version of the ServHelper backdoor and a number of LOLBins designed to help the operation evade detection. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.
FIN7
Description
FIN7’s initial access techniques have diversified to include software supply chain compromise and the use of stolen credentials, in addition to their traditional phishing techniques. FIN7 also continued to leverage PowerShell throughout their intrusions, including in a new backdoor called POWERPLANT, which FIN7 has continually developed over the last two years. It has also observed FIN7 use POWERPLANT as their first stage malware instead of LOADOUT and/or GRIFFON in newer intrusions. Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time.
ALLOY TAURUS
Description
Alloy Taurus is a Chinese nation-state-affiliated threat actor that focuses on cyberespionage and is best known for targeting major telecommunications companies. To compromise targeted networks, the threat actor targets unpatched internet-facing services using publicly available exploits and have been known to target known vulnerabilities. Alloy Taurus has unleashed a variants of PingPull malware to target Windows and Linux systems. The Linux malware variant is being used along with another backdoor malware, called Sword2033, in a campaign targeting multiple entities in South Africa and Nepal.
EQUATION GROUP
Description
The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is one of the most sophisticated cyber attack groups in the world and they are the most advanced threat actor. Researchers call this threat actor the Equation group because of their love for encryption algorithms and obfuscation strategies and the sophisticated methods used throughout their operations. The Equation group uses the RC5 and RC6 encryption algorithms quite extensively throughout their creations. They also use simple XOR, substitution tables, RC4 and AES. The Equation group uses a vast C&C infrastructure that includes more than 300 domains and more than 100 servers. The servers are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.
PLATINUM
Description
The group, considered an advanced persistent threat, has been active since at least 2009, targets victims via spear-phishing attacks against government officials' private email addresses, zero-day exploits, and hot-patching vulnerabilities. Upon gaining access to the victims' computers, the group steals economically sensitive information. PLATINUM kept a very low profile until it abused the Microsoft Windows hot patching system which was detected and publicly reported in April 2016. In June 2017, PLATINUM became notable for exploiting the serial over LAN (SOL) capabilities of Intel's Active Management Technology to perform data exfiltration. The attack technique of this group is that once having control of a target's computer, PLATINUM actors can move through the target's network using specially built malware modules. These have either been written by one of the multiple teams working under the Platinum group umbrella, or they could have been sold through any number of outside sources that Platinum has been dealing with since 2009. The piece of malware most widely used by PLATINUM was nicknamed Dispind by Microsoft. This piece of malware can install a keylogger, a piece of software that records (and may also be able to inject) keystrokes. PLATINUM also uses other malware like "JPIN" which installs itself into the %appdata% folder of a computer so that it can obtain information, load a keylogger, download files and updates, and perform other tasks like extracting files that could contain sensitive information. "Adbupd" is another malware program utilised by PLATINUM, and is similar to the two previously mentioned. It is known for its ability to support plugins, so it can be specialised, making it versatile enough to adapt to various protection mechanisms.
EVASIVE PANDA
Description
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. The group implements its own custom malware framework with a modular architecture that allows its backdoor, known as MgBot, to receive modules to spy on its victims and enhance its capabilities. It has also found several malicious Android applications installs the trojan known as KSRemote were also part of the toolset used by this APT group.
APT25
Description
APT25 group targets Wifi, physical connection, file shares, peer to peer networks which are present in business Hotels or Business centers. They compromise the hotel servers and upload malicious code. The group uses spear phishing emails and peer to peer networks to compromise the victim initially to redirect to the malwares. The group uses forged digital certificates to convince victims to download malwares hosted on the servers. After the initial compromise the threat actors install malwares on the victim machines. The malwares can range from keyloggers to banking trojans. Gootkit is one of the most well known tools used by the attack group. After completing the mission the victim machine is the attackers clean up the tools used by them to avoid getting identified. Arsenal / Toolkit / Threat attribution LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, SABERTOOTH, LNEXSMAR, GOOTKIT
APT23
Description
APT23 is an attack group known for perpetrating attacks against government institutions, military agencies, hospitals, and the banking industry targeting air-gapped environments and has been active since 2011. APT23 has used spear phishing messages to compromise victim networks, including education-related phishing lures. APT23 actors are not known to use zero-day exploits, but this group has leveraged those exploits once they have been made public. APT23 prefers to target military hospitals and national banks as initial footholds and laterally move to a physically isolated network in order to steal information related to defense- and marine-related intelligence. The group has also taken its time to monitor their targets and study their network environments in order to steal intelligence from physically isolated networks Arsenal / Toolkit NONGMIN, USBFERRY
UNC1878
Description
UNC1878 was responsible for the attack that rocked the Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider. UNC1878 usually gains initial access via phishing campaigns. Once they’ve gained initial access, they target credentials and extend their access. UNC1878 performs extensive active directory reconnaissance using public tools like Bloodhound, AdFind, and PowerSploit, which all provide detection opportunities. The end goal is to deploy RYUK ransomware, Previously, UNC1878 had a very particular modus operandi, they would gain initial access with TrickBot, then deploy Cobalt Strike BEACON, followed by the eventual deployment of RYUK ransomware.
APT30
Description
APT30 predominantly targets entities that may satisfy governmental intelligence collection requirements. The vast majority of APT30’s victims are in Southeast Asia. Much of their social engineering efforts suggest the group is particularly interested in regional political, military, and economic issues, disputed territories, and media organizations and journalists who report on topics pertaining to China and the government’s legitimacy. This group has used tools like Backspace, Neteagle, Shipshape, Spaceship, Flashflood to maintain, establish foothold and persistence. The group’s primary goal appears to be sensitive information theft for government espionage by performing the following actions: The ability to steal information (such as specific file types), the ability to infect removable drives with the potential to jump air gaps, placing the toolkits in “hide” mode to remain stealthy on the victim host, presumably for long-term persistence. Arsenal / Toolkit BACKSPACE, NETEAGLE, SHIPSHAPE, SPACESHIP, FLASHFLOOD, MILKMAID, ORANGEADE, CREAMSICLE, BACKBEND, GEMCUTTER
NEWSPENGUIN
Description
Threat actor dubbed "NewsPenguin" has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure. The attacker sent out targeted phishing emails with a weaponized document attached to the victim. The document utilizes a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution.
WINTER VIVERN
Description
Winter Vivern was first documented by DomainTools in 2021 when it was seen targeting government organizations in Lithuania, Slovakia, the Vatican, and India. In recent campaigns observed, the hackers target individuals working in the governments of Poland, Italy, Ukraine, and India. The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information. Winter Vivern APT falls into a category of scrappy threat actors, being quite resourceful and able to accomplish a lot with potentially limited resources while willing to be flexible and creative in their approach to problem-solving. One malware family of recent activity is "APERETIF", named by CERT-UA based on the development PDB path inside the sample. APERETIF is a trojan, automating the collection of victim details, maintaining access, and beaconing outbound the actor-controlled domain. The samples align with the theme of attacks mimicking a virus scanner, presenting users with the fake scan results similar to the script loaders.
FLAX TYPHOON
Description
Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. Flax Typhoon focuses on persistence, lateral movement, and credential access. Flax Typhoon is known to use the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther virtual private network (VPN) client. Additionally, Flax Typhoon primarily relies on living-off-the-land techniques and hands-on-keyboard activity. Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Following initial access, Flax Typhoon uses command-line tools to first establish persistent access over the remote desktop protocol, then deploy a VPN connection to actor-controlled network infrastructure, and finally collect credentials from compromised systems. Flax Typhoon further uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.
UNFADING SEA HAZE
Description
Active since 2018, "Unfading Sea Haze" threat group has a wide variety of custom tools in its arsenal, which comprises variants of "Gh0st RAT" such as "SilentGh0st" and its evolutionary successor "InsidiousGh0st", "TranslucentGh0st", "FluffyGh0st", and "EtherealGh0st", the latter three of which are modular and adopt a plugin-based approach. One specific technique employed by "Unfading Sea Haze" – running JScript code through a tool called "SharpJSHandler" – resembled a feature found in the 'FunnySwitch' backdoor. Unfading Sea Haze has been observed regaining access to the same entities through spear-phishing emails containing booby-trapped archives. These archive files come fitted with Windows shortcut (LNK) files that, when launched, set off the infection process by executing a command that's designed to retrieve the next-stage payload from a remote server. This payload is a backdoor dubbed 'SerialPktdoor' that's engineered to run PowerShell scripts, enumerate directors, download/upload files, and delete files. At least since September 2022, Unfading Sea Haze is known to incorporate commercially available Remote Monitoring and Management [RMM] tools such as 'ITarian RMM' to gain a foothold on victim networks. Also put to use is a loader known as Ps2dllLoader that can bypass the Antimalware Scan Interface (AMSI) and acts as a conduit to deliver "SharpJSHandler", which operates by listening for HTTP requests and executes the encoded JavaScript code using Microsoft.JScript library. Present among the complex arsenal of malicious agents and tools used by Unfading Sea Haze is a third backdoor referred to as "SharpZulip" that utilizes the Zulip messaging service API to fetch commands for execution from a stream called "NDFUIBNFWDNSA."
GREYENERGY
Description
GreyEnergy is a cyber-espionage group dubbed GreyEnergy successor to the BlackEnergy APT group which went ‘underground‘ a few years ago after terrorizing Ukraine until 2015. The group is closely related to TeleBots, responsible for NotPetya. The group is using a unique family of malware that we detect as GreyEnergy. The design and architecture of the malware are very similar to those of the BlackEnergy malware. GreyEnergy group deployed a NotPetya-like worm in December 2016, and a more advanced version of this malware was used later by the TeleBots group in the notorious June 2017 attack. The GreyEnergy group’s activity, we have mostly seen the attackers use two initial infection vectors. The first one is relevant for organizations with self-hosted web services. The second infection vector is the use of spearphishing emails with malicious attachments. The malicious documents have been dropping “GreyEnergy mini”, a lightweight first-stage backdoor that does not require administrative privileges. After compromising a computer with GreyEnergy mini, attackers map the network and collect passwords in order to obtain domain administrator privileges. With these privileges, the attackers can control the whole network. The GreyEnergy group uses fairly standard tools for these tasks: Nmap and Mimikatz. Once attackers are done with the initial network mapping, they can deploy their flagship backdoor – the main GreyEnergy malware which requires administrator privileges, which must already have been obtained before this stage is reached. According to the research, the GreyEnergy actors deploy this backdoor mainly on two types of endpoints: servers with high uptime, and workstations used to control ICS environments. To make communication with command and control (C&C) servers stealthier, the malicious actors deploy additional software on internal servers in the compromised network, so each server would act as a proxy. Such a proxy C&C redirects requests from infected nodes inside the network to an external C&C server on the internet.
HELLSING
Description
Hellsing threat actor uses a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organizations. If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself. It is observed that Hellsing threat actor uses a RAR, ZIP and 7ZIP archives in the attacks – the 7ZIP archives with passwords were probably introduced as a way to bypass the recent security features on Gmail, which block password-protected archives with executables inside. Once the Hellsing attackers compromise a computer, they deploy other tools which can be used for gathering further information about the victim or doing lateral movement. One such tool is “test:exe”. This tool is used to gather information and test available proxies. Another tool used by the attackers is called “xKat”. This is a powerful file deletion and process killer which uses a driver (Dbgv.sys) to perform the operations. Each backdoor has a command and control server inside as well as a version number and a campaign or victim identifier. It is suspected that Hellsing group have targeted the APT 30.
LONGHORN
Description
The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and their Techniques, Tactics, and Procedures (TTPs) suggests the Longhorn group is a state-sponsored crew. Longhorn has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets. While active since at least 2011, with some evidence of activity dating back as far as 2007, Longhorn first discovered its activity in 2014 with the use of a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a target with Plexor. Before deploying malware to a target, the Longhorn group will preconfigure it with what appears to be target-specific code words and distinct C&C domains and IP addresses for communications back to the attackers. Longhorn tools have embedded capitalized code words, internally referenced as 'groupid' and 'siteid', which may be used to identify campaigns and victims. Longhorn’s malware has an extensive list of commands for remote control of the infected computer. Most of the malware can also be customized with additional plugins and modules. Longhorn’s malware also appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities. The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals—all attempts to stay under the radar during intrusions. Some of the tools used by this threat actor were released by Wikileaks under the name 'Vault 7'.
UNC4841
Description
UNC4841 has primarily relied upon three principal code families to establish and maintain a presence on an ESG appliance, following the successful exploitation of CVE-2023-2868. The code families include SALTWATER, SEASPY, and SEASIDE were identified in the majority of UNC4841 intrusions. All three code families attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued. UNC4841 was able to format TAR files in a particular manner to trigger a command injection attack that enabled them to remotely execute system commands with the privileges of the Email Security Gateway product. UNC4841 attached files with a ".tar" extension in the filename, whereas in later emails they used different file extensions such as ".jpg" or ".dat". Post initial compromise, UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances.
WIZARDSPIDER
Description
WizardSpider is a Russian-based financially motivated criminal group that has been conducting ransomware campaigns since August 2018. The gang works in multiple teams, conducting simultaneous operations with different ransom payloads. This group has more malware and hacktools than any other gang associated with Ransomware This group has a record of financially damaging actions across many sectors. They’ve been known to attack educational institutions, and both state and local government organizations. While the Ryuk ransomware has long been their weapon of choice, the group’s newest tools have them in a position to attack many more public sector organizations at a time when they’re incredibly vulnerable. Arsenal / Toolkit ADFIND, BLOODHOUND, COBALTSTRIKE, DYRE, EMOTET, TRICKBOT, EMPIRE, ICEDID, MIMIKATZ, NET, RYUK
GHOSTEMPEROR
Description
GhostEmperor APT group uses various attack methods, including spear-phishing, malicious email attachments, and network vulnerability exploits. This threat actor uses various tools and techniques to remain unnoticed, including fake domain names, encrypted communication channels, and multi-staged propagation of malicious programs. They also use remote access tools (RAT) and custom-developed malware to gain access to the victim's systems and control them. GhostEmperor usually aims to steal data or conduct espionage.
APT35
Description
APT35 is an Iranian government-sponsored cyber espionage team that conducts long-term, resource-intensive operations to collect strategic intelligence. APT35 has relied on sophisticated tools, including publicly available webshells and penetration testing tools, suggesting a relatively nascent development capability. APT35 typically relies on spearphishing attacks to initially compromise an organization. It also observed the group using compromised accounts with credentials harvested from prior operations, strategic web compromises, and password spray attacks against externally facing web applications as additional techniques to gain initial access. APT35 has been observed leveraging Log4Shell attacks to drop a PowerShell-based framework dubbed CharmPower backdoor. TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
APT3
Description
APT3 is a China-based threat group linked to the Chinese Ministry of State Security (China's Intelligence Services) that was first discovered in 2010. The group was responsible for several popular cyber espionage campaigns, including Operation Clandestine Wolf (2015), Clandestine Fox (2014), and Double Tap (2014). APT3 has a history of using browser-based exploits such as zero-days to infiltrate inside the targeted network. After successfully exploiting and infiltrating into a targeted host, they quickly dump credentials, move sideways to additional hosts, and install the custom backdoors (like RemoteCMD, OSInfo, and ShotPut), as well as custom-built malware. The group also used variants of the sophisticated hacking tools connected to other popular groups, including the Equation Group. The group is known to steal critical information from private organizations or government entities, to fulfill the larger Chinese political economic or military goals. The threat actors are interested in the exfiltration of essential government documents to gain a strategic and competitive advantage for the Chinese government and private organizations. For instance, at present when several ambitious projects of China are unfolding, like One Belt One Road (OBOR) projects, the APT3 could be seen targeting the project’s regional opponents. Arsenal / Toolkit SHOTPUT, SOGU, PLUGX, OSINFO, REMOTECMD, DOUBLEPULSAR, FUZZBUNCH, ETERNALBLUE, ETERNALSYNERGY, ETERNALROMANCE, COOKIECUTTER
SILENCE GROUP
Description
Silence APT group is a Russian-language-speaking group appears to be evolving into a major threat to banks and financial institutions everywhere, but especially in Asia, Europe, Russia, and the former Soviet Union states. Like most APTs, Silence uses phishing emails to infect their victims. In October 2018, however, Silence implemented new tactics, that is the gang began sending out reconnaissance emails as part of a preparatory stage for their attacks. Silence’s “recon” looks like a “mail delivery failed” message that usually contains a link without a malicious payload. Such “recon” emails allow cybercriminals to obtain a list of valid emails for future attacks and get information about the cybersecurity solutions used by a targeted company all the while remaining undetected. At the initial infection stage, in addition to their infamous primary loader Silence.Downloader (aka TrueBot), the cybercriminals started using Ivoke, a fileless loader, written in PowerShell. Another new tool in Silence’s arsenal is a previously unknown PowerShell agent based on Empire and dnscat2 projects, dubbed EmpireDNSAgent or simply EDA. The Trojan is used during the lateral movement stage and is designed to control compromised systems by performing tasks through the command shell and tunneling traffic using the DNS protocol. In addition to its custom Atmosphere Trojan, Silence also started using xfs-disp:exe which is also a Trojan deployed during the attack execution stage. Silence has also changed their encryption alphabets, string encryption, and commands for the bot and the main module. Moreover, the actor has completely rewritten TrueBot loader, the first-stage module.
DOPPEL SPIDER
Description
Doppel Spider, a threat actor affiliated with Evil Corp and was first discovered by CrowdStrike. Doppel Spider with moderate confidence was comprised of former operators from the GOLD DRAKE threat group. Doppel Spider adopted the name DoppelPaymer for their ransomware after security researchers used the moniker to refer to it publicly. Intrusions largely relied on the modified Dridex malware, colloquially referred to as Dridex 2.0, for both initial access and lateral movement. The threat group uses spam emails, sometimes delivered using the Cutwail v2 botnet, to deliver Dridex onto victims' networks. Additionally, PowerShell Empire or Cobalt Strike were also deployed into the environment to augment the capabilities of Dridex.
APT2
Description
APT2 is a Chinese cyber espionage group responsible for a series of cyberespionage operations originating in Shanghai linked to the activity of the People’s Liberation Army 3rd General Staff Department 12th Bureau Unit 61486. APT 2 targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398. APT2 is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of the US Defense and European satellite and aerospace industries. The PLA’s GSD Third Department is generally acknowledged to be China’s premier Signals Intelligence (SIGINT) collection and analysis agency, and the 12th Bureau Unit 61486, headquartered in Shanghai, supports China’s space surveillance network. Arsenal / Toolkit MOOSE, WARP, MSUPDATER, 3PARA RAT, 4H RAT, HTTPCLIENT, PNGDOWNER, SEARCHFIRE
BLACKTECH
Description
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. It has been observed that it develops new tools, including the Consock malware discovered in 2018, the Waterbear loader found in 2020 and various ELF variants of the TSCookie malware. BlackTech’s attack chain typically starts with a spearphishing email sent to the target, which spoofs the address of a legitimate company and was found using a downloader called Flagpro and backdoor called BTSDoor. According to the researchers BlackTech's operations are concentrated on espionage, corporate data mining and information exfiltration.
DRAGONOK
Description
According to the researchers, DragonOK APT is more focused on high-tech and manufacturing companies in Japan and Taiwan with the likely goal of economic espionage. It seems that the groups, while operating in distinctly different regions, either collaborate, receive the same training, share a common toolkit supply chain, or some combination of these scenarios. Which means they are employing a ‘production line’-type approach to initiating cyber attacks to breach defenses. The DragonOK APT campaigns uses custom-built backdoors and remote-administration tools (RATs) to infiltrate their targets’ networks. DragonOK use the HUC Packet Transmit Tool (HTRAN) proxy tool to hide their geographical locations, and use password-protected documents and large file sizes to disguise their attacks. Among the tools used by the group are Mongall, Nflog, PoisonIvy and CT/NewCT/NewCT2. Later, researchers have discovered that DragonOK APT has updated its toolset, and the decoy documents it has used in attacks suggest that its list of targets may have been expanded to include Russia and Tibet.
APT36
Description
APT36 (also known as Transparent Tribe) is continuously updating its arsenal while adding new tools and new TTPs. APT-36 has registered several domains spoofing Indian government organization sites to launch credential harvesting and phishing attacks.
APT20
Description
APT20 is a China-based hacking group, likely working to support the interests of the Chinese government and tasked with obtaining information for espionage purposes. APT20 generally targets the software token in use in the victim’s organization during their intrusion to achieve their goal of exfiltrating data, sabotaging systems, maintaining access and jumping to additional targets. With access to the victim’s network through legitimate VPN accounts and the stolen credentials to highly privileged accounts in one or multiple domains the actor then uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems Arsenal / Toolkit QIAC, SOGU, GH0ST, ZXSHELL, POISON IVY, BEACON, HOMEUNIX, STEW, MIMIKATZ, WEBSHELL, SOCKET TUNNEL, XSERVER, BLOODHOUND, KEETHIEF, KERBEROAST, PLUGX, PROCDUMP, PSEXEC, SHARPHOUND, SMBEXEC, LIVING OFF THE LAND, HASH, FLYZAP, GOLFPRO, SAFEPUTT, CAKELOG, CANDYCLOG, COOKIECLOG, CETTRA
TA428
Description
Researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019. These campaigns originated from adversary-operated free email sender accounts at yahoo[.]co[.].jp and yahoo[.]com. Sender addresses often imitated common names found in the languages of targeted entities. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions. The lures used in the subjects, attachment names, and attachment content in several cases utilized information technology themes specific to Asia such as governmental or public training documents relating to IT. On one specific occasion an email utilized the subject “ITU Asia-Pacific Online CoE Training Course on ‘Conformity & Interoperability in 5G’ for the Asia-Pacific Region, 15-26 April 2019” and the attachment name “190315_annex 1 online_course_agenda_coei_c&i.doc”. The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries. This actor worked together with Emissary Panda, APT 27, LuckyMouse, Bronze Union in Operation StealthyTrident. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the identified Cotx campaigns.
MUDDYWATER
Description
MuddyWater also known as MERCURY, Earth Vetala, Static Kitten, Seedworm, and TEMP.Zagros, MuddyWater is an Iranian APT and a subservient element within the Iranian Ministry of Intelligence and Security (MOIS). These APT conducts broad cyber campaigns, exploiting publicly reported vulnerabilities and using open-source tools and strategies to gain access to their target’s systems. It uses several malware variants such as PowGoop, Canopy, Small Sieve, POWERSTATS, and Mori. Additionally, it also uses malicious documents to deploy Remote Access Trojans (RATs) on vulnerable systems. In one of the attacks discovered by the researchers, MuddyWater hosts the maldocs on attacker-controlled or public media-sharing websites which are downloaded by malicious PDFs. The PDFs are distributed via email and are designed to trick targets into downloading and opening them. In addition to that, MuddyWater frequently relies on the use of DNS to contact their C2 servers, while the initial contact with hosting servers is done via HTTP. Their initial payloads usually use PowerShell, Visual Basic and JavaScript scripting along with living-off-the-land binaries (LoLBins) and remote connection utilities to assist in the initial stages of the infection.
DNSPIONAGE
Description
In one of the campaign observed by the researchers, the DNSpoinage group utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. The threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficiency of their operations. Later, researchers have observed some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, the actors found using a new malware called as "Karkoff." The malware supports HTTP and DNS communication to the C2 server. The HTTP communication is hidden in the comments in the HTML code.
APT37
Description
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. It has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New APT37’s primary mission is covert intelligence gathering in support of North Korea’s strategic military, political and economic interests. This is based on consistent targeting of South Korean public and private entities and social engineering. The group recently expanded targeting scope also appears to have direct relevance to North Korea’s strategic interests. It uses a variety of techniques for command and control. They leverage compromised servers, messaging platforms and cloud service providers to avoid detection. It also uses various legitimate platforms as command and control for its malware tools.
DARK PINK
Description
Dark Pink is an Advanced Persistent Threat (APT) group active in the ASEAN region. The group started its operations in mid-2021, and the attacks increased a year later using a custom toolkit, created to steal important information from compromised networks. The group started its operations in mid-2021, and the attacks increased a year later using a custom toolkit, created to steal important information from compromised networks. The initial access vector for the campaign of Dark Pink was targeted spear-phishing emails, and the core goal of the threat actors, who leverage an almost-entirely custom toolkit, is corporate espionage, as they attempt to exfiltrate files, microphone audio, and messenger data from infected devices and networks. The operators deploy TelePowerBot and KamiKakaBot loader malware, which can execute commands sent via a Telegram bot. The attack mainly uses the ISO file as the initial malicious payload. After running, the Powershell command is added to the local registry, and finally the Powershell backdoor named PowerDism is loaded to steal local information and execute arbitrary commands. The attack chain used by the attackers also loaded a remote template file with malicious macro code for exploiting the CVE-2017-0199 vulnerability. Additionally, the group also uses Ctealer and Cucky tools to steal credentials and cookies from web browsers.
APT19
Description
When APT19 was first discovered, it was using CVE-2017-0199(vulnerability in MSOffice), Macro-enabled Microsoft Excel (XLSM) documents, and an application whitelisting bypass to the XLSM documents for initial compromise. The group was sometimes known to use flash 0 day exploits in the initial phase of compromise. Commonly used techniques for initial compromise include Drive-by Compromise, Spear-Phishing emails. The group uses tools like Derusbi, Mivast, Bergard, China Chopper, Sakula, Cobalt strike to establish, maintain foothold and persistence. The malwares used by the group use DLL side loading, modify system processes, use script interpreter in order to maintain stealth and remain persistent in the system. It is known to use the Scanbox framework, Taskllist, net, StreamEx to perform Reconnaissance attacks on the victim network in order to carry out lateral movement. The malwares used in the attack use base64 encoding to encrypt the infiltrated data. Arsenal / Toolkit BERGARD TROJAN, DERUSBI, TXER, SAKULA/SAKUREL, SCANBOX FRAMEWORK, CHINA CHOPPER, WCE, COBALT STRIKE, MIVAST, TASKLIST, STREAMEX
APT24
Description
APT24 group is known to have targeted organizations headquartered in countries including the U.S. and Taiwan usually for the goal of intellectual property theft. APT24 has used tools like PITTYTIGER, ENFAL, TAIDOOR, PITTYTIGER, CT RAT, MM RAT (AKA TROJ/GOLDSUN-B), PALADIN RAT (A VARIANT OF GH0ST RAT) to maintain, establish foothold and persistence. This group has historically used the RAR archive utility to encrypt and compress stolen data prior to transferring it out of the network. Data theft exfiltrated from this actor mainly focused on documents with political significance, suggesting its intent is to monitor the positions of various nation states on issues applicable to China’s ongoing territorial or sovereignty dispute Arsenal / Toolkit PITTYTIGER, ENFAL, TAIDOOR, CT RAT, MM RAT (AKA TROJ/GOLDSUN-B), PALADIN RAT (A VARIANT OF GH0ST RAT)
LAZARUS GROUP
Description
The Lazarus hacking group is one of the top cybersecurity threats from North Korea. Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.
ROCKET KITTEN
Description
Researchers have first identified the group as Ajax Security Team and found that the group appears to have been formed in 2010 by the hacker personas "Cair3x" and "HUrr!c4nE!". By 2012, the threat actor group turned their focus to Iran's political opponents.Their targeted attack campaigns, dubbed "Rocket Kitten", have been known since mid-2014. By 2013 or 2014, Rocket Kitten had shifted its focus to malware-based cyberespionage. Security firm Check Point describes Rocket Kitten as an attacker group of Iranian origin. Rocket Kitten's code uses Persian language references. The group's targets are involved in defense, diplomacy, international affairs, security, policy research, human rights, and journalism. According to Check Point, the group has targeted Iranian dissidents, the Saudi royal family, Israeli nuclear scientists and NATO officials. Security researchers found that they carried out a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus. Other researchers determined that Rocket Kitten's attacks bore a similarity to those attributed to Iran's Revolutionary Guards. Intelligence officials from the Middle East and Europe linked Rocket Kitten to the Iranian military establishment. Rocket Kitten favours a Remote Access Trojan, and by 2015, researchers found it was using customised malware.
SILENT CHOLLIMA
Description
Silent Chollima is considered a sub-set of Lazarus Group and it has been attributed to North Korea's Reconnaissance General Bureau. The group prioritises attacks on South Korean institutions with an emphasis on financial gain and cyber espionage. From 2017, the Silent Chollima Group shifted their focus to attacks for monetary gain against financial institutions as well as a previous operation that compromised ATMs in South Korea. The first major destructive attack that we detected from Silent Chollima occurred on July 4, 2009 when large DDoS attacks were launched against over thirty websites in the U.S and South Korea, including those of the White House, Pentagon, and major e-commerce and financial services companies. In the later phase of the attack, Silent Chollima actors deployed a wiper malware on thousands of machines in South Korea that resulted in large-scale data deletion and temporary incapacitation of those machines. For the next five years, Silent Chollima actors repeatedly launched similar data destructive attacks against South Korean businesses and government organizations. The group also used an ActiveX zero-day exploit for watering hole attacks on South Korean websites they called this “Operation GoldenAxe”.
APT27
Description
APT27 is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade. APT27 group is known for extensively using watering hole and spear-phishing attacks to target its victims. Active since at least 2010, APT27 leverages custom malware and exploits multiple vulnerabilities to achieve its objectives. The attackers also leveraged DLL sideloading in that campaign to load their HyperBro malware. Budworm also continues to use a known SysUpdate malware which targets both Windows and Linux platform. This group is always active with advanced capabilities by continuously updating its tactics, techniques, and procedures.
UAC-0050
Description
UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. The group’s weapon of choice is RemcosRAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal. In the recent operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability. The employment of RemcosRAT and the innovative use of pipe methods for data movement spotlight the group's focus on stealth and intelligence gathering. In another case, the mass distribution of e-mails with malicious attachments in the form of attached RAR archives protected by a password was discovered. If such an archive is opened and the executable files run, the computer may be infected with 'RemcosRAT' or 'MeduzaStealer'.
TICK
Description
Tick, has maintained a low profile, appearing to be active for at least 10 years prior to discovery. Tick APT employed spear-phishing emails and compromised a number of Japanese websites in order to infect a new wave of victims. The group is highly selective in its approach and only appears to deploy its full range of tools once it establishes that the compromised organization is an intended target. Tick also uses a range of hacktools to map the victim’s network and attempt to escalate privileges further. Stalker Panda aka Tick has been observed using several different RATs that seem to be exclusive to the group. The RATs the group uses are Elirks, SharpServer, Blogspot, and the XUni platform.
TODDYCAT
Description
ToddyCat is an advanced APT actor that started its activities in December 2020 and has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia. At initial-stage of its activity, they were compromising selected Exchange servers in Taiwan and Vietnam using an unknown exploit that led to the creation of a well-known China Chopper web shell, which was in turn used to initiate a multi-stage infection chain. The custom loaders were used that time to stage the final execution of the passive backdoor named "Samurai". In some specific cases, the Samurai backdoor was also used to launch another sophisticated malicious program named "Ninja". This tool is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat. In the latest campaign, it leverages spear-phishing emails to deliver archive files utilizing DLL side-loading schemes, most notably hijacking dal_keepalives.dll in Audinate’s Dante Discovery software (CVE-2022-23748). It also deploys "CurKeep" backdoor with some loaders named CurLu loader and CurLog. Another notable backdoor is also been injects in few cases named 'StylerServ,' which acts as a passive listener that monitors traffic on five ports (60810 through 60814) for a specific XOR-encrypted configuration file.
APT10
Description
APT10 is a threat group targeting providers of managed IT infrastructure services. This group is a significant threat to organizations producing intellectual property in industry verticals that have been identified as strategically important by the Chinese state; or to any organizations who provide managed IT infrastructure services to those who do. The scale and persistence of this activity is indicative of a well-resourced and capable actor, although it also raises questions around the organizational structure of Chinese threat groups and the degree to which access and infrastructure might be being shared across threat groups. APT10 is most commonly attributed via open source research to the Chinese Ministry of State Security (MSS). MSS attacks are typically, but not limited to: intelligence targets surrounding trade negotiations, research and development in competition with Chinese commercial entities, and high value counter intelligence targets overseas. APT10 was found stealing financial information from US firms, seeking to give domestic Chinese enterprises an edge in international deals, along with getting information about Tokyo's policy toward resolving the North Korean nuclear situation from Japanese defense firms. Arsenal / Toolkit ANEL, CHCHES, COBALT STRIKE, PLUGX, POISONIVY, QUASARRAT, REDLEAVES, HAYMAKER, SNUGRIDE, BUGJUICE
APT17
Description
APT17 is a chinese hacker group that has targeted information across a range of industry verticals that include technology, hospitality and entertainment, manufacturing, not-for-profit environmental groups, human rights groups and government The primary goal of APT17 was to gain access to and potentially modify source code repositories at these high tech, security and defense contractor companies The threat group took advantage of the ability to create profiles and post in forums to embed encoded C2 for malware communication. This technique can make it difficult for network security professionals to determine the true location of the CnC, and allow the CnC infrastructure to remain active for a longer period. Arsenal / Toolkit 9002, BLACKCOFFEE, DEPUTYDOG, DERUSBI, GH0STHTTPSDROPPER, HIKIT, INTERNALCMD, PLUGX, POISONIVY, ZXSHELL, HYDRA
APT43
Description
A new North Korean hacking group has been revealed to be targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea for the past five years. The moderately-sophisticated threat actor is tracked as APT43 and is seen engaging in espionage and financially-motivated cybercrime operations that help fund its activities. Attack chains mounted by APT43 involve spear-phishing emails containing tailored lures to entice victims. These messages are sent using spoofed and fraudulent personas that masquerade as key individuals within the target's area of expertise to gain their trust. The ultimate goal of the attacks is to facilitate credential collection campaigns through domains that mimic a wide range of legitimate services and use the gathered data to create online personas. APT43's operations are actualized through a large arsenal of custom and publicly available malware such as LATEOP, FastFire, gh0st RAT, Quasar RAT, Amadey, and an Windows-based downloader called PENCILDOWN.
DARK CARACAL
Description
Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally. Dark Caracal threat actors seem to use phishing and Office-based macros as their primary method of infection. One of the primary signatures of the Dark Caracal threat group is their use of the Bandook Trojan. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT. Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server. Pallas and FinFisher was also used by Dark Caracal APT. Pallas is mobile surveillanceware that was custom-developed by Dark Caracal. FinFisher is a commercial software used to steal information and spy on affected victims. Dark Caracal also used a multiplatform tool named CrossRAT, which is able to target Windows, OSX, and Linux.
DONOT GROUP
Description
Donot Group, also known as APT-C-35, is believed to have a government background in a South Asian country. The Donot group often executes shellcode to download subsequent DLL components by carrying macros in documents. These DLLs can further download malicious components such as Trojan plugin managers and Trojan plugins. The group mainly uses malicious programs developed in C++, python, .net, and other languages. The campaigns of Donot Team are motivated by espionage, using their signature malware: the 'yty' malware framework, whose main purpose is to collect and exfiltrate data. Researchers have also observed activity involving the 'BackConfig' malware used by the Hangover threat group.
APT15
Description
APT15 is known to use spear phishing email which can contain malware, or link to malicious download to gain initial access. The group was known to use the exploits related to the CVE-2012-4681(JRE), CVE-2010-3333(MSOffice) CVE-2010-2883(Adobe reader) to compromise the target. The APT15 group is known to use the Syria theme and London Olympics themes in their phishing emails. During the years APT19 used different malware families. From 2012-2015 it used Tidepool. During 2016-17 it used the RoyalDNS and RoyalCLI backdoors against the UK government. During Dec 2018 it used Mirage RAT. Another malware Okrum was attributed to the group which was used against diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil. Other malwares used by the group include Mirage, Ketrican, IWEBRat, PlugX, BS2005, Endcmd, Sogu, RoyalDNS, RoyalCLI. It uses Tidepool RAT, winzip to infiltrate critical information from the victim machine. The malware uses Mimikatz, DriveLateralview, Netsess, ProcDump, PSExec in later stages of the attack to carry out lateral movement within the victim organization. Arsenal / Toolkit / Threat attribution MIRAGE, NVIDIA PROGRAM, PLUGX, XSLCMD, TIDEPOOL, BS2005, ROYALCLI, ROYALDNS, IWEBRAT, ENFAL, ENDCMD, QUICKHEAL, SOGU, CYFREE, MIRAGE, NOISEMAKER, SWALLOWFLY, OKRUM, KETRICAN, MIMIKATZ, WNZIP, DRIVELETTERVIEW, PROCDUMP, PSEXEC
GUI-VIL
Description
GUI-vil is a financially motivated threat group sourcing from Indonesia whose primary objective is performing unauthorized cryptocurrency mining activities. Leveraging compromised credentials, the group has been observed exploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations. The group displays a preference for Graphical User Interface (GUI) tools, specifically an older version of S3 Browser (version 9.5.5, released January of 2021) for their initial operations. Upon gaining AWS Management Console access, they conduct their operations directly through the web browser. In their typical attack lifecycle, GUI-vil initially performs reconnaissance by monitoring public sources for exposed AWS keys (GitHub, Pastebin) and scanning for vulnerable GitLab instances. Initial compromises are predominantly achieved via exploiting known vulnerabilities such as CVE-2021-22205, or via using publicly exposed credentials. GUI-vil, unlike many groups focused on crypto mining, apply a personal touch when establishing a foothold in an environment. They attempt to masquerade as legitimate users by creating usernames that match the victim’s naming standard, or in some cases taking over existing users by creating login profiles for a user where none existed (takeover activity appearing as iam:GetLoginProfile failure followed by successful iam:CreateLoginProfile). The group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities. In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances. Once an EC2 instance is created they connect to it via SSH, install required packages, then install and launch XMRIG cryptominer.
CAMARO DRAGON
Description
Researchers have analyzed a custom firmware image affiliated with the Chinese state-sponsored actor Camaro Dragon. The firmware image contained several malicious components, including a custom MIPS32 ELF implant dubbed Horse Shell. In addition to the implant, a passive backdoor providing attackers with a shell to infected devices was found. This shares similarities with previously reported activities conducted by state-sponsored Chinese threat actors, namely Mustang Panda. The comprehensive analysis of these attacks has uncovered a malicious firmware implant tailored for TP-Link routers. The implant features several malicious components, including a custom backdoor named Horse Shell that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks. The deployed malware allows the threat actors full access to the device, including running shell commands, uploading and downloading files, and using it as a SOCKS proxy to relay communication between devices. When the Horse Shell backdoor implant is initialized, it will instruct the OS not to terminate its process when the SIGPIPE, SIGINT, or SIGABRT commands are issued, and to be converted into a daemon to run in the background. The backdoor will then connect to the command and control (C2) server to send the victim's machine profile, including the user name, OS version, time, device information, IP address, MAC address, and supported implant features.
MAGNET GLOBIN
Description
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. Some of the devices or services targeted by the hackers are Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense (CVE-2023-41265, CVE-2023-41266, CVE-2023-48365), and Magento (CVE-2022-24086). Magnet Goblin exploits the flaws to infect servers with custom malware, particularly "NerbianRAT" and "MiniNerbian", as well as a custom variant of the "WARPWIRE" JavaScript stealer. The actor’s arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk.
EARTH BERBEROKA
Description
Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader. This loader uses some interesting techniques: It hijacks loaded modules to launch malicious code, and hides malicious payloads and modules in modified bitmap image (BMP) files. Earth Berberoka uses multiple malware families that target the Windows, Linux, and macOS platforms. Researchers have also found Windows and macOS samples known as oRAT malware written in the Go language. The malware drops a DMG (disk image) file and a fake chat app built using the Electron JS framework. Earth Berberoka’s use of portable frameworks and languages such as Electron JS and Golang to target multiple platforms Some of the malware families used by this APT are existed for more than 10 years and that the group has enhanced, while others are malware families that it seemingly built specifically for this campaign. Earth Berberoka also used open-source malware families such as the Pupy RAT and the Reptile rootkit.
RED MENSHEN
Description
First discovered in 2021, Red Menshen is a China-based APT group that has been conducting cyber espionage operations against government agencies, military organizations, corporations, and more. Red Menshen is a highly effective group that has been found targeting a variety of organizations across the globe. The group is known for its use of custom-built tools. One of the tools used by Red Menshen is BPFDoor, a custom backdoor that has been observed in attacks against organizations in the US, South Korea, Hong Kong, Turkey, India, Viet Nam, Myanmar, and more. BPFDoor is used by the group to gain unauthorized access to targeted systems and carry out post-exploitation activities, such as stealing sensitive information and moving laterally within the network. It allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules. BPFDoor is a highly evasive backdoor that doesn't open any inbound network ports, doesn't use an outbound command and control (C2), and renames its own process in Linux which makes it difficult for security systems to detect. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.
SIDECOPY
Description
SideCopy has been targeting the Indian and Afghan governments with espionage attacks. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. The lures used by SideCopy APT are usually archive files that have embedded one of these files: Lnk, Microsoft Publisher or Trojanized Applications. The group has also steals sensitive Google, Twitter, and Facebook credentials and access to government portals. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor.
UAC-0056
Description
UAC-0056 espionage group is using a Graphiron information stealing malware against targets in Ukraine. The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files. Like Graphiron, many of UAC-0056’s earlier tools were written in Go. Graphiron appears to be the latest piece of malware authored by the same developers. UAC-0056 has also used a malware framework called Elephant. The malware consists of at least four different components that are used for stealing credentials, documents, and to provide remote access to the infected machine. The group’s usual infection vector is spear-phishing emails, which are then used to deliver a range of payloads to targets. Few other custom tools used by the group are OutSteel, GrimPlant and GraphSteel. Threat actor was also observed targeting Ukraine with Cobalt Strike and WhisperGate wiper malware.
GREENBUG
Description
The group most likely uses spear-phishing attacks to compromise targeted organizations. Here attackers use multiple tools to compromise other systems on the network after gaining an initial access, and steal user names and passwords from operating systems, email accounts, and web browsers. In 2017, the credentials collected by the Greenbug group APT were used in attacks of another Iranian APT group deploying destructive Shamoon wiper malware. The new campaign observed which was started in April 2019 and lasted for more than a year targeting telecommunications companies in South Asia. Greenbug APT often uses off-the-shelf and living-off-the-land tools, it seems the group is interested in gaining access to database servers includes stealing credentials and then use them to test connectivity to the servers. Their focus on stealing credentials and on establishing connections with database servers shows that the group is aiming to achieve high-level access to a victim’s network – the access that if exploited could cause havoc on a compromised network very quickly. This level of access, if leveraged by actors using disruptive malware or ransomware, could shut down an organization’s entire network very quickly. The group also found using a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.
APT18
Description
APT18 threat actors also known as Dynamite Panda, Threat Group-0416, Wekby, and Scandium have been closely associated with espionage and information theft from the targeted entities. Most of APT18’s malicious activities have focused on organizations in North America, specifically the United States. APT18 has been very visible in healthcare sector attacks and carried out a community health systems campaign, resulting in a data breach. They have also been involved in medical espionage while finding and exfiltrating patient data from medical device databases. APT18 has exfiltrated PHI data from vulnerable health systems. This data exfiltration has included patient information, medical device operational data believed to be used for industrial espionage, and intellectual property rights, including advanced proprietary designs. In one of the APT18 campaign, the threat actors launched phishing campaign to target a zero-day vulnerability (CVE-2015-5119) which had been inadvertently leaked against many industry sectors, including defense, construction, engineering, energy, health, education, biotechnology, aerospace, high technology, non-profit, telecommunications, and transportation.
IMPERIAL KITTEN
Description
IMPERIAL KITTEN is known for a variety of tactics and techniques, including phishing, social engineering and strategic web compromises. The threat actor uses both custom and off-the-shelf malware including PowerShell backdoors and infostealers in order to gather information about victim systems. The threat actor has previously used macro enabled documents that drop a VBS script, commonly referred to as LEMPO, which establishes persistence, performs reconnaissance, and exfiltrates sensitive information. The threat actor often favours exfiltration of sensitive information to an actor-controlled email account via SMTPS or IMAP, and has been observed using both dedicated mailboxes and third party services for their email accounts. In the recent campaign, the Imperial Kitten has launched phishing attacks in October using a 'job recruitment' theme in emails carrying a malicious Microsoft Excel attachment. When opening the document, the malicious macro code within extracts two batch files that create persistence through registry modifications and and run Python payloads for reverse shell access. The attacker then moves laterally on the network using tools like 'PAExec' to execute processes remotely and 'NetScan' for network reconnaissance. Additionally, they employ 'ProcDump' to obtain credentials from the system memory. Communication with the C2 server is achieved using the custom malware "IMAPLoader" and "StandardKeyboard", both relying on email to exchange information. StandardKeyboard malware persists on the compromised machine as the Windows Service Keyboard Service and executes base64-encoded commands received from the C2.
EARTH LUSCA
Description
Earth Lusca, a suspected Chinese hacker group, was found spying on strategic targets as well as performing financially-motivated attacks for several years. Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.
ASYLUM AMBUSCADE
Description
Asylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. Threat actors were first publicly outed in March 2022 after the group targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war. The compromise chain starts with a spear-phishing email that has a malicious Excel spreadsheet attachment. Malicious VBA code therein downloads an MSI package from a remote server and installs SunSeed, a downloader written in Lua. Experts observed some variations in the attachments. In June 2022, the group used an exploit of the Follina vulnerability (CVE-2022-30190) instead of malicious VBA code. Then, if the machine is deemed interesting, the attackers deploy the next stage: AHKBOT. This is a downloader written in AutoHotkey that can be extended with plugins, also written in AutoHotkey, in order to spy on the victim’s machine. Additionally, the threat actor started deploying a new tool named Nodebot in March 2023, which appears to be the Node.js port of AHKBOT. The malware's function continues to include screenshot capturing, password exfiltration from Internet Explorer, Firefox, and Chromium-based browsers, and fetching additional AutoHotkey plugins onto the breached device. The plugins fetched by the malware feature specific functionality such as downloading a VMProtect-packed Cobalt Strike loader, installing Chrome to accommodate hVNC operations, starting a keylogger, deploying a Rhadamanthys infostealer, launching a commercially available RAT, and more.
EARTH KARAHANG
Description
Earth Krahang abuses its presence on breached government infrastructure to attack other governments, builds VPN servers on compromised systems, and performs brute-forcing to crack passwords for valuable email accounts. The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage. The threat actors employ open-source tools to scan public-facing servers for specific vulnerabilities, such as CVE-2023-32315 (Openfire) and CVE-2022-21587 (Control Web Panel). By exploiting these flaws, they deploy webshells to gain unauthorized access and establish persistence within victim networks. Alternatively, they use spear-phishing as an initial access vector, with the messages themed around geopolitical topics to lure the recipients into opening the attachments or clicking on the links. Once inside the network, Earth Krahang uses the compromised infrastructure to host malicious payloads, proxy attack traffic, and use hacked government email accounts to target its colleagues or other governments with spear-phishing emails. Having established their presence on the network, "Eath Krahang" deploys malware and tools such as "Cobalt Strike", "RESHELL", and "XDealer", which provide command execution and data collection capabilities. "XDealer" is the more sophisticated and complex of the two backdoors as it supports Linux and Windows and can take screenshots, log keystrokes, and intercept clipboard data.
MOONSTONE SLEET
Description
"Moonstone Sleet" is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware. The similarities with Lazarus include extensively reusing code from known malware such as "Comebacker", which was first observed in January 2021 in connection with a campaign targeting security researchers working on vulnerability research and development. To support its diverse goals, "Moonstone Sleet" is also known to pursue employment in software development positions at multiple legitimate companies, likely in an attempt to generate illicit revenue for the sanctions-hit country or gain covert access to organizations. Attack chains observed in August 2023 involved the use of a modified version of PuTTY – a tactic adopted by the Lazarus Group in late 2022 as part of "Operation Dream Job" – via LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a *.ZIP archive containing two files- a trojanized version of 'putty:exe' and 'url.txt', which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. The trojanized PuTTY executable is designed to drop a custom installer dubbed "SplitLoader" that initiates a sequence of intermediate stages in order to ultimately launch a Trojan loader that's responsible for executing a portable executable received from a C2 server. Alternate attack sequences have entailed the use of malicious npm packages that are delivered through LinkedIn or freelancing websites, often masquerading as a fake company to send *.ZIP files invoking a malicious npm package under the guise of a technical skills assessment. These npm packages are configured to connect to an actor-controlled IP address and drop payloads similar to SplitLoader, or facilitate credential theft from the Windows Local Security Authority Subsystem Service (LSASS) process. Other attacks detected by Microsoft since February 2024 have utilized a malicious tank game called DeTankWar that's distributed to targets via email or messaging platforms, while lending a layer of legitimacy by setting up fake websites and accounts on X (formerly Twitter).
- SETOPLOCK
- MACDEFENDER
- VENOMPROXY
- CUBA RANSOMWARE
- DARKVNC
- MASSCAN
- KAIJI
- GOGGLES
- SHARKTOOL
- SPIKE
- EVILGINX2
- MATIEX
- DDOSCLIENT
- TRAITOR
- URSNIF
- RTTYSTOOL
- NETSUPPORT
- REVERSESSHTOOL
- EVILCLIPPYTOOL
- MIMIKATZ
- KUBESPLOIT
- GOWITNES
- BROWSERGHOST
- SHLAYER
- TORTOISESHELL
- SCARECROW
- TROJAN
- DISMAP
- MARSSTEALER
- HUPIGON
- NUPIC
- KEKEO
- PERSEUS
- DNSDIG
- COLLABFILTRATORTOOL
- PHANT0M
- TMATE
- DARKCLOUD
- INSTALLMIEZ
- DEIMOSC2
- CUTTLEFISH
- KERBRUTE
- LIMELOGGER
- LUMMA
- SILLYRAT
- PCREDZTOOL
- EVILTREETOOL
- GAFGYT
- EXPLOSIVERAT
- GETSHELL
- SHARPCLOUD
- MATA
- LINIKATZ
- NANOCORE
- ZGRAB
- CRYPTBOT
- SIGWHATEVER
- DREAMBUS
- PWDUMP7TOOL
- DARKWATCHMANRAT
- K8TOOLS
- NTDSDUMP
- STEALC
- HTTPBROWSER
- PRIV8STEALER
- PLUGX
- HIDDENWASP
- ROOTKIT
- AURORA
- TXPORTMAP
- NANODUMP
- HABITSRAT
- DIAMORPHINE
- WOOLAGENT
- WOGRAT
- FALCONZEROTOOL
- FIREBIRDRAT
- SUTERUSU
- NIMSCANTOOL
- GOST
- BLACKENERGY
- SSHBOT
- NOTROBIN
- IMMINENTRATTOOL
- FGDUMP
- SILVERCLIENTRAT
- REVERSERAT
- BLACKMATTER
- WINPEAS
- SHARPELEVATOR
- LINUXPRIVCHECKER
- SNAKEKEYLOGGER
- ROGUEROBIN
- DOK
- HIVE
- TYPHONREBORN
- MUGHTHESEC
- ASYNCRAT
- ETERNITYSTEALER
- CREATEMOUNTPOINT
- HANUMAN
- REDXOR
- ADWAREMACGENERIC
- WINDTAIL
- ELECTRORAT
- CHISEL
- SHARPDECRYPTPWDTOOL
- SWIFTBELT
- SIDEWINDER
- SCAVENGER
- VIRUS
- SMAUG
- FORMBOOK
- FRITZFROG
- ROOTRAT
- KMSDBOT
- DRIDEX
- DEMONIZEDSHELL
- CHAOSRAT
- OSAMINER
- REMOTENETCAT
- NJRAT
- ETERNITY RANSOMWARE
- RANSOMEXX
- TILDEB
- MOKES
- BUNDLORE
- URELAS
- OBLIQUERAT
- DARKVISION
- SHARPLAPS
- PRISM
- LDAPDOMAINDUMPTOOL
- HYPERBRO
- NODESTEALER
- HASHCAT
- SCARLETSTEALER
- VSEARCH
- CVE202226134
- QNAPCRYPT
- DAZZLESPY
- NIUB
- MIRAI
- FRPTOOL
- MOLERAT
- CHROPEX
- PHORPHIEX
- TITANSTEALER
- GOSECRETSDUMP
- ZARP
- EXEREMO
- PLEAD
- WHITESNAKE
- PIKABOT
- SNAPEKIT
- FIREELF
- MACMA
- GREENCAT
- GADGETTOJSCIPT
- KANDYKORN
- LINPEASTOOL
- ZHTRAP
- RESPONDER
- TEAMTNTWORM
- SPACECOLON
- ROTTENPOTATONG
- REMCOS RAT
- AMASSTOOL
- REALST
- PURELANDSTEALER
- COINMINER
- TROJANDOWNLOADERSMALL
- BLACKCAPGRABBERTOOL
- EGGSHELL
- PHEMEDRONE
- KOMPLEX
- HEADCRAB
- ANDROM
- MYDOOM
- STANTINKO
- HYPERSCRAPE
- FYSBIS
- SPECULOOS
- BLUEBLOOD
- PANCHAN
- PAMSPY
- REDGOBOT
- DISKKNIGHT
- IODINE
- LOCKBIT
- REDGHOSTTOOL
- SECTOPRAT
- ARDAMAXTOOL
- ACCESSCHK
- SHELLBOT
- XEYTAN
- REVENGERAT
- NETSUPPORTMANAGERRAT
- NGROK
- 3PARARAT
- OCEANLOTUS
- ENUM4LINUXTOOL
- RUBEUS
- BABARRAT
- MELOFEE
- PTERODO
- ONIONPOISON
- FAKEAV
- CADDYWIPER
- QUICKBOOKSDOWNLODER
- EARTHWORMTOOL
- PAEXEC
- DCRAT
- SYSTEMBC
- CORDMIX
- OOPSIE
- FREEZETOOL
- BUMBLEBEE
- MAMI
- NOMERCY
- SUBFINDERTOOL
- POWERSHDLL
- RUNNINGRAT
- WEBC2
- GIMMICK
- LINENUMTOOL
- JASKAGO
- NPSTOOL
- BOOMMIC
- TOFSEE
- HACKTOOL
- WOODYRAT
- GMERTOOL
- EXPLOITSCANTOOL
- BABUK
- ICEFOG
- WELLMESS
- YTDOWNLOADER
- RATTEGORAT
- SHELLCODELOADER
- HANCITOR
- BLACKNET
- EXPLOIT
- GANIW
- DAIRY
- BANNERGRABBERTOOL
- WOLFSBANE
- CLOUDBRUTE
- CHROMELOADER
- NCAT
- XMRIG
- METASPLOIT
- SEATBELT
- SUDOKILLERTOOL
- BOOTKITS
- STRATUSREDTEAMTOOL
- FFRAT
- DARKCOMET
- HTTPDOSTOOL
- EPICENTERRAT
- INTELLIADMIN
- CRIMSONRAT
- PROMETEI
- SNOWLIGHT
- SPECTRALBLUR
- SIGLOADER
- VANILLARAT
- CHINA CHOPPER
- SNOOPY
- ZGRAT
- BLACKRAT
- CLOUDMENSIS
- CYBERGATE
- FBOT
- GH0STRAT
- CLICKER
- BACKSTAB
- SSHBACKDOOR
- TRICKBOT
- OFFENSIVEPH
- CETARAT
- GWISINLOCKER
- FREAKOUT
- NIRSOFTHACKTOOL
- AZORULT
- BEROOT
- LAZAGNE
- TYPHON
- CROSSRAT
- NMAP
- IMPACKET
- MANDIBULE
- BABYSPLOITTOOL
- SQUIRRELWAFFLE
- DROVORUB
- COSMICDUKE
- FSYSNA
- ORCUS
- DONUT
- COBALT STRIKE
- TSUNAMI
- BROWSERBANDIT
- GTFONOW
- ORAT
- CREDRAPTOR
- GOBFUSCATE
- ECH0RAIX RANSOMWARE
- NOTPETYA
- WINGO AGENT
- FIERCE
- RSHELL
- BRUTERATEL
- RACCOON
- NESHTA
- NUKESPED
- CHAOSKUBE
- RANSOMWARE
- PASS THE HASH
- SHARPSOCKS
- LSASSUNHOOKER
- BOTB
- BACKDOOR
- TARSIP
- NETSPYTOOL
- REALTIMESPY
- MOONWALKTOOL
- BPFDOOR
- MSETUP
- ISAACWIPER
- XIEBROC2
- TOKENVATOR
- 3CXTROJANLOADER
- QUARKSPWDUMP
- VULTURI
- PGMINER
- POETRAT
- GODROPPER
- KEBRUTE
- AMADEY
- KERANGER
- SUPERBEARRAT
- PORTSCANTOOL
- HYDROMAC
- REKOOBE
- QBOT
- BISCUIT
- ISMDOOR
- HTTPXTOOL
- ORBIT
- GOOGLECALENDARRAT
- CHAOS RANSOMWARE
- 3CXDROPPER
- EC2STEPSHELL
- PUMAKIT
- EBURY
- COPPERPHISH
- GOLANGSTEALER
- GECON
- HAWKEYE
- SUPERSHELL
- FIREWOOD
- QUASAR RAT
- CREATESYMLINK
- FONTONLAKE
- ANTHRAXSTEALER
- NOMINATUSSTORM
- ALCHIMIST
- DBATLOADER
- BROWSEREXTENSION
- MILLENNIUMRAT
- ADFINDTOOL
- CERTUTIL
- EXTENTBRO
- STEALERIUMSTEALER
- MANJUSAKA
- GOHTRAN
- MEXLIB
- BOOTKITTY
- DARKSIDE
- RPCVIEW
- INFOSTEALER
- WEBMONITORRAT
- MICROSOCK5TOOL
- AURIGA
- CINOSHI
- NET
- DRAT
- SCHEDULERUNNER
- XORDDOS
- PUPY
- SHARPKNOT
- PACUTOOL
- CLOUDC2TOOL
- SNAKETURLA
- KCNSCREW
- WSTUNNEL
- EVILOSX
- COPPERSTEALER
- NEWSREELS
- ANDROXGHOST
- SSHBRUTEFORCETOOL
- DOTSTEALER
- HYROMAC
- CRACKMAPEXEC
- DETARAT
- MARGULASRAT
- BLADABINDI
- RACOONSTEALER
- DUMPERT
- SOCELARS
- MEDUZA
- UMBRALSTEALER
- CHIMNEYSWEEP
- AIRCRACKTOOL
- HERMETICWIPER
- REMOTEUTILITY
- STRELASTEALER
- HELLSING
- AMMYADMIN
- COLDSTEALER
- LINWINPWNTOOL
- KEETHIEF
- MINEBRIDGE
- SHARPSECDUMPTOOL
- PORTAINER
- MACSHELLSWIFTTOOL
- MACSTEALER
- YAMABOT
- GANDCRAB
- BLUSTEALER
- SHODENTOOL
- CHAMELDOH
- VENOM RAT
- PROXYTOOL
- BOTENAGO
- PNSCAN
- CUTWAIL
- GORSAIR
- OSXTROJAN
- PLATYPUS
- DUCKLOGS
- VNC
- RCLONETOOL
- JOKERSPY
- KUBESCAPE
- SIDEWALK
- JLORAT
- HVNC
- HACKBROWSERDATATOOL
- EREBUS
- PROXYTROJAN
- KINSING
- BLOODHOUND
- DARKTORTILLA
- MYTHIC
- RISEPROSTEALER
- SPACE
- S7SCANNER
- CRYPTOCLIPPY
- BLUEFOXSTEALER
- THEIFQUEST
- PASSMARK
- AVBYPASSTOOL
- SHARPKATZ
- TZEEBOT
- CVE20222588
- ZXSHELL
- WHISPERGATE
- SNAKE
- KUTAKI
- SIMPS
- INSTALLCORE
- TELLYOUTHEPASS
- BLUESHELL
- XTREMERAT
- AGENTTESLA
- HTRAN
- FSCAN
- HAVOCTOOL
- REZER0
- GCLEANER
- KILLDISK
- NIMBO-C2
- FLAGPRO
- FLOODER
- B1TXOR20
- SNEAK
- WINEGGDROP
- TIGERRAT
- SKILLFORMAT
- XAGENT
- HLOADER
- ELYSIUMSTEALER
- MACINST
- GRAVITYRAT
- EXELA
- HEALER
- CLIPBANKER
- PASSCAT
- GSECDUMP
- KUBESTRIKER
- SANDMAN
- SANDCAT
- HAMMERTOSS
- PNGDOWNER
- BLUESKY RANSOMWARE
- EZURI
- GINZOSTEALER
- DIRTYCOW
- REVERSESHELL
- AOBOKEYLOGGER
- CALISTO
- DUMMY
- IOX
- BACKDOORIT
- NBTSCAN
- KILLAV
- FABOOKIE
- ALIENREVERSE
- NIMPLANT
- CCAT
- STORMKITTY
- PEIRATES
- LIGHTNINGFRAMEWORK
- SAITAMA
- SYMBIOTE
- SPARKRAT
- ZURU
- UTILITY
- BORATRAT
- DARKGATE
- PERSIANRAT
- DNSPIONAGE
- EDRSILENCER
- DONPAPI
- ZLOADER
- REZLT
- COMMANDOCAT
- XWORM
- TNTBOTINGER
- PASSTHEHASHTOOL
- OLYMPIC DESTROYER
- BANDOOK
- PROCDUMPTOOL
- KEYLOGGER
- GEACON
- EVILGINX
- SWEETPOTATO
- PUTTY
- DISGOMOJI
- RAPPERBOT
- KLINGON RAT
- EMP3R0R
- MERCURIALGRABBER
- LIMERAT
- BADNEWS
- LIMECRYPTER
- DINODASRAT
- DUCKTAIL
- KOBALOS
- CVE20214034
- KRAKEN
- KONNI
- TROJANSPYKEYSTEAL
- MICROBACKDOOR
- ADLOADER
- RUSTSCAN
- MIMIPENGUINTOOL
- DOHTOOL
- VEILEVASION
- ICEDID
- CACHEDUMP
- BISTROMATH
- SILVERSPARROW
- MESSAGETAP
- ERBIUMSTEALER
- VIDAR
- RYUK
- SATDOS
- DUMPINGLSASS
- KUBISCAN
- SSHHACKTOOL
- RBOT
- CALLME
- GOTROJ
- QWIXXRAT
- BANDITSTEALER
- WINDAPSEARCHTOOL
- REVSOCKSTOOL
- NETWIRE
- NLTEST
- STARSYPOUND
- CROATIARAT
- EXARAMEL
- UNIXPRIVESCCHECKTOOL
- RUSTDESKTOOL
- STOWAWAY
- APPLEJEUS
- STEALTHWORKER
- NUCLEITOOL
- PENGUINTURLA
- GREENLAMBERT
- REDLINESTEALER
- ZMAP
- BLACKCAT RANSOMWARE
- REMOTEADMIN
- FATALRAT
- BUNNYLOADER
- DNSCAT
- GREENSTONE
- CLOUDDUKE
- WATCHDOG
- PWDUMPX
- BELLARAT
- DYRE
- EDRSANDBLAST
- GULOADER
- SHARPUP
- MQSTTANGBACKDOOR
- FIRESEARCH
- FICKERSTEALER
- SHARPIMPLANTTOOL
- SKIBIDI
- STAGER
- MOZI
- LUCASTEALER
- RHADAMANTHYSSTEALER
- LOKI
- OCTOPUSC2
- ENUMERATEDOMAINDATA
- VENOMRAT
- ORIONSTEALER
- EMOTET
- DJVU RANSOMWARE
- BUTERAT
- ZIGGY
- FINFISHER
- SAKULA
- HUCPORTSCANNER
- BIFROSTTOOL
- SHARPZEROLOGON
- GOMIR
- LOCKSMITHTOOL
- TROJANDOWNLOADER
- VSINGLE
- IPSTORM
- TROLLATOOL
- CARETO
- ISRSTEALER
- BLACKMOON
- LIGOLONG
- KRASUERAT
- ALMONDRAT
- DRAGON CASTLE
- SHARPNOPSEXEC
- ANCHORDNS
- ZARAZASTEALER
- OSF
- KURAYSTEALER
- NERBIANRAT
- WARZONE RAT
- MINTLUKS
- RUDEMINER
- PANDORAHVNC
- LEMURLOOT
- AUTORUN
- JANICAB
- PYBOT
- RPCCLIENTTOOL
- SDBBOT
- CVE20222586
- MIKEC2TOOL
- SNIPERSPY
- ADIDNSDUMPTOOL
- RUSTBUCKET
- EVILGNOME
- SHELLDOWNLOADER8220
- LADONGO
- WEASELC2
- BLOOPTOOL
- TEAMVIEWER
- SHARPDPAPI
- FKOTHSPAYLOAD
- SSHSNAKETOOL
- INSEKT
- XPERTRAT
- HTTPCLIENT
- BLACKGUARD
- AGELOCKER
- DOUBLEPULSAR
- P2PINFECT
- TABMSGSQL
- SOLARMARKER
- NEWCORE RAT
- WATSON
- MBROVERWRITE
- DDOSTF
- INTERNALMONOLOGUE
- PSEXEC
- WINDOWS CREDENTIAL EDITOR
- TELEPOWERBOT
- LAPLASCLIPPER
- DOKI
- EXPLOITSUGGESTERTOOL
- YARAT
- DESTOVER
- PARALLAX
- EMPIRE
- SPONSOR
- SLIVERIMPLANTTOOL
- RHOMBUS
- BIBIWIPER
- POISONIVY
- MERLIN
- LINKC2
- PONY
- SAPPHIRESTEALER
- GOSCANSSH
- DTRACK
- HWACHA
- PYVERVIEW
- COMMONMAGIC
- GETSYMBOL
- PING
- UPDATEAGENT
- HEAVENSGATE
- BLACKBASTA
- SETOPLOCK
- MACDEFENDER
- VENOMPROXY
- CUBA RANSOMWARE
- DARKVNC
- MASSCAN
- KAIJI
- GOGGLES
- SHARKTOOL
- SPIKE
- EVILGINX2
- MATIEX
- DDOSCLIENT
- TRAITOR
- URSNIF
- RTTYSTOOL
- NETSUPPORT
- REVERSESSHTOOL
- EVILCLIPPYTOOL
- MIMIKATZ
- KUBESPLOIT
- GOWITNES
- BROWSERGHOST
- SHLAYER
- TORTOISESHELL
- SCARECROW
- TROJAN
- DISMAP
- MARSSTEALER
- HUPIGON
- NUPIC
- KEKEO
- PERSEUS
- DNSDIG
- COLLABFILTRATORTOOL
- PHANT0M
- TMATE
- DARKCLOUD
- INSTALLMIEZ
- DEIMOSC2
- CUTTLEFISH
- KERBRUTE
- LIMELOGGER
- LUMMA
- SILLYRAT
- PCREDZTOOL
- EVILTREETOOL
- GAFGYT
- EXPLOSIVERAT
- GETSHELL
- SHARPCLOUD
- MATA
- LINIKATZ
- NANOCORE
- ZGRAB
- CRYPTBOT
- SIGWHATEVER
- DREAMBUS
- PWDUMP7TOOL
- DARKWATCHMANRAT
- K8TOOLS
- NTDSDUMP
- STEALC
- HTTPBROWSER
- PRIV8STEALER
- PLUGX
- HIDDENWASP
- ROOTKIT
- AURORA
- TXPORTMAP
- NANODUMP
- HABITSRAT
- DIAMORPHINE
- WOOLAGENT
- WOGRAT
- FALCONZEROTOOL
- FIREBIRDRAT
- SUTERUSU
- NIMSCANTOOL
- GOST
- BLACKENERGY
- SSHBOT
- NOTROBIN
- IMMINENTRATTOOL
- FGDUMP
- SILVERCLIENTRAT
- REVERSERAT
- BLACKMATTER
- WINPEAS
- SHARPELEVATOR
- LINUXPRIVCHECKER
- SNAKEKEYLOGGER
- ROGUEROBIN
- DOK
- HIVE
- TYPHONREBORN
- MUGHTHESEC
- ASYNCRAT
- ETERNITYSTEALER
- CREATEMOUNTPOINT
- HANUMAN
- REDXOR
- ADWAREMACGENERIC
- WINDTAIL
- ELECTRORAT
- CHISEL
- SHARPDECRYPTPWDTOOL
- SWIFTBELT
- SIDEWINDER
- SCAVENGER
- VIRUS
- SMAUG
- FORMBOOK
- FRITZFROG
- ROOTRAT
- KMSDBOT
- DRIDEX
- DEMONIZEDSHELL
- CHAOSRAT
- OSAMINER
- REMOTENETCAT
- NJRAT
- ETERNITY RANSOMWARE
- RANSOMEXX
- TILDEB
- MOKES
- BUNDLORE
- URELAS
- OBLIQUERAT
- DARKVISION
- SHARPLAPS
- PRISM
- LDAPDOMAINDUMPTOOL
- HYPERBRO
- NODESTEALER
- HASHCAT
- SCARLETSTEALER
- VSEARCH
- CVE202226134
- QNAPCRYPT
- DAZZLESPY
- NIUB
- MIRAI
- FRPTOOL
- MOLERAT
- CHROPEX
- PHORPHIEX
- TITANSTEALER
- GOSECRETSDUMP
- ZARP
- EXEREMO
- PLEAD
- WHITESNAKE
- PIKABOT
- SNAPEKIT
- FIREELF
- MACMA
- GREENCAT
- GADGETTOJSCIPT
- KANDYKORN
- LINPEASTOOL
- ZHTRAP
- RESPONDER
- TEAMTNTWORM
- SPACECOLON
- ROTTENPOTATONG
- REMCOS RAT
- AMASSTOOL
- REALST
- PURELANDSTEALER
- COINMINER
- TROJANDOWNLOADERSMALL
- BLACKCAPGRABBERTOOL
- EGGSHELL
- PHEMEDRONE
- KOMPLEX
- HEADCRAB
- ANDROM
- MYDOOM
- STANTINKO
- HYPERSCRAPE
- FYSBIS
- SPECULOOS
- BLUEBLOOD
- PANCHAN
- PAMSPY
- REDGOBOT
- DISKKNIGHT
- IODINE
- LOCKBIT
- REDGHOSTTOOL
- SECTOPRAT
- ARDAMAXTOOL
- ACCESSCHK
- SHELLBOT
- XEYTAN
- REVENGERAT
- NETSUPPORTMANAGERRAT
- NGROK
- 3PARARAT
- OCEANLOTUS
- ENUM4LINUXTOOL
- RUBEUS
- BABARRAT
- MELOFEE
- PTERODO
- ONIONPOISON
- FAKEAV
- CADDYWIPER
- QUICKBOOKSDOWNLODER
- EARTHWORMTOOL
- PAEXEC
- DCRAT
- SYSTEMBC
- CORDMIX
- OOPSIE
- FREEZETOOL
- BUMBLEBEE
- MAMI
- NOMERCY
- SUBFINDERTOOL
- POWERSHDLL
- RUNNINGRAT
- WEBC2
- GIMMICK
- LINENUMTOOL
- JASKAGO
- NPSTOOL
- BOOMMIC
- TOFSEE
- HACKTOOL
- WOODYRAT
- GMERTOOL
- EXPLOITSCANTOOL
- BABUK
- ICEFOG
- WELLMESS
- YTDOWNLOADER
- RATTEGORAT
- SHELLCODELOADER
- HANCITOR
- BLACKNET
- EXPLOIT
- GANIW
- DAIRY
- BANNERGRABBERTOOL
- WOLFSBANE
- CLOUDBRUTE
- CHROMELOADER
- NCAT
- XMRIG
- METASPLOIT
- SEATBELT
- SUDOKILLERTOOL
- BOOTKITS
- STRATUSREDTEAMTOOL
- FFRAT
- DARKCOMET
- HTTPDOSTOOL
- EPICENTERRAT
- INTELLIADMIN
- CRIMSONRAT
- PROMETEI
- SNOWLIGHT
- SPECTRALBLUR
- SIGLOADER
- VANILLARAT
- CHINA CHOPPER
- SNOOPY
- ZGRAT
- BLACKRAT
- CLOUDMENSIS
- CYBERGATE
- FBOT
- GH0STRAT
- CLICKER
- BACKSTAB
- SSHBACKDOOR
- TRICKBOT
- OFFENSIVEPH
- CETARAT
- GWISINLOCKER
- FREAKOUT
- NIRSOFTHACKTOOL
- AZORULT
- BEROOT
- LAZAGNE
- TYPHON
- CROSSRAT
- NMAP
- IMPACKET
- MANDIBULE
- BABYSPLOITTOOL
- SQUIRRELWAFFLE
- DROVORUB
- COSMICDUKE
- FSYSNA
- ORCUS
- DONUT
- COBALT STRIKE
- TSUNAMI
- BROWSERBANDIT
- GTFONOW
- ORAT
- CREDRAPTOR
- GOBFUSCATE
- ECH0RAIX RANSOMWARE
- NOTPETYA
- WINGO AGENT
- FIERCE
- RSHELL
- BRUTERATEL
- RACCOON
- NESHTA
- NUKESPED
- CHAOSKUBE
- RANSOMWARE
- PASS THE HASH
- SHARPSOCKS
- LSASSUNHOOKER
- BOTB
- BACKDOOR
- TARSIP
- NETSPYTOOL
- REALTIMESPY
- MOONWALKTOOL
- BPFDOOR
- MSETUP
- ISAACWIPER
- XIEBROC2
- TOKENVATOR
- 3CXTROJANLOADER
- QUARKSPWDUMP
- VULTURI
- PGMINER
- POETRAT
- GODROPPER
- KEBRUTE
- AMADEY
- KERANGER
- SUPERBEARRAT
- PORTSCANTOOL
- HYDROMAC
- REKOOBE
- QBOT
- BISCUIT
- ISMDOOR
- HTTPXTOOL
- ORBIT
- GOOGLECALENDARRAT
- CHAOS RANSOMWARE
- 3CXDROPPER
- EC2STEPSHELL
- PUMAKIT
- EBURY
- COPPERPHISH
- GOLANGSTEALER
- GECON
- HAWKEYE
- SUPERSHELL
- FIREWOOD
- QUASAR RAT
- CREATESYMLINK
- FONTONLAKE
- ANTHRAXSTEALER
- NOMINATUSSTORM
- ALCHIMIST
- DBATLOADER
- BROWSEREXTENSION
- MILLENNIUMRAT
- ADFINDTOOL
- CERTUTIL
- EXTENTBRO
- STEALERIUMSTEALER
- MANJUSAKA
- GOHTRAN
- MEXLIB
- BOOTKITTY
- DARKSIDE
- RPCVIEW
- INFOSTEALER
- WEBMONITORRAT
- MICROSOCK5TOOL
- AURIGA
- CINOSHI
- NET
- DRAT
- SCHEDULERUNNER
- XORDDOS
- PUPY
- SHARPKNOT
- PACUTOOL
- CLOUDC2TOOL
- SNAKETURLA
- KCNSCREW
- WSTUNNEL
- EVILOSX
- COPPERSTEALER
- NEWSREELS
- ANDROXGHOST
- SSHBRUTEFORCETOOL
- DOTSTEALER
- HYROMAC
- CRACKMAPEXEC
- DETARAT
- MARGULASRAT
- BLADABINDI
- RACOONSTEALER
- DUMPERT
- SOCELARS
- MEDUZA
- UMBRALSTEALER
- CHIMNEYSWEEP
- AIRCRACKTOOL
- HERMETICWIPER
- REMOTEUTILITY
- STRELASTEALER
- HELLSING
- AMMYADMIN
- COLDSTEALER
- LINWINPWNTOOL
- KEETHIEF
- MINEBRIDGE
- SHARPSECDUMPTOOL
- PORTAINER
- MACSHELLSWIFTTOOL
- MACSTEALER
- YAMABOT
- GANDCRAB
- BLUSTEALER
- SHODENTOOL
- CHAMELDOH
- VENOM RAT
- PROXYTOOL
- BOTENAGO
- PNSCAN
- CUTWAIL
- GORSAIR
- OSXTROJAN
- PLATYPUS
- DUCKLOGS
- VNC
- RCLONETOOL
- JOKERSPY
- KUBESCAPE
- SIDEWALK
- JLORAT
- HVNC
- HACKBROWSERDATATOOL
- EREBUS
- PROXYTROJAN
- KINSING
- BLOODHOUND
- DARKTORTILLA
- MYTHIC
- RISEPROSTEALER
- SPACE
- S7SCANNER
- CRYPTOCLIPPY
- BLUEFOXSTEALER
- THEIFQUEST
- PASSMARK
- AVBYPASSTOOL
- SHARPKATZ
- TZEEBOT
- CVE20222588
- ZXSHELL
- WHISPERGATE
- SNAKE
- KUTAKI
- SIMPS
- INSTALLCORE
- TELLYOUTHEPASS
- BLUESHELL
- XTREMERAT
- AGENTTESLA
- HTRAN
- FSCAN
- HAVOCTOOL
- REZER0
- GCLEANER
- KILLDISK
- NIMBO-C2
- FLAGPRO
- FLOODER
- B1TXOR20
- SNEAK
- WINEGGDROP
- TIGERRAT
- SKILLFORMAT
- XAGENT
- HLOADER
- ELYSIUMSTEALER
- MACINST
- GRAVITYRAT
- EXELA
- HEALER
- CLIPBANKER
- PASSCAT
- GSECDUMP
- KUBESTRIKER
- SANDMAN
- SANDCAT
- HAMMERTOSS
- PNGDOWNER
- BLUESKY RANSOMWARE
- EZURI
- GINZOSTEALER
- DIRTYCOW
- REVERSESHELL
- AOBOKEYLOGGER
- CALISTO
- DUMMY
- IOX
- BACKDOORIT
- NBTSCAN
- KILLAV
- FABOOKIE
- ALIENREVERSE
- NIMPLANT
- CCAT
- STORMKITTY
- PEIRATES
- LIGHTNINGFRAMEWORK
- SAITAMA
- SYMBIOTE
- SPARKRAT
- ZURU
- UTILITY
- BORATRAT
- DARKGATE
- PERSIANRAT
- DNSPIONAGE
- EDRSILENCER
- DONPAPI
- ZLOADER
- REZLT
- COMMANDOCAT
- XWORM
- TNTBOTINGER
- PASSTHEHASHTOOL
- OLYMPIC DESTROYER
- BANDOOK
- PROCDUMPTOOL
- KEYLOGGER
- GEACON
- EVILGINX
- SWEETPOTATO
- PUTTY
- DISGOMOJI
- RAPPERBOT
- KLINGON RAT
- EMP3R0R
- MERCURIALGRABBER
- LIMERAT
- BADNEWS
- LIMECRYPTER
- DINODASRAT
- DUCKTAIL
- KOBALOS
- CVE20214034
- KRAKEN
- KONNI
- TROJANSPYKEYSTEAL
- MICROBACKDOOR
- ADLOADER
- RUSTSCAN
- MIMIPENGUINTOOL
- DOHTOOL
- VEILEVASION
- ICEDID
- CACHEDUMP
- BISTROMATH
- SILVERSPARROW
- MESSAGETAP
- ERBIUMSTEALER
- VIDAR
- RYUK
- SATDOS
- DUMPINGLSASS
- KUBISCAN
- SSHHACKTOOL
- RBOT
- CALLME
- GOTROJ
- QWIXXRAT
- BANDITSTEALER
- WINDAPSEARCHTOOL
- REVSOCKSTOOL
- NETWIRE
- NLTEST
- STARSYPOUND
- CROATIARAT
- EXARAMEL
- UNIXPRIVESCCHECKTOOL
- RUSTDESKTOOL
- STOWAWAY
- APPLEJEUS
- STEALTHWORKER
- NUCLEITOOL
- PENGUINTURLA
- GREENLAMBERT
- REDLINESTEALER
- ZMAP
- BLACKCAT RANSOMWARE
- REMOTEADMIN
- FATALRAT
- BUNNYLOADER
- DNSCAT
- GREENSTONE
- CLOUDDUKE
- WATCHDOG
- PWDUMPX
- BELLARAT
- DYRE
- EDRSANDBLAST
- GULOADER
- SHARPUP
- MQSTTANGBACKDOOR
- FIRESEARCH
- FICKERSTEALER
- SHARPIMPLANTTOOL
- SKIBIDI
- STAGER
- MOZI
- LUCASTEALER
- RHADAMANTHYSSTEALER
- LOKI
- OCTOPUSC2
- ENUMERATEDOMAINDATA
- VENOMRAT
- ORIONSTEALER
- EMOTET
- DJVU RANSOMWARE
- BUTERAT
- ZIGGY
- FINFISHER
- SAKULA
- HUCPORTSCANNER
- BIFROSTTOOL
- SHARPZEROLOGON
- GOMIR
- LOCKSMITHTOOL
- TROJANDOWNLOADER
- VSINGLE
- IPSTORM
- TROLLATOOL
- CARETO
- ISRSTEALER
- BLACKMOON
- LIGOLONG
- KRASUERAT
- ALMONDRAT
- DRAGON CASTLE
- SHARPNOPSEXEC
- ANCHORDNS
- ZARAZASTEALER
- OSF
- KURAYSTEALER
- NERBIANRAT
- WARZONE RAT
- MINTLUKS
- RUDEMINER
- PANDORAHVNC
- LEMURLOOT
- AUTORUN
- JANICAB
- PYBOT
- RPCCLIENTTOOL
- SDBBOT
- CVE20222586
- MIKEC2TOOL
- SNIPERSPY
- ADIDNSDUMPTOOL
- RUSTBUCKET
- EVILGNOME
- SHELLDOWNLOADER8220
- LADONGO
- WEASELC2
- BLOOPTOOL
- TEAMVIEWER
- SHARPDPAPI
- FKOTHSPAYLOAD
- SSHSNAKETOOL
- INSEKT
- XPERTRAT
- HTTPCLIENT
- BLACKGUARD
- AGELOCKER
- DOUBLEPULSAR
- P2PINFECT
- TABMSGSQL
- SOLARMARKER
- NEWCORE RAT
- WATSON
- MBROVERWRITE
- DDOSTF
- INTERNALMONOLOGUE
- PSEXEC
- WINDOWS CREDENTIAL EDITOR
- TELEPOWERBOT
- LAPLASCLIPPER
- DOKI
- EXPLOITSUGGESTERTOOL
- YARAT
- DESTOVER
- PARALLAX
- EMPIRE
- SPONSOR
- SLIVERIMPLANTTOOL
- RHOMBUS
- BIBIWIPER
- POISONIVY
- MERLIN
- LINKC2
- PONY
- SAPPHIRESTEALER
- GOSCANSSH
- DTRACK
- HWACHA
- PYVERVIEW
- COMMONMAGIC
- GETSYMBOL
- PING
- UPDATEAGENT
- HEAVENSGATE
- BLACKBASTA
SETOPLOCK
Description
SetOpLock is a tool, designed to establish an oplock on a file or directory, pausing until it receives user approval to release it. Malicious actors employ this tool with ill intent.
MACDEFENDER
Description
Mac Defender (also known as Mac Protector, Mac Security, Mac Guard,Mac Shield,and FakeMacDef) is an internet rogue security program that targets computers running macOS. Macdefender is a adware and comes with Fake antivirus application.Rather than protect against viruses,Mac Defender hijacks the user's Internet browser to display sites related to pornography, and also exposes the user to identity theft. Users typically encounter the program when opening an image found on a search engine. It appears as a pop-up indicating that viruses have been detected on the users' computer and suggests they download a program which, if installed, provides the users' personal information to unauthorized third parties
VENOMPROXY
Description
VenomProxy is a multi-hop proxy made for penetration testers using Golang. It can be used to proxy network traffic to a multi-layer intranet, and easily manage intranet nodes. It has an SSH tunnel and can be used to upload and download files.
CUBA RANSOMWARE
Description
Cuba ransomware targets Windows OS to encrypt sensitive data in the victim machines. This malware was first identified in 2019. The malware contains directory path and filenames exclude them for avoiding infection. Additionally it contains a process list for terminating the processes if they are running in the victim PC.
DARKVNC
Description
DarkVNC is a malicious version of VNC used to silently remote-control a victim. The module will create a new Window Desktop to keep hidden the malicious VNC instance. This technique is usually adopted to bypass anti-fraud engines on personal banking websites by impersonating the victim’s computer and logging in with stolen credentials without raising alerts on the bank’s side.
MASSCAN
Description
Masscan is a port scanner that uses its own ad hoc TCP/IP allowing arbitrary port and address ranges using asynchronous transmission, similar to port scanners like scanrand, unicornscan, and ZMap. The main features supported by Masscan is 1. Scalable: Probably the most important feature of Masscan is its ability to transmit up to 10 million packets per second through its asynchronous architecture. 2. Portability: The software can be compiled and run on all three major operating systems: Windows, MacOS and Linux. 3. Banner checking: Apart from merely performing port scans, the tool can also complete TCP connections to fetch basic banner information. 4. Nmap Compatibility: Masscan was developed with the goal of making the tool’s usage and output as similar to Nmap’s as possible. This enables users to translate their Nmap knowledge quickly.
KAIJI
Description
Kaiji spreads exclusively via SSH brute forcing by targeting the root user only. Once a SSH connection is established, a bash script is executed which sets up the environment for the malware: A /usr/bin/lib directory is created and then Kaiji is installed under the filename ‘netstat’, ‘ps’, ‘ls’, or some other system tool name. Kaiji consists of an arsenal of multiple DDoS attacks such as ipspoof and synack attacks, an ssh bruteforcer module to continue the spread, and another ssh spreader which relies on hijacking local SSH keys to infect known hosts which the server has connected to in the past. Once the malware is executed, it copies itself to /tmp/seeintlog and launches a second instance which commences its malicious operations. It then uses central goroutines for the implant’s operation.
GOGGLES
Description
Goggle is a downloader malware that is used to download encrypted malware used by APT1. The payload malware is in encoded form and hosted on the CnC using jpg extension. The malware can be executed as an exe or installed as a service. The payload is downloaded into %TEMP% and %WINDIR%temp.
SHARKTOOL
Description
The Shark tool is a network traffic analysis tool used for packet sniffing and protocol analysis which allows users to capture and inspect data packets on a network, providing insights into network activity, protocols, and potential security issues. Shark is commonly employed by network administrators and security professionals for troubleshooting and monitoring network performance.
SPIKE
Description
SPIKE is a fuzzer creation kit, which provides an API to create custom fuzzers for network based protocols using the C programming language. SPIKE defines a number of primitives that it makes available to C coders, which allows it to construct fuzzed messages called "SPIKES" that can be sent to a network service to hopefully induce errors.
EVILGINX2
Description
evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection. This particular version is a complete re-implementation in golang, which includes the web server and DNS server. An older version used modified nginx, hence the name.
MATIEX
Description
Matiex is a keylogger that is capable of voice recording, log keystrokes, steal clipboard data and take screenshots. It exfiltrates the victim’s data via telegram, SMTP, FTP. It is sold in the underground market at $25, $60 and $99. Here are some of the features listed by the sellers in the underground market: -4 delivery mechanism- FTP, Discord, SMTP, Telegram -60 password recoveries -Voice logger -Auto Updates -Multi Binder -Unicode support -Startup and installation -Self Destruction -6 disablers -Assembly Cloner -Icon Changer -32 bit and 64 bit support
DDOSCLIENT
Description
DDosClient is a DDOS client that has been used by ChinaZ APT group. First discovered in 2015 by MalwareMustDie, the source code for this malware had been uploaded to Github, now no longer available. It is a C++ malware.
TRAITOR
Description
Traitor packages up a bunch of methods to exploit local misconfigurations and vulnerabilities in order to pop a root shell. It exploits most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847).
URSNIF
Description
Ursnif is a banking trojan first seen around 2016 known to be distributed through spear phishing emails, malicious links and exploit kits. The malware tries to steal banking credentials targeting several well known banks. Other than banking the malware can have other functionalities like backdoor, spyware, backdoor. Ursnif is known to connect to CnC using internet explorer COM objects. The malware is armored with several evasion techniques against sandboxes, antiviruses. It can perform the following actions 1. Steals computer data, computer name, system local, operating system (OS) version and running processes 2. Steals user credentials, financial and banking information 3. Able to communicate with C&C server to download additional malware components 4. Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information
RTTYSTOOL
Description
Rttys is a server component of the rtty project that allows remote terminal access to devices via a web interface. It is written in Go and provides a secure way to manage multiple devices through a centralized server. With rttys, users can execute commands, transfer files, and access terminals from anywhere using a web browser. It supports SSL for secure connections and can be configured for various authentication methods. rttys is ideal for remote maintenance of distributed Linux devices.
NETSUPPORT
Description
NetSupport is a remote administrator tool which could be used by threat actors to perform malicious activities. NetSupport RAT is delivered through Fake browser update. RAT has the following capabilities: Country details System info Files upload/Download Remote monitoring
REVERSESSHTOOL
Description
ReverseSSHTool is a statically-linked SSH server provides a reverse connection feature, enhancing remote access capabilities. Tailored for HackTheBox challenges, CTFs, or similar scenarios, it simplifies remote management and troubleshooting, especially behind restrictive network configurations. With robust encryption, it ensures secure data transmission, offering efficiency and reliability for various testing and educational purposes.
EVILCLIPPYTOOL
Description
Evil Clippy is a red teaming tool that leverages macro-enabled Office documents to deliver malicious payloads by disguising itself as a seemingly harmless helper while bypassing traditional antivirus solutions. Evil Clippy enables red teamers and penetration testers to conduct stealthy attacks, making it a useful tool for adversary emulation and security testing.
MIMIKATZ
Description
Mimikatz is an open source tool that exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also lets Mimikatz exploit this feature by dumping memory and extracting the passwords. In 2013, Microsoft made it possible to disable this feature as of Windows 8.1, and it is disabled by default in Windows 10. However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz for lateral movement. Mimikatz can perform credential-gathering techniques such as Pass-the-Hash, Pass-the-Ticket, Pass the Key, Kerberos Golden Ticket, Kerberos Silver Ticket and Pass-the-Cache. As the source code is readily available, several modified versions of Mimikatz that even include Python, Powershell, are created to evade detection by most antivirus products.
KUBESPLOIT
Description
Kubesploit is a cross-platform post-exploitation Command & Control (C2) server and agent for containerized environments. It utilizes the Go interpreter Yaegi for dynamic module execution and offers various modules for container and Kubernetes security testing. A dedicated Kubernetes environment in Katacoda is available for experimentation.Written in Golang, it is built on the Merlin project by Russel Van Tuyl (@Ne0nd0g) and uses HTTP/2 for communication.
GOWITNES
Description
Gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Gowitness has several features which make it a standout within the group of HTTP screenshot tools. The most notable feature is that gowitness can perform differential comparison matching across the set of screenshots that are captured using perception hashing. Malware has the following capabilities: Capture the screenshot from the current viewport.
BROWSERGHOST
Description
BrowserGhost is a Chrome, Firefox and Edge data harvester which is capable of retrieving login data, bookmarks, cookie and history from these browsers.
SHLAYER
Description
Shlayer is a malvertising-focused trojan mainly targeting macOS machines.This malware mainly arrives with adware bundlers using shell scripts to install their adware payload. They are also distributed using compromised Google search results. Upon installation, the disk image mounts and displays instructions for finalizing the installation. The Shlayer app mostly hides as a password-protected .zip file, which is then hidden with a bash shell script to evade antivirus software detection. It can then escalate to communicate with a command and control server that would then download additional malware. These second-stage samples bombard users with ads, and also intercept browser searches in order to modify the search results to promote more ads. Some variants of Shlayer run only once per installer, probably to hinder analysis. Even when run on a different machine an installer that has already been run will not drop the payload again.
TORTOISESHELL
Description
Tortoiseshell is a backdoor operational since July 2018, can download and execute additional tools and commands. After infiltrating a victim's computer, Tortoiseshell installs various information-gathering tools, including those mentioned earlier, to extract a diverse set of data about the machine, such as IP configuration, running applications, system details, and network connectivity.
SCARECROW
Description
ScareCrow is a framework designed for generating payloads that can be incorporated into a genuine Windows process without injecting them, thereby evading Application Whitelisting controls.ScareCrow can focus on these DLLs and modify them in-memory by making use of the API function VirtualProtect. This function alters the permissions of a portion of a process's memory from Execute-Read to Read-Write-Execute. Since this code is open source, malicious actors can misuse this tool to exploit it and gain access to a victim's machine.
TROJAN
Description
Trojan is a type of malware that disguises themselves as legitimate files to gain access to user's device. Since a Trojan is delivered inside a legitimate file, it’s very difficult to detect. Trojans are used to spy on user, steal data, and infect other programs.
DISMAP
Description
Dismap is a versatile asset discovery tool that swiftly identifies protocols, fingerprints web/tcp/udp information, and locates asset types on both internal and external networks.This open-source tool, compiled in Go language, offers cross-platform support for Linux, MacOS, and Windows operating systems.
MARSSTEALER
Description
MarsStealer is a trojan crafted to breach cryptocurrency wallets with the intent of siphoning digital assets.Mars Stealer has been identified as a revamped iteration of Oski malware, which ceased activity in mid-2020. Typically, it spreads through conventional means like spam emails, compressed files, or download links. MarsStealer has following capabilities: Credit card information, Automatic filling of the browser data, Browser extension data, Crypto wallets, Access to crypto extension information.
HUPIGON
Description
Hupigon is a backdoor malware that enables remote access to compromised systems, allowing unauthorized users to execute commands, delete files, download and run files, and terminate processes by opening ports or connecting to servers. Hupigon has following features: Accessing webcam keystrokes Initiate communication from the compromised computer to send messages. grabbed credentials
NUPIC
Description
Nupic malware targets windows systems to steal sensitive system information. Nupic malware is attributed to Aogin Dragon threat actor which has administered activities since 2013, focusing government, School/College and telecommunications industries in Southeast Asia. Some more features of Nupic malware are as follows: Allows attackers to upload and download files remotely. Allows attackers to read the victim's logic drive information. Allows attackers to enumerate disk and get unused space Allows attacker to enumerate all running process Allows attackers to Create or Terminate Process Allows attackers to Create or Delete Files/Folder
KEKEO
Description
Kekeo is a little toolbox for raw Kerberos interaction and abuse. Microsoft requires it to support scenarios where users authenticate via Kerberos to one system and information needs to be updated on another system implementing unconstrained delegation. Systems which are configured for unconstrained delegation will have the TGT (Ticket Granting Ticket) stored into LSASS memory for the purpose of enabling the user to access the end resource. Some other features of Kekeo toolkit: Domain controller Accessing Processes and Tokens and services Getting Credentials from LSASS
PERSEUS
Description
Trojan.Perseus is a bad program to take your charge card details, online banking qualifications, and also various other data for illegal functions. This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. This Trojan adds the following processes: cmd:exe /C schtasks /create /sc minute /mo 1 /tn "Mangers" /tr "%AppDataLocal%MangerFolder:exe" schtasks /create /sc minute /mo 1 /tn "Mangers" /tr "%AppDataLocal%MangerFolder:exe" Malware has the following capabilities: Applications take too long to start. Computer keeps crashing. Display lot of pop-up ads
DNSDIG
Description
The DnsDig Backdoor is a customized version of the open source tool DNS.NET Resolver used by Lyceum APT Group. The malware leverages a DNS attack technique called "DNS Hijacking" in which an attacker- controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements. The malware has the capabilities like Upload/Download Files and execution of system commands on the infected machine by abusing DNS records, including TXT records for incoming commands and A records for data exfiltration.
COLLABFILTRATORTOOL
Description
This is written in python and having user interface using java swing packages. This UI used to Exfiltrate blind remote code execution output over DNS via Burp Collaborator. By selecting platform from the dropdown menu, user can enter the desired command, and press Execute. A payload will be generated for the platform that user has chosen.
PHANT0M
Description
Phant0m is a hacking tool designed to identify and terminate processes associated with the Event Log service.Phant0m exists in two forms: a standalone EXE and a Reflective DLL, and it is an open-source project accessible on GitHub. Consequently, threat actors can exploit this tool for nefarious purposes.
TMATE
Description
Tmate application is mainly used to share terminal over SSH.Tmate is built on top of tmux(terminal multiplexer). The attacker could use tmate to establish a reverse shell to tmate.io from the container.
DARKCLOUD
Description
DarkCloud Stealer is a type of malware distributed worldwide through spam operations designed to steal sensitive information from a victim’s device.This stealer is written in the programming language VisualBasic.It is spread through various methods, such as spam emails, web worms, and unsuspecting downloads from the internet. It also has the ability to kill antivirus programs and is used for both cryptocurrency mining and stealing wallet information.
INSTALLMIEZ
Description
InstallMiez is a typical adware infection seen in macOS whose main purpose is gaining revenue for its creators by displaying several ads. This adware mostly enters the system via a deceptive software marketing method called ‘bundling’. This is when users are manipulated to believe that they are installing an update or a free program on their computers, and they are installing malware instead. The installers used by the malware are prone to change offering a variety of adware bundled products including freeware, shareware and open source tools.
DEIMOSC2
Description
Deimos C2 is a post-exploitation Command and Control solution which functions as a comprehensive framework, facilitating the remote access, payload creation, and communication with compromised machines by multiple attackers.Deimos C2 generates payloads requiring manual execution on compromised servers, achieved through various tactics like social engineering, exploitation, or brute-force methods. After deployment, threat actors attain equivalent system access to the executing user account, be it administrator or regular user level, while abstaining from any form of active or privilege escalation.
CUTTLEFISH
Description
Cuttlefish malware operates stealthily, leveraging zero-click attacks to intercept data on network edges where it employs HTTP and DNS hijacking, targeting private IP addresses, and passively sniffs packets until triggered by specific rules. Exfiltration occurs via proxy or VPN tunnels through compromised routers, evading detection with stolen credentials routed through the compromised infrastructure.
KERBRUTE
Description
Kerbrute is a utility designed to efficiently discover valid Active Directory user accounts by employing Kerberos Pre-Authentication brute force techniques. his open-source tool is accessible on GitHub, making it a potential tool for threat actors to exploit in order to gain unauthorized access to a victim's system. Usage of Kerbrute tool: bruteuser - Bruteforce a single user's password from a wordlist bruteforce - Read username:password combos from a file or stdin and test them passwordspray - Test a single password against a list of users userenum - Enumerate valid domain usernames via Kerberos
LIMELOGGER
Description
LimeLogger is a C# program designed to capture keystrokes from targeted devices.The LimeLogger code is openly available on GitHub, making it susceptible to abuse by threat actors who may exploit it for malicious purposes. One instance of such abuse involved the combination of LimeLogger with additional functions within the AsyncRAT trojan.
LUMMA
Description
Lumma is a Remote Access Trojan (RAT) which allows attackers to control victim machines. This can take away both system and sensitive data from the victim’s machine target Crypto wallets info and 2FA extensions login credentials on web browsers PII on web browser financial information saved on web browsers
SILLYRAT
Description
SillyRAT is a cross-platform Remote Administration Tool(RAT) which captures keylogs and screenshots from the victim system. The RAT accepts commands alongside arguments to either perform as the server who accepts connections or to perform as the client/target who establishes connections to the server.
PCREDZTOOL
Description
PCredz is a network security tool designed for extracting sensitive information like credit card numbers and various types of authentication credentials from network traffic.It supports capturing data from both pcap files and live network interfaces, making it useful for analyzing historical network traffic or monitoring real-time communications.PCredz logs the extracted information in a hashcat-compatible format and maintains a detailed log file, enhancing its utility for security professionals and researchers.
EVILTREETOOL
Description
Eviltree is an tool available in python and windows executable for analyzing directory structures. It's really handy to have a standalone alternative of the command for post-exploitation enumeration as it is not pre-installed on every Linux distro and is kind of limited on Windows.
GAFGYT
Description
Gafgyt malware is an advanced version of Mirai malware, gafgyt malware is mainly used for launching large-scale distributed denial of service (DDoS) attacks. It also exploits multiple vulnerabilities in IOT devices. First seen in 2014, Gafgyt has a history of exploiting vulnerabilities in devices like D-Link,ASUS,Huawei routers.
EXPLOSIVERAT
Description
ExplosiveRAT is an infostealer which steals system information from victims' machines. ExplosiveRAT gathers following information from victim machines: IP/Network details System info Local user details Domain user details Connected system with network Directories and files details
GETSHELL
Description
GetShell is a backdoor which comes as a part of malware attacks on multiple platforms. Some of the features of GetShell backdoor are: 1. Comes in various platforms like Windows,MAC OS. 2. Steals sensitive data from the system. 3. Uses TOR as C2.
SHARPCLOUD
Description
SharpCloud is a straightforward C# tool designed to verify the presence of credential files associated with Amazon Web Services, Microsoft Azure, and Google Compute.This open-source code is accessible on a GitHub project. Consequently, malicious actors could potentially misuse this tool to extract credentials from a victim's machine.
MATA
Description
MATA (MataNet)is a comprehensive multi-platform targeted malware framework able to target Windows, Linux and macOS operating systems.The MATA malware framework possesses several components, such as loader, orchestrator and plugins. The orchestrator can load 15 plugins at the same time.The main functionality of the orchestrator is loading each plugin file and executing them in memory in three ways: 1. Download the plugin from the specified HTTP or HTTPS server 2. Load the AES-encrypted plugin file from a specified disk path 3. Download the plugin file from the current MataNet connection For covert communication, they employ TLS1.2 connections with the help of the “openssl-1.1.0f” open source library, which is statically linked inside this module. Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption. The Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a “scan” command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) and random IP addresses excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. Like another strain running on a different platform, the macOS MATA malware also runs on a plugin basis. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named “plugin_socks”. The “plugin_socks” plugin is similar to “plugin_reverse_p2p” and is responsible for configuring proxy servers.
LINIKATZ
Description
LiniKatzV2, a bash script, facilitates post-exploitation tasks on UNIX systems joined to Active Directory. It requires root privileges and extracts hashed files, Kerberos tickets, clear passwords in RAM, NTLM machine hash, and AES machine keys. Optionally, it can retrieve configuration files. Some actions may depend on a user's connection to the UNIX system.
NANOCORE
Description
Nanocore is a Remote Access Trojan which has capability to manipulate credential files, hijack webcam and can harvest credentials. It was first seen in 2013. In 2015 it was seen to be associated with phishing emails targeting Asia and the Middle East. It was known to target the Energy Sector. The mail id used in the spoofing emails were the email id of South Korean oil companies. The RAT was developed by Taylor Huddleston, aka Aeonhacks who was arrested later. Cracked version of the RAT was rented and sold in the underground market. The RAT had the following capabilities: 1. Remote system monitoring with audio and video feeds. 2. Reverse proxy connection 3. Plugin support 4. 24/7 support for the victims
ZGRAB
Description
Zgrab is a fast application-layer network scanner designed for completing large Internet-wide surveys. It is built to work with ZMap (ZMap identifies L4 responsive hosts and used Zgrab to perform in-depth, follow-up L7 handshakes). ZGrab outputs detailed transcripts of network handshakes.
CRYPTBOT
Description
CryptBot is an infostealer that was detected in the wild in 2019 and is designed to steal information from Windows operating systems. Compromised web pages that offer cracked versions of popular video games and other software are being used as a hosting and distribution platform for CryptBot. CryptBot has the following capabilities: Cryptocurrency wallet Login credentials Browser Cookies Browser history Credit card details OS and hardware information Installed software
SIGWHATEVER
Description
Sigwhatever is a tool that has the capability to steal NETNTLM Hashes via Outlook Signatures in email, getting hashes capturing NETNTLM hashes from network communications. Email that allows an attacker to steal the victim's NetNTLMv2 hashes without requiring any interaction from the user - clicking the email to preview it is enough for the hashes to be stolen. Capturing NetNTLM hashes from network communications is nothing new. There are several ways of doing this. The most common way is via SBM. SMB is a protocol for file sharing purposes, and we can force SMB communications to an attacker using tools to capture the authentication attempt and extract the password hash. Malware has the following capabilities: Stole Hashes
DREAMBUS
Description
DreamBus has a modular design with regular deployment of new modules and updates and exhibits worm-like behavior that is highly effective in propagating itself across the internet and laterally through an internal network. These techniques include numerous modules that exploit implicit trust, weak passwords, and unauthenticated remote code execution (RCE) vulnerabilities in popular applications, including Secure Shell (SSH), IT administration tools, a variety of cloud-based applications, and databases. These particular applications are targeted because they often run on systems that have powerful underlying hardware with significant amounts of memory and powerful CPUs—all of which allow threat actors to maximize their ability to monetize these resources through mining cryptocurrency. Most command-and-control (C&C) components are hosted through TOR or on an anonymous file-sharing service such as oshi[.]at and leverage the HTTP protocol.
PWDUMP7TOOL
Description
Pwdump7 is a hacking tool that functions by retrieving the SAM and SYSTEM binary files from the filesystem, from which it subsequently extracts the associated password hashes.One notable capability of pwdump7 is its ability to extract information from protected files.
DARKWATCHMANRAT
Description
DarkWatchManRAT is a trojan that allows attackers to remotely control compromised systems and steal sensitive information like credentials and credit card details. Initially identified in 2021, DarkWatchman primarily targeted users in Russia. This RAT malware propagates via a phishing website, where a password-protected archive file and its corresponding password are provided on the same page. DarkWatchmanRAT has following capabilities: keystrokes clipboard data system information
K8TOOLS
Description
K8tools is an openly accessible toolkit that offers a diverse range of functionalities, encompassing privilege escalation, password cracking, scanning, and vulnerability exploitation.Additionally, K8tools encompasses exploits for numerous well-known vulnerabilities found in different systems.
NTDSDUMP
Description
NTDSDump is a hack tool which could be used to dump credentials hashes from NTDS.dit file. NTDS is a part of the Windows file which contains all data and credential details. The attackers can abuse this tool and gather sensitive information from victims' machines.
STEALC
Description
Stealc is an infostealer that focuses on gathering data from cryptocurrency wallets' web browsers, extensions, and desktop applications. This stealer, written in C and utilizing WinAPI functions and additionally it targets messenger apps and email clients. The stealer obtains sensitive data from web browsers by downloading seven genuine third-party DLLs: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll, and msvcp140.dll. Subsequently, it transfers the collected information to its command-and-control (C2) server by exfiltrating each file individually through HTTP POST requests.
HTTPBROWSER
Description
HttpBrowser is a malicious remote access trojan (RAT)that has been used by several threat groups and believed to be of Chinese origin. The RAT is also known to install the PlugX RAT during lateral movement in the victim environment after compromise. Upon execution, HttpBrowser collects the following details of the victm’s machine: computer: Machine hostname [username] lanip: IP address of the infected machine uid: An encoded value that has the Machine GUID and its volume serial number os: Windows Major version, Windows Minor version, System architecture HttpBrowser also allows the threat actor to log keystrokes and open connections to infected computers, allowing an attacker to send new commands, download other malware, or steal sensitive data.
PRIV8STEALER
Description
Priv8Stealer is a compiled C# binary designed to capture credentials, cookies, bookmark data from browsers, and extract FTP client details.The threat actor is targeting a list of applications, including Discord, Crypto Wallets, Telegram, FileZilla, Steam, VPNs, and browsers, to collect sensitive data. This is also collected victim system details.The gathered information is then transmitted to the attacker's Telegram channel.
PLUGX
Description
PlugX is a modular RAT with a rich user interface to the attackers. that is known to misuse legitimate executables. Plugx is found using DLL side loading technique. The plugx has three components: a malicious DLL, a binary file containing malicious code loaded by the DLL and a legitimate file that loads the malicious DLL. After the initial connection to the CnC the attacker can do the following on the victim machine: 1. Get machine information 2. Start plugin manager 3. Send plugin information 4. Uninstall Adversaries can use PlugX builder to create custom variants of PlugX. The build can provide the following capabilities to the adversaries: 1. Build PlugX payloads 2. Proxy connections 3. Create persistence mechanism for the malware 4. Enable keylogging and screen capture 5. Interface to manage compromised victims There are different modules in PlugX that provide different capabilities. 1. Disk module to manage file system 2. Network browser module to browse network and carry out lateral movement using SMB 3. Registry module to view and later registry 4. Capture module to capture screen 5. Portmap module to enable attacker port forwarding 6. Sql module to connect to sql servers
HIDDENWASP
Description
HiddenWasp is a fully developed suite of malware that includes a trojan, rootkit and an initial deployment script. The malware is used for targeted attacks against victims who have already been infected. HiddenWasp has the ability to download and execute code, upload files and perform a variety of commands, for the sole purpose of gaining remote control over the infected system. HiddenWasp authors have adopted large portions of code from various publicly available open-source malware, such as Mirai and the Azazel rootkit, and there are similarities between the malware and other Chinese malware families. After the handshake is completed, the trojan will proceed to handle C2 requests and will perform different operations accordingly.
ROOTKIT
Description
A rootkit is a malicious software that allows an unauthorized user to have privileged access to a computer and to restricted areas of its software. The rootkit can perform the following actions - Privilege escalation attack - Hide their presence during an attack by - Process hiding - File hiding - Event hiding - Network hiding
AURORA
Description
Aurora is an infostealer and it was identified in April 2022. This malware is mostly distributed through infected email attachment,malicious online advertisement ,social engineering ,and cracked applications.Aurora often targets browsers, email clients, messengers, FTPs, password managers, VPNs and gathers sensitive information and sends it to the c2 server. This stealer also monitors clipboards and tracks crypto wallet transactions. This trojan steals the following information from the victims machine Crypto wallet OS info Hardware ID Graphical card information CPU name and vendor Screen information IP info
TXPORTMAP
Description
TXPortMap is a tool compiled in the Go programming language that serves as a tool for conducting port scanning and identifying device fingerprints.Since this code is open source and publicly accessible on GitHub, there is a risk that individuals with malicious intent could misuse this tool.
NANODUMP
Description
Nanodump is a tool to create minidumps which can be used by adversaries to dump credentials from lsass. Below are some features on Nanodump: -Uses syscalls -Attackers used it to remotely extract the dump without writing it to disk on victim machine -It has invalid signature to avoid detection -It does not dump DLL’s in lsass which reduces the size of the dumps
HABITSRAT
Description
HabitsRAT is a Golang based backdoor that allows the malware operator to execute arbitrary code on the infected machine.This malware was found targeting Linux servers and Microsoft Exchange servers. To protect itself from being taken over by others, the attacker’s commands are signed by a private key that only the attacker has access to. The malware does not execute commands that are not signed by the correct key. The RAT uses public-key cryptography to both encrypt and authenticate the commands from the C2 server thereby allowing the attacker to control the compromised machine remotely. To protect its C2 communication, the data is encrypted and signed using PGP.
DIAMORPHINE
Description
Diamorphine is a LKM rootkit for Linux Kernels. The rootkit is used by threat actors to hide malicious processes or elevate privileges on the compromised machines. Diamorphine leverages magic packets allowing it to run arbitrary commands on the infected endpoint.
WOOLAGENT
Description
WoolAgent is a trojan that is distributed via phishing campaigns.since the beginning of 2014, a group of attackers with Iranian roots has been using malware to target specific individuals, with the help of ongoing spear phishing campaigns. There is a credential stealer based on .NET that targets specific storage locations on a compromised computer to extract credentials, which are then sent to a Gmail account via email.
WOGRAT
Description
WogRAT is a backdoor malware distributed through aNotepad, targeting both Windows and Linux systems where in Linux, it collects basic system information and communicates with the command-and-control server to execute commands, download/upload files, and send results along with leveraging the Tiny SHell's routine for evasion.Upon execution, it disguises itself under the guise of legitimate processes, commonly adopting the name [kblockd] Functionally, it gathers essential system data and forwards it to the command-and-control (C&C) server, while receiving commands through a reverse shell server instead of directly from the C&C.
FALCONZEROTOOL
Description
Falconzero is a stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode)to the host machine undetected.It gives stealthy shellcode injection technique without allocating RWX memory pages in victim process to evade AV/EDRs.
FIREBIRDRAT
Description
FireBird is a Remote Access Trojan(RAT) which could be used to steal sensitive information from victims' machines. This malware spreads through spam campaigns,cracking tools and untrusted download channels. It can steal credentials from browsers and crypto wallets. This malware allows the attacker to control and install or uninstall the applications in the victim machines.
SUTERUSU
Description
Suterusu is a LKM rootkit for Linux Kernels. The rootkit is used by threat actors to hide malicious processes, files and ports on the compromised machines. Suterusu also installs additional modules that are specified during compile time.
NIMSCANTOOL
Description
NimScan, a port scanner developed in Nim, is a publicly available open-source project for quick and basic port scanning.This tool can be exploited by malicious actors for illicit purposes, enabling them to spy on a victim machine's network ports.
GOST
Description
Gost is a network port monitoring tool written in the Go programming language that can monitor multiple ports simultaneously. This source code is publicly available on a GitHub project, potentially leading to its misuse by threat actors for malicious purposes.
BLACKENERGY
Description
BalckEnergy is a Trojan used to carry out DDOS attacks specially designed as Industrial Control Systems(ICS). It was first seen in wild in 2007 and is known to be involved in espionage and information destruction activities. BalckEnergy had various versions. The first version seen in 2007 was just a HTTP backdoor. The second version which appreciated in 2010, used sophisticated techniques like rootkit and process injection. The third version of BlackEnergy was capable of carrying out DDos attacks and had capabilities to exfiltrate. BlackEnergy was initially spread using macro enabled malicious documents, ppts, Java updates, Infected Juniper Spams, fake flash player, fake device drivers. he attackers using Blackenergy were known to install malicious SCADA plugins. The third version of BlackEnergy was CVE-2014-4114 which was used against MSOffice applications. Later versions of BlackEnergy ships with various other capabilities which includes network discovery, data theft.
SSHBOT
Description
An SSH bot typically refers to a type of malicious software that attempts to gain unauthorized access to computer systems or servers using the SSH (Secure Shell) protocol. SSH is a secure method for remote login and command execution on a networked device, and SSH bots are often used in cyberattacks to carry out various malicious activities, such as:Brute Force Attacks: SSH bots may repeatedly try to guess usernames and passwords to gain access to a system. They automate the process of trying various combinations of login credentials.
NOTROBIN
Description
Notrobin is a utility written in Go and compiled to an ELF binary that provides backdoor access to the compromised system. Upon execution, Notrobin ensures that it is running from the path /var/nstmp/.nscache/httpd. If not, the utility copies itself to this path, spawns the new copy, and then exits itself. This provides detection cover by migrating the process from /tmp/, a suspicious place for long-running processes to execute, to an apparently NetScaler-related, hidden directory. Every second, it searches the directory /netscaler/portal/scripts/ for entries created within the last 14 days and deletes them, unless the filename or file content contains a hardcoded key. This routine cleans the system of publicly known payloads, such as PersonalBookmark.pl. Eight times per second, it searches for files with an .xml extension in the directory /netscaler/portal/templates/. This is the directory into which exploits for CVE-2019-19781 write templates containing attacker commands. Notrobin deletes files that contain either of the strings block or BLOCK, which likely match potential exploit code, such as that found in the ProjectZeroIndia exploit.
IMMINENTRATTOOL
Description
ImminentRAT Monitor marketed as a legitimate remote access tool since 2012, has been exploited by threat actors to monitor victims' activities. Beginning in 2014, Imminent Monitor introduced support for third-party plugins, the initial plugin enabling the capability to disable the webcam indicator light during monitoring. IMMINENTRAT has following capability: File manager Process manager Clipboard manager Registry manager Startup manager Command prompt Remote webcam monitoring Remote microphone monitoring Password recovery
FGDUMP
Description
FgDump is a newer version of pwdump which is used for extracting NTLM and Lanman passwords on Windows which can be used by adversaries for lateral movement. It can also display password history. The tool disables antivirus before executing its functionality. It then runs pwdump, cachedump, pstgdump tool.
SILVERCLIENTRAT
Description
SilverClientRAT is a malicious trojan crafted with the purpose of clandestinely acquiring keylogger activity and pilfering essential system information, such as machine name, user name, OS version, and other relevant data.The SilverClientRAT exhibits intrusive behavior by illicitly accessing the victim's camera and closely monitoring their activities. Additionally, it attempts to stealthily install hidden applications, such as Remote applications and browsers. This trojan poses a serious threat to user privacy and security, as it can exploit various methods to gather and misuse confidential information without the victim's knowledge or consent.
REVERSERAT
Description
ReverseRAT is a Remote Access Trojan capable of creating a Reverse Shell, known to be used in the SideCopy attack against India. It opens up the reverse shell to the attacker using Windows Interpreter cmd. The RAT is also capable of detecting attachment and detachment of removable drives.
BLACKMATTER
Description
BlackMatter Ransomware targets Windows OS to encrypt the victim's personal data. It was first seen in July 2021. It enumerates the running process and kills the process in the victim machine by comparing the hardcoded process list. It creates an auto startup registry entry to execute each time a user logs into the system.
WINPEAS
Description
Winpeas is a C# program which could be used to find vulnerability and get access to Windows Privilege folders and files. The attackers use this binary to change the windows permissions in order to do malicious activities on the victim machine. The following windows privilege files/folder could be accessed by the Winpeas: System Info Network Info Process Info Windows Credential Registry Info DLL Hijacking WMIC access
SHARPELEVATOR
Description
SharpElevator is c# compiled binary which could be used to UAC bypass. The source code of binary is available publicly. The attackers could abuse this tool and gain required details from the victim machines.
LINUXPRIVCHECKER
Description
Linuxprivchecker is designed to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.This is to help users further learn how these privilege escalations work and keep it in line with the rules, for self directed exploitation, laid out for the OSCP, HTB, and other CTFs/exams
SNAKEKEYLOGGER
Description
Snake Keylogger is an infostealer that can steal sensitive information from the victim machine which includes clipboard data, keystrokes, screenshots. It was spread through spam emails with zip attachments containing malicious executables with .SCR extension. The subject of email is similar to those of bank statements or credit card statements. The malicious binaries are mostly .Net compiled executables. The malware can infiltrate other data from the victim machine. The keylogger sends this data using various mechanisms which includes FTP, SMTP, pastebin, telegram.
ROGUEROBIN
Description
RogueRobin malware is able to act as a dropper, but also insure some basic trojan functionalities, like stealing files and executing remote commands. DarkHydrus compiled RogueRobin with an extra command that allows it to use Google Drive as a secondary method for sending their instructions. The command is called 'x_mode' and it is disabled by default. However, the adversary can turn it on via DNS tunneling channel, which is the main communication line with the C2 server. Immediately after activation, the trojan receives a list of settings stored in variables set when sending the 'x_mode' command; these values allow it to exchange information through Google Drive: URL for downloading, uploading, updating files, and the authentication details. Malware has the following capabilities: Steal system information. Upload Data Gather credit card information. Stealer Data
DOK
Description
Dok is a malware that can eavesdrop on secure HTTPS traffic by redirecting a victim’s traffic through a malicious proxy server. Upon installation and persistence, the malware will install brew, a package manager for OS X, which will be used to install additional tools – Tor and Socat. The malware can also perform the following tasks 1. Give the current user admin privileges immediately on demand without prompting for a password 2. Proceed to install a new root certificate in the victim system, which allows the attacker to intercept the victim’s traffic using a Man in The Middle (MiTM) attack 3. Install LaunchAgents will redirect requests to 127.0.0.1 through Tor
HIVE
Description
Hive ransomware encrypts the files on the victim network. After compromising a victim network,Hive ransomware exfiltrates the sensitive data from victim PC.
TYPHONREBORN
Description
TyphonReborn is an infostealer that is capable of stealing browser credentials, saved autofill information in browser forms, and crypto wallets. It was first seen in August 2022. Stealer as the following capabilities: USername of machine OS information Antivirus information Network information System language Keylogging Screenshot
MUGHTHESEC
Description
The adware currently spreads as a file called Player.dmg that installs a legit version of the Adobe Flash Player for Mac, but also an unwanted app named Advanced Mac Cleaner, and two Safari extensions named Safe Finder and Booking.com adware is currently spread via malicious ads and popups on shady websites.
ASYNCRAT
Description
AsyncRAT is an open source remote access tool(RAT) that can be used to monitor and access computers remotely. It can be used by adversaries to control the victim's computer. AsyncRAT can be delivered through phishing, exploit kits etc. AsyncRAT has the following features which can be used to cause harm to the victim: -Infiltrate data using SFTP -Password recovery from installed softwares -Screen recorder and viewer -Keylogger -Anti-analysis techniques -Stop antivirus on victim
ETERNITYSTEALER
Description
EternityStealer steals sensitive data from victim machines like credentials, cookies, credit card details. The threat actor collects those details and sends them to a Telegram channel. EternityStealer has the following capabilities: Messengers FTP clients Gaming software Email clients Cryptocurrency extensions and Wallet
CREATEMOUNTPOINT
Description
CreateMountPoint is a tool for easily creating mount points (junctions or reparse points) with custom paths, surpassing the limitations of the built-in MKLINK tool. This tool can be exploited by malicious individuals for nefarious purposes.
HANUMAN
Description
Hanuman is a backdoor trojan that allows unauthorized access to an infected victime system. Attackers run remote commands via network and gather system related information.
REDXOR
Description
RedXOR is a backdoor that masquerades itself as polkit daemon which is used in targeted attacks. Upon execution RedXOR forks off a child process allowing the parent process to exit. The purpose is to detach the process from the shell. The new child determines if it has been executed as the root user or as another user on the system The malware communicates with the C2 server over a TCP socket. The C2 server tells the malware to execute different commands via a command code that is returned in the “JSESSIONID” cookie. When the malware first contacts the C2 server it sends a password encoded in the request body to collect the system information. Alongside this, the malware has network tunneling, shell functionality and also can be updated by the threat actor.
ADWAREMACGENERIC
Description
Adware is unwanted software designed to show advertisements up on the user screen, most often within a web browser. The outcome of this is slowing of Mac machines, cramping the screen with multiple pop-ups banners. It is also fundamental not to forget that the advertisements linked to Adware.MAC.Generic may not be trustworthy, and you should avoid them at all costs.
WINDTAIL
Description
WindTail can be described as the first-stage macOS implant utilized by the WINDSHIFT APT.It uses methods such as malicious emails to deliver the malware to victims.: WindTail appears to have the capability to collect files from the infected system. It identifies specific file types based on their extensions (e.g., doc, db, rtf) and archives them using macOS's built-in zip utility. It then exfiltrates these files, possibly to a remote server, using the 'curl' network utility.
ELECTRORAT
Description
ElectroRAT is a malware that aims to collect private keys to access victims’ wallets. As part of its behavioral flow, contacts raw pastebin pages to retrieve the C&C IP address. ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.
CHISEL
Description
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Single binary, can be used to evade firewalls and uses SSH for encryption.
SHARPDECRYPTPWDTOOL
Description
SharpDecryptPwd is a command line tool that collects and displays account credentials. If the compromised system has applications like Navicat, TeamViewer, FileZilla, WinSCP, Xmanager (Xshell, Xftp), or similar programs installed and stores frequently used user account credentials in a configuration file, SharpDecryptPwd can decrypt and reveal these credentials.
SWIFTBELT
Description
SwiftBelt is a macOS enumeration tool. It does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host. Following are the capabilities of this tool : SystemInfo : For getting system information. Clipboard : Dump clipboard contents. RunningApps : List all running apps. ListUsers : List local user accounts. LaunchAgents : List launch agents, launch daemons. BrowserHistory: Attempt to pull Safari, Firefox, Chrome, and Quarantine history SlackExtract : Check if Slack is present and if so read cookie, downloads, and workspaces info. ShellHistory : Read shell (Bash or Zsh) history content. Bookmarks : Read Chrome saved bookmarks.
SIDEWINDER
Description
SideWinder has been seen launching spear phishing attacks to infiltrate government and business organizations, gaining access to system information and files.The attacks predominantly distribute malicious attachments, though the group has also employed credential phishing as a technique. The malware gathers system information, storing it as a JSON file on the disk, and subsequently transmits it to the C2 server.
SCAVENGER
Description
Scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as interesting files containing sensitive information.Scavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.
VIRUS
Description
A virus is a computer programme designed to infiltrate your system and corrupt or change your files and data. A virus might corrupt or delete data on your computer. Viruses can also replicate themselves.
SMAUG
Description
Smaug is a completely customizable and multiplatform Golang based Ransomware as a Service. SMAUG also has offline capabilities, meaning that the payload does not have to have any amount of connectivity in order to execute and encrypt The SMAUG operators currently charge a 20% service fee. However, there is also a registration fee which is quite steep when compared to other “fully-public” services.There are some possible exceptions to getting around the registration fee. On some forums where SMAUG is advertising, the developers state that free memberships will be given to the first five customers with a certain number of posts, and the ability to prove their past work (attacks). In SMAUG’s service advertisements, they state “Infecting CIS is forbidden and will result in a ban”. CIS is the ‘Commonwealth of Independent States’ or also the group of independent countries that were once part of the Soviet Union. This suggested us that the developers behind this malware is likely from Russia.
FORMBOOK
Description
Formbook is an information stealer malware that uses form grabbing technique to steal data from web forms. It is spread through malicious attachments in spam emails. The theme used in the spams is invoice payment. The formbook executable is sent as an email attachment in a zip file. The executable has an icon that looks like a pdf. The formbook executable contains an autoit script that decrypts the formbook and loads it in memory. Formbook copies itself to system directories with random names if it runs with higher privilege. If it runs with lower privilege it copies itself to appdata folder or temp folder. Formbook stays persistent by creating entry into windows registry. Fombook injects itself into explorer:exe and then deletes the original executable. It injects into applications from which it wants to steal credentials. It injects into well known browsers like firefox, chrome email clients like thunderbird and outlook. It sets browser hook, keyboard hook and monitor clipboard activities to steal credentials and data from the monitored applications.
FRITZFROG
Description
FritzFrog is a highly sophisticated peer-to-peer (P2P) botnet that has been actively breaching SSH servers worldwide. With its decentralized infrastructure, it distributes control among all its nodes. In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange. Unlike other P2P botnets, FritzFrog combines a set of properties that makes it unique: it is fileless, as it assembles and executes payloads in-memory. It is more aggressive in its brute-force attempts, yet stays efficient by distributing targets evenly within the network. FritzFrog has a special combination of properties, which makes it unique in the threat landscape: Fileless – FritzFrog operates with no working directory, and file transfers are done in-memory using blobs. Constantly updating – databases of targets and breached machines are exchanged seamlessly. Aggressive – Brute-force is based on an extensive dictionary. By comparison, DDG, a recently discovered P2P botnet, used only the username “root”. Efficient – Targets are evenly distributed among nodes. Proprietary– The P2P protocol is completely proprietary, relying on no known P2P protocols such as μTP.
ROOTRAT
Description
RootRat is a trojan stealer written in Go language that operates by taking control of the victim's machine and extracting sensitive data, such as credentials. This trojan captures screenshots, uploads files from the victim's system, and has the capability to initiate actions such as shutting down or restarting machines, among other functionalities.
KMSDBOT
Description
KmsdBot is a golang-based botnet that attacks machines using weak SSH credentials. It has cryptocurrency mining and DDoS capabilities. The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP.
DRIDEX
Description
Dridex is a banking trojan which was first seen in 2014 targeting windows. Dridex is a DLL which is assumed to be derived from Bugat aka Cridex Source code. Dridex variants are known to use multiple code injection techniques AtomBombing, DLL order hijacking, process hollowing, PE injection and thread execution hijacking. It’s primary purpose is to steal banking credentials. It has the following capabilities: Create Web injects which can create extra fields in banking web page which is loaded in the browser Redirect to malicious pages which look like legitimate banking website Dridex has several modules which have different task which includes: 1. Find peers 2. Download updates and configuration 3. Download modules from CnC The different modules can implement these functionalities: 4. VNC module for remote access to attackers 5. keylogger 6. Steal banking credentials 7. Password harvesting
DEMONIZEDSHELL
Description
DemonizedShell is a Linux persistence tool with advanced features, including SSH key generation, APT, Crontab, and systemd persistence where it incorporates a modified LKM rootkit, ICMP backdoor, LD_PRELOAD for privilege escalation, and static binaries for various purposes. Users are urged to use it responsibly for educational purposes, and contributions are welcome through contacting the developer on Twitter.
CHAOSRAT
Description
Chaos-RAT is a Remote Access Trojan written in Golang, that includes Reverse Shell, File Download/Upload, and Screenshot capabilities in Linux. It is also cross-platform. It also includes persistence and keylogger modules specifically in Windows.
OSAMINER
Description
OSAMiner is a well-known OS X and macOS cryptomining Trojan that has been circulating since 2015.OSAMiner uses Open Scripting Architecture scripts to accomplish its goals. OSAMiner is typically distributed with pirated software, including productivity applications like Microsoft Office, or games like League of Legends. It is also not uncommon to see cryptomining trojans like this distributed through fake software updates, or email campaigns prompting the victim to install a new piece of software or update a common application. OSAMiner's main purpose is cryptojacking. In addition to evading detection, Specifically, the Activity Monitor app, and common anti-malware applications, OSAMiner downloads and runs the open-source Monero miner XMR-STAK-RX. Another script prevents the infected system from entering sleep mode, thereby maximizing the processing power afforded the miner. Once OSAMiner is installed and operating, the infected system may experience difficulty opening the Activity Monitor app, high CPU usage, and even system crashes.
REMOTENETCAT
Description
RemoteNetcat is a remote administrator tool which could be used by threat actors to perform malicious activities. Attackers send this tool along with other malware by spam mail or file sharing. Once this tool is installed in victime machine, the attacker gains all the access of victime machine.Thereafter it uploads and downloads files, executes shell codes and monitors the victim machine.
NJRAT
Description
NjRat also known as bladabindi is a remote access trojan that is capable of logging keystrokes, stealing credentials stored in browsers, accessing webcam, and creating a reverse shell. It can even upload download files, execute commands, and manipulate the registry on the victim computer. Latest versions are even capable of stealing Cryptocurrency wallets. It was first seen in 2013 and known to be used by threat actors in the Middle East. It was programmed using .net. Some of the variants use .net obfuscators to evade antiviruses and are even used in targeted attacks
ETERNITY RANSOMWARE
Description
Eternity is a ransomware which encrypt documets with the help of military grade encryption algorithm. The Eternity Stealer steals passwords, cookies, credit cards, and crypto-wallets from the victim’s machine and sends them to the TA’s Telegram Bot. The features of the stealer malware mentioned on the TAs website and Telegram channel are: - Browsers collection (Passwords, CreditCards, Cookies, AutoFill, Tokens, History, Bookmarks): - Chrome, Firefox, Edge, Opera, Chromium, Vivaldi, IE, and +20 more. - Email clients: Thunderbird, Outlook, FoxMail, PostBox, MailBird. - Messengers: Telegram, Discord, WhatsApp, Signal, Pidgin, RamBox. - Cold cryptocurrency wallets: Atomic, Binance, Coinomi, Electrum, Exodus, Guarda, Jaxx, Wasabi, Zcash, BitcoinCore, DashCore, DogeCore, LiteCore, MoneroCore. - Browser cryptocurrency extensions: MetaMask, BinanceChain, Coinbase Wallet, and 30+ more. - Password managers: KeePass, NordPass, LastPass, BitWarden, 1Password, RoboForm and 10+ more. - VPN clients: WindscribeVPN, NordVPN, EarthVPN, ProtonVPN, OpenVPN, AzireVPN. - FTP clients: FileZilla, CoreFTP, WinSCP, Snowflake, CyberDuck. - Gaming software: Steam session, Twitch, OBS broadcasting keys. - System credentials: Credman passwords, Vault passwords, Networks passwords).
RANSOMEXX
Description
RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name. When launched, the trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach using the AES block cipher in ECB mode. The AES key is encrypted by a public RSA-4096 key embedded in the Trojan’s body and appended to each encrypted file. Additionally, the malware launches a thread that regenerates and re-encrypts the AES key. Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use.
TILDEB
Description
Tildeb is included in the Shadow Brokers' leaked arsenal, designed to exploit Windows NT 4.0 OS and Microsoft Exchange Server vulnerabilities.Although it primarily targets older systems, an external traffic capture report reveals successful communication with a hardcoded IP address, suggesting active deployment of the Trojan. This malware is typically introduced to a system through secondary malware delivery or user-initiated downloads from malicious websites, enabling remote malicious users to take control of the compromised system.
MOKES
Description
OSX.Mokes is a general purpose backdoor that has been around since 2016. Most recently OSX.Mokes was spread by a 0-day exploit for Firefox sent out in a targeted attack as phishing mails. This threat serves as a backdoor Trojan, which allows its operators to compromise a system, exploit it, monitor the user, and collect sensitive data that will then be transferred to their C&C (Command & Control) servers. Following are the capabilities of this malware : 1.Collect keystrokes. 2.Take screencaps of the desktop and active windows. 3.Record audio using the user’s microphone. 4.Record video using the user’s webcam. 5.Collect documents from the user’s desktop. 6:execute remote commands on the system.
BUNDLORE
Description
Bundlore is an installer which bundles legitimate applications with offers for additional unwanted third party applications.Upon installation, the disk image mounts the installer and drops multiple unwanted applications under the guise of installing one legitimate application. Bundleware operators like Bundlore profit from their installers in several ways. - Adware allows them to directly publish advertisements and collect payment for views like a traditional advertising network—and advertisers can bypass things like content review for malicious scripts (“malvertising”). - The adwares can also change links on pages to redirect them, stealing “clicks” to get paid for forwarding a “customer” to a specific site or download through an affiliate code added to the referring link. Because they change the page from within the browser itself, the user gets no security warnings about mixed content on the page. - Adware browser extensions can completely replace websites with another website allowing the operator to cash in on a referral for delivering the search
URELAS
Description
Urelas is a Trojan that attempts to fetch additional malware from the internet and is concealed using Packman for runtime compression. This Trojan gathered sensitive data from the victim's system, including information about the operating system version and installed software. Additionally, it surveils specific card game applications, capturing screenshots and transmitting details about your computer to a remote server.
OBLIQUERAT
Description
ObliqueRAT is a malicious remote access trojan (RAT) that can perform the following in the victim's machine 1. Ability to execute arbitrary commands on an infected endpoint. 2. Ability to exfiltrate files. 3. Ability to drop additional files. 4. Ability to terminate processes on the infected endpoint etc. ObliqueRAT initially gathers fingerprints of the system and then communicates with the command and control server (C2) to obtain command codes and send back executed command outputs. The C2 acknowledgements are as follows: 1. "ack0" = Acknowledgment of the command code received as well as an indicator of successful command execution. 2. "nak0" = Indicates failure to execute functionality without providing reason for failure to the C2.
DARKVISION
Description
DarkVision is the name of a Remote Administration Trojan (RAT), designed to provide unauthorized access to a victim's computer. The RAT allows attackers to control the infected computer remotely, giving them access to sensitive data and the ability to perform a range of malicious actions. Once installed on a victim's computer, DarkVision creates a backdoor that allows the attacker to access and control the system remotely. The attacker can use the RAT to steal sensitive data, plant additional malware, and use the infected computer as part of a larger botnet. It enables threat actors to view the victim's desktop, control mouse movements, and type in keystrokes, record all keystrokes made on the target system, including usernames, passwords, and other sensitive information. Malware has the following capabilities: Steal sensitive information. Record keystrokes. Control mouse movements.
SHARPLAPS
Description
harplaps is a hacktool which recovers LAPS password From LDAP. This binary executes within the Cobalt Strike session using execute-assembly utility. This tool is a c# compiled binary and open source. The attacker can modify and use this tool for the malicious purposes.
PRISM
Description
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It executes commands from a remote malicious user, effectively compromising the affected system.
LDAPDOMAINDUMPTOOL
Description
ldapdomaindumpTool is used for extracting and parsing information from an Active Directory domain using the LDAP protocol.This tool is designed to help with reconnaissance during penetration testing of internal networks.
HYPERBRO
Description
HyperBro is an in-memory RAT mostly attributed to Emissary Panda threat actor(APT27). Hyperbro has the following capabilities: 1. Can inject shellcode into newly created process 2. Take screenshots 3. List services and their configuration 4. It uses HTTPS for CnC communication 5. Uses legitimate applications for DLL sideloading 6. Can download files 7. Can start or stop service
NODESTEALER
Description
NodeStealer is a Python-based Trojan designed to target and extract sensitive information, such as Facebook account credentials and other login details, from compromised computers. In May 2023, NodeStealer emerged as a JavaScript-based malware with the ability to steal cookies and passwords from web browsers, leading to the compromise of Facebook, Gmail, and Outlook accounts. In addition to harvesting credentials and cookies from a range of web browsers, regardless of their source, the stealer is programmed to collect system metadata and transmit this data through Telegram.
HASHCAT
Description
Hashcat is a password recovery utility supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. It supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking. The following are other techniques that are used to break passwords: 1. Lookup Tables: Hashes are pre-compiled through a dictionary and then kept into a lookup table procedure with their communicating password. 2. Reverse Lookup: This rush allows a cyber rusher, without having to pre-compile a lookup, to bid a dictionary or brute-force rush to several hashes during the same time. 3. Rainbow Tables: A time-memory strategy is Rainbow tables. Except that they compromise hash cracking speed to render the lookup tables smaller, they are comparable to lookup tables. 4. Hashing with Salt: The hashes are aimless with this way by adding or prepending a random string known as "salt." This is appended before hashing the password.
SCARLETSTEALER
Description
ScarletStealer is a Trojan designed to specifically target crypto wallets, extracting sensitive information from the victim's system and then disseminating the stolen data through a Telegram channel. The detection of this Trojan took place in November 2023, and the threat actor is actively promoting the stealer through a Telegram channel.
VSEARCH
Description
VSearch is a family of adware that targets MacOS systems. This adware that is usually installed by bundlers.VSearch may cause text on a website visited on an affected system to be turned into hyperlinks and it may show popups not related to any sites that are open in the browser.
CVE202226134
Description
CVE202226134 is an unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
QNAPCRYPT
Description
QnapCrypt is a ransomware family that was found to target Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. Some features of QnapCrypt are as follows: 1. Uses TOR as C2 infrastructure 2. Ransom note gets fetched from C2. 3. Also performs GeoIP check and System Locale check. 4. Will not perform encryption if it believes the system is Ukranian,Belarusian and Russian.
DAZZLESPY
Description
DazzleSpy is a full-featured backdoor that provides attackers a large set of functionalities on a compromised macOS machine. The following commands are supported by DazzelSpy - heartbeat - Sends heartbeat response. - info - Collects information about compromised computer - searchFile - Searches for the specified file on the compromised computer. - scanFiles - Enumerates files in Desktop, Downloads, and Documents folders. - cmd - Executes the supplied shell command. - restartCMD - Restarts shell session. - restart - Depending on the supplied parameter: restarts C&C command session, shell session or RDP session, or cleans possible malware traces - processInfo - Enumerates running processes. - keychain - Dumps the keychain using a CVE-2019-8526 exploit - downloadFileInfo - Enumerates the supplied folder - downloadFile - Exfiltrates a file from the supplied path. - file - File operations: provides information, renames, removes, moves, or runs a file at the supplied path. - uninstall - Deletes itself from the compromised computer. - RDPInfo - Provides information about a remote screen session. - RDP - Starts or ends a remote screen session. - mouseEvent - Provides mouse events for a remote screen session. - acceptFileInfo - Prepares for file transfer - acceptFile - Writes the supplied file to disk - socks5 - Starts or ends SOCKS5 session (not implemented). - recoveryInfo - These seem like file recovery functions that involve scanning a partition.
NIUB
Description
NiuB is a golang compiled RAT which mainly targets *nix based systems and servers. It was first seen in October 2020 during which it targeted Oracle Weblogic that were vulnerable to CVE-2019-2725. The malware collects information about the infected machine and sends it to the C2 server. It can execute shell commands and download and execute other malicious binaries.
MIRAI
Description
Mirai scans the Internet for IoT devices that run on the ARC processor. This processor runs a stripped-down version of the Linux operating system. If the default username-and-password combo is not changed, Mirai is able to log into the device and infect it. As the source code is available, it has given birth to variants such as the Okiru, the Satori, the Masuta and the PureMasuta. The PureMasuta, for example, is able to weaponize the HNAP bug in D-Link devices. The OMG strain, on the other hand, transforms IoT devices into proxies that allow cybercriminals to remain anonymous. The botnet performs the following functions 1. Launch both HTTP flood and network-level attacks 2. Upon infecting a device, Mirai looks for other malware on that device and wipes it out, in order to claim the gadget as its own
FRPTOOL
Description
frp is a fast reverse proxy that helps expose a machine behind a NAT or firewall to the Internet. Used in Alchimist as part of the tools in the server.
MOLERAT
Description
Molerat target government organizations around the world, largely been associated with attacks involving unauthorized access and sensitive data collection. Description Molerat target government organizations around the world, largely been associated with attacks involving unauthorized access and sensitive data collection. MoleNet enabled the attackers to profile the OS of the infected machine and submit the resulting information to the C2. The malware also came with the ability to download additional payloads from the C2 and to establish persistence using PowerShell. Malware has the following capabilities: Information sends to C2 server. Upload collected data. Screenshot.
CHROPEX
Description
Chropex is a browser hijacker that can modify the victim's web browser settings to show search results that promote unwanted software, fake giveaways and surveys, and adult games and dating sites. The Chrome variant sideloads a malicious Chrome extension with the purpose of hijacking browser activity and delivering custom ad content. Typically, adware shows advertisements that do not originate from the websites you are visiting.
PHORPHIEX
Description
Phorphiex is a worm which spreads via network and removable drives. This worm has been known since 2016. This worm affected 160 countries from December 2020 to February 2021. This malware is delivered through phishing mail with .zip or other archive file attachments or unwanted software. Worm modifying registry keys to disable firewall and antivirus functionality, overriding proxy and browser settings.This malware may download other malwares like infostealer, ransomware, Miner.
TITANSTEALER
Description
Titan is an information stealer. It may steal usernames, passwords, and other login information from web browsers, installed clients. Also, it may be designed to log keystrokes, steal clipboard data, crypto-wallet information, and more. "Titan Stealer" panel appears to be new with apparently no references online, vendor reports, or social media mentions by other researchers. Malware is distributed by hiding it in installers for pirated software, cracking tools, game cheats, code generators, etc. It is designed to log keystrokes, steal clipboard data, and information. The malware can steal information such as Operating System name, passwords, from the compromised machine and also steals saved credentials, cookies from the browser. Malware has the following capabilities: Stolen passwords, cookies Stolen Banking information Harvest data screenshots, data Gather wallet information Identity theft
GOSECRETSDUMP
Description
Gosecretsdump is a compiled binary written in the Go programming language, designed to extract information from SAM and SYSTEM backup files. This tool only functions on a localhost and is not intended for remote machine use. Gosecretsdump is an open-source GitHub project, but it can be exploited by attackers for malicious purposes.
ZARP
Description
Zarp is a network attack tool centered around the exploitation of local networks. The tool opens up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly. Zarp can be used by the attackers to gain insight into any network and leverage the sensitive information of the network for attacks.
EXEREMO
Description
Exeremo is a malware written in Go,which identifies related SSH servers, spreads the malware, adds infection markers, and executes additional payloads. Exeremo extracts usernames, hosts, and private keys used in SSH connections from compromised servers. It achieves this by issuing inline shell commands from Go functions within the binary.
PLEAD
Description
Plead is an information theft campaign with a penchant for confidential documents. Active since 2012, it has targeted Taiwanese government agencies and private organizations. The toolset includes the Plead backdoor and the Drigo exfiltration tool. Plead uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver Plead are also used as drop off points for exfiltrated documents stolen by Drigo. Plead malware is usually equipped with 5 command groups as follows. CFileManager (group number 0): commands for operation on files CFileTransfer (group number 1): commands for sending/receiving files CRemoteShell (group number 2): commands for remote shell CPortForwardManager (group number 3): commands for proxy mode No name (group number 0xFF): commands for malware control
WHITESNAKE
Description
Whitesnake is a Trojan that infiltrates systems through deceptive PDF email attachments, enabling it to pilfer sensitive data, including passwords, cookies, credit card details, screenshots, and other personal and financial information. After gathering and compressing the pilfered files, the Stealer transmits them to a Telegram bot. The WhiteSnake stealer can not only gain access to cryptocurrency wallets in designated directories but also extract data from browser extensions associated with crypto wallets.
PIKABOT
Description
Pikabot is a backdoor that gathers victim's system and network-related information via a command-and-control server. In early 2023, this malware was discovered utilizing an antidebug technique to evade detection in virtual environments. Pikabot has following capability: User/Groups information Windows build information Generic host information Domain controllers information Process information Kill process
SNAPEKIT
Description
Snapekit is a rootkit which specifically targets Arch Linux systems. It hooks various syscalls, hides its payload, and evades detection by dropping in user space while dodging analysis tools & debuggers.
FIREELF
Description
FireELF is an opensource fileless linux malware framework thats crossplatform and allows users to easily create and manage payloads.By default is comes with 'memfd_create' which is a new way to run linux elf executables completely from memory, without having the binary touch the harddrive.
MACMA
Description
Macma is a backdoor implant that installs Keylogger and AV capture components on the target device. Macma binaries contained code which could escape the Safari sandbox, elevate privileges, and download a second stage from the C2. After downloading the payload, it removes the quarantine attribute of the file to bypass Gatekeeper. It then elevated privileges to install the payload. Notable features for this backdoor include: - Victim device fingerprinting - Screen capture - File download/upload - Executing terminal commands - Audio recording - Keylogging The keylogger module creates text files of captured keystrokes from any text input field, including Spotlight, Finder, Safari, Mail, Messages and other apps that have text fields for passwords. Macma payload is perfectly functional malware capable of exfiltrating data and spying on macOS users.
GREENCAT
Description
GreenCat is a backdoor attributed to APT1. It communicates back to the web based CnC using SSL. Most of the time it is installed into %SystemRoot%Tasks or %WinDir%Tasks directories. It has the following features: 1. Interactive shell 2. Gather system information 3. Upload and download files 4. Create and kill process 5. Communicates with hard coded CnC using SSL on port 443 6. Replace windows existing services
GADGETTOJSCIPT
Description
GadgetToJScript serves as a hacking utility, facilitating the creation of payloads in multiple compatible formats, including HTA, JS, VBS, and VBA macros. The sourode is publically available in github project. The Hacktool function: Delegates are exclusively employed for initiating the execution of payloads during the deserialization process Serialized gadgets or the length of streams is dynamically calculated during runtime and automatically incorporated into the generated WSH (Windows Script Host) scripts. It generates VBS/VBA as well as JS/HTA scripts, depending on the registration-free activation of .NET-based COM components.
KANDYKORN
Description
KANDYKORN is a advanced implant found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN. This intrusion attempts to reflectively load a binary into memory on a macOS endpoint. The intrusion was traced to a Python application posing as a cryptocurrency arbitrage bot delivered via a direct message on a public Discord server. This are the capabilities of malware: Conduct encrypted command and control Conduct system enumeration Upload and execute additional payloads Compress and exfil data Kill processes Run arbitrary system commands through an interactive pseudoterminal
LINPEASTOOL
Description
linPEAS is a popular open-source script/tool used to assist in identifying potential paths for local privilege escalation on Linux and Unix-based systems. The script is designed to be run on a target Linux system, and it performs various checks and analyses to discover potential vulnerabilities or misconfigurations that could be exploited to gain higher levels of access and privileges on the system.
ZHTRAP
Description
ZHTrap is a botnet malware which exploits various existing vulnerabilities in IOT devices later doing DDos attacks.ZHTrap also uses honeypots to look for more infected devices around. Some capabilities of ZHTrap botnet are: 1. Uses TOR as C2 infrastructure 2. Ddos attacks 3. Telnet scanning 4. Exploiting multiple existing vulnerabilities in devices like Netgear, MVPower DVR etc.
RESPONDER
Description
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2. Responder also has built in Extended Security NTLMSSP and Basic HTTP authentication.
TEAMTNTWORM
Description
TeamTNT Worm is a malware that belongs to TNT group of attackers which targets misconfigured Docker environments and systems.Using malicious shell-scripts, crypto-mining worm is deployed to the misconfigured systems. Additional features of the TeamTNT related malwares: Steals AWS credentials Scans for open Docker APIs using masscan tool Tries to stop the Alibaba Cloud Security tools Contains code copied from another worm named Kinsing Deploys punk.py – A SSH post-exploitation tool,Diamorphine Rootkit. Also deploys Tsunami IRC Backdoor.
SPACECOLON
Description
Spacecolon is Hacktool which allows CosmicBeetle to disable security products, extract sensitive information and gain access to further information using any of the additional third-party tools it can access. The main component of Spacecolon used by its operators is ScHackTool. Using its GUI, it allows its operators to orchestrate the attack, downloading and executing additional tools to the compromised machine on demand as desired.
ROTTENPOTATONG
Description
RottenPotatoNG is a standalone compiled vc+ binary tool that acquires a handle to a privileged token.This is an open-source GitHub project's code, which serves a valuable purpose in penetration testing, but unfortunately, some threat actors exploit it for malicious activities.
REMCOS RAT
Description
Remcos is a Remote Access Tool developed for surveillance purposes by a company - Breaking Security. It was first seen to be sold in underground forums in 2016. It was known to be spread through phishing emails. Remcos has the following capabilities: 1. UAC bypass 2. Audio capture 3. Download upload files to and from victim machine 4. Keylogging 5. Modify registry 6. Capture screen 7. Video capture
AMASSTOOL
Description
The AmassTool provides an in-depth attack surface management framework for security professionals, offering network mapping and external asset discovery through open-source intelligence gathering. Key components include a Collection Engine for detailed attack surface mapping, the Amass Tool for command-line execution, an Asset Database for data storage, and the Open Asset Model for standardized communication of Internet-exposed assets. The project has received support from corporate entities and positive testimonials, emphasizing its value in infrastructure enumeration for tasks like external enumeration projects and attack surface assessments.
REALST
Description
The Realst is malware is used in massive campaign targeting Apple computers The malware is distributed to both macOS and Windows users in the form of fakek blockchain games using names syuch as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. The games area promoted on social media in reality game installer infect device with info stealing malware. This type of malware will steal data from victim's web browsers and cryptocurrency wallet app and send them back to threat actors using c2 (command and control). Following are the capabilities of malware : Steal browser credentials and app data ( Firefox, Chrome, Opera, Brave, Vivaldi, and the Telegram app Steal crypto wallet data Harvest keychain credentials Screen capture
PURELANDSTEALER
Description
A MacOS stealer trying to steal steal Zoom,chrome,Exodus and other cryptowallets etc. The campaign was spread by malspam which introduced them to “PureLand”. It leads to a RedLine Stealer for Windows and an unknown stealer for macOS.
COINMINER
Description
Cryptocurrency mining is a process of gathering cryptocurrency as a reward for work that you complete. Depending on the hardware and resources available, several mining methods like CPU mining, GPU mining, FPGA mining, ASC mining and cloud mining are used for coin mining. Upon verification of these mining transactions, a coin is generated using a public ledger, known as the blockchain. Coin miner is an application that mines cryptocurrency by harnessing CPU cycles (mostly servers), thereby creating a reduced device performance, overheating and increased fan activity. Leveraging the computing power for coin mining has turned out to be a digital parasite and a lucrative business model for threat actors and adware vendors using coin miner implants that eats away CPU cycles. Such mining attacks always lead to drastic consequences in a corporate environment that is always equipped with robust hardware and has an abundant power supply. The high CPU usage of corporate resources can potentially lead to disruption of critical business as the infrastructure becomes slow or unresponsive and may even result in an unexpected shutdown.
TROJANDOWNLOADERSMALL
Description
Small is a downloader trojan which downloads other malware from the attacker server. It tries to download and install any malware like keylogger,Password Stealer,damaging the victim system. The downloaded payload monitors the system network and gathers sensitive information.
BLACKCAPGRABBERTOOL
Description
BlackCapGrabber is an opensource malicious software tool designed for cybercriminal activities, including information theft and credential harvesting.It uses a dual hook technique, where the author of the code receives a copy of the stolen information, essentially stealing from the attacker using the malware.
EGGSHELL
Description
EggShell is a Backdoor that has functionality of recording the victim’s microphone, camera and keyboard, as well as the ability to upload and download files. Several custom variants of EggShell backdoor were installed on the developer’s macOS computer along with a persistence mechanism. This was done using XcodeSpy - a malicious Xcode project. The EggShell backdoors use a simple string encryption technique. Decryption involves passing an encrypted string to the [StringUtil decode:] method, which encodes the encrypted string in base64, then iterates over each byte, adding 0xf0 to it. This produces a printable ASCII character code which is then concatenated to produce the full string.
PHEMEDRONE
Description
Phemedrone is an information stealer designed to gather system information, capture files, and steal data from web browsers and applications. Phemedrone stealer is designed to work on both x32 and x64 systems. The stealer utilizes an HTTP host to send all logs, allowing the attacker to collect the stolen information remotely. The malware is equipped with configurable anti-analysis, anti-virtual machine, anti-debugger, and mutex functionalities to evade detection. It has the capability to grab various sensitive data, including cookies, passwords, autofill data, and credit card details from Chromium-based and Gecko-based browsers. Also, it can grab sessions from popular platforms like Telegram, Steam, and Discord. Moreover, it can steal files from infected systems. Malware has the following capabilities: Collection of data from browsers Grab Sensitive data Steal credit card details.
KOMPLEX
Description
Komplex is a malware created by Sofacy group to compromise individuals using OS X devices. This malware was created by the Sofacy Group and is apparently targeting the aerospace industry. Komplex waits for an Internet connection and attempts to send a GET request to Google to confirm it’s not running in an anti-analysis/sandbox environment. After confirming an active Internet connection, the Komplex payload begins carrying out its main functionality Once all components are in place and Komplex is up and running, it can download, install and execute additional malware, as well as delete files.
HEADCRAB
Description
HeadCrab is an evolving malware targeting Redis database servers since 2021, actively adapting to refine its tactics for cryptocurrency mining. HeadCrab infiltrates Redis servers, creating a botnet for cryptocurrency mining, executing shell commands, and exfiltrating data to a remote server.HeadCrab 2.0 introduces fileless loader mechanisms and uses Redis MGET command for command-and-control communications, enhancing its stealth and posing challenges for detection.
ANDROM
Description
Androm is a bot commonly employed for loading other types of malware onto a computer that has been compromised. The malware gathers information about the computer name, the name of the user who is currently logged in and details about the system drivers. That information is shared to the attacker server. malware has the ability to access and modify both files and directories, as well as the registry.
MYDOOM
Description
MyDoom is a worm affecting Windows which was first seen in 2004. It was associated with the Mtmail worm and spreads through SMTP. Most of the MyDoom emails come through emails from China. The spam emails which deliver myDoom can have the following headers: -Test -Hi -Hello -Server Report -Mail Transaction Failed -Status -Error MyDoom emails use social engineering and have attachments where extensions are faked by adding a fake extension name within the file name like Attachment.txt:exe where exe is the real extension while txt is the fake extension.
STANTINKO
Description
Stantinko group is known for targeting Windows operating systems with ongoing campaigns dating back to 2012. The group’s malware mainly consists of coin-miners and adware botnets. The attack flow of this malware is as follows 1. An infected client sends a POST or NOTIFY HTTP request to the proxy 2. The proxy parses the request and passes on a POST request to the attacker’s server 3. The attacker’s server replies to the proxy and the proxy passes on the response to the client 4. A non-infected machine sends a GET request to the proxy 5. The proxy replies with a 301 Redirect to a preconfigured URL The malware is being used as a proxy agent and is activated through some clients (the bots) also installed on compromised web servers or users’ computers around the world.
HYPERSCRAPE
Description
Hyperscrape is a tool which could be used to steal user data from google, yahoo and outlook accounts. The tool has been programmed in C# and is still under development. Threat actors use this tool in their own environment to download the inbox of the victim account with grabbed credentials.
FYSBIS
Description
Fybis implements plug-in and controller modules as distinct classes. During the installation,it attempts to gain root privileges. If it succeeds, the malware is installed in the folder /bin/.If it does not succeed, another module is installed in ~/.config/dbus-notifier as an executable file Once it is launched, the Trojan verifies that its copy is not running and that the malware itself is not launched using the command interpreter nash.It searches the active process list for the systemd process. If this process is found, it recursively traverses the “/usr/lib/systemd/” directory and checks every file for the “/bin/rsyncd” string. Otherwise, it runs a search for the “/bin/rsyncd” string within the files found in the /etc/ folder. The malware activates streams for every plug-in that waits for the package containing a command. It also activates one stream to monitor database status, and another one to exchange data with the command and control server. When it establishes a connection to the command and control server, it sets the request period time equal to the specified dwell time for the standby mode. Once the payload is received, it changes the request period to the dwell time value for the active mode.
SPECULOOS
Description
Speculoos is a backdoor that does not appear to natively be able to maintain persistence, so it is likely it requires the adversary to use a separate component or additional step to maintain their foothold. Upon execution, the payload enters a loop that calls a function to communicate with the following command and control (C2) domain over TCP/443 After successfully connecting to the C2 and completing the TLS handshake, Speculoos will perform an initial system enumeration to fingerprint the victim system then send the data back to the C2 server. After a successful response, it will enter a loop to begin receiving commands for the adversary to execute on the victim system.
BLUEBLOOD
Description
BlueBlood is a monitoring program that logs several activities in the victim machine. Blueblood is a part of FlexiSPY - an advanced spy software that allows you to intercept calls, make spy calls and capture passwords. Blue Blood keylogger module records and flags the text and sends it off to you along with a screen shot of the login page so you can see the password as it was originally typed in. Blueblood can specify individual applications and domains to be cleared of cached information, forcing the user to retype their password. This granular approach means that the user is unlikely to become suspicious as only one app or domain will ask them to enter their password again.
PANCHAN
Description
Panchan is a sophisticated peer-to-peer botnet primarily targeting Linux servers in telecom and education sectors for crypto mining using advanced infection methods via SSH key theft and brute force. It spreads across networks and has unique concurrency features to execute modules and evade detection. The malware employs an admin panel, godmode, for customized mining configurations and deploys miners directly in memory, masking its presence and complicating identification.
PAMSPY
Description
Pamspy leverage eBPF technologies to dump credentials in Linux
REDGOBOT
Description
REDGOBOT is a golang-based botnet capable of various DDoS attacks, including HTTP POST and GET flooding, ICMP and TCP Flooding and others. It can also execute anything on the victim machine.
DISKKNIGHT
Description
Disk Knight installs a file into the Windows directory and prevents the launch of any other process on the computer. Once the Disk Knight program is installed and starts protecting the computer, it will copy itself to every inserted “unprotected” USB key, making it “protected”. Furthermore, if the newly protected USB key is subsequently inserted into another computer, Disk Knight will run and install itself onto the computer, all without the user’s consent. This behavior and the lack of control from the user side makes Disk Knight a computer virus. DiskKnight installs a file into the Windows directory and creates an autorun entry for it. Once run it changes the shell variable to ensure every process is run through its own Knight application. The purpose of this program is to block applications started from external memory devices. Malware has the following capabilities: Block applications.
IODINE
Description
Iodine is a tool that lets users tunnel IPv4 data through a DNS server. The Iodine tool can be usable in different situations where internet access is firewalled, but DNS queries are allowed. Attackers might use this tool to bypass firewall rules and restrictions.
LOCKBIT
Description
LockBit Ransomware targets Windows OS to encrypt the victim's personal data. It was first seen in September 2019. It enumerates the running process and kills the process in the victim machine by comparing the hardcoded process list. Malware deleted shadow copy and recycle bin files in victims machines.
REDGHOSTTOOL
Description
RedGhostTool is a Linux post-exploitation framework, crafted to ensure seamless persistence, thorough reconnaissance, efficient privilege escalation, and a discreet departure without leaving a trace. Function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl. Function to log keystrokes of a ssh process using strace. Function to grab mass reconaissance/information on system.
SECTOPRAT
Description
SectopRAT is a sophisticated .NET Remote Access Trojan (RAT) with extensive features, including stealth functions, system profiling, data theft (browser and crypto-wallet), hidden desktop creation for browser session control, and robust anti-VM and anti-emulator capabilities. SectopRAT has following capabilities: Grabbed OS Name and Version Grabbed Graphics Card Name and Vram Size Grabbed CPU Version and Number Of Cores Grabbed victim web data(URL, Credentials) Mac Address
ARDAMAXTOOL
Description
Ardamax Keylogger tool developed by Ardamax Software and its captures and encrypts user activity for exclusive administrative access. Ardamax Keylogger captures a wide range of user activities including keystrokes, visited websites, chats, instant messages, clipboard contents, webcam, and microphone usage. Although originally a legitimate program, Ardamax Keylogger is often exploited by cyber criminals who deceive users into unwittingly installing the software, enabling them to track and monitor victims' activities.
ACCESSCHK
Description
Accesschk is windows Sysinternal tools that can be used to find out the access the users have to various resources like file, directory, registries. It can be used by adversaries to carry out reconnaissance attack.
SHELLBOT
Description
ShellBot malware targets poorly managed Linux SSH servers, using hexadecimal IP addresses to evade detection and enabling DDoS attacks and other malicious activities from compromised servers. Administrators should enforce strong, frequently changed passwords, apply the latest patches, and use firewalls to restrict access.
XEYTAN
Description
Xeytan is a keylogger first seen in 2019 and is known to be used in the Sidecopy attack against India.
REVENGERAT
Description
Revenge RAT is a post exploitation tool that is installed on the victim machine. Revenge RAT can monitor keystrokes, capture cameras, steal credentials, modify registry and file system and take screenshots. It was first seen publicly in 2016. The RAT has been compiled with .net compiler. The RAT is delivered through malspam or downloaded by other malwares. Revenge RAT can also execute other malwares and it can ingest other malwares into the system. The RAT can even be used in DDOS attacks. Revenge RAT also checks for the presence of Antiviruses and security tools and does not activate if it finds the presence of these. The campaigns that involve Revenge RAT hide their communication and use Dynamic Domain Name System (DDNS) to hide their communication with CnC servers. It is also known to abuse portmap to hide the CnC communication. Revenge RAT has the following capabilities: 1. Screen capture 2. Keylogging 3. Video capture 4. Credential dumping 5. Audio capture Below is the list of commands: 1. PNC: Reset the stopwatch 2. P: Send the active windows to the CnC 3. IE: Check for installed plugins 4. LP: Invoke plugin 5. UNV: uninstall, restart the RAT
NETSUPPORTMANAGERRAT
Description
NetSupportManagerRAT is a legitimate remote application tool that cybercriminals exploit for nefarious purposes. Various threat actors are currently utilizing NetSupport RAT, which has been observed being distributed through spam emails cleverly disguised as invoices, shipment documents, and purchase orders. Once RAT is installed, the threat actor obtains full control over the compromised system. This RAT offers a range of default features, including remote screen control, system control functionalities like screen capturing, clipboard sharing, web history collection, file management, and executing commands. Consequently, the threat actor can engage in a multitude of malicious activities, such as extracting user credentials and installing supplementary malware.
NGROK
Description
Ngrok is a cross-platform software mainly used for tunneling and file sharing. Ngrok is a secure tunnel from a public endpoint to a locally running web service. Ngrok captures and analyzes all traffic over the tunnel for later inspection and replay.
3PARARAT
Description
3Para is a Remote access Trojan coded in VC++ associated with Putter Panda(APT 2) threat actor. The RAT is a DLL with exported filename as ssdpsvc.dll, msacem.dll, mrpmsg.dll. The RAT creates a file mapping with name “&*sdKJfhksdf89*dIUKJdsF&*sdfsdf78sdfsd” to avoid multiple instance of the RAT running in the system. The malware used a byte-wise subtraction-based algorithm to decode details of CnC server. The RAT remains dormant in order to avoid Sandbox detection. 3PARA RAT uses HTTP for communication with the CnC. Following commands are used by 3PARA RAT: 1. CCommandAttrib - retrieve file attributes on the system 2. CCommandCD - Change current working directory 3. CCommandCMD - execute command on victim 4. CCommandNOP - List current working directory
OCEANLOTUS
Description
OSX.OceanLotus is a general purpose backdoor attributed to a Vietnamese APT. It is spread through malicious documents with an obfuscated macro that triggers a dropper, which in turn fetches the backdoor as the final payload. OceanLotus was responsible for targeted attacks against organizations from industries such as media, research, and construction. The sample arrives as a bundle in a zip archive. It uses the icon of Word Documents. OceanLotus has the following capabilities: 1.he app bundle and dropper delete themselves after execution 2.The backdoor changes the permission of the file it wants to execute to +x 3.Readable strings were encrypted 4.The app bundle is disguised as a doc file to trick users into executing it. 5.The backdoor modifies the date and time of the dropped files using the “touch” command 6.The backdoor collects various information to send to the C&C server 7.The backdoor encrypts the data before exfiltration
ENUM4LINUXTOOL
Description
Enum4linux is a tool for enumerating information from Windows and Samba systems.It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup.
RUBEUS
Description
Rubeus is a C# toolset for raw Kerberos interaction and abuses. Rubeus doesn't have any code to touch LSASS, so its functionality is limited to extracting Kerberos tickets through use of the LsaCallAuthenticationPackage() API. From a non-elevated standpoint, the session keys for TGTs are not returned (by default) so only service tickets extracted will be usable (the tgtdeleg command uses a Kekeo trick to get a usable TGT for the current user). In a high-integrity context, a GetSystem equivalent utilizing token duplication is run to elevate to SYSTEM, and a fake logon application is registered with the LsaRegisterLogonProcess() API call. This allows for privileged enumeration and extraction of all tickets currently registered with LSA on the system, resulting in base64 encoded .kirbi's being output for later reuse. It support the following functionalities - Ticket requests and renewals - Constrained delegation abuse: - Ticket Forgery - Ticket management - Ticket extraction and harvesting - Roasting
BABARRAT
Description
Babar threat is capable of injecting its code in active processes, obtain files from specific directories, and execute remote commands. Description Babar threat is capable of injecting its code in active processes, obtain files from specific directories, and execute remote commands. Babar malware, as there was not sufficient data on its activity and features. Upon Researcher result, the creators of the Babar threat would often utilize it alongside another one of their custom-made hacking tools called Trojan.EvilBunny. The Babar malware is a RAT (Remote Access Trojan), whose main goal is carrying out reconnaissance operations. Once the Babar malware has infected the targeted system, the Babar RAT may remain active for prolonged periods, sometimes even months, and operate silently. The Babar would use various tricks to gain persistence on the compromised PC, even if the system is rebooted, and evade detection by firewall utilities and anti-malware applications that may be active on the host. Malware has the following capabilities: Collect the keystrokes. Collect sensitive data.
MELOFEE
Description
Melofee is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, SelfForwardServer,a file transfer and port forwarding tool, and a Command and Control (C2) server. This malware is linked to chinese state sponsored APT groups, in particular the notorious Winnti group.
PTERODO
Description
Pterodo is a backdoor that enters a system either as a file dropped by another type of malware or as a file that users unknowingly download when visiting malicious websites.This malware has been associated with a Russian-based espionage group, known as Shuckworm, Armageddon or Gamaredon, which has primarily focused on targeting Ukraine since 2014. This trojan is primarily used for information gathering, but it is likely that it can be used for other malicious purposes as well. This is a possibility because Pterodo malware attacks are frequently being updated to evade AV/EDR detection and operate more efficiently.
ONIONPOISON
Description
Onionpoison is a threat group that sends youtube videos with malicious links to the victims. Once the payload gets downloaded via the malicious link, it starts stealing sensitive data from victim and sends that data to c2 server The payload malware has the following capabilities: Computername MAchine Guid Current username MAC address of network adapters Running process Browser history Installed software details
FAKEAV
Description
FAKEAV is a trojan gains access to systems via compromised websites, spammed links, manipulated search results, malicious content on social media, and misleading ads, frequently assisted by the download of other malware. Multiple actors contribute to the dissemination of FAKEAV malware. In addition to the creators of the fraudulent anti-malware file, there are traffic redirectors, site compromisers, bot herders, exploit kit creators, and other entities in the cybercriminal underground ecosystem that play a role in promoting and profiting from FAKEAV operations. This Trojan utilizes registry shell spawning by introducing specific registry entries, enabling it to run concurrently with other applications, ensuring persistence and continuous execution.
CADDYWIPER
Description
Caddywiper is a wiper that wipes data from disk rendering the system useless known to be used against Ukraine. It also wipes the MBR in the process of wiping. Caddywiper is spread through Microsoft Group Policy(GPO). Before wiping the data it makes sure that the system is not a domain controller using DsRoleGetPrimaryDomainInformation API.
QUICKBOOKSDOWNLODER
Description
QuickBooksDownloder scamming malware is spreads via Google Ads and its enabling attackers to remotely access victims' machines, exfiltrate sensitive data, and plant backdoors. Ongoing phishing attacks aimed at QuickBooks customers involve impersonating the company and enticing them with fraudulent account suspension warnings. Phishing messages impersonating the QuickBooks support team claim that due to unverified information on the recipient's account, a temporary hold has been placed, prompting them to click a "Complete Verification" button that leads to a phishing site harvesting personal information or distributing malware. QuickBooks clarifies that the sender is unauthorized and not associated with Intuit.
EARTHWORMTOOL
Description
EarthwormTool is a comprehensive set of portable network penetration tools, featuring two core functions: SOCKS v5 service establishment and port forwarding which facilitates complete network penetration in complex network environments.Utilizing "forward," "reverse," and "multi-level cascading" techniques, EW can open up network tunnels, overcoming network restrictions and loosening soil for firewalls. However, due to its significant negative impact, further updates have been permanently halted. The toolkit offers various executable files tailored for different operating systems like Linux, Windows, MacOS, and Arm-Linux, with ongoing maintenance for additional platform support. An example of a command using the tool is as follows we:exe -s rssocks -d [ip address] -e [port number]
PAEXEC
Description
Paexec is an open source remote application tool as a substitute to microsoft application, PsExec. This tool supports copying files, remote execution and full access to any Windows machine. The attackers could abuse this tool to gather some sensitive information from victims' machine.
DCRAT
Description
DCRat is a C# program and an open source remote access tool(RAT) that can be used to monitor and access computers remotely. This malware is delivered through a MS office file that contains a malicious macro script.It also steals sensitive data from the victim machine and sends the data to the attacker C2C. The following access are available in DCRat: Get clipboard data screenshot Monitoring and access the process WebCam Access Keylogger Shutdown or restart machine Install or uninstall new application TCP/UDP network trace
SYSTEMBC
Description
Systembc is a Remote Access Trojan which is spread through other malware like emotet or SmokeLoader. This threat was identified in 2019. This malware acts as a proxy and downloads other malwares via proxy internet and installed in victime machines and also communicates with the C&C server via the Tor network.
CORDMIX
Description
Cordmix is a trojan that silently downloads and installs other programs without user knowledge. Description Cordmix is a trojan that silently downloads and installs other programs without user knowledge. This could include the installation of additional malware or malware components to an affected computer. This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Malware has the following capabilities: Receive instruction from a remote attacker. Upload data taken from the affected computer. Receive configuration or other data.
OOPSIE
Description
OopsIE is a tool employed by the threat actor group OilRig, allowing them to remotely execute commands on compromised systems and transfer files to and from the victim's machine. The OopsIE Trojan is typically delivered to its intended victim, often through a link embedded in a spear-phishing email. The Trojan was obtained directly from the command and control server associated with OopsIE, indicating that this server served a dual purpose, including staging.
FREEZETOOL
Description
Freeze.rs is a specialized payload creation tool designed to bypass EDR (Endpoint Detection and Response) security measures, enabling the discreet execution of shellcode. This tool employs a variety of tactics not only to eliminate Userland EDR hooks but also to execute shellcode in a manner that evades detection by other endpoint monitoring systems.
BUMBLEBEE
Description
Bumblebee is a malware which is linked with several threat groups.The Bumblebee is used as a replacement for BazarLoader malware. Bumblebee downloads malwares like Cobalt Strike,Sliver,Ransomware etc. It also steals sensitive data from victim machine and sends the data to the attacker C2C.
MAMI
Description
MaMi is a malware that attempts to hijack victim's DNS requests by injecting its own DNS servers into an infected system. It also installs a malicious root certificate authority (root CA) so that secure HTTPS requests can also be hijacked by the malware without scary warnings appearing in the victim’s browsers. The combination of hijacking DNS and injecting a root CA make it possible for the malware creator to engage in “man-in-the-middle” (MitM) attacks against a victim. An attacker could potentially do things such as spy on everything a victim does online, see every bit of data typed into “secure” Web forms, and inject malware or advertisements into any Web page (even if the page uses HTTPS). The malware also appears to have the capability (or at least incomplete attempts at adding the capability) to execute AppleScript code, simulate mouse clicks, and take screenshots. It also appears to contain code for installing a method of persistence called a LaunchAgent.
NOMERCY
Description
NoMercy is a malware which could be used to gather sensitive information from the victim machines. This stealer often collects screenshot, keystrokes, webcam photo, Running process, Installed application, Device audio, and network information to send to the attacker server.
SUBFINDERTOOL
Description
SubfinderTool is a specialized subdomain discovery tool designed for passive reconnaissance where it efficiently retrieves valid subdomains associated with a target domain from various online sources. With a modular architecture, compliance with licenses, and an emphasis on speed, Subfinder is favored by penetration testers and bug bounty hunters for its effectiveness in subdomain enumeration.
POWERSHDLL
Description
PowerShdll is a tool that operates without the need for direct access to powershell:exe, as it leverages PowerShell automation DLLs. When a payload is embedded, all other arguments will be disregarded, and the payload will be executed when PowerShdll is run. The source code for this tool can be found on a GitHub project. Malicious actors have misused this tool to execute malicious files.
RUNNINGRAT
Description
RunningRAT is a trojan that gives cybercriminals the ability to remotely access and control a victim's computer. RAT has the following capabilities: Keylogger Delete files Compress files Clear event logs Restart/Shutdown the victim computer Copy clipboard data
WEBC2
Description
WebC2 backdoors are often packaged with spear phishing emails. This backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags to interpret the data between the tags as commands. Older versions of WEBC2 read data between HTML comments. Over time, WEBC2 variants have evolved to read data contained within other types of tags. WEBC2 backdoors typically give APT threat actors a short and rudimentary set of commands to issue to victim systems, including: 1. Opening an interactive command shell (usually Windows’ cmd:exe) 2. Download and execute a file 3. Sleep (i.e. remain inactive) for a specified amount of time APT threat actors were using WebC2 backdoors as early as July 2006. Some of the known WebC2 families are 1. WEBC2-AUSOV 2. WEBC2-ADSPACE 3. WEBC2-BOLID 4. WEBC2-CLOVER 5. WEBC2-CSON 6. WEBC2-DIV 7. WEBC2-GREENCAT 8. WEBC2-HEAD 9. WEBC2-KT3 10. WEBC2-QBP 11. WEBC2-RAVE 12. WEBC2-TABLE 13. WEBC2-TOCK 14. WEBC2-UGX 15. WEBC2-YAHOO 16. WEBC2-Y21K
GIMMICK
Description
Gimmick is a multi-platform malware that heavily abuses Google Drive services and is used by a Chinese espionage group to carry out attacks in Asia. There are three custom ObjectiveC classes in the malware that manage critical aspects of the C2 protocol: DriveManager, FileManager, and GCDTimerManager. DriveManager has the following functions: - Manage the Google Drive and proxy sessions. - Maintain a local map of the Google Drive directory hierarchy in memory. - Manage locks for synchronizing tasks on the Google Drive session. - Handle download and upload tasks to and from the Google Drive session. The malware also creates several named dispatch queues for managing specific C2-related tasks - SendBaseinfoQueue - list_request_queue - ls_cmd_queue - ReadCmdQueue - CredsCheck - DriveClearTrashQueue - DriveDownQueue - DriveUploadQueue - DriveFailUploadQueue - fileListQueue
LINENUMTOOL
Description
Linux enumeration tools for pentesting and CTFs This shell script will show relevant information about the security of the local Linux system, helping to escalate privileges. It can also monitor processes to discover recurrent program executions. It monitors while it is executing all the other tests so you save some time.
JASKAGO
Description
JaskaGO is malware stealer developed using Golang it can mimic legitimate software installers and various security tools, making JaskaGO a particularly stealthy threat to both Windows and macOS operating systems. The malware is equipped with an extensive array of commands from its Command and Control (C&C) server. JaskaGO can persist in different methods in infected system. This malware has following capabilities : Anti VM Browser stealer Crypto currency stealer Can steal data such as files on the system For the macOS : disable Gatekeeper Create .plist for persistence in /Library/LaunchDaemons/
NPSTOOL
Description
NPS is a lightweight, high-performance, powerful intranet penetration proxy server, with a powerful web management terminal. IT is a a port forwarding and intranet penetration proxy server.
BOOMMIC
Description
BOOMMIC is a shellcode downloader written in C that communicates over HTTP to co-opted infrastructure used for C2.APT29 was observed leveraging BOOMMIC to further establish a foothold within the environment. APT29 executed BOOMMIC through DLL Side Loading of a modified version.dll by a legitimate Java binary, jucheck:exe.
TOFSEE
Description
Tofsee is a trojan that is capable of performing DDoS attacks, mining cryptocurrency, sending spam emails, and stealing account credentials. Tofsee delivered through phishing mail or third party bundle software. After reaching victime machine it spreads themselves via social media like Twitter, Facebook, Skype and USB drives. Additionally tofsee tries to install crypto mining applications and used victime machine for mining purposes.
HACKTOOL
Description
Hacktool is typically a program, crack, or keygen used by hackers for activating/installing pirated software or to gain access to a computer without authorization. HackTool programs are used to create new users in the list of permitted system visitors, and to delete information from system logs in order to hide the malicious user’s presence on the system. Hacking tools have different capabilities that have been designed to penetrate systems. These programs are also used to analyze and collect network packets to carry out specific malicious actions. Malware has the following capabilities: Disable system utils. Downloads file Compromise web servers Steal credentials and cookies from web browsers.
WOODYRAT
Description
Woodyrat is a remote access trojan that steals sensitive information from the target machine. This trojan spreads through phishing emails with attachment either archive or office document file. After its successful installation, it collects victim information like OS, computer name, username, OS build version, running process list, powershell info, antivirus software. Later, the information is sent to the attacker server.
GMERTOOL
Description
GMER is a security tool developed by a reputable security researcher, designed to identify and eliminate rootkits. GMER is a legitimate and free security tool designed to detect and remove rootkits from Windows-based systems. Rootkits are malicious software that hide themselves and other malware on a computer, making them difficult to detect. It is a powerful tool, but it should be used with caution and by experienced users, as it deals with low-level system components.
EXPLOITSCANTOOL
Description
Exploitscantool is used for advanced scanning capabilities to identify potential vulnerabilities and provides a platform for executing exploits, enabling users to demonstrate the impact of identified vulnerabilities and assess the system's resilience against attacks.Designed specifically for Linux environments, the ExploitScan Tool seamlessly integrates with existing systems, ensuring compatibility and ease of use for Linux-based users.
BABUK
Description
Babuk Ransomware targets Windows OS to encrypt the victim's personal data. It was first seen in 2021. This malware has a separate extension list of files to be encrypted. The source code of malware is available publicly.
ICEFOG
Description
Icefog is an advanced persistent threat that has been active since at least 2011, targeting mostly Japan and South Korea. The known targets include governmental institutions, military contractors, maritime and shipbuilding groups, telecom operators, industrial and high-tech companies and mass media. The name “Icefog'' comes from a string used in the command-and-control server name in one of the samples. The command-and-control software is named “Dagger Three'', in the Chinese language.The “Icefog” backdoor set (also known as “Fucobha”) is an interactive espionage tool that is directly controlled by the attackers. There are versions for both Microsoft Windows and Mac OS X.
WELLMESS
Description
WellMess is a malware found in Windows and Linux which can communicate to the C2 server over HTTP, HTTPS and DNS. This malware allows a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system. The tags, value and description of the cookie is listed below Tag Value Description head G Send a beacon to the C2 to maintain the connection head C Start downloading multiple chunks of data from the C2 Title integer The number of chunks to be downloaded from the C2 when in C mode service p Calculate a new AES key and send it to the C2 service f Tells the malware the received data is to be decoded as base64 rather than UTF8 service u Updates the user agent used in communications to be a string sent from the C2 service m Updates the maximum size of data to be sent in one POST request to the C2 service hi Updates the wait time used by the G tag service pr Changes the enabled protocol list service fu Writes a file to the victim Service fd Sends a file from the victim to the C2 service No Value The contents from the C2 are executed as either command line or PowerShell script commands.
YTDOWNLOADER
Description
YTDownloader is an adware program that displays pop-up ads and unwanted advertisements not originating from the sites you are browsing. YTD Video Downloader is advertised as a program that will allow you to easily download videos from YouTube. Though this may sound like a useful service, the YTD Video Downloader program can be intrusive and will display advertisements whether you want them to or not. These YTD Video Downloader advertisements developed by GreenTree Applications will be shown as boxes containing coupons, as underlined keywords (in-text ads), pop-up ads or advertising banners.
RATTEGORAT
Description
RattegoRAT is a binary written in the Go programming language, capable of monitoring and executing commands on a victim's machine.This binary was detected in early January 2024. This RAT has the capability to monitor networks and extract sensitive data from the victim's system.
SHELLCODELOADER
Description
ShellcodeLoader can effectively evade antivirus software by executing malicious code while remaining undetected.This open-source GitHub project offers a versatile array of loading modes, providing 13 options for 32-bit systems and 12 for 64-bit systems. These various loading modes can be exploited by threat actors to carry out malicious activities.
HANCITOR
Description
Hancitor is a malware loader that can install other malwares on the victim machine. The malware also has infostealer capabilities. Hancitor uses tools like cobalt strike with DLL binary executed using rundll32. Hancitor is known to download other malwares which includes Pony and Ficker Stealer. The malware is also known to have a malspam component which can send spam mails in bulk.
BLACKNET
Description
Blacknet is a Remote Access Trojan(RAT) that adds the victim machine to the Blacknet botnet and is capable of keylogging, password stealing. It is known to reuse code from limelogger keylogger, Plasma RAT and Chrome Retriever, XMRMiner etc . It has the following capabilities: 1.Keylogging 2.Password stealing from various apps which include browsers, FTP, bitcoin wallets. 3. Capture screenshots and send to the attacker Blacknet is compiled to mimic svchost. It has anti-vm and anti-analysis techniques.
EXPLOIT
Description
An exploit is a code that takes advantage of vulnerabilities for malicious purposes. Exploits target vulnerabilities, which are essentially flaws or weaknesses in a system's defenses. Common targets for exploits include operating systems, web browsers, and various applications, where hidden vulnerabilities can compromise the integrity and security of computer systems. Exploits can cause unintended or unanticipated behavior in systems, potentially leading to severe security breaches.
GANIW
Description
Ganiw is a malware which conducts various types of Ddos attacks.It mostly targets MIPS architecture. Some features of GANIW: 1. DNS amplification 2. Ddos attacks 3. Targets vulnerable DNS servers 4. Hard coded IP addresses
DAIRY
Description
Dairy is a backdoor used by APT1 that can be used to download files, list processes etc. It also provides reverse shell capabilities which can aid the attacker to connect to the victim machine. The malware can also aid itself to the configuration files which are present in the whitelisting apps of Windows Firewall.
BANNERGRABBERTOOL
Description
A banner grabber tool is a network utility used to extract information, like service details and version numbers, from a remote server or service by making initial contact and analysing the response headers. It aids in understanding the target system's configuration and can be valuable for security assessments. Banner grabbing helps identify potential vulnerabilities and improve overall network security.
WOLFSBANE
Description
WolfsBane backdoor uses a modified open-source BEURK userland rootkit to hide its activities. This rootkit abuses the LD_PRELOAD mechanism to load itself into new processes.
CLOUDBRUTE
Description
CloudBrute is a utility designed to locate a company's infrastructure, files, and applications across major cloud providers like Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, and Linode, serving as a valuable resource for bug bounty hunters, red teamers, and penetration testers.The threat actor employed this tool to pinpoint vulnerabilities in the victim machine. Features of this tool: Cloud detection (IPINFO API and Source Code) Supports all major providers Black-Box (unauthenticated) Fast (concurrent) Modular and easily customizable Cross Platform (windows, linux, mac) User-Agent Randomization Proxy Randomization (HTTP, Socks5)
CHROMELOADER
Description
Chromeloader is a browser extension trojan that hijacks victim search queries. It was first seen in January 2022.This chrome extension serves as spyware, adware, and also collecting all search queries from the victim machines. It also redirects or shows advertisements based on victim query.
NCAT
Description
Ncat is a versatile network tool, can be exploited by threat actors to surreptitiously monitor victim machines through both connect and listen modes. The tool is accessible for free on the internet. Netcat utility program offers an extensive array of commands for network management and monitoring traffic data flow between systems. Ncat has following capabilities: Port Scanning with Netcat Commands Create a Chat or Web Server Verbose Scan with Netcat Commands HTTP Requests with Netcat Commands TCP Server and TCP Client Commands ITEM with NetCat Commands Prevent DNS Lookup with Netcat Commands Shell Scripting with Netcat Launching Reverse (Backdoor) Shells
XMRIG
Description
Xmrig is an open sourced Monero CPU Miner used to mine Monero cryptocurrency. It is supported in multiple operating systems like Windows, Linux and MacOS. Of all the mining-based currency models, Monero miner is most commonly used and deployed by threat actors. Monero is a preferred choice because of the following: 1. Privacy – Monero supports Stealth Addresses and Ring Confidential Transactions to apply privacy to every single transaction 2. Faster Block Computation – Traditionally Monero blocks are produced at an average of every 2 minutes, and Bitcoin blocks are produced at an average of every 10 minutes 3. Mining – Monero provides an egalitarian mining process and also the feasibility of CPU mining and browser-based mining for generating coins yielding a profitable revenue to its users The command line options supported by XMRIG miner are as follows -a, --algo=ALGO specify the algorithm to use Cryptonight, Cryptonight-lite, cryptonight-heavy -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user=USERNAME username for mining server -p, --pass=PASSWORD password for mining server --rig-id=ID rig identifier for pool-side statistics (needs pool support) -k, --keepalive send keepalived for prevent timeout (needs pool support) --nicehash enable nicehash.com support --tls enable SSL/TLS support (needs pool support) --tls-fingerprint=F pool TLS certificate fingerprint, if set enable strict certificate pinning -r, --retries=N number of times to retry before switch to backup server (default: 5) -R, --retry-pause=N time to pause between retries (default: 5) --opencl-devices=N list of OpenCL devices to use. --opencl-launch=IxW list of launch config, intensity and worksize --opencl-strided-index=N list of strided_index option values for each thread --opencl-mem-chunk=N list of mem_chunk option values for each thread --opencl-comp-mode=N list of comp_mode option values for each thread --opencl-affinity=N list of affinity GPU threads to a CPU --opencl-platform=N OpenCL platform index --opencl-loader=N path to OpenCL-ICD-Loader (OpenCL.dll or libOpenCL.so) --print-platforms print available OpenCL platforms and exit --no-cache disable OpenCL cache --no-color disable colored output --variant algorithm PoW variant --donate-level=N donate level, default 5% (5 minutes in 100 minutes) --user-agent set custom user-agent string for pool -B, --background run the miner in the background -c, --config=FILE load a JSON-format configuration file -l, --log-file=FILE log all output to a file -S, --syslog use system log for output messages --print-time=N print hashrate report every N seconds --api-port=N port for the miner API --api-access-token=T access token for API --api-worker-id=ID custom worker-id for API --api-id=ID custom instance ID for API --api-ipv6 enable IPv6 support for API --api-no-restricted enable full remote access (only if API token set) --dry-run test configuration and exit -h, --help display this help and exit -V, --version output version information and exit Leveraging the computing power for Monero coin mining is turning out to be a lucrative business model for threat actors and adware vendors. The advantage of being anonymous with Monero has induced this adoption as threat actors always prefer to stay under the radar.
METASPLOIT
Description
Metasploit is a widely-used open-source penetration testing framework that assists security professionals in identifying and exploiting vulnerabilities in computer systems and networks. It offers an extensive collection of exploits, payloads, and auxiliary modules to conduct security testing and research. Metasploit allows ethical hackers and researchers to assess the security posture of target systems and help organizations enhance their defenses against potential threats. However, it must be used responsibly and legally with proper authorization to avoid any unauthorized or malicious activities.
SEATBELT
Description
Seatbelt is a hacktool that has the capability to collect the system and user data. Seatbelt:exe is part of the GhostPack suite of tools that will perform a lot of “safety checks” on the Windows host and collect system data that could be useful for potential privilege escalation or persistence methods. The following command will run all checks on the system and store the output in a file. Malware has the following capabilities: Steal user data. Collect System data.
SUDOKILLERTOOL
Description
SUDO_KILLER is a tool that can be used for privilege escalation on linux environment by abusing SUDO in several ways. The tool helps to identify misconfiguration within sudo rules, vulnerability within the version of sudo being used (CVEs and vulns) and the use of dangerous binary, all of these could be abused to elevate privilege to ROOT.
BOOTKITS
Description
Bootkits write to the MBR to gain persistence at a level below the operating system. Description A bootkit is malicious code that runs before the OS boots. The main goal of a bootkit is to gain a foothold in the system and shield other malware from detection by security tools. Bootkit malware for attacks on BIOS-based devices can be injected directly into the MBR, VBR, or IPL. A bootkit can also be embedded into the firmware itself. Bootkit delivery route is through websites, including the drive-by compromise technique. It often creates the environment for the stealthy introduction of kernel-level rootkits. Malware is distributed by hiding it in installers for websites. The malware can target such as MBR and take control of VBR or UEFI, from the compromised machine and also steals data and gathers information. Malware has the following capabilities: Target Master Boot Record Gathering information Control Volume Boot Record, or UEFI Escalation of system privileges. Steal data from online gaming accounts
STRATUSREDTEAMTOOL
Description
Stratus Red Team is an advanced, cross platform self-contained binary tool meticulously crafted for simulating detailed offensive attack techniques, specifically tailored for cloud environments.It facilitates the rigorous validation of threat detection rules by providing a seamless means to execute attacks, such as the nuanced act of stopping a CloudTrail Trail for Defense Evasion. Its comprehensive approach includes mapping attack techniques to the MITRE ATT&CK framework, ensuring a standardized and insightful evaluation of security measures. Developed by Datadog, Stratus Red Team stands out as a sophisticated tool for enhancing cloud security through targeted testing and validation.
FFRAT
Description
FFRat is used to gain access to networks, facilitate the distribution of malware, establish communication with command and control servers (C&C), and extract data. This RAT propagates via targeted phishing emails. It collects data on the victim's current operating system and scans for prevalent security measures, such as antivirus or anti-malware software. FF-RAT, a proxy-aware Remote Access Trojan (RAT), has demonstrated its efficacy in targeted assaults across diverse sectors, including government, aerospace, gaming, IT, and telecommunications.
DARKCOMET
Description
Darkcomet is a RAT that has the capability to collect sensitive data from victims. This RAT gets silently installed on the victim machines. The RAT spies network activities, steals credentials and disables antivirus programs. This RAT gets delivered via trojans, unwanted third party software bundles and phishing emails.
HTTPDOSTOOL
Description
HttpDoSTool typically refers to a tool or software used for Denial of Service (DoS) attacks, which are malicious attempts to disrupt the regular functioning of a network or server by overwhelming it with a flood of traffic or requests. They can be used to target websites, online services, or computer systems, causing them to become unresponsive or slow down significantly.
EPICENTERRAT
Description
EpicenterRAT is a Remote Access Trojan first seen around 2016 and known to be used in the SideCopy attack. It has the following capabilities: -It can uninstall itself -reboot and log off system -gather system information -gather list of antiviruses installed on system -redirect keyboard and mouse activities to itself
INTELLIADMIN
Description
IntelliAdmin is a remote administrator tool which could be used by threat actors to perform malicious activities.This tool is distributed by attackers through spam emails or file sharing, alongside other malware. Once it is installed on a victim's machine, the attacker is able to gain complete access to it. They can then upload and download files, execute shell codes, and monitor the victim's activities.
CRIMSONRAT
Description
Crimson RAT is a remote access trojan targeted against Indian diplomatic and military organizations. It was first seen in 2016. It was also used against financial, healthcare and space technology sectors. Crimson RAT is coded in the .net programming language. It was spread using spam campaigns. It is capable of stealing system information and credentials, taking screenshots, executing commands, log keystrokes etc. It uses a customized protocol for CnC communication. Following is the list of some important CnC commands associated with Crimson RAT: 1. Getavs - list of running antiviruses 2. Thumb - get thumbnail image 3. Filez - get file meta info 4. Dowf - download file from CnC 5. Cscreen - take screenshot 6. Screen - screen capture continuously 7. Runf - execute command
PROMETEI
Description
Prometei is a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool. The botnet has more than 15 executable modules that all get downloaded and driven by the main module, which constantly communicates with the command and control (C2) server over HTTP. Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.
SNOWLIGHT
Description
SNOWLIGHT is a sophisticated Linux-based downloader utilizing raw sockets to establish communication with a command-and-control server over TCP port 443 where it employs a binary protocol for communication, with some variants using a fake HTTP header initially. Upon successful connection, it downloads a secondary ELF file, which is XOR decoded and executed directly into memory using Linux's sys_memfd_create and fexecve functions, avoiding disk writes.
SPECTRALBLUR
Description
SpectralBlur is backdoor which is linked to TA444 APT group & early iteration of KANDYKORN (aka SockRacket).
SIGLOADER
Description
SigLoader is a tool that allows for the modification of authenticode signed PE files, such as exe or dll, by embedding data without breaking the file signature or integrity checks.SigInject is a tool that encrypts and injects shellcode into a PE file's certificate table while preserving the file's signature and certificate validity. The encryption key is outputted for use with SigLoader, a basic loader that takes the modified PE file path and decryption key as inputs. SigLoader then extracts and decrypts the embedded shellcode, making it available for use with a shellcode injection technique of your choosing.
VANILLARAT
Description
VanillaRat is a sophisticated remote administration tool developed in C#, designed for monitoring a target machine's network activities, processes, and additional functionalities.The source code is openly accessible on the GitHub project, making it susceptible to misuse by threat actors for malicious purposes. The rat has following capabilities: Remote Desktop Viewer File Browser (Including downloading, drag and drop uploading, and file opening) Computer Information Hardware Usage Information (CPU usage, disk usage, available ram) Screen Locker Live Keylogger Clipboard Text Audio Recorder Process Killer Remote Shell
CHINA CHOPPER
Description
China Chopper is a webshell that helps attackers to maintain access and control on compromised web servers. It was mostly observed to be installed in Microsoft IIS web servers and Apache web servers. These web servers were mostly compromised using file inclusion or remote code execution in the Oracle weblogic or Wordpress web applications hosted on these web servers. The China Chopper provides a user interface to the attacker with which the attacker can execute malicious activities on the compromised web server.The attackers can execute remote command host malwares on the compromised servers and leverage it for any other malicious activities.The shell provides the attackers the capability to access the files and database hosted on the server. The webshell generates server side code that can be added to target websites.
SNOOPY
Description
Snoopy is a backdoor trojan that can be executed both as a command line tool and as a daemon (though it needs to be launched with the -d flag for that). The backdoor’s internal version is 3.0.1-2.20170303. It opens HTTP and/or DNS services on a compromised system, and allows tunneling of the traffic, operating both as a reverse SOCKS5 proxy server, and client. When run with -h option, the tool prints the following syntax: Usage: rrtserver [OPTIONS] -h option will print out the usage above -d will run the tool as daemon -s allows to specify a server address to bind the listening socket to, its port number, and what protocol is used (-s IPv4[:PORT:{udp|tcp}:{dns|http|none}]) The backdoor initiated components are: view-shell : pty (pseudo terminal) that allows remote shell view-file : file manager that accepts three commands - get, put, others view-proxy : proxy server that accepts the following commands: 'exit' or 'quit' - quit proxy server, 'socks5' - starts SOCKS5 proxy server, 'rcsocks-cmd: socks is closed.' - closes SOCKS proxy. view-pipe : p2p communicator,that receives commands 'pwd', 'exit', 'quit', 'connect' view-myproto : 'ping'/'pong' depending on a flag "rrootkit-negotiation: hello", "rrootkit-negotiation: ok, go on". loop-notifier – creates a pipe, a data channel for inter-process communication (IPC)
ZGRAT
Description
zgRAT is a remote access trojan that can spy on the victim machine that steals credentials, keylogging, screenshots, etc. This malware could have been distributed via spam emails or other malware. zgRAT has the following capabilities: Install additional malicious software onto a system. Provide remote access to the victim's PC Transfer victim computer's data, such as usernames and browsing history, to a remote malicious hacker. Victims see injected advertising banners when browsing certain web pages Fake software or updates are recommended through browser popups.
BLACKRAT
Description
Blackrat is a VB.NET-based Windows botnet featuring a PHP panel, designed for password theft, keylogging, cryptojacking and more. This open-source GitHub project has been utilized by malicious actors as a threat vector. The Rat has following capabilities: DDOS attacks Screenshot Grabbed cookies Grabbed credentials Grabbed Bitcoin wallets Execute script and commands
CLOUDMENSIS
Description
CloudMensis is spyware that has capabilities to collect sensitive info from machines. This spyware uses pCloud, Yandex Disk, and DropBox services for command-and-control (C2) CloudMensis is malware for macOS developed in Objective-C. This malware supports both Intel and Apple silicon architectures. The first stage downloads and executes the more featureful second stage from a cloud storage provider. CloudMensis has the following capabilities: exfiltrating documents keystrokes and screen captures exfiltrate documents screenshots email attachments
CYBERGATE
Description
CyberGate is a Remote Access Trojan (RAT) designed to illicitly obtain confidential data such as passwords, files, record audio and take photos using the webcam. In addition, CyberGate can be utilized for the unauthorized installation of harmful programs on the infiltrated systems. By utilizing key logging, CyberGate can covertly capture login credentials, personal information, and banking details, enabling unauthorized access to accounts and financial transactions.
FBOT
Description
Fbot is a linux botnet malware which is based on Mirai malware. Fbot shares a lot of functionalities of mirai.Fbot mostly targets vulnerable IOT devices and smart devices. Some features of Fbot malware are: - Obfuscates the strings it uses for its operation. - Decrypts its payload in a host machine using the XOR encryption. - For brute-force attacks, fbot fetches credentials from the C2.
GH0STRAT
Description
Gh0stRAT is an open source Remote Access Trojan which is used by attackers to control the victim machine and can provide live webcam feeds, log keystrokes, upload and download files. Gh0stRAT is attributed to threat actors operating from China. Gh0st RAT encrypts its communication with Command and control servers using proprietary protocol. Gh0st RAT provides a Graphical User interface to the attacker with which the attacker can easily control the victim. Some key functionality of Gh0stRAT are: - Webcam access - File Manager for file system access -Dial-up/VPN for data infiltration -Multithreaded DDOS attack using TCP/UDP/HTTP/ICMP protocols -Adding a new user and registry keys for RDP sessions After the connection to C&C server is established the following information about the victim machine is sent to the server. -Version information -Socket name -Processor Count/Write Speed -System Info -Memory status -Version description of capture driver -Antivirus installed on the system The information is sent to the server by encoding with zlib compression. Here are some of the commands used by Gh0st RAT. -COMMAND_KILLPROCESS -COMMAND_SESSION -COMMAND_DELETE_FILE -COMMAND_DELETE_DIRECTORY -COMMAND_SYSTEM -COMMAND_AUDIO -COMMAND_WEBCAM -COMMAND_OPEN_URL_HIDE -COMMAND_REPLAY_HEARTBEAT -COMMAND_UPDATE_SERVER -COMMAND_ACTIVED
CLICKER
Description
Clicker is a trojan which arrives on a system either as a file dropped by some other malware or as a file downloaded by users when visiting malicious sites. The malware may download other malware from the internet. This trojan steals the following information from the victims machine MAC address OS info Volume serial number Internet cookies
BACKSTAB
Description
Backstab is a tool which could be used to kill protected processes using legitimate driver. This tool loads this driver during execution time, and gets the advantage to access all protected processes and handles. The attackers could use this tool for killing security processes for performing malicious activities.
SSHBACKDOOR
Description
An SSH backdoor is a covert method used by attackers to gain unauthorized remote access to a system via the Secure Shell (SSH) protocol. These hidden pathways are difficult to detect and pose significant security threats. Preventive measures include regular system audits and robust access controls to mitigate the risk of exploitation. Detection requires vigilant monitoring and thorough security protocols to safeguard against malicious activity.
TRICKBOT
Description
Trickbot is a banking trojan that targets banks in the United States, Canada, UK, Germany and Australia. Trickbot was first seen in 2016 and is mostly known to spread through phishing emails. It is known to be derived from Dyre. Initial varianets of Trickbot were programmed using C++. Trickbot not only targets banks but also has capability to steal credentials. 1.Below are some of the capabilities of Trickbot: 2Collects information about the victim machine and sends it to the attacker 3.Collects outlook email address 4.Also known to have VNC component which can be used by attackers for remote 5.controlling victim machine 6.Can communicate over HTTPS with the CnC server 7.Can steal password from web browsers 8.Can steal passwords from keepass password manager Trickbot has several modules for executing the above capabilities. Following are the names of the modules: -systeminfo64 -networkDll64 -psfin64 -wormDll64 -sharedll64 -pwgrab64 -injectDll64 -importDll64 -vncDll64 -newBCtestDll64
OFFENSIVEPH
Description
OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls. OffensivePH will drop the old Process Hacker driver into the current directory with the name as kph.sys and create a service to install the driver. After execution service and file should be deleted automatically. OffensivePH has the following capabilities: Kill processes Thread Hijack Inject shellcode into a new services Read Process Environment Block
CETARAT
Description
CetaRAT is a Remote Access Trojan written in C# first seen in 2019 and known to be used in the SideCopy attack. CetaRAT has the following capabilities: -download and execute other malwares -execute commands on victim machine -rename, delete files -Take screenshots -steal clipboard data -kill processes on victim -encrypt CnC communication with RC4
GWISINLOCKER
Description
Gwisinlocker ransomware family targets Linux-based systems. The malware, dubbed GwisinLocker was detected in successful campaigns targeting South Korean industrial and pharmaceutical firms. The malware is notable for being a new malware variant produced by a previously little known threat actor, dubbed “Gwisin” — a Korean word meaning ‘ghost’ or ‘spirit’ and targeting systems running the open source Linux operating system.
FREAKOUT
Description
FreakOut Malware creates an IRC botnet which performs malicious activities like DDoS attacks, coin-mining and exploit multiple vulnerabilities.
NIRSOFTHACKTOOL
Description
Nirsoft contains a set of hacktools for windows which could be used by the attackers for malicious purposes. These tools are small and free utilities for Password Recovery Utilities, Network Monitoring Tools, Internet Related Utilities, Command-Line Utilities, Desktop Utilities, Freeware System Tools. The attacker can use any one of the utilities and easily get the sensitive information from the victim's machine.
AZORULT
Description
Azorult is an infostealer that can steal stored credentials, browser cookies and history, cryptocurrency information etc. It was first seen in 2016. It is mostly known to be spread through phishing mails. It can carry out the following activities on victim machine: 1. Steals information stored in various softwares like FTP clients, email clients, browsers 2. Steals bitcoin wallets 3. Steal data from messengers like skype 4. Act as backdoor and execute commands on victim machine Download updates
BEROOT
Description
BeRoot is a post-exploitation utility designed to identify prevalent misconfiguration and vulnerabilities that can be exploited to gain elevated privileges. Its primary objective is not to conduct a comprehensive host configuration assessment (such as listing all services, processes, network connections, etc.), but rather to specifically highlight information that could serve as potential avenues for privilege escalation.
LAZAGNE
Description
LaZagne is a post-exploitation tool used to recover stored passwords on a system. This a tool that has been developed for the purpose of finding these passwords for the most commonly-used software in Windows, Linux and macOS Upon installation, LaZagne directly injects the Python code in the memory without writing anything on disk, checks which application is installed on the target system and then it runs a specific script targeting the password for that particular application.
TYPHON
Description
Typhon is a stealer threat that can compromise confidential information belonging to its victims. Description Typhon is a stealer threat that can compromise confidential information belonging to its victims. The data-stealing capabilities of Typhon allow it to compromise a wide range of confidential information. Typhon can extract data from numerous applications, chat and messaging clients, VPNs, gaming applications and more. It can collect victims' browsing histories, downloads, bookmarked pages, cookies, account credentials, credit card numbers and other data saved in the browser. The hackers also could try to collect cryptocurrency wallets from Google Chrome or Edge browser extensions. Malware has the following capabilities: Steal Browser Histories. Steal Credit card number. Collect Account credential. Take screenshots.
CROSSRAT
Description
CrossRAT is a cross platform malware written in Java, targeting Windows, Linux and MacOS. There are signs that imply that the malware was developed by/for the Dark Caracal APT group. The infection vector is through a malicious document that arrives in a phishing campaign. If macros are enabled, a malicious code will be executed to download and infect the system. This malware can manipulate the file system, take screenshots, download and execute additional files.
NMAP
Description
Nmap is a network scanning tool that uses IP packets to identify all the devices connected to a network and provides information on the services, operating systems on those devices. Nmap can perform following types of scanning against the target IP: -NULL Scan -UDP scan -XMAS scan -TCP scan -FIN scan -RPC scan
IMPACKET
Description
Impacket is a collection of Python classes for working with network protocols which is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
MANDIBULE
Description
Mandibule is a program designed for injecting ELF files into remote processes. This injector project is a command-line tool that offers the capability to perform self-injection or inject payloads into other projects. Like most command-line tools, it provides a usage guide detailing supported parameters and outputs informative debug messages to keep users informed about the injection process
BABYSPLOITTOOL
Description
Babysploit is an open-source penetration testing framework designed for ethical hacking and security testing. It offers a range of tools and modules for exploitation, post-exploitation, and vulnerability assessment to help professionals assess and improve the security of computer systems and networks.
SQUIRRELWAFFLE
Description
SquirrelWaffle is a downloader that downloads cobalt strike, Qbot. It is mainly known to be distributed using spam emails. The malware was first observed in 2021. The spam emails contain word documents as attachments which lead to download Squirrelwaffle. The malware provides an initial foothold for downloading other malware.
DROVORUB
Description
When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor controlled C2 infrastructure, file download and upload capabilities, execution of arbitrary commands as "root", and port forwarding of network traffic to other hosts on the network. The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices, and persists through reboot of an infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode The functionality of the toolset is as follows Drovorub-client → Implant Drovorub-kernel module → Rootkit Drovorub-agent → Port Forwarding and File Transfer Tool Drovorub-server → Command and Control (C2) Server
COSMICDUKE
Description
CosmicDuke is an infostealer that specifically aims to steal sensitive information from governmental entities.After successfully infecting a victim, CosmicDuke is capable of collecting sensitive information through various means, such as keylogging, stealing clipboard contents, taking screenshots, and stealing passwords for popular chat, email, and web browsing programs. Furthermore, CosmicDuke provides the attacker with the ability to download and run other types of malware on the compromised system.
FSYSNA
Description
Fsysna is a trojan that creates remote access connections, records keystrokes, gathers system details, and manages file transfers, among other activities. The malware is disseminated through methods such as spam emails, phishing links, third-party tools, or websites. Fsysna has following capabilities: Dropping other malware DDoS attack Monitoring and control Process
ORCUS
Description
Orcus is a Remote Access Trojan(RAT) which can steal browser cookies and passwords. This RAT spreads through phishing mail with a malicious download link. Orcus RAT has the following capabilities: Keylogger Screenshot Remote shell code execution Webcam monitor Record audio Password stealers VM Detection HVNC Reverse Proxy Advanced Plugin System
DONUT
Description
Donut is a hacktool that allows position-independent execution of various file types and can be either staged or embedded for in-memory execution. Once the file is loaded and executed in memory, its original reference is deleted to thwart memory scanners.Since this code is open source, malicious actors can exploit it to extract data from a victim's machine.
COBALT STRIKE
Description
Cobalt Strike is an exploitation framework developed to aid red teamers which is misused by adversaries to generate custom malwares. Cobalt Strike has server and client components. The generated payload is known as beacon which is installed on the victim machine. The server component of Cobalt strike has a listener running on the CnC server that listens to the beacon callbacks. There can be multiple listeners installed in the CnC server, The listener is customized by the attacker which makes it harder to detect. The beacons are used in post exploitation and they can mimic popular services like gmail and bing to avoid detection. Cobalt strike offers different kinds of beacons. DNS beacon, SMB Beacon are some of the cobalt strike beacons. Cobalt strike provides a configuration file known as Malleable C2 which defines how the beacon should behave. There are beacons which can act as Remote access Tools(RAT). Here are some of the cobalt strike beacon commands: powershell and powershell-import 1. powerpick 2. jump psexec 3. jump psexec_psh 4. jump winrm 5. remote-exec wmi 6. remote-exec powershell The cobalt strike framework can create custom listeners which can be used to hide the CnC communication. There are options to set proxy, customise HTTP header for CnC communication. DNS listener allows beacons to communicate covertly with CnC SMB listeners can be used during lateral movement. Other listeners include HTTP/HTTPS, DNS, Foreign HTTPS, External C2, TCP, SMB.
TSUNAMI
Description
Tsunami is a cross platform based distributed denial-of-service (DDoS) flooder malware receives data and instructions for further action from the Internet or another remote computer within its own network.
It can perform the following actions in a victims machine
1. Download files from a remote computer and/or the Internet
2. Execute shell commands
3. Perform DoS/DDoS attacks
The IRC commands that can be sent to the client are as follows:
TSUNAMI
BROWSERBANDIT
Description
BrowserBandit is a credential stealer that is capable of stealing login credentials from web browsers.The attackers were able to extract site/domain names and credentials from various popular browsers installed on the victims' machines. Additionally, they regularly sent screenshots of the victim's machine to the attackers through a Telegram channel.
GTFONOW
Description
GTFONow is a Unix privilege escalation tool, ideal for CTFs and real-world pentests where it automatically exploits misconfigured sudo, suid, sgid permissions, capabilities, and converts file read/write primitives into shells. The tool can steal SSH keys, write to cron, and use LD_PRELOAD.
ORAT
Description
The oRAT malware has been attributed to a new APT group that targets gambling sites. oRAT malware is developed using the Go language and targets macOS users. The oRAT malware is distributed via a Disk Image masquerading as a collection of Bitget Apps. After running the installer and finding that it did not provide whatever they were expecting, users are likely to become suspicious. This might suggest the campaign was broadly targeted and that the threat actors were playing a numbers game.
CREDRAPTOR
Description
Credraptor is an infostealer that can extract login information from a web browser. This stealer gathers stored credentials from famous browsers like Google Chrome, Internet Explorer, Mozilla Firefox and Opera.In addition to its role as an information thief, this stealer operates as a keylogger, recording the keystrokes of its victims.
GOBFUSCATE
Description
Gobfuscate is a Go binary that obfuscates source code making a lot of information difficult or impossible to decipher from the binary. This tool can obfuscate the following elements of Go source code with random character substitutions 1. Package Names; 2. Global Variable Names; 3. Function Names; 4. Type Names; 5. Method Names. Usage: gobfuscate [flags] pkg_name out_path -keeptests → keep _test.go files -noencrypt → no encrypted package name for go build command (works when main package has CGO code) -nostatic → do not statically link -outdir → output a full GOPATH -padding string → use a custom padding for hashing sensitive information (otherwise a random padding will be used) -tags string → tags are passed to the go compiler -verbose → verbose mode -winhide → hide windows GUI In addition, Gobfuscate replaces all strings used in the code with XOR encodings, assigning each string an XOR Decoding function that dynamically decodes strings during program execution.
ECH0RAIX RANSOMWARE
Description
Ech0raix is a ransomware which targets *nix based devices and systems. To achieve this, attackers leverage CVE-2021-28799 to deliver the new eCh0raix ransomware variant to QNAP devices.
NOTPETYA
Description
NotPetya is a ransomware seen around 2017 which had similarities with the Petya. NotPetya makes sure the data is not recoverable. NotPetya is known to carry out lateral movement using SMBv1 exploits EternalBlue and EternalRomance. Here are some of the capabilities of NotPetya Ransomware: 1. MBR encrypting 2. Encrypts MFT table 3. Token Impersonation 4. Network enumeration 5. Remote command execution using WMIC and PSExec 6. Employs anti-forensics techniques 7. Credential theft 8. Has wiper capabilities and can destroy data on the system
WINGO AGENT
Description
Wingo Agent is a trojan which is compiled by wingo. This malware delivered through Spam mail or unknown third party software. After successfully installing this malware in victime machines, gather sensitive data from victime machines like PC name,OS details, MAC address and more.
FIERCE
Description
Fierce is a DNS reconnaissance tool for locating non-contiguous IP space. It also helps in locating hostnames against specified domains. It is meant specifically to locate likely targets both inside and outside a corporate network.
RSHELL
Description
The rshell executable is a standard backdoor and implements functions typical of similar backdoors: “MìMì” Messenger’s MacOS version has been trojanized to download and execute a Mach-O binary dubbed “rshell”. MiMi (mimi = 秘密 = secret in Chinese) is an instant messaging application designed especially for Chinese users, with implementations for major desktop and mobile operating system. Installer is replaced with a malicious version retrieving the rshell sample Following are capabilities of rshell : Collect OS information and send it to command and control (C&C) server Receive commands from the C&C server to execute Send command execution results back to the C&C
BRUTERATEL
Description
Brute Ratel is a penetration testing and red team simulation tool. It was first seen in December 2020. This tool has a specific function on evading Endpoint Detection and Response(EDR) and Antivirus detection. It can be used by adversaries to control the victim's computer. The following functions are available in Brute Ratel: Port scan Screenshot Create new service Evade EDR and AV Monitoring all network port like HTTP,HTTPS,SMB, TCP, WMI, WinRM, Upload and Download files
RACCOON
Description
Raccoon is an infostealer that can steal credentials related to browsers, crypto wallet, credit card and cookies. It was first seen in November 2019. This stealer gets delivered via exploit kit and phishing Campaigns. Once reached to the victim machines, it collects machine id or username, config id etc and sends them to the attacker server.
NESHTA
Description
Neshta is a file infector that targets windows executable. This virus may attack removable media storage and network shares. It also steals sensitive information and downloads other malware.This malware is usually delivered through spam mail, untrusted web link or removable media.
NUKESPED
Description
NUKESPED is a backdoor Trojan, which targets Mac users in Korea The group of cyber criminals who designed and spread this malware is called Lazarus. NUKESPED is a backdoor Trojan, which targets Mac users in Korea The group of cyber criminals who designed and spread this malware is called Lazarus. They distributed this malicious software through an Excel document ,pdf doc etc using a Mac App bundle, which contains legitimate and malicious versions of Adobe Flash Player files.
CHAOSKUBE
Description
Chaoskube is a tool designed to enhance the resilience of Kubernetes clusters by introducing chaos engineering practices where it randomly terminates Kubernetes pods to simulate failures, allowing developers and operations teams to test the robustness and recovery mechanisms of their applications. Periodically selects and kills pods in a Kubernetes cluster to simulate unexpected failures. Helps identify weaknesses in the system by exposing hidden issues that only manifest under failure conditions.
RANSOMWARE
Description
Ransomware is a malware that encrypts sensitive information on your system and asks for ransom in exchange of restoring the encrypted data.
PASS THE HASH
Description
PASS_THE-HASH is a set of utilities that can manipulate the Windows logon session maintained by LSA(Local Security Authority) which can be used by attackers for lateral movement. It can list the login sessions for users who are logged in remotely using RDP. I can also change current username, domain name, and NTLM hashes at runtime. The toolset consists of three tools IAM:exe, WHOSTHERE:exe and GENHASH:exe. IAM:exe: The tool can change current NTLM credential by using only password hashes WHOTHERE:exe: This tool is going to list the logon sessions with NTLM credentials which included user name, domain name and hashes. GENHASH:exe: The tool can generate LM and NT Hash of a password
SHARPSOCKS
Description
SharpSocks is a compiled binary in C# that enables the creation of an internal SOCKS4 backconnect proxy. The source code for this project is openly available on GitHub as an open-source repository. Although there are many SOCKS proxy implementations available for this purpose, they are typically integrated into various C2 frameworks. The original objective of SharpSocks was to be "framework agnostic", meaning it could be installed on a system regardless of whether an implant was active or not.
LSASSUNHOOKER
Description
LsassUnhooker is a small C# program designed to evade detection by Endpoint Detection and Response (EDR) mechanisms by circumventing their hooks and extracting the data from the lsass process. Malicious actors employ this tool to exploit vulnerabilities and obtain unauthorized access to target machines, potentially compromising sensitive credentials in the process.
BOTB
Description
BOtB is a post-exploitation container based CLI tool that performs the following 1. Exploit common container vulnerabilities 2. Perform common container post exploitation actions 3. Provide capability when certain tools or binaries are not available in the Container 4. Use BOtB's capabilities with CI/CD technologies to test container deployments 5. Perform the above in either a manual or automated approach The capabilities of this tool are as follows 1. Perform a container breakout via exposed Docker daemons (docker.sock) 2. Perform a container breakout via CVE-2019-5736 3. Perform a privileged container breakout via enabled CAPS and SYSCALLS 4. Extract data from Linux Kernel Keyrings via abusing the Keyctl syscall through permissive seccomp profiles 5. Identify Kubernetes Service Accounts secrets and attempt to use them 6. Identify metadata services endpoints 7. Scrape metadata info from GCP metadata endpoints 8. Analyze and identify sensitive strings in ENV and process in the ProcFS 9. Find and Identify UNIX Domain Sockets 10. Identify UNIX domain sockets which support HTTP 11. Find and identify the Docker Daemon on UNIX domain sockets or on an interface 12. Hijack host binaries with a custom payload 13. Perform actions in CI/CD mode and only return exit codes > 0 14. Push data to an S3 bucket 15. Force BOtB to always return a Exit Code of 0 (useful for non-blocking CI/CD) 16. Perform the above from the CLI arguments or from a YAML config file 17. Perform reverse DNS lookup
BACKDOOR
Description
Backdoors are used to provide an attacker with initial access to an organization’s environment. If a system administrator or other legitimate user has created a backdoor on the system, an attacker that discovers this backdoor may use it for their own purposes. Alternatively, if an attacker identifies a vulnerability that would allow them to deploy their own backdoor on a system, then they can use the backdoor to expand their access and capabilities on the system. With this remote access, they can also steal sensitive data, deploy ransomware, spyware, or other malware, and take other malicious actions on the system.
TARSIP
Description
Tarsip is a backdoor used by APT1 Group which can communicate using encrypted HTTP headers. Tarsip has the following capabilities: -File uploading -File downloading -Interactive command shell -Process enumeration -Process creation -Process termination Tarsip has two variants tarsip-moon and tarsip-eclipse which can be distinguished from each other by the pdb files present in the string.
NETSPYTOOL
Description
Netspy serves as a rapid network reconnaissance tool designed to swiftly identify accessible network segments within an internal network.This tool streamlines the process of discovering reachable network areas, providing a quick overview of the internal network's landscape.Utilizing Netspy, users can efficiently detect and map out the accessible network segments, aiding in network security assessments and troubleshooting.
REALTIMESPY
Description
RealtimeSpy software as a cloud-based surveillance and remote spy tool. cloud-based account where users can view the images and data that the tool uploaded from the target machine and allows you to remotely install the monitoring system on any computer you own and access the activity logs from anywhere at any time via your own personal Realtime-Spy account. Realtime-Spy can log and record anything your child or employee does on your computer, as well as display, in real-time, what they are doing and typing. Realtime-Spy is a remote spy software solution that requires no physical installation, runs in complete stealth, and allows you to truly view activity logs from any location at any time
MOONWALKTOOL
Description
Moonwalktool is specifically designed for enhancing stealth and obfuscating traces during Linux exploitation and penetration testing. Its primary purpose is to leave behind minimal to no evidence on system logs and filesystem timestamps.
BPFDOOR
Description
BPFDOOR is a Linux binary that creates a bind shell that listens to connections stealthily using BPF bytecode, thereby creating a backdoor. It also involves timestomping to evade detection, and deletes itself after it starts.
MSETUP
Description
Msetup is a multi application that has the potential to download either adware or trojans with spy-related capabilities onto the targeted machine.Certain setups disable specific antivirus software and proceed to download a large number of applications, browser extensions, or trojan-related programs. These types of applications typically disguise themselves as legitimate setups, initially installing known applications while silently engaging in additional activities.
ISAACWIPER
Description
IsaacWiper is a wiper that can wipe out logical and physical drives and was used against Ukraine. The malware is a DLL file calling the export “_Start@4” using rundll32. Upon execution, a log file “C:ProgramDatalog.txt” is created to log the failure and successes to the malware execution
XIEBROC2
Description
XiebroC2 is a versatile cybersecurity tool comprising a Golang-based client and a .NET 8.0 Teamserver.and the client supports various functions like shell management, file operations, and network monitoring, with extensive customization through Lua scripting.The Teamserver facilitates hosting and customization, while the Controller provides a lightweight interface for real-time session management. Notably, the use of Golang for the client enhances evasion against static analysis by antivirus software.
TOKENVATOR
Description
Tokenvator is a tool to Elevate Privilege using Windows Tokens. This tool has two methods of operation – interactive and argument modes. Tokenvator is used to access and manipulate Windows authentication tokens.
3CXTROJANLOADER
Description
3cxTrojanLoader is a loader that covertly attaches itself to legitimate executable files and activates when the file is launched on the victim computer. The Loader downloads and runs malicious payload from the internet on the compromised machines. The payload, in this case, is designed to extract sensitive information from popular web browsers (Chrome, Edge, Brave, and Firefox).
QUARKSPWDUMP
Description
Quarks PwDump is a tool to dump various types of Windows credentials: local account, domain accounts, cached domain credentials and bitlocker. It extracts Local accounts NT/LM hashes, history Domain accounts NT/LM hashes, history stored in NTDS.dit file, Cached domain credentials, Bitlocker recovery information (recovery passwords & key packages) stored in NTDS.dit.
The command line options of the tool is as follows
quarks-pwdump:exe
VULTURI
Description
Vulturi is a Trojan that has the capability to extract sensitive information from a victim's machine, such as operating system details, process names, and credentials stored in web browsers, among other data points. This trojan has the ability to retrieve sensitive information from various sources, including VPN details, cookies, browsing history, web browser credentials, and even credit card details and cryptocurrency wallet information.
PGMINER
Description
PGMiner is a cryptocurrency mining botnet delivered via a PostgreSQL RCE vulnerability The attack flow of this malware is as follows 1. Delete the PostgreSQL table right after code launch to achieve fileless execution. 2. Collect system information and send it to the command and control (C2) server for victim identification. 3. Employ traditional and novel approaches to download curl binary in case the command is not available on the victim’s machine. 4. Impersonate the “tracepath” process to hide its presence. 5. Attempt to kill competitor programs for better monetization. PGMiner can potentially be disruptive, as PostgreSQL is widely adopted in PDMS. With additional effort, the malware could target all major operating systems
POETRAT
Description
PoetRAT is a malicious remote access trojan (RAT), written in Python and is split into multiple parts.The RAT is composed of two main scripts that need to work together.
"Frown.py" → responsible for the communications with the command and control (C2).
"Smile.py" → responsible for the interpretation and execution of the C2 commands. The available commands are:
ls - listing files
cd - change current directory
sysinfo - get information about the system
download - upload file into the C2 using ftp
upload - download from C2 file into the victim from
shot - takes a screenshot and uploads it to the C2 using ftp
1. cp - copies files
2. mv - moves files
3. link - creates links between files
4. register - makes changes in the registry
5. hide - hides a file or unhides it depending on its current state
6. compress - compresses files using zip function
7. jobs - performs actions, like kill, clear, terminate on processes. By default will list all processes.
8.
GODROPPER
Description
Godropper uses fileless techniques to drop malicious payloads. It uses the ezuri crypter to pack the payloads. Once executed it drops the payloads on the fly using th combination of memfd and write syscalls.
KEBRUTE
Description
Kebrute is a toolkit to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication. It is a Golang based cross-platform toolkits Kerbrute has three main commands: bruteuser - Bruteforce a single user's password from a wordlist bruteforce - Read username:password combos from a file or stdin and test them passwordspray - Test a single password against a list of users userenum - Enumerate valid domain usernames via Kerberos
AMADEY
Description
Amadey is a trojan which could be used to install other malwares and also gather sensitive information from the victim machines. After infecting the victim machine, it first collects username,os version name, Host Name, OS type, Antivirus check and malware build version to send to the attacker server. After that it downloads and installs other malwares like keylogger,Spyware or ransomware.
KERANGER
Description
KeRanger is a fully functional ransomware that primarily affects Mac OS X based operating systems If a user installs the ransomware, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of documents and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data. KeRanger encrypts each file by creating an encrypted version that uses the .encrypted extension. To encrypt each file, KeRanger starts by generating a random number (RN) and encrypts the RN with the RSA key retrieved from the C2 server using the RSA algorithm.
SUPERBEARRAT
Description
SuperBearRAT Trojan has been detected in a meticulously targeted assault aimed at a journalist.The SuperBear attack commenced by disseminating a harmful attachment via spam, which took the form of an LNK-format document. Upon opening this file, the victim was shown a legitimate Microsoft Word document (DOCX), all while a malicious PowerShell command ran discreetly in the background, initiating the infection process. This Remote Access Trojan (RAT) has the capability to extract data pertaining to system processes and the compromised system, as well as to accept and carry out Shell commands.
PORTSCANTOOL
Description
A port scanning hack tool is a software used by hackers to identify open ports on a target system which helps them discover potential vulnerabilities that can be exploited for unauthorized access. While such tools have legitimate uses in network administration, their misuse for malicious activities raises significant cybersecurity concerns.
HYDROMAC
Description
Hydromac is a macOS malware leaked from a Flashcards app. This malware is likely distributed to macOS users via online malvertising (malicious ads) campaigns and has the capability to download and execute other programs Upon installation, Hydromac gathers details about a victim's hardware setup and sends this info to its command and control server. The malware also has an overlap of functionalities families like Tarmac,Mughthesec. Based on the activities, the malware is likely linked to malvertising affiliates.
REKOOBE
Description
Rekoobe Trojan for linux mostly targets SPARC architectures and some of its variants also infected x86 and x86-64 architectures. Some more features of Rekoobe malware agent are as follows: Remote code execution Affects systems with Intel chips Config is stored using XOR encryption algorithm to evade detection.
QBOT
Description
Qbot is also known as Qakbot and Pinkslipbot is a Credential stealing malware. Qbot was first seen in the wild in 2008. Qbot can steal banking credentials and other information. It is also known to install other malwares which includes ransomwares. Qbot injects it’s payload into explorer:exe and executes from there. Qbot is known to identify antiviruses, virtual machines and sandboxes to evade detection. It is known to target the following banks: 1. Citi 2. Capital one bank 3. First Horizon Bank 4. Sun trust Bank 5. Wells Fargo 6. JP Morgan
BISCUIT
Description
Biscuit is a malware associated with the APT1 group which can provide full access of the victim machine to the attacker. It uses custom protocol to communicate with the attacker and communicates with the CnC every 10 to 30 minutes. It has the gives the attacker the following capabilities: 1. Provides interactive shell to the attacker 2. Enumerate windows server in the network 3. Manipulate process 4. File transfer to and from the victim 5. Uses custom protocol to communicate with CnC
ISMDOOR
Description
Ismdoor opens a backdoor on the compromised computer, leveraging Windows PowerShell for command and control. Its ability to install other malware as well as collect system data from infected computers. Greenbug has targeted organizations mainly located in the Middle Eastern region and belonging to aviation, energy, education and government sectors. The group uses a remote access trojan (RAT ) called Ismdoor to stream information. Along with Ismdoor this group employs hosts of other hacking tools to steal credentials. The attacks starts through an email luring the recipient into downloading a RAR archive. The Ismdoor malware is hidden inside this RAR file using an NTFS feature called alternate data streams (ADS) which is used to store file information in the file system, Malware has the following capabilities: Steal usernames and passwords steals Email account Steal Browser credentials
HTTPXTOOL
Description
HttpxTool is a fast and versatile HTTP toolkit designed for identifying and fingerprinting web services exposed to the internet. It utilizes the retryable http library for reliable results and supports multi-threading for increased efficiency in scanning. The tool is commonly used for reconnaissance and enumeration of web services.
ORBIT
Description
Orbit malware infects all the running processes that are running on the victim machine. It has rootkit capabilities as well. The orbit dropper installs the payload and prepares the environment for the malware execution. As a defence evasive mechanism, the malware also hooks certain syscalls like execve, open, openat to prevent them from outputting information that might reveal the existence of the malicious shared library.
GOOGLECALENDARRAT
Description
Google Calendar RAT is a PoC of Command&Control (C2) over Google Calendar Events which creates a 'Covert Channel' by exploiting the event descriptions in Google Calendar. This tool has been developed for those circumstances where it is difficult to create an entire red teaming infrastructure. To use GRC, only a Gmail account is required.
CHAOS RANSOMWARE
Description
Chaos ransomware is a c# compiled binary which targets Windows OS to encrypt sensitive data in the victim machines. It was first seen in June 2021. This malware is the .Net version of Ryuk ransomware. This malware has a separate extension list of files to be encrypted. Also, it contains directory paths to exclude them for avoiding infection.
3CXDROPPER
Description
3CXDropper is a malicious Dynamic Library which is loaded into 3CXDesktopApp and downloads payload from C2. This is a supply chain attack spread through very Popular app called 3CXDesktop app. The 3CX Phone System is the software-based private branch exchange Phone system The 3CX Desktop app for macOS comes with DMF file with malicious DYLIB (dynamic Library) with this application. This malicious library named libffmpeg.dylib then downloads the 2nd stage payloads.
EC2STEPSHELL
Description
EC2StepShell, an AWS post-exploitation utility, facilitates obtaining high-privilege reverse shells on both public and private EC2 instances.Leveraging AWS infrastructure, EC2StepShell streamlines the process of executing commands on EC2 instances, providing a robust mechanism for post-exploitation activities.By utilizing AWS SSM (Systems Manager), EC2StepShell enables the seamless execution of commands, enhancing the efficiency of retrieving results from EC2 instances.
PUMAKIT
Description
PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods.
EBURY
Description
Ebury is a backdoor that is used to steal OpenSSH credentials and maintain access to a compromised server. Ebury comes in two different shapes: a malicious library and a patch to the main OpenSSH binaries. The malicious library is a modified version of libkeyutils.so. This shared library is loaded by all OpenSSH executables files such as ssh, sshd and ssh-agent The credentials are intercepted as follows Password from successful login to the infected server: Whenever someone logs in a system infected with Linux/Ebury, the sshd daemon will save the password and send it to the exfiltration server. Any password login attempt to the infected server: Even if the attempt is unsuccessful, the username and password used will be sent to the operators. They will be formatted differently, however, allowing the operators to differentiate these invalid credentials from the valid ones. Password on successful login from the infected server: When someone uses the ssh client on an infected server, Linux/Ebury will intercept the password and send it to its exfiltration server. Private key passphrase: When the ssh client on an infected server prompts the user for an private key passphrase, the passphrase will be sent to the remote exfiltration server. Unencrypted private key: When a private key is used to authenticate to a remote server, the unencrypted version is intercepted by the malware. Unlike passwords, it will not send the key to the exfiltration server. Instead, it will store its memory and wait for the operators to fetch the key with the Xcat command. Private keys added to the OpenSSH agent with ssh-add: The keys added to an OpenSSH agent are also intercepted by the malware. Both the unencrypted key itself and the passphrase typed by the user will be logged. Whatever the credential type, Linux/Ebury will add all relevant information for the operators to be able to use it, like the username, the target IP address and its OpenSSH listening port. Alongside this, the additional commands used are Xcat: print all the passwords, passphrases, and keys saved in the shared memory and exit. Xver: print the installed Linux/Ebury version and exit. Xver also accepts an optional four (4) byte argument. If present, it will set the exfiltration server IP address to the given one. Xbnd: Xbnd takes a four (4) byte argument. When creating a tunnel to a remote host, bind the client socket to the specified interface IP address.
COPPERPHISH
Description
CopperPhish campaign distributed malware through PPI networks utilizing free anonymous file sharing platforms. The CopperPhish phishing kit employs two distinct methods of persistence, involving credential verification and confirmation codes in order to guarantee successful phishing of valid credentials before completing its operation and terminating. Once the victim clicks on the advertisements masquerading as download links, they are redirected to a PPI network's crafted download page, where they unknowingly download PrivateLoader—a malicious file that proceeds to download and execute a variety of malware.
GOLANGSTEALER
Description
Golangstealer is used by sidecopy APT attacks for scanning and stealing of the host directory of the target victim. These samples steal documents from the infected Linux system and uploads them to C2. The files are uploaded to the C2 via HTTP POST request, a field in the post data contains username and IP address of the infected system. The sample uses the “.config/autostart” directory to achieve persistence.
GECON
Description
Gecon is a CobaltStrike's Beacon implementation using Go language. It can be used as a CobalStrike Beacon to interact with CobaltStrike to control compromised hosts. Geacon only focuses on protocol analysis with the following functionalities: 1. Executing commands 2. Uploading 3. Downloading 4. File browser 5. Switching the current working directory 6. Exiting the current process.
HAWKEYE
Description
Hawkeye keylogger is a malware that can tap keystrokes, steal credentials from browsers email clients, and capture screenshots. It is known to spread through phishing emails which use themes like purchase order, invoice, Payment advice, Covid containing the malware executable as attachment. The malware has been coded in .Net and uses ConfuserEx and Cassandra protector to protect itself and also known to use forensic softwares like WebBrowserPassView and MailPassView applications from Nirsoft to steal passwords saved in browsers. Some of it’s versions are also capable of disabling Windows Defender. The malware has the following features and capabilities -It can steal credential from web browsers -Can steal information stored in Cryptocurrency wallets -Keylogging -Stealing clipboard data -Screen capture
SUPERSHELL
Description
Supershell is a Command and Control (C2) remote control platform accessible via web services which enables the establishment of a reverse SSH tunnel, providing a comprehensive interactive shell. This platform supports payloads designed for multi-platform architectures. Supershell allows you to share the obtained Shell with your partners. The Shells are all embedded in the browser page. The shared Shell adopts a separate authentication method, and there is no need to provide your partners with the identity authentication credentials of the management platform.
FIREWOOD
Description
FireWood backdoor is the Linux continuation of the Project Wood backdoor. It communicates with the kernel drivers using the Netlink protocol. FireWood communicates with its C&C server via TCP and is capable of executing several commands.
QUASAR RAT
Description
Quasar RAT is a open source windows Remote Administration tool written in C#. It was meant to administrate employees in an organization but unfortunately adversaries use it for their malicious intentions. The RAT has support from windows Vista to Windows 10. Here are some of the features of the RAT: TCP network stream (IPv4 & IPv6 support) Fast network serialization (Protocol Buffers) Compressed (QuickLZ) & Encrypted (TLS) communication 1. UPnP Support 2. Task Manager 3. File Manager 4. Startup Manager 5. Remote Desktop 6. Remote Shell 7. Remote Execution 8. System Information 9. Registry Editor 10. System Power Commands (Restart, Shutdown, Standby) 11. Keylogger (Unicode Support) 12. Reverse Proxy (SOCKS5) 13. Password Recovery (Common Browsers and FTP Clients)
CREATESYMLINK
Description
CreateSymlink is a tool that creates file system-level symbolic links, often used for exploiting privileged services and applications without requiring administrator privileges.This tool exists because it doesn't need administrator privileges to create symbolic links, making it accessible to many applications operating in restricted environments. Furthermore, it can create links to directories, providing some advantages over standard junctions in specific situations, despite file-level symbolic links being available in Vista and later Windows versions.
FONTONLAKE
Description
Fontonlake malware provides remote access to the operators, collect credentials, and serve as a proxy server. To collect data (for instance ssh credentials) or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake’s presence is always accompanied by a rootkit. The binaries such as cat, kill or sshd are commonly used on Linux systems and can additionally serve as a persistence mechanism.
ANTHRAXSTEALER
Description
AnthraxStealer is a trojan, designed to unlawfully obtain confidential information such as login credentials, cryptocurrency wallet data, credit card details, and other sensitive data. The stealer code written in the C# programming language. AnthraxStealer has following capabilities: Browsers cookies Login credentails FTP Credential Screenshot
NOMINATUSSTORM
Description
NominatusStorm Ransomware targets Windows OS to encrypt the victim's personal data. This malware is delivered through a third party application or a hacktool or cracked application.This malware has a separate extension list of files to be infected.
ALCHIMIST
Description
"Alchimist" is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows , macOS and Linux. Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines. A golang binary that implements a single-file C2 framework. Drops multiple binaries, Mach-O dropper embedded with an exploit to target a known vulnerability CVE-2021-4034, a privilege escalation issue in polkit's pkexec utility, and a Mach-O bind shell backdoor. The key capabilities include capture screenshots, perform remote shellcode execution run arbitrary commands.
DBATLOADER
Description
Dbatloader is a basic trojan loader, which could be used for the downloading and execution of payloads. Dbatloader is compiled using the Delphi programming language. It is spread through spam emails and is known to evade detection by antivirus and endpoint detection and response (EDR) systems. This malware infects legitimate processes by injecting itself into them, making it difficult to detect and remove.
BROWSEREXTENSION
Description
Browser extension is an unwanted application which shows ads or pop ups in the web browser. This extension comes along with a bundle of third party software and gives suggestions to use unwanted applications. It also redirects to phishing sites and gathers sensitive data from victim browsers based on victim’s input.
MILLENNIUMRAT
Description
MillenniumRAT is a trojan that can clandestinely obtain browser credentials, browsing history and credit card information and then transmits this pilfered data to the attacker through a Telegram bot. MillenniumRAT has following capabilities: Screenshot System info (CPU, GPU, RAM, Country, city, IP, Mac Address etc) Telegram data Access Files&Folders System shutdown or restart
ADFINDTOOL
Description
AdfindTool is a free command line utility that can be used by adversaries to gather information from active directory. Adfind is used by FIN6, Wizard Spider, Menupass, UNC2452 threat groups. 1. 1. Adfind has the following capabilities: 2. Enumerate domain users 3. Gather information about organizational units 4. Find domain domain trusts 5. Query active directory for devices in the network 6. Can extract subnet information from Active Directory
CERTUTIL
Description
CertUtil is a windows built in utility installed which is used to download and update certificates.Adversaries can use it to download and decrypt malware payloads.
The following command can be used by Adversaries to download malwares.
Certutil -urlcache -split -f http://
EXTENTBRO
Description
Extenbro is a DNS (Domain Name System) changer trojan that gets spread via unwanted third party software. It is used to block access to websites of security applications. This malware will change DNS settings, so the antivirus software will not be able to get the latest updates.Extenbro downloads and installs other PUP (Potentially Unwanted Program) like adware bundler or spyware in the victim machines.
STEALERIUMSTEALER
Description
Stealerium Stealer is trojan, that can steal confidential information such as keystrokes, screenshots, and login details of cryptocurrency wallets. The code for this software can be found on a Github repository. stealer has the following capabilities: AntiAnalysis System info Browser information (credentials, cookies, history) Scan wifi network File grabber Keylogger Desktop & Webcam screenshot Crypto Wallets Process list Product key
MANJUSAKA
Description
Manjusaka is a post-exploitation attack framework. This is an alternative tool for Cobalt Strike. This framework allows an attacker to take screenshots of victim machines, file access, network monitoring, steal system information like HardDisk,Volume Information, Process and system time.
GOHTRAN
Description
gohtran is a connection bouncer, proxy that forwards connections from victims to the attacker. It is a golang version of a C++ bouncer called HTran. Part of Alchimist, was found in the tools of the server.
MEXLIB
Description
Mexlib is a hacktool that has the capability to take snapshots of the running process in the system. Mexlib also allows an attacker to take a screenshot, Keylogger, remote shellcode execution and download files from the attacker C2 server.
BOOTKITTY
Description
Bootkitty bypasses Secure Boot to exploit kernel integrity checks. The bootkit's main goal is to disable the kernel's signature verification feature and to preload ELF binaries via the Linux init process.
DARKSIDE
Description
DarkSide ransomware mainly targets and encrypts EsXi devices that are used to manage VMs running on a system.This ransomware encrypts system files related to vmware virtual machines including the files with the extension: vmdk, vswp, vmem, vmsn, nvram, vmsd, vmss, vmx, vmxf, log. Files are encrypted using the ChaCha20 algorithm with a 32-byte key and 8-byte nonce, uniquely generated per file. The ChaCha20 key and nonce are then encrypted using a 4096-bit RSA public key that is embedded in the ransomware. To speed up the encryption process, Darkside also has a configurable encryption size that can be used to control how much of each file is encrypted.
RPCVIEW
Description
RpcView is an open-source tool to explore and decompile RPC functionalities present on a Microsoft Windows system. It was first seen in 2017 and still actively developed. This is able to enumerate all the RPC servers that are running on a machine and it provides all the collected information.
INFOSTEALER
Description
Infostealers are malwares that can steal credentials from browsers, FTP clients, email clients etc from victim machines. Infostealers can steal the following information: -Credentials Browsers -Browser history -Browser cookies -credentials saved in FTP clients like filezilla -credentials stores in Email clients -Cryptocurrency wallets -log keystrokes Several infostealers are known to send the stolen data to the C2.
WEBMONITORRAT
Description
WebMonitorRAT is a Remote Access Trojan (RAT) capable of extracting sensitive information such as system details, network data, processes information, and functioning as a keylogger on the victim's machine.Attackers employed tactics such as distributing counterfeit Zoom installers to deceive users into installing them, subsequently capturing sensitive data, recording videos, and coercively demanding ransom from victims. The assailant exploited Discord and Slack applications for malicious purposes.
MICROSOCK5TOOL
Description
MicroSocks is a lightweight SOCKS5 server for tunneling connections through remote boxes, offering efficient resource usage and robust handling of resource exhaustion. Its ease of setup and operation via the command line makes it user-friendly, requiring no configuration file or complex parameters. Ideal for scenarios where SSH tunneling isn't sufficient, MicroSocks provides a quick and efficient solution for managing connections.
AURIGA
Description
Auriga is a malware used by APT1 that is known to share functionality with BANGAT backdoor used by the same APT group. Auriga has a driver that is used to inject malicious DLL into existing processes and can create rootkits. 1. Auriga has the following capabilities: 2. Hide process and connections 3. Spawn interactive shells 4. Log off current users 5. Shut down the machine
CINOSHI
Description
Cinoshi possesses a stealer, botnet, clipper, and cryptominer in their arsenal. Offering free services like the stealer and web panel is unusual for a Malware-as-a-Service (MaaS) platform. The malware possesses the following capabilities: steal browser data (passwords, cookies, cards) Crypto wallet information steal sensitive info of victime Screenshot
NET
Description
Net is a windows build in utility to manage the Network which adversaries can misuse to gather network information. Net utility provides the following capabilities to the attacker: 1. Account discovery of local and domain account 2. Create local and domain account 3. Remove network shares 4. Discover password policies 5. Find network connection for a particular host 6. Can be used for lateral movement 7. Discover network share 8. Can be used to start of stop windows services
DRAT
Description
DRAT is a Trojan created to discreetly gather system data, such as user names and operating system specifics, while also keeping a watchful eye on files and running processes. The trojan made its way to the victim through either a spam or phishing link, was downloaded, or was deployed by another trojan. This trojan has following capabilities: User name OS details Access Files or Directories Disk info Upload/Download files Execute process
SCHEDULERUNNER
Description
ScheduleRunner is a C# tool for scheduling tasks with both persistence and lateral movement capabilities. As an open-source project, ScheduleRunner is vulnerable to potential misuse by threat actors, who can leverage its capabilities to create scheduled tasks that can evade detection by tools and remain hidden from the Task Scheduler.
XORDDOS
Description
XorDdos is a linux based malware which is used to launch larger scale Ddos attacks.It also has rootkit capabilities. It is named on the basis of its feature of using XOR encryption algorithm while C2 communication. Some of its capabilities are: 1. Self-deletion on execution. 2. Obfuscated strings for defense evasion. 3. XOR encryption algorithm while C2 communication. 4. Cron usage for persistence/task scheduling. 5. Rootkit capability.
PUPY
Description
Pupy is a multi-platform Remote Access trojan (RAT) utilized by advanced persistent threat (APT) groups. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
SHARPKNOT
Description
Sharpknot trojan operates on Windows systems and is launched through the command line. After activation, the Sharpknot malware initially tries to disable the "System Event Notification" and "Alerter" services. It then proceeds to overwrite and erase the Master Boot Record (MBR) as well as files on physically linked storage devices and mapped network shares. Subsequently, the malware restarts the system, rendering it useless.
PACUTOOL
Description
Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, etc.
CLOUDC2TOOL
Description
Cloud C2 is a self-hosted web-based command and control suite for networked Hak5 gear that lets attackers to target the systems including Windows,linux and Mac.Cloud C² is designed for penetration testing purposes, allowing users to manage Hak5 devices remotely from a web-based interface. After setting up the Cloud C² server on a public-facing machine, such as a Virtual Private Server (VPS), and provisioning the Hak5 devices, users can access the Cloud C² web interface to manage the devices remotely.
SNAKETURLA
Description
Turla is one of the most advanced APTs in the world it is famous for developing new and very advanced techniques to avoid detection and to ensure the persistence on the targeted network. In June 2019, Turla Group was found to have infiltrated the computer network operations infrastructure of APT34, an Iranian threat group. This amounted to the effective takeover of the computer network operations of a nation-state group by state actors from another country. Following are the capabilities of malware: steal files, steal data, credentials stored in system, view the computer’s screen in real time, log key strokes.
KCNSCREW
Description
KCNScrew is a serial box package that has cracks and patches. It functions as a software serial number querying tool for macOS. It has the following features - Ability to crack, patch, cage, serialize and enable Mac software - Giving the download link to the software setup on demand - Has a great list of how to crack or patch and crack software - Ability to get direct activation without visiting the publisher’s site - Supports most software activation publisher sites - Ability to get crack, serial, key, keygen and software - Ability to search and download various software activator - Having an independent search engine
WSTUNNEL
Description
Wstunnel establishes a TCP socket tunnel over a web socket connection, for circumventing strict firewalls.
EVILOSX
Description
EvilOSX is a potent Remote Administrator Tool (RAT) designed for macOS/OSX platforms, allowing for unauthorized remote control. EvilOSX offers a range of post-exploitation modules, enabling attackers to gather information, capture webcam snapshots, access iCloud tokens, record audio, and monitor clipboard data on compromised macOS systems.
COPPERSTEALER
Description
CopperStealer is a credential stealer and backdoor which is generally seen distributed as a PUA or cracked software. It has two separate components- a stealer and a Remote Desktop. The stealer component steals web browser data from Chrome, Firefox, Edge, Yandex, Opera and Brave. It also gathers some user data from applications like Steam, Telegram, Discord etc. The Remote Desktop component adds a new user account, enables RDP communication and adds Microsoft Defender exclusions for further executions. It uses some genuine libraries/utilities like ThunderFW tool, N2N utility, rdpwrap tool and openvpn TAP dll for communicating with C2.
NEWSREELS
Description
NewsReels is HTTP backdoor used by APT1 group. NewsReels decodes two strings from its resource section which are used as CnC URL’s. One of the URL used as beacon and other is used to get commands. Newsreels is capable of the following: Download upload files Provide interactive shell to the attacker. Create and kill processes
ANDROXGHOST
Description
AndroxGhost is a Python malware specializing in SMTP abuse, targeting applications to extract AWS keys from exposed .env files. It can perform activities like scanning, credential exploitation, and webshell deployment. The malware checks email sending limits and, if successful, automates tasks to escalate privileges in the AWS management console, including creating users and assigning admin privileges. Attribution is challenging due to multiple variants and potential code modifications by different entities.
SSHBRUTEFORCETOOL
Description
An SSH brute force tool is a cybersecurity tool designed for testing the security of SSH (Secure Shell) authentication by attempting multiple login combinations. It systematically generates and tries various username and password combinations to identify weak credentials.SSH brute force tools are often used by security professionals to assess and enhance the resilience of SSH-protected systems against unauthorized access.
DOTSTEALER
Description
DotStealer is a malicious trojan designed to gather sensitive information from the victim's system, including credentials, credit card details, system information, and cryptocurrency wallet data. DotStealer has following features: system info (OS,process details,IP details,Hardware) screenshot Crypto wallet Shutdown/restart Accessing process The gathered information is transmitted through a Telegram bot.
HYROMAC
Description
Hydromac is a macOS malware leaked from a Flashcards app. This malware is likely distributed to macOS users via online malvertising (malicious ads) campaigns and has the capability to download and execute other programs Upon installation, Hydromac gathers details about a victim's hardware setup and sends this info to its command and control server. The malware also has an overlap of functionalities families like Tarmac,Mughthesec. Based on the activities, the malware is likely linked to malvertising affiliates.
CRACKMAPEXEC
Description
CrackMapExec is a powerful post-exploitation tool used by penetration testers and security professionals which has combined functionalities of various tools, allowing users to perform reconnaissance, credential brute-forcing, and lateral movement within a Windows network, aiding in assessing security vulnerabilities and gaining deeper access to target systems. The tool leverages various protocols and techniques to efficiently discover and exploit vulnerabilities within a targeted network.
DETARAT
Description
DetaRAT is a Remote Access Trojan written in C# and known to be used in the SideCopy Attack against Indian government. It has the following capabilities: -rename , move, delete files and folders -control mouse clicks -Record Audio -retrieve hosts file -get and set clipboard data -exfiltrate information of softwares installed -read registry information - send system information to the victim like IP, MAC Address, processor
MARGULASRAT
Description
MargulasRAT is a Remote Access Trojan used in the Sidecopy attack against the Indian government. It is dropped to the victim machine using a dropper coded in C#. The dropper pretends itself to be a VPN software used by the Indian government. The RAT can take screenshots, update itself and download other malwares.
BLADABINDI
Description
Bladabindi is the detection for a family of backdoors that steal sensitive information from the affected system. BLADABINDI was spread through deceptive installers, disguised as the Windscribe VPN installation setups. The bundled installer consisted of the legitimate Windscribe VPN install setup, a malicious file containing the backdoor. Also, Bladabindi variants could capture keyboard presses, control computer cameras and later send collected sensitive information to remote attackers. Bladabindi variant propagates by copying itself into the root folder of a removable drive and creating a shortcut file with the name and folder icon of the drive. When the user clicks on the shortcut, the malware gets executed and Windows Explorer. Malware can also log or capture keystrokes to steal credentials like usernames and passwords. Malware has the following capabilities: Stolen Usernames, passwords Steal your sensitive information. Stolen passwords and banking information Infect computer's camera to record.
RACOONSTEALER
Description
RacoonStealer is an infostealer that can steal credentials, information in cryptocurrency wallets, credit card information. It’s activity was first seen in 2019. It is coded in C++ and has both 32 and 64 bit versions. It is sold underground as Malware-as-a-service(MaaS) at a very low price. It is mainly known to spread through Exploit kits and Phishing campaigns. It seems to have been developed by attackers who are based out of Russia or speak Russian as it is known to be promoted in Russian underground forums. Racoon infiltrates the following data to the attacker: -Credit card information -Email ID’s -Email content -Credentials -Browser Cookies -System information
DUMPERT
Description
Dumpert is a tool that can be used by adversaries to dump credentials from lsass memory by using direct system calls. Direct system calls can be used to evade API hooks created by Anti-Malware products. It can also unhook API hooks created by security products.Dumpert has an exe and DLL version. The Dll version can be executed by using the command rundll32:exe utflank-Dumpert.dll,Dump. It also has a sRDI version that can be used with cobalt strike.
SOCELARS
Description
Socelars is a spyware that can steal information from victim machines also known to steal facebook and amazon session cookies. It targets cookies stored in Chrome, firefox. It is mainly delivered through drive by download, spam campaigns, free file hosting sites and downloaders.
MEDUZA
Description
Meduza is a trojan stealer that gathers sensitive data such as browser cookies, histories, crypto wallet information, and more from infected machines. The code for Meduza is written in VC++. Meduza has following capabilities: User name and Computer name Windows details Browser Cookies and history Cryptocurrency Extension and Wallet DiscordToken Login details
UMBRALSTEALER
Description
UmbralStealer is a compiled C# program designed to covertly extract sensitive data such as browser history and cookies from a targeted computer.Since this code is open-source, anyone can exploit it and in addition, the stolen data is further transmitted through Discord webhooks. UmbralStealer has the following capabilities: Captures Passwords and Cookies from Browsers (Brave, Chrome, Chromium, Comodo, Edge, EpicPrivacy, Iridium, Opera, OperaGx, Slimjet, UR, Vivaldi, Yandex) Captures Discord Tokens. Captures Roblox Cookies. Captures Minecraft Session Files. Captures system Info. Captures Webcam Photos. Captures IP Address. Captures Screenshot(s) of All Monitors. Add to Startup. Anti-Virtual Machine. Self Destruct.
CHIMNEYSWEEP
Description
Chimneysweep is a backdoor which collects sensitive information from victim machines. The malware is capable of taking screenshots of victim machines, logging the keystrokes and storing them in a file. Later it sends the list to the attacker server.
AIRCRACKTOOL
Description
Aircrack-ng is a powerful and widely used wireless network security tool that assists in assessing the vulnerability of Wi-Fi networks by analyzing their encryption protocols and attempting to crack their passwords. It is a valuable resource for both penetration testers and network administrators to enhance wireless network protection.
HERMETICWIPER
Description
HermeticWiper is a wiper or killdisk malware targeting Ukrainian organizations impacting the MBR which resulted in boot failure. The malware was found with a digital certificate issued in the name of “Hermetica Digital Ltd” which seemed to be a fake organization. HermeticWiper uses a benign EaseUs partition manager driver “empndrv.sys”. Different versions of the driver which are meant for different versions of Windows are embedded in the resource section of the driver. It is also known to disable the crash dump “HKLMSYSTEMCurrentControlSetControlCrashControl CrashDumpEnabled”. It also disables Volume Shadow Service(VSS). It installs the driver by creating a random service name. The installed driver is used to corrupt the MBR.
REMOTEUTILITY
Description
Remote utility is a remote administrator tool which could be used by threat actors to perform malicious activities. This tool was delivered through spam mail with password protected archive files. Once successfully installed in the victim machine, it gets connected to pre configured IP domains. Thereafter it uploads and downloads files, executes shell codes and monitors the victim machine.
STRELASTEALER
Description
StrelaStealer is a trojan, which aims to gather credentials from Outlook and Thunderbird. In November 2022, a malware was detected that had spread through an ISO attachment. The StrelaStealer malware looks for 'logins.json' and 'key4.db' files, which contain usernames, passwords, and password databases in the '%APPDATA%ThunderbirdProfiles' directory. It then transfers the stolen information to a C2 server.
HELLSING
Description
Hellsing is infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself. Hellsing is a small cyberespionage group targeting mostly government and diplomatic organizations in Asia. Hellsing attackers compromise a computer, they deploy other tools which can be used for gathering further information about the victim machine. The Hellsing APT group is currently active in the APAC region, hitting targets mainly in the South China Sea area, with a focus on Malaysia, the Philippines and Indonesia. Earlier these APT groups accidentally hit each other while stealing address books from victims and then mass-mailing everyone on each of these lists. Malware has the following capabilities: download files. upload files. update itself. uninstall itself.
AMMYADMIN
Description
Ammyadmin is a remote administrator tool which could be used by threat actors to perform malicious activities. This tool is delivered through phishing mail. RAT has the following capabilities: Recording screenshots Keylogging Access clipboard data Remote monitoring
COLDSTEALER
Description
Coldstealer is an infostealer written in .NET which can steal credentials from browsers,FTP clients etc. It was first seen in 2022. This malware spreads through third party or cracked softwares. Coldstealer has the following stealing capabilities: Cryptocurrency wallet info FTP server info System information (OS, System language, Processor type) Browser info
LINWINPWNTOOL
Description
linWinPwn streamlines Active Directory Enumeration and Vulnerability checks using various tools. It's ideal for time-limited access to AD environments, automating enumeration, and minimizing artifacts. It achieves this through SSH tunneling from Windows to Linux, allowing the use of linWinPwn with proxychains
KEETHIEF
Description
KeeThief is a tool designed for extracting key data from KeePass password manager through code injection and memory manipulation.Since KeeThief is an open-source project available on GitHub, malicious actors could potentially misuse this tool for malicious purposes.
MINEBRIDGE
Description
MineBridge is a RAT first seen in 2020 which targets financial institutions in the United States and South Korea. Minebridge is also known to target security researchers. The initial variants of Minebridge were coded in C++ and were mostly spread through phishing campaigns. Recent variant of Minebridge is known to hide behind teamviewer and uses DLL side loading technique to evade antiviruses. It uses a self extracting archive that contains teamviewer and the malicious DLL which is used for DLL side loading. Here is a list of minebridge CnC commands: 1. runexe_command 2. runexe_URL 3. rundll_command 4. rundll_URL 5. update_command 6. update_URL 7. restart_command4 8. terminate_command 9. kill_command 10. Shutdown_command 11. Reboot_command
SHARPSECDUMPTOOL
Description
SharpSecDump ia a port of remote SAM + SECURITY registry hive dumping to retrieve cached credential data.SharpSecDump is an open-source code written in the C# programming language. Due to its open nature, there is a possibility that individuals may exploit this tool to illicitly acquire credential data from a targeted machine.
PORTAINER
Description
Portainer is a user interface (UI) management tool that offers a convenient way to manage multiple Docker environments. Portainer allows you to manage all your Docker resources. It is compatible with the standalone Docker engine and with Docker Swarm mode. Portainer is meant to be as simple to deploy as it is to use.
MACSHELLSWIFTTOOL
Description
MacShellSwift is a proof-of-concept MacOS post-exploitation tool written in Swift, employing encrypted sockets for communication.enabling blue teamers to proactively assess macOS post-exploitation techniques leveraging internal macOS calls. The tool provides several useful functionalities, including simulating fake Keychain authentication prompts to capture user credentials, extracting interesting IP addresses from bash history, checking for the presence of osquery on the host and executing osquery commands, retrieving clipboard contents, setting up persistence with Launch Agent, removing persistence, viewing processes with network connections, obtaining internal addresses assigned to the macOS host, listing user accounts on the host, downloading files of interest (with appropriate permissions), and checking for common EDR/AV vendors on the macOS host.
MACSTEALER
Description
MacStealer is malware that steals your Browsers credentials, cookies, passwords and keychain dump from Mac and also Collect System files and send over to C2 such as telegram. MacStealer is malware thats comes in popular applications as DMG file. After executing application this malware will steal your browser data further it will dump keychain and also collect data available on your system. Then it will zip that file and send all data over through C2. The Cyble Labs-discovered Atomic macOS stealer (AMOS) is still active in all aspects but has gained GO language capabilities. To steal information from victims machine.
YAMABOT
Description
Yamabot steals sensitive info from the victim PC. It is written in Golang. YamaBot communicates with the C2 server using HTTP requests.Yamabot after getting connected to C2, sends the request, which includes information in its cookie header.
GANDCRAB
Description
GANDCRAB ransomware is a type of malware that encrypts a victim's files and demands ransom payment in order to regain access to their data. It is ransomware-as-a-service, developed by a team of malefactors and rented to other crooks, who try to encrypt as many targets as they can. Some versions of GandCrab ransomware have flaws that allow decryption. After executing this ransom all of the data on your computer has been encrypted, and you can pay the ransom (likely in bitcoins) to get it back. If users don’t know how to deal with cryptocurrencies, the gang that orchestrated the attack kindly provides a live chat window to teach you how to purchase the necessary amount and pay the ransom. Malware has the following capabilities: Encrypts data. steals banking information. Steal online account credentials.
BLUSTEALER
Description
Blustealer is c# compiled binary which could be used to steal browser cookies and credit card details from the victim machines. This stealer was identified in May 2021.This trojan spreads through malspam campaigns, phishing email and social media links. It steals sensitive information from victims' machines like browser cookies, login credential information, credit card info, cryptocurrency.
SHODENTOOL
Description
Shodan Eye is Ethical Hacking Tool, this tool collects all information about all devices that are directly connected to the internet with the specified keywords. It is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.
CHAMELDOH
Description
ChamelDoH, DNS-over-HTTPS provides encrypted communication between an infected device and the command and control server, making malicious queries indistinguishable from regular HTTPS traffic.DoH can also help bypassing local DNS servers by using DoH-compatible servers provided by reputable organizations. The Chinese threat group named as 'ChamelGang' is infecting Linux devices with this unknown implant 'ChamelDoH,' allowing DNS-over-HTTPS communications with attackers' servers. The Linux implant written in C++, expands the threat actor's intrusion arsenal and, by extension.
VENOM RAT
Description
Venom RAT is a clone of Quasar RAT family which is a open source windows Remote Administration tool written in C#. Following additional capabilities were added to an already extensive list of what Quasar RAT can do: Rootkit hiding processes and files VNC connection RDP connection Generic Stealer Code of this rootkit can be found on github, https://github.com/bytecode77/r77-rootkit. This rootkit will hide anything (process, files, etc) with prefix $77 hence names of running VenomRAT binaries will start with $77.
PROXYTOOL
Description
Proxytool is a network tool for port forward & intranet proxy. It acts as an intermediary between a client and a server. Proxies are used for various purposes such as improving network performance, enabling access to restricted or blocked websites, hiding the client's IP address and location, and enhancing privacy and security. There are different types of proxy tools, including web proxy, reverse proxy, open proxy, and others.
BOTENAGO
Description
BotenaGo functions as a backdoor malware with 33 exploits targeting routers and IoT devices, establishes a reverse shell, loads payloads, and executes commands from a remote server, allowing attackers to compromise and control vulnerable devices. Its source code availability amplifies the risk of new variants and potential widespread attacks."
PNSCAN
Description
Pnscan is a tool that can be used to survey IPv4 TCP network services. It can be used to survey the installed versions of SSH, FTP, SMTP, Web, IDENT and possibly other services. Host ranges can be specified with Pnscan, both as a CIDR - network name or IP address / mask bit length and as a range.
CUTWAIL
Description
Cutwail is a spam bot, which can send other malwares through spam mail.It was first seen in 2007. This trojan sends spam mail with either malicious links or attachments to victime machines. Attachments might contain Ursnif ,Dridex ,Ransomware etc. This trojan also performs distributed denial of service (DDoS) attacks against various government sites.
GORSAIR
Description
Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers.Once it has access to the docker daemon, you can use Gorsair to directly execute commands on remote containers.Gorsair is written in golang and could be used for all operating systems.
OSXTROJAN
Description
OSXTrojanGen is a Trojan horses that can infect Mac computers and steal information, install other viruses or spy on you. It spread generally through disk image containing an application bundle. This malware implants the sliver for C2 communication. Sliver is an open source red team framework written in Go that supports C2 communications over a variety of protocols. The covid binary is also a Go executable, packed with UPX and built using Macdriver, another open-source project available on Github that provides a toolkit for working with Apple frameworks and APIs in Go. Following are the capabilities : Activate your camera or microphone. Log your keystrokes. Read your IP and MAC addresses. Copy files from your Mac. Delete files from your Mac. Steal AppleID passwords and IDs. Steal saved passwords on your browser. Download other viruses on your Mac without your knowledge. Open-Source or Publicly-available Software Used by Malware : Sliver Macdriver Go UPX
PLATYPUS
Description
A modern multiple reverse shell sessions/clients manager via terminal written in go. Creates a config.yml with all required information, and can run in the background, ignoring SIGTERM.
DUCKLOGS
Description
DuckLogs is an infostealer capable of taking screenshots, stealing credentials, cookies, histories from victime browser. This is c# compiled binary available in cybercrime forum with different types of plans. Malware has the following capabilities: Stealer (Browser, Email, Messenger, Game, File, FTP, VPN,Crypto wallet, System info) Remote control Keylogger Screenshot Clipper (crypto wallet)
VNC
Description
Virtual Network Computing (VNC) is a UI based remote desktop sharing application. It uses the Remote FrameBuffer protocol (RFB). VNC is platform independent. It is based on the client server model where the server can be installed on the victim while the client is controlled by the attacker. VNC can be used by adversaries to monitor victims remotely.
RCLONETOOL
Description
Rclone really looks after your data. It preserves timestamps and verifies checksums at all times. Transfers over limited bandwidth; intermittent connections, or subject to quota can be restarted, from the last good file transferred. You can check the integrity of your files. Where possible, rclone employs server-side transfers to minimise local bandwidth use and transfers from one provider to another without using local disk. Rclone mounts any local, cloud or virtual filesystem as a disk on Windows, macOS, linux and FreeBSD, and also serves these over SFTP, HTTP, WebDAV, FTP and DLNA. Rclone is mature, open-source software originally inspired by rsync and written in Go. The friendly support community is familiar with varied use cases. Official Ubuntu, Debian, Fedora, Brew and Chocolatey repos. include rclone. For the latest version downloading from rclone.org is recommended.
JOKERSPY
Description
JokerSpy is backdoor is used to get system information from machine. It checks for permissions managed by Apple's TCC (Transparency, Consent and Control), such as Full Disk Access, Screen Recording and Accessibility. The backdoor also includes a 'get basic nformation' function that extracts specific details about the system, such as hostname, username, OS version, Python version and much more. When executed, the script attempts to connect to one of the server URLs in order to send these details over. If the first URL is not available, it then attempts to contact the second one.
KUBESCAPE
Description
Kubescape is an open-source tool for performing Kubernetes security scans where it helps in identifying misconfigurations and vulnerabilities in Kubernetes clusters.Kubescape offers comprehensive misconfiguration and vulnerability scanning, risk analysis, and security compliance indicators, presenting results in context with actionable cues for users. Designed for DevSecOps practitioners and platform engineers, it features an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities, saving Kubernetes users and admins valuable time, effort, and resources.
SIDEWALK
Description
Sidewalk is a trojan which targets linux based operating systems. Some features of Sidewalk are: Number of threads to manage sending and receiving asynchronous messages along with heartbeats. ChaCha20 is used twice for encryption with LZ4 compression. Contains a module TaskSchedulerMod, which operates as a built-in cron utility.
JLORAT
Description
JLORAT is a file stealer written in Rust that gathers system information, runs commands issued by the C2 server, upload and download files, and capture screenshots. JLORAT copies itself under %AppData% and sets up persistence via a registry RUN key. It also creates a mutex to ensure atomic execution (“whatever”, as in the default usage example for the “single-instance” Rust library that is embedded). The backdoor starts by gathering information on the victim machine, such as the system information, current user and public IP address. The information is sent via an HTTP POST request to the C2 on a non-standard port. More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT. Malware has the following capabilities: Gathers system information Capture screenshots Upload and download files.
HVNC
Description
HVNC stands for hidden virtual network computing is a module which can be used by malwares to gain full access to the victim machine from a remote location. The module is known to be used by malwares like dridex, Neverquest, gozi. VNC’s have two components, one client and one server. The server is usually hosted on the victim machine while the client stays with the attacker. The module can capture screenshots, log keystrokes etc. Here are some of the commands used in by a hVNC modules: - Hvnc_start_explorer - Hvnc_start_run - Hvnc_start_ff - Hvnc_start_chrome - Hvnc_start_ie
HACKBROWSERDATATOOL
Description
HackBrowserData is a tool for decrypting and exporting browser data such passwords, history, cookies, bookmarks, credit cards, download records, local Storage and extension from the browser. It supports the most popular browsers on the market and runs on Windows, macOS and Linux.
EREBUS
Description
Erebus is a ransomware which infects linux servers.Erebus traverses various sensitive directories in the system like /var/www/,/proc/,/etc/,/bin/,/boot/ to encrypt the files.Erebus scrambles the file with RC4 encryption in 500kB blocks with randomly generated keys
PROXYTROJAN
Description
Proxy Trojan is distributed by hacked apps obtained from pirated websites and is used to perform numerous crimes such as the purchase of weapons, drugs, and other illegal products. Attackers can use this type of virus to gain money by organizing a network of proxy servers, as well as to commit different crimes on the victim's behalf, such as attacks on websites, companies, and other users, as well as the purchase of weapons, drugs, and other illegal products.
KINSING
Description
Kinsing is a Golang-based Linux based cryptominer that contains cryptominers and a shell script to laterally spread Kinsing across the container network. The Golang libraries used are as follows Go-resty → HTTP and REST client library, used to communicate with a Command and Control (C&C) server. gopsutil → Process utility library, used for system and processes monitoring. osext → extension to the standard ‘os’ package, used to execute binaries. diskv → A disk-backed key-value store, for storage. These libraries are used to set up communication with a command-and-control (C2) server, monitor systems and processes, and establish a disk-backed key-value storage area to hold data. The shell script is used to spread across the container network passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the like, then attempts to connect to each host using every possible user and key combination through SSH.
BLOODHOUND
Description
Bloodhound is an open source Active Directory Reconnaissance(AD) tool that can discover relationships in an AD and find attack paths. It relies on graph theory to find the shortest path to traverse and elevate privileges in a domain. Bloodhound is a web application which runs as a desktop application. It uses Neo4j database. Bloodhound collects data from using an injector called sharphound. Sharphound collects information about user’s active sessions, AD Permissions, information of users in the AD etc.
DARKTORTILLA
Description
DarkTortilla appears to be a sophisticated and extensively customizable crypter built on the .NET framework, potentially in operation since at least August 2015. The trojan propagated by means of spam emails containing malevolent attachments. DarkTortilla has following capability: System information login details Cookies info FTP clients info
MYTHIC
Description
Mythic is a multiplayer, command and control platform for red teaming operations. Some of its features are: Cross-platform. Post-exploit. Red teaming framework designed to provide a collaborative and user friendly interface for operators.
RISEPROSTEALER
Description
RisePro Stealer is an MAAS info-stealer that is capable of stealing browser credentials, saved autofill information in browser forms, victim, system information, Credit Card info, Crypto-Wallet information and passwords. RisePro is a malware-as-a-service info-stealer, first identified in 2022. It is distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service. Currently, RisePro is available for purchase via Telegram, where users can also interact with the developer and the infected hosts. Capabilities of RiseProStealer: RisePro attempts to steal a wide variety of data; such as Web browsers, Browser extensions Credit Card info Crypto Wallet
SPACE
Description
Space is a DDoS client that targets Linux machines, ZTE and Huawei routers in particular. It includes modules to terminate the machine, flush iptables, kill all programs connected to the internet, and evade Honeypot detection. It also has two types of DDoS attacks, SYN and PSH-SYN.
S7SCANNER
Description
S7scanner tool enumerates Siemens S7 PLCs on a TCP/IP stack or LLC network. S7scan is based on the "PLCScan" utility which is used for scanning PLC devices over s7comm or modbus protocols. Some of the new features in the S7Scanner: - Support of low-level LLC protocol; - Showing protection configuration of PLCs; - Improvements of default COTP TSAP checking procedure in order to find all PLCs within racks; - Improved stability.
CRYPTOCLIPPY
Description
CryptoClippy is a clipboard-based stealer that reroutes funds to threat actors' controlled crypto-wallets by exploiting clipboard information. CryptoClippy has demonstrated significant advancements in its development, transitioning beyond mere crypto wallet theft to engaging in reconnaissance activities and extracting crucial payment application data and transaction information from unsuspecting individuals in Brazil. This evolution signifies a notable escalation in the sophistication and capabilities of CryptoClippy, posing an increased threat to users' financial security and privacy.
BLUEFOXSTEALER
Description
BluefoxStealer is a trojan that can steal credentials from browsers, FTP clients, crypto wallet etc from victim machines. It was first seen in December 2021. Once Treat actor stole sensitive information from the victim's machine and sold it on an underground market for further attack. Stealer has the following capabilities: Steal browser password and cookies Credentials of crypto wallet Files Download/Upload Capture screenshots
THEIFQUEST
Description
TheifQuest is a malware that targets macOS devices, encrypts files, and installs keyloggers in affected systems. Upon a successful installation, ThiefQuest copies itself into ~/Library/AppQuest/com.apple.questd and creates a launch agent property list at ~/Library/LaunchAgents/com.apple.questd.plist with a RunAtLoad key set to true to automatically get launched whenever the victim logs into the system. The malware also supports commands that afford a remote attacker complete and continuing access over an infected system. Once file encryption is complete, it creates a text file named READ_ME_NOW.txt with the ransom instructions.
PASSMARK
Description
PASSMARK is a PSWtool that allows users to view saved passwords from their browser. The tool can be exploited by threat actors to obtain sensitive information from a victim's computer.
AVBYPASSTOOL
Description
AVBypassTool is used to automate the process of creating a shellcode, injecting it into a template, and compiling the service executable which would bypass Antivirus software.The core technique involves modifying a service executable template to directly incorporate the shellcode, avoiding traditional injection methods. This eliminates the need for a preset buffer allocation and nopsleds (a sequence of no-operation instructions), making the size of the shellcode the default buffer space.
SHARPKATZ
Description
Sharpkatz is an open source hacktool which could be used to recover credential data. This tool allows users to recover user credentials from the following providers: Msv Kerberos Tspkg Credman WDigest sam database The attackers can abuse this tool for malicious purposes and gathering sensitive information from the victim machines.
TZEEBOT
Description
Tzeebot is a backdoor that enables unauthorized access to a victim's computer by a threat actor. The group of malicious individuals focuses on attacking organizations operating in the fields of government, energy, and technology, either based in Saudi Arabia or having business connections with the country. Tzeebot has following capability: Deleting/Uploading files Downloading and running files keystrokes Modifying your system settings Running or stopping applications
CVE20222588
Description
A use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation problem.
ZXSHELL
Description
ZXSHELL is a downloadable backdoor from Chinese hacker sites that enables port scans, keylogging, screenshot capture, and other malicious activities. The malware can establish HTTP or SOCKS proxies, initiate reverse command shells, conduct SYN floods, and manage file transfers, deletions, and executions. Its publicly accessible version offers a user-friendly graphical interface for malicious users to interact with compromised systems.
WHISPERGATE
Description
Whispergate is a wiper targeting Ukraine which overwrites the MBR(Master Boot Record) and files. Other than overwriting MBR it is also capable of overwriting files.The machine is rendered unbootable post infection.The malware does not have a mechanism to recover the lost files unlike Ransomwares. The instance of the malware was first seen in Jan 2022. The malware is similar to NetPetya. Post infection it displays a ransom note.
SNAKE
Description
Snake trojan specifically targets government entities or NATCO countries, gathering system information from infected machines and establishing an immediate connection with the attacker's server. The attackers employ a combination of direct spear-phishing emails and watering hole attacks to infect their targets. Watering holes refer to frequently visited websites by potential victims, which are pre-compromised by the attackers and injected with malicious code. The injected code varies based on the visitor's IP address, such as serving Java or browser exploits, counterfeit Adobe Flash Player software with forged signatures, or a fake version of Microsoft Security Essentials. After compromising a victim system, the attackers receive a concise summary of information and subsequently send pre-configured batch files containing a sequence of commands for execution. Furthermore, they upload customized lateral movement tools, including a dedicated keylogger, a RAR archiver, and standard utilities like a Microsoft DNS query tool.
KUTAKI
Description
Kutaki is a data stealer that uses old-school techniques to detect sandboxes and debugging. Kutaki information stealer and keylogger that was hidden inside a legitimate Visual Basic application and delivered as an OLE package within a weaponised Office document. Preparing the machine for data-theft by backdooring a legitimate application. Malware has the following capabilities: Stealer (Browser Password) Remote control Harvest data from keyboards, clipboards, microphones, and screenshots C2 Server AntiVM
SIMPS
Description
Simps is a botnet that uses several DDOS modules from Mirai and Gafgyt. Simps botnet( and Keksec group) compromise victims' machines in an attempt to create a network of remotely controlled bots for launching DDOS attacks. The binaries of this malware use modules from Gafgyt and Mirai which gives the attacker an advantage to combine, reuse and add new functionalities to the malware by modifying the source code of Mirai and Gafgyt. Based on our analysis and observations, we believe that Simps Botnet is in its early stages of development. Simps Botnet is associated with the Keksec group. This was identified based on the discussions and the malwares developed and used by the users of the “Simps Net” Discord server group.
INSTALLCORE
Description
Install Core is an installer which bundles legitimate applications with offers for additional third party applications that may be unwanted by the user. These applications are most commonly software bundlers or installers for applications such as toolbars, adware, or system optimizers. The developer behind InstallCore is ironSource, a company that builds monetization, engagement, analytics, and discovery tools for app developers, device manufacturers, mobile carriers, and advertisers. InstallCore is available for Windows and Mac systems. Installcore binaries can also affect the quality of your computing experience. It mainly Injects into browsers, Changes browser settings, Changes browser shortcuts and also installs browser extensions.
TELLYOUTHEPASS
Description
TellYouThePass is a Linux ransomware that harvests SSH keys and moves laterally throughout the victim network. Some features of TellYouThePass ransomware: -The ransom notes are written to a file called "README.html". -It encrypts the HOME directory in linux. -It uses a combination of RSA-1024 and AES-256 for encrypting the files. -The extension used by the ransomware is '.locked'.
BLUESHELL
Description
BlueShell is a Go-written remote control tool that periodically attempts to establish a rebound connection with a specified C&C address and operates bsServer on the C&C side. The bsClient can be connected to realize continuous control of the target drone. The main functions currently supported are: Loop continuous control Cross-platform, support Linux, Windows, MacOS Interactive Shell Rebound, Linux supports Tab completion, VIM, Ctrl+C and other interactive operations
XTREMERAT
Description
XtremeRAT has been around since 2010 or earlier, was created by someone known as xtremecoder. The RAT can be instructed by a remote attacker to perform a range of actions, including managing files (such as downloading, uploading, and executing them), managing the registry (such as adding, deleting, querying, and modifying it), carrying out shell commands, controlling the computer (such as shutting it down or logging on/off), and capturing screenshots. Moreover, it is capable of logging the keystrokes made on the compromised system.
AGENTTESLA
Description
AgentTesla is an infostealer code in .NET which can steal data from browsers, FTP clients etc, download managers etc. Some of the older versions were observed to be compiled using other programming languages like VB, VC as well. It was first seen in 2014 and mostly seen to be spread using phishing emails. AgentTesla has the following capabilities: 1. Keylogging 2. harvest credentials from VPN clients 3. harvest credentials from FTP clients 4. Harvest credentials from email clients 5. Harvest credentials from browser 6. Steal wifi passwords. It can harvest credentials from registry as well as configuration files of FTP clients, VPC clients and so on. It can infiltrate the harvested credentials to the CnC server using FTP or SMTP.
HTRAN
Description
HTran also known as HUC Packet Transmitter was authored by "lion", a well-known Chinese hacker and member of "HUC", the Honker Union of China. This tool facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network. HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are: 1. Server (listen) – Both TCP sockets initiated remotely; 2. Client (slave) – Both TCP sockets initiated locally; and 3. Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection. HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features, it also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.
FSCAN
Description
Fscan is an intranet scanning tool, which is convenient for one-click automation and all-round missed scanning. It supports host survival detection, port scanning, blasting of common services, ms17010, redis batch write public key, scheduled task rebound shell, read win network card information, web fingerprint identification, web vulnerability scanning, netbios detection, domain control identification and other functions.
HAVOCTOOL
Description
Havoc is written in go language. It is a modern and malleable post-exploitation command and control framework. It has different Features like client module is of cross platform, TeamServer feature written in go language which can generate payloads like exe, dll, shellcode. Also has customizable c2 profiles.
REZER0
Description
ReZer0 is a C# compiled binary, functions as a loader designed to obfuscate payloads from both analysts and antivirus scanners.The ReZer0 loader is adept at either embedding malware or retrieving it from remote servers, showcasing its capability to deliver encrypted payloads and perform anti-sandbox checks. The strategy of employing multiple loaders is commonly employed by malware distributors to elude antivirus detection and security scanners.
GCLEANER
Description
Gcleaner is a fake system cleaner application which could be used to deliver infostealer malware in victim systems. This application cleans temporary files, cookies, browser history, and junk files. This helps to run PC faster but this as trap can be used to install other infostealer trojan (AZORult). AZORult tries to read browser credentials, Histories, cookies, personal information, and steals crypto wallets.
KILLDISK
Description
Killdisk is a wiper malware designed to wipe data in the hard disks. It was mainly designed to work against Scada devices. It was first used in 2015 against which led to a power outage in Ukraine for 6 hours. It was also used against Ukranian Banks, Financial institutions in Latin America. Like other wiper malwares it was used in the final stage to destroy forensics evidences. Killdisk needs to run as administrator to accomplish its task. The attacker probably used the credentials collected in earlier stages of attack to execute killdisk with full privileges. Killdisk deletes system files to make the system unbootable. It also overwrites files on the system with particular extensions. The extensions can include those of media files, database files, archives, virtual machines etc.
NIMBO-C2
Description
Nimbo-C2 agent is cross-platform, written in Nim, and incorporates .NET on Windows by dynamically loading the CLR into the process. This is opensource project. Features of Nimbo-C2: Build EXE, DLL, ELF payloads. Auto-completion in the C2 Console for convenient interaction. In-memory Powershell commands execution. File download and upload commands. Screenshot taking, clipboard stealing, audio recording, and keylogger. Shellcode injection using indirect syscalls. UAC bypass methods.
FLAGPRO
Description
Flagpro is spread using spear phishing attacks. The phishing email contains a password protected zip file which contains an xlsm file and the password is mentioned in the email body. The xlsm file leads to download of the final payload. FlagPro has the following functionality: -Download execute malwares or tools used by attackers -Execute OS commands -Steal windows Credentials Typically it downloads files and saves them locally with the following name “~MY[0-9A-F].tmp” in the Temp Directory. Flagpro communicates with CnC using HTTP protocol.
FLOODER
Description
Flooder malware conducts various types of DDOS attacks, it also includes UDP bypass techniques. Some more features of flooder: Various types of Ddos attacks like UDP, TCP, ICMP. Includes UDP bypass method. Uses argument/parameter while executing.
B1TXOR20
Description
B1txor20 is a linux backdoor which targets ARM and x64 CPU architectures. It spreads via the log4j vulnerability. B1txor20 uses DNS tunneling technology to build C2 communication channels. Some of its features are: Installs rootkit named M3T4M0RPH1N3 Reverse shell Socks5 proxy Uses Base64 to encode the network packets
SNEAK
Description
Sneak can be dropped in a cloud environment to leak and exfiltrate sensitive data from the instance metadata service.
WINEGGDROP
Description
WinEggDrop is an open-source SYN/TCP port scanner with a focus on simplicity, speed, and power, available on a Git project. This tool can be employed by threat actors for malicious activities, such as covertly scanning the ports of a victim's machine for spying purposes.
TIGERRAT
Description
TigerRAT trojan can manipulate files, execute commands, log keystrokes, and remotely control the screen. This RAT is coded in C++ and it can extract the computer name, Windows version, adapter information, and username of the infected system. TigerRAT has the following capabilities: Collecting Driver info Collecting List of files details Deleting files Uploading/Downloading files Taking Screen capture
SKILLFORMAT
Description
SkillFormat is a Adload adware family that hijacks the browser redirecting to adware results.SkillFormat generates advertisements and promotes a fake search engine address, and thus functions as adware and a browser hijacker. Additionally, it is possible that SkillFormat gathers information relating to users' browsing habits and other data SkillFormat promotes a fake search engine and functions as a browser hijacker. This serves as a typical browser hijacker by changing the default search engine, homepage, and new tab to the address of its associated fake search engine. In most cases, these search engines do not generate unique, individual results, or they generate those that can include links to dubious pages.
XAGENT
Description
XAgent is a spyware and malware program that employs phishing attacks and the program is designed to "hop" from device to device. It is designed to collect and transmit hacked files from machines to servers operated by hackers. XAgent can exfiltrate information from compromised computers via HTTP and email, working alongside other components in the toolkit. Once connected to the C&C, the malware uses POST requests to send information to the C&C and monitors the GET requests for commands. The X-Agent backdoor (aka Sofacy) was associated with several espionage campaigns attributed to the APT group Fancy Bear, designed to compromise Windows, Linux, macOS, iOS and Android OS systems.
HLOADER
Description
Hloader is a trojan written in a swift language, and this payload attempts to masquerade as a legitimate application. Hloader is written in a swift language, and this payload attempts to masquerade as a legitimate application. HLOADER is seen as /Discord(fake) app is a simple loader used as a persistence mechanism masquerading as the legitimate Discord app for the loading of SUGARLOADER. and used to execute Mach-O binary files from memory without writing them to disk.
ELYSIUMSTEALER
Description
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts. They typically target various communication (e.g. email, social media, social networking, messaging, etc.) and data storage/sharing accounts, and ones that deal with financial information (e.g. e-commerce, online money transfers, cryptocurrency, banking, etc.). . Elysium stealers can also exfiltrate data stored in the infected system. Should the content acquired from the compromised device and/or data storage accounts be particularly sensitive/compromising, this malware can have keylogging capabilities as well. Malware can also log or capture keystrokes to steal credentials like usernames and passwords. Malware has the following capabilities: Stolen Usernames, passwords. Steal your sensitive information. Stolen passwords and banking information. Victim's computer was added to a botnet.
MACINST
Description
MacInst is an unwanted macOS adware using resources of an affiliate program called “macdownloadpro.com”. Websites of numerous “partners” taking part in this program are usually packed with different advertising modules, and visiting such webpages leads to multiple tabs being open in the browser window. Once installed, it makes the browser unusual for the users by the several alterations like internet setting, browser setting, homepage setting etc. It also assigns the homepage and default search with a fake search engine which shows unwanted or unrelated search results to purchase third party rogue software programs.
GRAVITYRAT
Description
GravityRAT is Remote Access Trojan (RAT) known to target India and steal data from the infected devices. GravityRAT collects and performs the following actions 1. MAC Address 2. Computer name 3. Username 4. IP address 5. Date 6. Steal files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf and .pdf 7. The volumes mapped on the system
EXELA
Description
Exela is a trojan stealer, capable of pilfering screen captures, keylogging, and various other data from the compromised computer. This newly discovered stealer, named Exela, was first detected and identified in the year 2023. The stealer has following capabilities: Creditcard details Web browser details (Cookies,History ) Discord details screenshot keylogger
HEALER
Description
Healer is a compiled binary written in C# that aims to deactivate Windows Defender antivirus functionalities.This trojan is downloaded or delivered onto the target system through another trojan. Its main objective is to disable both the Windows update feature and Windows Defender, allowing the threat actor to execute shell code or introduce additional malicious files into the victim's system.
CLIPBANKER
Description
Clipbanker is a trojan that steals finance related information from the target machine. This trojan arrives at the victim machine through other malware. This trojan steals sensitive information like Browser history, cookies,outlook data, crypto wallet, skype, telegram address,clipboard data.
PASSCAT
Description
PassCat is a Windows native C/C++ application that is open source and has the ability to access and retrieve locally stored passwords on a computer. This tool extracts credentials from the following applications: FileZilla Windows Wireless Network WinSCP Pidgin Windows Credential Manager Vault Files Internet Explorer Browser Google Chrome Browser Opera Browser Firefox Browser
GSECDUMP
Description
Gsecdump allows users to dump the Windows SAM database, cached domain credentials, LSA details and active logon sessions. Gsecdump can perform the following command line actions OPTIONS -h / --help → Shows this text 1. -a / --dump_all → Dump all secrets 2. -s / --dump_hashes → Dump hashes from SAM/AD 3. -l / --dump_lsa → Dump LSA secrets 4. -u / --dump_usedhashes → Dump hashes from active logon sessions 5. -w / --dump_wireless → Dump Microsoft wireless connections 6. -S / --system → Force elevation to SYSTEM
KUBESTRIKER
Description
Kubestriker is an open-source security auditing tool specifically designed for Kubernetes environments where it scans clusters for potential vulnerabilities and misconfigurations, helping to identify risks before they're exploited. With its comprehensive checks and reporting capabilities, Kubestriker enhances Kubernetes security posture for organizations.
SANDMAN
Description
Sandman is a red team tool designed for penetration testing on secure networks where it functions as a stager, utilizing the often overlooked NTP protocol to execute predefined shellcode from a specified server. This approach takes advantage of the widespread accessibility of NTP, simulating potential security vulnerabilities for assessment within ethical boundaries.
SANDCAT
Description
Sandcat is go Lang based binary used as plugins in MITRE Caldera emulation. CALDERA breach & emulation tool designed to easily automate adversary emulation, assist manual red-teams and automate incident response. Sandcat binary is executed to victims machine to get communicate with caldera C2 framework after successful registration of victims machine with Caldera framework various Red Teaming actives can be performed
HAMMERTOSS
Description
HAMMERTOSS have devised a particularly effective tool. APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS uses Twitter, GitHub, and cloud storage services to relay commands and extract data from compromised networks
PNGDOWNER
Description
PNGDowner is a tool coded in VC++ and used a download utility by PutterPanda Threat group(APT2). The malware initially connects to microsoft.com using user agent Mozilla/4.0 (Compatible; MsIE 6.0;). If it fails to connect it will try to extract proxy credentials and use it for connecting to CnC. It has the following pdb names in the file: 1. Y:Visual studio 2005Projectsbranch-downerdownerreleasedowner.pdb, 2. Z:Visual studio 2005Projectspngdownerreleasepngdowner.pdb 3. Z:Visual studio 2005Projectsdownerreleasedowner.pdb
BLUESKY RANSOMWARE
Description
Bluesky ransomware targets Windows OS and uses multithreading to encrypt the victim's data fastly. This ransomware code matches with existing conti ransomware code. This malware has a separate extension list of files to be encrypted. Also, it contains directory path and filenames to exclude them for avoiding infection.
EZURI
Description
Ezuri is a Simple Linux ELF Runtime Crypter.
GINZOSTEALER
Description
GinzoStealer is an infostealer that has the capability to steal system information as well as cryptocurrency wallet information from an infected machine. It was first seen in 2022. The malware possesses the following capabilities: Telegram sessions Gathers cookies and passwords from browser (Opera, Chrome, Opera GX, Firefox ) System files System info Crypto wallet
DIRTYCOW
Description
DirtyCOW(copy-on-write) is a vulnerability that exploits and affects linux kernels created before 2018,its a local privilege escalation bug which exploits a race condition in the implementation of copy on write mechanism in linux kernel memory management system. Some malwares might try to exploit this vulnerability for privilege escalation later doing other malicious activities with higher privileges.
REVERSESHELL
Description
Reverse shell is a shell session established on a connection that is initiated from a remote machine. Adversaries use various types of reverse shell in their malwares to establish connection from the victim system so that additional commands could be executed on the victim machine. Reverse shells are of various types like TCP reverse shell, HTTP reverse shell, python reverse shell, GO language reverse shell ,meterpreter based reverse shell which is generated using msfvenom utility.
AOBOKEYLOGGER
Description
Aobo Keylogger is an easy-to-install application that records every keystroke entered on a computer.Users can purchase it from the company called AoBo software. It is advertised as a tool which allows users to monitor kids, employees. However, research shows that AoBo opens shared AirPort access, records keystrokes, passwords and sends logs to a remote server. If distributed by cyber criminals, this keylogger could be misused for malicious purposes.
CALISTO
Description
Calisto is a malware that fraudulently disguises itself as a security softwares, performing as backdoor and information stealer. Upon installation, Calisto uses a hidden directory named .calisto to store: 1. Keychain storage data 2. Data extracted from the user login/password window 3. Information about the network connection 4. Data from Google Chrome: history, bookmarks, cookies Alongside this, Calisto has backdoor capabilities that can perform the following functions 1. Enable remote login 2. Enable screen sharing 3. Configure remote login permissions for the user 4. Allow remote login to all
DUMMY
Description
Dummy is a shell script that is kept running by a launch daemon. The shell script itself uses Python to open a reverse shell to port 1337 on a malicious server, giving the hacker behind the malware continued access to the computer. Dummy was spread on crypto mining chat groups by chat users posing as admins, who posted a shell script for users to run that downloaded the installer for Dummy.
IOX
Description
IOX is a tool for port forward & intranet proxy. The source code of the tool is available publicly. Tool has the following capabilities: Traffic encryption Humanized CLI option Logic optimization UDP traffic forward TCP multiplexing in reverse proxy mode
BACKDOORIT
Description
Backdoorit is a multiplatform RAT written in Go programming language. The main purpose of this malware is stealing Minecraft related files, Visual Studio and Intellij projects. Some commands allow it to steal arbitrary files and information, install other malware in the system or run arbitrary commands (run, run-binary, etc.) and take screenshots of the user activity (screenshot, ssfile and so on).
NBTSCAN
Description
Nbtscan is a command line tool for scanning IP networks for NetBIOS name information.It sends NetBIOS status query to each address in the supplied range and lists output in human readable form. For each acknowledged host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.
KILLAV
Description
KillAv is a hacking tool designed to terminate processes by exploiting the zam64.sys driver.This hacking tool has compiled a list of antivirus (AV) and endpoint detection and response (EDR) process names. Once it detects any of these processes, it initiates their termination. The source code is publicly accessible on a Git repository.
FABOOKIE
Description
Fabookie is a trojan created to steal Facebook accounts, also it harvests sensitive details from infected computers. Fabookie’s malicious files can invade Windows operating systems in a stealthy manner, via fake applications and infected sites. This type of malware can seriously damage an infected computer, as it may steal sensitive information and open a backdoor to more threats. Fabookie’s access to a computer enables it to create several malicious files that may compromise both the system and the network. Malware has the following capabilities: Capturing keyboard input Collecting system information Steal Facebook accounts.
ALIENREVERSE
Description
Alienreverse is a backdoor implant that includes file stealing,the ability to download and execute further modules.This is developed in C++ and has included several other public tools, such as EarthWorm and socks_proxy.
NIMPLANT
Description
A light first-stage C2 implant written in Nim and Python with Wide selection of commands focused on early-stage operations including local enumeration, file or registry management, and web interactions.Easy deployment of more advanced functionality or payloads via inline-execute, shinject (using dynamic invocation), or in-thread execute-assembly.
CCAT
Description
Cloud Container Attack Tool(CCAT) is an open source security tool for testing security of container environments. Some of the features of CCAT Container Escape Features Amazon ECS Attack Features Amazon EKS Attack Features Azure Container Related Attack Features GCP Container Related Attack Features OpenShift Container Related Attack Features IBM Cloud Container Related Attack Features Alibaba Cloud Container Related Attack Features
STORMKITTY
Description
StormKitty is c# compiled binary which could be used to steal browser cookies and credit card details from the victim machines. The source code of info stealer is available publicly. Stealer has the following capabilities: System information Steals credit card details, history, cookies, saved credentials of web browser Keylogger Screenshot Steals crypto wallet credentials Wifi network details Screenshot
PEIRATES
Description
Peirates is a penetration testing tool for Kubernetes, focused on privilege escalation and lateral movement. This tool automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster. Peirates supports the following functions 1. Gain a reverse shell on a node, using a hostPath-mounting pod 2. Pull service account tokens from bucket storage (GCS-only) 3. Pull service account tokens from secrets 4. Run a token-dumping command on all pods, abusing Kubelets 5. Gain IAM credentials from an AWS or GCP Metadata server 6. Transfer itself into another pod, allowing lateral movement
LIGHTNINGFRAMEWORK
Description
LightningFramework is a malicious framework containing other malicious components like sshhijacker,rootkit. The framework contains a malicious downloader module which is used to fetch the other malicious components and execute the core module. The downloader then contacts the C2 to fetch the following modules and plugins: Linux.Plugin.Lightning.SsHijacker Linux.Plugin.Lightning.Sshd Linux.Plugin.Lightning.Nethogs Linux.Plugin.Lightning.iftop Linux.Plugin.Lightning.iptraf Lightning.Core
SAITAMA
Description
Saitama is a Backdoor malware written in .Net that utilizes a backdoor to exploit the DNS protocol for its Command and Control (C2) communication. The malware propagates through spear-phishing emails containing Microsoft Office attachments.This malware employs Windows Management Instrumentation (WMI) for pinging the C2 server, a less frequently utilized method compared to more common tools like PowerShell or CMD. Additionally, this function is invoked multiple times throughout the macro execution and essentially functions as a state monitor to observe and record the ongoing activities during the attack.
SYMBIOTE
Description
Symbiote malware targets linux systems and hides malicious network connections. The initial vector symbiote malware seems to be through the modification of the /etc/ld.so.preload file. Symbiote malware is a shared object library that gets loaded into the system in order to hook libc and libpcap functions. Symbiote malware also abuses eBPF for hijacking the process which uses BPF functionality for monitoring the network packets.
SPARKRAT
Description
SparkRAT is an opensource web-based, cross-platform and multifunctional RAT that allow you to control all your devices via browser anywhere. This RAT supports over 20 commands that it can employ to carry out operations, take control of the infected machine, alter processes and files, and steal various forms of information. It communicates with the C&C server via the WebSocket protocol.
ZURU
Description
Zuru is a malware that gets installed via SEO poisoning and uses a python script to collect various information from an infected macOS endpoint. It was reported that seekers of several macOS applications, notably including iTerm2, a third-party Terminal app for Mac—may have unintentionally downloaded an OSX/ZuRu Trojan horse. If a user is tricked into this, OSX/ZuRu get installed and runs a Python script that collects various information from an infected Mac as follows - User’s macOS Keychain database - User’s bash and zsh Terminal command history - User’s iTerm2 saved state - User’s ssh keys and known hosts - System’s /etc/hosts file
UTILITY
Description
Utility tools such as curl,nmap,tcpdump etc are powerful command-line applications widely used in Windows, macOS, and Linux operating systems to perform tasks like data transfers and network scanning, providing essential functionalities for developers, system administrators, and security professionals. This includes tools like curl,nmap,tcpdump, wget,- netcat, ftp,sftp,scp,ssh,telnet, kubectl
BORATRAT
Description
BoratRat is a unique malware with capabilities of RAT, spyware and Ransomware. It also gives the capability to attackers to carry out DDos attacks. The attackers named it after the comedy movie Borat. Below is the list of other capabilities of Borart RAT: - Steal discord tokens - play audio, interchange mouse button clicks, hide desktop - keystroke logging - enable disable webcam light - Turn off the monitor - steal browser credentials
DARKGATE
Description
DarkGate is the payload having various capabilities, including HVNC (Hidden Virtual Network Computing), crypto miner setup, browser history and cookie theft, RDP (Remote Desktop Protocol), and AnyDesk (a remote desktop software). The malware is cunningly delivered via an MSI file that harbors two concealed files containing encoded shellcode. Once executed, DarkGate unravels its true capabilities, which include unique decoding methods for two embedded strings that disclose vital information about the malware's command and control (C2) communication and configuration.DarkGate doesn't stop there; it employs sophisticated obfuscation techniques, such as Loop XOR and custom Base64 decoding, to camouflage its network activity, making detection and analysis more challenging.
PERSIANRAT
Description
PersianRAT is a trojan designed to collect sensitive information from a victim's machine, including PC details, server information, IP address, user data, Windows OS version, architecture, CPU, GPU, and country.The entity responsible for this website(TA) engages in the sale of various malicious tools, such as Remote Access Trojans (RATs), loaders, and crypters.
DNSPIONAGE
Description
DNSpionage is a remote administrative tool that allows supports HTTP and DNS communication with the threat attackers. This malware is usually dropped by the malicious document. Iit supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure.
EDRSILENCER
Description
EDRSilencer is a tool which uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
DONPAPI
Description
Donpapi is an open source tool for dumping all secrets of victim machines. This tool collects sensitive information like Windows credentials, RDP credentials, Browser cookies and credentials, VNC credentials, Wifi password, etc.
ZLOADER
Description
Zloader malware has evolved multiple times from a simple banking trojan to acting as a loader for ransomware or other malware families. ZLoader uses defense evasion capabilities like disabling security and antivirus tools. The zloader operators further sell the command and control to other affiliate groups, such as ransomware operators. Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.
REZLT
Description
Rezlt trojan captures remote desktop information from the victim's machine and sends it through a Telegram channel. Rezlt has the following capabilities: OSversion information RAM details Public IP address RDP machine credentials
COMMANDOCAT
Description
Commando Cat is a novel cryptojacking campaign which leverages Docker for initial access through the deployment of a seemingly harmless container, crafted via the Commando Project, the attackers breach the Docker environment and then execute a series of payloads on the Docker host, including a credential stealer aimed at cloud service provider credentials such as AWS, GCP, and Azure. Additionally, the campaign employs diverse advanced techniques, such as a unique process hiding method and a Docker Registry blackhole, highlighting its sophisticated nature.
XWORM
Description
XWorm is capable of dropping several malicious payloads at various points on the system, adding or changing registry entries, and executing commands. On execution, the malware sleeps for one second and checks for mutexes, virtual machines, debuggers, emulators, sandbox environments, and Anyrun. The malware terminates itself. XWorm installs itself in the start-up folder and creates a scheduled task entry in the AppData folder. The malware creates an autorun entry in the registry to ensure it will automatically run whenever the system is restarted. After establishing persistence, it contacts the C2 server. The C&C domain system is then notified of new system information through a new thread. Malware has the following capabilities: Adding and deleting files Capture keylogging, screen capture Perform ransomware operations.
TNTBOTINGER
Description
TNTBotinger is a malware that belongs to TNT group of attackers which targets misconfigured Docker environments and systems.Using malicious shell-scripts, crypto-mining worm is deployed to the misconfigured systems. Additional features of the TeamTNT related malwares: Steals AWS credentials Scans for open Docker APIs using masscan tool Tries to stop the Alibaba Cloud Security tools Contains code copied from another worm named Kinsing Deploys punk.py – A SSH post-exploitation tool,Diamorphine Rootkit. Also deploys Tsunami IRC Backdoor.
PASSTHEHASHTOOL
Description
Pass-the-Hash (PtH) is a cyberattack technique where an attacker, after obtaining password hashes from compromised systems, uses those hashes to authenticate and gain unauthorized access to other systems without needing to know the original passwords, exploiting the way Windows stores and uses hashed credentials. Here’s a complete list of tools that come with the Pass-The-Hash toolkit: pth-net: tool for administration of Samba and remote CIFS servers pth-rpcclient: tool for executing client side MS-RPC functions pth-smbclient: ftp-like client to access SMB/CIFS resources on servers pth-smbget: wget-like utility for download files over SMB pth-sqsh: interactive database shell for MS SQL servers pth-winexe: SMB client to execute interactive commands on remote computer pth-wmic: WMI client to execute queries on remote computer pth-wmis: WMI client to execute a command on remote computer pth-curl: curl with built-in NTLM support (deprecated / curl contains this natively)
OLYMPIC DESTROYER
Description
Olympic Destroyer is a Wiper malware that was first seen in 2018 which was targeted against Olympic Games in Pyeongchang, South Korea. It was delivered using spear phishing emails which have documents with embedded macros. Olympic destroyer used WMI and PSExec for lateral movement. It uses named pipes to for interprocess communication. It uses the following windows tools: 1. Bcdedit:exe to prevent booting in recovery mode 2. Wevtutil:exe to destroy event logs in order to destroy forensic evidence 3. Vssadmin to delete shadow copies which makes it harder for recovery
BANDOOK
Description
Bandook is a remote access trojan with capabilities including screen capturing, shell execution, file access, and more. This RAT was initially observed in 2007 and coded in Delphi and C++. Its propagation occurs via targeted spear phishing emails. Bandook has following capabilities: Download and execute binaries Retrieve list of system drivers Retrieve list of files Upload files Download files Retrieve victim IP
PROCDUMPTOOL
Description
Procdump is a Sysinternals utility which can be used to dump process memory. Processes like lsass:exe store credentials in their memory. Adversaries can dump the lsass:exe memory using procdump and extract passwords by using other tools like Mimikatz. The extracted credentials can further be used to carry out lateral movement. Procdump is also now available for linux.
KEYLOGGER
Description
The term ‘keylogger’ itself is neutral, and the word describes the program’s function. Most sources define a keylogger as a software program designed to secretly monitor and log all keystrokes. This definition is not altogether correct, since a keylogger doesn’t have to be software – it can also be a device. Keylogging devices are much rarer than keylogging software, but it is important to keep their existence in mind when thinking about information security. Most modern keyloggers are considered to be legitimate software or hardware and are sold on the open market. Developers and vendors offer a long list of cases in which it would be legal and appropriate to use keyloggers, including: 1. Parental control: parents can track what their children do on the Internet, and can opt to be notified if there are any attempts to access websites containing adult or otherwise inappropriate content. 2. Jealous spouses or partners can use a keylogger to track the actions of their better half on the Internet if they suspect them of “virtual cheating”. 3. Company security: tracking the use of computers for non-work-related purposes, or the use of workstations after hours. 4. Company security: using keyloggers to track the input of key words and phrases associated with commercial information which could damage the company (materially or otherwise) if disclosed. 5. Other security (e.g. law enforcement): using keylogger records to analyze and track incidents linked to the use of personal computers. Unlike other types of malicious program, keyloggers present no threat to the system itself. Nevertheless, they can pose a serious threat to users, as they can be used to intercept passwords and other confidential information entered via the keyboard. As a result, cyber criminals can get PIN codes and account numbers for e-payment systems, passwords to online gaming accounts, email addresses, user names, email passwords etc.
GEACON
Description
Geacon is a project that first appeared four years ago on Github as a Go implementation of Cobalt Strike Beacon. The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads and exfiltrating data. The user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named “Xu Yiqing” Some other payload is embedded in a trojan masquerading as SecureLink, an enterprise-level application for secure remote support. The binary only targets Intel devices.
EVILGINX
Description
Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
SWEETPOTATO
Description
SweetPotato is a hacking tool that comprises a range of distinct native Windows privilege escalation methods, spanning from service account exploitation to achieving SYSTEM-level access. This open-source code is available within a GitHub project, which means that malicious individuals could potentially exploit this tool to gain unauthorized access to a victim's machine
PUTTY
Description
Putty is a free tool that can be used as a SSH and Telnet client on windows and Linux. It uses an xterm emulator. Adversaries can use it as a tool for encrypted communication.
DISGOMOJI
Description
DISGOMOJI is a sophisticated malware developed by UTA0137, a threat actor targeting government organizations and is derived from discord-c2, it utilizes emoji-based commands for stealthy communication and includes features for exfiltrating sensitive data like browser information and documents. UTA0137 continually updates DISGOMOJI, integrating tools like Zenity for social engineering and enhancing its capability to evade detection and maintain persistence in targeted networks.
RAPPERBOT
Description
RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.
KLINGON RAT
Description
Klingon RAT is a GoLang based Remote Access Trojans (RATs). The RAT is well-featured and resilient due to its multiple methods of persistence and privilege escalation. It was determined that the RAT is being used by cybercriminals for financial gain. Its distribution method includes infected email attachments, malicious online advertisements, social engineering, software 'cracks'.
EMP3R0R
Description
Emp3r0r is a post-exploitation linux framework that contains post-exploitation tools and stealth modules. It uploads its own bash and many other post-exploitation tools. This tool can perform the following tasks Perfect reverse shell Auto persistence via various methods Post-exploitation tools like nmap, socat, are integrated with reverse shell Credential harvesting Process injection Shellcode injection and dropper ELF patcher Hide processes and files via libc hijacking Port mapping, socks5 proxy Auto root LPE suggest System info collecting File management Log cleaner Stealth connection Anti-antivirus Internet access checker Autoproxy for semi-isolated networks Interoperability with metasploit / Cobalt Strike
MERCURIALGRABBER
Description
Mercurial Grabber is an open-source C# malware builder developed in May 2021 and uploaded on Github as a public repository. However, Threat actors have been using this repo to target people and steal info by modifying some code in the repository Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients. This Stealer can also steal the cookies of Roblox and the session data of the popular game Minecraft. The malware can steal information such as Operating System name, processor information, GPU information, disk, and memory details from the compromised machine and also steals saved credentials from the Chrome browser by reading the .db file Malware has the following capabilities: Stealer (Browser Password and cookies) Windows product keys Harvest data screenshots ,Geolocation ,Hardware information and IP address AntiVM Uses AES GCM encryption technique
LIMERAT
Description
LimeRAT is a Remote Access Tool(RAT) that is capable of encrypting files like ransomware, install cryptominers and add the malware to a botnet. Recently it is known to spread from Excel macros. It has been coded in .net. Other capabilities of the malware includes: 1. Spread through USB drives 2. Uninstall itself in case detectsVM 3. Locks screen 4. Steal data from victim PC
BADNEWS
Description
Badnews is a backdoor with capability to monitor keystrokes, take screenshots and steal documents. The malware uses social media websites as CnC. The malware drops 4 files to temp for storing various stolen information: -9PT568.dat - stores computer hardware profile -TPX498.dat - stores keystrokes -edg499.dat - screen capture -TPX499.dat - saves path to document files
LIMECRYPTER
Description
LimeCrypter stands as an open-source tool rooted in C#, designed to facilitate the injection of legitimate processes.Hosted within a Git repository, the source code of this tool is readily available to the public. This accessibility introduces a concerning possibility: ill-intentioned actors could misuse the tool, harnessing its capabilities to serve malicious purposes.
DINODASRAT
Description
DinodasRAT is a C++-based remote access trojan equipped with diverse functionalities that enable a malicious actor to surreptitiously monitor and gather confidential data from a target's computer.This campaign exhibited a focused approach, with threat actors tailoring their emails to lure their intended victim organization. Following the successful infiltration of the initial few computers using DinodasRAT, the perpetrators then proceeded to pivot within the target's internal network, once more employing the DinodasRAT backdoor for their malicious activities.
DUCKTAIL
Description
Ducktail trojan is purposefully developed to acquire browser cookies and exploit active social media sessions in order to pilfer sensitive information from the targeted individual's social media account.Threat Actors employ well-known file-sharing platforms like Dropbox, Google Drive, and Microsoft OneDrive as hosting platforms for their malware. Their primary strategy revolves around utilizing social engineering techniques to lure victims into downloading and running the malicious payload. The Ducktail trojan targets the following web browsers and captures victim sensitive details, which are then transmitted to the attacker's Telegram channel. Google Chrome Microsoft Edge Brave Browser Mozilla Firefox
KOBALOS
Description
Kobalos is a backdoor that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows and has been targeting high performance computing (HPC) clusters, among other high-profile targets. This usually propagates in the form of a trojanized OpenSSH(SSH credential stealer) client. Kobalos has the following features to access the compromised systems and hide the tracks of its usage Access to the compromised system → Generic commands to read from and write to the file system and spawn a terminal to execute arbitrary commands Reachability → Functionalities related to establishing network connectivity between the operators and the running Kobalos malware Authentication and network encryption → Clients must possess an RSA-512 private key and a password to authenticate Alternate port → Allows the operator to choose to continue the communication on another TCP connection using RC4 keys Proxying to other compromised machines → operators can use multiple Kobalos-compromised machines to reach their targets
CVE20214034
Description
CVE20214034 is a Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec. It's a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. Vulnerability once exploited, allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
KRAKEN
Description
Kraken is malware that enables threat actors to secretly gather sensitive data from various web browsers and applications from victims machines. Kraken has diverse functions enabling threat actors to execute commands, manipulate web content, disable system tasks, Command Prompt, Windows Registry, and terminate processes on infected systems.It adopts a common information stealing technique, primarily targeting and extracting login credentials from popular email clients such as Outlook, Foxmail, and Thunderbird. In addition, Kraken scans for FileZilla credentials, an FTP client utilized for file transfer, and facilitates exfiltration through various channels. It supports three specific methods for data transfer: FTP, SMTP, and Telegram Bot.
KONNI
Description
Konni is a remote access trojan (RAT) that can extract information and execute commands on infiltrated devices. It is capable of gaining initial access, delivering payloads, and establishing persistence within victims’ networks. Konni is a RAT discovered in 2014, potentially linked to North Korean APT, spreads through phishing emails or malicious MS Office files.This APT group remains active, continually developing the Konni RAT for further damage. The RAT has following capabilities: Keylogger clipboard stealer Browser profiles and cookies Process details
TROJANSPYKEYSTEAL
Description
The free tool that is used by threat actors in this case is called ResignTool, an application in macOS that is used mainly to change the signing information on .ipa files. The malicious actors see this as an avenue to steal information as the file is open-source. Following are the capabilities : Launch Daemon created for persistence routine Launch Agent created for persistence routine Requires victim to run the malware pkg file Uses chmod to modify dropped file execution privileges Uses xattr utility to remove quarantine attribute Steals keychain information
MICROBACKDOOR
Description
Microbackdoor is an open source backdoor malware which targets Windows OS. Microbackdoor gathers file lists, system information, network activities and sends those information to the attacker server. Also, the attacker via this backdoor can uninstall programs from victim machines and can execute shellcode.
ADLOADER
Description
AdLoader is an adware that generates revenue for their creators by displaying advertisements on users’ computers. AdLoad is distributed through various rogue installers of potentially unwanted applications (PUAs) and adware. It is capable of avoiding detection by built-in macOS security tools and a number of third party antivirus programs and other security suites of this type. The removal of AdLoad involves the cleanup of components such as launch agent, daemon, cron job files, and processes in "/var/root".
RUSTSCAN
Description
RustScan is a modern take on the port scanner. It can be used for bad purpose to find out the port for malicious purpose
MIMIPENGUINTOOL
Description
A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.
DOHTOOL
Description
DNS over HTTPS (DoH) is a protocol that encrypts DNS queries and transmitted over the HTTPS protocol, serving both legitimate purposes such as improved privacy, enhanced security, and bypassing censorship, as well as illegitimate ones like covert command and control communication, evading network monitoring, and data exfiltration. Its dual nature presents challenges in striking a balance between user privacy and security while countering potential misuse for malicious activities.
VEILEVASION
Description
Veil-Evasion is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. Veil-Evasion can turn an arbitrary script or piece of shellcode into an executable that will evade detections by common antivirus products.
ICEDID
Description
IcedID is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware. First seen in 2017, IcedID malware uses Man in the browser to steal banking credentials and intercept banking transactions. IcedID relies on web injects that can modify the banking web pages in the browser for the purpose of stealing data. It was mainly known to target banks across the United States, United Kingdom and Canada. IcedID is mainly delivered through malicious documents which arrive as attachments of spam emails. IcedID has similarities with other banking trojans which includes gozi, zeus. The variants of IcedID which were seen around 2020 were used as post exploitation tools and could download other malwares including ransomwares. IcedID has the following capabilities: 1. Can steal cookies in IE and Edge from the cookie files 2. Steals cookies from firefox and chrome Uses the following system commands to 1. net view /all 2. ipconfig /all 3. net group “Domain Admins” /domain 4. Systeminfo 5. net view /all /domain 6. nltest /domain_trusts /all_trusts 7. nltest /domain_trusts
CACHEDUMP
Description
Cachedump is a tool that extracts cached passwords from the windows registry which might be used by adversaries to carry out lateral movement. The tool is also available as a metasploit module. It can be used to dump active directory passwords, logon passwords and can be used by adversaries for lateral movement.
BISTROMATH
Description
Bistromath is an infostealer, which can steal data from victime machines like keylogger,webcam etc.The Lazarus Group is believed to be responsible for this malware, which is typically spread through spam emails containing a Microsoft Office attachment. Bistromath has the following capabilities: File and Process manipulation Exfiltration Control Service shell access Screenshot Capture Microphone Capture Webcam Control Keylogging Browser Credentials
SILVERSPARROW
Description
SilverSparrow is the first known macOS malware to include native code for Apple’s new M1 chips. Silver Sparrow is very likely an adware that has two versions – one that targets Intel-based Macs, and one that is built to infect both the older and M1-based devices. Most notably, it uses JavaScript for execution – a rarity in the macOS malware world. Once Silver Sparrow infects a system, the malware just waits for new commands from its operators.The operators of this malware sent out a silent “kill” command to cause the malware to delete itself.
MESSAGETAP
Description
MESSAGETAP is an ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files every 30 seconds.
The first file (parm.txt) is a file containing two lists:
1.a. imsiMap: This list contains International Mobile Subscriber Identity (IMSI) numbers. IMSI numbers identify subscribers on a cellular network.
1.b. phoneMap: The phoneMap list contains phone numbers.
2. The second file (keyword_parm.txt) is a list of keywords that is read into keywordVec.
The malware parses and extracts SMS message data from the network traffic as follows:
1. SMS message contents
2. The IMSI number
3. The source and destination phone numbers
The malware searches the SMS message contents for keywords from the keywordVec list, compares the IMSI number with numbers from the imsiMap list, and checks the extracted phone numbers with the numbers in the phoneMap list.
1. The malware searches the SMS message contents for keywords from the keywordVec list. If the SMS message text contains one of the keywordVec values, the contents are XORed and saved to a path with the following format:/etc/
ERBIUMSTEALER
Description
Erbiumstealer is an infostealer that can steal credential info, crypto wallet, etc from the victim system.It was first seen in July 2022. The stealer gathers following information from victim machines: System info (PC name, CPU, Disk, MAC, RAM,Windows license info and more) Password, cookies,history,autofill Wallet credential Screenshot FTP client Telegram
VIDAR
Description
Vidar is an information stealer that can steal banking information, saved browser passwords and login credentials. Vidar was first seen in 2018. Vidar is delivered through spam mails, keygens and cracked softwares. It downloads it’s configuration file from the CnC server and acts according to the configuration. The configuration gives a list of browsers which are targeted, what information to steal like cookies, wallets etc. It uses freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll to extract data from the system in order to steal it.
RYUK
Description
Ryuk is a Ransomware specially designed to target enterprises and is associated with the Wizard spider threat group. It was first seen in 2018. Ryuk Ransomware was mostly known to be downloaded from Trickbot or Emotet. The ransomware is known to use RSA 4096-bit key or AES-256 bits to encrypt files. The encrypted files are changed to extension “ryk”. Ryuk avoid encrypting executables, links. The files with the following extensions dll, lnk, hrmlog, ini, or exe are not encrypted by Ryuk. It also does not encrypt system critical directories like System32, Directories where browsers are installed and Recycle Bin. Ryuk uses various VSSAdmin commands to delete the shadow copy backups: 1. vssadmin Delete Shadows /all /quiet 2. vssadmin resize shadowstorage 3. vssadmin resize shadowstorage Ryuk also uses the following WMI commands to delete backups: Cmd:exe /c WMIC:exe shadowcopy delete Ryuk uses HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun for persistence. Ryuk drops a copy of PsExec to the system which it uses for lateral movement. Ryuk uses icacls to give full permission to C: and D: drives so that it can encrypt all files.
SATDOS
Description
Satdos is a linux malware which performs various types of DDOS attacks like UDP, Syn,TCP. Satdos tries to disable firewalls installed in the user’s system and tries to alter firewall rules. Satdos also checks for cpu info as a defense evasion mechanism.
DUMPINGLSASS
Description
DumpingLSASS is an open source tool for dumping credentials from LSASS. The tool contains anti-debug and anti-vm techniques. It dumps LSASS by unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk. This code doesn't bypass RunAsPPL but tries to evade antivirus and EDR.
KUBISCAN
Description
KubiScan is a tool that aids cluster administrators in identifying exploitable permissions that attackers could use to compromise Kubernetes clusters. It is particularly useful in large environments with numerous permissions that are difficult to manage. By collecting data on risky roles, clusterroles, rolebindings, clusterrolebindings, users, and pods, KubiScan automates traditionally manual processes, providing administrators with the visibility needed to mitigate risks effectively.
SSHHACKTOOL
Description
SSH HackTool is a HackTool that targets the SSH protocol. HackTool is a different kind of Riskware that is not malicious by nature but can be used by Threat Actors to do activities like unauthorized access, fetch system, and network-related information.
RBOT
Description
Rbot is a remote administration tool, enabling unauthorized access and control of a computer over a network or the Internet, often without the user's awareness or consent, when employed for malicious purposes. The Trojans, operated through IRC, perform various tasks such as monitoring networks for valuable data packets (e.g., FTP and e-payment passwords), scanning for unpatched vulnerabilities in common services, conducting DoS attacks, initiating SOCKS and HTTP servers on compromised machines, and providing detailed information about victim machines, including passwords for computer games, to the program user.
CALLME
Description
CallMe is a malware based on a publicly available tool called Tiny shell and designed to run on Apple OSX. This Trojan was delivered in targeted attacks on Uyghur activists
The Trojan uses AES to encrypt the communication channel of the C2 server, which will provide one of three commands to carry out activities on the compromised system.
1. Get a file from the system and upload it to the C2 server.
2. Put a file on the system from the C2 server. File is saved to a specified filename in
GOTROJ
Description
GOTROJ is a Golang-written RAT that can perform tasks like running arbitrary commands, listing processes, collecting system data, and establishing persistence by installing a service.Threat actors have utilized this tool to extract system information from compromised machines.
QWIXXRAT
Description
QwixxRAT is a trojan designed to extract browser cookies, histories, credit card information and capture keylogger activities from targeted devices.This C# compiled binary RAT collects data and transmits it via the attacker's Telegram channel. QwixxRAT has following capabilities: Screenshot Webcam snap keylogger Browser data System info FTP details
BANDITSTEALER
Description
Bandit stealer trojan retrieves browser and crypto wallet credentials from the victim's device and transmits them via a Telegram channel. Bandit stealer has the following capabilities: This malware can steal following information from victims machine System details Credit card information Browser information Crypto wallet information
WINDAPSEARCHTOOL
Description
WindapsearchTool is a Python script designed to assist in enumerating users, groups, and computers in a Windows domain by utilizing LDAP queries.Windows Domain Controllers typically support basic LDAP operations on port 389/tcp. With any valid domain account, regardless of privileges, it is possible to perform LDAP queries against a domain controller to retrieve Active Directory-related information.This tool can be used for various purposes, such as system administration, security assessments, or gathering information about the Active Directory infrastructure in a Windows domain
REVSOCKSTOOL
Description
A RevsocksTool is a networking tool or software that enables you to establish a connection from a remote server or machine back to your local network through socks5 tunneler with SSL/TLS and proxy support.This can be useful for various purposes, such as bypassing network restrictions, accessing resources on a private network, or maintaining a secure connection to your local network from a remote location.
NETWIRE
Description
NetWire is a multiplatform Remote Administration Tool (RAT) primarily focused on password stealing and has been exclusively used by criminal and APT groups. NetWire RAT is a widely used off-the-shelf malware used by cybercriminals groups and Business Email Compromise (BEC) scammers. This includes features such as stealing credentials, recording audio, screen capture, and keystroke logging, among others. Keylog files are stored on the infected machine in an obfuscated form. Cyber criminals use NetWire as a keylogger, which can capture inputs from USB card readers and other peripheral devices. It also records key presses to steal credentials for online accounts and various applications such as email, web browsers, and so on. Recorded logins and passwords are used to steal account details and make purchases, transactions, send scam emails to other people in attempts to extort money, and so on. Recorded keystrokes might also include data/information such as telephone numbers, addresses, Social Security numbers, and other details that could be misused to steal the victim's identity. Additionally, cyber criminals use NetWire to steal payment card data, which can be used to make fraudulent purchases, or is sold to other parties who also misuse the data to make purchases.
NLTEST
Description
NlTest is a command line utility for windows that can be used by adversaries to list domain controllers and enumerate domain trusts. It is associated with the wizard spider threat group. The following nltest commands can be used by attackers: 1. nltest /domain_trusts - domain trust discovery 2. Nltest /dclist - Nltest may be used to enumerate remote domain controllers using options 3. Nltest /dsgetdc - Nltest may be used to enumerate remote domain controllers using options 4. nltest /parentdomain - enumerate parent domain of local machine
STARSYPOUND
Description
Starsypound is a toolkit used by APT1 group that provides an interactive remote shell to the victim. Once activated, the malware sends "*(SY)#
CROATIARAT
Description
CroatiaRAT is a remote access trojan designed to extract system information from an infected computer.The attacker obtained the CPU identification number, serial number, and process identification number.
EXARAMEL
Description
Exaramal is a cross platform backdoor that can run on windows and linux. Exaramal is known to be associated with the Sandworm attack group. Exaramal tries to identify debugging tools which can be used by malware analysts in the system. Exaramal Windows version stores configuration required by the malware in the registry in XML format. The configuration stores information about files related to the malware, CnC server etc. Exaramal on windows is capable of 1. Executing VB Script files 2. Execute shell commands 3. Create files on the victim machine 4. Starts a service wsmprovav with the description "Windows Check AV" to masquerade as a legitimate service. 5. Exfiltration is done in phases using Exaramal along with mimikatz, CredRaptor. The linux version of Exaramal is coded in GO programming language. It is capable of the following: 1. Uses HTTPS for CnC communication 2. Can execute shell commands on victim machine 3. Has commands to download from remote server 4. Has hardcoded locations under systemd to achieve persistence
UNIXPRIVESCCHECKTOOL
Description
Unix-privesc-checker is a shell script designed for Unix systems,identifying misconfigurations that may allow local users to escalate privileges or access local applications. It checks file permissions and settings, focusing on writable home directories, readable /etc/shadow, weak permissions on cron jobs, writable configuration and device files, readable files in home directories, and more. The script, intended for security auditors, system administrators, and penetration testers, emphasizes the need for legal authorization. While comprehensive, it has limitations, and users are encouraged to perform manual audits for a thorough assessment.
RUSTDESKTOOL
Description
RustDeskTool is a legitimate remote desktop application built in Rust language and its exploited by threat actors to surveil target machines. Requiring no configuration, RustDesk is an open-source tool that can be utilized as a remote desktop application.RustDesk offers the flexibility of relay server options.
STOWAWAY
Description
Stowaway is a multi-level proxy tool written in Go language and designed for penetration testers. Users can use this program to proxy external traffic to the intranet through multiple nodes, break through the intranet access restrictions, construct a tree-like node network, and easily implement management functions
APPLEJEUS
Description
AppleJeus is a malware designed to operate and appear as legitimate crypto trading software, targeting victims who seek to trade cryptocurrencies. They are backdoored cryptocurrency apps associated with a group named “Hidden Cobra”. In most instances, the malicious application is seen on both Windows and Mac operating systems appearing to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate. In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.
STEALTHWORKER
Description
StealthWorker is a brute-force malware that mainly targets popular web services and platforms like Wordpress, Drupal, Jumla. Some other features of StealthWorker malware: Mainly targets web services like Wordpress,Drupal,Jumla,PostgreSQL. Searches for login paths also.
NUCLEITOOL
Description
NucleiTool is a fast and customizable vulnerability scanner that operates based on a simple YAML-based Domain-Specific Language (DSL). It is designed for security engineers and developers to efficiently scan and identify vulnerabilities across a large number of hosts while minimizing false positives.
PENGUINTURLA
Description
Turla, a well-established collective, is one of the most advanced APTs in the world that is mostly known for developing advanced techniques to infiltrate networks and avoid detection. They tend to target different sectors, such as government, defense, and education sectors around the Globe. PenguinTurla is a backdoor that sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers able to run arbitrary commands even though it requires no elevated system privileges. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management.
GREENLAMBERT
Description
Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). Gray Lambert is the most recent tool in the Lamberts’ arsenal. It is a network-driven backdoor. Before deploying malware to a target, the Longhorn group will preconfigure it with what appears to be target-specific code words and distinct C&C domains and IP addresses for communications back to the attackers
REDLINESTEALER
Description
Redline Stealer is an infostealer that is capable of stealing browser credentials, saved autofill information in browser forms, and cryptocurrency wallets. Here are some more capabilities: -Steal saved credentials in FTP clients -Steal credentials from Instant Messengers like Telegram -Collect system information and infiltrate it to the attacker -Can upload and download files to and from victim -Execute arbitrary commands on victim machine -Can steal cryptocurrency information from wallet.dat and chrome extensions. BraveWallet, GuardaWallet, BitAppWallet, MathWallet are some of Chrome extensions that are targeted by the stealer.
ZMAP
Description
Zmap is a network scanning tool which is capable of scanning the IP addresses at a very high speed. ZMap operates on GNU/Linux, Mac OS, and BSD. ZMap currently has fully implemented probe modules for TCP SYN scans, ICMP, DNS queries, UPnP, BACNET, and can send a large number of UDP probes.
BLACKCAT RANSOMWARE
Description
Blackcat ransomware also known as ALPHV targets ESXi servers to encrypt sensitive PC data. BlackCat is one of the first ransomware written in the Rust programming language and operates under a ransomware-as-a-service (RaaS) model. BlackCat can target and encrypt Windows and Linux devices and VMWare instances.
REMOTEADMIN
Description
RemoteAdministration also known as Radmin is a tool used to gain admin access on a remote target machine. Some of the groups like Belarusian Cyber-Partisans have used this tool. The tool is known to use a named pipe .pipeRemCom_communicaton.
FATALRAT
Description
FatalRAT is a trojan that can intercept keystrokes, alter screen resolution, download/run files, execute shell commands, and steal/delete browser data.Threat Actors distribute their malware by creating counterfeit websites that resemble popular applications such as Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office. The malware obtains data from a compromised computer and transmits it to the command-and-control (C&C) center, which includes the victim's external IP address, username, and other relevant information.
BUNNYLOADER
Description
BunnyLoader is a Malware-as-a-Service (MaaS) threat that steals sensitive data from infected systems. It logs keystrokes, monitors the clipboard for cryptocurrency wallet addresses, and transmits stolen data to a command-and-control server.
DNSCAT
Description
DNScat is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol. The client is designed to be run on a compromised machine. It's written in C and has the minimum possible dependencies. When the client is run, typically the domain name is specified. All requests will be sent to the local DNS server, which are then redirected to the authoritative DNS server for that domain.
GREENSTONE
Description
Green stone is a stealer that targets Windows PCs. This bot was observed in july 2022. It gets delivered via doc,docx file. Once successfully installed in the victim machine, first it checks the internet connectivity, after that it collects system information and takes a screenshot of the victim system. Later it sends those to attacker server.
CLOUDDUKE
Description
CloudDuke is a trojan which can utilize a multidropper technique to infect its intended victims.The perpetrator is utilizing spear-phishing emails that contain a self-extracting archive attachment disguised as a voicemail, as a means to carry out their attack. The CloudDuke second stage dropper, upon completing its operation successfully, utilizes Onedrive cloud storage as a means to obtain a payload
WATCHDOG
Description
WatchDog, taken from the name of a Linux daemon called watchdogd is a miner composed of a three-part Go Language binary set and a bash or PowerShell script file. The binaries perform specific functionality, The first binary emulates the Linux watchdogd daemon functionality by ensuring that the mining process does not hang, overload or terminate unexpectedly. The second Go binary downloads a configurable list of IP addresses net ranges before providing the functionality of targeted exploitation operations of identified NIX or Windows systems discovered during the scanning operation. The third Go binary script will initiate a mining operation on either Windows or NIX operating systems (OS) using custom configurations from the initiated bash or PowerShell script. WatchDog’s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries, i.e. Windows and NIX, as long as the Go Language platform is installed on the target system.
PWDUMPX
Description
PWDumpX is a password and Hash dumping toolIt has the capability to dump passwords even from remote hosts. Adversaries can use the tool for lateral movement. Below command shows the usage of PWDumpX.
Usage: PWDumpX [-clph]
BELLARAT
Description
BellaRAT is a post-exploitation data mining tool and remote administration tool for macOS. It functions as a SSL/TLS encrypted reverse shell that can be dropped on any system running macOS. BellaRAT offers the following features - Pseudo-TTY - emulates an SSH instance - Auto installer - a persistent reverse shell in a hidden location on the hard drive, undetectable by anti-viruses. - Upload / Download any file[s] - Reverse VNC Connection. - Stream and save the computer's microphone input. - Login / keychain password phishing through system prompt. - Apple ID password phishing through iTunes prompt. - iCloud Token Extraction. - Accessing all iCloud services of the user through extracted tokens or passwords. - Google Chrome Password Extraction. - Chrome and Safari History Extraction. - Auto Keychain decryption upon discovery of kc password. - macOS Chat History. - iTunes iOS Backup enumeration.
DYRE
Description
Dyre is a banking trojan first seen in 2014 which has capabilities of Remote Access Tool(RAT) as well as credential stealing from browsers. It can steal credentials by hooking into browsers and can bypass Man in the Middle Attack(MITM). Drye implements MITM attack by hooking into browsers and using a technique called form grabbing. The malware which has hooked into the browser can send credentials and other information related to a banking transaction to the attacker when the victim is carrying a banking transaction. The malware can even alter the web page of the bank in the browser and insert fake fields like ATM pin into the page. When the victim inputs the information into these fake fields and submits the web page the information goes to the attacker. Dyre targets specific banks. This information basically includes information about the structure of the web page which includes forms and fields in the web page. The trojan stores this information in a configuration file which can be updated from the CnC server.
EDRSANDBLAST
Description
EDRSandBlast is a C compiled hacktool which could be used to bypass EDR Detection and LSASS protections. This tool helps to get credential dumps of LSASS. The threat actors could abuse this tool and gain required details from the victim machines.
GULOADER
Description
Guloader is a vb compiled trojan which could be used to download other malware. This malware spreads through spam mail with MSoffice attachment or Archive formats. Threat actor first verified running environment is not a virtual or debug environment, after that Guloader starts to download other c# compiled binary like Agenttesla,FormBook,NanoCore and more.
SHARPUP
Description
Sharpup is a C# program which could be used to find vulnerability in the victim system. Sharpup will test vulnerability checks in victim machines either in the administrator’s group or non admin group. The following vulnerability check and permission access are available in sharpup: AlwaysInstallElevated CachedGPPPassword DomainGPPPassword HijackablePaths McAfeeSitelistFiles ModifiableScheduledTask ModifiableServiceBinaries ModifiableServiceRegistryKeys ModifiableServices ProcessDLLHijack RegistryAutoLogons RegistryAutoruns TokenPrivileges UnattendedInstallFiles UnquotedServicePath
MQSTTANGBACKDOOR
Description
MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine. MQsTTang communicates with its C&C server over the MQTT protocol. This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. The Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year, and it appears to be targeting political and governmental organizations in Taiwan, Australia, Europe, and Asia. Mustang Panda is an advanced persistent threat (APT) group known to target organizations worldwide in data theft attacks using customized versions of the PlugX malware. Malware has the following capabilities: Attacked NGOs, religious institutions. Targeting political and governmental organizations
FIRESEARCH
Description
FireSearch is a browser hijacker that will change your browser search engine. Upon installation, the installer modifies the search page and redirects the search queries to websites that are filled with web links and promotions. The adware also gathers data from the victim machine for monetization purposes and sharing with third parties.
FICKERSTEALER
Description
FickerStealer is an infostealer that can steal credentials stored in browsers, FTP clients and Cryptocurrency wallets. Ficker is delivered to the victim machines using phishing emails with macros. It is also spread from cracks and keygens. The malware is also targeted towards certain countries and does not execute if it finds the country code in the computer related to Russia, Ukraine, Kazakhstan, Uzbekistan, Armenia, Belarus, Azerbaijan. It can steal the following information: -Winscp passwords -Putty passwords -Browser passwords -Browser history -Messenger credentials -Bitcoin wallet information
SHARPIMPLANTTOOL
Description
The goal of Nuages is to be a C2 framework where users must create handlers and implants on-the-fly and the back end pieces are open source. Because of this, it only offers an open source framework for creating and managing suitable implants that can make use of all the previously created back-end resources rather than a method for actually creating implants. Nuages abstracts the various layers so that the implemented payloads are unaffected by the handlers or implants that transport them. There are more number of implants are used to execute over the client/victim machine.
SKIBIDI
Description
The Skibidi malware exploits CVE-2023-1389 in TP-Link Archer AX21 and CVE-2024-21887 in Ivanti Connect Secure to infiltrate networks where it targets various Linux architectures,the malware then connects to a C2 server, listening for file events and sending results back to the attacker. Its execution is marked by displaying the string you're not skibidi enough and decoding XOR-encoded strings.It evades detection by using techniques like ptrace and prctl to manipulate processes.https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services
STAGER
Description
Stager is a Sidecopy APT Golang-based linux malware that is masqueraded as a PDF which downloads the decoy to the target directory “/.local/share” and opens it,also downloads the Ares RAT agent as “/.local/share/updates” and executes it.Create a crontab to maintain persistence through system reboot under the current username.
MOZI
Description
Mozi is a malware that evolved from the source code of several known malware families and attacks IoT devices. The Mozi malware family is evolved from the source code of several known malware families – Gafgyt, Mirai and IoT Reaper – that have been brought together to form a peer-to-peer (P2P) botnet capable of DDoS attacks, data exfiltration and command or payload execution. Mozi attacks IoT devices – predominantly routers and DVRs that are either unpatched or have weak telnet passwords. The main instructions include: 1. DDoS attack 2. Collecting Bot Information 3. Execute the payload of the specified URL 4. Update the sample from the specified URL 5. Execute system or custom commands
LUCASTEALER
Description
Luca stealer targets multiple Chromium-based browsers, chat applications, crypto wallets, and gaming applications and has the added functionality of stealing victims’ files. This malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers. This malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. Malware has the following capabilities: Stolen passwords and banking information Capture screenshots Steal Discord tokens
RHADAMANTHYSSTEALER
Description
Rhadamanthys Stealer is a malware that is designed to steal sensitive information from infected devices. It is written in the C++ programming language and was first detected in August 2022. When installed on a device, it can gather information such as registry data, computer system details, and browser data, and send this information to a command and control server controlled by the attacker. This type of malware, known as an info stealer, is typically used for cyber espionage and identity theft. This trojan steals the following information from the victims machine Browser Credentials Crypto credentials Cookies Email clients Geoip
LOKI
Description
Loki is an infostealer that was first seen in 2016 and is capable of stealing credentials, disabling notifications, data exfiltration and MITM attack. Loki also had ransomware capabilities in the 2017 variant. Loki was spread using phishing and spam emails especially targeting corporates. Lokibot has the following capabilities: -Steal credentials from password stores and web browsers -Exfiltrate stolen data -Copy itself to a hidden file and directory -Keylogging -Base64 encoded strings for obfuscation -Use of packing methods for obfuscation -Process hollowing -System information discovery -System network configuration discovery -System user discovery
OCTOPUSC2
Description
Octopus C2 is a Python-based open-source pre-operation command and control (C2) server and it facilitates control of an Octopus PowerShell agent via HTTP/S for discreet information gathering before red team engagements. Octopus ensures stealthiness using AES-256 encrypted channels, supporting features like system command execution, file operations, and endpoint situational awareness. The framework accommodates custom listeners, diverse payloads, and operates on various Windows versions with PowerShell 2.0 and higher.
ENUMERATEDOMAINDATA
Description
EnumerateDomainData is a C# compiled binary program similar to PowerView that extracts domain and system information from a target systems. The PowerView is a PowerShell utility that enables obtaining network situational awareness of Windows domains. EnumerateDomainData (EDD) was created by consolidating various implementations of functionalities from diverse projects, thereby assembling the tool using different existing resources. EDD has following capabilities: Forest/Domain Information Computer Information User Information
VENOMRAT
Description
VenomRAT is utilized for achieving complete access and remote manipulation of a target's computer system, which encompasses controlling the mouse and keyboard, accessing files, and utilizing network resources, among other functionalities. This RAT is responsible for gathering sensitive information from targeted individuals, including passwords, browsing history, autofill data, bookmarks, and cookies from multiple web browsers. This data is then transmitted to the attacker's command and control (C&C) server. VenomRAT has following capabilities: Remote Keylogger Downloading and executing binary Retrieve system information Controlling File manager, Task manager, and Registry editor Executing remote Shell commands Monitoring TCP connection Disabling Windows Defender
ORIONSTEALER
Description
Orion is an information stealer. It steals credentials, information in cryptocurrency wallets, credit card information. Orion is the name of a malicious tool classified as Stealer that can steal confidential information such as keystrokes, screenshots, and login details of cryptocurrency wallets and also disabled security tools and system utility. . Malware has the following capabilities: Gathering information Capture screenshots Credentials of crypto wallet. Disable security tools. Desktop & Webcam screenshot Take Wifi and PC info.
EMOTET
Description
Emotet is a banking trojan first seen in 2014 which can steal credentials stored in browsers and other data. It is known to spread through spam emails with malicious links or macro based word document attachments. Emotet has the following capabilities: 1. Download and execute other malware which may include ransomwares and banking trojans 2. Can steal passwords from browsers email clients using legitimate softwares like nirsoft Mail passview 3. Can steal network passwords using legitimate softwares like nirsoft 4. Network Password Recovery 4. Steal email headers and body and use them in phishing emails 5. Send phishing campaigns from compromised hosts 6. Carry out lateral movement using SMB Emotet employs several ent-analysis and anti-detection techniques as listed below: 1. Use polymorphic packers 2. Anti-VM techniques 3. Encrypted CnC
DJVU RANSOMWARE
Description
Djvu is a ransomware to encrypt sensitive data in the victim machines. This malware was first identified in 2018. This malware spreads via unwanted third party applications like windows update or activator, keygen, fake application setup. The malware contains file extensions and filenames exclude them for avoiding infection.
BUTERAT
Description
Buterat malware suffers from an insecure permissions issue leading to an escalation of privileges vulnerability Due to granting insecure permissions, this threat can lead to escalation of privileges, thus giving a malicious hacker unauthorized access and control of the affected PCs of the network. This malware commonly includes establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes. Malware has the following capabilities: Attempts to modify proxy settings Harvests cookies for information gathering Blocking the launching of :exe files of anti-malware programs
ZIGGY
Description
Ziggy is a Golang malware that contains AES encrypted IRC bot. The IRC bot is also capable of doing DDOS attacks. The IRC bot gets decrypted during runtime. Ziggy malware was known to be used by TEAMTNT group - A group of attackers which targets misconfigured Docker environments and systems.
FINFISHER
Description
FinFisher tools for tactical intelligence gathering, strategic intelligence gathering, and deployment methods and exploitation. The FinSpy tool was written with multiple capabilities in mind, with everything from keylogger, audio recording, camera and screenshot tools to a remote access shell, file enumeration and exfiltration functions. Following are the capabilities of malware : -Turn on the microphone and record or transmit everything it hears. -Record or transmit in real time everything the user types on the keyboard. -Turn on the camera and record or transmit images. -Take screenshots or capture a section of the screen the user clicks. -Steal e-mails from the Thunderbird, Outlook, Apple Mail. -Intercept contacts, chats, calls, and files in Skype.
SAKULA
Description
Sakula is a trojan distributed through compromised websites exploiting a zero-day vulnerability in Internet Explorer, empowers adversaries to execute interactive commands and download/execute additional components. Sakula has following Capabilities: Download and execute payload Invoke remote shell upload file path uninstall application change c2
HUCPORTSCANNER
Description
HUC Port scanner is a port scanning tool used for reconnaissance purposes by attackers
BIFROSTTOOL
Description
Bifrost is an Objective-C project specifically designed for macOS, intended to facilitate interaction with the Heimdal krb5 APIs where its primary objective is to enhance security testing related to Kerberos on macOS devices by leveraging native APIs, without the need for additional frameworks or packages on the target system.The project is organized as a static library, which can be altered to a dylib if necessary. To demonstrate the functionality of the Bifrost library, there's also a simple console project called "bifrostconsole" that utilizes the Bifrost library.
SHARPZEROLOGON
Description
SharpZeroLogon is a hacking tool that exploits a cryptographic flaw in Netlogon to bypass authentication and potentially compromise a Domain Controller's Domain Admin privileges by resetting its machine account. This code is written in C# and is accessible within a GitHub project. Threat actors utilize this tool to exploit vulnerabilities and gain unauthorized access to victim machines.
GOMIR
Description
Gomir is a backdoor that communicates with its C&C server through periodic HTTP POST requests containing a unique infection ID and it supports 17 commands for activities such as executing shell commands, changing directories, collecting system information, and exfiltrating files. It uses a custom encryption algorithm for command communication. Additionally, Gomir can act as a reverse proxy, allowing remote attackers to access network endpoints on the infected machine.
LOCKSMITHTOOL
Description
LockSmith is an Objective-C CLI tool for interacting with the macOS file-based Keychains through native APIs. The tool accepts various arguments, including account, label, keyClass (default: genp), debug, force, validate, partitionID, and popups. These arguments enable specific search criteria and additional functionalities, such as decrypting entries, validating trusted applications, and handling popups.
TROJANDOWNLOADER
Description
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files. A trojan-downloader is a type of trojan that installs itself to the system and waits until an Internet connection becomes available to connect to a remote server or website in order to download additional programs (usually malware
VSINGLE
Description
VSingle malware accesses GitHub to obtain new C2 servers. VSingle has three hard-coded C2 servers. The first communication sends the uid containing a hashed value of the hostname, kernel release number, and an octet of IP address combined. The data sent by the C2 server in response to the request will be stored in a directory.
IPSTORM
Description
IPStorm spreads itself by conducting dictionary-based, brute-force password guessing attacks against SSH servers, and also by accessing open Android Debug Bridge (ADB) ports. To ensure the malware can connect to the p2p network, it adds a rule to the firewall. For the networking part, the malware uses “libp2p”. The underlying protocol used by the library is “protobuf”. The malware uses the PubSub functionality provided by the project. It uses two topics: “info” and “cmd”. To find other peers, it uses libp2p’s support for distributed hash tables (DHT). The new bot uses a hardcoded string to advertise its presence and to find other peers. The malware has support for downloading and uploading files. It is performed by sending the content over the PubSub network. Each bot in the network serves its executable file and the threat actor uses this method to distribute newer versions of the bot. It also has a “reverse shell” (called “backshell” by the author) functionality.
TROLLATOOL
Description
Troll-A is a command-line tool designed for extracting secrets like passwords, API keys, and tokens from WARC (Web ARChive) files. It employs the Gitleaks ruleset to detect 166 types of secrets, ensuring comprehensive scanning. With concurrent processing and optimized regular expressions, it delivers high performance, handling a Common Crawl archive swiftly. Troll-A is distributed as prebuilt binaries, a Docker image, or in source form for versatile deployment.
CARETO
Description
Careto is a toolset used by the attackers to intercept communication channels and collects the most vital information from the infected system. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high. Careto is a highly modular system; it supports plugins and configuration files which allow it to perform a large number of functions. The key capabilities include 1. Stealth rootkit to hide its files and network traffic 2. Sophisticated information-gathering tools to enumerate hardware and software configurations 3. User account information stealing 4. PGP key theft 5. Uploading of user files 6. Downloading of new and updated malware The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.
ISRSTEALER
Description
ISRStealer is a VB-written variant derived from Hackhound Stealer, is commonly packaged in a .NET-wrapper. ISR Stealer, a keystroke logging program, captures all keyboard inputs, compromising sensitive data like logins, passwords, and personal information. Threat Actors leverage this to hijack accounts, conduct fraudulent transactions, spread spam, and perpetrate identity theft, leading to severe consequences such as financial loss and privacy breaches. If unintentionally installed, prompt removal is crucial to prevent potential harm.
BLACKMOON
Description
Blackmoon is a banking trojan that steals sensitive information from the target machine. This trojan spreads through spam mail or exploit kit or via third party software. The malware was first identified in 2014. This trojan redirects to the phishing site of the bank login page and steals credential data entered by the victim on the page. BlackMoon has the following capabilities: Victim IP addresses MAC addresses operating systems details Geolocations Infection machine timestamps
LIGOLONG
Description
Ligolo-ng is a tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface. Ligolo-ng is a tool that can be used to establish tunnels using reverse TCP/TLS connections directly over the tun interface. This tool is useful as it does not require the use of SOCKS proxies (and therefore does not require modifications to proxychains configurations like many other tools or pivoting techniques do). By running a Ligolo-ng agent on the remote machine, a connection can be made back to the attacker Kali machine and a tunnel is established.
KRASUERAT
Description
Krasue RAT is a Linux Remote Access Trojan targeting organisations in Thailand since 2021 and is known for its stealthy behavior where it features embedded rootkits, uses RTSP messages for communication, and is likely deployed in later stages of cyber attacks, posing a significant threat to critical systems. The malware's origins are linked to the XorDdos Linux Trojan, indicating potential shared authorship or source code access.
ALMONDRAT
Description
Almond RAT is a C# based RAT that is used by threat actors to monitor and access computers remotely. Bitter Rat is delivered through Spam mail with MS office file attachment. The final payload is deployed by the Bitter rat which is Almond RAT. The Almond RAT malware was first seen in May 2022. Almond RAT has the following capabilities: System discovery Data exfiltration Information gathering Persistence
DRAGON CASTLE
Description
The APT campaign Operation Dragon Castling is targeting what appears to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. It drops MulCom backdoor in its operations and also utilize zero days vulnerabilities to exploit victim machine.
SHARPNOPSEXEC
Description
SharpNoPSExec is an open source tool that selects a service randomly, which is either disabled or manually started.This tool, coded in C# is a compiled program inspired by PSExec, capable of lateral movement without disk access or service creation, in order to evade detection.
ANCHORDNS
Description
Anchor_DNS is a specific tool or module within the Trickbot toolkit that facilitates communication between infected machines and the command and control (C2) servers using DNS queries.. The AnchorDNS tool operates by creating DNS queries that encode information about the infected host, such as the Linux version, public IP address, and a payload. These queries are sent to the C2 servers, which then respond with encoded information that the malware can decode and process. This communication method allows the malware to avoid direct IP-based detection and tracing, making it more challenging for security measures to intercept the communication.Anchor_DNS is part of the broader strategy employed by the Trickbot malware family to establish persistence, gather information, and potentially deliver additional payloads for malicious activities. The information you've provided in your previous messages outlines the behavior and characteristics of this malware module in detail. It's essential for organizations to be aware of such threats and take appropriate measures to protect their systems and networks against Trickbot and its various components.
ZARAZASTEALER
Description
Zaraza stealer is a credential stealer that is capable of stealing credentials from web browsers.The attackers were able to extract site/domain names and credentials from various popular browsers installed on the victims' machines. Additionally, they regularly sent screenshots of the victim's machine to the attackers through a Telegram channel.
OSF
Description
Linux OSF is a virus which infects elf executables in the current working directory and /bin directory. It also creates a backdoor in the victim PC. This virus adds malicious code to the legit ELFs in the victim system. If this virus gets executed with high privilege, it targets ELFs in /bin directory. Another feature of this virus is that it checks for system uptime and if uptime is less than 5 minutes it stops its execution as a defense evasive mechanism from test machines.
KURAYSTEALER
Description
KurayStealer is a malware capable of stealing credentials and sending it over to a discord channel via websockets. The builder is written in python which is capable of harvesting the passwords and screenshots and sends it over to the attackers discord channel via webhooks. Based on the free or vip user and the input of the webhook, the builder drops a file named DualMTS.py, DualMTS_VIP.py in the machine. DualMTS.py attempts replace the string “api/webhooks” with “Kisses” in betterdiscord in an attempt to bypass the protection and send webhooks seamlessly. The file DualMTS.py then attempts to take the screenshot of the machine using the python module ‘pyautogui’. Alongside this, it also takes the geo-location of the machine. It also harvests the passwords and tokens from a list of browsers and applications. The harvested computername, geo-location, ipaddress, credentials and the screenshot of the victim machine is sent over to the discord channel via webhooks
NERBIANRAT
Description
Nerbian RAT is a remote access Trojan(RAT) which has configuration settings in it’s binary and is capable of keystroke looking, screen capture etc. The RAT uses lot of open source codes to implement it’s functionality. Here is a list. -github.com/lxn/win -github.com/go-ole/go-ole -github.com/StackExchange/wmi -github.com/digitalocean/go-smbios/smbios -github.com/AllenDang/w32.init - github.com/kbinani/screenshot/ It carries out it’s CnC functionality using SSL.
WARZONE RAT
Description
Warzone RAT is a Remote Access tool developed in C++. The RAT has a wide range of capabilities which includes keylogging, Remote Desktop, webcam capture, live and offline keylogger. The latest version of warzone can bypass User Access Control(UAC) even on the latest version of Windows 10 and is armed with capabilities to bypass Windows Defender Antivirus. WarzoneRAT has been observed to be used as a stage payload in APT attacks carried out by some of the APT groups. The authors of the RAT rent out the malware. Here are the features listed by the malware authors on their website. 1. Native, independent stub 2. Remote Desktop 3. Hidden Remote Desktop - HRDP 4. Privilege Escalation - UAC Bypass 5. Remote WebCam 6. Password Recovery 7. File Manager 8. Download & Execute 9. Live Keylogger 10. Offline Keylogger 11. Remote Shell 12. Process Manager 13. Reverse Proxy 14. Automatic Tasks 15. Mass Execute 16. Smart Updater 17. HRDP WAN Direct Connection 18. Persistence 19. Windows Defender Bypass The RAT is sold in different flavors which include RAT poison, custom cryptors and is also sold with silent doc and excel exploit.
MINTLUKS
Description
Mintluks is a trojan designed to steal sensitive personal information, including usernames and passwords, and then transmit the pilfered data to an unauthorized hacker. Mintluks has following capabilities: Send the captured information to an email address specified by the user. Steal passwords from browsers (Chrome,Firefox,Filezilla,IMVU,Steam). Access files
RUDEMINER
Description
RudeMiner is a cryptominer which infects a device's physical resources to mine digital currency. Additionally, the malware also ensures persistence via manipulating the rc.local file in the system.
PANDORAHVNC
Description
Pandora Hidden Virtual Network(HVNC) is a tool used against Ukraine as a Remote Access Tool(RAT). It has the following features as described on it’s website: -Hidden Access to victim machine -Hidden Desktop -hidden browser -hidden startup -hidden applications -hidden powershell
LEMURLOOT
Description
Lemurloot is a C# web shell designed for the MOVEit Transfer platform, enabling authentication with a predefined password and executing commands for downloading files, extracting Azure system settings, and retrieving detailed record information. Organizations are facing ongoing attacks where Threat actor are exploiting a newly discovered vulnerability, known as CVE-2023-34362, in the MOVEit Transfer file transfer software. MOVEit Transfer, developed by Ipswitch (a subsidiary of Progress Software Corporation), is a managed file transfer (MFT) solution that ensures secure file transfers between businesses, partners, and customers through protocols such as SFTP, SCP, and HTTP-based uploads. These attacks aim to steal sensitive data from targeted entities.
AUTORUN
Description
This is an infector that modifies systems to a significant degree. Virus:Win32/Autorun.NE drops a virus copy as HelpMe:exe when it is executed. The virus spreads by making a copy of itself in the root of every drive as "AutoRun:exe" and maintaining persistence by altering the winlogon entry registry. It also makes a link leading to the dropped copy of "HelpMe:exe" into the Windows starting folder as soft.lnk. Next, the virus creates a "autorun.inf" autorun configuration file that points to "AutoRun:exe". The infection is started automatically when the drive is accessed from a computer that has the Autorun feature enabled. All Windows files, even those that cannot be executed, are infected. For example, files with the following extensions were found to be infected by this virus: exe, txt, inf, ini, bat, sys, url, and lnk. Extensions are concealed.
JANICAB
Description
Janicab is the oldest malware family being used by Deathstalker. The malware is written in Python and it uses py2app for distribution This malware persists a python script as a cron job. 1.Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'. 2.Appends its new job to this file. 3.Once the new cron job has been added 'python (~/.t/runner.pyc)' runs every minute.
PYBOT
Description
PYbot is a basic open source denial of service botnet system written in Python 3, consists of a connect and control server and a bot malware script.
RPCCLIENTTOOL
Description
RPCclient is a utility initially developed to test MS-RPC functionality in Samba. It could be used to samba service enumeration/abuse. It has undergone several stages of development and stability. Many system administrators have written scripts around it to manage Windows NT clients from their UNIX workstation.
SDBBOT
Description
SDBBOT is a remote access trojan and it is coded using the C++ programming language. This trojan is designed to gather sensitive information such as computer names, domain names, country codes, and the operating system versions. SDBBOT has the following capabilities: Shutdown or restart machine Command control execution Record video Sleep system driver Managing files and directories
CVE20222586
Description
A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.
MIKEC2TOOL
Description
This tool is created for demonstration of supply chain attack by Mike. This is POC kind of tool available on the github. Mikec2 is an open-source C2 client server project. client machine is interact with the victim's computer and run instructions and executables on it. The source code is written such a way that user can extend their functionality like stealing data, controlling client machine and system level changes. All collected data shown on the web in well organized manner.
SNIPERSPY
Description
SniperSpy is computer monitoring software to monitor children or employees' online activities. The software saves screenshots along with text logs of chats, websites, keystrokes in any language. It allows the user to remotely view everything the online activities of what a child or employee does while they use your computer. Adversaries use this software in victims' machines to harvest personal and confidential information.
ADIDNSDUMPTOOL
Description
AdidnsdumpTool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer.
RUSTBUCKET
Description
RustBucket is macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. Malware was compiled AppleScript applications that contained various suspicious commands within an unsigned application named Internal PDF Viewer.app Last stage of binary is written in a rust language for both ARM and x86 architectures. This payload allows the attacker to carry out further objectives on the system.
EVILGNOME
Description
EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types. EvilGnome begins its malicious deeds when a user installs this Gnome shell extension and a persistence archiving shell script is added to the crontab. It is delivered as a self-extracting archive shell script created with a shell script that generates compressed tar archives which are self-extractable. Once installed, this malware achieves persistence by running gnome-shell-ext.sh in crontab once a minute. The script then executes gnome-shell-ext.sh and launches the main executable. It contains a spy agent with five modules as described below ShooterSound or ShooterAudio: This module captures audio on the targeted Linux system’s microphone and can upload to C2. It used PulseAuido to capture audio from the microphone. By default, the maximum recording of audio is set to 80,000 bits, which is fairly small and can be enlarged by C2 ShooterImage: This module captures desktop screenshots and can upload them to C2. It can open a connection to XOrg Display Server (Gnome desktop backend) and can take desktop screenshots with the cairo open-source library ShooterFile: This module scans the targeted Linux system for new files and can upload them to C2. It uses a filter list to scan the targeted system’s filesystem, which can ignore specific files and folders altogether ShooterKey: This module is currently disabled by its authors and has yet to be used. ShooterPing: This module communicated with C2 from which it receives its malicious commands. C2 commands include downloading and executing a new file, setting filters for file scanning, downloading and setting new runtime configurations, exfiltrating output to C2, and stopping shooter modules
SHELLDOWNLOADER8220
Description
ShellDownloader8220 is a shell script is associated with the 8220 Gang's attack, exploiting a Docker daemon vulnerability where it downloads a main payload, establishes persistence through cron jobs, and employs defense evasion techniques. The script also includes functions for network scanning and lateral movement, showcasing a sophisticated and evolving attack strategy. The attackers employ techniques to disable security tools, modify firewall rules, and change SELinux mode to permissive, aiming to evade detection. They also delete log files to hide their activities.The shell script is part of a broader campaign by the 8220 Gang, known for exploiting vulnerabilities such as the critical Confluence vulnerability (CVE-2022-26134).
LADONGO
Description
Ladongo is an open-source penetration scanner framework. Some features of this framework: fingerprint recognition port scanning remote execution high-risk vulnerability detection and SmbGhost remote execution of SshCmd password cracking SmbScan survival detection/information collection/fingerprint identification PingScan HttpTitle WeblogicScan
WEASELC2
Description
WEASEL is an in-memory implant designed for stealth and evasion, with a client capable of sending host information to a controlled DNS zone and the server, equipped with a CLI, establishes bidirectional communication with clients, tasking them with executing commands. Successfully used in operations, WEASEL serves as a stage 1 payload, difficult to detect, and aims to regain access when more conspicuous stages are compromised. However, it has limitations, including the lack of automatic obfuscation and the absence of multi-player support in the server.
BLOOPTOOL
Description
Simple denial of service attack against Windows machines by sending random spoofed ICMP packets similar to a weaker protocol as of ssping or jolt. esult: Freezes the users machine or a CPU usage will rise to extreme.
TEAMVIEWER
Description
Teamviewer is a tool created for the purpose of team conferencing and has features like remote desktop sharing. Team viewer has both audio conferencing features as well and files and folders can be accessed on remote computers. This tool has also been misused by adversaries to control the victim's computer.
SHARPDPAPI
Description
SharpDPAPI is a tool designed to extract the DPAPI backup key from a domain controller. In the event that domain administrator privileges, or their equivalent, have been acquired, the DPAPI backup key for the domain can be obtained using the "backupkey" command or through the use of Mimikatz. Threat actors can misuse this C# compiled binary tool available on GitHub to compromise victim machines and gain unauthorized access.
FKOTHSPAYLOAD
Description
Fkoths is presented as a 64-bit Golang ELF, exhibits two distinct functionalities where one aspect involves scanning and deleting Docker images from specific repositories, possibly to erase traces of initial access and another function alters the host's /etc/hosts file to impede outbound requests to the Docker registry, hindering further image acquisition.These actions align with tactics observed in similar cyber campaigns, indicating a deliberate effort to evade detection and complicate forensic analysis.
SSHSNAKETOOL
Description
SSH-Snake automates SSH network traversal, swiftly mapping dependencies and vulnerabilities, connecting systems via private keys, streamlining reconnaissance efforts.Automated attempts to SSH into all identified destinations using the discovered private keys.Continuation of the process on successfully accessed destinations, recursively exploring their networks.
INSEKT
Description
Insekt RAT is the beacon and RAT found as part of the Alchimist campaign.
XPERTRAT
Description
XpertRAT is a Remote Administration Trojan, a malicious program that allows cyber criminals to remotely access and control infected computers. XpertRAT can steal credentials and system information, including operating system versions and running processes, and communicate with command and control (C&C) servers to exfiltrate data, download additional malware components, and execute arbitrary commands. Malware has the following capabilities: Sensitive Data Exposure. Information Theft. Keylogging
HTTPCLIENT
Description
HTTPClient is a tool used to Putter Panda(APT2) threat actor used as a backup or second stage tool. It uses HTTP for CnC communication. When started it attempts to connect to www.microsoft.com using the hard-coded user agent Mozilla/4.0 (Compatible; MsIE 6.0;) before connecting to the CnC server.
BLACKGUARD
Description
Blackguard is an infostealer capable of taking screenshots, stealing credentials from installed softwares like browsers, FTP Clients. It is also capable of stealing credentials from VPN clients, Crypto wallets, messengers. Currently it is sold in the underground market for $700 for lifetime. It has been programmed in .net. It is capable of evading antiviruses and sandboxes and is loaded with anti-techniques.
AGELOCKER
Description
Agelocker Ransomware attempts to encrypt the files of victims by using the “Age” encryption tool and is known to target QNAP NAS, Linux and macOS devices. This malware specifically targets Network Attached Storage (NAS) users with older versions of QTS, a Linux-based operating system deployed by the company with its products. AgeLocker utilizes the 'Age' encryption tool created by a Google employee to encrypt victim's files. Age uses the X25519 (an ECDH curve), ChaChar20-Poly1305, and HMAC-SHA256 algorithms, which makes it a very secure method to encrypt a file.
DOUBLEPULSAR
Description
DoublePulsar is a trojan implant often used with the EternalBlue exploit, notorious for enabling cyberattacks such as WannaCry ransomware. Many of the Windows exploits exposed in the NSA leak target vulnerabilities within the SMB (Server Message Block) protocol, which facilitates file-sharing functionality among Windows-based computers.
P2PINFECT
Description
P2PInfect is is a peer-to-peer botnet which spreads through SSH brute-forcing, employs persistence mechanisms like cron jobs, and uses evasion techniques to maintain control.It has experienced rapid growth, with a significant increase in initial access attempts, and is spread globally, with a high concentration of activity in China. P2Pinfect has evolved with incremental updates, including persistence mechanisms and evasion techniques.
TABMSGSQL
Description
Tabsmsgsql is a backdoor used by APT1 group. It has the following capabilities: 1. It can download and upload files to the CnC 2. Provide capability to attackers to execute commands on the victim machine. 3. Communicate with CnC using HTTP
SOLARMARKER
Description
Solarmarker is an information stealer written in .NET that can log keystrokes, steal data and credentials stored in browsers. Solarmarker was first observed in September 2020. Solarmarker was known to be spread through SEO poisoning. Solarmarker is a modularized trojan with modules named Mars, Uranus, Jupyter. These modules are responsible for various functionalities of solarmaker. The modules help solarmarker to achieve the following capabilities: 1. Harvest credentials 2. Steal passwords, cookies and autocompletion data from browsers 3. It extracts certificates and key databases from firefox.
NEWCORE RAT
Description
NewCore RAT is a Windows Remote Access Tool typically attributed to Goblin Panda Threat Group. It is a DLL file and is suspected to be derived from the open source backdoors PcCleint and PcCortr. NewCore RAT has the following capabilities: 1. Copy files 2. Delete files 3. Execute files 4. Search files 5. Download files 6. Upload files 7. Retrieve disk list 8. Retrieve directory list 9. Retrieve file information 10. Retrieve disk information 11. Rename files 12. Screen monitoring 13. Start command shell 14. Shutdown/Reboot
WATSON
Description
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
MBROVERWRITE
Description
MBROVERWRITE overwrites the MBR(Master Boot Record) causing the machine to load the sector overwritten after being initialized. This type of malwares causes an infection in the Basic Input/Output System (BIOS) using Disk Operating System (DOS) commands to infect the disk.
DDOSTF
Description
The malware DDOSTF targets mainly Linux machines running Elasticsearch servers, but it also attacks and infects Windows systems where the infected machines point to ddos.tf. This malware is part of a bigger botnet, used mainly to launch DDoS attacks.
INTERNALMONOLOGUE
Description
Internal Monologue is a hacking tool used for obtaining NTLM hashes without directly accessing the LSASS process. This open-source tool can be exploited by attackers for malicious purposes.
PSEXEC
Description
PsExec allows redirects of the input and output of a remotely started executable through the use of SMB and the hidden $ADMIN share on the remote system The fundamental behavior of PsExec follows a simple pattern: 1. Establish an SMB network connection to a target system using administrator credentials 2. Push a copy of a receiver process named PSEXESVC:exe to the target system’s ADMIN$ share 3. Launches PSEXESVC:exe, which sends input and output to a named pipe - \.pipepsexesvc Attackers often use PsExec to perform lateral movement. After establishing a foothold and getting the credentials of the victims environment, the attacker can run PsExec on the compromised host and execute commands on another host.
WINDOWS CREDENTIAL EDITOR
Description
Windows Credentials Editor(WCE) is a security tool from Ampliasecurity that can list logon sessions and alter associated credentials. Adversaries can misuse to manipulate all kinds of credentials LM/NT Hash, plaintext passwords, and Kerberos tickets. The tool can be used in pass-the-hash attacks on windows. It can obtain the hashes from memory and reuse it for lateral movement in the network. Attackers can use the tool to compromise the entire domain in case one of the machines in the network is compromised. Attackers can leverage the following features the tool: 1. Carry out pass-the-hash attacks 2. Steal NTLM credentials from memory 3. Steal Kerberos tickets from windows 4. Dump cleartext passwords stored by Windows authentication packages
TELEPOWERBOT
Description
TelePowerBot is a registry implant that launches via a script at system boot and connects to a Telegram channel from where it receives PowerShell commands to execute. TelePowerBot also comes with information stealing capabilities, targeting data stored in Chrome-based and Firefox browsers. This malware has also been found to use self-made stealers, Ctealer and Cucky, to steal victim credentials from web browsers. Malware has the following capabilities: Stealing confidential documentation Infects USB devices Steal credentials and cookies from web browsers.
LAPLASCLIPPER
Description
LaplasClipper is an infostealer which could steal crypto wallets. This malware monitors clipboard activity of victime machines and tries to get cryptocurrency wallet addresses. Once a crypto wallet address is found, the attacker replaces it with the Threat Actors crypto wallet address. he following crypto wallet targeted by an attacker. Bitcoin Bitcoin Cash Litecoin Ethereum Dogecoin Monero Ripple Zcash Dash Ronin Tron Steam Trade URL Tezos Cardano Cosmos Qtum
DOKI
Description
Doki is multi-threaded malware that uses the embedTLS library for cryptographic functions and network communication. When executed, the malware will create a seperate thread in order to handle all C2 communications. The malware starts by generating a C2 domain using its unique DGA. In order to construct the C2 address the malware performs the following steps: Query dogechain.info API → A Dogecoin cryptocurrency block explorer, for the value that was sent out (spent) from a hardcoded wallet address that is controlled by the attacker. The query format is: https://dogechain.info/api/v1/address/sent/{address} Performs SHA256 on the value returned under “sent” Save the first 12 characters from the hex-string representation of the SHA256 value, to be used as the subdomain. Construct the full address by appending the subdomain to ddns.net. An example domain would be: 6d77335c4f23[.]ddns[.]net
EXPLOITSUGGESTERTOOL
Description
This package contains a Linux privilege escalation auditing tool. It’s designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine. It provides following functionality: Assessing kernel exposure on publicly known exploits Tool assesses (using heuristics methods discussed in details here) exposure of the given kernel on every publicly known Linux kernel exploit. For each exploit, exposure is calculated Verifying state of kernel hardening security measures LES can check for most of security settings available by your Linux kernel. It verifies not only the kernel compile-time configurations (CONFIGs) but also verifies run-time settings (sysctl) giving more complete picture of security posture for running kernel. This functionality is modern continuation of –kernel switch from checksec.sh tool by Tobias Klein.
YARAT
Description
Yarat is an infostealer which steals system information from the victim's machines. This malware spreads through MS office documents with malicious macros and this macros drops the malicious yaratdll along with legitimate applications. It also gathers system related information like bios,Network, OS, Browser, Software information.
DESTOVER
Description
The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. The destructive "wiper" malware that was used to infect and erase hard drives. They are also used by Lazarus threat group
PARALLAX
Description
Parallax RAT is a remote access trojan that is capable of controlling multiple remote computers at once and is also capable of downloading and executing other malwares and stealing credentials. The RAT can steal credentials stored in browsers like chrome, firefox and email clients like outlook and thunderbird. It is known to install ransomwares on the victim machine. Some versions of the RAT are also known to install cryptocurrencies which eat up a lot of system resources
EMPIRE
Description
Empire is a powershell post exploitation framework with multiple modules facilitating access to the attacker. The beauty of it lies in it can work without the presence of powershell:exe. It can be used against windows servers and desktops. It can give the following capabilities to the attacker: 1. Bypass antivirus 2. Run commands in memory to evade antivirus 3. Privilege escalation 4. Network reconnaissance 5. Host reconnaissance Empire has three components: 6. Listener - listens on the attacker’s machine 7. Agent - installed on victim which is constantly connected to the listener 8. Stager - executes malicious code on the agent
SPONSOR
Description
Sponsor malware gathers diverse information about the host and transmits it to a central server known as the C&C server. It receives a unique node ID, which it stores in a file named "node.txt". The information it gathers includes the host's name, time zone, language settings, hardware details like motherboard and processor information, and software specifics such as the operating system version and installation type. Sponsor malware is distributed by exploiting a known vulnerability in Microsoft Exchange servers. This vulnerability is a well-documented security flaw, and cybercriminals have exploited it as a means of initial access. Once the vulnerability is exploited successfully, they gain a foothold on the compromised systems, allowing them to introduce and activate the Sponsor backdoor. Malware has the following capabilities: Stolen passwords. Victim's computer added to a botnet. Data encryption.
SLIVERIMPLANTTOOL
Description
Sliver is an open-source adversary emulation and red team framework, designed for security testing where its implants offer C2 over various protocols like Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS, featuring dynamic compilation with unique asymmetric encryption keys for each binary. Supporting MacOS, Windows, and Linux, both server and client components ensure comprehensive compatibility while the implants are specifically designed for MacOS, Windows, and Linux, with potential functionality on other Golang compiler targets
RHOMBUS
Description
Rhombus is an IOT malware which drops malicious backdoor files in the victim PC and also infects ls cmdline utility. Some other features of Rhombus malware are - Disabling SeLinux - Uses cron for schedule task/persistence. - Uses encoded/obfuscated strings for defense evasion.
BIBIWIPER
Description
BiBiWiper executes with the potential to devastate entire systems, using multiple threads and a queue to corrupt files and directories.Its destructive capacity, when granted root access, includes overwriting, renaming, and selectively excluding file types in a high-speed, multi-threaded operation.
POISONIVY
Description
PoisonIvy is a Remote Access Trojan(RAT) first recognised in 2005. It was known to be used in Nitro campaigns which used to target government organizations, human rights associations, defence organizations. It has capability to spy the activities of the victim and steal credentials. Like other RAT’s poison IVY has a server and client component. The attacker sets up the server. Then he sends the client part of the RAT to the victim via phishing email. After the client is installed on the victim, it can download the poison modules from the CnC server. The attacker is provided with a GUI with which he can remotely access the victim’s machine.
MERLIN
Description
Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go. Some features of Merlin: Supported C2 Protocols: http/1.1 clear-text, http/1.1 over TLS, HTTP/2, HTTP/2 clear-text (h2c), http/3 (http/2 over QUIC) Domain Fronting Executes .NET assemblies in-process with invoke-assembly or in a sacrificial process with execute-assembly. Executes arbitrary Windows executables (PE) in a sacrificial process with execute-pe. Various shellcode execution techniques merlin uses: CreateThread, CreateRemoteThread, RtlCreateUserThread, QueueUserAPC.
LINKC2
Description
linkc2 is a command and control framework written in Rust, supporting MacOS, Linux, and Windows implants which features HTTPS communication, process injection, in-memory .NET assembly and Windows PE execution, integration with SharpCollection tools, and sRDI implementation for shellcode generation.
PONY
Description
Pony is an infostealer that is capable of stealing credentials of specific applications and cryptocurrency.This trojan gets delivered through spam mail, phishing, and bundles of third party software. Once this trojan reaches the target machines, it collects all sensitive data and sends it to the attacker server.
SAPPHIRESTEALER
Description
SapphireStealer is a Trojan designed to covertly capture login credentials stored in web browsers and also to clandestinely capture screenshots of the victim's computer.This Trojan, known as SapphireStealer, infiltrates a victim's computer and systematically extracts specific extension-format files from their storage. Once gathered, these files are surreptitiously transmitted to a designated Telegram bot, enabling unauthorized access to and distribution of the compromised data.
GOSCANSSH
Description
GoScanSSH is a malware family written in the Go programming language, known for targeting Linux-based SSH servers exposed on the internet where it employs SSH credential brute-force attacks to compromise systems using weak or default credentials and exhibits characteristics such as unique malware binaries and Tor2Web-based command and control infrastructure.The malware underscores the need for securing SSH servers and monitoring potential vulnerabilities.
DTRACK
Description
Dtrack is a Remote Access Trojan(RAT) known to be used by the North Korean Lazarus group. It was known to be used against the Indian nuclear power plant “Kudankulam Nuclear Power Plant” (KNPP). It’s variants are also known to target financial and research institutions. It has keylogging capabilities like other RAT’s. The RAT generates a unique ID for the victim machine on which it is installed. Malware collects the following information from the victim machine: -ipconfig output -netstat output -netsh output -browser history It is known to be inducted in the network using phishing emails. It’s variants like ATMDtrack are known to target Indian ATM’s and steal data from debit cards.
HWACHA
Description
Hwacha is a tool to quickly execute payloads on *Nix based systems. It easily collects artifacts or executes shellcode on an entire subnet of systems for which credentials are obtained. Some of the features of Hwacha are - Collects SSH private keys from the target. - Collects shell history files from the target. - Execute meterpreter agent on the target. - Enumerates sudo privileges on the target.
PYVERVIEW
Description
Pywerview provides a list of domain users which were added to the local administrators group of a machine.
COMMONMAGIC
Description
CommonMagic framework encompasses multiple modules, enabling screenshot capture and USB drive data collection. CommonMagic, distributed via spear phishing, gathers diverse file types (.doc, .docx, .ods, .odt, .pdf, .rar, .rtf, .txt, .xls, .xlsx, .zip) from connected USB devices, capturing screenshots to extract sensitive information such as banking details, login credentials, personal data, and private messages.
GETSYMBOL
Description
GetSymbol hacktool was employed by North Korean threat actors who initially built trust with their targets through social media, transitioned to encrypted messaging, and exploited a software vulnerability, subsequently reporting the issue to the vendor for remediation. Apart from focusing on researchers using 0-day exploits, the threat actors developed a standalone Windows tool aimed at fetching debugging symbols from servers of major companies like Microsoft, Google, Mozilla, and Citrix, meant for reverse engineering purposes. While it initially appears to be a useful utility, this tool harbors the capability to fetch and execute malicious code from a domain controlled by attackers.
PING
Description
Ping is a windows built in utility that can be used by adversaries for remote system discovery. Ping has several options that can be used to enumerate the network. Here are few -t Ping the specified host until stopped. -a resolve hostnames -4 use ipv4 -6 use ipv6 -n specify how many pings to send
UPDATEAGENT
Description
UpdateAgent is a malware that can distribute secondary payloads onto a OSX machine and also disable GateKeeper. UpdateAgent can impersonate legitimate software and can use various Mac device functionalities. It can bypass Gatekeeper which Apple created to make sure only trusted apps can run on Macs. The malware can make use of existing user permissions to perform activities in the background and delete the evidence afterward. UpdateAgent can also use public cloud services such as Amazon S3 and CloudFront to host its malicious payloads. Microsoft alerted Amazon, which removed the malicious URLs on its platform. Because of its mimicking capabilities, people are likely to be infected via “drive-by downloads” or ad popups. Once installed, UpdateAgent starts to collect system information that is then sent to its command-and-control (C2) server.
HEAVENSGATE
Description
HeavensGate situated in the WoW64 environment, is a segment call gate facilitating the transition from 32bit compatibility mode to 64bit mode, allowing threads to invoke kernel mode functions in a 64bit Windows kernel. This gate is injected into a legitimate process to evade detection by AV/EDR systems.
BLACKBASTA
Description
BlackBasta is a cross platform ransomware which targets windows and ESXi servers. Some of its features are: Cross-platform. Deletes volume shadow copies. Utilizes the ChaCha20 algorithm to encrypt files.
- A to Z
- Z to A
| Name | Platform | Description | Created On | Created On | Last Run Time |
|---|---|---|---|---|---|
| QSC | All | New modular framework in Cloud | Nov 09, 2024 | Nov 09, 2024 | Nov 09, 2024 |
| CVE-2024-38213 | All | From Crumbs to Full Compromise | Nov 09, 2024 | Nov 09, 2024 | Nov 09, 2024 |
| BlueNoroff used macOS malware | All | SentinelLabs researchers identify | Nov 09, 2024 | Nov 09, 2024 | Nov 09, 2024 |
| WINELOADER Analysis | All | APT29, also known as Cozy Bear | Nov 09, 2024 | Nov 09, 2024 | Nov 09, 2024 |
See Uptycs in action
Find and remove critical risks in your modern attack surface - cloud, containers, and endpoints - all from a single UI and data model. Let our team of experts show you how.
