JUST RELEASED: ATT&CK for Industrial Control Systems


PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. [1] [2]

ID: G0011
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Techniques Used

Domain ID Name Use
Enterprise T1078 Valid Accounts

PittyTiger attempts to obtain legitimate credentials during operations.[1]


ID Name References Techniques
S0032 gh0st RAT [1] [2] Command-Line Interface, Commonly Used Port, DLL Side-Loading, File Deletion, Indicator Removal on Host, Input Capture, New Service, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Screen Capture, Standard Cryptographic Protocol
S0008 gsecdump [1] Credential Dumping
S0010 Lurid [2] Custom Cryptographic Protocol, Data Compressed
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0012 PoisonIvy [2] Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port