JUST RELEASED: ATT&CK for Industrial Control Systems


Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.[1]

ID: G0084
Version: 1.0
Created: 30 January 2019
Last Modified: 16 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1002 Data Compressed

Gallmaker has used WinZip, likely to archive data prior to exfiltration.[1]

Enterprise T1173 Dynamic Data Exchange

Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution.[1]

Enterprise T1027 Obfuscated Files or Information

Gallmaker obfuscated shellcode used during execution.[1]

Enterprise T1086 PowerShell

Gallmaker used PowerShell to download additional payloads.[1]

Enterprise T1064 Scripting

Gallmaker used PowerShell scripts for execution.[1]

Enterprise T1193 Spearphishing Attachment

Gallmaker sent emails with malicious Microsoft Office documents attached.[1]

Enterprise T1204 User Execution

Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution.[1]