{"description": "Enterprise techniques used by MirrorFace, ATT&CK group G1054 (v1.0)", "name": "MirrorFace (G1054)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used native Windows tools to obtain domain user information.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used the PuTTY suite Secure Copy Protocol (SCP) client for file transfer.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used rar.exe and the Makecab utility to archive files of interest prior to exfiltration.(Citation: ESET MirrorFace DEC 2022)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) exported Chrome web data including contact information, keywords, autofill data, and stored credit card information.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used PowerShell in execution chains to drop additional files such as embedded CAB files.(Citation: Trend 
Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used `cmd.exe` for malware execution, file discovery, and manual file manipulation.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: JPCERT MirrorFace JUL 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used `cmd.exe` to run PowerShell commands to drop additional files on the compromised host.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used remote templates with VBA code in malware infection chains.(Citation: ITOCHU LODEINFO JAN 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used Word templates containing VBA code for malware execution.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1586", "showSubtechniques": true}, {"techniqueID": "T1586.002", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used compromised accounts to send spearphishing emails.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) gathered data and files of interest from victims' systems.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": 
"T1074.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has gathered data and files of interest on a single victim machine.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has created and continued to develop custom strains of malware including [LODEINFO](https://attack.mitre.org/software/S9020).(Citation: ESET MirrorFace DEC 2022)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used custom malware, as well as customized variants of publicly available tools.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1686", "showSubtechniques": true}, {"techniqueID": "T1686.003", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) can modify the system firewall to allow communication to certain ports.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has disabled Windows Defender in compromised environments.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685.005", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has deleted Windows event logs.(Citation: JPCERT MirrorFace JUL 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) cleared Windows event logs post compromise.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1482", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has run `nltest.exe  /domain_trusts` on 
compromised systems to discover domain relationships.(Citation: Trend Micro Earth Kasha NOV 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has exfiltrated stored emails from compromised hosts.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used free email providers such as Gmail for spearphishing.(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1585.003", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) established OneDrive accounts to host malicious payloads.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used Secure File Transfer Protocol (SFTP) for file exfiltration.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has exploited vulnerabilities in Fortigate and Array AG devices for initial access.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has run commands to check the content of folders on compromised hosts and has specifically targeted files with .doc, 
.ppt, .xls, .jtd, .eml, .xps, and .pdf extensions.(Citation: ESET MirrorFace DEC 2022)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)\n\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) enumerated file system details in compromised environments.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1591", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has placed specific content in phishing emails to target members of particular political parties.(Citation: ESET MirrorFace DEC 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used legitimate EXE files to load malicious DLLs via sideloading.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has deleted directories containing malware and archives with files collected from the victim environment.(Citation: ESET MirrorFace DEC 2022)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: JPCERT MirrorFace JUL 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) deleted delivered tools and files from compromised hosts.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": 
"[MirrorFace](https://attack.mitre.org/groups/G1054) has crafted malware payloads to appear as Privacy-Enhanced Mail (PEM) files.(Citation: ITOCHU LODEINFO JAN 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) disguised LNK and SFX (self-extracting) files as Word documents to lure victims into opening malicious files.(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used a tool named MRSAStealer as a password filter to collect credentials on password changes.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used Base64 encoded shellcode in infection chains to evade detection.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used tools including the Secure Copy Protocol (SCP) client from PuTTY and [Cobalt Strike](https://attack.mitre.org/software/S0154).(Citation: ESET MirrorFace DEC 2022)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) deployed multiple publicly available tools including PuTTY, [FRP](https://attack.mitre.org/software/S1144), and [Rubeus](https://attack.mitre.org/software/S1071).(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, 
{"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.001", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) loaded malicious Word templates containing VBA code leading to installation of [UPPERCUT](https://attack.mitre.org/software/S0275).(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has dumped LSASS memory for credential access.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used vssadmin to copy registry hives including SAM.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has dumped NTDS.dit through volume shadow copies.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has sent spearphishing emails with malicious attachments to deliver malware payloads.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) distributed crafted spearphishing emails containing malicious attachments.(Citation: ESET MirrorFace 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#ff66f4", 
"showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has embedded OneDrive URLs in emails leading to malicious file installation.(Citation: Trend Micro Earth Kasha Updates APR 2025)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) sent spearphishing emails with malicious OneDrive links.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used [Tasklist](https://attack.mitre.org/software/S0057) on compromised hosts for discovery.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used the GO Simple Tunnel (GOST) proxy tool.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used remote access tools including PuTTY.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1219.001", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) abused the remote tunnels of Visual Studio Code (VS Code) to deliver malware.(Citation: ESET MirrorFace 2025)\n", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used RDP to exfiltrate files of interest.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used SMB to copy malware between systems in compromised environments.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used [Ping](https://attack.mitre.org/software/S0097) for system discovery.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1684", "showSubtechniques": true}, {"techniqueID": "T1684.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has sent targeted emails purporting to be from a Japanese political party\u2019s PR department.(Citation: ESET MirrorFace DEC 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.005", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used links to direct victims to malicious files hosted on OneDrive.(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has abused a known Microsoft digital signature verification issue to append encrypted data to digital signatures that still appear to be validly signed.(Citation: ESET MirrorFace DEC 2022)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) abused a signed McAfee executable to load [UPPERCUT](https://attack.mitre.org/software/S0275).(Citation: ESET MirrorFace 2025)", "score": 1, "color": 
"#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has employed malicious macros and native Windows tools such as csvde.exe, nltest.exe and quser.exe for discovery.(Citation: ITOCHU LODEINFO JAN 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)\n\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) collected system information.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has deployed shellcode to check for Japanese Microsoft Office settings.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used [ipconfig](https://attack.mitre.org/software/S0100) for reconnaissance.(Citation: JPCERT MirrorFace JUL 2024)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used [Arp](https://attack.mitre.org/software/S0099) and `dir` for discovery in compromised environments.(Citation: Trend Micro Earth Kasha Anel NOV 2024)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used Windows native tools to enumerate user information.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used [Tasklist](https://attack.mitre.org/software/S0057) for discovery post compromise.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has used remote template injection to retrieve malicious payloads from the C2.(Citation: ITOCHU LODEINFO JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1127", "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used MSBuild to compile and execute its FaceXInjector injection tool.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "During [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) lured users into executing malicious payloads with links to resources hosted on OneDrive.(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has lured victims into opening crafted Word, Excel, and SFX files for execution.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: ITOCHU LODEINFO JAN 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)\n\nDuring [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) lured victims into executing malicious payloads by opening email attachments.(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[MirrorFace](https://attack.mitre.org/groups/G1054) has leveraged WMIC on targeted systems post compromise.(Citation: JPCERT MirrorFace JUL 2024)\n\nDuring [Operation 
AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used WMI to proxy execution of [UPPERCUT](https://attack.mitre.org/software/S0275).(Citation: ESET MirrorFace 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by MirrorFace", "color": "#66b1ff"}, {"label": "used by a campaign attributed to MirrorFace", "color": "#ff6666"}, {"label": "used by MirrorFace and used by a campaign attributed to MirrorFace", "color": "#ff66f4"}]}