
Command-Line Interface

Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. [1] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes the permissions context for that execution (e.g. Scheduled Task).

Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

ID: T1059

Tactic: Execution

Platform:  Linux, macOS, Windows

Permissions Required:  User, Administrator, SYSTEM

Data Sources:  Process monitoring, Process command-line parameters

Supports Remote:  No

Version: 1.0

Examples

Name / Description
4H RAT

4H RAT has the capability to create a remote shell.[2]

adbupd

adbupd can run a copy of cmd.exe.[3]

admin@338

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[4]

ADVSTORESHELL

ADVSTORESHELL can create a remote shell and run a given command.[5][6]

APT1

APT1 has used the Windows command shell to execute commands.[7]

APT28

APT28 uses cmd.exe to execute commands.[8]

APT3

An APT3 downloader uses the Windows command cmd.exe /C whoami. The group also uses a tool to execute commands on remote computers.[9][10]

APT37

APT37 has used the command-line interface.[11][12]

BACKSPACE

Adversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell.[13]

BADNEWS

BADNEWS is capable of executing commands via cmd.exe.[14][15]

Bandook

Bandook is capable of spawning a Windows command shell.[16]

Bankshot

Bankshot uses the command-line interface to execute arbitrary commands.[17][18]

Bisonal

Bisonal can launch cmd.exe to execute commands on the system.[19]

BLACKCOFFEE

BLACKCOFFEE has the capability to create a reverse shell.[20]

BRONZE BUTLER

BRONZE BUTLER uses the command-line interface.[21]

CallMe

CallMe has the capability to create a reverse shell on victims.[22]

Carbanak

Carbanak has a command to create a reverse shell.[23]

Chaos

Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[24]

China Chopper

China Chopper is capable of opening a command terminal.[25]

CHOPSTICK

CHOPSTICK is capable of performing remote command execution.[26][5]

cmd

cmd is used to execute programs and other actions at the command-line interface.[27]

Cobalt Strike

Cobalt Strike uses a command-line interface to interact with systems.[28]

CozyCar

A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.[29]

Daserf

Daserf can execute shell commands.[30][21]

Derusbi

Derusbi is capable of creating a remote Bash shell and executing commands.[31][32]

Dipsind

Dipsind can spawn remote shells.[3]

DownPaper

DownPaper uses the command line.[33]

Dragonfly 2.0

Dragonfly 2.0 used command line for execution.[34]

Emissary

Emissary has the capability to create a remote shell and execute specified commands.[35]

Felismus

Felismus uses command line for execution.[36]

FELIXROOT

FELIXROOT opens a remote shell to execute commands on the infected system.[37]

FIN7

FIN7 used cmd.exe to launch commands on the victim’s machine.[38]

FIN8

FIN8 executes commands remotely via cmd.exe.[39]

gh0st

gh0st RAT is able to open a command shell.[40]

Gold Dragon

Gold Dragon uses cmd.exe to execute commands for discovery.[41]

Gorgon Group

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[42]

GravityRAT

GravityRAT executes commands remotely on the infected host.[43]

H1N1

H1N1 kills and disables services by using cmd.exe.[44]

HARDRAIN

HARDRAIN uses cmd.exe to execute netsh commands.[45]

hcdLoader

hcdLoader provides command-line access to the compromised system.[46]

Helminth

Helminth can provide a remote shell.[47]

Hi-Zor

Hi-Zor has the ability to create a reverse shell.[48]

HOMEFRY

HOMEFRY uses a command-line interface.[32]

Honeybee

Several commands are supported by the Honeybee's implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint.[49]

HTTPBrowser

HTTPBrowser is capable of spawning a reverse shell on a victim.[50]

httpclient

httpclient opens cmd.exe on the victim.[2]

InnaputRAT

InnaputRAT launches a shell to execute commands on the victim’s machine.[51]

InvisiMole

InvisiMole can launch a remote shell to execute commands.[52]

JPIN

JPIN can use the command-line utility cacls.exe to change file permissions.[3]

Kasidet

Kasidet can execute commands using cmd.exe.[53]

Kazuar

Kazuar uses cmd.exe and /bin/bash to execute commands on the victim’s machine.[54]

Ke3chang

Malware used by Ke3chang can run commands on the command-line interface.[55][56]

KEYMARBLE

KEYMARBLE can execute shell commands using cmd.exe.[57]

Koadic

Koadic can open an interactive command-shell to perform command line functions on victim machines.[58]

KOMPROGO

KOMPROGO is capable of creating a reverse shell.[59]

Lazarus Group

Lazarus Group malware uses cmd.exe to execute commands on victims.[60][61][62][63]

Leviathan

Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell.[32]

Linfo

Linfo creates a backdoor through which remote attackers can start a remote shell.[64]

Magic Hound

Magic Hound has used the command-line interface.[65]

Matroyshka

Matroyshka is capable of providing Meterpreter shell access.[66]

menuPass

menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[67][68][69]

MirageFox

MirageFox has the capability to execute commands using cmd.exe.[70]

Mis-Type

Mis-Type uses cmd.exe to run commands for enumerating the host.[71]

Misdat

Misdat is capable of providing shell functionality to the attacker to execute commands.[71]

Mivast

Mivast has the capability to open a remote shell and run basic commands.[72]

MoonWind

MoonWind can execute commands via an interactive command shell.[73]

Mosquito

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[74]

MURKYTOP

MURKYTOP uses the command-line interface.[32]

NavRAT

NavRAT leverages cmd.exe to perform discovery techniques.[75]

NETEAGLE

NETEAGLE allows adversaries to execute shell commands on the infected host.[13]

OilRig

OilRig has used the command-line interface for execution.[76][77][78][79]

OopsIE

OopsIE uses the command prompt to execute commands on the victim's machine.[77][80]

Orz

Orz can execute shell commands.[81]

Patchwork

Patchwork ran a reverse shell with Meterpreter.[82]

PHOREAL

PHOREAL is capable of creating reverse shell.[59]

Pisloader

Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.[83]

PLAINTEE

PLAINTEE uses cmd.exe to execute commands on the victim’s machine.[84]

PlugX

PlugX allows actors to spawn a reverse shell on a victim.[50]

PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.[85]

PowerDuke

PowerDuke runs cmd.exe /c and sends the output to its C2.[86]

POWRUNER

POWRUNER can execute commands from its C2 server.[76]

Proxysvc

Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c " > %temp%\PM*.tmp 2>&1".[87]

Pteranodon

Pteranodon can execute commands on the victim.[88]

QUADAGENT

QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.[89]

QuasarRAT

QuasarRAT can launch a remote shell to execute commands on the victim’s machine.[90]

Rancor

Rancor has used cmd.exe to execute commands.[84]

RATANKBA

RATANKBA uses cmd.exe to execute commands.[91][92]

RedLeaves

RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[68][93]

RGDoor

RGDoor uses cmd.exe to execute commands on the victim’s machine.[94]

RogueRobin

RogueRobin uses a command prompt to run a PowerShell script from Excel.[95]

RTM

RTM uses the command line and rundll32.exe to execute.[96]

Sakula

Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[97]

SeaDuke

SeaDuke is capable of executing commands.[98]

SEASHARPEE

SEASHARPEE can execute commands on victims.[79]

SNUGRIDE

SNUGRIDE is capable of executing commands and spawning a reverse shell.[93]

Sowbug

Sowbug has used command line during its intrusions.[99]

StreamEx

StreamEx has the ability to remotely execute commands.[100]

Suckfly

Several tools used by Suckfly have been command-line driven.[101]

TDTESS

TDTESS provides a reverse shell on the victim.[66]

TEXTMATE

TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[102][103]

Threat Group-1314

Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[104]

Threat Group-3390

Threat Group-3390 has used command-line interfaces for execution.[25]

TinyZBot

TinyZBot supports execution from the command-line.[105]

TURNEDUP

TURNEDUP is capable of creating a reverse shell.[106]

TYPEFRAME

TYPEFRAME can execute commands using a shell.[107]

Umbreon

Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[108]

UPPERCUT

UPPERCUT uses cmd.exe to execute commands on the victim’s machine.[109]

Volgmer

Volgmer can execute commands on the victim's machine.[110][111]

Wiarp

Wiarp creates a backdoor through which remote attackers can open a command line interface.[112]

WINERACK

WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands.[11]

XTunnel

XTunnel has been used to execute remote commands.[26]

ZLib

ZLib has the ability to execute shell commands.[71]

Mitigation

Audit and/or block command-line interpreters by using whitelisting [113] tools, like AppLocker, [114] [115] or Software Restriction Policies [116] where appropriate. [117]
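The mitigation above is shown here as a worked AppLocker policy. This is an added example and not part of the ATT&CK page or any vendor guidance: it writes an Exe rule collection in AuditOnly mode that would deny %SYSTEM32%\cmd.exe to a chosen SID while keeping AppLocker's three default allow rules, dry-runs it with Test-AppLockerPolicy, and only then merges it into the local policy. The rule GUIDs, the file path under %TEMP%, and the choice of Everyone (S-1-1-0) as the target SID are assumptions to adapt; it assumes an elevated PowerShell session on a Windows SKU that ships the AppLocker module with the Application Identity service (AppIDSvc) running.

```powershell
# Added example (not from the ATT&CK page): audit-first AppLocker policy for the
# Windows command interpreter, evaluated offline before it is applied.
# Assumptions: elevated session, AppLocker cmdlets available, AppIDSvc running.

$PolicyPath = Join-Path $env:TEMP 'cli-audit-policy.xml'   # assumed scratch location

# Who the deny rule applies to. S-1-1-0 is Everyone; deny rules take precedence
# over allow rules in AppLocker, so this also covers Administrators. Replace with
# a scoped group SID if admins or build agents legitimately need cmd.exe.
$DenySid = 'S-1-1-0'

# Rule Ids must be unique GUIDs; fresh ones are generated rather than reused.
$DenyId = [guid]::NewGuid(); $AllowPfId = [guid]::NewGuid()
$AllowWinId = [guid]::NewGuid(); $AllowAdmId = [guid]::NewGuid()

# EnforcementMode="AuditOnly": nothing is blocked, but every launch the rule
# would have stopped is logged as event 8003 in
# Microsoft-Windows-AppLocker/EXE and DLL. Change to "Enabled" only after that
# log shows no legitimate cmd.exe use by the targeted SID.
$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$DenyId" Name="Deny cmd.exe" Description="Command-line interpreter (T1059)" UserOrGroupSid="$DenySid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\cmd.exe" />
      </Conditions>
    </FilePathRule>
    <!-- A non-empty Exe collection denies anything it does not allow, so the
         three default allow rules must be present or the host becomes unusable. -->
    <FilePathRule Id="$AllowPfId" Name="All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$AllowWinId" Name="All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$AllowAdmId" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $Policy -Encoding UTF8

# Dry run against the interpreter and a benign control binary without applying
# anything. Expect PolicyDecision Denied for cmd.exe and Allowed for notepad.exe.
Test-AppLockerPolicy -XmlPolicy $PolicyPath `
    -Path "$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\System32\notepad.exe" `
    -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (requires elevation). Without -Merge the existing
# local AppLocker policy is replaced rather than extended.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

A path rule is the simplest form and is what the page's references describe; it is also the weakest, since a copy of cmd.exe outside %SYSTEM32% is not matched. Where the goal is blocking rather than visibility, a Publisher rule on the Microsoft Windows signature (built from Get-AppLockerFileInformation) covers renamed or relocated copies as well.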

Detection

Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools.
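As an added example of the detection approach above (not code from the ATT&CK page), the script below scores process-creation records for interpreter launches, using patterns that appear in this page's own examples: a shell spawned by an Office application or the IIS worker process, cmd.exe /c with output redirected to %temp%, rundll32 chained through the shell, and discovery or configuration utilities such as whoami, netsh and cacls. Record fields follow Security event 4688 (NewProcessName, CommandLine, ParentProcessName, SubjectUserName); 4688 carries CommandLine only when "Include command line in process creation events" is enabled, and Sysmon event 1 maps onto the same fields. The sample records, the parent-process list and the scoring weights are constructed assumptions, not telemetry from any referenced report.

```powershell
# Added example (not from the ATT&CK page): flag command-line interpreter
# launches in process-creation telemetry. Field names follow Security event 4688;
# the sample records at the bottom are constructed so the script runs offline.

$Interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'bash.exe', 'sh.exe'

# Parents with little legitimate reason to spawn a shell: Office applications
# (cf. RogueRobin launching PowerShell from Excel) and the IIS worker process
# (web shells such as China Chopper and RGDoor run their commands from it).
# Assumed list; extend from your own baseline.
$SuspiciousParents = 'winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe', 'w3wp.exe'

function Get-CliFindings {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image = [IO.Path]::GetFileName([string]$e.NewProcessName).ToLowerInvariant()
        if ($Interpreters -notcontains $image) { continue }
        $parent  = [IO.Path]::GetFileName([string]$e.ParentProcessName).ToLowerInvariant()
        $cmd     = [string]$e.CommandLine
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($SuspiciousParents -contains $parent) { $reasons.Add("spawned by $parent") }
        # One-shot execution with output captured under %temp%
        # (the Proxysvc pattern: cmd.exe /c "... > %temp%\PM*.tmp 2>&1").
        if ($cmd -match '(?i)\s/c\b' -and $cmd -match '(?i)>\s*"?%temp%') {
            $reasons.Add('output redirected to %temp%')
        }
        # Shell used as a springboard for rundll32 (RTM, Sakula).
        if ($cmd -match '(?i)\brundll32(\.exe)?\b') { $reasons.Add('invokes rundll32') }
        # Discovery and configuration utilities chained through the shell
        # (APT3 whoami, HARDRAIN netsh, JPIN cacls, Gold Dragon/NavRAT discovery).
        if ($cmd -match '(?i)\b(whoami|netsh|cacls|systeminfo|tasklist|ipconfig)\b') {
            $reasons.Add('discovery/config utility')
        }
        # Registry Run key written from the shell (Pisloader).
        if ($cmd -match '(?i)\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b') {
            $reasons.Add('writes Registry Run key')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $e.SubjectUserName
                Parent  = $parent
                Image   = $image
                Score   = $reasons.Count
                Reasons = ($reasons -join '; ')
                Command = $cmd
            }
        }
    }
}

# Constructed sample records (not real telemetry). Expected: record 2 scores 1
# (Excel parent), record 3 scores 2 (%temp% redirect + whoami), others produce none.
$Sample = @(
    [pscustomobject]@{ TimeCreated='2018-10-01T09:00:01'; SubjectUserName='alice'; ParentProcessName='C:\Windows\explorer.exe'; NewProcessName='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe' }
    [pscustomobject]@{ TimeCreated='2018-10-01T09:05:12'; SubjectUserName='alice'; ParentProcessName='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; NewProcessName='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -File C:\Users\alice\AppData\Local\Temp\book1.ps1' }
    [pscustomobject]@{ TimeCreated='2018-10-01T09:07:45'; SubjectUserName='SYSTEM'; ParentProcessName='C:\Windows\System32\svchost.exe'; NewProcessName='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c "whoami > %temp%\PM1A2B.tmp 2>&1"' }
    [pscustomobject]@{ TimeCreated='2018-10-01T09:10:03'; SubjectUserName='bob'; ParentProcessName='C:\Windows\explorer.exe'; NewProcessName='C:\Windows\System32\notepad.exe'; CommandLine='notepad.exe' }
)

Get-CliFindings -Events $Sample | Sort-Object Score -Descending |
    Format-Table Score, User, Parent, Image, Reasons -AutoSize

# Live use instead of $Sample: read 4688 from the Security log and flatten
# EventData into the same field names.
# $Live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{ TimeCreated = $_.TimeCreated }
#         foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
#         [pscustomobject]$d
#     }
# Get-CliFindings -Events $Live
```

The score is a count of independent indicators rather than a verdict: an interactive cmd.exe under explorer.exe scores nothing, a shell from Excel scores one and deserves a look, and a SYSTEM-level shell capturing whoami to %temp% scores two and should page someone. Tune the parent list and the utility list against your own baseline before alerting on a score of one.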

References

  1. Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
  2. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  3. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  4. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  5. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  6. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  7. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  8. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  9. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  10. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  11. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  12. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  13. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  14. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  15. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  16. Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  17. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  18. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  19. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  20. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  21. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  22. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  23. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  24. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  25. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  26. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  27. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  28. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  29. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  30. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  31. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  32. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  33. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  34. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  35. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  36. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  37. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  38. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  39. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  40. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  41. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  42. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  43. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  44. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  45. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  46. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  47. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  48. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  49. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  50. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  51. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  52. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  53. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  54. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  55. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  56. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  57. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  58. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  59. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  60. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  61. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  62. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  63. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  64. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  65. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  66. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  67. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  68. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  69. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  70. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  71. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  72. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  73. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  74. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  75. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  76. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  77. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  78. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  79. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  80. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  81. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  82. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  83. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  84. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  85. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  86. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  87. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  88. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  89. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  90. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  91. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  92. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  93. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  94. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  95. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  96. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  97. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  98. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  99. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  100. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  101. DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.
  102. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  103. Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  104. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  105. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  106. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  107. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  108. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  109. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  110. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  111. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  112. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  113. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  114. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  115. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  116. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  117. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.