Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Windows

Example commands and utilities that obtain this information include ver, Systeminfo, and dir within cmd for identifying information based on present files and directories.

Mac

On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.

ID: T1082

Tactic: Discovery

Platform:  Linux, macOS, Windows

Permissions Required:  User

Data Sources:  Process monitoring, Process command-line parameters

CAPEC ID:  CAPEC-311

Version: 1.0

Examples

NameDescription
4H RAT

4H RAT sends an OS version identifier in its beacons.[1]

admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download[2]

ADVSTORESHELL

ADVSTORESHELL can run Systeminfo to gather information about the victim.[3][4]

APT19

APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.[5][6]

APT3

APT3 has a tool that can obtain information about the local system.[7][8]

APT32

APT32 collects the OS version and computer name.[9]

APT37

APT37 collects the computer name, the BIOS model, and execution path.[10]

Backdoor.Oldrea

Backdoor.Oldrea collects information about the OS and computer name.[11]

BACKSPACE

During its initial execution, BACKSPACE extracts operating system information from the infected host.[12]

BADCALL

BADCALL collects the computer name and host name on the compromised system.[13]

Bankshot

Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.[14][15]

Bisonal

Bisonal has a command to gather system information from the victim’s machine.[16]

BlackEnergy

BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.[17][18]

Brave Prince

Brave Prince collects hard drive content and system configuration information.[19]

BUBBLEWRAP

BUBBLEWRAP collects system information, including the operating system version and hostname.[2]

ChChes

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[20][21]

cmd

cmd can be used to find information about the operating system.[22]

Comnie

Comnie collects the hostname of the victim machine.[23]

CORESHELL

CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[24]

CozyCar

A system info module in CozyCar gathers information on the victim host’s configuration.[25]

Crimson

Crimson contains a command to collect the victim PC name and operating system.[26]

Derusbi

Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.[27]

DownPaper

DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[28]

DustySky

DustySky extracts basic information about the operating system.[29]

Elise

Elise executes systeminfo after initial communication is made to the remote server.[30]

Emissary

Emissary has the capability to execute ver, systeminfo, and gpresult commands.[31]

FALLCHILL

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[32]

Felismus

Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.[33]

FELIXROOT

FELIXROOT collects the victim’s computer name, processor architecture, OS version, and volume serial number.[34]

FinFisher

FinFisher checks if the victim OS is 32 or 64-bit.[35][36]

Gamaredon Group

A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[37]

Gold Dragon

Gold Dragon collects endpoint information using the systeminfo command.[19]

GravityRAT

GravityRAT collects the MAC address, computer name, and CPU information.[38]

HALFBAKED

HALFBAKED can obtain information about the OS, processor, and BIOS.[39]

HAPPYWORK

can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.[40]

Honeybee

Honeybee gathers computer name and information using the systeminfo command.[41]

Hydraq

Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.[42]

InnaputRAT

InnaputRAT gathers volume drive information and system information.[43]

InvisiMole

InvisiMole can gather information on the mapped drives, OS version, computer name, and memory size.[44]

JHUHUGIT

JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[45][46]

JPIN

JPIN can obtain system information such as OS version and disk space.[47]

KARAE

KARAE can collect system information.[40]

Kasidet

Kasidet has the ability to obtain a victim's system name and operating system version.[48]

Kazuar

Kazuar gathers information on the system and local drives.[49]

Ke3chang

Ke3chang performs operating system information discovery using systeminfo.[50][51]

KEYMARBLE

KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.[52]

KOMPROGO

KOMPROGO is capable of retrieving information about the infected system.[53]

Kwampirs

Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.[54]

Lazarus Group

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[55][56][57][58][59]

Linfo

Linfo creates a backdoor through which remote attackers can retrieve system information.[60]

Magic Hound

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[61]

MirageFox

MirageFox can collect CPU and architecture information from the victim’s machine.[62]

Mis-Type

The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[63]

Misdat

The initial beacon packet for Misdat contains the operating system version of the victim.[63]

MobileOrder

MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.[64]

MoonWind

MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.[65]

More_eggs

More_eggs has the capability to gather the OS version and computer name.[66]

MURKYTOP

has the capability to retrieve information about the OS.[67]

Naid

Naid collects a unique identifier (UID) from a compromised host.[68]

NanHaiShu

NanHaiShu can gather the victim computer name and serial number.[69]

NavRAT

NavRAT uses systeminfo on a victim’s machine.[70]

NDiskMonitor

NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.[71]

NETWIRE

NETWIRE can discover and collect victim system information.[72]

OilRig

OilRig has run hostname and systeminfo on a victim.[73][74]

OopsIE

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[75]

Orz

Orz can gather the victim OS version and whether it is 64 or 32 bit.[69]

OSInfo

OSInfo discovers information about the infected machine.[7]

Pasam

Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.[76]

Patchwork

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.[77][71]

PinchDuke

PinchDuke gathers system configuration information.[78]

Pisloader

Pisloader has a command to collect victim system information, including the system name and OS version.[79]

PLAINTEE

PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.[80]

POORAIM

POORAIM can identify system information, including battery status.[40]

PowerDuke

PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[81]

POWERSTATS

POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.[82]

POWRUNER

POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[83]

Prikormka

A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[84]

Proxysvc

Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.[59]

Pupy

Pupy can grab a system’s information including the OS version, architecture, etc.[85]

QuasarRAT

QuasarRAT has a command to gather system information from the victim’s machine.[86]

RATANKBA

RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[87][88]

Reaver

Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[89]

RedLeaves

RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[21][90]

Remsec

Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[91]

RogueRobin

RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[92]

ROKRAT

ROKRAT gathers the computer name and checks the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.[93][94]

RTM

RTM can obtain the computer name, OS version, and default language identifier.[95]

RunningRAT

RunningRAT gathers the OS version, logical drives information, processor information, and volume information.[19]

S-Type

The initial beacon packet for S-Type contains the operating system version and file system of the victim.[63]

Shamoon

Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[96]

SHUTTERSPEED

SHUTTERSPEED can collect system information.[40]

SLOWDRIFT

SLOWDRIFT collects and sends system information to its C2.[40]

SOUNDBITE

SOUNDBITE is capable of gathering system information.[53]

Sowbug

Sowbug obtained OS version and hardware configuration from a victim.[97]

SslMM

SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.[98]

Stealth Falcon

Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[99]

StreamEx

StreamEx has the ability to enumerate system information.[100]

SynAck

SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.[101]

Sys10

Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.[98]

Systeminfo

Systeminfo can be used to gather information about the operating system.[102]

T9000

T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.[103]

TrickBot

TrickBot gathers the OS version, CPU type, amount of RAM available from the victim’s machine.[104][105]

Turla

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[106]

TURNEDUP

TURNEDUP is capable of gathering system information.[107]

TYPEFRAME

TYPEFRAME can gather the disk volume information.[108]

Unknown Logger

Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.[109]

UPPERCUT

UPPERCUT has the capability to gather the system’s hostname and OS version.[110]

VERMIN

VERMIN collects the OS name, machine name, and architecture information.[111]

Volgmer

Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.[112][113][114]

WINDSHIELD

WINDSHIELD can gather the victim computer name.[53]

WINERACK

WINERACK can gather information about the host.[40]

Wingbird

Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[115]

WinMM

WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.[98]

XAgentOSX

XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.[116]

yty

yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.[117]

Zebrocy

Zebrocy collects the computer name and serial number for the storage volume C:.[118]

ZeroT

ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.[119]

ZLib

ZLib has the ability to enumerate system information.[63]

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting [120] tools, like AppLocker, [121] [122] or Software Restriction Policies [123] where appropriate. [124]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  3. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  4. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  5. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  6. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  7. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  8. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  9. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  10. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  11. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  12. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  13. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  14. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  15. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  16. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  17. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  18. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  19. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  20. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  21. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  22. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  23. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  24. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  25. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  26. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  27. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  28. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  29. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  30. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  31. Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  32. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  33. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  34. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  35. FinFisher. (n.d.). Retrieved December 20, 2017.
  36. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  37. Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  38. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  39. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  40. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  41. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  42. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  43. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  44. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  45. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  46. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  47. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  48. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  49. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  50. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  51. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  52. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  53. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  54. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  55. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  56. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  57. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  58. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  59. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  60. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  61. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  62. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  1. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  2. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  3. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  4. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  5. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  6. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  7. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  8. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  9. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  10. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  11. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  12. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  13. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  14. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  15. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  16. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  17. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  18. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  19. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  20. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  21. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  22. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  23. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  24. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  25. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  26. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  27. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  28. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  29. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  30. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  31. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  32. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
  33. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  34. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  35. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  36. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  37. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  38. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  39. Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  40. Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
  41. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  42. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  43. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  44. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  45. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  46. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  47. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  48. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  49. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  50. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  51. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  52. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  53. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  54. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  55. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  56. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  57. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  58. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  59. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  60. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  61. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  62. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.