Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

File and Directory Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Windows

Example utilities used to obtain this information are dir and tree. [1] Custom tools may also be used to gather file and directory information and interact with the Windows API.

Mac and Linux

In Mac and Linux, this kind of discovery is accomplished with the ls, find, and locate commands.

ID: T1083

Tactic: Discovery

Platform:  Linux, macOS, Windows

Permissions Required:  User, Administrator, SYSTEM

Data Sources:  File monitoring, Process monitoring, Process command-line parameters

Version: 1.0

Examples

NameDescription
3PARA RAT

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.[2]

4H RAT

4H RAT has the capability to obtain file and directory listings.[2]

admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download[3]

ADVSTORESHELL

ADVSTORESHELL can list files and directories.[4][5]

APT28

APT28 has used Forfiles to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms.[6][7]

APT3

APT3 has a tool that looks for files and directories on the local file system.[8][9]

AutoIt backdoor

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[10]

Backdoor.Oldrea

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[11]

BACKSPACE

BACKSPACE allows adversaries to search for files.[12]

BADNEWS

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.[13]

Bankshot

Bankshot searches for files on the victim's machine.[14]

BBSRAT

BBSRAT can list file and directory information.[15]

BLACKCOFFEE

BLACKCOFFEE has the capability to enumerate files.[16]

BlackEnergy

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.[17][18]

Brave Prince

Brave Prince gathers file and directory information from the victim’s machine.[19]

BRONZE BUTLER

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[20]

ChChes

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[21]

China Chopper

China Chopper can list directory contents.[22]

CHOPSTICK

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[4]

cmd

cmd can be used to find files and directories with native functionality such as dir commands.[23]

CORALDECK

CORALDECK searches for specified files.[24]

CosmicDuke

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[25]

Crimson

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.[26]

CrossRAT

CrossRAT can list all files on a system.

Dark Caracal

Dark Caracal collected file listings of all default Windows directories.[27]

DDKONG

DDKONG lists files on the victim’s machine.[28]

Derusbi

Derusbi is capable of obtaining directory, file, and drive listings.[29][22]

Dragonfly 2.0

Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts.[30]

Dust Storm

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.[31]

DustySky

DustySky scans the victim for files that contain certain keywords from a list that is obtained from the C2 as a text file. It also collects information about installed software.[32]

Elise

A variant of Elise executes dir C:\progra~1 when initially run.[33]

ELMER

ELMER is capable of performing directory listings.[34]

FALLCHILL

FALLCHILL can search files on a victim.[35]

FinFisher

FinFisher enumerates directories and scans for certain files.[36][37]

FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[12]

Forfiles

Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)[6]

FruitFly

FruitFly looks for specific files and file types.[38]

GeminiDuke

GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.[39]

Gold Dragon

Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.[19]

GravityRAT

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.[40]

Honeybee

Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.[41]

HTTPBrowser

HTTPBrowser is capable of listing files, folders, and drives on a victim.[42][43]

Hydraq

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.[44][45]

InnaputRAT

InnaputRAT enumerates directories and obtains file attributes on a system.[46]

InvisiMole

InvisiMole can lists information about files in a directory.[47]

JPIN

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[48]

Kasidet

Kasidet has the ability to search for a given filename on a victim.[49]

Kazuar

Kazuar finds a specified directory, lists the files and metadata about those files.[50]

Ke3chang

Ke3chang uses command-line interaction to search files and directories.[51]

KEYMARBLE

KEYMARBLE has a command to search for files on the victim’s machine.[52]

Kwampirs

Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP[RANDOM].tmp".[53]

Lazarus Group

Several Lazarus Group malware samples use a common function to identify target files by their extension. Lazarus Group malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.[54][55]

Leafminer

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[56]

Linfo

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.[57]

Magic Hound

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.[58]

Misdat

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.[31]

MobileOrder

MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.[59]

MoonWind

MoonWind has a command to return a directory listing for a specified directory.[60]

NDiskMonitor

NDiskMonitor can obtain a list of all files and directories as well as logical drives.[13]

NETEAGLE

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[12]

Orz

Orz can gather victim drive information.[61]

OwaAuth

OwaAuth has a command to list its directory and logical drives.[42]

Pasam

Pasam creates a backdoor through which remote attackers can retrieve lists of files.[62]

Patchwork

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[63][13]

PinchDuke

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[39]

Pisloader

Pisloader has commands to list drives on the victim machine and to list file information for a given directory.[64]

POORAIM

POORAIM can conduct file browsing.[24]

PowerDuke

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[65]

POWRUNER

POWRUNER may enumerate user directories on a victim.[66]

Prikormka

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[67]

Proxysvc

Proxysvc lists files in directories.[55]

Psylo

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.[59]

Pteranodon

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.[68]

Pupy

Pupy can walk through directories and recursively search for strings in files.[69]

RARSTONE

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.[70]

RedLeaves

RedLeaves can enumerate and search for files and directories.[71][21]

Remsec

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.[72][73][74]

Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions.[75]

RTM

RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.[76]

Shamoon

Shamoon attempts to access the ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the victim with its current privileges.[77]

SHOTPUT

SHOTPUT has a command to obtain a directory listing.[78]

Smoke Loader

Smoke Loader recursively searches through directories for files.[79]

SOUNDBITE

SOUNDBITE is capable of enumerating and manipulating files and directories.[80]

Sowbug

Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[81]

SPACESHIP

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[12]

StreamEx

StreamEx has the ability to enumerate drive types.[82]

SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.[83][84]

TINYTYPHON

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.[10]

TrickBot

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip[85]

Turla

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory.[86]

TYPEFRAME

TYPEFRAME can search directories for files on the victim’s machine.[87]

UPPERCUT

UPPERCUT has the capability to gather the victim's current directory.[88]

USBStealer

USBStealer searches victim drives for files matching certain extensions (".skr",".pkr" or ".key") or names.[89][90]

Volgmer

Volgmer can list directories on a victim.[91]

WINERACK

WINERACK can enumerate files and directories.[24]

WinMM

WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.[92]

XAgentOSX

XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.[93]

yty

yty gathers information on victim’s drives and has a plugin for document listing.[94]

ZLib

ZLib has the ability to enumerate files and drives.[31]

Mitigation

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting [95] tools, like AppLocker, [1] [96] or Software Restriction Policies [97] where appropriate. [98]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

  1. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  2. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  3. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  4. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  5. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  6. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  7. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  8. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  9. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  10. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  11. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  12. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  13. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  14. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  15. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  16. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  17. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  18. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  19. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  20. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  21. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  22. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  23. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  24. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  25. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  26. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  27. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  28. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  29. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  30. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  31. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  32. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  33. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  34. Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  35. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  36. FinFisher. (n.d.). Retrieved December 20, 2017.
  37. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  38. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  39. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  40. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  41. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  42. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  43. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  44. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  45. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  46. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  47. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  48. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  49. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  1. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  2. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  3. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  4. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  6. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  7. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  8. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  9. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  10. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  11. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  12. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  13. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  14. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  15. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  16. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  17. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  18. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  19. Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  20. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  21. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  22. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  23. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  24. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  25. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  26. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  27. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  28. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  29. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  30. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  31. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  32. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  33. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  34. Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  35. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  36. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  37. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  38. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  39. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  40. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  41. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  42. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  43. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  44. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  45. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  46. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  47. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  48. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  49. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.