Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
On Windows, adversaries may use various utilities to download tools, such as copy
, finger
, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as curl
, scp
, sftp
, tftp
, rsync
, finger
, and wget
.[1]
Adversaries may also abuse installers and package managers, such as yum
or winget
, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows search-ms
protocol handler, to deliver malicious files to victims through remote file searches invoked by User Execution (typically after interacting with Phishing lures).[2]
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.[3] In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.[4]
ID | Name | Description |
---|---|---|
C0028 | 2015 Ukraine Electric Power Attack |
During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. [5] |
S0469 | ABK | |
S1028 | Action RAT |
Action RAT has the ability to download additional payloads onto an infected machine.[7] |
S0331 | Agent Tesla |
Agent Tesla can download additional files for execution on the victim’s machine.[8][9] |
S0092 | Agent.btz |
Agent.btz attempts to download an encrypted binary from a specified domain.[10] |
G0130 | Ajax Security Team |
Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[11] |
S1025 | Amadey |
Amadey can download and execute files to further infect a host machine with additional malware.[12] |
S0504 | Anchor | |
G0138 | Andariel |
Andariel has downloaded additional tools and malware onto compromised hosts.[15] |
S1074 | ANDROMEDA | |
G0099 | APT-C-36 |
APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[17] |
G0026 | APT18 | |
G0007 | APT28 |
APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[19][20][21][22][23] |
G0016 | APT29 |
APT29 has downloaded additional tools and malware onto compromised networks.[24][25][26][27] |
G0022 | APT3 | |
G0050 | APT32 |
APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[29] |
G0064 | APT33 |
APT33 has downloaded additional files and programs from its C2 server.[30][31] |
G0067 | APT37 |
APT37 has downloaded second stage malware from compromised websites.[32][33][34][35] |
G0082 | APT38 |
APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[36] |
G0087 | APT39 | |
G0096 | APT41 |
APT41 used certutil to download additional files.[39][40][41] APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.[42] |
G0143 | Aquatic Panda |
Aquatic Panda has downloaded additional malware onto compromised hosts.[43] |
S0456 | Aria-body |
Aria-body has the ability to download additional payloads from C2.[44] |
S0373 | Astaroth |
Astaroth uses certutil and BITSAdmin to download additional malware. [45][46][47] |
S1087 | AsyncRAT | |
S0438 | Attor |
Attor can download additional plugins, updates and other files. [49] |
S0347 | AuditCred | |
S0473 | Avenger |
Avenger has the ability to download files from C2 to a compromised host.[6] |
S0344 | Azorult |
Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[51][52] |
S0414 | BabyShark |
BabyShark has downloaded additional files from the C2.[53][54] |
S0475 | BackConfig |
BackConfig can download and execute additional payloads on a compromised host.[55] |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea can download additional modules from C2.[56] |
G0135 | BackdoorDiplomacy |
BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[57] |
S0642 | BADFLICK | |
S1081 | BADHATCH |
BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.[59] |
S0128 | BADNEWS |
BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[60][61][62] |
S0337 | BadPatch | |
S0234 | Bandook | |
S0239 | Bankshot |
Bankshot uploads files and secondary payloads to the victim's machine.[65] |
S0534 | Bazar |
Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[66][67][68][69] |
S0470 | BBK |
BBK has the ability to download files from C2 to the infected host.[6] |
S0574 | BendyBear |
BendyBear is designed to download an implant from a C2 server.[70] |
S0017 | BISCUIT |
BISCUIT has a command to download a file from the C2 server.[71] |
S0268 | Bisonal |
Bisonal has the capability to download files to execute on the victim’s machine.[72][73][74] |
S0190 | BITSAdmin |
BITSAdmin can be used to create BITS Jobs to upload and/or download files.[75] |
G1002 | BITTER |
BITTER has downloaded additional malware and tools onto a compromised host.[76][77] |
S0564 | BlackMould |
BlackMould has the ability to download files to the victim's machine.[78] |
S0520 | BLINDINGCAN |
BLINDINGCAN has downloaded files to a victim machine.[79] |
S0657 | BLUELIGHT | |
S0486 | Bonadan |
Bonadan can download additional modules from the C2 server.[80] |
S0360 | BONDUPDATER |
BONDUPDATER can download or upload files from its C2 server.[81] |
S0635 | BoomBox |
BoomBox has the ability to download next stage malware components to a compromised system.[82] |
S0651 | BoxCaon | |
S0204 | Briba | |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[85] |
S1063 | Brute Ratel C4 |
Brute Ratel C4 can download files to compromised hosts.[86] |
S0471 | build_downer |
build_downer has the ability to download files from C2 to the infected host.[6] |
S1039 | Bumblebee |
Bumblebee can download and execute additional payloads including through the use of a |
S0482 | Bundlore |
Bundlore can download and execute new versions of itself.[90] |
S1118 | BUSHWALK |
BUSHWALK can write malicious payloads sent through a web request’s command parameter.[91][92] |
C0010 | C0010 |
During C0010, UNC3890 actors downloaded tools and malware onto a compromised host.[93] |
C0015 | C0015 |
During C0015, the threat actors downloaded additional tools and files onto a compromised network.[94] |
C0017 | C0017 |
During C0017, APT41 downloaded malicious payloads onto compromised systems.[95] |
C0018 | C0018 |
During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network.[96][97] |
C0021 | C0021 |
During C0021, the threat actors downloaded additional tools and files onto victim machines.[98][99] |
C0026 | C0026 |
During C0026, the threat actors downloaded malicious payloads onto select compromised hosts.[16] |
C0027 | C0027 |
During C0027, Scattered Spider downloaded tools using victim organization systems.[100] |
S0274 | Calisto |
Calisto has the capability to upload and download files to the victim's machine.[101] |
S0077 | CallMe |
CallMe has the capability to download a file to the victim from the C2 server.[102] |
S0351 | Cannon | |
S0484 | Carberp |
Carberp can download and execute new plugins from the C2 server. [104][105] |
S0348 | Cardinal RAT |
Cardinal RAT can download and execute additional payloads.[106] |
S0465 | CARROTBALL |
CARROTBALL has the ability to download and install a remote payload.[107] |
S0462 | CARROTBAT |
CARROTBAT has the ability to download and execute a remote file via certutil.[108] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell has a module to download and upload files to the system.[109] |
S0160 | certutil |
certutil can be used to download files from a given URL.[110][111] |
S0631 | Chaes |
Chaes can download additional files onto an infected machine.[112] |
S0674 | CharmPower |
CharmPower has the ability to download additional modules to a compromised host.[113] |
S0144 | ChChes |
ChChes is capable of downloading files, including additional modules.[114][115][116] |
G0114 | Chimera |
Chimera has remotely copied tools and malware onto targeted systems.[117] |
S0020 | China Chopper |
China Chopper's server component can download remote files.[118][119][120][121][122] |
S0023 | CHOPSTICK |
CHOPSTICK is capable of performing remote file transmission.[123] |
S0667 | Chrommme | |
G1021 | Cinnamon Tempest |
Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts.[125] |
S0054 | CloudDuke |
CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[26] |
S0106 | cmd |
cmd can be used to copy files to/from a remotely connected external system.[126] |
G0080 | Cobalt Group |
Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[127][3] The group's JavaScript backdoor is also capable of downloading files.[128] |
S0154 | Cobalt Strike |
Cobalt Strike can deliver additional payloads to victim machines.[129][130] |
S0369 | CoinTicker |
CoinTicker executes a Python script to download its second stage.[131] |
S0608 | Conficker |
Conficker downloads an HTTP server to the infected machine.[132] |
G0142 | Confucius |
Confucius has downloaded additional files and payloads onto a compromised host following initial access.[133][134] |
S0492 | CookieMiner |
CookieMiner can download additional scripts from a web server.[135] |
S0137 | CORESHELL |
CORESHELL downloads another dropper from its C2 server.[136] |
S0614 | CostaBricks |
CostaBricks has been used to load SombRAT onto a compromised host.[137] |
C0004 | CostaRicto |
During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.[137] |
S1023 | CreepyDrive |
CreepyDrive can download files to the compromised host.[138] |
S0115 | Crimson |
Crimson contains a command to retrieve files from its C2 server.[139][140][141] |
S0498 | Cryptoistic |
Cryptoistic has the ability to send and receive files.[142] |
S0527 | CSPY Downloader |
CSPY Downloader can download additional tools to a compromised host.[143] |
S0625 | Cuba | |
C0029 | Cutting Edge |
During Cutting Edge, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs.[145] |
S0687 | Cyclops Blink |
Cyclops Blink has the ability to download files to target systems.[146][147] |
S0497 | Dacls | |
S1014 | DanBot |
DanBot can download additional files to a targeted system.[149] |
S0334 | DarkComet |
DarkComet can load any files onto the infected machine to execute.[150][151] |
S1111 | DarkGate |
DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.[152] DarkGate uses Windows Batch scripts executing the |
G0012 | Darkhotel |
Darkhotel has used first-stage payloads that download additional malware from C2 servers.[154] |
S1066 | DarkTortilla |
DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[155] |
S0187 | Daserf | |
S0255 | DDKONG |
DDKONG downloads and uploads files on the victim’s machine.[157] |
S0616 | DEATHRANSOM |
DEATHRANSOM can download files to a compromised host.[158] |
S0354 | Denis |
Denis deploys additional backdoors and hacking tools to the system.[159] |
S0659 | Diavol |
Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.[160] |
S0200 | Dipsind | |
S1088 | Disco | |
S1021 | DnsSystem |
DnsSystem can download files to compromised systems after receiving a command with the string |
S0213 | DOGCALL | |
S0600 | Doki | |
S0695 | Donut |
Donut can download and execute previously staged shellcode payloads.[166] |
S0472 | down_new |
down_new has the ability to download files to the compromised host.[6] |
S0134 | Downdelph |
After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[167] |
G0035 | Dragonfly |
Dragonfly has copied and installed tools for operations once in the victim environment.[168] |
S0694 | DRATzarus |
DRATzarus can deploy additional tools onto an infected machine.[169] |
S0547 | DropBook |
DropBook can download and execute additional files.[170][171] |
S0502 | Drovorub | |
S0567 | Dtrack |
Dtrack’s can download and upload a file to the victim’s computer.[173][174] |
S0024 | Dyre |
Dyre has a command to download and executes additional files.[175] |
S0624 | Ecipekac |
Ecipekac can download additional payloads to a compromised host.[176] |
S0554 | Egregor |
Egregor has the ability to download files from its C2 server.[177][178] |
G0066 | Elderwood |
The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[179] |
S0081 | Elise |
Elise can download additional files from the C2 server for execution.[180] |
G1003 | Ember Bear |
Ember Bear has used tools to download malicious code.[181] |
S0082 | Emissary |
Emissary has the capability to download files from the C2 server.[182] |
S0363 | Empire |
Empire can upload and download to and from a victim machine.[183] |
S0404 | esentutl | |
S0396 | EvilBunny |
EvilBunny has downloaded additional Lua scripts from the C2.[185] |
S0568 | EVILNUM |
EVILNUM can download and upload files to the victim's computer.[186][187] |
G0120 | Evilnum |
Evilnum can deploy additional components or tools as needed.[186] |
S0401 | Exaramel for Linux |
Exaramel for Linux has a command to download a file from and to a remote C2 server.[188][189] |
S0569 | Explosive |
Explosive has a function to download a file to the infected system.[190] |
S0171 | Felismus | |
S0267 | FELIXROOT |
FELIXROOT downloads and uploads files to and from the victim’s machine.[192][193] |
G1016 | FIN13 |
FIN13 has downloaded additional tools and malware to compromised systems.[194][195] |
G0046 | FIN7 |
FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[196][197][198] |
G0061 | FIN8 |
FIN8 has used remote code execution to download subsequent payloads.[199][200] |
S0696 | Flagpro |
Flagpro can download additional malware from the C2 server.[201] |
S0381 | FlawedAmmyy |
FlawedAmmyy can transfer files from C2.[202] |
S0661 | FoggyWeb |
FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.[203] |
G0117 | Fox Kitten |
Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[204] |
C0001 | Frankenstein |
During Frankenstein, the threat actors downloaded files and tools onto a victim machine.[205] |
S0095 | ftp |
ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.[206][207] |
S1044 | FunnyDream |
FunnyDream can download additional files onto a compromised host.[208] |
C0007 | FunnyDream |
During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.[208] |
S0628 | FYAnti |
FYAnti can download additional payloads to a compromised host.[176] |
G0093 | GALLIUM |
GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[209][78] |
G0047 | Gamaredon Group |
Gamaredon Group has downloaded additional malware and tools onto a compromised host.[210][211][212][213] |
S0168 | Gazer | |
S0666 | Gelsemium |
Gelsemium can download additional plug-ins to a compromised host.[124] |
S0032 | gh0st RAT |
gh0st RAT can download files to the victim’s machine.[216][217] |
S0249 | Gold Dragon |
Gold Dragon can download additional components from the C2 server.[218] |
S0493 | GoldenSpy |
GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[219] |
S0588 | GoldMax |
GoldMax can download and execute additional files.[220][221] |
G0078 | Gorgon Group |
Gorgon Group malware can download additional files from C2 servers.[222] |
S0531 | Grandoreiro |
Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[223][224] |
S0342 | GreyEnergy |
GreyEnergy can download additional modules and payloads.[193] |
S0632 | GrimAgent |
GrimAgent has the ability to download and execute additional payloads.[225] |
S0561 | GuLoader |
GuLoader can download further malware for execution on the victim's machine.[226] |
S0132 | H1N1 |
H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[227] |
G0125 | HAFNIUM |
HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[228][121] |
S0499 | Hancitor |
Hancitor has the ability to download additional files from C2.[229] |
S0214 | HAPPYWORK |
can download and execute a second-stage payload.[32] |
S0170 | Helminth | |
G1001 | HEXANE |
HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.[231] |
S0087 | Hi-Zor |
Hi-Zor has the ability to upload and download files from its C2 server.[232] |
S0394 | HiddenWasp |
HiddenWasp downloads a tar compressed archive from a download server to the system.[233] |
S0009 | Hikit |
Hikit has the ability to download files to a compromised host.[234] |
S0601 | Hildegard |
Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.[235] |
S0376 | HOPLIGHT |
HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[236] |
S0431 | HotCroissant |
HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[237] |
S0070 | HTTPBrowser |
HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[238] |
S0203 | Hydraq |
Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[239][240] |
S0398 | HyperBro | |
S0483 | IcedID |
IcedID has the ability to download additional modules and a configuration file from C2.[242][243] |
G0136 | IndigoZebra |
IndigoZebra has downloaded additional files and tools from its C2 server.[83] |
G0119 | Indrik Spider |
Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[244][245] |
S0604 | Industroyer |
Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[246] |
S0260 | InvisiMole |
InvisiMole can upload files to the victim's machine for operations.[247][248] |
S0015 | Ixeshe | |
S0528 | Javali | |
S0044 | JHUHUGIT |
JHUHUGIT can retrieve an additional payload from its C2 server.[250][251] JHUHUGIT has a command to download files to the victim’s machine.[252] |
S0201 | JPIN | |
S0283 | jRAT | |
S0648 | JSS Loader |
JSS Loader has the ability to download malicious executables to a compromised host.[256] |
S0215 | KARAE |
KARAE can upload and download files, including second-stage malware.[32] |
S0088 | Kasidet |
Kasidet has the ability to download and execute additional files.[257] |
S0265 | Kazuar |
Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[258] |
G0004 | Ke3chang |
Ke3chang has used tools to download files to compromised machines.[259] |
S0585 | Kerrdown |
Kerrdown can download specific payloads to a compromised host based on OS architecture.[260] |
S0487 | Kessel |
Kessel can download additional modules from the C2 server.[80] |
S1020 | Kevin | |
S0387 | KeyBoy | |
S0271 | KEYMARBLE |
KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[263] |
S0526 | KGH_SPY |
KGH_SPY has the ability to download and execute code from remote servers.[143] |
G0094 | Kimsuky |
Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.[40][264] |
S0599 | Kinsing |
Kinsing has downloaded additional lateral movement scripts from C2.[265] |
S0437 | Kivars | |
S0250 | Koadic | |
S0669 | KOCTOPUS |
KOCTOPUS has executed a PowerShell command to download a file to the system.[268] |
S0356 | KONNI |
KONNI can download files and execute them on the victim’s machine.[269][270] |
S0236 | Kwampirs | |
G0032 | Lazarus Group |
Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.[272][273][274][142][148][275][276][277][278][279] |
G0140 | LazyScripter |
LazyScripter had downloaded additional tools to a compromised host.[268] |
G0065 | Leviathan |
Leviathan has downloaded additional scripts and files from adversary-controlled servers.[280][118] |
S0395 | LightNeuron |
LightNeuron has the ability to download and execute additional files.[281] |
S0211 | Linfo |
Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[282] |
S0513 | LiteDuke | |
S0680 | LitePower |
LitePower has the ability to download payloads containing system commands to a compromised host.[284] |
S0681 | Lizar |
Lizar can download additional plugins, files, and tools.[285] |
S0447 | Lokibot |
Lokibot downloaded several staged items onto the victim's machine.[286] |
S0451 | LoudMiner | |
S0042 | LOWBALL |
LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[288] |
S0532 | Lucifer |
Lucifer can download and execute a replica of itself using certutil.[289] |
G1014 | LuminousMoth |
LuminousMoth has downloaded additional malware and tools onto a compromised host.[290][291] |
S0409 | Machete |
Machete can download additional files for execution on the victim’s machine.[292] |
S1016 | MacMa |
MacMa has downloaded additional files, including an exploit for used privilege escalation.[293][294] |
S1048 | macOS.OSAMiner |
macOS.OSAMiner has used |
S1060 | Mafalda |
Mafalda can download additional files onto the compromised host.[295] |
G0059 | Magic Hound |
Magic Hound has downloaded additional code and files from servers onto victims.[296][297][298][299] |
S0652 | MarkiRAT |
MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[300] |
S0500 | MCMD |
MCMD can upload additional files to a compromised host.[301] |
S0459 | MechaFlounder |
MechaFlounder has the ability to upload and download files to and from a compromised host.[302] |
S0530 | Melcoz |
Melcoz has the ability to download additional files to a compromised host.[47] |
G0045 | menuPass |
menuPass has installed updates and new malware on victims.[303][304] |
G1013 | Metador |
Metador has downloaded tools and malware onto a compromised system.[305] |
S1059 | metaMain |
metaMain can download files onto compromised systems.[305][295] |
S0455 | Metamorfo |
Metamorfo has used MSI files to download additional files to execute.[306][307][308][309] |
S0688 | Meteor |
Meteor has the ability to download additional files for execution on the victim's machine.[310] |
S0339 | Micropsia |
Micropsia can download and execute an executable from the C2 server.[311][312] |
S1015 | Milan |
Milan has received files from C2 and stored them in log folders beginning with the character sequence |
S0051 | MiniDuke |
MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[314][283] |
S0084 | Mis-Type |
Mis-Type has downloaded additional malware and files onto a compromised host.[315] |
S0083 | Misdat | |
S0080 | Mivast |
Mivast has the capability to download and execute .exe files.[316] |
S0079 | MobileOrder |
MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[102] |
S0553 | MoleNet | |
G0021 | Molerats |
Molerats used executables to download malicious files from different sources.[317][318] |
S1026 | Mongall | |
S0284 | More_eggs |
More_eggs can download and launch additional payloads.[320][321] |
G1009 | Moses Staff |
Moses Staff has downloaded and installed web shells to following path |
S0256 | Mosquito | |
G0069 | MuddyWater |
MuddyWater has used malware that can upload additional files to the victim’s machine.[324][325][326][327] |
G0129 | Mustang Panda |
Mustang Panda has downloaded additional executables following the initial infection stage.[328] |
G1020 | Mustard Tempest |
Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts.[329] |
S0228 | NanHaiShu | |
S0336 | NanoCore |
NanoCore has the capability to download and activate additional modules for execution.[330][331] |
S0247 | NavRAT | |
S0272 | NDiskMonitor |
NDiskMonitor can download and execute a file from given URL.[62] |
S0630 | Nebulae | |
S0691 | Neoichor |
Neoichor can download additional files onto a compromised host.[259] |
S0210 | Nerex |
Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[179] |
S0457 | Netwalker |
Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[334] |
S0198 | NETWIRE |
NETWIRE can downloaded payloads from C2 to the compromised host.[335][336] |
S0118 | Nidiran | |
C0002 | Night Dragon |
During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[338] |
S1090 | NightClub |
NightClub can load multiple additional plugins on an infected host.[162] |
S0385 | njRAT | |
S0353 | NOKKI | |
G0133 | Nomadic Octopus |
Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[342] |
S0340 | Octopus |
Octopus can download additional files and tools onto the victim’s machine.[343][344][342] |
G0049 | OilRig | |
S0439 | Okrum |
Okrum has built-in commands for uploading, downloading, and executing files to the system.[346] |
S0264 | OopsIE |
OopsIE can download files from its C2 server to the victim's machine.[347][348] |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[169][349][350] |
C0006 | Operation Honeybee |
During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.[351] |
C0013 | Operation Sharpshooter |
During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.[352] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors downloaded additional files to the infected system.[353] |
S0229 | Orz | |
S0402 | OSX/Shlayer |
OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the |
S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[358][359] |
S1017 | OutSteel | |
S0598 | P.A.S. Webshell |
P.A.S. Webshell can upload and download files to and from compromised hosts.[189] |
S0626 | P8RAT |
P8RAT can download additional payloads to a target system.[176] |
S0664 | Pandora |
Pandora can load additional drivers and files onto a victim machine.[360] |
S0208 | Pasam |
Pasam creates a backdoor through which remote attackers can upload files.[361] |
G0040 | Patchwork |
Patchwork payloads download additional files from the C2 server.[362][62] |
S0587 | Penquin |
Penquin can execute the command code |
S0643 | Peppy | |
S0501 | PipeMon |
PipeMon can install additional modules via C2 commands.[364] |
S0124 | Pisloader |
Pisloader has a command to upload a file to the victim machine.[365] |
S0254 | PLAINTEE |
PLAINTEE has downloaded and executed additional plugins.[157] |
G0068 | PLATINUM |
PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[366] |
S0435 | PLEAD |
PLEAD has the ability to upload and download files to and from an infected host.[367] |
S0013 | PlugX |
PlugX has a module to download and execute files on the compromised machine.[368][369] |
S0428 | PoetRAT |
PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.[370][371] |
S0012 | PoisonIvy |
PoisonIvy creates a backdoor through which remote attackers can upload files.[372] |
S0518 | PolyglotDuke |
PolyglotDuke can retrieve payloads from the C2 server.[283] |
S0453 | Pony |
Pony can download additional files onto the infected system.[373] |
S0150 | POSHSPY |
POSHSPY downloads and executes additional PowerShell code and Windows binaries.[374] |
S0139 | PowerDuke | |
S1012 | PowerLess |
PowerLess can download additional payloads to a compromised host.[376] |
S0685 | PowerPunch |
PowerPunch can download payloads from adversary infrastructure.[213] |
S0145 | POWERSOURCE |
POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[377] |
S0223 | POWERSTATS |
POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[378] |
S0184 | POWRUNER |
POWRUNER can download or upload files from its C2 server.[345] |
S0613 | PS1 |
CostaBricks can download additional payloads onto a compromised host.[137] |
S0078 | Psylo |
Psylo has a command to download a file to the system from its C2 server.[102] |
S0147 | Pteranodon |
Pteranodon can download and execute additional files.[210][379][380] |
S0196 | PUNCHBUGGY |
PUNCHBUGGY can download additional files and payloads to compromised hosts.[381][382] |
S0192 | Pupy | |
S0650 | QakBot |
QakBot has the ability to download additional components and malware.[384][385][386][387][388][389] |
S0262 | QuasarRAT |
QuasarRAT can download files to the victim’s machine and execute them.[390][391] |
S0686 | QuietSieve |
QuietSieve can download and execute payloads on a target host.[213] |
S0629 | RainyDay | |
G0075 | Rancor |
Rancor has downloaded additional malware, including by using certutil.[157] |
S0055 | RARSTONE |
RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[392] |
S0241 | RATANKBA | |
S0662 | RCSession |
RCSession has the ability to drop additional files to an infected machine.[395] |
S0495 | RDAT | |
S0153 | RedLeaves |
RedLeaves is capable of downloading a file from a specified URL.[397] |
S0511 | RegDuke | |
S0332 | Remcos |
Remcos can upload and download files to and from the victim’s machine.[398] |
S0166 | RemoteCMD |
RemoteCMD copies a file over to the remote system before execution.[399] |
S0592 | RemoteUtilities |
RemoteUtilities can upload and download files to and from a target machine.[327] |
S0125 | Remsec |
Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[400][401] |
S0379 | Revenge RAT |
Revenge RAT has the ability to upload and download files.[402] |
S0496 | REvil |
REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[403][404][405] |
S0258 | RGDoor |
RGDoor uploads and downloads files to and from the victim’s machine.[406] |
G0106 | Rocke |
Rocke used malware to download additional malicious files to the target system.[407] |
S0270 | RogueRobin |
RogueRobin can save a new file to the system from the C2 server.[408][409] |
S0240 | ROKRAT |
ROKRAT can retrieve additional malicious payloads from its C2 server.[410][411][35][412] |
S0148 | RTM | |
S0085 | S-Type |
S-Type can download additional files onto a compromised host.[315] |
S1018 | Saint Bot |
Saint Bot can download additional files onto a compromised host.[181] |
S0074 | Sakula | |
S1099 | Samurai |
Samurai has been used to deploy other malware including Ninja.[122] |
G0034 | Sandworm Team |
Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[416][417] |
S1085 | Sardonic |
Sardonic has the ability to upload additional malicious files to a compromised machine.[418] |
S0461 | SDBbot |
SDBbot has the ability to download a DLL from C2 to a compromised host.[419] |
S0053 | SeaDuke | |
S0345 | Seasalt | |
S0185 | SEASHARPEE |
SEASHARPEE can download remote files onto victims.[421] |
S0382 | ServHelper |
ServHelper may download additional files to execute.[422][423] |
S0639 | Seth-Locker |
Seth-Locker has the ability to download and execute files on a compromised host.[424] |
S0596 | ShadowPad | |
S0140 | Shamoon |
Shamoon can download an executable to run on the victim.[426] |
S1019 | Shark |
Shark can download additional files from its C2 via HTTP or DNS.[313][427] |
S1089 | SharpDisco |
SharpDisco has been used to download a Python interpreter to |
S0546 | SharpStage |
SharpStage has the ability to download and execute additional payloads via a DropBox API.[170][171] |
S0450 | SHARPSTATS |
SHARPSTATS has the ability to upload and download files.[428] |
S0444 | ShimRat | |
S0445 | ShimRatReporter |
ShimRatReporter had the ability to download additional payloads.[429] |
S0217 | SHUTTERSPEED |
SHUTTERSPEED can download and execute an arbitary executable.[32] |
S0589 | Sibot |
Sibot can download and execute a payload onto a compromised system.[220] |
G1008 | SideCopy |
SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.[7] |
S0610 | SideTwist |
SideTwist has the ability to download additional files.[430] |
G0121 | Sidewinder |
Sidewinder has used LNK files to download remote files to the victim's network.[431][432] |
G0091 | Silence |
Silence has downloaded additional modules and malware to victim’s machines.[433] |
S0692 | SILENTTRINITY |
SILENTTRINITY can load additional files and tools, including Mimikatz.[434] |
S0468 | Skidmap |
Skidmap has the ability to download files on an infected host.[435] |
S1110 | SLIGHTPULSE |
RAPIDPULSE can transfer files to and from compromised hosts.[436] |
S0633 | Sliver |
Sliver can upload files from the C2 server to the victim machine using the |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has downloaded files onto a victim machine.[438] |
S0218 | SLOWDRIFT | |
S1035 | Small Sieve |
Small Sieve has the ability to download files.[439] |
S0226 | Smoke Loader |
Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[440] |
S0649 | SMOKEDHAM |
SMOKEDHAM has used Powershell to download UltraVNC and ngrok from third-party file sharing sites.[441] |
S1086 | Snip3 |
Snip3 can download additional payloads to compromised systems.[442][443] |
S1124 | SocGholish |
SocGholish can download additional malware to infected hosts.[444][445] |
S0627 | SodaMaster |
SodaMaster has the ability to download additional payloads from C2 to the targeted system.[176] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access.[446] |
S0615 | SombRAT |
SombRAT has the ability to download and execute additional payloads.[137][158][447] |
S0516 | SoreFang |
SoreFang can download additional payloads from C2.[448][449] |
S0374 | SpeakUp |
SpeakUp downloads and executes additional files from a remote server. [450] |
S0646 | SpicyOmelette |
SpicyOmelette can download malicious files from threat actor controlled AWS URL's.[451] |
S0390 | SQLRat |
SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[452] |
S1030 | Squirrelwaffle |
Squirrelwaffle has downloaded and executed additional encoded payloads.[453][454] |
S1112 | STEADYPULSE |
STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.[455] |
S0380 | StoneDrill |
StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.[456] |
S1034 | StrifeWater |
StrifeWater can download updates and auxiliary modules.[457] |
S0491 | StrongPity |
StrongPity can download files to specified targets.[458] |
S0559 | SUNBURST |
SUNBURST delivered different payloads, including TEARDROP in at least one instance.[446] |
S1064 | SVCReady |
SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.[459] |
S0663 | SysUpdate |
SysUpdate has the ability to download files to a compromised host.[360][460] |
G1018 | TA2541 |
TA2541 has used malicious scripts and macros with the ability to download additional payloads.[461] |
G0092 | TA505 |
TA505 has downloaded additional malware to execute on victim systems.[462][423][463] |
G0127 | TA551 |
TA551 has retrieved DLLs and installer binaries for malware execution from C2.[464] |
S0011 | Taidoor |
Taidoor has downloaded additional files onto a compromised host.[465] |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE can download additional modules from its C2 server.[466] |
S0164 | TDTESS |
TDTESS has a command to download and execute an additional file.[467] |
G0139 | TeamTNT |
TeamTNT has the |
S0595 | ThiefQuest |
ThiefQuest can download and execute payloads in-memory or from disk.[470] |
G0027 | Threat Group-3390 |
Threat Group-3390 has downloaded additional malware and tools, including through the use of |
S0665 | ThreatNeedle |
ThreatNeedle can download additional tools to enable lateral movement.[275] |
S0668 | TinyTurla |
TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[472] |
S0671 | Tomiris |
Tomiris can download files and execute them on a victim's system.[473] |
G0131 | Tonto Team |
Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[474] |
S0266 | TrickBot |
TrickBot downloads several additional files and saves them to the victim's machine.[475][476] |
S0094 | Trojan.Karagany |
Trojan.Karagany can upload, download, and execute files on the victim.[477][478] |
G0081 | Tropic Trooper |
Tropic Trooper has used a delivered trojan to download additional files.[479] |
S0436 | TSCookie |
TSCookie has the ability to upload and download files to and from the infected host.[480] |
S0647 | Turian |
Turian can download additional files and tools from its C2.[57] |
G0010 | Turla |
Turla has used shellcode to download Meterpreter after compromising a victim.[481] |
S0199 | TURNEDUP | |
S0263 | TYPEFRAME |
TYPEFRAME can upload and download files to the victim’s machine.[483] |
S0333 | UBoatRAT |
UBoatRAT can upload and download files to the victim’s machine.[484] |
S0130 | Unknown Logger |
Unknown Logger is capable of downloading remote files.[60] |
S0275 | UPPERCUT |
UPPERCUT can download and upload files to and from the victim’s machine.[485] |
S0022 | Uroburos |
Uroburos can use a |
S0386 | Ursnif |
Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[487][488] |
S0476 | Valak |
Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[489][490] |
S0636 | VaporRage |
VaporRage has the ability to download malicious shellcode to compromised systems.[82] |
S0207 | Vasport | |
S0442 | VBShower |
VBShower has the ability to download VBS files to the target computer.[492] |
S0257 | VERMIN |
VERMIN can download and upload files to the victim's machine.[493] |
G0123 | Volatile Cedar |
Volatile Cedar can deploy additional tools.[109] |
S0180 | Volgmer |
Volgmer can download remote files and additional payloads to the victim's machine.[494][495][496] |
S0670 | WarzoneRAT |
WarzoneRAT can download and execute additional files.[497] |
S0579 | Waterbear |
Waterbear can receive and load executables from remote C2 servers.[498] |
S0109 | WEBC2 | |
S0515 | WellMail |
WellMail can receive data and executable scripts from C2.[500] |
S0514 | WellMess | |
S0689 | WhisperGate |
WhisperGate can download additional stages of malware from a Discord CDN channel.[502][503][504][505] |
G0107 | Whitefly |
Whitefly has the ability to download additional tools from the C2.[506] |
S0206 | Wiarp |
Wiarp creates a backdoor through which remote attackers can download files.[507] |
G0112 | Windshift |
Windshift has used tools to deploy additional payloads to compromised hosts.[508] |
S0430 | Winnti for Linux |
Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [509] |
S0141 | Winnti for Windows |
The Winnti for Windows dropper can place malicious payloads on targeted systems.[510] |
G0044 | Winnti Group |
Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.[511] |
S1115 | WIREFIRE |
WIREFIRE has the ability to download files to compromised devices.[512] |
G0090 | WIRTE |
WIRTE has downloaded PowerShell code from the C2 server to be executed.[513] |
G0102 | Wizard Spider |
Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.[514] |
S1065 | Woody RAT |
Woody RAT can download files from its C2 server, including the .NET DLLs, |
S0341 | Xbash |
Xbash can download additional malicious files from its C2 server.[516] |
S0653 | xCaon |
xCaon has a command to download files to the victim's machine.[83] |
S0658 | XCSSET |
XCSSET downloads browser specific AppleScript modules using a constructed URL with the |
S0388 | YAHOYAH |
YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[518] |
S0251 | Zebrocy |
Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[519][103][520][21] |
S0230 | ZeroT |
ZeroT can download additional payloads onto the victim.[521] |
S0330 | Zeus Panda |
Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[522] |
S1114 | ZIPLINE |
ZIPLINE can download files to be saved on the compromised system.[512][91] |
G0128 | ZIRCONIUM |
ZIRCONIUM has used tools to download malicious files to compromised hosts.[523] |
S0086 | ZLib | |
S0672 | Zox | |
S0412 | ZxShell |
ZxShell has a command to transfer files from a remote host.[524] |
S1013 | ZxxZ |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[525] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for suspicious activity associated with downloading external content. |
DS0022 | File | File Creation |
Monitor for file creation and files transferred into the network |
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts or creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. |
Network Traffic Content |
Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs. |
||
Network Traffic Flow |
Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |