From enterprise
Jump to: navigation, search

Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with enterprise techniques and may be mapped to Groups.

Software is broken down into three high-level categories:

Tool - Commercial, open-source, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary for malicious purposes that generally is not found on an enterprise system. Examples include PsExec, Metasploit, Mimikatz, etc.

Utility - Software generally available as part of an operating system that is already present in an environment. Adversaries tend to leverage existing functionality on systems to gather information and perform actions. Examples include Windows utilities such as Net, netstat, Tasklist, etc.

Malware - Commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries. Examples include PlugX, CHOPSTICK, etc.

Software List

This is the list of software tracked in ATT&CK:

Software NameAliasesDescription
3PARA RAT3PARA RAT3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.1
4H RAT4H RAT4H RAT is malware that has been used by Putter Panda since at least 2007.1
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.23
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.4
Agent.btzAgent.btzAgent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.5
Arp displays information about a system's Address Resolution Protocol (ARP) cache.6
AutoIt backdoorAutoIt backdoorAutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.7 This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.8
BADNEWSBADNEWSBADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.7
BBSRATBBSRATBBSRAT is malware with remote access tool functionality that has been used in targeted compromises.9
BISCUITBISCUITBISCUIT is a backdoor that has been used by APT1 since as early as 2007.10
BLACKCOFFEEBLACKCOFFEEBLACKCOFFEE is malware that has been used by APT17 since at least 2013.11
BOOTRASHBOOTRASHBOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.12
BS2005BS2005BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.13
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.14
Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it.15
Black Energy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.16
CALENDARCALENDARCALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.10
CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases.17318
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.1718
CachedumpCachedumpCachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.10
CallMeCallMeCallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.19
Carbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.20
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.212223
Cherry PickerCherry PickerCherry Picker is a point of sale (PoS) memory scraper.24
China ChopperChina ChopperChina Chopper is a Web shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.25 It has been used by several threat groups, including Threat Group-3390.4
CloudDuke is malware that was used by APT29 in 2015.2627
Cobalt StrikeCobalt StrikeCobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.28 In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.28
ComRATComRATComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.2930
CosmicDuke is malware that was used by APT29 from 2010 to 2015.26
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.26
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.31
Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi.3233
DerusbiDerusbiDerusbi is malware used by multiple Chinese APT groups.3435 Both Windows and Linux variants have been observed.36
DownPaperDownPaperDownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.37
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.38
DuquDuquDuqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.39
NeD Worm
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.4041
DyreDyreDyre is a Trojan that usually targets banking information.42
ELMERELMERELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.43
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.44
EmissaryEmissaryEmissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.45
Epic is a backdoor that has been used by Turla.46
EvilGrabEvilGrabEvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns.23
FALLCHILLFALLCHILLFALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website.47
FLASHFLOODFLASHFLOODFLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8
FLIPSIDEFLIPSIDEFLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims.48
FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.49
FakeMFakeMFakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.19
FelismusFelismusFelismus is a modular backdoor that has been used by Sowbug.5051
FgdumpFgdumpFgdump is a Windows password hash dumper.10
FinFisherFinFisherFinFisher is a government-grade commercial surveillance reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations.5253
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.54
GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.10
Gazer is a backdoor used by Turla since at least 2016.55
GeminiDukeGeminiDukeGeminiDuke is malware that was used by APT29 from 2009 to 2012.26
H1N1H1N1H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.56
HALFBAKEDHALFBAKEDHALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks.57
HAMMERTOSS is a backdoor that was used by APT29 in 2015.5826
Custom HDoor
HDoor is malware that has been customized and used by the Naikon group.59
HIDEDRVHIDEDRVHIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.3860
HUC Packet Transmit Tool
HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. 61
Token Control
HTTPBrowser is malware that has been used by several threat groups.624 It is believed to be of Chinese origin.35
Hacking Team UEFI RootkitHacking Team UEFI RootkitHacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.63
HelminthHelminthHelminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable.64
Hi-ZorHi-ZorHi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.65
HikitHikitHikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.34
ISMInjectorISMInjectorISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent.66
IxesheIxesheIxeshe is a malware family that has been used since 2009 to attack targets in East Asia.67
JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.2686918
JanicabJanicabJanicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.70
KOMPROGOKOMPROGOKOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management.71
KasidetKasidetKasidet is a backdoor that has been dropped by using malicious VBA macros.72
KomplexKomplexKomplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX7374.
LOWBALLLOWBALLLOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.14
LslsassLslsassLslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.10
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.7576
MatroyshkaMatroyshkaMatroyshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences.7778
MimiPenguinMimiPenguinMimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms.79
MimikatzMimikatzMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.8081
Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.82
MiniDukeMiniDukeMiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.26
Mis-TypeMis-TypeMis-Type is a backdoor hybrid that was used by Dust Storm in 2012.83
MisdatMisdatMisdat is a backdoor that was used by Dust Storm from 2010 to 2011.83
MivastMivastMivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.84
MobileOrderMobileOrderMobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.19
MoonWindMoonWindMoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.85
NETEAGLENETEAGLENETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”8
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.86 Net has a great deal of functionality,87 much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using net use commands, and interacting with services.
Net CrawlerNet Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.88
NetTravelerNetTravelerNetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.89
Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.90
OLDBAIT is a credential harvester used by APT28.1718
OSInfoOSInfoOSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. 91
OnionDukeOnionDukeOnionDuke is malware that was used by APT29 from 2013 to 2015.26
OwaAuthOwaAuthOwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.4
P2P ZeuSP2P ZeuS
Peer-to-Peer ZeuS
Gameover ZeuS
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.92
PHOREALPHOREALPHOREAL is a signature backdoor used by APT32.71
POSHSPYPOSHSPYPOSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors.93
POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.9495
POWRUNERPOWRUNERPOWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.96
Pass-The-Hash ToolkitPass-The-Hash ToolkitPass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems.10
PinchDukePinchDukePinchDuke is malware that was used by APT29 from 2008 to 2010.26
Ping is an operating system utility commonly used to troubleshoot and verify network connections.97
PisloaderPisloaderPisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.98
PlugX is a remote access tool (RAT) that uses modular plugins.99 It has been used by multiple threat groups.1001014
Poison Ivy
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.102
Power LoaderPower Loader
Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz.103104
PowerDukePowerDukePowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.105
PrikormkaPrikormkaPrikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.106
PsExecPsExecPsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.107108
PsyloPsyloPsylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.19
PteranodonPteranodonPteranodon is a custom backdoor used by Gamaredon Group.109
RARSTONERARSTONERARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.110
RIPTIDERIPTIDERIPTIDE is a proxy-aware backdoor used by APT12.111
ROCKBOOTROCKBOOTROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.112
RTMRTMRTM is custom malware written in Delphi. It is used by the group of the same name (RTM).113
RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008.114115116 FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD.48117
ReaverReaverReaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The malware is unique due to its final payload being in the form of a Control panel item.118
RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus.23119
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.120 Utilities such as Reg are known to be used by persistent threats.121
ReginReginRegin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.122
RemoteCMDRemoteCMDRemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. 91
Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.123
ResponderResponderResponder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.124
RoverRoverRover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.125
S-TypeS-TypeS-Type is a backdoor that was used by Dust Storm from 2013 to 2014.83
SEASHARPEESEASHARPEESEASHARPEE is a Web shell that has been used by APT34.126
SHIPSHAPESHIPSHAPESHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8
SHOTPUT is a custom backdoor used by APT3.127
SNUGRIDESNUGRIDESNUGRIDE is a backdoor that has been used by menuPass as first stage malware.119
SOUNDBITESOUNDBITESOUNDBITE is a signature backdoor used by APT32.71
SPACESHIPSPACESHIPSPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.128
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.26
Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.129130
Skeleton KeySkeleton KeySkeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.131 Functionality similar to Skeleton Key is included as a module in Mimikatz.
SslMMSslMMSslMM is a full-featured backdoor used by Naikon that has multiple variants.59
StarloaderStarloaderStarloader is a loader component that has been observed loading Felismus and associated tools.50
StreamExStreamExStreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.132
SykipotSykipotSykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.133 The group using this malware has also been referred to as Sykipot.134
Sys10Sys10Sys10 is a backdoor that was used throughout 2013 by Naikon.59
Systeminfo is a Windows utility that can be used to gather detailed information about a computer.135
T9000T9000T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.136137
TDTESSTDTESSTDTESS is a 64-bit .NET binary backdoor used by CopyKittens.77
TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017.94
TINYTYPHONTINYTYPHONTINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.7
TaidoorTaidoorTaidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.138
TasklistTasklistThe Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.139
TinyZBotTinyZBotTinyZBot is a bot written in C# that was developed by Cleaver.88
TorTorTor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination.140
Trojan.KaraganyTrojan.KaraganyTrojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.15
Trojan.MebromiTrojan.MebromiTrojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.141
TruvasysTruvasysTruvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language.14214353
UACMeUACMeUACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.144
USB Stealer
USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.1452
Unknown LoggerUnknown LoggerUnknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.7
UroburosUroburosUroburos is a rootkit used by Turla.46
VolgmerVolgmerVolgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing.146
WEBC2WEBC2WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server.147
WINDSHIELDWINDSHIELDWINDSHIELD is a signature backdoor used by APT32.71
WinMMWinMMWinMM is a full-featured, simple backdoor used by Naikon.59
Windows Credential EditorWindows Credential Editor
Windows Credential Editor is a password dumping tool.148
WingbirdWingbirdWingbird is a backdoor appears to be a new version of commercial software FinFisher, which is marketed to government agencies. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign.53143
WinntiWinntiWinnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.149150151
WiperWiperWiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.152
XAgentOSXXAgentOSXXAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan.73
XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.1531543
ZLibZLibZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.83
Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.155
at is used to schedule tasks on a system to run at a specified date or time.156
Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.157
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.158 Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir159), deleting files (e.g., del160), and copying files (e.g., copy161).
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.162 It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
gh0stgh0stgh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.163
gsecdumpgsecdumpgsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.164
hcdLoaderhcdLoaderhcdLoader is a remote access tool (RAT) that has been used by APT18.165
httpclienthttpclienthttpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.1
ifconfigifconfigifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.166
ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.167
meekmeekmeek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.
nbtstat is a utility used to troubleshoot NetBIOS name resolution.168
netsh is a scripting utility used to interact with networking components on local or remote systems.169
netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.170
pngdownerpngdownerpngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility.1
pwdumppwdumppwdump is a credential dumper.171
route can be used to find or change information within the local system IP routing table.172
schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.173
xCmdxCmdxCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.174


  1. a b c d  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. a b c  Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  3. a b c  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  4. a b c d e  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  5. ^  Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
  6. ^  Microsoft. (n.d.). Arp. Retrieved April 17, 2016.
  7. a b c d  Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  8. a b c d e  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  9. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  10. a b c d e f g  Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  11. ^  FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  12. ^  Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.
  13. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  14. a b  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  15. a b  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  16. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  17. a b c  FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  18. a b c d  FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  19. a b c d  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  20. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
  21. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  22. ^  Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  23. a b c  PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  24. ^  Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
  25. ^  Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  26. a b c d e f g h i  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  27. ^  Lozhkin, S.. (2015, July 16). Minidionis – one more APT with a usage of cloud drives. Retrieved April 5, 2017.
  28. a b  Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  29. ^  Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  30. ^  Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
  31. ^  Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  32. ^  Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  33. ^  Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  34. a b  Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  35. a b  ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
  36. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  37. ^  ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  38. a b  ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  39. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  40. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  41. ^  ClearSky Cybersecurity. (2016, June 9). Operation DustySky – Part 2. Retrieved August 3, 2016.
  42. ^  Raff, A. (2015, April 30). New Dyre Version- Yet Another Malware Evading Sandboxes. Retrieved July 18, 2016.
  43. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  44. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  45. ^  Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  46. a b  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  47. ^  US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  48. a b  Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  49. ^  Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016.
  50. a b  Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  51. ^  Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  52. ^  FinFisher. (n.d.). Retrieved December 20, 2017.
  53. a b c  Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  54. ^  Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  55. ^  ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  56. ^  Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  57. ^  Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  58. ^  FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  59. a b c d  Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  60. ^  Rascagnères, P.. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved March 9, 2017.
  61. ^  Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.
  62. ^  Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  63. ^  Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
  64. ^  Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  65. ^  Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
  66. ^  Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  67. ^  Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
  68. ^  F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  69. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  70. ^  Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  71. a b c d  Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  72. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  73. a b  Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  74. ^  Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  75. ^  Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
  76. ^  Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  77. a b  ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  78. ^  Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  79. ^  Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.
  80. ^  Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  81. ^  Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
  82. ^  Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.
  83. a b c d  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  84. ^  DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
  85. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  86. ^  Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.
  87. ^  Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  88. a b  Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  89. ^  Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
  90. ^  DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  91. a b  Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  92. ^  SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
  93. ^  Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  94. a b  Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  95. ^  Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  96. ^  Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  97. ^  Microsoft. (n.d.). Ping. Retrieved April 8, 2016.
  98. ^  Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  99. ^  Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  100. ^  Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  101. ^  Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
  102. ^  FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  103. ^  MalwareTech. (2013, August 13). PowerLoader Injection – Something truly amazing. Retrieved December 16, 2017.
  104. ^  Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.
  105. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  106. ^  Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  107. ^  Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
  108. ^  Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.
  109. ^  Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  110. ^  Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  111. ^  Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  112. ^  Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
  113. ^  Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  114. ^  Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  115. ^  TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  116. ^  Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
  117. ^  Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
  118. ^  Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  119. a b  FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  120. ^  Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  121. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  122. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  123. ^  Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
  124. ^  Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
  125. ^  Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  126. ^  Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  127. ^  Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  128. ^  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  129. ^  FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  130. ^  Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  131. ^  Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved February 2, 2015.
  132. ^  Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  133. ^  Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
  134. ^  Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
  135. ^  Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
  136. ^  Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.
  137. ^  Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  138. ^  Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  139. ^  Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  140. ^  Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  141. ^  Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.
  142. ^  Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.
  143. a b  Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
  144. ^  UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  145. ^  Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  146. ^  US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  147. ^  Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  148. ^  Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.
  149. ^  Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  150. ^  Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  151. ^  Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  152. ^  Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.
  153. ^  Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  154. ^  Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  155. ^  Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
  156. ^  Microsoft. (n.d.). At. Retrieved April 28, 2016.
  157. ^  Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  158. ^  Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  159. ^  Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  160. ^  Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  161. ^  Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  162. ^  Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
  163. ^  FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  164. ^  TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
  165. ^  Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  166. ^  Wikipedia. (2016, January 26). ifconfig. Retrieved April 17, 2016.
  167. ^  Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.
  168. ^  Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.
  169. ^  Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  170. ^  Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.
  171. ^  Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.
  172. ^  Microsoft. (n.d.). Route. Retrieved April 17, 2016.
  173. ^  Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
  174. ^  Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.