Software

From ATT&CK
Jump to: navigation, search

Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with ATT&CK techniques and may be mapped to Groups.

Software List

This is the list of software tracked in ATT&CK:

Software NameAliasesDescription
3PARA RAT3PARA RAT3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.1
4H RAT4H RAT4H RAT is malware that has been used by Putter Panda since at least 2007.1
ADVSTORESHELLADVSTORESHELL
NETUI
EVILTOSS
AZZY
Sedreco
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.23
ASPXSpyASPXSpy
ASPXTool
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.4
Agent.btzAgent.btzAgent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.5
ArpArp
arp.exe
Arp displays information about a system's Address Resolution Protocol (ARP) cache.6
AutoItAutoItAutoIt is a backdoor that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.7
BACKSPACEBACKSPACE
Lecna
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.8
BADNEWSBADNEWSBADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.7
BBSRATBBSRATBBSRAT is malware with remote access tool functionality that has been used in targeted compromises.9
BISCUITBISCUITBISCUIT is a backdoor that has been used by APT1 since as early as 2007.10
BLACKCOFFEEBLACKCOFFEEBLACKCOFFEE is malware that has been used by APT17 since at least 2013.11
BOOTRASHBOOTRASHBOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.12
BS2005BS2005BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.13
BUBBLEWRAPBUBBLEWRAP
Backdoor.APT.FakeWinHTTPHelper
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.14
Backdoor.OldreaBackdoor.Oldrea
Havex
Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it.15
BlackEnergyBlackEnergy
Black Energy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.16
CALENDARCALENDARCALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.10
CHOPSTICKCHOPSTICK
SPLM
Xagent
X-Agent
webhp
CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases.17318
CORESHELLCORESHELL
SOURFACE
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.1718
CachedumpCachedumpCachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.10
CallMeCallMeCallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.19
CarbanakCarbanakCarbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.20
Cherry PickerCherry PickerCherry Picker is a point of sale (PoS) memory scraper.21
China ChopperChina ChopperChina Chopper is a Web shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.22 It has been used by several threat groups, including Threat Group-3390.4
CloudDukeCloudDuke
MiniDionis
CloudLook
CloudDuke is malware that was used by APT29 in 2015.23
ComRATComRATComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.2425
CosmicDukeCosmicDuke
TinyBaron
BotgenStudios
NemesisGemina
CosmicDuke is malware that was used by APT29 from 2010 to 2015.23
CozyCarCozyCar
CozyDuke
CozyBear
Cozer
EuroAPT
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.23
CrimsonCrimson
MSIL/Crimson
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.26
DerusbiDerusbiDerusbi is malware used by multiple Chinese APT groups.2728 Both Windows and Linux variants have been observed.29
DowndelphDowndelph
Delphacy
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.30
DuquDuquDuqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.31
DustySkyDustySky
NeD Worm
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.3233
DyreDyreDyre is a Trojan that usually targets banking information.34
ELMERELMERELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.35
EliseElise
BKDR_ESILE
Page
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.36
EmissaryEmissaryEmissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.37
EpicEpic
Tavdig
Wipbot
WorldCupSec
TadjMakhal
Epic is a backdoor that has been used by Turla.38
FLASHFLOODFLASHFLOODFLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8
FTPFTP
ftp.exe
FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.39
FakeMFakeMFakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.19
FgdumpFgdumpFgdump is a Windows password hash dumper.10
GLOOXMAILGLOOXMAIL
Trojan.GTALK
GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.10
GeminiDukeGeminiDukeGeminiDuke is malware that was used by APT29 from 2009 to 2012.23
H1N1H1N1H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.40
HAMMERTOSSHAMMERTOSS
HammerDuke
NetDuke
HAMMERTOSS is a backdoor that was used by APT29 in 2015.4123
HDoorHDoor
Custom HDoor
HDoor is malware that has been customized and used by the Naikon group.42
HIDEDRVHIDEDRVHIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.30
HTRANHTRAN
HUC Packet Transmit Tool
HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. 43
HTTPBrowserHTTPBrowser
Token Control
HttpDump
HTTPBrowser is malware that has been used by several threat groups.444 It is believed to be of Chinese origin.28
Hacking Team UEFI RootkitHacking Team UEFI RootkitHacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.45
Hi-ZorHi-ZorHi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.46
HikitHikitHikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.27
IxesheIxesheIxeshe is a malware family that has been used since 2009 to attack targets in East Asia.47
JHUHUGITJHUHUGIT
Seduploader
JKEYSKW
Sednit
GAMEFISH
JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.2484918
KasidetKasidetKasidet is a backdoor that has been dropped by using malicious VBA macros.50
LOWBALLLOWBALLLOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.14
LslsassLslsassLslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.10
LuridLurid
Enfal
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.5152
MimikatzMimikatzMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.5354
Miner-CMiner-C
Mal/Miner-C
PhotoMiner
Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.55
MiniDukeMiniDukeMiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.23
Mis-TypeMis-TypeMis-Type is a backdoor hybrid that was used by Dust Storm in 2012.56
MisdatMisdatMisdat is a backdoor that was used by Dust Storm from 2010 to 2011.56
MivastMivastMivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.57
MobileOrderMobileOrderMobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.19
NETEAGLENETEAGLENETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”8
NetNet
net.exe
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.58 Net has a great deal of functionality,59 much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using net use commands, and interacting with services.
Net CrawlerNet Crawler
NetC
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.60
NetTravelerNetTravelerNetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.61
NidiranNidiran
Backdoor.Nidiran
Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.62
OLDBAITOLDBAIT
Sasfis
OLDBAIT is a credential harvester used by APT28.1718
OnionDukeOnionDukeOnionDuke is malware that was used by APT29 from 2013 to 2015.23
OwaAuthOwaAuthOwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.4
P2P ZeuSP2P ZeuS
Peer-to-Peer ZeuS
Gameover ZeuS
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.63
Pass-The-Hash ToolkitPass-The-Hash ToolkitPass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems.10
PinchDukePinchDukePinchDuke is malware that was used by APT29 from 2008 to 2010.23
PingPing
ping.exe
Ping is an operating system utility commonly used to troubleshoot and verify network connections.64
PisloaderPisloaderPisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.65
PlugXPlugX
Sogu
Kaba
PlugX is a remote access tool (RAT) that uses modular plugins.66 It has been used by multiple threat groups.67684
PoisonIvyPoisonIvy
Poison Ivy
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.69
PowerDukePowerDukePowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.70
PrikormkaPrikormkaPrikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.71
PsExecPsExecPsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.7273
PsyloPsyloPsylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.19
RARSTONERARSTONERARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.74
RIPTIDERIPTIDERIPTIDE is a proxy-aware backdoor used by APT12.75
ROCKBOOTROCKBOOTROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.76
RegReg
reg.exe
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.77 Utilities such as Reg are known to be used by persistent threats.78
ReginReginRegin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.79
RemsecRemsec
Backdoor.Remsec
ProjectSauron
Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.80
RoverRoverRover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.81
S-TypeS-TypeS-Type is a backdoor that was used by Dust Storm from 2013 to 2014.56
SHIPSHAPESHIPSHAPESHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8
SHOTPUTSHOTPUT
Backdoor.APT.CookieCutter
Pirpi
SHOTPUT is a custom backdoor used by APT3.82
SPACESHIPSPACESHIPSPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8
SakulaSakula
Sakurel
VIPER
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.83
SeaDukeSeaDuke
SeaDaddy
SeaDesk
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.23
ShamoonShamoon
Disttrack
Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.8485
Skeleton KeySkeleton KeySkeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.86 Functionality similar to Skeleton Key is included as a module in Mimikatz.
SslMMSslMMSslMM is a full-featured backdoor used by Naikon that has multiple variants.42
SykipotSykipotSykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.87 The group using this malware has also been referred to as Sykipot.88
Sys10Sys10Sys10 is a backdoor that was used throughout 2013 by Naikon.42
SysteminfoSysteminfo
systeminfo.exe
Systeminfo is a Windows utility that can be used to gather detailed information about a computer.89
T9000T9000T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.9091
TINYTYPHONTINYTYPHONTINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.7
TaidoorTaidoorTaidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.92
TasklistTasklistThe Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.93
TinyZBotTinyZBotTinyZBot is a bot written in C# that was developed by Cleaver.60
Trojan.KaraganyTrojan.KaraganyTrojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.15
Trojan.MebromiTrojan.MebromiTrojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.94
UACMeUACMeUACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.95
USBStealerUSBStealer
USB Stealer
Win32/USBStealer
USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.962
Unknown LoggerUnknown LoggerUnknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.7
UroburosUroburosUroburos is a rootkit used by Turla.38
WEBC2WEBC2WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server.97
WinMMWinMMWinMM is a full-featured, simple backdoor used by Naikon.42
Windows Credential EditorWindows Credential Editor
WCE
Windows Credential Editor is a password dumping tool.98
WiperWiperWiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.99
XTunnelXTunnel
X-Tunnel
XAPS
XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.1001013
ZLibZLibZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.56
ZeroaccessZeroaccess
Trojan.Zeroaccess
Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.102
atat
at.exe
at is used to schedule tasks on a system to run at a specified date or time.103
cmdcmd
cmd.exe
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.104 Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir105), deleting files (e.g., del106), and copying files (e.g., copy107).
dsquerydsquery
dsquery.exe
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.108 It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
gh0stgh0stgh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.109
gsecdumpgsecdumpgsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.110
hcdLoaderhcdLoaderhcdLoader is a remote access tool (RAT) that has been used by APT18.111
httpclienthttpclienthttpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.1
ifconfigifconfigifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.112
ipconfigipconfig
ipconfig.exe
ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.113
nbtstatnbtstat
nbtstat.exe
nbtstat is a utility used to troubleshoot NetBIOS name resolution.114
netshnetsh
netsh.exe
netsh is a scripting utility used to interact with networking components on local or remote systems.115
netstatnetstat
netstat.exe
netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.116
pngdownerpngdownerpngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility.1
pwdumppwdumppwdump is a credential dumper.117
routeroute
route.exe
route can be used to find or change information within the local system IP routing table.118
schtasksschtasks
schtasks.exe
schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.119
xCmdxCmdxCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.120

References

  1. a b c d  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  2. a b c  Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  3. a b c  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  4. a b c d e  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  5. ^  Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
  6. ^  Microsoft. (n.d.). Arp. Retrieved April 17, 2016.
  7. a b c d  Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  8. a b c d e  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  9. ^  Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  10. a b c d e f g  Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  11. ^  FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  12. ^  Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.
  13. ^  Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  14. a b  FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  15. a b  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  16. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  17. a b c  FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  18. a b c d  FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  19. a b c d  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  20. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
  21. ^  Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
  22. ^  Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  23. a b c d e f g h i  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  24. ^  Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  25. ^  Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
  26. ^  Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  27. a b  Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  28. a b  ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
  29. ^  Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  30. a b  ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  31. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  32. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  33. ^  ClearSky Cybersecurity. (2016, June 9). Operation DustySky – Part 2. Retrieved August 3, 2016.
  34. ^  Raff, A. (2015, April 30). New Dyre Version- Yet Another Malware Evading Sandboxes. Retrieved July 18, 2016.
  35. ^  Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  36. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  37. ^  Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  38. a b  Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  39. ^  Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016.
  40. ^  Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  41. ^  FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  42. a b c d  Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  43. ^  Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.
  44. ^  Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  45. ^  Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
  46. ^  Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
  47. ^  Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
  48. ^  F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  49. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  50. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  51. ^  Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
  52. ^  Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  53. ^  Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  54. ^  Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
  55. ^  Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.
  56. a b c d  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
  57. ^  DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
  58. ^  Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.
  59. ^  Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  60. a b  Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
  61. ^  Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
  62. ^  DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  63. ^  SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
  64. ^  Microsoft. (n.d.). Ping. Retrieved April 8, 2016.
  65. ^  Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  66. ^  Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  67. ^  Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  68. ^  Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
  69. ^  FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  70. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  71. ^  Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  72. ^  Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
  73. ^  Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.
  74. ^  Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  75. ^  Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  76. ^  Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
  77. ^  Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  78. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  79. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  80. ^  Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
  81. ^  Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  82. ^  Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  83. ^  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  84. ^  FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  85. ^  Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  86. ^  Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved February 2, 2015.
  87. ^  Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
  88. ^  Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
  89. ^  Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
  90. ^  Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.
  91. ^  Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  92. ^  Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  93. ^  Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  94. ^  Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.
  95. ^  UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  96. ^  Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  97. ^  Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  98. ^  Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.
  99. ^  Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.
  100. ^  Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  101. ^  Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  102. ^  Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
  103. ^  Microsoft. (n.d.). At. Retrieved April 28, 2016.
  104. ^  Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
  105. ^  Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  106. ^  Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  107. ^  Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  108. ^  Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
  109. ^  FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  110. ^  TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
  111. ^  Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  112. ^  Wikipedia. (2016, January 26). ifconfig. Retrieved April 17, 2016.
  113. ^  Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.
  114. ^  Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.
  115. ^  Microsoft. (2005, January 21). The Netsh Command-Line Utility. Retrieved April 20, 2016.
  116. ^  Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.
  117. ^  Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.
  118. ^  Microsoft. (n.d.). Route. Retrieved April 17, 2016.
  119. ^  Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
  120. ^  Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.