Software

From enterprise
Jump to: navigation, search

Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with enterprise techniques and may be mapped to Groups.

Software is broken down into three high-level categories:

Tool - Commercial, open-source, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary for malicious purposes that generally is not found on an enterprise system. Examples include PsExec, Metasploit, Mimikatz, etc.

Utility - Software generally available as part of an operating system that is already present in an environment. Adversaries tend to leverage existing functionality on systems to gather information and perform actions. Examples include Windows utilities such as Net, netstat, Tasklist, etc.

Malware - Commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries. Examples include PlugX, CHOPSTICK, etc.

Software List

This is the list of software tracked in ATT&CK:

Software NameAliasesDescription
3PARA RAT3PARA RAT3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.CrowdStrike Putter Panda
4H RAT4H RAT4H RAT is malware that has been used by Putter Panda since at least 2007.CrowdStrike Putter Panda
ADVSTORESHELLADVSTORESHELL
NETUI
EVILTOSS
AZZY
Sedreco
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.Kaspersky SofacyESET Sednit Part 2
ASPXSpyASPXSpy
ASPXTool
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.Dell TG-3390
Agent.btzAgent.btzAgent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.Securelist Agent.btz
ArpArp
arp.exe
Arp displays information about a system's Address Resolution Protocol (ARP) cache.TechNet Arp
AutoItAutoItAutoIt is a backdoor that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.Forcepoint Monsoon
BACKSPACEBACKSPACE
Lecna
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.FireEye APT30
BADNEWSBADNEWSBADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.Forcepoint Monsoon
BBSRATBBSRATBBSRAT is malware with remote access tool functionality that has been used in targeted compromises.Palo Alto Networks BBSRAT
BISCUITBISCUITBISCUIT is a backdoor that has been used by APT1 since as early as 2007.Mandiant APT1
BLACKCOFFEEBLACKCOFFEEBLACKCOFFEE is malware that has been used by APT17 since at least 2013.FireEye APT17
BOOTRASHBOOTRASHBOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.MTrends 2016
BS2005BS2005BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.Villeneuve et al 2014
BUBBLEWRAPBUBBLEWRAP
Backdoor.APT.FakeWinHTTPHelper
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.FireEye admin@338
Backdoor.OldreaBackdoor.Oldrea
Havex
Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it.Symantec Dragonfly
BlackEnergyBlackEnergy
Black Energy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.F-Secure BlackEnergy 2014
CALENDARCALENDARCALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.Mandiant APT1
CHOPSTICKCHOPSTICK
SPLM
Xagent
X-Agent
webhp
CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases.FireEye APT28ESET Sednit Part 2FireEye APT28 January 2017
CORESHELLCORESHELL
SOURFACE
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.FireEye APT28FireEye APT28 January 2017
CachedumpCachedumpCachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.Mandiant APT1
CallMeCallMeCallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.Scarlet Mimic Jan 2016
CarbanakCarbanak
Anunak
Carbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.Kaspersky Carbanak
ChChesChChes
Scorpion
HAYMAKER
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.Palo Alto menuPass Feb 2017JPCERT ChChes Feb 2017PWC Cloud Hopper Technical Annex April 2017
Cherry PickerCherry PickerCherry Picker is a point of sale (PoS) memory scraper.Trustwave Cherry Picker
China ChopperChina ChopperChina Chopper is a Web shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.Lee 2013 It has been used by several threat groups, including Threat Group-3390.Dell TG-3390
CloudDukeCloudDuke
MiniDionis
CloudLook
CloudDuke is malware that was used by APT29 in 2015.F-Secure The DukesSecurelist Minidionis July 2015
Cobalt StrikeCobalt StrikeCobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.cobaltstrike manual

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.cobaltstrike manual

The list of techniques below focuses on Cobalt Strike’s ATT&CK-relevant tactics.
ComRATComRATComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.Symantec WaterbugNorthSec 2015 GData Uroburos Tools
CosmicDukeCosmicDuke
TinyBaron
BotgenStudios
NemesisGemina
CosmicDuke is malware that was used by APT29 from 2010 to 2015.F-Secure The Dukes
CozyCarCozyCar
CozyDuke
CozyBear
Cozer
EuroAPT
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.F-Secure The Dukes
CrimsonCrimson
MSIL/Crimson
Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.Proofpoint Operation Transparent Tribe March 2016
DerusbiDerusbiDerusbi is malware used by multiple Chinese APT groups.AxiomThreatConnect Anthem Both Windows and Linux variants have been observed.Fidelis Turbo
DowndelphDowndelph
Delphacy
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.ESET Sednit Part 3
DuquDuquDuqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.Symantec W32.Duqu
DustySkyDustySky
NeD Worm
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.DustySkyDustySky2
DyreDyreDyre is a Trojan that usually targets banking information.Raff 2015
ELMERELMERELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.FireEye EPS Awakens Part 2
EliseElise
BKDR_ESILE
Page
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.Lotus Blossom Jun 2015
EmissaryEmissaryEmissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.Lotus Blossom Dec 2015
EpicEpic
Tavdig
Wipbot
WorldCupSec
TadjMakhal
Epic is a backdoor that has been used by Turla.Kaspersky Turla
EvilGrabEvilGrabEvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns.PWC Cloud Hopper Technical Annex April 2017
FLASHFLOODFLASHFLOODFLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.FireEye APT30
FTPFTP
ftp.exe
FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.Wikipedia FTP
FakeMFakeMFakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.Scarlet Mimic Jan 2016
FgdumpFgdumpFgdump is a Windows password hash dumper.Mandiant APT1
FlameFlame
Flamer
sKyWIper
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.Kaspersky Flame
GLOOXMAILGLOOXMAIL
Trojan.GTALK
GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.Mandiant APT1
GeminiDukeGeminiDukeGeminiDuke is malware that was used by APT29 from 2009 to 2012.F-Secure The Dukes
H1N1H1N1H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.Cisco H1N1 Part 1
HALFBAKEDHALFBAKEDHALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks.FireEye FIN7 April 2017
HAMMERTOSSHAMMERTOSS
HammerDuke
NetDuke
HAMMERTOSS is a backdoor that was used by APT29 in 2015.FireEye APT29F-Secure The Dukes
HDoorHDoor
Custom HDoor
HDoor is malware that has been customized and used by the Naikon group.Baumgartner Naikon 2015
HIDEDRVHIDEDRVHIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.ESET Sednit Part 3Sekoia HideDRV Oct 2016
HTRANHTRAN
HUC Packet Transmit Tool
HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. Operation Quantum Entanglement
HTTPBrowserHTTPBrowser
Token Control
HttpDump
HTTPBrowser is malware that has been used by several threat groups.ThreatStream Evasion AnalysisDell TG-3390 It is believed to be of Chinese origin.ThreatConnect Anthem
Hacking Team UEFI RootkitHacking Team UEFI RootkitHacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.TrendMicro Hacking Team UEFI
Hi-ZorHi-ZorHi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.Fidelis Hi-Zor
HikitHikitHikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.Axiom
IxesheIxesheIxeshe is a malware family that has been used since 2009 to attack targets in East Asia.Moran 2013
JHUHUGITJHUHUGIT
Seduploader
JKEYSKW
Sednit
GAMEFISH
JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.Kaspersky SofacyF-Secure Sofacy 2015ESET Sednit Part 1FireEye APT28 January 2017
JanicabJanicabJanicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.Janicab
KOMPROGOKOMPROGOKOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management.FireEye APT32 May 2017
KasidetKasidetKasidet is a backdoor that has been dropped by using malicious VBA macros.Zscaler Kasidet
KomplexKomplexKomplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSXXAgentOSXSofacy Komplex Trojan.
LOWBALLLOWBALLLOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.FireEye admin@338
LslsassLslsassLslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.Mandiant APT1
LuridLurid
Enfal
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.Villeneuve 2014Villeneuve 2011
MimikatzMimikatzMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.Deply MimikatzAdsecurity Mimikatz Guide
Miner-CMiner-C
Mal/Miner-C
PhotoMiner
Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.Softpedia MinerC
MiniDukeMiniDukeMiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.F-Secure The Dukes
Mis-TypeMis-TypeMis-Type is a backdoor hybrid that was used by Dust Storm in 2012.Cylance Dust Storm
MisdatMisdatMisdat is a backdoor that was used by Dust Storm from 2010 to 2011.Cylance Dust Storm
MivastMivastMivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.Symantec Black Vine
MobileOrderMobileOrderMobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.Scarlet Mimic Jan 2016
MoonWindMoonWindMoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.Palo Alto MoonWind March 2017
NETEAGLENETEAGLENETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”FireEye APT30
NetNet
net.exe
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Microsoft Net Utility Net has a great deal of functionality,Savill 1999 much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using net use commands, and interacting with services.
Net CrawlerNet Crawler
NetC
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.Cylance Cleaver
NetTravelerNetTravelerNetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.Kaspersky NetTraveler
NidiranNidiran
Backdoor.Nidiran
Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.Symantec Suckfly March 2016
OLDBAITOLDBAIT
Sasfis
OLDBAIT is a credential harvester used by APT28.FireEye APT28FireEye APT28 January 2017
OnionDukeOnionDukeOnionDuke is malware that was used by APT29 from 2013 to 2015.F-Secure The Dukes
OwaAuthOwaAuthOwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.Dell TG-3390
P2P ZeuSP2P ZeuS
Peer-to-Peer ZeuS
Gameover ZeuS
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.Dell P2P ZeuS
PHOREALPHOREALPHOREAL is a signature backdoor used by APT32.FireEye APT32 May 2017
POSHSPYPOSHSPYPOSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors.FireEye POSHSPY April 2017
POWERSOURCEPOWERSOURCE
DNSMessenger
POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.FireEye FIN7 March 2017Cisco DNSMessenger March 2017
Pass-The-Hash ToolkitPass-The-Hash ToolkitPass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems.Mandiant APT1
PinchDukePinchDukePinchDuke is malware that was used by APT29 from 2008 to 2010.F-Secure The Dukes
PingPing
ping.exe
Ping is an operating system utility commonly used to troubleshoot and verify network connections.TechNet Ping
PisloaderPisloaderPisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.Palo Alto DNS Requests
PlugXPlugX
Sogu
Kaba
PlugX is a remote access tool (RAT) that uses modular plugins.Lastline PlugX Analysis It has been used by multiple threat groups.FireEye Clandestine Fox Part 2New DragonOKDell TG-3390
PoisonIvyPoisonIvy
Poison Ivy
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.FireEye Poison Ivy
PowerDukePowerDukePowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.Volexity PowerDuke November 2016
PrikormkaPrikormkaPrikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.ESET Operation Groundbait
PsExecPsExecPsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.Russinovich SysinternalsSANS PsExec
PsyloPsyloPsylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.Scarlet Mimic Jan 2016
PteranodonPteranodonPteranodon is a custom backdoor used by Gamaredon Group.Palo Alto Gamaredon Feb 2017
RARSTONERARSTONERARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.Aquino RARSTONE
RIPTIDERIPTIDERIPTIDE is a proxy-aware backdoor used by APT12.Moran 2014
ROCKBOOTROCKBOOTROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.FireEye Bootkits
RTMRTMRTM is custom malware written in Delphi. It is used by the group of the same name (RTM).ESET RTM Feb 2017
RedLeavesRedLeaves
BUGJUICE
RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus.PWC Cloud Hopper Technical Annex April 2017FireEye APT10 April 2017
RegReg
reg.exe
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Microsoft Reg Utilities such as Reg are known to be used by persistent threats.Windows Commands JPCERT
ReginReginRegin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.Kaspersky Regin
RemsecRemsec
Backdoor.Remsec
ProjectSauron
Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.Symantec Strider Blog
RoverRoverRover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.Palo Alto Rover
S-TypeS-TypeS-Type is a backdoor that was used by Dust Storm from 2013 to 2014.Cylance Dust Storm
SHIPSHAPESHIPSHAPESHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.FireEye APT30
SHOTPUTSHOTPUT
Backdoor.APT.CookieCutter
Pirpi
SHOTPUT is a custom backdoor used by APT3.FireEye Clandestine Wolf
SNUGRIDESNUGRIDESNUGRIDE is a backdoor that has been used by menuPass as first stage malware.FireEye APT10 April 2017
SOUNDBITESOUNDBITESOUNDBITE is a signature backdoor used by APT32.FireEye APT32 May 2017
SPACESHIPSPACESHIPSPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.FireEye APT30
SakulaSakula
Sakurel
VIPER
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.Dell Sakula
SeaDukeSeaDuke
SeaDaddy
SeaDesk
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.F-Secure The Dukes
ShamoonShamoon
Disttrack
Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.FireEye Shamoon Nov 2016Palo Alto Shamoon Nov 2016
Skeleton KeySkeleton KeySkeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.Dell Skeleton Functionality similar to Skeleton Key is included as a module in Mimikatz.
SslMMSslMMSslMM is a full-featured backdoor used by Naikon that has multiple variants.Baumgartner Naikon 2015
StreamExStreamExStreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.Cylance Shell Crew Feb 2017
SykipotSykipotSykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.Alienvault Sykipot DOD Smart Cards The group using this malware has also been referred to as Sykipot.Blasco 2013
Sys10Sys10Sys10 is a backdoor that was used throughout 2013 by Naikon.Baumgartner Naikon 2015
SysteminfoSysteminfo
systeminfo.exe
Systeminfo is a Windows utility that can be used to gather detailed information about a computer.TechNet Systeminfo
T9000T9000T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.FireEye admin@338 March 2014Palo Alto T9000 Feb 2016
TEXTMATEDNSMessenger
TEXTMATE
TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017.FireEye FIN7 March 2017
TINYTYPHONTINYTYPHONTINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.Forcepoint Monsoon
TaidoorTaidoorTaidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.TrendMicro Taidoor
TasklistTasklistThe Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.Microsoft Tasklist
TinyZBotTinyZBotTinyZBot is a bot written in C# that was developed by Cleaver.Cylance Cleaver
Trojan.KaraganyTrojan.KaraganyTrojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.Symantec Dragonfly
Trojan.MebromiTrojan.MebromiTrojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.Ge 2011
UACMeUACMeUACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.Github UACMe
USBStealerUSBStealer
USB Stealer
Win32/USBStealer
USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.ESET Sednit USBStealer 2014Kaspersky Sofacy
Unknown LoggerUnknown LoggerUnknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.Forcepoint Monsoon
UroburosUroburosUroburos is a rootkit used by Turla.Kaspersky Turla
WEBC2WEBC2WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server.Mandiant APT1 Appendix
WINDSHIELDWINDSHIELDWINDSHIELD is a signature backdoor used by APT32.FireEye APT32 May 2017
WinMMWinMMWinMM is a full-featured, simple backdoor used by Naikon.Baumgartner Naikon 2015
Windows Credential EditorWindows Credential Editor
WCE
Windows Credential Editor is a password dumping tool.Amplia WCE
WinntiWinntiWinnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.Kaspersky Winnti April 2013Microsoft Winnti Jan 2017Novetta Winnti April 2015
WiperWiperWiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.Dell Wiper
XAgentOSXXAgentOSXXAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan.XAgentOSX
XTunnelXTunnel
X-Tunnel
XAPS
XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.Crowdstrike DNC June 2016Invincea XTunnelESET Sednit Part 2
ZLibZLibZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.Cylance Dust Storm
ZeroaccessZeroaccess
Trojan.Zeroaccess
Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.Sophos ZeroAccess
atat
at.exe
at is used to schedule tasks on a system to run at a specified date or time.TechNet At
certutilcertutil
certutil.exe
Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.TechNet Certutil
cmdcmd
cmd.exe
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.TechNet Cmd Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dirTechNet Dir), deleting files (e.g., delTechNet Del), and copying files (e.g., copyTechNet Copy).
dsquerydsquery
dsquery.exe
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.TechNet Dsquery It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
gh0stgh0stgh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.FireEye Hacking Team
gsecdumpgsecdumpgsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.TrueSec Gsecdump
hcdLoaderhcdLoaderhcdLoader is a remote access tool (RAT) that has been used by APT18.Dell Lateral Movement
httpclienthttpclienthttpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.CrowdStrike Putter Panda
ifconfigifconfigifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.Wikipedia Ifconfig
ipconfigipconfig
ipconfig.exe
ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.TechNet Ipconfig
nbtstatnbtstat
nbtstat.exe
nbtstat is a utility used to troubleshoot NetBIOS name resolution.TechNet Nbtstat
netshnetsh
netsh.exe
netsh is a scripting utility used to interact with networking components on local or remote systems.TechNet Netsh
netstatnetstat
netstat.exe
netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.TechNet Netstat
pngdownerpngdownerpngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility.CrowdStrike Putter Panda
pwdumppwdumppwdump is a credential dumper.Wikipedia pwdump
routeroute
route.exe
route can be used to find or change information within the local system IP routing table.TechNet Route
schtasksschtasks
schtasks.exe
schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.TechNet Schtasks
xCmdxCmdxCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.xCmd