Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with enterprise techniques and may be mapped to Groups.
Software is broken down into three high-level categories:
Tool - Commercial, open-source, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary for malicious purposes that generally is not found on an enterprise system. Examples include PsExec, Metasploit, Mimikatz, etc.
Utility - Software generally available as part of an operating system that is already present in an environment. Adversaries tend to leverage existing functionality on systems to gather information and perform actions. Examples include Windows utilities such as Net, netstat, Tasklist, etc.
This is the list of software tracked in ATT&CK:
|3PARA RAT||3PARA RAT||3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.1|
|4H RAT||4H RAT||4H RAT is malware that has been used by Putter Panda since at least 2007.1|
|ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.23|
|ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.4|
|Agent.btz||Agent.btz||Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.5|
|Arp displays information about a system's Address Resolution Protocol (ARP) cache.6|
|AutoIt backdoor||AutoIt backdoor||AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.7 This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.|
|BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.8|
|BADNEWS||BADNEWS||BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.7|
|BBSRAT||BBSRAT||BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.9|
|BISCUIT||BISCUIT||BISCUIT is a backdoor that has been used by APT1 since as early as 2007.10|
|BITSAdmin||BITSAdmin||is a command line tool used to create and manage BITS Jobs.11|
|BLACKCOFFEE||BLACKCOFFEE||BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013.1213|
|BOOTRASH||BOOTRASH||BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.14|
|BS2005||BS2005||BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.15|
|BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.16|
|Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it.17|
|BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.18|
|Briba||Briba||Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts.1920|
|CALENDAR||CALENDAR||CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.10|
|CCBkdr||CCBkdr||CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website.2122|
|CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases.23324|
|CORALDECK||CORALDECK||is an exfiltration tool used by APT37.25|
|CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.2324|
|Cachedump||Cachedump||Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.10|
|CallMe||CallMe||CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.26|
|Carbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.27|
|ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.282930|
|Chaos||Chaos||Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets.31|
|Cherry Picker||Cherry Picker||Cherry Picker is a point of sale (PoS) memory scraper.32|
|China Chopper||China Chopper||China Chopper is a Web shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.33 It has been used by several threat groups.413|
|CloudDuke is malware that was used by APT29 in 2015.3435|
|Cobalt Strike||Cobalt Strike||Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.36 In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.36|
|ComRAT||ComRAT||ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.3738|
|CosmicDuke is malware that was used by APT29 from 2010 to 2015.34|
|CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.34|
|Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.39|
|DOGCALL||DOGCALL||is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit.25|
|Darkmoon||Darkmoon||is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts.1940|
|Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi.4142|
|Derusbi is malware used by multiple Chinese APT groups.4344 Both Windows and Linux variants have been observed.45|
|Dipsind||Dipsind||Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.46|
|DownPaper||DownPaper||DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.47|
|Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.48|
|Duqu||Duqu||Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.49|
|DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.5051|
|Dyre||Dyre||Dyre is a Trojan that usually targets banking information.52|
|ELMER||ELMER||ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.53|
|Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.54|
|Emissary||Emissary||Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.55|
|Epic is a backdoor that has been used by Turla.56|
|EvilGrab||EvilGrab||EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns.30|
|FALLCHILL||FALLCHILL||FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website.57|
|FLASHFLOOD||FLASHFLOOD||FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8|
|FLIPSIDE||FLIPSIDE||FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims.58|
|FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.59|
|FakeM||FakeM||FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.26|
|Felismus||Felismus||Felismus is a modular backdoor that has been used by Sowbug.6061|
|Fgdump||Fgdump||Fgdump is a Windows password hash dumper.10|
|FinFisher is a government-grade commercial surveillance reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird.62636465|
|Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.66|
|Forfiles||Forfiles||Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts.67|
|GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.10|
|Gazer is a backdoor used by Turla since at least 2016.68|
|GeminiDuke||GeminiDuke||GeminiDuke is malware that was used by APT29 from 2009 to 2012.34|
|H1N1||H1N1||H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.69|
|HALFBAKED||HALFBAKED||HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks.70|
|HAMMERTOSS is a backdoor that was used by APT29 in 2015.7134|
|HAPPYWORK||HAPPYWORK||is a downloader used by APT37 to target South Korean government and financial victims in November 2016.25|
|HDoor is malware that has been customized and used by the Naikon group.72|
|HIDEDRV||HIDEDRV||HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.4873|
|HOMEFRY||HOMEFRY||HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors.13|
HUC Packet Transmit Tool
|HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. 74|
|HTTPBrowser is malware that has been used by several threat groups.754 It is believed to be of Chinese origin.44|
|Hacking Team UEFI Rootkit||Hacking Team UEFI Rootkit||Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.76|
|Havij||Havij||Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries.77|
|Helminth||Helminth||Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable.78|
|Hi-Zor||Hi-Zor||Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.79|
|Hikit||Hikit||Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.43|
|Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.8019818283848586|
|ISMInjector||ISMInjector||ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent.87|
|Invoke-PSImage||Invoke-PSImage||Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords.88|
|Ixeshe||Ixeshe||Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia.89|
|JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.2909124|
|JPIN||JPIN||JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way.46|
|Janicab||Janicab||Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.92|
|KARAE||KARAE||is a backdoor typically used by APT37 as first-stage malware.25|
|KOMPROGO||KOMPROGO||KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management.93|
|Kasidet||Kasidet||Kasidet is a backdoor that has been dropped by using malicious VBA macros.94|
|Komplex||Komplex||Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX9596.|
|LOWBALL||LOWBALL||LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.16|
|Linfo||Linfo||is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts.1997|
|Lslsass||Lslsass||Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.10|
|Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.9899|
|MURKYTOP||MURKYTOP||MURKYTOP is a reconnaissance tool used by Leviathan.13|
|Matroyshka||Matroyshka||Matroyshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences.100101|
|MimiPenguin||MimiPenguin||MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms.102|
|Mimikatz||Mimikatz||Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.103104|
|Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.105|
|MiniDuke||MiniDuke||MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.34|
|Mis-Type||Mis-Type||Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012.106|
|Misdat||Misdat||Misdat is a backdoor that was used by Dust Storm from 2010 to 2011.106|
|Mivast||Mivast||Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.107|
|MobileOrder||MobileOrder||MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.26|
|MoonWind||MoonWind||MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.108|
|NETEAGLE||NETEAGLE||NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”8|
|NETWIRE||NETWIRE||is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.109110111|
|Naid||Naid||Naid is a trojan used by Elderwood to open a backdoor on compromised hosts.19112|
|Nerex||Nerex||is a Trojan used by Elderwood to open a backdoor on compromised hosts.19114|
|The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.115
Net has a great deal of functionality,116 much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using |
|Net Crawler||Net Crawler|
|Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.117|
|NetTraveler||NetTraveler||NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.118|
|Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.119|
|OLDBAIT is a credential harvester used by APT28.2324|
|OSInfo||OSInfo||OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. 120|
|OnionDuke||OnionDuke||OnionDuke is malware that was used by APT29 from 2013 to 2015.34|
|OwaAuth||OwaAuth||OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.4|
|P2P ZeuS||P2P ZeuS|
|P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.121|
|PHOREAL||PHOREAL||PHOREAL is a signature backdoor used by APT32.93|
|POORAIM||POORAIM||POORAIM is a backdoor used by APT37 in campaigns since at least 2014.25|
|POSHSPY||POSHSPY||POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors.122|
|POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.123124|
|POWERSTATS||POWERSTATS||POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater.125|
|POWRUNER||POWRUNER||POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.126|
|PUNCHBUGGY||PUNCHBUGGY||PUNCHBUGGY is a dynamic-link library (DLL) downloader utilized by FIN8.127128|
|PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data.127128|
|Pasam||Pasam||Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts.19129|
|Pass-The-Hash Toolkit||Pass-The-Hash Toolkit||Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems.10|
|PinchDuke||PinchDuke||PinchDuke is malware that was used by APT29 from 2008 to 2010.34|
|Ping is an operating system utility commonly used to troubleshoot and verify network connections.130|
|Pisloader||Pisloader||Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.131|
|PlugX is a remote access tool (RAT) that uses modular plugins.132 It has been used by multiple threat groups.1331344|
|PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.135|
|Power Loader||Power Loader|
|Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz.136137|
|PowerDuke||PowerDuke||PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.138|
|PowerSploit||PowerSploit||PowerSploit is an open source, offensive security framework compromised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.139140141|
|Prikormka||Prikormka||Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.142|
|PsExec||PsExec||PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.143144|
|Psylo||Psylo||Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.26|
|Pteranodon||Pteranodon||Pteranodon is a custom backdoor used by Gamaredon Group.145|
|Pupy||Pupy||Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. 146 It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.).146 Pupy is publicly available on GitHub. 146|
|RARSTONE||RARSTONE||RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.147|
|RIPTIDE||RIPTIDE||RIPTIDE is a proxy-aware backdoor used by APT12.148|
|ROCKBOOT||ROCKBOOT||ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.149|
|RTM||RTM||RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).150|
|RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008.151152153 FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD.58154|
|Reaver||Reaver||Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of .155|
|RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus.30156|
|Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.157 Utilities such as Reg are known to be used by persistent threats.158|
|Regin||Regin||Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.159|
|RemoteCMD||RemoteCMD||RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. 120|
|Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.160|
|Responder||Responder||Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.161|
|Rover||Rover||Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.162|
|S-Type||S-Type||S-Type is a backdoor that was used by Dust Storm from 2013 to 2014.106|
|SDelete||SDelete||is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools.163|
|SEASHARPEE||SEASHARPEE||SEASHARPEE is a Web shell that has been used by APT34.164|
|SHIPSHAPE||SHIPSHAPE||SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8|
|SHOTPUT is a custom backdoor used by APT3.165|
|SHUTTERSPEED||SHUTTERSPEED||SHUTTERSPEED is a backdoor used by APT37.25|
|SLOWDRIFT||SLOWDRIFT||SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea.25|
|SNUGRIDE||SNUGRIDE||SNUGRIDE is a backdoor that has been used by menuPass as first stage malware.156|
|SOUNDBITE||SOUNDBITE||SOUNDBITE is a signature backdoor used by APT32.93|
|SPACESHIP||SPACESHIP||SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8|
|Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.166|
|SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.34|
|Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.167168|
|Skeleton Key||Skeleton Key||Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.169 Functionality similar to Skeleton Key is included as a module in Mimikatz.|
|Smoke Loader||Smoke Loader|
|Smoke Loader is a bot that has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. 170|
|SslMM||SslMM||SslMM is a full-featured backdoor used by Naikon that has multiple variants.72|
|Starloader||Starloader||Starloader is a loader component that has been observed loading Felismus and associated tools.60|
|StreamEx||StreamEx||StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.171|
|Sykipot||Sykipot||Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.172 The group using this malware has also been referred to as Sykipot.173|
|Sys10||Sys10||Sys10 is a backdoor that was used throughout 2013 by Naikon.72|
|Systeminfo is a Windows utility that can be used to gather detailed information about a computer.174|
|T9000||T9000||T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.175176|
|TDTESS||TDTESS||TDTESS is a 64-bit .NET binary backdoor used by CopyKittens.100|
|TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017.123|
|TINYTYPHON||TINYTYPHON||TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.7|
|TURNEDUP||TURNEDUP||TURNEDUP is a non-public backdoor. It has been dropped by APT33's DROPSHOT malware (also known as Stonedrill). 109111|
|Taidoor||Taidoor||Taidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.177|
|Tasklist||Tasklist||The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.178|
|TinyZBot||TinyZBot||TinyZBot is a bot written in C# that was developed by Cleaver.117|
|Tor||Tor||Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination.179|
|Trojan.Karagany||Trojan.Karagany||Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.17|
|Trojan.Mebromi||Trojan.Mebromi||Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.180|
|Truvasys||Truvasys||Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language.18118263|
|UACMe||UACMe||UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.183|
|USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.1842|
|Umbreon||Umbreon||A Linux rootkit that provides backdoor access and hides from defenders.|
|Unknown Logger||Unknown Logger||Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.7|
|Uroburos||Uroburos||Uroburos is a rootkit used by Turla.56|
|Vasport||Vasport||is a trojan used by Elderwood to open a backdoor on compromised hosts.19185|
|Volgmer||Volgmer||Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing.186|
|WEBC2||WEBC2||WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server.187|
|WINDSHIELD||WINDSHIELD||WINDSHIELD is a signature backdoor used by APT32.93|
|WINERACK||WINERACK||is a backdoor used by APT37.25|
|Wiarp||Wiarp||is a trojan used by Elderwood to open a backdoor on compromised hosts.19188|
|WinMM||WinMM||WinMM is a full-featured, simple backdoor used by Naikon.72|
|Windows Credential Editor||Windows Credential Editor|
|Windows Credential Editor is a password dumping tool.189|
|Winexe||Winexe||is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers.190 is unique in that it is a GNU/Linux based client.191|
|Wingbird||Wingbird||Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign.63182|
|Winnti||Winnti||Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.192193194|
|Wiper||Wiper||Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.195|
|XAgentOSX||XAgentOSX||XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan.95|
|XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.1961973|
|ZLib||ZLib||ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.106|
|ZeroT||ZeroT||ZeroT is a Trojan used by TA459, often in conjunction with PlugX.198199|
|Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.200|
|adbupd||adbupd||adbupd is a backdoor used by PLATINUM that is similar to Dipsind.46|
|at is used to schedule tasks on a system to run at a specified date or time.201|
|Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.202|
|cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.203
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., |
|dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.207 It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.|
|gh0st||gh0st||gh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.208|
|gsecdump||gsecdump||gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.209|
|hcdLoader||hcdLoader||hcdLoader is a remote access tool (RAT) that has been used by APT18.210|
|httpclient||httpclient||httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.1|
|ifconfig||ifconfig||ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.211|
|ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.212|
|meek||meek||meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.|
|nbtstat is a utility used to troubleshoot NetBIOS name resolution.213|
|netsh is a scripting utility used to interact with networking components on local or remote systems.214|
|netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.215|
|pngdowner||pngdowner||pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility.1|
|pwdump||pwdump||pwdump is a credential dumper.216|
|route can be used to find or change information within the local system IP routing table.217|
|schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.218|
|spwebmember||spwebmember||spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET.219|
|sqlmap||sqlmap||sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws.220|
|xCmd||xCmd||xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.221|
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
- Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
- Microsoft. (n.d.). Arp. Retrieved April 17, 2016.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
- FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
- Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
- Rosenberg, J. (2017, September 20). Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Lozhkin, S.. (2015, July 16). Minidionis – one more APT with a usage of cloud drives. Retrieved April 5, 2017.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
- Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- ClearSky Cybersecurity. (2016, June 9). Operation DustySky – Part 2. Retrieved August 3, 2016.
- Raff, A. (2015, April 30). New Dyre Version- Yet Another Malware Evading Sandboxes. Retrieved July 18, 2016.
- Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
- FinFisher. (n.d.). Retrieved December 20, 2017.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
- Microsoft. (2016, August 31). Forfiles. Retrieved January 22, 2018.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
- Rascagnères, P.. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved March 9, 2017.
- Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.
- Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
- Ganani, M. (2015, May 14). Analysis of the Havij SQL Injection tool. Retrieved March 19, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
- Petrovsky, O. (2016, August 30). “9002 RAT” -- a second building on the left. Retrieved February 20, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018.
- Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018.
- Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.
- Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018.
- Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.
- Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
- Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.
- Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
- F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
- Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
- Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.
- Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
- Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
- DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
- Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
- Microsoft. (n.d.). Ping. Retrieved April 8, 2016.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
- MalwareTech. (2013, August 13). PowerLoader Injection – Something truly amazing. Retrieved December 16, 2017.
- Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
- Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
- Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
- Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
- TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
- Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
- Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved February 2, 2015.
- Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
- Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
- Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
- Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.
- Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
- Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
- Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.
- Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.
- Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
- UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.
- Skalkotos, N. (2013, September 20). WinExe. Retrieved January 22, 2018.
- Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
- Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
- Microsoft. (n.d.). At. Retrieved April 28, 2016.
- Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
- Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
- Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
- Microsoft. (n.d.). Del. Retrieved April 22, 2016.
- Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
- Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
- FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
- TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
- Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
- Wikipedia. (2016, January 26). ifconfig. Retrieved April 17, 2016.
- Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.
- Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.
- Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
- Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.
- Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.
- Microsoft. (n.d.). Route. Retrieved April 17, 2016.
- Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Damele, B., Stampar, M. (n.d.). sqlmap. Retrieved March 19, 2018.
- Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.