Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. Software entries are tagged with ATT&CK techniques and may be mapped to Groups.
Software is broken down into three high-level categories:
Tool - Commercial, open-source, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary for malicious purposes that generally is not found on an enterprise system. Examples include PsExec, Metasploit, Mimikatz, etc.
Utility - Software generally available as part of an operating system that is already present in an environment. Adversaries tend to leverage existing functionality on systems to gather information and perform actions. Examples include Windows utilities such as Net, netstat, Tasklist, etc.
This is the list of software tracked in ATT&CK:
|3PARA RAT||3PARA RAT||3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.1|
|4H RAT||4H RAT||4H RAT is malware that has been used by Putter Panda since at least 2007.1|
|ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.23|
|ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.4|
|Agent.btz||Agent.btz||Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.5|
|Arp displays information about a system's Address Resolution Protocol (ARP) cache.6|
|AutoIt||AutoIt||AutoIt is a backdoor that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.7|
|BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.8|
|BADNEWS||BADNEWS||BADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.7|
|BBSRAT||BBSRAT||BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.9|
|BISCUIT||BISCUIT||BISCUIT is a backdoor that has been used by APT1 since as early as 2007.10|
|BLACKCOFFEE||BLACKCOFFEE||BLACKCOFFEE is malware that has been used by APT17 since at least 2013.11|
|BOOTRASH||BOOTRASH||BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.12|
|BS2005||BS2005||BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.13|
|BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.14|
|Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it.15|
|BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.16|
|CALENDAR||CALENDAR||CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.10|
|CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases.17318|
|CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.1718|
|Cachedump||Cachedump||Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry.10|
|CallMe||CallMe||CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.19|
|Carbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.20|
|ChChes||ChChes||ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.2122|
|Cherry Picker||Cherry Picker||Cherry Picker is a point of sale (PoS) memory scraper.23|
|China Chopper||China Chopper||China Chopper is a Web shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.24 It has been used by several threat groups, including Threat Group-3390.4|
|CloudDuke is malware that was used by APT29 in 2015.25|
|ComRAT||ComRAT||ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.2627|
|CosmicDuke is malware that was used by APT29 from 2010 to 2015.25|
|CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.25|
|Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.28|
|Derusbi||Derusbi||Derusbi is malware used by multiple Chinese APT groups.2930 Both Windows and Linux variants have been observed.31|
|Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.32|
|Duqu||Duqu||Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.33|
|DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.3435|
|Dyre||Dyre||Dyre is a Trojan that usually targets banking information.36|
|ELMER||ELMER||ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.37|
|Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.38|
|Emissary||Emissary||Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.39|
|Epic is a backdoor that has been used by Turla.40|
|FLASHFLOOD||FLASHFLOOD||FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8|
|FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.41|
|FakeM||FakeM||FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.19|
|Fgdump||Fgdump||Fgdump is a Windows password hash dumper.10|
|Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.42|
|GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.10|
|GeminiDuke||GeminiDuke||GeminiDuke is malware that was used by APT29 from 2009 to 2012.25|
|H1N1||H1N1||H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.43|
|HAMMERTOSS is a backdoor that was used by APT29 in 2015.4425|
|HDoor is malware that has been customized and used by the Naikon group.45|
|HIDEDRV||HIDEDRV||HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.3246|
HUC Packet Transmit Tool
|HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. 47|
|HTTPBrowser is malware that has been used by several threat groups.484 It is believed to be of Chinese origin.30|
|Hacking Team UEFI Rootkit||Hacking Team UEFI Rootkit||Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.49|
|Hi-Zor||Hi-Zor||Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.50|
|Hikit||Hikit||Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.29|
|Ixeshe||Ixeshe||Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia.51|
|JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.2525318|
|Kasidet||Kasidet||Kasidet is a backdoor that has been dropped by using malicious VBA macros.54|
|LOWBALL||LOWBALL||LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.14|
|Lslsass||Lslsass||Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.10|
|Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.5556|
|Mimikatz||Mimikatz||Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.5758|
|Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.59|
|MiniDuke||MiniDuke||MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.25|
|Mis-Type||Mis-Type||Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012.60|
|Misdat||Misdat||Misdat is a backdoor that was used by Dust Storm from 2010 to 2011.60|
|Mivast||Mivast||Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.61|
|MobileOrder||MobileOrder||MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.19|
|MoonWind||MoonWind||MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.62|
|NETEAGLE||NETEAGLE||NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”8|
|The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.63
Net has a great deal of functionality,64 much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using |
|Net Crawler||Net Crawler|
|Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.65|
|NetTraveler||NetTraveler||NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.66|
|Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.67|
|OLDBAIT is a credential harvester used by APT28.1718|
|OnionDuke||OnionDuke||OnionDuke is malware that was used by APT29 from 2013 to 2015.25|
|OwaAuth||OwaAuth||OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.4|
|P2P ZeuS||P2P ZeuS|
|P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.68|
|POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.6970|
|Pass-The-Hash Toolkit||Pass-The-Hash Toolkit||Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems.10|
|PinchDuke||PinchDuke||PinchDuke is malware that was used by APT29 from 2008 to 2010.25|
|Ping is an operating system utility commonly used to troubleshoot and verify network connections.71|
|Pisloader||Pisloader||Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.72|
|PlugX is a remote access tool (RAT) that uses modular plugins.73 It has been used by multiple threat groups.74754|
|PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.76|
|PowerDuke||PowerDuke||PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.77|
|Prikormka||Prikormka||Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.78|
|PsExec||PsExec||PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.7980|
|Psylo||Psylo||Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.19|
|Pteranodon||Pteranodon||Pteranodon is a custom backdoor used by Gamaredon Group.81|
|RARSTONE||RARSTONE||RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.82|
|RIPTIDE||RIPTIDE||RIPTIDE is a proxy-aware backdoor used by APT12.83|
|ROCKBOOT||ROCKBOOT||ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.84|
|RTM||RTM||RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).85|
|Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.86 Utilities such as Reg are known to be used by persistent threats.87|
|Regin||Regin||Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.88|
|Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.89|
|Rover||Rover||Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.90|
|S-Type||S-Type||S-Type is a backdoor that was used by Dust Storm from 2013 to 2014.60|
|SHIPSHAPE||SHIPSHAPE||SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8|
|SHOTPUT is a custom backdoor used by APT3.91|
|SPACESHIP||SPACESHIP||SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.8|
|Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.92|
|SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.25|
|Shamoon is malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.9394|
|Skeleton Key||Skeleton Key||Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.95 Functionality similar to Skeleton Key is included as a module in Mimikatz.|
|SslMM||SslMM||SslMM is a full-featured backdoor used by Naikon that has multiple variants.45|
|StreamEx||StreamEx||StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.96|
|Sykipot||Sykipot||Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.97 The group using this malware has also been referred to as Sykipot.98|
|Sys10||Sys10||Sys10 is a backdoor that was used throughout 2013 by Naikon.45|
|Systeminfo is a Windows utility that can be used to gather detailed information about a computer.99|
|T9000||T9000||T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.100101|
|TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017.69|
|TINYTYPHON||TINYTYPHON||TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.7|
|Taidoor||Taidoor||Taidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.102|
|Tasklist||Tasklist||The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.103|
|TinyZBot||TinyZBot||TinyZBot is a bot written in C# that was developed by Cleaver.65|
|Trojan.Karagany||Trojan.Karagany||Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.15|
|Trojan.Mebromi||Trojan.Mebromi||Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.104|
|UACMe||UACMe||UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.105|
|USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.1062|
|Unknown Logger||Unknown Logger||Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.7|
|Uroburos||Uroburos||Uroburos is a rootkit used by Turla.40|
|WEBC2||WEBC2||WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server.107|
|WinMM||WinMM||WinMM is a full-featured, simple backdoor used by Naikon.45|
|Windows Credential Editor||Windows Credential Editor|
|Windows Credential Editor is a password dumping tool.108|
|Winnti||Winnti||Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.109110111|
|Wiper||Wiper||Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.112|
|XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.1131143|
|ZLib||ZLib||ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.60|
|Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.115|
|at is used to schedule tasks on a system to run at a specified date or time.116|
|cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.117
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., |
|dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.121 It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.|
|gh0st||gh0st||gh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.122|
|gsecdump||gsecdump||gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.123|
|hcdLoader||hcdLoader||hcdLoader is a remote access tool (RAT) that has been used by APT18.124|
|httpclient||httpclient||httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.1|
|ifconfig||ifconfig||ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.125|
|ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.126|
|nbtstat is a utility used to troubleshoot NetBIOS name resolution.127|
|netsh is a scripting utility used to interact with networking components on local or remote systems.128|
|netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.129|
|pngdowner||pngdowner||pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility.1|
|pwdump||pwdump||pwdump is a credential dumper.130|
|route can be used to find or change information within the local system IP routing table.131|
|schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.132|
|xCmd||xCmd||xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.133|
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
- Gostev, A.. (2014, March 12). Agent.btz: a Source of Inspiration?. Retrieved April 8, 2016.
- Microsoft. (n.d.). Arp. Retrieved April 17, 2016.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
- Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- Merritt, E.. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
- Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- ClearSky Cybersecurity. (2016, June 9). Operation DustySky – Part 2. Retrieved August 3, 2016.
- Raff, A. (2015, April 30). New Dyre Version- Yet Another Malware Evading Sandboxes. Retrieved July 18, 2016.
- Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016.
- Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
- Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
- FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
- Rascagnères, P.. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved March 9, 2017.
- Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.
- Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
- Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
- Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
- F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
- Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
- Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
- Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
- Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
- DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
- Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
- DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
- SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Microsoft. (n.d.). Ping. Retrieved April 8, 2016.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
- Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
- Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
- Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved February 2, 2015.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
- Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
- Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
- Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.
- Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
- Ge, L. (2011, September 9). BIOS Threat is Showing up Again!. Retrieved November 14, 2014.
- UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
- Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
- Microsoft. (n.d.). At. Retrieved April 28, 2016.
- Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.
- Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
- Microsoft. (n.d.). Del. Retrieved April 22, 2016.
- Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
- Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
- FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
- TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
- Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
- Wikipedia. (2016, January 26). ifconfig. Retrieved April 17, 2016.
- Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.
- Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.
- Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
- Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.
- Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.
- Microsoft. (n.d.). Route. Retrieved April 17, 2016.
- Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
- Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.