Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external, adversary-controlled system through the command and control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
ID | Name | Description |
---|---|---|
S0469 | ABK | |
S0331 | Agent Tesla | Agent Tesla can download additional files for execution on the victim’s machine.[2][3] |
S0092 | Agent.btz | Agent.btz attempts to download an encrypted binary from a specified domain.[4] |
G0130 | Ajax Security Team | Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[5] |
S0504 | Anchor | |
G0138 | Andariel | Andariel has downloaded additional tools and malware onto compromised hosts.[8] |
G0099 | APT-C-36 | APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[9] |
G0026 | APT18 | |
G0007 | APT28 | APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[11][12][13][14][15] |
G0016 | APT29 | APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.[16] |
G0022 | APT3 | |
G0050 | APT32 | APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[18] |
G0064 | APT33 | APT33 has downloaded additional files and programs from its C2 server.[19][20] |
G0067 | APT37 | APT37 has downloaded second stage malware from compromised websites.[21][22][23][24] |
G0082 | APT38 | APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[25] |
G0087 | APT39 | |
G0096 | APT41 | APT41 used certutil to download additional files.[28][29][30] |
S0456 | Aria-body | Aria-body has the ability to download additional payloads from C2.[31] |
S0373 | Astaroth | Astaroth uses certutil and BITSAdmin to download additional malware.[32][33][34] |
S0438 | Attor | Attor can download additional plugins, updates, and other files.[35] |
S0347 | AuditCred | |
S0473 | Avenger | Avenger has the ability to download files from C2 to a compromised host.[1] |
S0344 | Azorult | Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[37][38] |
S0414 | BabyShark | BabyShark has downloaded additional files from the C2.[39][40] |
S0475 | BackConfig | BackConfig can download and execute additional payloads on a compromised host.[41] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[42] |
S0642 | BADFLICK | |
S0128 | BADNEWS | BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[44][45][46] |
S0337 | BadPatch | |
S0234 | Bandook | |
S0239 | Bankshot | Bankshot uploads files and secondary payloads to the victim's machine.[49] |
S0534 | Bazar | Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[50][51][52][53] |
S0470 | BBK | BBK has the ability to download files from C2 to the infected host.[1] |
S0574 | BendyBear | BendyBear is designed to download an implant from a C2 server.[54] |
S0017 | BISCUIT | BISCUIT has a command to download a file from the C2 server.[55] |
S0268 | Bisonal | Bisonal has the capability to download files to execute on the victim’s machine.[56][57] |
S0190 | BITSAdmin | BITSAdmin can be used to create BITS Jobs to upload and/or download files.[58] |
S0564 | BlackMould | BlackMould has the ability to download files to the victim's machine.[59] |
S0520 | BLINDINGCAN | BLINDINGCAN has downloaded files to a victim machine.[60] |
S0657 | BLUELIGHT | |
S0486 | Bonadan | Bonadan can download additional modules from the C2 server.[61] |
S0360 | BONDUPDATER | BONDUPDATER can download or upload files from its C2 server.[62] |
S0635 | BoomBox | BoomBox has the ability to download next stage malware components to a compromised system.[63] |
S0651 | BoxCaon | |
S0204 | Briba | |
G0060 | BRONZE BUTLER | BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[66] |
S0471 | build_downer | build_downer has the ability to download files from C2 to the infected host.[1] |
S0482 | Bundlore | Bundlore can download and execute new versions of itself.[67] |
S0274 | Calisto | Calisto has the capability to upload and download files to the victim's machine.[68] |
S0077 | CallMe | CallMe has the capability to download a file to the victim from the C2 server.[69] |
S0351 | Cannon | |
S0484 | Carberp | Carberp can download and execute new plugins from the C2 server.[71][72] |
S0348 | Cardinal RAT | Cardinal RAT can download and execute additional payloads.[73] |
S0465 | CARROTBALL | CARROTBALL has the ability to download and install a remote payload.[74] |
S0462 | CARROTBAT | CARROTBAT has the ability to download and execute a remote file via certutil.[75] |
S0572 | Caterpillar WebShell | Caterpillar WebShell has a module to download and upload files to the system.[76] |
S0160 | certutil | certutil can be used to download files from a given URL.[77][78] |
S0631 | Chaes | Chaes can download additional files onto an infected machine.[79] |
S0144 | ChChes | ChChes is capable of downloading files, including additional modules.[80][81][82] |
G0114 | Chimera | Chimera has remotely copied tools and malware onto targeted systems.[83] |
S0020 | China Chopper | China Chopper's server component can download remote files.[84][85][86] |
S0023 | CHOPSTICK | CHOPSTICK is capable of performing remote file transmission.[87] |
S0054 | CloudDuke | CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[88] |
S0106 | cmd | cmd can be used to copy files to/from a remotely connected external system.[89] |
G0080 | Cobalt Group | Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[90][91] The group's JavaScript backdoor is also capable of downloading files.[92] |
S0154 | Cobalt Strike | Cobalt Strike can deliver additional payloads to victim machines.[93][94] |
S0369 | CoinTicker | CoinTicker executes a Python script to download its second stage.[95] |
S0608 | Conficker | Conficker downloads an HTTP server to the infected machine.[96] |
S0492 | CookieMiner | CookieMiner can download additional scripts from a web server.[97] |
S0137 | CORESHELL | |
S0614 | CostaBricks | CostaBricks has been used to load SombRAT onto a compromised host.[99] |
S0115 | Crimson | Crimson contains a command to retrieve files from its C2 server.[100][101] |
S0498 | Cryptoistic | Cryptoistic has the ability to send and receive files.[102] |
S0527 | CSPY Downloader | CSPY Downloader can download additional tools to a compromised host.[103] |
S0625 | Cuba | |
S0497 | Dacls | |
S0334 | DarkComet | DarkComet can load any files onto the infected machine to execute.[106][107] |
G0012 | Darkhotel | Darkhotel has used first-stage payloads that download additional malware from C2 servers.[108] |
S0187 | Daserf | |
S0255 | DDKONG | DDKONG downloads and uploads files on the victim’s machine.[110] |
S0616 | DEATHRANSOM | DEATHRANSOM can download files to a compromised host.[111] |
S0354 | Denis | Denis deploys additional backdoors and hacking tools to the system.[112] |
S0200 | Dipsind | |
S0213 | DOGCALL | |
S0600 | Doki | |
S0472 | down_new | down_new has the ability to download files to the compromised host.[1] |
S0134 | Downdelph | After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[116] |
G0074 | Dragonfly 2.0 | Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[117][118] |
S0547 | DropBook | DropBook can download and execute additional files.[119][120] |
S0502 | Drovorub | |
S0567 | Dtrack | Dtrack can download and upload a file to the victim’s computer.[122][123] |
S0024 | Dyre | Dyre has a command to download and execute additional files.[124] |
S0624 | Ecipekac | Ecipekac can download additional payloads to a compromised host.[125] |
S0554 | Egregor | Egregor has the ability to download files from its C2 server.[126][127] |
G0066 | Elderwood | The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[128] |
S0081 | Elise | Elise can download additional files from the C2 server for execution.[129] |
S0082 | Emissary | Emissary has the capability to download files from the C2 server.[130] |
S0363 | Empire | Empire can upload and download to and from a victim machine.[131] |
S0404 | esentutl | |
S0396 | EvilBunny | EvilBunny has downloaded additional Lua scripts from the C2.[133] |
S0568 | EVILNUM | EVILNUM can download and upload files to the victim's computer.[134][135] |
G0120 | Evilnum | Evilnum can deploy additional components or tools as needed.[134] |
S0401 | Exaramel for Linux | Exaramel for Linux has a command to download a file from and to a remote C2 server.[136][137] |
S0569 | Explosive | Explosive has a function to download a file to the infected system.[138] |
S0171 | Felismus | |
S0267 | FELIXROOT | FELIXROOT downloads and uploads files to and from the victim’s machine.[140][141] |
G0046 | FIN7 | FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[142][143] |
G0061 | FIN8 | FIN8 has used remote code execution to download subsequent payloads.[144][145] |
G0117 | Fox Kitten | Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[146] |
G0101 | Frankenstein | Frankenstein has uploaded and downloaded files to utilize additional plugins.[147] |
S0628 | FYAnti | FYAnti can download additional payloads to a compromised host.[125] |
G0093 | GALLIUM | GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[148][59] |
G0047 | Gamaredon Group | Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[149][150][151] |
S0168 | Gazer | |
S0032 | gh0st RAT | gh0st RAT can download files to the victim’s machine.[154][155] |
S0249 | Gold Dragon | Gold Dragon can download additional components from the C2 server.[156] |
S0493 | GoldenSpy | GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[157] |
S0588 | GoldMax | GoldMax can download and execute additional files.[158][159] |
G0078 | Gorgon Group | Gorgon Group malware can download additional files from C2 servers.[160] |
S0531 | Grandoreiro | Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[161][162] |
S0342 | GreyEnergy | GreyEnergy can download additional modules and payloads.[141] |
S0632 | GrimAgent | GrimAgent has the ability to download and execute additional payloads.[163] |
S0561 | GuLoader | GuLoader can download further malware for execution on the victim's machine.[164] |
S0132 | H1N1 | H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[165] |
G0125 | HAFNIUM | HAFNIUM has downloaded malware and tools, including Nishang and PowerCat, onto a compromised host.[166] |
S0499 | Hancitor | Hancitor has the ability to download additional files from C2.[167] |
S0214 | HAPPYWORK | HAPPYWORK can download and execute a second-stage payload.[21] |
S0170 | Helminth | |
S0087 | Hi-Zor | Hi-Zor has the ability to upload and download files from its C2 server.[169] |
S0394 | HiddenWasp | HiddenWasp downloads a tar compressed archive from a download server to the system.[170] |
S0601 | Hildegard | Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.[171] |
S0376 | HOPLIGHT | HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[172] |
S0431 | HotCroissant | HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[173] |
S0070 | HTTPBrowser | HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[174] |
S0203 | Hydraq | Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[175][176] |
S0398 | HyperBro | |
S0483 | IcedID | IcedID has the ability to download additional modules and a configuration file from C2.[178][179] |
G0136 | IndigoZebra | IndigoZebra has downloaded additional files and tools from its C2 server.[64] |
G0119 | Indrik Spider | Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[180][181] |
S0604 | Industroyer | Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[182] |
S0260 | InvisiMole | InvisiMole can upload files to the victim's machine for operations.[183][184] |
S0015 | Ixeshe | |
S0528 | Javali | |
S0044 | JHUHUGIT | JHUHUGIT can retrieve an additional payload from its C2 server.[186][187] JHUHUGIT has a command to download files to the victim’s machine.[188] |
S0201 | JPIN | |
S0283 | jRAT | |
S0648 | JSS Loader | JSS Loader has the ability to download malicious executables to a compromised host.[192] |
S0215 | KARAE | KARAE can upload and download files, including second-stage malware.[21] |
S0088 | Kasidet | Kasidet has the ability to download and execute additional files.[193] |
S0265 | Kazuar | Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[194] |
S0585 | Kerrdown | Kerrdown can download specific payloads to a compromised host based on OS architecture.[195] |
S0487 | Kessel | Kessel can download additional modules from the C2 server.[61] |
S0387 | KeyBoy | |
S0271 | KEYMARBLE | KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[198] |
S0526 | KGH_SPY | KGH_SPY has the ability to download and execute code from remote servers.[103] |
G0094 | Kimsuky | Kimsuky has used scripts to download additional tools from compromised domains to victim systems.[29] |
S0599 | Kinsing | Kinsing has downloaded additional lateral movement scripts from C2.[199] |
S0437 | Kivars | |
S0250 | Koadic | |
S0356 | KONNI | KONNI can download files and execute them on the victim’s machine.[202] |
S0236 | Kwampirs | |
G0032 | Lazarus Group | Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[204][205][206][102][105] |
G0065 | Leviathan | Leviathan has downloaded additional scripts and files from adversary-controlled servers.[207][84] |
S0395 | LightNeuron | LightNeuron has the ability to download and execute additional files.[208] |
S0211 | Linfo | Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[209] |
S0513 | LiteDuke | |
S0447 | Lokibot | Lokibot downloaded several staged items onto the victim's machine.[211] |
S0451 | LoudMiner | |
S0042 | LOWBALL | LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[213] |
S0532 | Lucifer | Lucifer can download and execute a replica of itself using certutil.[214] |
S0409 | Machete | Machete can download additional files for execution on the victim’s machine.[215] |
G0059 | Magic Hound | Magic Hound has downloaded additional code and files from servers onto victims.[216] |
S0652 | MarkiRAT | MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[217] |
S0500 | MCMD | MCMD can upload additional files to a compromised host.[218] |
S0459 | MechaFlounder | MechaFlounder has the ability to upload and download files to and from a compromised host.[219] |
S0530 | Melcoz | Melcoz has the ability to download additional files to a compromised host.[34] |
G0045 | menuPass | menuPass has installed updates and new malware on victims.[220][221] |
S0455 | Metamorfo | Metamorfo has used MSI files to download additional files to execute.[222][223][224][225] |
S0339 | Micropsia | Micropsia can download and execute an executable from the C2 server.[226][227] |
S0051 | MiniDuke | MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[228][210] |
S0083 | Misdat | |
S0080 | Mivast | Mivast has the capability to download and execute .exe files.[230] |
S0079 | MobileOrder | MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[69] |
S0553 | MoleNet | |
G0021 | Molerats | Molerats used executables to download malicious files from different sources.[231][232] |
S0284 | More_eggs | More_eggs can download and launch additional payloads.[233][234] |
S0256 | Mosquito | |
G0069 | MuddyWater | MuddyWater has used malware that can upload additional files to the victim’s machine.[236][237][238][239] |
G0129 | Mustang Panda | Mustang Panda has downloaded additional executables following the initial infection stage.[240] |
S0228 | NanHaiShu | |
S0336 | NanoCore | NanoCore has the capability to download and activate additional modules for execution.[241][242] |
S0247 | NavRAT | |
S0272 | NDiskMonitor | NDiskMonitor can download and execute a file from a given URL.[46] |
S0630 | Nebulae | |
S0210 | Nerex | Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[128] |
S0457 | Netwalker | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[245] |
S0198 | NETWIRE | NETWIRE can download payloads from C2 to the compromised host.[246][247] |
S0118 | Nidiran | |
S0385 | njRAT | |
S0353 | NOKKI | |
G0133 | Nomadic Octopus | Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[252] |
S0340 | Octopus | Octopus can download additional files and tools onto the victim’s machine.[253][254][252] |
G0049 | OilRig | |
S0439 | Okrum | Okrum has built-in commands for uploading, downloading, and executing files to the system.[256] |
S0264 | OopsIE | OopsIE can download files from its C2 server to the victim's machine.[257][258] |
G0116 | Operation Wocao | Operation Wocao can download additional files to the infected system.[259] |
S0229 | Orz | |
S0402 | OSX/Shlayer | OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[264][265] |
S0598 | P.A.S. Webshell | P.A.S. Webshell can upload and download files to and from compromised hosts.[137] |
S0626 | P8RAT | P8RAT can download additional payloads to a target system.[125] |
S0208 | Pasam | Pasam creates a backdoor through which remote attackers can upload files.[266] |
G0040 | Patchwork | Patchwork payloads download additional files from the C2 server.[267][46] |
S0587 | Penquin | Penquin can execute the command code |
S0643 | Peppy | |
S0501 | PipeMon | PipeMon can install additional modules via C2 commands.[269] |
S0124 | Pisloader | Pisloader has a command to upload a file to the victim machine.[270] |
S0254 | PLAINTEE | PLAINTEE has downloaded and executed additional plugins.[110] |
G0068 | PLATINUM | PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[271] |
S0435 | PLEAD | PLEAD has the ability to upload and download files to and from an infected host.[272] |
S0013 | PlugX | PlugX has a module to download and execute files on the compromised machine.[273] |
S0428 | PoetRAT | PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.[274][275] |
S0012 | PoisonIvy | PoisonIvy creates a backdoor through which remote attackers can upload files.[276] |
S0518 | PolyglotDuke | PolyglotDuke can retrieve payloads from the C2 server.[210] |
S0453 | Pony | Pony can download additional files onto the infected system.[277] |
S0150 | POSHSPY | POSHSPY downloads and executes additional PowerShell code and Windows binaries.[278] |
S0139 | PowerDuke | |
S0145 | POWERSOURCE | POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[280] |
S0223 | POWERSTATS | POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[281] |
S0184 | POWRUNER | POWRUNER can download or upload files from its C2 server.[255] |
S0078 | Psylo | Psylo has a command to download a file to the system from its C2 server.[69] |
S0147 | Pteranodon | Pteranodon can download and execute additional files.[149] |
S0196 | PUNCHBUGGY | PUNCHBUGGY can download additional files and payloads to compromised hosts.[282][283] |
S0192 | Pupy | |
S0650 | QakBot | QakBot has the ability to download additional components and malware.[285][286][287][288][289][290] |
S0262 | QuasarRAT | QuasarRAT can download files to the victim’s machine and execute them.[291][292] |
S0629 | RainyDay | |
G0075 | Rancor | Rancor has downloaded additional malware, including by using certutil.[110] |
S0055 | RARSTONE | RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[293] |
S0241 | RATANKBA | |
S0495 | RDAT | |
S0153 | RedLeaves | RedLeaves is capable of downloading a file from a specified URL.[297] |
S0511 | RegDuke | |
S0332 | Remcos | Remcos can upload and download files to and from the victim’s machine.[298] |
S0166 | RemoteCMD | RemoteCMD copies a file over to the remote system before execution.[299] |
S0592 | RemoteUtilities | RemoteUtilities can upload and download files to and from a target machine.[239] |
S0125 | Remsec | Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[300][301] |
S0379 | Revenge RAT | Revenge RAT has the ability to upload and download files.[302] |
S0496 | REvil | REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[303][304][305] |
S0258 | RGDoor | RGDoor uploads and downloads files to and from the victim’s machine.[306] |
G0106 | Rocke | Rocke used malware to download additional malicious files to the target system.[307] |
S0270 | RogueRobin | RogueRobin can save a new file to the system from the C2 server.[308][309] |
S0240 | ROKRAT | ROKRAT retrieves additional malicious payloads from the C2 server.[310][311] |
S0148 | RTM | |
S0074 | Sakula | |
G0034 | Sandworm Team | Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[315][316] |
S0461 | SDBbot | SDBbot has the ability to download a DLL from C2 to a compromised host.[317] |
S0053 | SeaDuke | |
S0345 | Seasalt | |
S0185 | SEASHARPEE | SEASHARPEE can download remote files onto victims.[319] |
S0382 | ServHelper | ServHelper may download additional files to execute.[320][321] |
S0639 | Seth-Locker | Seth-Locker has the ability to download and execute files on a compromised host.[322] |
S0596 | ShadowPad | |
S0140 | Shamoon | Shamoon can download an executable to run on the victim.[324] |
G0104 | Sharpshooter | Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[325] |
S0546 | SharpStage | SharpStage has the ability to download and execute additional payloads via a DropBox API.[119][120] |
S0450 | SHARPSTATS | SHARPSTATS has the ability to upload and download files.[326] |
S0444 | ShimRat | |
S0445 | ShimRatReporter | ShimRatReporter had the ability to download additional payloads.[327] |
S0217 | SHUTTERSPEED | SHUTTERSPEED can download and execute an arbitrary executable.[21] |
S0589 | Sibot | Sibot can download and execute a payload onto a compromised system.[158] |
S0610 | SideTwist | SideTwist has the ability to download additional files.[328] |
G0121 | Sidewinder | Sidewinder has used LNK files to download remote files to the victim's network.[329][330] |
G0091 | Silence | Silence has downloaded additional modules and malware to victim’s machines.[331] |
S0468 | Skidmap | Skidmap has the ability to download files on an infected host.[332] |
S0633 | Sliver | Sliver can upload files from the C2 server to the victim machine using the |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has downloaded files onto a victim machine.[334] |
S0218 | SLOWDRIFT | |
S0226 | Smoke Loader | Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[335] |
S0649 | SMOKEDHAM | SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.[336] |
S0627 | SodaMaster | SodaMaster has the ability to download additional payloads from C2 to the targeted system.[125] |
S0615 | SombRAT | SombRAT has the ability to download and execute additional payloads.[99][111][337] |
S0516 | SoreFang | SoreFang can download additional payloads from C2.[338][339] |
S0374 | SpeakUp | SpeakUp downloads and executes additional files from a remote server.[340] |
S0646 | SpicyOmelette | SpicyOmelette can download malicious files from threat actor controlled AWS URLs.[341] |
S0390 | SQLRat | SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[342] |
S0380 | StoneDrill | StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[343] |
S0491 | StrongPity | StrongPity can download files to specified targets.[344] |
S0559 | SUNBURST | SUNBURST delivered different payloads, including TEARDROP in at least one instance.[16] |
G0092 | TA505 | TA505 has downloaded additional malware to execute on victim systems.[345][321][346] |
G0127 | TA551 | TA551 has retrieved DLLs and installer binaries for malware execution from C2.[347] |
S0011 | Taidoor | Taidoor has downloaded additional files onto a compromised host.[348] |
S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE can download additional modules from its C2 server.[349] |
S0164 | TDTESS | TDTESS has a command to download and execute an additional file.[350] |
G0139 | TeamTNT | TeamTNT has used the curl command and batch scripts to download new tools.[351] |
S0595 | ThiefQuest | ThiefQuest can download and execute payloads in-memory or from disk.[352] |
G0027 | Threat Group-3390 | After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[174] |
G0131 | Tonto Team | Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[353] |
S0266 | TrickBot | TrickBot downloads several additional files and saves them to the victim's machine.[354][355] |
S0094 | Trojan.Karagany | Trojan.Karagany can upload, download, and execute files on the victim.[356][357] |
G0081 | Tropic Trooper | Tropic Trooper has used a delivered trojan to download additional files.[358] |
S0436 | TSCookie | TSCookie has the ability to upload and download files to and from the infected host.[359] |
S0647 | Turian | Turian can download additional files and tools from its C2.[42] |
G0010 | Turla | Turla has used shellcode to download Meterpreter after compromising a victim.[360] |
S0199 | TURNEDUP | |
S0263 | TYPEFRAME | TYPEFRAME can upload and download files to the victim’s machine.[362] |
S0333 | UBoatRAT | UBoatRAT can upload and download files to the victim’s machine.[363] |
S0130 | Unknown Logger | Unknown Logger is capable of downloading remote files.[44] |
S0275 | UPPERCUT | UPPERCUT can download and upload files to and from the victim’s machine.[364] |
S0386 | Ursnif | Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[365][366] |
S0476 | Valak | Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[367][368] |
S0636 | VaporRage | VaporRage has the ability to download malicious shellcode to compromised systems.[63] |
S0207 | Vasport | |
S0442 | VBShower | VBShower has the ability to download VBS files to the target computer.[370] |
S0257 | VERMIN | VERMIN can download and upload files to the victim's machine.[371] |
G0123 | Volatile Cedar | Volatile Cedar can deploy additional tools.[76] |
S0180 | Volgmer | Volgmer can download remote files and additional payloads to the victim's machine.[372][373][374] |
S0579 | Waterbear | Waterbear can receive and load executables from remote C2 servers.[375] |
S0109 | WEBC2 | |
S0515 | WellMail | WellMail can receive data and executable scripts from C2.[377] |
S0514 | WellMess | |
G0107 | Whitefly | Whitefly has the ability to download additional tools from the C2.[380] |
S0206 | Wiarp | Wiarp creates a backdoor through which remote attackers can download files.[381] |
G0112 | Windshift | Windshift has used tools to deploy additional payloads to compromised hosts.[382] |
S0430 | Winnti for Linux | Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host.[383] |
G0090 | WIRTE | WIRTE has downloaded PowerShell code from the C2 server to be executed.[384] |
S0341 | Xbash | Xbash can download additional malicious files from its C2 server.[385] |
S0653 | xCaon | xCaon has a command to download files to the victim's machine.[64] |
S0658 | XCSSET | XCSSET downloads browser specific AppleScript modules using a constructed URL with the |
S0388 | YAHOYAH | YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[387] |
S0251 | Zebrocy | Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[388][70][389][13] |
S0230 | ZeroT | ZeroT can download additional payloads onto the victim.[390] |
S0330 | Zeus Panda | Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[391] |
G0128 | ZIRCONIUM | ZIRCONIUM has used tools to download malicious files to compromised hosts.[392] |
S0086 | ZLib | |
S0412 | ZxShell | ZxShell has a command to transfer files from a remote host.[393] |
ID | Mitigation | Description |
---|---|---|
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[394] |
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Connection Creation |
 | | Network Traffic Content |
 | | Network Traffic Flow |
Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[394]
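As an added detection example (not part of the ATT&CK page), the following Python correlates constructed endpoint events and flow records along the lines described above: a process that opens an external connection and then creates a payload-like file, the download-capable utilities the page names (certutil, BITSAdmin, curl, FTP, scp/sftp/rsync) reaching external hosts, and flows that are client-heavy or carry a service that does not match the destination port. Field names, thresholds and every sample record are hypothetical.

```python
"""Correlating endpoint and network telemetry to surface ingress tool transfer.
Added example, not content from the ATT&CK page: field names are hypothetical
(loosely Sysmon-like events, Zeek-like flows) and all sample records are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Download-capable utilities named in the page's procedure examples plus the
# native Mac/Linux copy tools it mentions.
DOWNLOAD_UTILITIES = {"certutil.exe", "bitsadmin.exe", "curl", "wget",
                      "ftp.exe", "scp", "sftp", "rsync"}
PAYLOAD_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".scr", ".msi")
EXPECTED_SERVICE = {21: "ftp", 22: "ssh", 80: "http", 443: "ssl"}
# RFC 1918 plus loopback; the documentation ranges in the samples
# (203.0.113.0/24, 198.51.100.0/24) stand in for internet hosts.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

def _is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def detect_ingress_transfers(events, window_s=120):
    """Flag a known download utility reaching an external host, and any process
    that opens an external connection and then creates a payload-like file
    within window_s seconds (the connection / file creation pairing above)."""
    recent_conns = defaultdict(list)   # (host, pid) -> [(ts, dst_ip)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev["type"] == "netconn" and _is_external(ev["dst_ip"]):
            recent_conns[key].append((_parse_ts(ev["ts"]), ev["dst_ip"]))
            if image in DOWNLOAD_UTILITIES:
                alerts.append({"rule": "download-utility-external", "host": ev["host"],
                               "image": image, "dst_ip": ev["dst_ip"]})
        elif ev["type"] == "filecreate" and ev["path"].lower().endswith(PAYLOAD_EXTS):
            created = _parse_ts(ev["ts"])
            for conn_ts, dst_ip in recent_conns[key]:
                if 0 <= (created - conn_ts).total_seconds() <= window_s:
                    alerts.append({"rule": "external-conn-then-file-create",
                                   "host": ev["host"], "image": image,
                                   "dst_ip": dst_ip, "path": ev["path"]})
                    break
    return alerts

def detect_uncommon_flows(flows, upload_ratio=10.0, min_bytes=100_000):
    """Flag external flows lopsided toward the client (it sends far more than it
    receives) or whose observed service does not match the destination port."""
    alerts = []
    for flow in flows:
        if not _is_external(flow["resp_h"]):
            continue
        sent, recv = flow["orig_bytes"], flow["resp_bytes"]
        if sent >= min_bytes and sent > upload_ratio * max(recv, 1):
            alerts.append({"rule": "client-heavy-flow", **flow})
        expected = EXPECTED_SERVICE.get(flow["resp_p"])
        if expected and flow.get("service") and flow["service"] != expected:
            alerts.append({"rule": "port-service-mismatch", **flow})
    return alerts

def _ev(host, pid, image, ts, **rest):
    return {"host": host, "pid": pid, "image": image, "ts": ts, **rest}

# Constructed sample telemetry; ISO timestamps sort correctly as strings.
SAMPLE_EVENTS = [
    # Office process calls out, then writes an .exe 45 s later: correlation hit.
    _ev("WS01", 4242, "C:\\Office\\WINWORD.EXE", "2021-10-05T10:00:00",
        type="netconn", dst_ip="203.0.113.10"),
    _ev("WS01", 4242, "C:\\Office\\WINWORD.EXE", "2021-10-05T10:00:45",
        type="filecreate", path="C:\\Users\\a\\AppData\\Local\\Temp\\update.exe"),
    # certutil contacting an external host: download-utility hit.
    _ev("WS01", 5100, "C:\\Windows\\System32\\certutil.exe",
        "2021-10-05T10:02:00", type="netconn", dst_ip="203.0.113.10"),
    # Browser fetching a PDF: not a payload extension, no alert.
    _ev("WS02", 777, "C:\\Chrome\\chrome.exe", "2021-10-05T10:05:00",
        type="netconn", dst_ip="198.51.100.5"),
    _ev("WS02", 777, "C:\\Chrome\\chrome.exe", "2021-10-05T10:05:10",
        type="filecreate", path="C:\\Users\\a\\Downloads\\report.pdf"),
    # File lands five minutes after the connection: outside the default window.
    _ev("WS03", 900, "C:\\Office\\EXCEL.EXE", "2021-10-05T10:10:00",
        type="netconn", dst_ip="203.0.113.20"),
    _ev("WS03", 900, "C:\\Office\\EXCEL.EXE", "2021-10-05T10:15:00",
        type="filecreate", path="C:\\Users\\a\\AppData\\Local\\Temp\\late.exe"),
]
SAMPLE_FLOWS = [  # Zeek-like conn records, constructed
    {"orig_h": "10.0.0.7", "resp_h": "203.0.113.10", "resp_p": 443,
     "service": "ssl", "orig_bytes": 50_000_000, "resp_bytes": 3_000},
    {"orig_h": "10.0.0.7", "resp_h": "203.0.113.10", "resp_p": 443,
     "service": "http", "orig_bytes": 1_000, "resp_bytes": 4_000_000},
    {"orig_h": "10.0.0.9", "resp_h": "198.51.100.5", "resp_p": 80,
     "service": "http", "orig_bytes": 800, "resp_bytes": 120_000},
]

if __name__ == "__main__":
    for alert in detect_ingress_transfers(SAMPLE_EVENTS) + detect_uncommon_flows(SAMPLE_FLOWS):
        print(alert["rule"], alert)
```

Widening `window_s` to 600 makes the EXCEL.EXE case fire as well, which is the usual tuning trade-off between catching slow staged downloads and adding noise from ordinary browser activity.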