1. Home
  2. Techniques
  3. Enterprise
  4. Abuse Elevation Control Mechanism
  5. Bypass User Account Control

Abuse Elevation Control Mechanism: Bypass User Account Control

ID Name
T1548.001 Setuid and Setgid
T1548.002 Bypass User Account Control
T1548.003 Sudo and Sudo Caching
T1548.004 Elevated Execution with Prompt

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. [1]

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. [2] [3] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[4]

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[5] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

  • eventvwr.exe can auto-elevate and execute a specified binary or script.[6][7]

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[8]

Angreifer können die UAC-Mechanismen umgehen, um die Prozessrechte auf dem System zu erhöhen. Die Windows-Benutzerkontensteuerung (UAC) ermöglicht es einem Programm, seine Berechtigungen zu erhöhen (verfolgt als Integritätsstufen von niedrig bis hoch), um eine Aufgabe mit Administratorrechten auszuführen, möglicherweise indem der Benutzer zur Bestätigung aufgefordert wird. Die Auswirkungen auf den Benutzer reichen von der Verweigerung des Vorgangs unter hoher Erzwingung bis hin zur Erlaubnis, die Aktion auszuführen, wenn der Benutzer der lokalen Administratorengruppe angehört und die Eingabeaufforderung überspringt oder ein Administratorkennwort eingeben muss, um die Aktion abzuschliessen. (Zitat: TechNet How UAC Works)

Wenn die UAC-Schutzstufe eines Computers nicht auf die höchste Stufe eingestellt ist, können bestimmte Windows-Programme die Berechtigungen erhöhen oder einige erweiterte Component Object Model-Objekte ausführen, ohne dass der Benutzer über das UAC-Benachrichtigungsfeld dazu aufgefordert wird. (Zitat: TechNet Inside UAC) (Zitat: MSDN COM Elevation) Ein Beispiel hierfür ist die Verwendung von Rundll32 zum Laden einer speziell gestalteten DLL, die ein automatisch erhöhtes Component Object Model Objekt lädt und eine Dateioperation in einem geschützten Verzeichnis durchführt, für die normalerweise ein erhöhter Zugriff erforderlich wäre. Bösartige Software kann auch in einen vertrauenswürdigen Prozess eingeschleust werden, um erhöhte Rechte zu erlangen, ohne dass der Benutzer dazu aufgefordert wird.(Zitat: Davidson Windows)

Es wurden bereits viele Methoden entdeckt, um die UAC zu umgehen. Die Github-Readme-Seite für UACME enthält eine umfangreiche Liste von Methoden (Zitat: Github UACMe), die entdeckt und implementiert wurden, aber es handelt sich dabei nicht unbedingt um eine umfassende Liste von Umgehungsmethoden. Es werden regelmässig weitere Umgehungsmethoden entdeckt und einige davon in freier Wildbahn eingesetzt, wie z.B.:

  • eventvwr.exe kann ein bestimmtes Binärprogramm oder Skript automatisch auslösen und ausführen.(Zitat: enigma0x3 Fileless UAC Bypass)(Zitat: Fortinet Fareit)

Eine weitere Umgehung ist durch einige seitliche Bewegungstechniken möglich, wenn die Anmeldeinformationen für ein Konto mit Administratorrechten bekannt sind, da die UAC ein Sicherheitssystem für ein einzelnes System ist und die Privilegien oder die Integrität eines Prozesses, der auf einem System läuft, auf entfernten Systemen unbekannt sind und standardmässig auf hohe Integrität eingestellt sind.(Zitat: SANS UAC Bypass)

Les adversaires peuvent contourner les mécanismes UAC pour élever les privilèges des processus sur le système. Le contrôle de compte d'utilisateur (UAC) de Windows permet à un programme d'élever ses privilèges (suivis comme des niveaux d'intégrité allant de faible à élevé) pour exécuter une tâche sous des autorisations de niveau administrateur, éventuellement en demandant à l'utilisateur une confirmation. L'impact sur l'utilisateur va du refus de l'opération en cas d'application élevée à l'autorisation de l'utilisateur d'effectuer l'action s'il fait partie du groupe des administrateurs locaux et clique sur l'invite ou l'autorisation de saisir un mot de passe d'administrateur pour effectuer l'action. (Citation : TechNet How UAC Works)

Si le niveau de protection UAC d'un ordinateur n'est pas réglé sur le niveau le plus élevé, certains programmes Windows peuvent élever les privilèges ou exécuter certains objets [Component Object Model] (/techniques/T1559/001) élevés sans que l'utilisateur ne soit invité à passer par la boîte de notification UAC. (Citation : TechNet Inside UAC) (Citation : MSDN COM Elevation) Un exemple de ceci est l'utilisation de Rundll32 pour charger une DLL spécifiquement conçue qui charge un objet Component Object Model élevé automatiquement et exécute une opération de fichier dans un répertoire protégé qui nécessiterait normalement un accès élevé. Un logiciel malveillant peut également être injecté dans un processus de confiance pour obtenir des privilèges élevés sans que l'utilisateur ne soit invité à le faire. (Citation : Davidson Windows)

De nombreuses méthodes ont été découvertes pour contourner l'UAC. La page readme de Github pour UACME contient une liste exhaustive des méthodes(Citation : Github UACMe) qui ont été découvertes et implémentées, mais il ne s'agit pas d'une liste exhaustive des contournements. Des méthodes de contournement supplémentaires sont régulièrement découvertes et certaines utilisées dans la nature, telles que :

  • eventvwr.exe peut s'élever automatiquement et exécuter un binaire ou un script spécifié.(Citation : enigma0x3 Fileless UAC Bypass)(Citation : Fortinet Fareit)

Un autre contournement est possible par le biais de certaines techniques de mouvement latéral si les informations d'identification d'un compte avec des privilèges d'administrateur sont connues, puisque l'UAC est un mécanisme de sécurité à système unique, et que le privilège ou l'intégrité d'un processus s'exécutant sur un système sera inconnu sur les systèmes distants et par défaut à intégrité élevée.(Citation : SANS UAC Bypass)

Gli avversari possono bypassare i meccanismi UAC per elevare i privilegi dei processi sul sistema. Windows User Account Control (UAC) permette ad un programma di elevare i suoi privilegi (tracciati come livelli di integrità che vanno da basso ad alto) per eseguire un compito con permessi di livello amministratore, eventualmente chiedendo all'utente una conferma. L'impatto per l'utente varia dal negare l'operazione sotto alti privilegi a permettere all'utente di eseguire l'azione se è nel gruppo di amministratori locali e clicca attraverso la richiesta o permettendo di inserire una password di amministratore per completare l'azione. (Citazione: TechNet How UAC Works)

Se il livello di protezione UAC di un computer è impostato su qualsiasi cosa che non sia il livello più alto, alcuni programmi di Windows possono elevare i privilegi o eseguire alcuni oggetti Component Object Model elevati senza richiedere all'utente attraverso la casella di notifica UAC. (Citazione: TechNet Inside UAC) (Citazione: MSDN COM Elevation) Un esempio è l'uso di Rundll32 per caricare una DLL appositamente creata che carica un oggetto Component Object Model auto-elevato ed esegue un'operazione di file in una directory protetta che in genere richiederebbe un accesso elevato. Il software maligno può anche essere iniettato in un processo fidato per ottenere privilegi elevati senza chiedere all'utente.(Citazione: Davidson Windows)

Sono stati scoperti molti metodi per bypassare l'UAC. La pagina readme di Github per UACME contiene un ampio elenco di metodi (Citazione: Github UACMe) che sono stati scoperti e implementati, ma potrebbe non essere un elenco completo di bypass. Ulteriori metodi di bypass vengono regolarmente scoperti e alcuni usati in natura, come ad esempio:

  • eventvwr.exe può auto-elevare ed eseguire un binario o uno script specificato.(Citazione: enigma0x3 Fileless UAC Bypass)(Citazione: Fortinet Fareit)

Un altro bypass è possibile attraverso alcune tecniche di movimento laterale se si conoscono le credenziali di un account con privilegi di amministratore, dato che UAC è un meccanismo di sicurezza a sistema singolo, e il privilegio o l'integrità di un processo in esecuzione su un sistema sarà sconosciuto su sistemi remoti e predefinito ad alta integrità.(Citazione: SANS UAC Bypass)

Login
ID: T1548.002
Sub-technique of:  T1548
Platforms: Windows
Permissions Required: Administrator, User
Effective Permissions: Administrator
Defense Bypassed: Windows User Account Control
Contributors: Casey Smith; Stefan Kanthak
Version: 2.0
Created: 30 January 2020
Last Modified: 22 July 2020
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
S0584 AppleJeus

AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.[9]
G0016 APT29

APT29 has bypassed UAC.[10]
G0067 APT37

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[11]
S0129 AutoIt backdoor

AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[12]
S0640 Avaddon

Avaddon bypasses UAC using the CMSTPLUA COM interface.[13]

S0606 Bad Rabbit

Bad Rabbit has attempted to bypass UAC and gain elevated administrative privileges.[14]
S0570 BitPaymer

BitPaymer can suppress UAC prompts by setting the HKCU\Software\Classes\ms-settings\shell\open\command registry key on Windows 10 or HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 and launching the eventvwr.msc process, which launches BitPaymer with elevated privileges.[15]
S0089 BlackEnergy

BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.[16]
G0060 BRONZE BUTLER

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[17][18]
G0080 Cobalt Group

Cobalt Group has bypassed UAC.[19]
S0154 Cobalt Strike

Cobalt Strike can use a number of known techniques to bypass Windows UAC.[20][21]
S0527 CSPY Downloader

CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[22]
S0134 Downdelph

Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[23]
S0363 Empire

Empire includes various modules to attempt to bypass UAC for escalation of privileges.[24]
G0120 Evilnum

Evilnum has used PowerShell to bypass UAC.[25]
S0182 FinFisher

FinFisher performs UAC bypass.[26][27]
S0531 Grandoreiro

Grandoreiro can bypass UAC by registering as the default handler for .MSC files.[28]
S0132 H1N1

H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[29]
G0072 Honeybee

Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[30]
S0260 InvisiMole

InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.[31][32]
S0250 Koadic

Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.[33]
S0356 KONNI

KONNI bypassed UAC with the "AlwaysNotify" settings.[34]
S0447 Lokibot

Lokibot has utilized multiple techniques to bypass UAC.[35]
G0069 MuddyWater

MuddyWater uses various techniques to bypass UAC.[36]
G0040 Patchwork

Patchwork bypassed User Access Control (UAC).[37]
S0501 PipeMon

PipeMon installer can use UAC bypass techniques to install the payload.[38]
S0254 PLAINTEE

An older variant of PLAINTEE performs UAC bypass.[39]
S0378 PoshC2

PoshC2 can utilize multiple methods to bypass UAC.[40]
S0192 Pupy

Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.[41]
S0458 Ramsay

Ramsay can use UACMe for privilege escalation.[42][43]

S0332 Remcos

Remcos has a command for UAC bypassing.[44]
S0148 RTM

RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[45]
S0074 Sakula

Sakula contains UAC bypass code for both 32- and 64-bit systems.[46]
S0140 Shamoon

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.[47]
S0444 ShimRat

ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.[48]
G0027 Threat Group-3390

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[49]
S0116 UACMe

UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[5]
S0612 WastedLocker

WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.[50]
S0230 ZeroT

Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.[51]

Mitigations

ID Mitigation Description
M1047 Audit

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[5]
M1026 Privileged Account Management

Remove users from the local administrator group on systems.
M1051 Update Software

Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[5]
M1052 User Account Control

Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
Process Metadata
DS0024 Windows Registry Windows Registry Key Modification

There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of Process Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes.

Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:

  • The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.[6]

  • The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.[52][53]

Analysts should monitor these Registry settings for unauthorized changes.

Es gibt viele Möglichkeiten, die UAC zu umgehen, wenn sich ein Benutzer in der lokalen Administratorgruppe eines Systems befindet, so dass es schwierig sein könnte, alle Varianten gezielt zu erkennen. Sie sollten sich darauf konzentrieren, den Schaden einzudämmen und genügend Informationen über Prozessstarts und Aktionen zu sammeln, die vor und nach einer UAC-Umgehung durchgeführt werden könnten. Überwachen Sie Prozess-API-Aufrufe auf Verhaltensweisen, die auf Process Injection und ungewöhnlich geladene DLLs durch DLL Search Order Hijacking hinweisen, die auf Versuche hinweisen, Zugriff auf höher privilegierte Prozesse zu erhalten.

Einige Methoden zur Umgehung der UAC beruhen auf der Änderung bestimmter, für den Benutzer zugänglicher Registry-Einstellungen. Zum Beispiel:

  • Die Umgehung von eventvwr.exe verwendet den Registrierungsschlüssel [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command.(Zitat: enigma0x3 Fileless UAC Bypass)

  • Die Umgehung von sdclt.exe verwendet die Registrierungsschlüssel [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe und [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registrierungsschlüssel.(Zitat: enigma0x3 sdclt app paths)(Zitat: enigma0x3 sdclt bypass)

Analysten sollten diese Registry-Einstellungen auf nicht autorisierte Änderungen überwachen.

Il existe de nombreuses façons de contourner l'UAC lorsqu'un utilisateur fait partie du groupe des administrateurs locaux sur un système, il peut donc être difficile de cibler la détection sur toutes les variations. Les efforts devraient probablement porter sur l'atténuation et la collecte de suffisamment d'informations sur les lancements de processus et les actions qui pourraient être effectuées avant et après un contournement de l'UAC. Surveillez les appels d'API de processus à la recherche d'un comportement qui pourrait indiquer une [injection de processus] (/techniques/T1055) et des DLL chargées de manière inhabituelle par le biais d'un [détournement de l'ordre de recherche de DLL] (/techniques/T1574/001), ce qui indique des tentatives d'accès à des processus à privilèges plus élevés.

Certaines méthodes de contournement de l'UAC reposent sur la modification de paramètres de registre spécifiques et accessibles à l'utilisateur. Par exemple :

  • Le contournement de eventvwr.exe utilise la clé de registre [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command.(Citation : enigma0x3 Fileless UAC Bypass)

  • Le contournement de sdclt.exe utilise les clés de registre [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe et [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand clés de registre.(Citation : enigma0x3 sdclt app paths)(Citation : enigma0x3 sdclt bypass)

Les analystes doivent surveiller ces paramètres de Registre pour détecter toute modification non autorisée.

Ci sono molti modi per eseguire bypass di UAC quando un utente è nel gruppo di amministratori locali su un sistema, quindi può essere difficile puntare al rilevamento su tutte le varianti. È probabile che gli sforzi si concentrino sulla mitigazione e sulla raccolta di informazioni sufficienti sui lanci di processo e sulle azioni che potrebbero essere eseguite prima e dopo l'esecuzione di un bypass UAC. Monitorare le chiamate API di processo per un comportamento che può essere indicativo di Process Injection e DLL caricate in modo insolito attraverso DLL Search Order Hijacking, che indicano tentativi di ottenere accesso a processi con privilegi superiori.

Alcuni metodi di bypass dell'UAC si basano sulla modifica di impostazioni di registro specifiche e accessibili all'utente. Per esempio:

  • Il bypass eventvwr.exe usa la chiave di registro [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command.(Citazione: enigma0x3 Fileless UAC Bypass)

  • Il bypass sdclt.exe usa il [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe e [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand chiavi di registro.(Citazione: enigma0x3 sdclt app paths)(Citazione: enigma0x3 sdclt bypass)

Gli analisti dovrebbero monitorare queste impostazioni del registro per cambiamenti non autorizzati.

References

  1. Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.
  2. Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.
  3. Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.
  4. Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.
  5. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
  6. Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.
  7. Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.
  8. Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.
  9. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  10. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  11. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  12. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  13. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  14. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  15. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  16. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  17. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  18. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  19. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  20. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  21. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  22. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  23. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  24. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  25. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  26. FinFisher. (n.d.). Retrieved December 20, 2017.
  27. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  1. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  2. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  3. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  4. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  5. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  6. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  7. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  8. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  9. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  10. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  11. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  12. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  13. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  14. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  15. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  16. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  17. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  18. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  19. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  20. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  21. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  22. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  23. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  24. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  25. Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.
  26. Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.