ID | Name |
---|---|
T1588.001 | Malware |
T1588.002 | Tool |
T1588.003 | Code Signing Certificates |
T1588.004 | Digital Certificates |
T1588.005 | Exploits |
T1588.006 | Vulnerabilities |
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.[1]
Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
ID | Name | Description |
---|---|---|
G0099 | APT-C-36 | APT-C-36 obtained and used a modified variant of Imminent Monitor.[2] |
G0006 | APT1 | APT1 has used various open-source tools for privilege escalation purposes.[3] |
G0073 | APT19 | APT19 has obtained and used publicly-available tools like Empire.[4][5] |
G0007 | APT28 | APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.[6][7][8] |
G0016 | APT29 | APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.[9][10][11] |
G0050 | APT32 | APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.[12][13] |
G0064 | APT33 | APT33 has obtained and leveraged publicly-available tools for early intrusion activities.[14][15] |
G0082 | APT38 | APT38 has obtained and used open-source tools such as Mimikatz.[16] |
G0087 | APT39 | APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.[17][18] |
G0096 | APT41 | APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[19] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.[20] |
G0108 | Blue Mockingbird | Blue Mockingbird has obtained and used tools such as Mimikatz.[21] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.[22] |
G0008 | Carbanak | Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.[23] |
G0114 | Chimera | Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.[24][25] |
G0003 | Cleaver | Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.[26] |
G0080 | Cobalt Group | Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.[27] |
G0052 | CopyKittens | CopyKittens has used Metasploit and Empire for post-exploitation activities.[28] |
G0132 | CostaRicto | CostaRicto has obtained open-source tools to use in their operations.[29] |
G0079 | DarkHydrus | DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.[30] |
G0105 | DarkVishnya | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[31] |
G0035 | Dragonfly | Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.[32] |
G0137 | Ferocious Kitten | Ferocious Kitten has obtained open-source tools for its operations, including JsonCPP and Psiphon.[33] |
G0051 | FIN10 | FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.[34] |
G0053 | FIN5 | FIN5 has obtained and used a customized version of PsExec, as well as other tools such as pwdump, SDelete, and Windows Credential Editor.[35] |
G0037 | FIN6 | FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.[36][37] |
G0101 | Frankenstein | Frankenstein has obtained and used Empire to deploy agents.[38] |
G0093 | GALLIUM | GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[39] |
G0078 | Gorgon Group | Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.[40] |
G0100 | Inception | Inception has obtained and used open-source tools such as LaZagne.[41] |
G0136 | IndigoZebra | IndigoZebra has acquired open-source tools such as NBTscan and Meterpreter for their operations.[42][43] |
G0004 | Ke3chang | |
G0094 | Kimsuky | Kimsuky has obtained and used tools such as Mimikatz and PsExec.[45] |
G0077 | Leafminer | Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.[46] |
G0059 | Magic Hound | Magic Hound has obtained and used open-source penetration testing tools like Havij, sqlmap, Metasploit, and Mimikatz.[47][48] |
G0045 | menuPass | menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.[49] |
G0069 | MuddyWater | MuddyWater has made use of the legitimate tools ConnectWise and RemoteUtilities for access to target environments.[50] |
G0014 | Night Dragon | Night Dragon has obtained and used tools such as gsecdump.[51] |
G0040 | Patchwork | Patchwork has obtained and used open-source tools such as QuasarRAT.[52] |
G0011 | PittyTiger | PittyTiger has obtained and used tools such as Mimikatz and gsecdump.[53] |
G0034 | Sandworm Team | Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.[54] |
G0091 | Silence | Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.[55][56] |
G0122 | Silent Librarian | Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.[57][58] |
G0088 | TEMP.Veles | TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.[59] |
G0027 | Threat Group-3390 | Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.[60][61] |
G0076 | Thrip | Thrip has obtained and used tools such as Mimikatz and PsExec.[62] |
G0010 | Turla | Turla has obtained and customized publicly-available tools like Mimikatz.[63] |
G0107 | Whitefly | |
G0090 | WIRTE | WIRTE has obtained and used Empire for post-exploitation activities.[65] |
G0102 | Wizard Spider | Wizard Spider has obtained and used publicly-available post-exploitation frameworks and tools like Metasploit, Empire, and Mimikatz.[66] |
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
ID | Data Source | Data Component |
---|---|---|
DS0004 | Malware Repository | Malware Metadata |
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.[67]
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.