From 16366f68938d96e690ad4516eb6dd56c5854b980 Mon Sep 17 00:00:00 2001
From: niclas
Date: Tue, 5 Mar 2024 16:24:29 +0100
Subject: [PATCH] Chg [tidal] add associated to name
---
 clusters/tidal-groups.json | 560 +++++++++---------
 clusters/tidal-software.json | 940 +++++++++++++++---------
 tools/tidal-api/models/cluster.py | 4 +-
 3 files changed, 752 insertions(+), 752 deletions(-)
diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json
index c07c474..346f911 100644
--- a/clusters/tidal-groups.json
+++ b/clusters/tidal-groups.json
@@ -44,7 +44,7 @@
 }
 ],
 "uuid": "9585b539-c040-40a6-a94c-fcf8afa786e2",
- "value": "Operation Woolen-Goldfish"
+ "value": "Operation Woolen-Goldfish - Associated Group"
 },
 {
 "description": "[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]",
@@ -58,7 +58,7 @@
 }
 ],
 "uuid": "81051e64-7fde-44c5-816e-a85b25a02e11",
- "value": "AjaxTM"
+ "value": "AjaxTM - Associated Group"
 },
 {
 "description": "[[CrowdStrike Flying Kitten ](https://app.tidalcyber.com/references/ab669ded-e659-4313-b5ab-8c5362562f39)]",
@@ -72,7 +72,7 @@
 }
 ],
 "uuid": "aea21266-a894-40a3-a8cd-2eb2136859d8",
- "value": "Flying Kitten"
+ "value": "Flying Kitten - Associated Group"
 },
 {
 "description": "[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]",
@@ -86,7 +86,7 @@
 }
 ],
 "uuid": "c7e17231-5a22-49f8-a174-b15d5143b169",
- "value": "Operation Saffron Rose"
+ "value": "Operation Saffron Rose - Associated Group"
 },
 {
 "description": "Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) and Rocket Kitten.[[Check Point Rocket Kitten](https://app.tidalcyber.com/references/71da7d4c-f1f8-4f5c-a609-78a414851baf)][[IranThreats Kittens Dec 2017](https://app.tidalcyber.com/references/8338ad75-89f2-47d8-b85b-7cbf331bd7cd)]",
@@ -100,7 +100,7 @@
 }
 ],
 "uuid": "ed2a8933-1662-460c-b400-db7a03921659",
- "value": "Rocket Kitten"
+ "value": "Rocket Kitten - Associated Group"
 },
 {
 "description": "[Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://app.tidalcyber.com/groups/e38bcb42-12c1-4202-a794-ec26cd830caa) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[[FireEye Operation Saffron Rose 2013](https://app.tidalcyber.com/references/2f4c0941-d14e-4eb8-828c-f1d9a1e14a95)]",
@@ -145,7 +145,7 @@
 }
 ],
 "uuid": "045b431e-ca2a-4b1b-a6fa-758127ce2b4e",
- "value": "Silent Chollima"
+ "value": "Silent Chollima - Associated Group"
 },
 {
 "description": "[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[[FSI Andariel Campaign Rifle July 2017](https://app.tidalcyber.com/references/bde61ee9-16f9-4bd9-a847-5cc9df21335c)][[IssueMakersLab Andariel GoldenAxe May 2017](https://app.tidalcyber.com/references/10a21964-d31f-40af-bf32-5ccd7d8c99a2)][[AhnLab Andariel Subgroup of Lazarus June 2018](https://app.tidalcyber.com/references/bbc66e9f-98f9-4e34-b568-2833ea536f2e)][[TrendMicro New Andariel Tactics July 2018](https://app.tidalcyber.com/references/b667eb44-8c2f-4319-bc93-f03610214b8b)][[CrowdStrike Silent Chollima Adversary September 2021](https://app.tidalcyber.com/references/835283b5-af3b-4baf-805e-da8ebbe8b5d2)]\n\n[Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46) is considered a sub-set of [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08), and has been attributed to North Korea's Reconnaissance General Bureau.[[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)]\n\nNorth Korean group definitions are known to have significant overlap, and some security 
researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", 
@@ -232,7 +232,7 @@
 }
 ],
 "uuid": "8a3ffc59-378f-447a-bd67-129659941a20",
- "value": "Storm-1359"
+ "value": "Storm-1359 - Associated Group"
 },
 {
 "description": "Anonymous Sudan is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) and website defacement attacks in support of its ideology, which appears to largely align with Russian state interests. The group regularly cross-promotes communications with Killnet, another hacktivist group that appears to share similar ideologies and methods of operation.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] Researchers assess that the group is affiliated with neither the Anonymous hacktivist group nor Sudan.[[CyberCX Anonymous Sudan June 19 2023](/references/68ded9b7-3042-44e0-8bf7-cdba2174a3d8)]\n\nSince emerging in January 2023, Anonymous Sudan has claimed and is believed to be responsible for a considerable number of DDoS attacks affecting victims in a wide range of geographic locations and sectors.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] It claimed responsibility for a series of early June 2023 DDoS attacks that caused temporary interruptions to Microsoft Azure, Outlook, and OneDrive services. Microsoft security researchers attributed those attacks to the Storm-1359 group.[[The Hacker News Microsoft DDoS June 19 2023](/references/2ee27b55-b7a7-40a8-8c0b-5e28943cd273)][[Microsoft DDoS Attacks Response June 2023](/references/d64e941e-785b-4b23-a7d0-04f12024b033)] Like Killnet, Anonymous Sudan claimed responsibility for disruptive attacks against computer networks in Israel following a series of air- and land-based attacks in the Gaza Strip in October 2023.[[FalconFeedsio Tweet October 9 2023](/references/e9810a28-f060-468b-b4ea-ffed9403ae8b)]",
@@ -297,7 +297,7 @@
 }
 ],
 "uuid": "b618f5c9-c399-4b6e-a614-12a383ba363c",
- "value": "Comment Group"
+ "value": "Comment Group - Associated Group"
 },
 {
 "description": "[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]",
@@ -311,7 +311,7 @@
 }
 ],
 "uuid": "22829c72-7358-468d-b661-da019a020d6e",
- "value": "Comment Panda"
+ "value": "Comment Panda - Associated Group"
 },
 {
 "description": "[[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]",
@@ -325,7 +325,7 @@
 }
 ],
 "uuid": "88a50fe2-ab89-4dc3-8c47-0b0661f5c8e2",
- "value": "Comment Crew"
+ "value": "Comment Crew - Associated Group"
 },
 {
 "description": "[APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]",
@@ -405,7 +405,7 @@
 }
 ],
 "uuid": "583a2f5d-33db-48b0-9809-5183f4d4dbec",
- "value": "DynCalc"
+ "value": "DynCalc - Associated Group"
 },
 {
 "description": "[[Meyers Numbered Panda](https://app.tidalcyber.com/references/988dfcfc-0c16-4129-9523-a77539291951)] [[Moran 2014](https://app.tidalcyber.com/references/15ef155b-7628-4b18-bc53-1d30be4eac5d)]",
@@ -419,7 +419,7 @@
 }
 ],
 "uuid": "3a506347-4e45-4afe-a15a-3c5697ecf07b",
- "value": "IXESHE"
+ "value": "IXESHE - Associated Group"
 },
 {
 "description": "[[Meyers Numbered Panda](https://app.tidalcyber.com/references/988dfcfc-0c16-4129-9523-a77539291951)]",
@@ -433,7 +433,7 @@
 }
 ],
 "uuid": "5142b9b1-ad6a-4d7b-b982-9b200169dfe5",
- "value": "Numbered Panda"
+ "value": "Numbered Panda - Associated Group"
 },
 {
 "description": "[[Moran 2014](https://app.tidalcyber.com/references/15ef155b-7628-4b18-bc53-1d30be4eac5d)]",
@@ -447,7 +447,7 @@
 }
 ],
 "uuid": "1f696314-a0e0-4bc2-8b82-26d7f98bb308",
- "value": "DNSCALC"
+ "value": "DNSCALC - Associated Group"
 },
 {
 "description": "[APT12](https://app.tidalcyber.com/groups/225314a7-8f40-48d4-9cff-3ec39b177762) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.[[Meyers Numbered Panda](https://app.tidalcyber.com/references/988dfcfc-0c16-4129-9523-a77539291951)]",
@@ -525,7 +525,7 @@
 }
 ],
 "uuid": "3df7e342-600a-4312-8e16-5496890302d5",
- "value": "Deputy Dog"
+ "value": "Deputy Dog - Associated Group"
 },
 {
 "description": "[APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [[FireEye APT17](https://app.tidalcyber.com/references/a303f97a-72dd-4833-bac7-a421addc3242)]",
@@ -580,7 +580,7 @@
 }
 ],
 "uuid": "5fdf8c44-69f3-4d9b-9258-0bb7758be2e9",
- "value": "TG-0416"
+ "value": "TG-0416 - Associated Group"
 },
 {
 "description": "[[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)][[Anomali Evasive Maneuvers July 2015](https://app.tidalcyber.com/references/471ae30c-2753-468e-8e4d-6e7a3be599c9)]",
@@ -594,7 +594,7 @@
 }
 ],
 "uuid": "637ac710-fc16-472c-a832-4cac678250f8",
- "value": "Dynamite Panda"
+ "value": "Dynamite Panda - Associated Group"
 },
 {
 "description": "[[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)]",
@@ -608,7 +608,7 @@
 }
 ],
 "uuid": "3a92b51b-3fb6-4792-99f3-dfd2e16f9d8b",
- "value": "Threat Group-0416"
+ "value": "Threat Group-0416 - Associated Group"
 },
 {
 "description": "[APT18](https://app.tidalcyber.com/groups/a0c31021-b281-4c41-9855-436768299fe7) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [[Dell Lateral Movement](https://app.tidalcyber.com/references/fcc9b52a-751f-4985-8c32-7aaf411706ad)]",
@@ -657,7 +657,7 @@
 }
 ],
 "uuid": "6d83a49f-9211-4cba-ac43-e00ac72377db",
- "value": "Codoso"
+ "value": "Codoso - Associated Group"
 },
 {
 "description": "[[Unit 42 C0d0so0 Jan 2016](https://app.tidalcyber.com/references/c740fc1c-093e-4389-890e-1fd88a824df4)]",
@@ -671,7 +671,7 @@
 }
 ],
 "uuid": "89f839e7-602e-4862-9f93-1092acec19e7",
- "value": "C0d0so0"
+ "value": "C0d0so0 - Associated Group"
 },
 {
 "description": "[[FireEye APT Groups](https://app.tidalcyber.com/references/5b6b909d-870a-4d14-85ec-6aa14e598740)]",
@@ -685,7 +685,7 @@
 }
 ],
 "uuid": "e5363e5c-073d-4bb4-9c68-9944251ff7a8",
- "value": "Codoso Team"
+ "value": "Codoso Team - Associated Group"
 },
 {
 "description": "[[Dark Reading Codoso Feb 2015](https://app.tidalcyber.com/references/c24035b1-2021-44ae-b01e-651e44526737)]",
@@ -699,7 +699,7 @@
 }
 ],
 "uuid": "1447143d-e8bf-448d-92df-67f19ac2e850",
- "value": "Sunshop Group"
+ "value": "Sunshop Group - Associated Group"
 },
 {
 "description": "[APT19](https://app.tidalcyber.com/groups/713e2963-fbf4-406f-a8cf-6a4489d90439) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [[FireEye APT19](https://app.tidalcyber.com/references/d75508b1-8b85-47c9-a087-bc64e8e4cb33)] Some analysts track [APT19](https://app.tidalcyber.com/groups/713e2963-fbf4-406f-a8cf-6a4489d90439) and [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) as the same group, but it is unclear from open source information if the groups are the same. [[ICIT China's Espionage Jul 2016](https://app.tidalcyber.com/references/1a824860-6978-454d-963a-a56414a4312b)] [[FireEye APT Groups](https://app.tidalcyber.com/references/5b6b909d-870a-4d14-85ec-6aa14e598740)] [[Unit 42 C0d0so0 Jan 2016](https://app.tidalcyber.com/references/c740fc1c-093e-4389-890e-1fd88a824df4)]",
@@ -762,7 +762,7 @@
 }
 ],
 "uuid": "9d19037b-5996-473a-9c75-1896ba436adc",
- "value": "VIOLIN PANDA"
+ "value": "VIOLIN PANDA - Associated Group"
 },
 {
 "description": "",
@@ -778,7 +778,7 @@
 }
 ],
 "uuid": "f233d85e-9274-4e5d-9eb8-57fa3dc6bebf",
- "value": "TH3Bug"
+ "value": "TH3Bug - Associated Group"
 },
 {
 "description": "[[Unit 42 ATOM Crawling Taurus](/references/75098b2c-4928-4e3f-9bcc-b4f6b8de96f8)]",
@@ -794,7 +794,7 @@
 }
 ],
 "uuid": "c8c1b25e-4066-44c1-bb17-f561c86d8202",
- "value": "Crawling Taurus"
+ "value": "Crawling Taurus - Associated Group"
 },
 {
 "description": "[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)]",
@@ -810,7 +810,7 @@
 }
 ],
 "uuid": "276fd84a-14fa-4040-9a98-f5eb09a24f3f",
- "value": "Twivy"
+ "value": "Twivy - Associated Group"
 },
 {
 "description": "APT20 is a suspected China-attributed espionage actor. It has attacked organizations in a wide range of verticals for data theft. These operations appear to be motivated by the acquisition of intellectual property but also collection of information around individuals with particular political interests.[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)] Researchers attributed, with medium confidence, the years-long Operation Wocao espionage campaign to APT20.[[FoxIT Wocao December 2019](/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]",
@@ -886,7 +886,7 @@
 }
 ],
 "uuid": "fc8d868d-e3df-486d-8efb-eed4d3554abe",
- "value": "IRON TWILIGHT"
+ "value": "IRON TWILIGHT - Associated Group"
 },
 {
 "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://app.tidalcyber.com/software/d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae).[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)][[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)][[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)][[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)]",
@@ -900,7 +900,7 @@
 }
 ],
 "uuid": "78e2b73c-4042-4c78-af27-c289450e9db1",
- "value": "Sednit"
+ "value": "Sednit - Associated Group"
 },
 {
 "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)][[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)][[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)][[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)][[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)]",
@@ -914,7 +914,7 @@
 }
 ],
 "uuid": "8983bc4c-26f9-4d1b-a32d-5b198f90cc24",
- "value": "Sofacy"
+ "value": "Sofacy - Associated Group"
 },
 {
 "description": "[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)][[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)][[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)][[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)][[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)][[Securelist Sofacy Feb 2018](https://app.tidalcyber.com/references/3a043bba-2451-4765-946b-c1f3bf4aea36)][[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)]",
@@ -928,7 +928,7 @@
 }
 ],
 "uuid": "78894876-29d5-4feb-9afa-d7ab2955b81b",
- "value": "Fancy Bear"
+ "value": "Fancy Bear - Associated Group"
 },
 {
 "description": "[[Accenture SNAKEMACKEREL Nov 2018](https://app.tidalcyber.com/references/c38d021c-d84c-4aa7-b7a5-be47e18df1d8)]",
@@ -942,7 +942,7 @@
 }
 ],
 "uuid": "7f58eb05-a22c-4df9-a8ad-6e3dfa97e511",
- "value": "SNAKEMACKEREL"
+ "value": "SNAKEMACKEREL - Associated Group"
 },
 {
 "description": "[[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)]",
@@ -956,7 +956,7 @@
 }
 ],
 "uuid": "7f1b55a8-6645-4262-ba7f-8f3e9d372f10",
- "value": "Swallowtail"
+ "value": "Swallowtail - Associated Group"
 },
 {
 "description": "[[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)]",
@@ -970,7 +970,7 @@
 }
 ],
 "uuid": "cf66714e-7dc7-44dc-b594-c7ee99610bc2",
- "value": "Group 74"
+ "value": "Group 74 - Associated Group"
 },
 {
 "description": "[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)][[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)][[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)] ",
@@ -984,7 +984,7 @@
 }
 ],
 "uuid": "c9b8f211-b713-4e51-8442-e494c4c56e8b",
- "value": "Pawn Storm"
+ "value": "Pawn Storm - Associated Group"
 },
 {
 "description": "[[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)][[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)][[Microsoft STRONTIUM Aug 2019](https://app.tidalcyber.com/references/7efd3c8d-5e69-4b6f-8edb-9186abdf0e1a)][[Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020](https://app.tidalcyber.com/references/0a65008c-acdd-40fa-af1a-3d9941af8eac)][[TrendMicro Pawn Storm Dec 2020](https://app.tidalcyber.com/references/3bc249cd-f29a-4a74-a179-a6860e43683f)][[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)]",
@@ -998,7 +998,7 @@
 }
 ],
 "uuid": "f7c8de7a-3322-48b4-917c-e2ffd433890b",
- "value": "STRONTIUM"
+ "value": "STRONTIUM - Associated Group"
 },
 {
 "description": "[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)]",
@@ -1014,7 +1014,7 @@
 }
 ],
 "uuid": "5ef741d0-4089-4ca7-aed9-da91b36b75c9",
- "value": "Forest Blizzard"
+ "value": "Forest Blizzard - Associated Group"
 },
 {
 "description": "[[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)][[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)][[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)]",
@@ -1028,7 +1028,7 @@
 }
 ],
 "uuid": "afa355ce-eb36-498d-b9e4-e0d6bce1573f",
- "value": "Tsar Team"
+ "value": "Tsar Team - Associated Group"
 },
 {
 "description": "[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]",
@@ -1042,7 +1042,7 @@
 }
 ],
 "uuid": "f31dcaf0-e808-4073-9b57-88030e5842bb",
- "value": "Threat Group-4127"
+ "value": "Threat Group-4127 - Associated Group"
 },
 {
 "description": "[[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)]",
@@ -1056,7 +1056,7 @@
 }
 ],
 "uuid": "8d33359e-a3fc-4423-a84a-82081e99fb82",
- "value": "TG-4127"
+ "value": "TG-4127 - Associated Group"
 },
 {
 "description": "[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[[NSA/FBI Drovorub August 2020](https://app.tidalcyber.com/references/d697a342-4100-4e6b-95b9-4ae3ba80924b)][[Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://app.tidalcyber.com/references/e70f0742-5f3e-4701-a46b-4a58c0281537)] This group has been active since at least 2004.[[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)][[Ars Technica GRU indictment Jul 2018](https://app.tidalcyber.com/references/a1192cb3-4536-4900-93c7-a127ca06c690)][[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)][[SecureWorks TG-4127](https://app.tidalcyber.com/references/5f401c82-4e16-43a1-b234-48918fe7df9f)][[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)][[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)][[Sofacy DealersChoice](https://app.tidalcyber.com/references/ec157d0c-4091-43f5-85f1-a271c4aac1fc)][[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)][[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)][[ESET Zebrocy May 2019](https://app.tidalcyber.com/references/f8b837fb-e46c-4153-8e86-dc4b909b393a)]\n\n[APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, 
and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)] In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666). ",
@@ -1224,7 +1224,7 @@
 }
 ],
 "uuid": "573520e2-7034-4610-b254-f58fd4330e9c",
- "value": "StellarParticle"
+ "value": "StellarParticle - Associated Group"
 },
 {
 "description": "[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)][[MSTIC NOBELIUM May 2021](https://app.tidalcyber.com/references/047ec63f-1f4b-4b57-9ab5-8a5cfcc11f4d)][[MSTIC Nobelium Toolset May 2021](https://app.tidalcyber.com/references/52464e69-ff9e-4101-9596-dd0c6404bf76)][[MSRC Nobelium June 2021](https://app.tidalcyber.com/references/1588799f-a5d2-46bc-978d-f10ed7ceb15c)]",
@@ -1238,7 +1238,7 @@
 }
 ],
 "uuid": "a51f4654-cba5-4052-8d79-a8671339eb9e",
- "value": "NOBELIUM"
+ "value": "NOBELIUM - Associated Group"
 },
 {
 "description": "[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)][[NCSC APT29 July 2020](https://app.tidalcyber.com/references/28da86a6-4ca1-4bb4-a401-d4aa469c0034)][[Cybersecurity Advisory SVR TTP May 2021](https://app.tidalcyber.com/references/e18c1b56-f29d-4ea9-a425-a6af8ac6a347)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]",
@@ -1252,7 +1252,7 @@
 }
 ],
 "uuid": "0742ac72-9dc7-40ba-b568-1185187d93a8",
- "value": "Cozy Bear"
+ "value": "Cozy Bear - Associated Group"
 },
 {
 "description": "[[Secureworks IRON HEMLOCK Profile](https://app.tidalcyber.com/references/36191a48-4661-42ea-b194-2915c9b184f3)]",
@@ -1266,7 +1266,7 @@
 }
 ],
 "uuid": "1e5b89db-5d7c-40f0-86a2-ab7affabd6c3",
- "value": "IRON HEMLOCK"
+ "value": "IRON HEMLOCK - Associated Group"
 },
 {
 "description": "[[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)]",
@@ -1280,7 +1280,7 @@
 }
 ],
 "uuid": "c0b8d1d5-4412-44b7-ba21-d2f0c96be941",
- "value": "Dark Halo"
+ "value": "Dark Halo - Associated Group"
 },
 {
 "description": "[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)][[ESET Dukes October 2019](https://app.tidalcyber.com/references/fbc77b85-cc5a-4c65-956d-b8556974b4ef)][[NCSC APT29 July 2020](https://app.tidalcyber.com/references/28da86a6-4ca1-4bb4-a401-d4aa469c0034)][[Cybersecurity Advisory SVR TTP May 2021](https://app.tidalcyber.com/references/e18c1b56-f29d-4ea9-a425-a6af8ac6a347)]",
@@ -1294,7 +1294,7 @@
 }
 ],
 "uuid": "b9af22de-f6b0-4b07-9182-1d43179e1d31",
- "value": "The Dukes"
+ "value": "The Dukes - Associated Group"
 },
 {
 "description": "[[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]",
@@ -1308,7 +1308,7 @@
 }
 ],
 "uuid": "7a10ed9e-6744-5657-bc4f-dfea05a89105",
- "value": "SolarStorm"
+ "value": "SolarStorm - Associated Group"
 },
 {
 "description": "[[PWC WellMess July 2020](https://app.tidalcyber.com/references/22794e37-3c55-444a-b659-e5a1a6bc2da0)][[PWC WellMess C2 August 2020](https://app.tidalcyber.com/references/3afca6f1-680a-46ae-8cea-10b6b870d5e7)]",
@@ -1322,7 +1322,7 @@
 }
 ],
 "uuid": "e6294fb3-cd59-57de-a0a6-d19f4d2a1560",
- "value": "Blue Kitsune"
+ "value": "Blue Kitsune - Associated Group"
 },
 {
 "description": "[[Mandiant APT29 Eye Spy Email Nov 22](https://app.tidalcyber.com/references/452ca091-42b1-5bef-8a01-921c1f46bbee)]",
@@ -1336,7 +1336,7 @@
 }
 ],
 "uuid": "d381c0b3-36d6-5619-9111-e392345eb22d",
- "value": "UNC3524"
+ "value": "UNC3524 - Associated Group"
 },
 {
 "description": "[[Microsoft Midnight Blizzard January 19 2024](/references/91b48ddd-9e3f-4d36-a262-3b52145b3db2)]",
@@ -1352,7 +1352,7 @@
 }
 ],
 "uuid": "4f1c2576-e3bb-4cd0-8d9f-df4cde4db79d",
- "value": "Midnight Blizzard"
+ "value": "Midnight Blizzard - Associated Group"
 },
 {
 "description": "[[Secureworks IRON RITUAL Profile](https://app.tidalcyber.com/references/c1ff66d6-3ea3-4347-8a8b-447cd8b48dab)]",
@@ -1366,7 +1366,7 @@
 }
 ],
 "uuid": "f26c70ba-7879-4083-bfd0-ec34bdb80416",
- "value": "IRON RITUAL"
+ "value": "IRON RITUAL - Associated Group"
 },
 {
 "description": "[[SentinelOne NobleBaron June 2021](https://app.tidalcyber.com/references/98cf2bb0-f36c-45af-8d47-bf26aca3bb09)]",
@@ -1380,7 +1380,7 @@
 }
 ],
 "uuid": "7a8aa751-21a3-4fdc-b19b-2810ffb4f44f",
- "value": "NobleBaron"
+ "value": "NobleBaron - Associated Group"
 },
 {
 "description": "[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)]",
@@ -1394,7 +1394,7 @@
 }
 ],
 "uuid": "b9ef525d-16a2-4896-8205-6da397b37245",
- "value": "UNC2452"
+ "value": "UNC2452 - Associated Group"
 },
 {
 "description": "[[Microsoft Unidentified Dec 2018](https://app.tidalcyber.com/references/896c88f9-8765-4b60-b679-667b338757e3)]",
@@ -1408,7 +1408,7 @@
 }
 ],
 "uuid": "f60a21a2-2a87-4e54-99df-f78ab1a7fd26",
- "value": "YTTRIUM"
+ "value": "YTTRIUM - Associated Group"
 },
 {
 "description": "[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)]",
@@ -1422,7 +1422,7 @@
 }
 ],
 "uuid": "c71bf5f1-a297-4b10-8d66-3f61bd0b2a25",
- "value": "CozyDuke"
+ "value": "CozyDuke - Associated Group"
 },
 {
 "description": "[APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[[White House Imposing Costs RU Gov April 2021](https://app.tidalcyber.com/references/c2bf9e2f-cd0a-411d-84bc-61454a369c6b)][[UK Gov Malign RIS Activity April 2021](https://app.tidalcyber.com/references/7fe5a605-c33e-4d3d-b787-2d1f649bee53)] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) reportedly compromised the Democratic National Committee starting in the summer of 2015.[[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)][[GRIZZLY STEPPE JAR](https://app.tidalcyber.com/references/4b26d274-497f-49bc-a2a5-b93856a49893)][[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[UK Gov UK Exposes Russia SolarWinds April 2021](https://app.tidalcyber.com/references/ffbd83d7-9d4f-42b9-adc0-eb144045aef2)]\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a) to the SVR; public statements included citations to [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447), Cozy Bear, and The Dukes.[[NSA Joint Advisory SVR SolarWinds April 2021](https://app.tidalcyber.com/references/43d9c469-1d54-454b-ba67-74e7f1de9c10)][[UK NSCS Russia SolarWinds April 2021](https://app.tidalcyber.com/references/f49e6780-8caa-4c3c-8d68-47a2cc4319a1)] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and 
SolarStorm.[[FireEye SUNBURST Backdoor December 2020](https://app.tidalcyber.com/references/d006ed03-a8af-4887-9356-3481d81d43e4)][[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)][[CrowdStrike SUNSPOT Implant January 2021](https://app.tidalcyber.com/references/3a7b71cf-961a-4f63-84a8-31b43b18fb95)][[Volexity SolarWinds](https://app.tidalcyber.com/references/355cecf8-ef3e-4a6e-a652-3bf26fe46d88)][[Cybersecurity Advisory SVR TTP May 2021](https://app.tidalcyber.com/references/e18c1b56-f29d-4ea9-a425-a6af8ac6a347)][[Unit 42 SolarStorm December 2020](https://app.tidalcyber.com/references/ecbb602a-2427-5eba-8c2b-25d90c95f166)]",
@@ -1591,7 +1591,7 @@
 }
 ],
 "uuid": "d447bfdc-0a5c-4651-9070-2b3b87ac2128",
- "value": "Gothic Panda"
+ "value": "Gothic Panda - Associated Group"
 },
 {
 "description": "[[PWC Pirpi Scanbox](https://app.tidalcyber.com/references/4904261a-a3a9-4c3e-b6a7-079890026ee2)]",
@@ -1605,7 +1605,7 @@
 }
 ],
 "uuid": "feff078c-cd96-4e56-90a7-4310ae8e48cb",
- "value": "Pirpi"
+ "value": "Pirpi - Associated Group"
 },
 {
 "description": "[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)] [[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)] [[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]",
@@ -1619,7 +1619,7 @@
 }
 ],
 "uuid": "bceffa47-b63a-4ebf-bded-33cb633c5ea7",
- "value": "UPS Team"
+ "value": "UPS Team - Associated Group"
 },
 {
 "description": "[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]",
@@ -1633,7 +1633,7 @@
 }
 ],
 "uuid": "4149bb91-e34b-4d22-80f1-e8adfab0d17f",
- "value": "Buckeye"
+ "value": "Buckeye - Associated Group"
 },
 {
 "description": "[[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)] [[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]",
@@ -1647,7 +1647,7 @@
 }
 ],
 "uuid": "9eac64b2-f6ac-4a34-98c9-b159337fbea8",
- "value": "Threat Group-0110"
+ "value": "Threat Group-0110 - Associated Group"
 },
 {
 "description": "[[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)] [[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]", 
@@ -1661,7 +1661,7 @@
 }
 ],
 "uuid": "a62a6f94-d301-4cf8-b67e-662fd7f91d73",
- "value": "TG-0110"
+ "value": "TG-0110 - Associated Group"
 },
 {
 "description": "[APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9) is a China-based threat group that researchers have attributed to China's Ministry of State Security.[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)][[Recorded Future APT3 May 2017](https://app.tidalcyber.com/references/a894d79f-5977-4ef9-9aa5-7bfec795ceb2)] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)][[FireEye Operation Double Tap](https://app.tidalcyber.com/references/4b9af128-98da-48b6-95c7-8d27979c2ab1)] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Symantec Buckeye](https://app.tidalcyber.com/references/dbf3ce3e-bcf2-4e47-ad42-839e51967395)]\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.[[APT3 Adversary Emulation Plan](https://app.tidalcyber.com/references/64c01921-c33f-402e-b30d-a2ba26583a24)]",
@@ -1764,7 +1764,7 @@
 }
 ],
 "uuid": "60ed0464-1075-4f6d-b72d-4aaa2892d2c9",
- "value": "OceanLotus"
+ "value": "OceanLotus - Associated Group"
 },
 {
 "description": "[[ESET OceanLotus](https://app.tidalcyber.com/references/a7bcbaca-10c1-403a-9eb5-f111af1cbf6a)][[Cybereason Oceanlotus May 2017](https://app.tidalcyber.com/references/1ef3025b-d4a9-49aa-b744-2dbea10a0abf)][[ESET OceanLotus Mar 2019](https://app.tidalcyber.com/references/b2745f5c-a181-48e1-b1cf-37a1ffe1fdf0)][[Amnesty Intl. Ocean Lotus February 2021](https://app.tidalcyber.com/references/a54a2f68-8406-43ab-8758-07edd49dfb83)]", 
@@ -1778,7 +1778,7 @@
 }
 ],
 "uuid": "6be3ad40-e776-4127-81d2-c24a7e2b6778",
- "value": "APT-C-00"
+ "value": "APT-C-00 - Associated Group"
 },
 {
 "description": "[[Cybereason Oceanlotus May 2017](https://app.tidalcyber.com/references/1ef3025b-d4a9-49aa-b744-2dbea10a0abf)]",
@@ -1792,7 +1792,7 @@
 }
 ],
 "uuid": "510b8ec4-efad-41e0-8f0b-68c70a3d92e0",
- "value": "SeaLotus"
+ "value": "SeaLotus - Associated Group"
 },
 {
 "description": "[APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[[FireEye APT32 May 2017](https://app.tidalcyber.com/references/b72d017b-a70f-4003-b3d9-90d79aca812d)][[Volexity OceanLotus Nov 2017](https://app.tidalcyber.com/references/ed9f5545-377f-4a12-92e4-c0439cc5b037)][[ESET OceanLotus](https://app.tidalcyber.com/references/a7bcbaca-10c1-403a-9eb5-f111af1cbf6a)]",
@@ -1861,7 +1861,7 @@
 }
 ],
 "uuid": "51ec6111-08b2-4294-a3a6-6d3f04161b62",
- "value": "HOLMIUM"
+ "value": "HOLMIUM - Associated Group"
 },
 {
 "description": "[[Symantec Elfin Mar 2019](https://app.tidalcyber.com/references/55671ede-f309-4924-a1b4-3d597517b27e)]",
@@ -1875,7 +1875,7 @@
 }
 ],
 "uuid": "b757d8cd-0b22-4604-81a6-1cd3dd53084c",
- "value": "Elfin"
+ "value": "Elfin - Associated Group"
 },
 {
 "description": "[[Microsoft Peach Sandstorm September 14 2023](/references/98a631f4-4b95-4159-b311-dee1216ec208)]", 
@@ -1891,7 +1891,7 @@
 }
 ],
 "uuid": "5d178cb0-a072-4b2f-9c28-13642fb30c03",
- "value": "Peach Sandstorm"
+ "value": "Peach Sandstorm - Associated Group"
 },
 {
 "description": "[APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)] [[FireEye APT33 Webinar Sept 2017](https://app.tidalcyber.com/references/9b378592-5737-403d-8a07-27077f5b2d61)]",
@@ -1949,7 +1949,7 @@
 }
 ],
 "uuid": "81c1b801-4fc4-4602-89c0-91f59afd3f67",
- "value": "InkySquid"
+ "value": "InkySquid - Associated Group"
 },
 {
 "description": "[[Securelist ScarCruft Jun 2016](https://app.tidalcyber.com/references/04961952-9bac-48f3-adc7-40a3a2bcee84)][[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)][[Securelist ScarCruft May 2019](https://app.tidalcyber.com/references/2dd5b872-a4ab-4b77-8457-a3d947298fc0)]",
@@ -1963,7 +1963,7 @@
 }
 ],
 "uuid": "83962063-25d5-498b-8d40-168df6e8e85a",
- "value": "ScarCruft"
+ "value": "ScarCruft - Associated Group"
 },
 {
 "description": "[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]",
@@ -1977,7 +1977,7 @@
 }
 ],
 "uuid": "0e5a5a21-ca65-4b92-91d8-c6ffe8d39dd8",
- "value": "Reaper"
+ "value": "Reaper - Associated Group"
 },
 {
 "description": "[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]", 
@@ -1991,7 +1991,7 @@
 }
 ],
 "uuid": "1cbfa64f-c394-402f-9c1f-d66e33b2b2f7",
- "value": "Group123"
+ "value": "Group123 - Associated Group"
 },
 {
 "description": "[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)]",
@@ -2005,7 +2005,7 @@
 }
 ],
 "uuid": "66d651c2-e379-45a4-a7eb-4e838f8b2819",
- "value": "TEMP.Reaper"
+ "value": "TEMP.Reaper - Associated Group"
 },
 {
 "description": "[[CrowdStrike Richochet Chollima September 2021](https://app.tidalcyber.com/references/69a23467-c55c-43a3-951d-c208e6ead6f7)]",
@@ -2019,7 +2019,7 @@
 }
 ],
 "uuid": "62533eef-3762-5920-b3da-392fcd2d4d02",
- "value": "Ricochet Chollima"
+ "value": "Ricochet Chollima - Associated Group"
 },
 {
 "description": "[APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[[FireEye APT37 Feb 2018](https://app.tidalcyber.com/references/4d575c1a-4ff9-49ce-97cd-f9d0637c2271)][[Securelist ScarCruft Jun 2016](https://app.tidalcyber.com/references/04961952-9bac-48f3-adc7-40a3a2bcee84)][[Talos Group123](https://app.tidalcyber.com/references/bf8b2bf0-cca3-437b-a640-715f9cc945f7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", 
@@ -2097,7 +2097,7 @@
 }
 ],
 "uuid": "dd64bbe7-4d35-4622-a92f-23255765c525",
- "value": "Stardust Chollima"
+ "value": "Stardust Chollima - Associated Group"
 },
 {
 "description": "[[SecureWorks NICKEL GLADSTONE profile Sept 2021](https://app.tidalcyber.com/references/c78a8379-04a4-4558-820d-831ad4f267fd)]",
@@ -2111,7 +2111,7 @@
 }
 ],
 "uuid": "25b6512f-c60e-480f-81a0-c2ec4ba31ac8",
- "value": "NICKEL GLADSTONE"
+ "value": "NICKEL GLADSTONE - Associated Group"
 },
 {
 "description": "[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)]",
@@ -2125,7 +2125,7 @@
 }
 ],
 "uuid": "b8b8afb0-04b2-41b3-b756-d652b65c530d",
- "value": "BeagleBoyz"
+ "value": "BeagleBoyz - Associated Group"
 },
 {
 "description": "[[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]", 
@@ -2139,7 +2139,7 @@
 }
 ],
 "uuid": "cf196249-7d25-4d5a-b2c9-2b34f045feba",
- "value": "Bluenoroff"
+ "value": "Bluenoroff - Associated Group"
 },
 {
 "description": "[APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)] Active since at least 2014, [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.[[CISA AA20-239A BeagleBoyz August 2020](https://app.tidalcyber.com/references/a8a2e3f2-3967-4e82-a36a-2436c654fb3f)][[FireEye APT38 Oct 2018](https://app.tidalcyber.com/references/7c916329-af56-4723-820c-ef932a6e3409)][[DOJ North Korea Indictment Feb 2021](https://app.tidalcyber.com/references/d702653f-a9da-4a36-8f84-97caeb445266)][[Kaspersky Lazarus Under The Hood Blog 2017](https://app.tidalcyber.com/references/a1e1ab6a-8db0-4593-95ec-78784607dfa0)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.", 
@@ -2240,7 +2240,7 @@
 }
 ],
 "uuid": "6ca4e51d-aa35-4a77-b3ba-7eb8634808f7",
- "value": "ITG07"
+ "value": "ITG07 - Associated Group"
 },
 {
 "description": "Activities associated with APT39 largely align with a group publicly referred to as Chafer.[[FireEye APT39 Jan 2019](https://app.tidalcyber.com/references/ba366cfc-cc04-41a5-903b-a7bb73136bc3)][[Symantec Chafer Dec 2015](https://app.tidalcyber.com/references/0a6166a3-5649-4117-97f4-7b8b5b559929)][[Dark Reading APT39 JAN 2019](https://app.tidalcyber.com/references/b310dfa4-f4ee-4a0c-82af-b0fdef1a1f58)][[FBI FLASH APT39 September 2020](https://app.tidalcyber.com/references/76869199-e9fa-41b4-b045-41015e6daaec)][[Dept. of Treasury Iran Sanctions September 2020](https://app.tidalcyber.com/references/0c8ff80a-6b1d-4212-aa40-99aeef04ce05)][[DOJ Iran Indictments September 2020](https://app.tidalcyber.com/references/f30a77dd-d1d0-41b8-b82a-461dd6cd126f)]",
@@ -2254,7 +2254,7 @@
 }
 ],
 "uuid": "d9944d22-b092-4f28-a27d-328d77ad7790",
- "value": "Chafer"
+ "value": "Chafer - Associated Group"
 },
 {
 "description": "[[Crowdstrike GTR2020 Mar 2020](https://app.tidalcyber.com/references/a2325ace-e5a1-458d-80c1-5037bd7fa727)]", 
@@ -2268,7 +2268,7 @@
 }
 ],
 "uuid": "94ad9c24-d673-4f4c-8d3d-eb57a3d6aa6a",
- "value": "Remix Kitten"
+ "value": "Remix Kitten - Associated Group"
 },
 {
 "description": "[APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://app.tidalcyber.com/groups/a57b52c7-9f64-4ffe-a7c3-0de738fb2af1) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[[FireEye APT39 Jan 2019](https://app.tidalcyber.com/references/ba366cfc-cc04-41a5-903b-a7bb73136bc3)][[Symantec Chafer Dec 2015](https://app.tidalcyber.com/references/0a6166a3-5649-4117-97f4-7b8b5b559929)][[FBI FLASH APT39 September 2020](https://app.tidalcyber.com/references/76869199-e9fa-41b4-b045-41015e6daaec)][[Dept. of Treasury Iran Sanctions September 2020](https://app.tidalcyber.com/references/0c8ff80a-6b1d-4212-aa40-99aeef04ce05)][[DOJ Iran Indictments September 2020](https://app.tidalcyber.com/references/f30a77dd-d1d0-41b8-b82a-461dd6cd126f)]", 
@@ -2326,7 +2326,7 @@
 }
 ],
 "uuid": "160cc195-b382-4bb1-807c-2e1592fbe105",
- "value": "Wicked Panda"
+ "value": "Wicked Panda - Associated Group"
 },
 {
 "description": "[APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)][[Group IB APT 41 June 2021](https://app.tidalcyber.com/references/a2bf43a0-c7da-4cb9-8f9a-b34fac92b625)]\n",
@@ -2420,7 +2420,7 @@
 }
 ],
 "uuid": "3a48eb6e-2b44-4004-af10-459f5ee4352a",
- "value": "Blind Eagle"
+ "value": "Blind Eagle - Associated Group"
 },
 {
 "description": "[APT-C-36](https://app.tidalcyber.com/groups/153c14a6-31b7-44f2-892e-6d9fdc152267) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.[[QiAnXin APT-C-36 Feb2019](https://app.tidalcyber.com/references/cae075ea-42cb-4695-ac66-9187241393d1)]", 
@@ -2478,7 +2478,7 @@
 }
 ],
 "uuid": "a975effb-1b65-4dd5-85ba-b0d12d94b7a8",
- "value": "Group 72"
+ "value": "Group 72 - Associated Group"
 },
 {
 "description": "[Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) and [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[[Kaspersky Winnti April 2013](https://app.tidalcyber.com/references/2d4834b9-61c4-478e-919a-317d97cd2c36)][[Kaspersky Winnti June 2015](https://app.tidalcyber.com/references/86504950-0f4f-42bc-b003-24f60ae97c99)][[Novetta Winnti April 2015](https://app.tidalcyber.com/references/cbe8373b-f14b-4890-99fd-35ffd7090dea)]",
@@ -2615,7 +2615,7 @@
 }
 ],
 "uuid": "fd4b4e28-6f0c-43a5-b42d-6d2488d1ff93",
- "value": "T-APT-17"
+ "value": "T-APT-17 - Associated Group"
 },
 {
 "description": "[BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://app.tidalcyber.com/groups/3a02aa1b-851a-43e1-b83b-58037f3c7025) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[[Cisco Talos Bitter Bangladesh May 2022](https://app.tidalcyber.com/references/097583ed-03b0-41cd-bf85-66d473f46439)][[Forcepoint BITTER Pakistan Oct 2016](https://app.tidalcyber.com/references/9fc54fb0-b7d9-49dc-b6dd-ab4cb2cd34fa)]", 
@@ -2801,7 +2801,7 @@
 }
 ],
 "uuid": "25cec21f-c276-4d0c-adef-6313bd752e07",
- "value": "Palmerworm"
+ "value": "Palmerworm - Associated Group"
 },
 {
 "description": "[[U.S. CISA BlackTech September 27 2023](/references/309bfb48-76d1-4ae9-9c6a-30b54658133c)]",
@@ -2817,7 +2817,7 @@
 }
 ],
 "uuid": "e3baf8a3-d4bb-4ef0-add7-39bc238b0c12",
- "value": "Temp.Overboard"
+ "value": "Temp.Overboard - Associated Group"
 },
 {
 "description": "[[U.S. CISA BlackTech September 27 2023](/references/309bfb48-76d1-4ae9-9c6a-30b54658133c)]",
@@ -2833,7 +2833,7 @@
 }
 ],
 "uuid": "c1769626-608d-42b4-b0dc-67520181e8a6",
- "value": "Circuit Panda"
+ "value": "Circuit Panda - Associated Group"
 },
 {
 "description": "[[U.S. CISA BlackTech September 27 2023](/references/309bfb48-76d1-4ae9-9c6a-30b54658133c)]",
@@ -2849,7 +2849,7 @@
 }
 ],
 "uuid": "4e472ebd-7685-409e-a41d-b9034d04583f",
- "value": "Radio Panda"
+ "value": "Radio Panda - Associated Group"
 },
 {
 "description": "[BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://app.tidalcyber.com/groups/528ab2ea-b8f1-44d8-8831-2a89fefd97cb) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[[TrendMicro BlackTech June 2017](https://app.tidalcyber.com/references/abb9cb19-d30e-4048-b106-eb29a6dad7fc)][[Symantec Palmerworm Sep 2020](https://app.tidalcyber.com/references/84ecd475-8d3f-4e7c-afa8-2dff6078bed5)][[Reuters Taiwan BlackTech August 2020](https://app.tidalcyber.com/references/77293f88-e336-4786-b042-7f0080bbff32)]", 
@@ -2928,7 +2928,7 @@
 }
 ],
 "uuid": "84db787e-f59b-4318-be71-17bf3c55effa",
- "value": "REDBALDKNIGHT"
+ "value": "REDBALDKNIGHT - Associated Group"
 },
 {
 "description": "[[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)][[Symantec Tick Apr 2016](https://app.tidalcyber.com/references/3e29cacc-2c05-4f35-8dd1-948f8aee6713)][[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]",
@@ -2942,7 +2942,7 @@
 }
 ],
 "uuid": "19c5a727-c2a1-411d-ad3c-b96b62dd72ea",
- "value": "Tick"
+ "value": "Tick - Associated Group"
 },
 {
 "description": "[BRONZE BUTLER](https://app.tidalcyber.com/groups/5825a840-5577-4ffc-a08d-3f48d64395cb) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)][[Secureworks BRONZE BUTLER Oct 2017](https://app.tidalcyber.com/references/c62d8d1a-cd1b-4b39-95b6-68f3f063dacf)][[Trend Micro Tick November 2019](https://app.tidalcyber.com/references/93adbf0d-5f5e-498e-aca1-ed3eb11561e7)]", 
@@ -3000,7 +3000,7 @@
 }
 ],
 "uuid": "060c0532-780d-4e42-9023-2ac385f369d7",
- "value": "Anunak"
+ "value": "Anunak - Associated Group"
 },
 {
 "description": "[Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) is a cybercriminal group that has used [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware to target financial institutions since at least 2013. [Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) may be linked to groups tracked separately as [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) that have also used [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware.[[Kaspersky Carbanak](https://app.tidalcyber.com/references/2f7e77db-fe39-4004-9945-3c8943708494)][[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)][[Europol Cobalt Mar 2018](https://app.tidalcyber.com/references/f9d1f2ab-9e75-48ce-bcdf-b7119687feef)][[Secureworks GOLD NIAGARA Threat Profile](https://app.tidalcyber.com/references/b11276cb-f6dd-4e91-90cd-9c287fb3e6b1)][[Secureworks GOLD KINGSWOOD Threat Profile](https://app.tidalcyber.com/references/36035bbb-1609-4461-be27-ef4a920b814c)]",
@@ -3085,7 +3085,7 @@
 }
 ],
 "uuid": "91b42715-7646-497a-a146-50bdffad8f71",
- "value": "Threat Group 2889"
+ "value": "Threat Group 2889 - Associated Group"
 },
 {
 "description": "[[Dell Threat Group 2889](https://app.tidalcyber.com/references/de7003cb-5127-4fd7-9475-d69e0d7f5cc8)]", 
@@ -3099,7 +3099,7 @@
 }
 ],
 "uuid": "18e47f6e-b3e3-40e9-8cc1-589f3b8dca36",
- "value": "TG-2889"
+ "value": "TG-2889 - Associated Group"
 },
 {
 "description": "[Cleaver](https://app.tidalcyber.com/groups/c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [[Dell Threat Group 2889](https://app.tidalcyber.com/references/de7003cb-5127-4fd7-9475-d69e0d7f5cc8)]",
@@ -3168,7 +3168,7 @@
 }
 ],
 "uuid": "14e60fe8-a70e-4b49-9e0c-d0417e2a8a2e",
- "value": "GOLD KINGSWOOD"
+ "value": "GOLD KINGSWOOD - Associated Group"
 },
 {
 "description": "[[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)] [[Crowdstrike Global Threat Report Feb 2018](https://app.tidalcyber.com/references/6c1ace5b-66b2-4c56-9301-822aad2c3c16)][[Morphisec Cobalt Gang Oct 2018](https://app.tidalcyber.com/references/0a0bdd4b-a680-4a38-967d-3ad92f04d619)]",
@@ -3182,7 +3182,7 @@
 }
 ],
 "uuid": "497264f0-60ec-4515-b123-4d17701d4bd8",
- "value": "Cobalt Gang"
+ "value": "Cobalt Gang - Associated Group"
 },
 {
 "description": "[[Crowdstrike Global Threat Report Feb 2018](https://app.tidalcyber.com/references/6c1ace5b-66b2-4c56-9301-822aad2c3c16)]", 
@@ -3196,7 +3196,7 @@
 }
 ],
 "uuid": "5d356315-296c-4c79-b2e4-d4dcdcf59551",
- "value": "Cobalt Spider"
+ "value": "Cobalt Spider - Associated Group"
 },
 {
 "description": "[Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)][[PTSecurity Cobalt Group Aug 2017](https://app.tidalcyber.com/references/f4ce1b4d-4f01-4083-8bc6-931cbac9ac38)][[PTSecurity Cobalt Dec 2016](https://app.tidalcyber.com/references/2de4d38f-c99d-4149-89e6-0349a4902aa2)][[Group IB Cobalt Aug 2017](https://app.tidalcyber.com/references/2d9ef1de-2ee6-4500-a87d-b55f83e65900)][[Proofpoint Cobalt June 2017](https://app.tidalcyber.com/references/c4922659-88b2-4311-9c9b-dc9b383d746a)][[RiskIQ Cobalt Nov 2017](https://app.tidalcyber.com/references/ebf961c5-bd68-42f3-8fd3-000946c7ae9c)][[RiskIQ Cobalt Jan 2018](https://app.tidalcyber.com/references/7d48b679-d44d-466e-b12b-16f0f9858d15)] Reporting indicates there may be links between [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and both the malware [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) and the group [Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de).[[Europol Cobalt Mar 
2018](https://app.tidalcyber.com/references/f9d1f2ab-9e75-48ce-bcdf-b7119687feef)]",
@@ -3263,7 +3263,7 @@
 }
 ],
 "uuid": "f223d10c-171d-4aa7-ab2c-7ff2acaf88f1",
- "value": "Confucius APT"
+ "value": "Confucius APT - Associated Group"
 },
 {
 "description": "[Confucius](https://app.tidalcyber.com/groups/d0f29889-7a9c-44d8-abdc-480b371f7b2b) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://app.tidalcyber.com/groups/d0f29889-7a9c-44d8-abdc-480b371f7b2b) and [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a), particularly in their respective custom malware code and targets.[[TrendMicro Confucius APT Feb 2018](https://app.tidalcyber.com/references/d1d5a708-75cb-4d41-b2a3-d035a14ac956)][[TrendMicro Confucius APT Aug 2021](https://app.tidalcyber.com/references/5c16aae9-d253-463b-8bbc-f14402ce77e4)][[Uptycs Confucius APT Jan 2021](https://app.tidalcyber.com/references/d74f2c25-cd53-4587-b087-7ba0b8427dc4)]", 
@@ -3451,7 +3451,7 @@
 }
 ],
 "uuid": "c110892f-9eae-4ffe-bf16-55437d814f3a",
- "value": "DUBNIUM"
+ "value": "DUBNIUM - Associated Group"
 },
 {
 "description": "[Darkhotel](https://app.tidalcyber.com/groups/efa1d922-8f48-43a6-89fe-237e1f3812c8) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://app.tidalcyber.com/groups/efa1d922-8f48-43a6-89fe-237e1f3812c8) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[[Kaspersky Darkhotel](https://app.tidalcyber.com/references/3247c03a-a57c-4945-9b85-72a70719e1cd)][[Securelist Darkhotel Aug 2015](https://app.tidalcyber.com/references/5a45be49-f5f1-4d5b-b7da-0a2f38194ec1)][[Microsoft Digital Defense FY20 Sept 2020](https://app.tidalcyber.com/references/cdf74af5-ed71-4dfd-bc49-0ccfa40b65ea)]",
@@ -3544,7 +3544,7 @@
 }
 ],
 "uuid": "cf629343-dce6-40db-b07e-e9667c7fe3a1",
- "value": "WebMasters"
+ "value": "WebMasters - Associated Group"
 },
 {
 "description": "[[RSA Shell Crew](https://app.tidalcyber.com/references/6872a6d3-c4ab-40cf-82b7-5c5c8e077189)]",
@@ -3558,7 +3558,7 @@
 }
 ],
 "uuid": "07485906-ee31-42d3-aa65-60f8c8715978",
- "value": "PinkPanther"
+ "value": "PinkPanther - Associated Group"
 },
 {
 "description": "[[RSA Shell Crew](https://app.tidalcyber.com/references/6872a6d3-c4ab-40cf-82b7-5c5c8e077189)]",
@@ -3572,7 +3572,7 @@
 }
 ],
 "uuid": "d2cec0e9-74c2-4095-a6d5-9996d8ad24a0",
- "value": "Shell Crew"
+ "value": "Shell Crew - Associated Group"
 },
 {
 "description": "[[RSA Shell Crew](https://app.tidalcyber.com/references/6872a6d3-c4ab-40cf-82b7-5c5c8e077189)]", 
@@ -3586,7 +3586,7 @@
 }
 ],
 "uuid": "b7f392bf-d2bb-4074-bcfd-68a459d04a7a",
- "value": "KungFu Kittens"
+ "value": "KungFu Kittens - Associated Group"
 },
 {
 "description": "[[Symantec Black Vine](https://app.tidalcyber.com/references/0b7745ce-04c0-41d9-a440-df9084a45d09)]",
@@ -3600,7 +3600,7 @@
 }
 ],
 "uuid": "55740e18-3c5e-4481-95ec-e2cc8810d3ee",
- "value": "Black Vine"
+ "value": "Black Vine - Associated Group"
 },
 {
 "description": "[Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [[Alperovitch 2014](https://app.tidalcyber.com/references/72e19be9-35dd-4199-bc07-bd9d0c664df6)] The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b). [[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [[RSA Shell Crew](https://app.tidalcyber.com/references/6872a6d3-c4ab-40cf-82b7-5c5c8e077189)] [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [[Symantec Black Vine](https://app.tidalcyber.com/references/0b7745ce-04c0-41d9-a440-df9084a45d09)] Some analysts track [Deep Panda](https://app.tidalcyber.com/groups/43f826a1-e8c8-47b8-9b00-38e1b3e4293b) and [APT19](https://app.tidalcyber.com/groups/713e2963-fbf4-406f-a8cf-6a4489d90439) as the same group, but it is unclear from open source information if the groups are the same. [[ICIT China's Espionage Jul 2016](https://app.tidalcyber.com/references/1a824860-6978-454d-963a-a56414a4312b)]", 
@@ -3673,7 +3673,7 @@
 }
 ],
 "uuid": "3209f44c-6706-4886-aee8-91f2ab14b10d",
- "value": "Berserk Bear"
+ "value": "Berserk Bear - Associated Group"
 },
 {
 "description": "[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)][[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)][[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)][[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]",
@@ -3687,7 +3687,7 @@
 }
 ],
 "uuid": "8e8f69f2-0bc1-4090-965b-1ee0e1e3cca9",
- "value": "Crouching Yeti"
+ "value": "Crouching Yeti - Associated Group"
 },
 {
 "description": "[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)][[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)][[Secureworks MCMD July 2019](https://app.tidalcyber.com/references/f7364cfc-5a3b-4538-80d0-cae65f3c6592)][[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)][[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)][[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)][[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]", 
@@ -3701,7 +3701,7 @@
 }
 ],
 "uuid": "acc95a06-1553-4f73-a582-f40dc1187b58",
- "value": "Energetic Bear"
+ "value": "Energetic Bear - Associated Group"
 },
 {
 "description": "[[Mandiant Ukraine Cyber Threats January 2022](https://app.tidalcyber.com/references/6f53117f-2e94-4981-be61-c3da4b783ce2)][[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)]",
@@ -3715,7 +3715,7 @@
 }
 ],
 "uuid": "2e1aa161-b0c0-431a-b974-735bb781c05a",
- "value": "TEMP.Isotope"
+ "value": "TEMP.Isotope - Associated Group"
 },
 {
 "description": "[[Dragos DYMALLOY ](https://app.tidalcyber.com/references/d2785c6e-e0d1-4e90-a2d5-2c302176d5d3)][[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]",
@@ -3729,7 +3729,7 @@
 }
 ],
 "uuid": "a9bba2d1-7fc8-43a0-8442-a12cde99329e",
- "value": "DYMALLOY"
+ "value": "DYMALLOY - Associated Group"
 },
 {
 "description": "[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)][[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]",
@@ -3743,7 +3743,7 @@
 }
 ],
 "uuid": "5d23fa1e-ece1-4111-a5e3-7d9eb3a8c214",
- "value": "TG-4192"
+ "value": "TG-4192 - Associated Group"
 },
 {
 "description": "[[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)][[Secureworks MCMD July 2019](https://app.tidalcyber.com/references/f7364cfc-5a3b-4538-80d0-cae65f3c6592)][[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)][[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)]", 
@@ -3757,7 +3757,7 @@ } ], "uuid": "8e252d57-69fb-4e48-a094-838e24fe620e", - "value": "IRON LIBERTY" + "value": "IRON LIBERTY - Associated Group" }, { "description": "[Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[[DOJ Russia Targeting Critical Infrastructure March 2022](https://app.tidalcyber.com/references/768a0ec6-b767-4044-acad-82834508640f)][[UK GOV FSB Factsheet April 2022](https://app.tidalcyber.com/references/27e7d347-9d85-4897-9e04-33f58acc5687)] Active since at least 2010, [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)][[Secureworks IRON LIBERTY July 2019](https://app.tidalcyber.com/references/c666200d-5392-43f2-9ad0-1268d7b2e86f)][[Symantec Dragonfly Sept 2017](https://app.tidalcyber.com/references/11bbeafc-ed5d-4d2b-9795-a0a9544fb64e)][[Fortune Dragonfly 2.0 Sept 2017](https://app.tidalcyber.com/references/b56c5b41-b8e0-4fef-a6d8-183bb283dc7c)][[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)][[CISA AA20-296A Berserk Bear December 2020](https://app.tidalcyber.com/references/c7bc4b25-2043-4f43-8320-590f82d0e09a)][[Symantec Dragonfly 2.0 October 2017](https://app.tidalcyber.com/references/a0439d4a-a3ea-4be5-9a01-f223ca259681)]", 
@@ -3869,7 +3869,7 @@ } ], "uuid": "f52f1ae7-3df5-479c-b487-b214c2946fe3", - "value": "TAG-22" + "value": "TAG-22 - Associated Group" }, { "description": "[Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) operations may be financially motivated.[[TrendMicro EarthLusca 2022](https://app.tidalcyber.com/references/f6e1bffd-e35b-4eae-b9bf-c16a82bf7004)]\n\n[Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e) has used malware commonly used by other Chinese threat groups, including [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) and the [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b) cluster, however security researchers assess [Earth Lusca](https://app.tidalcyber.com/groups/646e35d2-75de-4c1d-8ad3-616d3e155c5e)'s techniques and infrastructure are separate.[[TrendMicro EarthLusca 2022](https://app.tidalcyber.com/references/f6e1bffd-e35b-4eae-b9bf-c16a82bf7004)]", 
@@ -3898,7 +3898,7 @@ } ], "uuid": "512f83c6-b369-4d53-82b6-5b27f60e970e", - "value": "Elderwood Gang" + "value": "Elderwood Gang - Associated Group" }, { "description": "[[CSM Elderwood Sept 2012](https://app.tidalcyber.com/references/6b79006d-f6de-489c-82fa-8c3c28d652ef)]", @@ -3912,7 +3912,7 @@ } ], "uuid": "a34e5489-2c79-4363-8cbb-2073f310cadc", - "value": "Beijing Group" + "value": "Beijing Group - Associated Group" }, { "description": "[[CSM Elderwood Sept 2012](https://app.tidalcyber.com/references/6b79006d-f6de-489c-82fa-8c3c28d652ef)]", @@ -3926,7 +3926,7 @@ } ], "uuid": "54369a73-2715-48b3-8897-26380a48683e", - "value": "Sneaky Panda" + "value": "Sneaky Panda - Associated Group" }, { "description": "[Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [[Security Affairs Elderwood Sept 2012](https://app.tidalcyber.com/references/ebfc56c5-0490-4b91-b49f-548c00a59162)] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)] [[CSM Elderwood Sept 2012](https://app.tidalcyber.com/references/6b79006d-f6de-489c-82fa-8c3c28d652ef)]", @@ -3988,7 +3988,7 @@ } ], "uuid": "58a29d72-e635-443b-868d-5970497a02be", - "value": "Saint Bear" + "value": "Saint Bear - Associated Group" }, { "description": "[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]", @@ -4002,7 +4002,7 @@ } ], "uuid": "458c2ae1-5ddf-40d6-9f57-e38ce07f7af0", - "value": "Lorec53" + "value": "Lorec53 - Associated Group" }, { "description": "[[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)]", 
@@ -4016,7 +4016,7 @@ } ], "uuid": "d3f83fae-e133-4e00-a53b-f881f0a1f6e0", - "value": "UNC2589" + "value": "UNC2589 - Associated Group" }, { "description": "[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]", @@ -4030,7 +4030,7 @@ } ], "uuid": "00c980c7-47ad-409d-bb62-374e5a078de8", - "value": "UAC-0056" + "value": "UAC-0056 - Associated Group" }, { "description": "[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]", @@ -4044,7 +4044,7 @@ } ], "uuid": "8196a760-2ea4-40a0-8229-405f43247543", - "value": "Lorec Bear" + "value": "Lorec Bear - Associated Group" }, { "description": "[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)]", 
@@ -4058,7 +4058,7 @@ } ], "uuid": "097d6980-041e-42b0-b1b0-219f70381167", - "value": "Bleeding Bear" + "value": "Bleeding Bear - Associated Group" }, { "description": "[Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://app.tidalcyber.com/groups/407274be-1820-4a84-939e-629313f4de1d) likely conducted the [WhisperGate](https://app.tidalcyber.com/software/791f0afd-c2c4-4e23-8aee-1d14462667f5) destructive wiper attacks against Ukraine in early 2022.[[CrowdStrike Ember Bear Profile March 2022](https://app.tidalcyber.com/references/0639c340-b495-4d91-8418-3069f3fe0df1)][[Mandiant UNC2589 March 2022](https://app.tidalcyber.com/references/63d89139-9dd4-4ed6-bf6e-8cd872c5d034)][[Palo Alto Unit 42 OutSteel SaintBot February 2022 ](https://app.tidalcyber.com/references/b0632490-76be-4018-982d-4b73b3d13881)] ", 
@@ -4245,7 +4245,7 @@ } ], "uuid": "4a4dfd05-0243-4a4d-a4f5-043a8098034d", - "value": "Pistachio Tempest" + "value": "Pistachio Tempest - Associated Group" }, { "description": "FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]\n\nFIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. 
However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)][[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", @@ -4307,7 +4307,7 @@ } ], "uuid": "0bf8168b-e8b6-547b-ba47-a500a4f64a5b", - "value": "Elephant Beetle" + "value": "Elephant Beetle - Associated Group" }, { "description": "[FIN13](https://app.tidalcyber.com/groups/570198e3-b59c-5772-b1ee-15d7ea14d48a) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://app.tidalcyber.com/groups/570198e3-b59c-5772-b1ee-15d7ea14d48a) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.[[Mandiant FIN13 Aug 2022](https://app.tidalcyber.com/references/ebd9d479-1954-5a4a-b7f0-d5372489733c)][[Sygnia Elephant Beetle Jan 2022](https://app.tidalcyber.com/references/932897a6-0fa4-5be3-bf0b-20d6ddad238e)]", @@ -4393,7 +4393,7 @@ } ], "uuid": "b7091e08-25be-44de-a445-d81ca9fdc073", - "value": "Skeleton Spider" + "value": "Skeleton Spider - Associated Group" }, { "description": "[[Security Intelligence ITG08 April 2020](https://app.tidalcyber.com/references/32569f59-14fb-4581-8a42-3bf49fb189e9)]", 
@@ -4407,7 +4407,7 @@ } ], "uuid": "5b35e532-aaed-4e3b-bb9f-452e3c7fa8bb", - "value": "Magecart Group 6" + "value": "Magecart Group 6 - Associated Group" }, { "description": "[[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]", @@ -4421,7 +4421,7 @@ } ], "uuid": "6e65d12f-a1d8-4f49-9e47-c6a58f950e7f", - "value": "ITG08" + "value": "ITG08 - Associated Group" }, { "description": "[FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[[FireEye FIN6 April 2016](https://app.tidalcyber.com/references/8c0997e1-b285-42dd-9492-75065eac8f8b)][[FireEye FIN6 Apr 2019](https://app.tidalcyber.com/references/e8a2bc6a-04e3-484e-af67-5f57656c7206)]", @@ -4473,7 +4473,7 @@ } ], "uuid": "89f19c2d-3449-4c67-9f1b-710217bc2a6f", - "value": "GOLD NIAGARA" + "value": "GOLD NIAGARA - Associated Group" }, { "description": "ITG14 shares campaign overlap with [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff).[[IBM Ransomware Trends September 2020](https://app.tidalcyber.com/references/eb767436-4a96-4e28-bd34-944842d7593e)]", @@ -4487,7 +4487,7 @@ } ], "uuid": "f67c4cea-6f4e-43c9-ab46-2075a57c4aaf", - "value": "ITG14" + "value": "ITG14 - Associated Group" }, { "description": "[[CrowdStrike Carbon Spider August 2021](https://app.tidalcyber.com/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)]", 
@@ -4501,7 +4501,7 @@ } ], "uuid": "7bdc9be3-109a-42e5-88ff-6260c6407478", - "value": "Carbon Spider" + "value": "Carbon Spider - Associated Group" }, { "description": "[FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) is a financially-motivated threat group that has been active since 2013. [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) ransomware and their own Ransomware as a Service (RaaS), Darkside. 
FIN7 may be linked to the [Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de) Group, but there appears to be several groups using [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) malware and are therefore tracked separately.[[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)][[FireEye FIN7 April 2017](https://app.tidalcyber.com/references/6ee27fdb-1753-4fdf-af72-3295b072ff10)][[FireEye CARBANAK June 2017](https://app.tidalcyber.com/references/39105492-6044-460c-9dc9-3d4473ee862e)][[FireEye FIN7 Aug 2018](https://app.tidalcyber.com/references/54e5f23a-5ca6-4feb-8046-db2fb71b400a)][[CrowdStrike Carbon Spider August 2021](https://app.tidalcyber.com/references/36f0ddb0-94af-494c-ad10-9d3f75d1d810)][[Mandiant FIN7 Apr 2022](https://app.tidalcyber.com/references/be9919c0-ca52-593b-aea0-c5e9a262b570)]", 
@@ -4585,7 +4585,7 @@ } ], "uuid": "5cd4a69b-7a62-5091-be06-e73477878441", - "value": "Syssphinx" + "value": "Syssphinx - Associated Group" }, { "description": "[FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)][[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)][[Bitdefender Sardonic Aug 2021](https://app.tidalcyber.com/references/8e9d05c9-6783-5738-ac85-a444810a8074)][[Symantec FIN8 Jul 2023](https://app.tidalcyber.com/references/9b08b7f0-1a33-5d76-817f-448fac0d165a)]", @@ -4638,7 +4638,7 @@ } ], "uuid": "70b3c377-6e46-45d1-bc24-edb920ad535d", - "value": "Pioneer Kitten" + "value": "Pioneer Kitten - Associated Group" }, { "description": "[[CISA AA20-259A Iran-Based Actor September 2020](https://app.tidalcyber.com/references/1bbc9446-9214-4fcd-bc7c-bf528370b4f8)][[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)]", 
@@ -4652,7 +4652,7 @@ } ], "uuid": "89d106ad-e7dc-4b3c-8bbb-b8acbf45d47e", - "value": "UNC757" + "value": "UNC757 - Associated Group" }, { "description": "[[Dragos PARISITE ](https://app.tidalcyber.com/references/15e974db-51a9-4ec1-9725-cff8bb9bc2fa)][[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)][[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)]", @@ -4666,7 +4666,7 @@ } ], "uuid": "580af0b1-0ed3-461e-8144-c95364116faa", - "value": "Parisite" + "value": "Parisite - Associated Group" }, { "description": "[Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://app.tidalcyber.com/groups/7094468a-2310-48b5-ad24-e669152bd66d) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[[ClearkSky Fox Kitten February 2020](https://app.tidalcyber.com/references/a5ad6321-897a-4adc-9cdd-034a2538e3d6)][[CrowdStrike PIONEER KITTEN August 2020](https://app.tidalcyber.com/references/4fce29cc-ddab-4b96-b295-83c282a87564)][[Dragos PARISITE ](https://app.tidalcyber.com/references/15e974db-51a9-4ec1-9725-cff8bb9bc2fa)][[ClearSky Pay2Kitten December 2020](https://app.tidalcyber.com/references/6e09bc1a-8a5d-4512-9176-40eed91af358)]", 
@@ -4746,7 +4746,7 @@ } ], "uuid": "90e2eeaa-23b5-4bc5-a277-af26f9ee2326", - "value": "Operation Soft Cell" + "value": "Operation Soft Cell - Associated Group" }, { "description": "[GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://app.tidalcyber.com/groups/15ff1ce0-44f0-4f1d-a4ef-83444570e572) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[[Cybereason Soft Cell June 2019](https://app.tidalcyber.com/references/620b7353-0e58-4503-b534-9250a8f5ae3c)][[Microsoft GALLIUM December 2019](https://app.tidalcyber.com/references/5bc76b47-ff68-4031-a347-f2dc0daba203)][[Unit 42 PingPull Jun 2022](https://app.tidalcyber.com/references/ac6491ab-6ef1-4091-8a15-50e2cbafe157)]", @@ -4796,7 +4796,7 @@ } ], "uuid": "24e4dcfa-128c-455f-9eb9-088ec37b31ca", - "value": "Primitive Bear" + "value": "Primitive Bear - Associated Group" }, { "description": "[[Symantec Shuckworm January 2022](https://app.tidalcyber.com/references/3abb9cfb-8927-4447-b904-6ed071787bef)]", @@ -4810,7 +4810,7 @@ } ], "uuid": "a5b946ca-ce53-4011-bf46-975390ab31d0", - "value": "Shuckworm" + "value": "Shuckworm - Associated Group" }, { "description": "[[Secureworks IRON TILDEN Profile](https://app.tidalcyber.com/references/45969d87-02c1-4074-b708-59f4c3e39426)]", @@ -4824,7 +4824,7 @@ } ], "uuid": "27cc58cd-ad07-4921-9dcc-bd3d81ab4164", - "value": "IRON TILDEN" + "value": "IRON TILDEN - Associated Group" }, { "description": "[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]", 
@@ -4838,7 +4838,7 @@ } ], "uuid": "42979c45-dfcb-4be8-8c6b-2428f87fb96b", - "value": "ACTINIUM" + "value": "ACTINIUM - Associated Group" }, { "description": "[[Symantec Shuckworm January 2022](https://app.tidalcyber.com/references/3abb9cfb-8927-4447-b904-6ed071787bef)]", @@ -4852,7 +4852,7 @@ } ], "uuid": "c06e119e-26b7-46f1-bf6c-35b68f091152", - "value": "Armageddon" + "value": "Armageddon - Associated Group" }, { "description": "[[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]", 
@@ -4866,7 +4866,7 @@ } ], "uuid": "5c73e944-4ec1-4b9f-92c6-134952b224cd", - "value": "DEV-0157" + "value": "DEV-0157 - Associated Group" }, { "description": "[Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) comes from a misspelling of the word \"Armageddon\", which was detected in the adversary's early campaigns.[[Palo Alto Gamaredon Feb 2017](https://app.tidalcyber.com/references/3f9a6343-1db3-4696-99ed-f22c6eabee71)][[TrendMicro Gamaredon April 2020](https://app.tidalcyber.com/references/3800cfc2-0260-4b36-b629-7a336b9f9f10)][[ESET Gamaredon June 2020](https://app.tidalcyber.com/references/6532664d-2311-4b38-8960-f43762471729)][[Symantec Shuckworm January 2022](https://app.tidalcyber.com/references/3abb9cfb-8927-4447-b904-6ed071787bef)][[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]\n\nIn November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067) to Russia's Federal Security Service (FSB) Center 18.[[Bleepingcomputer Gamardeon FSB November 2021](https://app.tidalcyber.com/references/c565b025-df74-40a9-9535-b630ca06f777)][[Microsoft Actinium February 2022](https://app.tidalcyber.com/references/5ab658db-7f71-4213-8146-e22da54160b3)]", 
@@ -4993,7 +4993,7 @@ } ], "uuid": "7f1fa605-10cc-5317-a88c-b174f3ad7596", - "value": "Pinchy Spider" + "value": "Pinchy Spider - Associated Group" }, { "description": "[GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.[[Secureworks REvil September 2019](https://app.tidalcyber.com/references/8f4e2baf-4227-4bbd-bfdb-5598717dcf88)][[Secureworks GandCrab and REvil September 2019](https://app.tidalcyber.com/references/46b5d57b-17be-48ff-b723-406f6a55d84a)][[Secureworks GOLD SOUTHFIELD](https://app.tidalcyber.com/references/01d1ffaa-16b3-41c4-bb5a-afe2b41f1142)][[CrowdStrike Evolution of Pinchy Spider July 2021](https://app.tidalcyber.com/references/7578541b-1ae3-58d0-a8b9-120bd6cd96f5)]", 
@@ -5070,7 +5070,7 @@ } ], "uuid": "956cc6a9-b4e2-40ec-aa22-5dc90e2ab2d0", - "value": "Operation Exchange Marauder" + "value": "Operation Exchange Marauder - Associated Group" }, { "description": "[HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://app.tidalcyber.com/groups/1bcc9382-ccfe-4b04-91f3-ef1250df5e5b) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.[[Microsoft HAFNIUM March 2020](https://app.tidalcyber.com/references/6a986c46-79a3-49c6-94d2-d9b1f5db08f3)][[Volexity Exchange Marauder March 2021](https://app.tidalcyber.com/references/ef0626e9-281c-4770-b145-ffe36e18e369)]", @@ -5117,7 +5117,7 @@ } ], "uuid": "140137f2-039a-4ade-a043-039b2093e25e", - "value": "Lyceum" + "value": "Lyceum - Associated Group" }, { "description": "[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)]", @@ -5131,7 +5131,7 @@ } ], "uuid": "05b6f4a6-e54d-42db-a47e-4bcfae56c0f6", - "value": "Siamesekitten" + "value": "Siamesekitten - Associated Group" }, { "description": "[[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]", 
@@ -5145,7 +5145,7 @@ } ], "uuid": "16662d03-d9bf-448d-9fef-40af53a2bc76", - "value": "Spirlin" + "value": "Spirlin - Associated Group" }, { "description": "[HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735)'s TTPs appear similar to [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac) and [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) but due to differences in victims and tools it is tracked as a separate entity.[[Dragos Hexane](https://app.tidalcyber.com/references/11838e67-5032-4352-ad1f-81ba0398a14f)][[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)][[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Accenture Lyceum Targets November 2021](https://app.tidalcyber.com/references/127836ce-e459-405d-a75c-32fd5f0ab198)]", @@ -5203,7 +5203,7 @@ } ], "uuid": "42936511-3367-4000-b700-cba2ed0a5c6c", - "value": "Inception Framework" + "value": "Inception Framework - Associated Group" }, { "description": "[[Kaspersky Cloud Atlas December 2014](https://app.tidalcyber.com/references/41a9b3e3-0953-4bde-9e1d-c2f51de1120e)]", 
@@ -5217,7 +5217,7 @@ } ], "uuid": "ec26e42e-45f7-4d88-ae4b-f141dd03e192", - "value": "Cloud Atlas" + "value": "Cloud Atlas - Associated Group" }, { "description": "[Inception](https://app.tidalcyber.com/groups/d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.[[Unit 42 Inception November 2018](https://app.tidalcyber.com/references/5cb98fce-f386-4878-b69c-5c6440ad689c)][[Symantec Inception Framework March 2018](https://app.tidalcyber.com/references/166f5c44-7d8c-45d5-8d9f-3b8bd21a2af3)][[Kaspersky Cloud Atlas December 2014](https://app.tidalcyber.com/references/41a9b3e3-0953-4bde-9e1d-c2f51de1120e)]", 
@@ -5306,7 +5306,7 @@ } ], "uuid": "bc61566f-d467-43bd-bea8-b04d6eb26318", - "value": "Evil Corp" + "value": "Evil Corp - Associated Group" }, { "description": "[Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) initially started with the [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d), [WastedLocker](https://app.tidalcyber.com/software/0ba6ee8d-2b29-4980-8e55-348ea05f00ad), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://app.tidalcyber.com/groups/3c7ad595-1940-40fc-b9ca-3e649c1e5d87) changed their tactics and diversified their toolset.[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)][[Crowdstrike EvilCorp March 2021](https://app.tidalcyber.com/references/4b77d313-ef3c-4d2f-bfde-609fa59a8f55)][[Treasury EvilCorp Dec 2019](https://app.tidalcyber.com/references/074a52c4-26d9-4083-9349-c14e2639c1bc)]", @@ -5352,7 +5352,7 @@ } ], "uuid": "3c0dfd27-fc7a-48c5-a431-6f62f3f9319a", - "value": "Vixen Panda" + "value": "Vixen Panda - Associated Group" }, { "description": "[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)][[APT15 Intezer June 2018](https://app.tidalcyber.com/references/0110500c-bf67-43a5-97cb-16eb6c01040b)]", @@ -5366,7 +5366,7 @@ } ], "uuid": "6231a5a9-ca9a-435e-abf3-a78478484513", - "value": "Playful Dragon" + "value": "Playful Dragon - Associated Group" }, { "description": "[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]", 
@@ -5380,7 +5380,7 @@ } ], "uuid": "fa320745-a2e5-4f54-8cb6-c0056e18805e", - "value": "APT15" + "value": "APT15 - Associated Group" }, { "description": "[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]", @@ -5394,7 +5394,7 @@ } ], "uuid": "95a17f0a-d6ca-4d82-add7-96f97104a471", - "value": "Mirage" + "value": "Mirage - Associated Group" }, { "description": "[[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)]", @@ -5408,7 +5408,7 @@ } ], "uuid": "85d23b10-4d88-41b5-a1e6-628faf4dfcdd", - "value": "GREF" + "value": "GREF - Associated Group" }, { "description": "[[APT15 Intezer June 2018](https://app.tidalcyber.com/references/0110500c-bf67-43a5-97cb-16eb6c01040b)]", @@ -5422,7 +5422,7 @@ } ], "uuid": "53e4969e-6d5f-447a-b589-cf4ec546985b", - "value": "RoyalAPT" + "value": "RoyalAPT - Associated Group" }, { "description": "[[Microsoft NICKEL December 2021](https://app.tidalcyber.com/references/29a46bb3-f514-4554-ad9c-35f9a5ad9870)]", 
@@ -5436,7 +5436,7 @@ } ], "uuid": "dac81780-75d0-4e20-91a5-d6f9f4e21de3", - "value": "NICKEL" + "value": "NICKEL - Associated Group" }, { "description": "[Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) is a threat group attributed to actors operating out of China. [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[[Mandiant Operation Ke3chang November 2014](https://app.tidalcyber.com/references/bb45cf96-ceae-4f46-a0f5-08cd89f699c9)][[NCC Group APT15 Alive and Strong](https://app.tidalcyber.com/references/02a50445-de06-40ab-9ea4-da5c37e066cd)][[APT15 Intezer June 2018](https://app.tidalcyber.com/references/0110500c-bf67-43a5-97cb-16eb6c01040b)][[Microsoft NICKEL December 2021](https://app.tidalcyber.com/references/29a46bb3-f514-4554-ad9c-35f9a5ad9870)]", @@ -5584,7 +5584,7 @@ } ], "uuid": "11901dae-ceb9-4469-8529-f517d6489ca8", - "value": "STOLEN PENCIL" + "value": "STOLEN PENCIL - Associated Group" }, { "description": "[[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)][[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]", @@ -5598,7 +5598,7 @@ } ], "uuid": "c6cbcc71-4931-460b-8676-b638be841995", - "value": "Thallium" + "value": "Thallium - Associated Group" }, { "description": "[[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)][[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]", 
@@ -5612,7 +5612,7 @@ } ], "uuid": "983f8775-5730-4400-92b3-ef3643b2b33c", - "value": "Black Banshee" + "value": "Black Banshee - Associated Group" }, { "description": "[[Zdnet Kimsuky Dec 2018](https://app.tidalcyber.com/references/b17acdc3-0163-4c98-b5fb-a457a7e6b58d)][[ThreatConnect Kimsuky September 2020](https://app.tidalcyber.com/references/45d64462-2bed-46e8-ac52-9d4914608a93)][[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)]", 
@@ -5626,7 +5626,7 @@
 }
 ],
 "uuid": "983d7efc-068e-41b2-96da-524af88985a8",
- "value": "Velvet Chollima"
+ "value": "Velvet Chollima - Associated Group"
 },
 {
 "description": "[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.[[EST Kimsuky April 2019](https://app.tidalcyber.com/references/8e52db6b-5ac3-448a-93f6-96a21787a346)][[BRI Kimsuky April 2019](https://app.tidalcyber.com/references/b72dd3a1-62ca-4a05-96a8-c4bddb17db50)][[Cybereason Kimsuky November 2020](https://app.tidalcyber.com/references/ecc2f5ad-b2a8-470b-b919-cb184d12d00f)][[Malwarebytes Kimsuky June 2021](https://app.tidalcyber.com/references/9a497c56-f1d3-4889-8c1a-14b013f14668)][[CISA AA20-301A Kimsuky](https://app.tidalcyber.com/references/685aa213-7902-46fb-b90a-64be5c851f73)]\n\n[Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. 
compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[[Netscout Stolen Pencil Dec 2018](https://app.tidalcyber.com/references/6d3b31da-a784-4da0-91dd-b72c04fd520a)][[EST Kimsuky SmokeScreen April 2019](https://app.tidalcyber.com/references/15213a3c-1e9f-47fa-9864-8ef2707c7fb6)][[AhnLab Kimsuky Kabar Cobra Feb 2019](https://app.tidalcyber.com/references/4035e871-9291-4d7f-9c5f-d8482d4dc8a7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups.",
@@ -5689,7 +5689,7 @@
 }
 ],
 "uuid": "fc95e9b7-ae40-4a2f-b1f6-a42facc3c237",
- "value": "DEV-0537"
+ "value": "DEV-0537 - Associated Group"
 },
 {
 "description": "[LAPSUS$](https://app.tidalcyber.com/groups/0060bb76-6713-4942-a4c0-d4ae01ec2866) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://app.tidalcyber.com/groups/0060bb76-6713-4942-a4c0-d4ae01ec2866) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[[BBC LAPSUS Apr 2022](https://app.tidalcyber.com/references/6c9f4312-6c9d-401c-b20f-12ce50c94a96)][[MSTIC DEV-0537 Mar 2022](https://app.tidalcyber.com/references/a9ce7e34-6e7d-4681-9869-8e8f2b5b0390)][[UNIT 42 LAPSUS Mar 2022](https://app.tidalcyber.com/references/50f4c1ed-b046-405a-963d-a113324355a3)]",
@@ -5724,7 +5724,7 @@
 }
 ],
 "uuid": "df5caef8-2e25-4ddd-ae58-2c9ad119834d",
- "value": "HIDDEN COBRA"
+ "value": "HIDDEN COBRA - Associated Group"
 },
 {
 "description": "[[CrowdStrike Labyrinth Chollima Feb 2022](https://app.tidalcyber.com/references/ffe31bbf-a40d-4285-96a0-53c54298a680)]",
@@ -5738,7 +5738,7 @@
 }
 ],
 "uuid": "a7be1337-efab-48a8-9bf4-6f300291d150",
- "value": "Labyrinth Chollima"
+ "value": "Labyrinth Chollima - Associated Group"
 },
 {
 "description": "[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)]",
@@ -5752,7 +5752,7 @@
 }
 ],
 "uuid": "618bd388-b295-4076-a63e-c1e2515dab4e",
- "value": "Guardians of Peace"
+ "value": "Guardians of Peace - Associated Group"
 },
 {
 "description": "[[Microsoft ZINC disruption Dec 2017](https://app.tidalcyber.com/references/99831838-fc8f-43fa-9c87-6ccdf5677c34)]",
@@ -5766,7 +5766,7 @@
 }
 ],
 "uuid": "4fc58da4-8398-43f9-b037-fd873ed5864e",
- "value": "ZINC"
+ "value": "ZINC - Associated Group"
 },
 {
 "description": "[[Secureworks NICKEL ACADEMY Dec 2017](https://app.tidalcyber.com/references/aa7393ad-0760-4f27-a068-17beba17bbe3)]",
@@ -5780,7 +5780,7 @@
 }
 ],
 "uuid": "b7b671c3-2339-4521-a12d-b57821ad5c12",
- "value": "NICKEL ACADEMY"
+ "value": "NICKEL ACADEMY - Associated Group"
 },
 {
 "description": "",
@@ -5796,7 +5796,7 @@
 }
 ],
 "uuid": "972c0eea-6037-4aac-ac22-e1e991898dcb",
- "value": "Diamond Sleet"
+ "value": "Diamond Sleet - Associated Group"
 },
 {
 "description": "[Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.[[US-CERT HIDDEN COBRA June 2017](https://app.tidalcyber.com/references/8e57cea3-ee37-4507-bb56-7445050ec8ca)][[Treasury North Korean Cyber Groups September 2019](https://app.tidalcyber.com/references/54977bb2-2929-41d7-bdea-06d39dc76174)] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [[Novetta Blockbuster](https://app.tidalcyber.com/references/bde96b4f-5f98-4ce5-a507-4b05d192b6d7)]\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) instead of tracking clusters or subgroups, such as [Andariel](https://app.tidalcyber.com/groups/2cc997b5-5076-4eef-9974-f54387614f46), [APT37](https://app.tidalcyber.com/groups/013fdfdc-aa32-4779-8f6e-7920615cbf66), [APT38](https://app.tidalcyber.com/groups/dfbce236-735c-436d-b433-933bd6eae17b), and [Kimsuky](https://app.tidalcyber.com/groups/37f317d8-02f0-43d4-8a7d-7a65ce8aadf1). ",
@@ -5888,7 +5888,7 @@
 }
 ],
 "uuid": "044d8fd0-faad-4e9f-bc5a-807e7147a331",
- "value": "Raspite"
+ "value": "Raspite - Associated Group"
 },
 {
 "description": "[Leafminer](https://app.tidalcyber.com/groups/b5c28235-d441-40d9-8da2-d49ba2f2568b) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [[Symantec Leafminer July 2018](https://app.tidalcyber.com/references/01130af7-a2d4-435e-8790-49933e041451)]",
@@ -5938,7 +5938,7 @@
 }
 ],
 "uuid": "e7a109ad-fa21-4fcf-a1fb-2a497146db2b",
- "value": "Kryptonite Panda"
+ "value": "Kryptonite Panda - Associated Group"
 },
 {
 "description": "[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[SecureWorks BRONZE MOHAWK n.d.](https://app.tidalcyber.com/references/b741fe9a-4b08-44b9-b6e7-5988eee486a3)]",
@@ -5952,7 +5952,7 @@
 }
 ],
 "uuid": "5b71f978-8056-47a9-b4f9-d2520fc396a0",
- "value": "BRONZE MOHAWK"
+ "value": "BRONZE MOHAWK - Associated Group"
 },
 {
 "description": "FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)][[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)][[FireEye APT40 March 2019](https://app.tidalcyber.com/references/8a44368f-3348-4817-aca7-81bfaca5ae6d)]",
@@ -5966,7 +5966,7 @@
 }
 ],
 "uuid": "06d1c9bb-8951-4e14-a775-9a248d6390cf",
- "value": "APT40"
+ "value": "APT40 - Associated Group"
 },
 {
 "description": "[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[Accenture MUDCARP March 2019](https://app.tidalcyber.com/references/811d433d-27a4-4411-8ec9-b3a173ba0033)]",
@@ -5980,7 +5980,7 @@
 }
 ],
 "uuid": "97a136d2-2bb1-44ed-a33b-cf87374b24a7",
- "value": "MUDCARP"
+ "value": "MUDCARP - Associated Group"
 },
 {
 "description": "[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[MSTIC GADOLINIUM September 2020](https://app.tidalcyber.com/references/ee352214-421f-4778-ac28-949142a8ef2a)]",
@@ -5994,7 +5994,7 @@
 }
 ],
 "uuid": "82ac97dc-8c3e-4fd1-a7a1-76b8513143e1",
- "value": "Gadolinium"
+ "value": "Gadolinium - Associated Group"
 },
 {
 "description": "[Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[FireEye APT40 March 2019](https://app.tidalcyber.com/references/8a44368f-3348-4817-aca7-81bfaca5ae6d)]",
@@ -6008,7 +6008,7 @@
 }
 ],
 "uuid": "c9c9a804-2635-4a47-b63c-9ad5363454a3",
- "value": "TEMP.Jumper"
+ "value": "TEMP.Jumper - Associated Group"
 },
 {
 "description": "[Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)][[FireEye APT40 March 2019](https://app.tidalcyber.com/references/8a44368f-3348-4817-aca7-81bfaca5ae6d)]",
@@ -6022,7 +6022,7 @@
 }
 ],
 "uuid": "58f19fca-8c3b-424a-8e1d-cb3996f36417",
- "value": "TEMP.Periscope"
+ "value": "TEMP.Periscope - Associated Group"
 },
 {
 "description": "[Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)] Active since at least 2009, [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[[CISA AA21-200A APT40 July 2021](https://app.tidalcyber.com/references/3a2dbd8b-54e3-406a-b77c-b6fae5541b6d)][[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)][[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]",
@@ -6109,7 +6109,7 @@
 }
 ],
 "uuid": "d35be61a-d6d9-4572-8d1f-60367e982f88",
- "value": "Water Selkie"
+ "value": "Water Selkie - Associated Group"
 },
 {
 "description": "This object represents the LockBit Ransomware-as-a-Service (\"RaaS\") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nRansomware labeled \"LockBit\" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (\"CISA\"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware's predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nSince emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nLockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via most methods (including a number of vulnerability exploits), and operators are known to abuse a range of free and open-source software tools for a variety of post-exploitation activities. In addition to victim data encryption, LockBit actors routinely exfiltrate victim data and threaten to leak this data for extortion purposes.\n\n**Related Vulnerabilities**: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2021-22986, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]",
@@ -6237,7 +6237,7 @@
 }
 ],
 "uuid": "68a87557-6166-4fd7-8a18-4a4e43f9b949",
- "value": "Spring Dragon"
+ "value": "Spring Dragon - Associated Group"
 },
 {
 "description": "[[Accenture Dragonfish Jan 2018](https://app.tidalcyber.com/references/f692c6fa-7b3a-4d1d-9002-b1a59f7116f4)]",
@@ -6251,7 +6251,7 @@
 }
 ],
 "uuid": "e2890e51-1bc8-4302-9251-149a3f547d36",
- "value": "DRAGONFISH"
+ "value": "DRAGONFISH - Associated Group"
 },
 {
 "description": "[Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52) is a threat group that has targeted government and military organizations in Southeast Asia. [[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)]",
@@ -6312,7 +6312,7 @@
 }
 ],
 "uuid": "4656c093-80f5-4f33-a695-09180101d3d9",
- "value": "APT-C-43"
+ "value": "APT-C-43 - Associated Group"
 },
 {
 "description": "[[Cylance Machete Mar 2017](https://app.tidalcyber.com/references/92a9a311-1e0b-4819-9856-2dfc8dbfc08d)]",
@@ -6326,7 +6326,7 @@
 }
 ],
 "uuid": "b5f7c7c6-f079-4e6e-95a5-4fde667b9705",
- "value": "El Machete"
+ "value": "El Machete - Associated Group"
 },
 {
 "description": "[Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.[[Cylance Machete Mar 2017](https://app.tidalcyber.com/references/92a9a311-1e0b-4819-9856-2dfc8dbfc08d)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]",
@@ -6398,7 +6398,7 @@
 }
 ],
 "uuid": "618f578f-a73b-4f47-b123-8c3877325675",
- "value": "Phosphorus"
+ "value": "Phosphorus - Associated Group"
 },
 {
 "description": "[[Proofpoint TA453 March 2021](https://app.tidalcyber.com/references/5ba4217c-813b-4cc5-b694-3a4dcad776e4)][[Proofpoint TA453 July2021](https://app.tidalcyber.com/references/a987872f-2176-437c-a38f-58676b7b12de)][[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]",
@@ -6412,7 +6412,7 @@
 }
 ],
 "uuid": "69d9316e-daa7-4fe4-86e0-c79c4ab27c5e",
- "value": "TA453"
+ "value": "TA453 - Associated Group"
 },
 {
 "description": "[[ClearSky Charming Kitten Dec 2017](https://app.tidalcyber.com/references/23ab1ad2-e9d4-416a-926f-6220a59044ab)][[Eweek Newscaster and Charming Kitten May 2014](https://app.tidalcyber.com/references/a3407cd2-d579-4d64-8f2e-162c31a99534)][[ClearSky Kittens Back 2 Oct 2019](https://app.tidalcyber.com/references/f5114978-2528-4199-a586-0158c5f8a138)][[ClearSky Kittens Back 3 August 2020](https://app.tidalcyber.com/references/a10c6a53-79bb-4454-b444-cfb9136ecd36)][[Proofpoint TA453 March 2021](https://app.tidalcyber.com/references/5ba4217c-813b-4cc5-b694-3a4dcad776e4)][[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]",
@@ -6426,7 +6426,7 @@
 }
 ],
 "uuid": "2a379f9c-0c8b-4066-8131-dfc6aad03b30",
- "value": "Charming Kitten"
+ "value": "Charming Kitten - Associated Group"
 },
 {
 "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).[[Unit 42 Magic Hound Feb 2017](https://app.tidalcyber.com/references/f1ef9868-3ddb-4289-aa92-481c35517920)][[FireEye APT35 2018](https://app.tidalcyber.com/references/71d3db50-4a20-4d8e-a640-4670d642205c)]",
@@ -6440,7 +6440,7 @@
 }
 ],
 "uuid": "1701d47b-d0ad-47dd-965e-0f50737c34ef",
- "value": "Newscaster"
+ "value": "Newscaster - Associated Group"
 },
 {
 "description": "[[Secureworks COBALT ILLUSION Threat Profile](https://app.tidalcyber.com/references/8d9a5b77-2516-4ad5-9710-4c8165df2882)]",
@@ -6454,7 +6454,7 @@
 }
 ],
 "uuid": "9a6d6b98-17f3-445d-94dc-fb6e942245c3",
- "value": "COBALT ILLUSION"
+ "value": "COBALT ILLUSION - Associated Group"
 },
 {
 "description": "[[IBM ITG18 2020](https://app.tidalcyber.com/references/523b7a1e-88ef-4440-a7b3-3fd0b8d5e199)]",
@@ -6468,7 +6468,7 @@
 }
 ],
 "uuid": "ae8cdb8b-d572-427b-93ad-195a3d41a08a",
- "value": "ITG18"
+ "value": "ITG18 - Associated Group"
 },
 {
 "description": "[[FireEye APT35 2018](https://app.tidalcyber.com/references/71d3db50-4a20-4d8e-a640-4670d642205c)][[Certfa Charming Kitten January 2021](https://app.tidalcyber.com/references/c38a8af6-3f9b-40c3-8122-a2a51eb50664)][[Check Point APT35 CharmPower January 2022](https://app.tidalcyber.com/references/81dce660-93ea-42a4-902f-0c6021d30f59)]",
@@ -6482,7 +6482,7 @@
 }
 ],
 "uuid": "b908442f-7e76-48d9-ba6f-448ce1e8b071",
- "value": "APT35"
+ "value": "APT35 - Associated Group"
 },
 {
 "description": "[Magic Hound](https://app.tidalcyber.com/groups/7a9d653c-8812-4b96-81d1-b0a27ca918b4) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[[FireEye APT35 2018](https://app.tidalcyber.com/references/71d3db50-4a20-4d8e-a640-4670d642205c)][[ClearSky Kittens Back 3 August 2020](https://app.tidalcyber.com/references/a10c6a53-79bb-4454-b444-cfb9136ecd36)][[Certfa Charming Kitten January 2021](https://app.tidalcyber.com/references/c38a8af6-3f9b-40c3-8122-a2a51eb50664)][[Secureworks COBALT ILLUSION Threat Profile](https://app.tidalcyber.com/references/8d9a5b77-2516-4ad5-9710-4c8165df2882)][[Proofpoint TA453 July2021](https://app.tidalcyber.com/references/a987872f-2176-437c-a38f-58676b7b12de)]",
@@ -6651,7 +6651,7 @@
 }
 ],
 "uuid": "54b7d2ff-e1e3-49f7-8cb5-a9089b9f9807",
- "value": "Stone Panda"
+ "value": "Stone Panda - Associated Group"
 },
 {
 "description": "[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)][[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)][[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]",
@@ -6665,7 +6665,7 @@
 }
 ],
 "uuid": "3eb5f80a-0069-4f3f-9c25-6139254b307c",
- "value": "CVNX"
+ "value": "CVNX - Associated Group"
 },
 {
 "description": "[[Symantec Cicada November 2020](https://app.tidalcyber.com/references/28a7bbd8-d664-4234-9311-2befe0238b5b)]",
@@ -6679,7 +6679,7 @@
 }
 ],
 "uuid": "f7cac76e-8c1f-43ca-8769-9fb573fe6328",
- "value": "Cicada"
+ "value": "Cicada - Associated Group"
 },
 {
 "description": "[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)][[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]",
@@ -6693,7 +6693,7 @@
 }
 ],
 "uuid": "30f0cb4f-7bb5-4794-8843-bd925bafeb59",
- "value": "POTASSIUM"
+ "value": "POTASSIUM - Associated Group"
 },
 {
 "description": "[[Palo Alto menuPass Feb 2017](https://app.tidalcyber.com/references/ba4f7d65-73ec-4726-b1f6-f2443ffda5e7)][[Accenture Hogfish April 2018](https://app.tidalcyber.com/references/c8e9fee1-9981-499f-a62f-ffe59f4bb1e7)][[FireEye APT10 Sept 2018](https://app.tidalcyber.com/references/5f122a27-2137-4016-a482-d04106187594)][[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)][[Symantec Cicada November 2020](https://app.tidalcyber.com/references/28a7bbd8-d664-4234-9311-2befe0238b5b)]",
@@ -6707,7 +6707,7 @@
 }
 ],
 "uuid": "f18b971c-5d70-4884-8069-983324946274",
- "value": "APT10"
+ "value": "APT10 - Associated Group"
 },
 {
 "description": "[[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)][[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)][[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]",
@@ -6721,7 +6721,7 @@
 }
 ],
 "uuid": "31fc92e8-3de5-47a2-a63e-37cb82fd8bdb",
- "value": "Red Apollo"
+ "value": "Red Apollo - Associated Group"
 },
 {
 "description": "[[Accenture Hogfish April 2018](https://app.tidalcyber.com/references/c8e9fee1-9981-499f-a62f-ffe59f4bb1e7)]",
@@ -6735,7 +6735,7 @@
 }
 ],
 "uuid": "cdd6a361-e7b5-48a0-a866-96ccc79f9dda",
- "value": "HOGFISH"
+ "value": "HOGFISH - Associated Group"
 },
 {
 "description": "[menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)][[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]\n\n[menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[[Palo Alto menuPass Feb 2017](https://app.tidalcyber.com/references/ba4f7d65-73ec-4726-b1f6-f2443ffda5e7)][[Crowdstrike CrowdCast Oct 2013](https://app.tidalcyber.com/references/2062a229-58b3-4610-99cb-8907e7fbb350)][[FireEye Poison Ivy](https://app.tidalcyber.com/references/c189447e-a903-4dc2-a38b-1f4accc64e20)][[PWC Cloud Hopper April 2017](https://app.tidalcyber.com/references/fe741064-8cd7-428b-bdb9-9f2ab7e92489)][[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)][[DOJ APT10 Dec 2018](https://app.tidalcyber.com/references/3ddc68b4-53f1-4fa5-b7f3-4e5d7d9661f2)][[District Court of NY APT10 Indictment December 2018](https://app.tidalcyber.com/references/79ccbc74-b9c4-4dc8-91ae-1d15c4db563b)]",
@@ -6911,7 +6911,7 @@
 }
 ],
 "uuid": "d33e9c35-2176-44c8-8d5e-77ed5de472b2",
- "value": "Operation Molerats"
+ "value": "Operation Molerats - Associated Group"
 },
 {
 "description": "[[DustySky](https://app.tidalcyber.com/references/b9e0770d-f54a-4ada-abd1-65c45eee00fa)][[Kaspersky MoleRATs April 2019](https://app.tidalcyber.com/references/38216a34-5ffd-4e79-80b1-7270743b728e)][[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]",
@@ -6925,7 +6925,7 @@
 }
 ],
 "uuid": "7399d632-1b1d-47da-8f8e-0f8decd62bf7",
- "value": "Gaza Cybergang"
+ "value": "Gaza Cybergang - Associated Group"
 },
 {
 "description": "[Molerats](https://app.tidalcyber.com/groups/679b7b6b-9659-4e56-9ffd-688a6fab01b6) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[[DustySky](https://app.tidalcyber.com/references/b9e0770d-f54a-4ada-abd1-65c45eee00fa)][[DustySky2](https://app.tidalcyber.com/references/4a3ecdec-254c-4eb4-9126-f540bb21dffe)][[Kaspersky MoleRATs April 2019](https://app.tidalcyber.com/references/38216a34-5ffd-4e79-80b1-7270743b728e)][[Cybereason Molerats Dec 2020](https://app.tidalcyber.com/references/81a10a4b-c66f-4526-882c-184436807e1d)]",
@@ -7033,7 +7033,7 @@
 }
 ],
 "uuid": "ac24e233-2250-477b-a4cb-6ae018d5836b",
- "value": "Static Kitten"
+ "value": "Static Kitten - Associated Group"
 },
 {
 "description": "[[FireEye MuddyWater Mar 2018](https://app.tidalcyber.com/references/82cddfa6-9463-49bb-8bdc-0c7d6b0e1472)][[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)][[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]",
@@ -7047,7 +7047,7 @@
 }
 ],
 "uuid": "b4215569-ec22-43ad-839a-67cd09030e2e",
- "value": "TEMP.Zagros"
+ "value": "TEMP.Zagros - Associated Group"
 },
 {
 "description": "[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)]",
@@ -7061,7 +7061,7 @@
 }
 ],
 "uuid": "d4cd493f-b88d-4687-b040-60be94e42a65",
- "value": "MERCURY"
+ "value": "MERCURY - Associated Group"
 },
 {
 "description": "[[Symantec MuddyWater Dec 2018](https://app.tidalcyber.com/references/a8e58ef1-91e1-4f93-b2ff-faa7a6365f5d)][[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)][[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]",
@@ -7075,7 +7075,7 @@
 }
 ],
 "uuid": "9c03d056-8c91-43c9-a9e9-ef7c82b12bca",
- "value": "Seedworm"
+ "value": "Seedworm - Associated Group"
 },
 {
 "description": "[[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]",
@@ -7089,7 +7089,7 @@
 }
 ],
 "uuid": "a862ce87-d79a-485a-8ba2-c7c843e60422",
- "value": "Earth Vetala"
+ "value": "Earth Vetala - Associated Group"
 },
 {
 "description": "[MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[[CYBERCOM Iranian Intel Cyber January 2022](https://app.tidalcyber.com/references/671e1559-c7dc-4cb4-a9a1-21776f2ae56a)] Since at least 2017, [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.[[Unit 42 MuddyWater Nov 2017](https://app.tidalcyber.com/references/dcdee265-2e46-4f40-95c7-6a2683edb23a)][[Symantec MuddyWater Dec 2018](https://app.tidalcyber.com/references/a8e58ef1-91e1-4f93-b2ff-faa7a6365f5d)][[ClearSky MuddyWater Nov 2018](https://app.tidalcyber.com/references/a5f60f45-5df5-407d-9f68-bc5f7c42ee85)][[ClearSky MuddyWater June 2019](https://app.tidalcyber.com/references/9789d60b-a417-42dc-b690-24ccb77b8658)][[Reaqta MuddyWater November 2017](https://app.tidalcyber.com/references/ecd28ccf-edb6-478d-a8f1-da630df42127)][[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)][[Talos MuddyWater Jan 2022](https://app.tidalcyber.com/references/a2d79c6a-16d6-4dbd-b8a5-845dcc36212d)]",
@@ -7180,7 +7180,7 @@
 }
 ],
 "uuid": "04d6b7f4-19e6-41a7-b76a-2e82a7d69e3e",
- "value": "TA416"
+ "value": "TA416 - Associated Group"
 },
 {
 "description": "[[Recorded Future REDDELTA July 2020](https://app.tidalcyber.com/references/e2bc037e-d483-4670-8281-70e51b16effe)][[Proofpoint TA416 Europe March 2022](https://app.tidalcyber.com/references/5731d7e4-dd19-4d08-b493-7b1a467599d3)]",
@@ -7194,7 +7194,7 @@
 }
 ],
 "uuid": "6e798bec-4713-4242-88ec-e4a77b29db22",
- "value": "RedDelta"
+ "value": "RedDelta - Associated Group"
 },
 {
 "description": "[[Secureworks BRONZE PRESIDENT December 2019](https://app.tidalcyber.com/references/019889e0-a2ce-476f-9a31-2fc394de2821)]",
@@ -7208,7 +7208,7 @@
 }
 ],
 "uuid": "ed80cd5e-afc8-4f59-b567-ec97fdc37a37",
- "value": "BRONZE PRESIDENT"
+ "value": "BRONZE PRESIDENT - Associated Group"
 },
 {
 "description": "[Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://app.tidalcyber.com/groups/4a4641b1-7686-49da-8d83-00d8013f4b47) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[[Crowdstrike MUSTANG PANDA June 2018](https://app.tidalcyber.com/references/35e72170-b1ec-49c9-aefe-a24fc4302fa6)][[Anomali MUSTANG PANDA October 2019](https://app.tidalcyber.com/references/70277fa4-60a8-475e-993a-c74241b76127)][[Secureworks BRONZE PRESIDENT December 2019](https://app.tidalcyber.com/references/019889e0-a2ce-476f-9a31-2fc394de2821)] ",
@@ -7345,7 +7345,7 @@
 }
 ],
 "uuid": "2e09d081-dcb5-4b3e-8dca-2b64dc37cc2b",
- "value": "DustSquad"
+ "value": "DustSquad - Associated Group"
 },
 {
 "description": "\n[Nomadic Octopus](https://app.tidalcyber.com/groups/5f8c6ee0-f302-403b-b712-f1e3df064c0c) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://app.tidalcyber.com/groups/5f8c6ee0-f302-403b-b712-f1e3df064c0c) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[[Security Affairs DustSquad Oct 2018](https://app.tidalcyber.com/references/0e6b019c-cf8e-40a7-9e7c-6a7dc5309dc6)][[Securelist Octopus Oct 2018](https://app.tidalcyber.com/references/77407057-53f1-4fde-bc74-00f73d417f7d)][[ESET Nomadic Octopus 2018](https://app.tidalcyber.com/references/50dcb3f0-1461-453a-aab9-38c2e259173f)]",
@@ -7380,7 +7380,7 @@
 }
 ],
 "uuid": "d840e923-ef0c-45d6-926f-e12016d1fe54",
- "value": "IRN2"
+ "value": "IRN2 - Associated Group"
 },
 {
 "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.[[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)][[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)][[Check Point APT34 April 2021](https://app.tidalcyber.com/references/593e8f9f-88ec-4bdc-90c3-1a320fa8a041)]",
@@ -7394,7 +7394,7 @@
 }
 ],
 "uuid": "17ac9e60-dfad-4ee5-a61c-7b7ee6686a73",
- "value": "APT34"
+ "value": "APT34 - Associated Group"
 },
 {
 "description": "[[Secureworks COBALT GYPSY Threat Profile](https://app.tidalcyber.com/references/f1c21834-7536-430b-8539-e68373718b4d)]",
@@ -7408,7 +7408,7 @@ } ], "uuid": "e8d4a791-a117-4e1e-8a7a-8a90422d4a90", - "value": "COBALT GYPSY" + "value": "COBALT GYPSY - Associated Group" }, { "description": "[[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)][[Crowdstrike Helix Kitten Nov 2018](https://app.tidalcyber.com/references/3fc0d7ad-6283-4cfd-b72f-5ce47594531e)]", @@ -7422,7 +7422,7 @@ } ], "uuid": "8779d808-ed34-44bc-a3e3-8b0954bc8022", - "value": "Helix Kitten" + "value": "Helix Kitten - Associated Group" }, { "description": "[[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)]", 
@@ -7436,7 +7436,7 @@ } ], "uuid": "9cbeb785-fe7e-5bf7-b860-bf1bf8bf7f09", - "value": "Evasive Serpens" + "value": "Evasive Serpens - Associated Group" }, { "description": "[OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[[Palo Alto OilRig April 2017](https://app.tidalcyber.com/references/fb561cdd-03f6-4867-b5b5-7e4deb11f0d0)][[ClearSky OilRig Jan 2017](https://app.tidalcyber.com/references/f19f9ad4-bb31-443b-9c26-87946469a0c3)][[Palo Alto OilRig May 2016](https://app.tidalcyber.com/references/53836b95-a30a-4e95-8e19-e2bb2f18c738)][[Palo Alto OilRig Oct 2016](https://app.tidalcyber.com/references/14bbb07b-caeb-4d17-8e54-047322a5930c)][[Unit42 OilRig Playbook 2023](https://app.tidalcyber.com/references/e38902bb-9bab-5beb-817b-668a67a76541)][[FireEye APT34 Dec 2017](https://app.tidalcyber.com/references/88f41728-08ad-4cd8-a418-895738d68b04)][[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]", 
@@ -7553,7 +7553,7 @@ } ], "uuid": "938d3a61-cb8b-4ec3-9bf0-f27833a0f96f", - "value": "Chinastrats" + "value": "Chinastrats - Associated Group" }, { "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. [[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)] [[PaloAlto Patchwork Mar 2018](https://app.tidalcyber.com/references/2609e461-1e23-4dc2-aa44-d09f4acb8c6e)]", @@ -7567,7 +7567,7 @@ } ], "uuid": "23ef9d36-8cb3-4992-abda-709777b97cc3", - "value": "MONSOON" + "value": "MONSOON - Associated Group" }, { "description": "It is believed that the actors behind [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) are the same actors behind Operation Hangover. [[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)] [[Operation Hangover May 2013](https://app.tidalcyber.com/references/fd581c0c-d93e-4396-a372-99cde3cd0c7c)]", @@ -7581,7 +7581,7 @@ } ], "uuid": "364de163-80dc-4f0f-8b42-837ae97a2088", - "value": "Operation Hangover" + "value": "Operation Hangover - Associated Group" }, { "description": "[Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.[[PaloAlto Patchwork Mar 2018](https://app.tidalcyber.com/references/2609e461-1e23-4dc2-aa44-d09f4acb8c6e)][[Unit 42 BackConfig May 2020](https://app.tidalcyber.com/references/f26629db-c641-4b6b-abbf-b55b9cc91cf1)][[Forcepoint Monsoon](https://app.tidalcyber.com/references/ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e)]", 
@@ -7595,7 +7595,7 @@ } ], "uuid": "2c043629-b8f6-475f-a436-abc01aad9421", - "value": "Hangover Group" + "value": "Hangover Group - Associated Group" }, { "description": "[[Symantec Patchwork](https://app.tidalcyber.com/references/a6172463-56e2-49f2-856d-f4f8320d7c6e)] [[Securelist Dropping Elephant](https://app.tidalcyber.com/references/2efa655f-ebd3-459b-9fd7-712d3f4ba1f8)] [[PaloAlto Patchwork Mar 2018](https://app.tidalcyber.com/references/2609e461-1e23-4dc2-aa44-d09f4acb8c6e)] [[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]", @@ -7609,7 +7609,7 @@ } ], "uuid": "8f4890c6-6db0-4536-8624-35cb02bb94a7", - "value": "Dropping Elephant" + "value": "Dropping Elephant - Associated Group" }, { "description": "[Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://app.tidalcyber.com/groups/32385eba-7bbf-439e-acf2-83040e97165a) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[[Cymmetria Patchwork](https://app.tidalcyber.com/references/d4e43b2c-a858-4285-984f-f59db5c657bd)] [[Symantec Patchwork](https://app.tidalcyber.com/references/a6172463-56e2-49f2-856d-f4f8320d7c6e)][[TrendMicro Patchwork Dec 2017](https://app.tidalcyber.com/references/15465b26-99e1-4956-8c81-cda3388169b8)][[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]", 
@@ -7819,7 +7819,7 @@ } ], "uuid": "aa5e87f3-6e59-4abf-aeba-a49eb9d495f3", - "value": "StrongPity" + "value": "StrongPity - Associated Group" }, { "description": "[PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://app.tidalcyber.com/groups/cc798766-8662-4b55-8536-6d057fbc58f0) has demonstrated similarity to another activity group called [NEODYMIUM](https://app.tidalcyber.com/groups/3a660ef3-9954-4252-8946-f903f3f42d0c) due to overlapping victim and campaign characteristics.[[Microsoft NEODYMIUM Dec 2016](https://app.tidalcyber.com/references/87c9f8e4-f8d1-4f19-86ca-6fd18a33890b)][[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)][[Talos Promethium June 2020](https://app.tidalcyber.com/references/188d990e-f0be-40f2-90f3-913dfe687d27)]", @@ -7858,7 +7858,7 @@ } ], "uuid": "bab4d1df-a6c6-40ae-b583-83c4492cbbd2", - "value": "APT2" + "value": "APT2 - Associated Group" }, { "description": "[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]", @@ -7872,7 +7872,7 @@ } ], "uuid": "9975905f-c429-4911-800d-d21e9a29b3f8", - "value": "MSUpdater" + "value": "MSUpdater - Associated Group" }, { "description": "[Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]", 
@@ -8078,7 +8078,7 @@ } ], "uuid": "4316121a-b50b-40bc-bb4b-2c6fc9ec127b", - "value": "Telebots" + "value": "Telebots - Associated Group" }, { "description": "[[Secureworks IRON VIKING ](https://app.tidalcyber.com/references/900753b3-c5a2-4fb5-ab7b-d38df867077b)][[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]", @@ -8092,7 +8092,7 @@ } ], "uuid": "eeb7e31b-93e9-4244-a31a-6ce9116a4b70", - "value": "IRON VIKING" + "value": "IRON VIKING - Associated Group" }, { "description": "[[CrowdStrike VOODOO BEAR](https://app.tidalcyber.com/references/ce07d409-292d-4e8e-b1af-bd5ba46c1b95)][[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]", @@ -8106,7 +8106,7 @@ } ], "uuid": "819b7ba2-f3be-4649-b499-525f8c0579eb", - "value": "Voodoo Bear" + "value": "Voodoo Bear - Associated Group" }, { "description": "[[Dragos ELECTRUM](https://app.tidalcyber.com/references/494f7056-7a39-4fa0-958d-fb1172d01852)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]", @@ -8120,7 +8120,7 @@ } ], "uuid": "483450ad-d811-4f3e-85db-f2761fa308a6", - "value": "ELECTRUM" + "value": "ELECTRUM - Associated Group" }, { "description": "[[NCSC Sandworm Feb 2020](https://app.tidalcyber.com/references/d876d037-9d24-44af-b8f0-5c1555632b91)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]", 
@@ -8134,7 +8134,7 @@ } ], "uuid": "42a50ea5-66f1-4802-b2a0-3fe6ea4f42d4", - "value": "BlackEnergy (Group)" + "value": "BlackEnergy (Group) - Associated Group" }, { "description": "[[iSIGHT Sandworm 2014](https://app.tidalcyber.com/references/63622990-5467-42b2-8f45-b675dfc4dc8f)] [[F-Secure BlackEnergy 2014](https://app.tidalcyber.com/references/5f228fb5-d959-4c4a-bb8c-f9dc01d5af07)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)]", @@ -8148,7 +8148,7 @@ } ], "uuid": "5f428057-fad5-4ba5-bd2e-ff0505184371", - "value": "Quedagh" + "value": "Quedagh - Associated Group" }, { "description": "[[Microsoft Prestige ransomware October 2022](https://app.tidalcyber.com/references/b57e1181-461b-5ada-a739-873ede1ec079)]", 
@@ -8162,7 +8162,7 @@ } ], "uuid": "84c4e254-d02f-5141-b0c6-d52618177024", - "value": "IRIDIUM" + "value": "IRIDIUM - Associated Group" }, { "description": "[Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)] This group has been active since at least 2009.[[iSIGHT Sandworm 2014](https://app.tidalcyber.com/references/63622990-5467-42b2-8f45-b675dfc4dc8f)][[CrowdStrike VOODOO BEAR](https://app.tidalcyber.com/references/ce07d409-292d-4e8e-b1af-bd5ba46c1b95)][[USDOJ Sandworm Feb 2020](https://app.tidalcyber.com/references/fefa7321-cd60-4c7e-a9d5-c723d88013f2)][[NCSC Sandworm Feb 2020](https://app.tidalcyber.com/references/d876d037-9d24-44af-b8f0-5c1555632b91)]\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://app.tidalcyber.com/software/073b5288-11d6-4db0-9f2c-a1816847d15c) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[[US District Court Indictment GRU Unit 74455 October 
2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)][[UK NCSC Olympic Attacks October 2020](https://app.tidalcyber.com/references/93053f1b-917c-4573-ba20-99fcaa16a2dd)] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5).[[US District Court Indictment GRU Oct 2018](https://app.tidalcyber.com/references/56aeab4e-b046-4426-81a8-c3b2323492f0)]", @@ -8267,7 +8267,7 @@ } ], "uuid": "a8be581c-10b8-5d79-b35b-ebc47e511597", - "value": "Roasted 0ktapus" + "value": "Roasted 0ktapus - Associated Group" }, { "description": "[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", @@ -8283,7 +8283,7 @@ } ], "uuid": "890f22c5-6e7f-461f-8099-bb7d7c062d27", - "value": "Starfraud" + "value": "Starfraud - Associated Group" }, { "description": "[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", @@ -8299,7 +8299,7 @@ } ], "uuid": "d850076d-6caa-46f2-958d-4e93f43b88f6", - "value": "UNC3944" + "value": "UNC3944 - Associated Group" }, { "description": "[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", @@ -8315,7 +8315,7 @@ } ], "uuid": "36002039-b1dc-46bd-affe-fd37edae375c", - "value": "Scatter Swine" + "value": "Scatter Swine - Associated Group" }, { "description": "[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]", 
@@ -8331,7 +8331,7 @@ } ], "uuid": "fd282f3e-0aba-4f40-873f-1b1e56f55591", - "value": "Muddled Libra" + "value": "Muddled Libra - Associated Group" }, { "description": "[Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns [Scattered Spider](https://app.tidalcyber.com/groups/3d77fb6c-cfb4-5563-b0be-7aa1ad535337) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.[[CrowdStrike Scattered Spider Profile](https://app.tidalcyber.com/references/a865a984-7f7b-5f82-ac4a-6fac79a2a753)][[CrowdStrike Scattered Spider BYOVD January 2023](https://app.tidalcyber.com/references/d7d86f5d-1f02-54b0-b6f4-879878563245)][[Crowdstrike TELCO BPO Campaign December 2022](https://app.tidalcyber.com/references/382785e1-4ef3-506e-b74f-cd07df9ae46e)]", @@ -8431,7 +8431,7 @@ } ], "uuid": "3e580fae-6d8a-4c1c-b132-ddf47d0ff6c9", - "value": "T-APT-04" + "value": "T-APT-04 - Associated Group" }, { "description": "[[Cyble Sidewinder September 2020](https://app.tidalcyber.com/references/25d8d6df-d3b9-4f57-bce0-d5285660e746)]", 
@@ -8445,7 +8445,7 @@ } ], "uuid": "023a26e3-77a9-44b3-932f-23c82100881c", - "value": "Rattlesnake" + "value": "Rattlesnake - Associated Group" }, { "description": "[Sidewinder](https://app.tidalcyber.com/groups/44f8bd4e-a357-4a76-b031-b7455a305ef0) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[[ATT Sidewinder January 2021](https://app.tidalcyber.com/references/d6644f88-d727-4f62-897a-bfa18f86380d)][[Securelist APT Trends April 2018](https://app.tidalcyber.com/references/587f5195-e696-4a3c-8c85-90b9c002cd11)][[Cyble Sidewinder September 2020](https://app.tidalcyber.com/references/25d8d6df-d3b9-4f57-bce0-d5285660e746)]", @@ -8498,7 +8498,7 @@ } ], "uuid": "4e28aead-8a85-4ae2-88d0-fa21fc7aa6a0", - "value": "Whisper Spider" + "value": "Whisper Spider - Associated Group" }, { "description": "[Silence](https://app.tidalcyber.com/groups/b534349f-55a4-41b8-9623-6707765c3c50) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[[Cyber Forensicator Silence Jan 2019](https://app.tidalcyber.com/references/c328d6d3-5e8b-45a6-8487-eecd7e8cbf7e)][[SecureList Silence Nov 2017](https://app.tidalcyber.com/references/004a8877-7e57-48ad-a6ce-b9ad8577cc68)] ", 
@@ -8545,7 +8545,7 @@ } ], "uuid": "c39d60d6-bb43-47e5-bc8d-e73fa1ef8c1d", - "value": "TA407" + "value": "TA407 - Associated Group" }, { "description": "[[Secureworks COBALT DICKENS August 2018](https://app.tidalcyber.com/references/addbb46b-b2b5-4844-b4be-f6294cf51caa)][[Secureworks COBALT DICKENS September 2019](https://app.tidalcyber.com/references/45815e4d-d678-4823-8315-583893e263e6)][[Proofpoint TA407 September 2019](https://app.tidalcyber.com/references/e787e9af-f496-442a-8b36-16056ff8bfc1)][[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]", @@ -8559,7 +8559,7 @@ } ], "uuid": "1a968e44-b931-4373-96f8-ecb976540fd3", - "value": "COBALT DICKENS" + "value": "COBALT DICKENS - Associated Group" }, { "description": "[Silent Librarian](https://app.tidalcyber.com/groups/0e7bd4da-7974-49c9-b213-116bd7157761) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent Librarian](https://app.tidalcyber.com/groups/0e7bd4da-7974-49c9-b213-116bd7157761) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[[DOJ Iran Indictments March 2018](https://app.tidalcyber.com/references/7dfdccd5-d035-4678-89c1-f5f1630d7a79)][[Phish Labs Silent Librarian](https://app.tidalcyber.com/references/d79d0510-4d49-464d-8074-daedd186f1c1)][[Malwarebytes Silent Librarian October 2020](https://app.tidalcyber.com/references/9bb8ddd0-a8ec-459b-9983-79ccf46297ca)]", 
@@ -8716,7 +8716,7 @@ } ], "uuid": "bb2eac9b-3dfc-487a-8dff-b8de5f6e3041", - "value": "ProjectSauron" + "value": "ProjectSauron - Associated Group" }, { "description": "[Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)][[Kaspersky ProjectSauron Blog](https://app.tidalcyber.com/references/baeaa632-3fa5-4d2b-9537-ccc7674fd7d6)]", @@ -8832,7 +8832,7 @@ } ], "uuid": "4f21a323-28d3-498d-8cfe-a1835eebd561", - "value": "Hive0065" + "value": "Hive0065 - Associated Group" }, { "description": "[TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) is a cyber criminal group that has been active since at least 2014. [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://app.tidalcyber.com/software/5321aa75-924c-47ae-b97a-b36f023abf2a).[[Proofpoint TA505 Sep 2017](https://app.tidalcyber.com/references/c1fff36f-802b-4436-abce-7f2787c148db)][[Proofpoint TA505 June 2018](https://app.tidalcyber.com/references/e48dec7b-5635-4ae0-b0db-229660806c06)][[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)][[NCC Group TA505](https://app.tidalcyber.com/references/45e0b869-5447-491b-9e8b-fbf63c62f5d6)][[Korean FSI TA505 2020](https://app.tidalcyber.com/references/d4e2c109-341c-45b3-9d41-3eb980724524)]", @@ -8880,7 +8880,7 @@ } ], "uuid": "2d829442-7a16-46ab-9d4d-b92cd1f0be7e", - "value": "Shathak" + "value": "Shathak - Associated Group" }, { "description": "[[Secureworks GOLD CABIN](https://app.tidalcyber.com/references/778babec-e7d3-4341-9e33-aab361f2b98a)]", 
@@ -8894,7 +8894,7 @@ } ], "uuid": "f9c58990-a69d-4edc-ad9d-ec74412da18a", - "value": "GOLD CABIN" + "value": "GOLD CABIN - Associated Group" }, { "description": "[TA551](https://app.tidalcyber.com/groups/8951bff3-c444-4374-8a9e-b2115d9125b2) is a financially-motivated threat group that has been active since at least 2018. [[Secureworks GOLD CABIN](https://app.tidalcyber.com/references/778babec-e7d3-4341-9e33-aab361f2b98a)] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [[Unit 42 TA551 Jan 2021](https://app.tidalcyber.com/references/8e34bf1e-86ce-4d52-a6fa-037572766e99)]", @@ -8967,7 +8967,7 @@ } ], "uuid": "cbba6443-46cd-4602-87ff-1142995202ab", - "value": "XENOTIME" + "value": "XENOTIME - Associated Group" }, { "description": "[TEMP.Veles](https://app.tidalcyber.com/groups/3a54b8dc-a231-4db8-96da-1c0c1aa396f6) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://app.tidalcyber.com/software/), a malware framework designed to manipulate industrial safety systems.[[FireEye TRITON 2019](https://app.tidalcyber.com/references/49c97b85-ca22-400a-9dc4-6290cc117f04)][[FireEye TEMP.Veles 2018](https://app.tidalcyber.com/references/e41151fa-ea11-43ca-9689-c65aae63a8d2)][[FireEye TEMP.Veles JSON April 2019](https://app.tidalcyber.com/references/491783dc-7a6b-42a6-b923-c4439117e7e4)]", @@ -9025,7 +9025,7 @@ } ], "uuid": "a3bf437b-2805-424a-8122-b1f07f68c3c2", - "value": "TG-1314" + "value": "TG-1314 - Associated Group" }, { "description": "[Threat Group-1314](https://app.tidalcyber.com/groups/0f86e871-0c6c-4227-ae28-3f3696d6ae9d) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [[Dell TG-1314](https://app.tidalcyber.com/references/79fc7568-b6ff-460b-9200-56d7909ed157)]", 
@@ -9054,7 +9054,7 @@ } ], "uuid": "acc5d023-b5f9-40c0-9061-8424c14334a4", - "value": "Earth Smilodon" + "value": "Earth Smilodon - Associated Group" }, { "description": "[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)][[Nccgroup Emissary Panda May 2018](https://app.tidalcyber.com/references/e279c308-fabc-47d3-bdeb-296266c80988)][[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)]", @@ -9068,7 +9068,7 @@ } ], "uuid": "851cfd6f-8ca5-4048-b5a0-c23729456f12", - "value": "TG-3390" + "value": "TG-3390 - Associated Group" }, { "description": "[[SecureWorks BRONZE UNION June 2017](https://app.tidalcyber.com/references/42adda47-f5d6-4d34-9b3d-3748a782f886)][[Nccgroup Emissary Panda May 2018](https://app.tidalcyber.com/references/e279c308-fabc-47d3-bdeb-296266c80988)]", @@ -9082,7 +9082,7 @@ } ], "uuid": "621b8362-b819-40af-8534-80efd9af3fd1", - "value": "BRONZE UNION" + "value": "BRONZE UNION - Associated Group" }, { "description": "[[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)][[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", @@ -9096,7 +9096,7 @@ } ], "uuid": "0aec785f-db69-49f4-ad4f-68fe226a5399", - "value": "Iron Tiger" + "value": "Iron Tiger - Associated Group" }, { "description": "[[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)][[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)][[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", 
@@ -9110,7 +9110,7 @@ } ], "uuid": "869b23ab-c9a6-4fa3-abc8-2982707e68d7", - "value": "LuckyMouse" + "value": "LuckyMouse - Associated Group" }, { "description": "[[Gallagher 2015](https://app.tidalcyber.com/references/b1540c5c-0bbc-4b9d-9185-fae224ba31be)][[Nccgroup Emissary Panda May 2018](https://app.tidalcyber.com/references/e279c308-fabc-47d3-bdeb-296266c80988)][[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)][[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)][[Unit42 Emissary Panda May 2019](https://app.tidalcyber.com/references/3a3ec86c-88da-40ab-8e5f-a7d5102c026b)][[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", @@ -9124,7 +9124,7 @@ } ], "uuid": "6892414f-3428-4ff4-bb27-cefb2c7177e4", - "value": "Emissary Panda" + "value": "Emissary Panda - Associated Group" }, { "description": "[[Nccgroup Emissary Panda May 2018](https://app.tidalcyber.com/references/e279c308-fabc-47d3-bdeb-296266c80988)][[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)][[Hacker News LuckyMouse June 2018](https://app.tidalcyber.com/references/de78446a-cb46-4422-820b-9ddf07557b1a)][[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", 
@@ -9138,7 +9138,7 @@ } ], "uuid": "bc77908c-dcb0-4d07-933d-a1dded911306", - "value": "APT27" + "value": "APT27 - Associated Group" }, { "description": "[Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) is a Chinese threat group that has extensively used strategic Web compromises to target victims.[[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[[SecureWorks BRONZE UNION June 2017](https://app.tidalcyber.com/references/42adda47-f5d6-4d34-9b3d-3748a782f886)][[Securelist LuckyMouse June 2018](https://app.tidalcyber.com/references/f974708b-598c-46a9-aac9-c5fbdd116c2a)][[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]", @@ -9261,7 +9261,7 @@ } ], "uuid": "aee5a88d-6695-4221-a4fb-1f7aa1bfdcd4", - "value": "BRONZE HUNTLEY" + "value": "BRONZE HUNTLEY - Associated Group" }, { "description": "[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)][[CrowdStrike Manufacturing Threat July 2020](https://app.tidalcyber.com/references/5ed6a702-dcc5-4021-95cc-5b720dbd8774)]", @@ -9275,7 +9275,7 @@ } ], "uuid": "7e6588d8-8d1e-4ed0-a233-38f3b37c2aad", - "value": "Karma Panda" + "value": "Karma Panda - Associated Group" }, { "description": "[[TrendMicro Tonto Team October 2020](https://app.tidalcyber.com/references/140e6b01-6b98-4f82-9455-0c84b3856b86)]", @@ -9289,7 +9289,7 @@ } ], "uuid": "9f9382c1-edc9-434c-945a-71bfdf28ca6f", - "value": "Earth Akhlut" + "value": "Earth Akhlut - Associated Group" }, { "description": "[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)]", 
@@ -9303,7 +9303,7 @@ } ], "uuid": "70c9c7d6-d51a-4c73-823f-fffd0d75f63e", - "value": "CactusPete" + "value": "CactusPete - Associated Group" }, { "description": "[Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://app.tidalcyber.com/groups/9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[[Kaspersky CactusPete Aug 2020](https://app.tidalcyber.com/references/1c393964-e717-45ad-8eb6-5df5555d3c70)][[ESET Exchange Mar 2021](https://app.tidalcyber.com/references/c83f1810-22bb-4def-ab2f-3f3d67703f47)][[FireEye Chinese Espionage October 2019](https://app.tidalcyber.com/references/d37c069c-7fb8-44e1-8377-da97e8bbcf67)][[ARS Technica China Hack SK April 2017](https://app.tidalcyber.com/references/c9c647b6-f4fb-44d6-9376-23c1ae9520b4)][[Trend Micro HeartBeat Campaign January 2013](https://app.tidalcyber.com/references/f42a36c2-1ca5-49ff-a7ec-7de90379a6d5)][[Talos Bisonal 10 Years March 2020](https://app.tidalcyber.com/references/6844e59b-d393-43df-9978-e3e3cc7b8db6)]", @@ -9368,7 +9368,7 @@ } ], "uuid": "150aeea7-b49e-49cf-a884-f9e0f69a6742", - "value": "Mythic Leopard" + "value": "Mythic Leopard - Associated Group" }, { "description": "[[Secureworks COPPER FIELDSTONE Profile](https://app.tidalcyber.com/references/d7f5f154-3638-47c1-8e1e-a30a6504a735)]", 
@@ -9382,7 +9382,7 @@ } ], "uuid": "4db20d24-3005-4fbb-af6e-94bb3841c25b", - "value": "COPPER FIELDSTONE" + "value": "COPPER FIELDSTONE - Associated Group" }, { "description": "[[Talos Transparent Tribe May 2021](https://app.tidalcyber.com/references/5d58c285-bc7d-4a8a-a96a-ac7118c1089d)]", @@ -9396,7 +9396,7 @@ } ], "uuid": "da9e7789-2d64-4684-87b9-8185f11b7410", - "value": "APT36" + "value": "APT36 - Associated Group" }, { "description": "[[Unit 42 ProjectM March 2016](https://app.tidalcyber.com/references/adee82e6-a74a-4a91-ab5a-97847b135ca3)][[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]", @@ -9410,7 +9410,7 @@ } ], "uuid": "6d979811-8a41-4407-be4b-b657a3bd3d20", - "value": "ProjectM" + "value": "ProjectM - Associated Group" }, { "description": "[Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)][[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)][[Talos Transparent Tribe May 2021](https://app.tidalcyber.com/references/5d58c285-bc7d-4a8a-a96a-ac7118c1089d)]", @@ -9489,7 +9489,7 @@ } ], "uuid": "72ad17b4-d973-48c4-aae9-5a95aaf2ee88", - "value": "KeyBoy" + "value": "KeyBoy - Associated Group" }, { "description": "[[Crowdstrike Pirate Panda April 2020](https://app.tidalcyber.com/references/f71410b4-5f79-439a-ae9e-8965f9bc577f)]", 
@@ -9503,7 +9503,7 @@ } ], "uuid": "7157a2fe-6e59-40ae-a7de-4961444f9c56", - "value": "Pirate Panda" + "value": "Pirate Panda - Associated Group" }, { "description": "[Tropic Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://app.tidalcyber.com/groups/0a245c5e-c1a8-480f-8655-bb2594e3266b) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[[TrendMicro Tropic Trooper Mar 2018](https://app.tidalcyber.com/references/5d69d122-13bc-45c4-95ab-68283a21b699)][[Unit 42 Tropic Trooper Nov 2016](https://app.tidalcyber.com/references/cad84e3d-9506-44f8-bdd9-d090e6ce9b06)][[TrendMicro Tropic Trooper May 2020](https://app.tidalcyber.com/references/4fbc1df0-f174-4461-817d-0baf6e947ba1)]", @@ -9555,7 +9555,7 @@ } ], "uuid": "58827a83-6a90-4cee-8b9a-7c033bf90dee", - "value": "Waterbug" + "value": "Waterbug - Associated Group" }, { "description": "WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.[[Securelist WhiteBear Aug 2017](https://app.tidalcyber.com/references/44626060-3d9b-480e-b4ea-7dac27878e5e)][[Talos TinyTurla September 2021](https://app.tidalcyber.com/references/94cdbd73-a31a-4ec3-aa36-de3ea077c1c7)]", @@ -9569,7 +9569,7 @@ } ], "uuid": "9cea8cef-dd46-4997-baba-d2dea899e193", - "value": "WhiteBear" + "value": "WhiteBear - Associated Group" }, { "description": "[[Secureworks IRON HUNTER Profile](https://app.tidalcyber.com/references/af5cb7da-61e0-49dc-8132-c019ce5ea6d3)]", 
@@ -9583,7 +9583,7 @@ } ], "uuid": "1bf28831-a2fd-4dc5-885c-9cdf84d43535", - "value": "IRON HUNTER" + "value": "IRON HUNTER - Associated Group" }, { "description": "[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]", @@ -9597,7 +9597,7 @@ } ], "uuid": "3cf95a2f-a7b8-4061-b477-16729657f8f3", - "value": "Group 88" + "value": "Group 88 - Associated Group" }, { "description": "[[Accenture HyperStack October 2020](https://app.tidalcyber.com/references/680f2a0b-f69d-48bd-93ed-20ee2f79e3f7)]", @@ -9611,7 +9611,7 @@ } ], "uuid": "4087cefb-c0d4-401b-aa6c-dca93aed1c3c", - "value": "Belugasturgeon" + "value": "Belugasturgeon - Associated Group" }, { "description": "[[CrowdStrike VENOMOUS BEAR](https://app.tidalcyber.com/references/ee400057-2b26-4464-96b4-484c9eb9d5c2)][[ESET Turla PowerShell May 2019](https://app.tidalcyber.com/references/68c0f34b-691a-4847-8d49-f18b7f4e5188)][[Talos TinyTurla September 2021](https://app.tidalcyber.com/references/94cdbd73-a31a-4ec3-aa36-de3ea077c1c7)]", @@ -9625,7 +9625,7 @@ } ], "uuid": "e934559a-b3c1-4e72-a5c9-e1abd7b2ae78", - "value": "Snake" + "value": "Snake - Associated Group" }, { "description": "[[CrowdStrike VENOMOUS BEAR](https://app.tidalcyber.com/references/ee400057-2b26-4464-96b4-484c9eb9d5c2)]", @@ -9639,7 +9639,7 @@ } ], "uuid": "7a2f17eb-6674-461d-89c4-6f40e1b6cdf5", - "value": "Krypton" + "value": "Krypton - Associated Group" }, { "description": "[[CrowdStrike VENOMOUS BEAR](https://app.tidalcyber.com/references/ee400057-2b26-4464-96b4-484c9eb9d5c2)][[Talos TinyTurla September 2021](https://app.tidalcyber.com/references/94cdbd73-a31a-4ec3-aa36-de3ea077c1c7)]", 
@@ -9653,7 +9653,7 @@ } ], "uuid": "3637113f-d45f-4c97-aec0-16eaa7e3fc62", - "value": "Venomous Bear" + "value": "Venomous Bear - Associated Group" }, { "description": "[Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c).[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)][[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)][[CrowdStrike VENOMOUS BEAR](https://app.tidalcyber.com/references/ee400057-2b26-4464-96b4-484c9eb9d5c2)][[ESET Turla Mosquito Jan 2018](https://app.tidalcyber.com/references/cd177c2e-ef22-47be-9926-61e25fd5f33b)][[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://app.tidalcyber.com/references/1931b80a-effb-59ec-acae-c0f17efb8cad)]", 
@@ -9873,7 +9873,7 @@ } ], "uuid": "3dc34f21-1b3f-4952-97e9-c9df61379962", - "value": "Lebanese Cedar" + "value": "Lebanese Cedar - Associated Group" }, { "description": "[Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937) has been operating since 2012 and is motivated by political and ideological interests.[[CheckPoint Volatile Cedar March 2015](https://app.tidalcyber.com/references/a26344a2-63ca-422e-8cf9-0cf22a5bee72)][[ClearSky Lebanese Cedar Jan 2021](https://app.tidalcyber.com/references/53944d48-caa9-4912-b42d-94a3789ed15b)]", @@ -9961,7 +9961,7 @@ } ], "uuid": "a7d8b128-d997-5d59-9aa2-9db35ff658c7", - "value": "BRONZE SILHOUETTE" + "value": "BRONZE SILHOUETTE - Associated Group" }, { "description": "[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]", @@ -9977,7 +9977,7 @@ } ], "uuid": "33ec6e60-3e48-4ad8-9960-d59af6260c52", - "value": "Vanguard Panda" + "value": "Vanguard Panda - Associated Group" }, { "description": "[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]", @@ -9993,7 +9993,7 @@ } ], "uuid": "dba5e3cd-8c54-4129-a4f3-adcb1ded182a", - "value": "Dev-0391" + "value": "Dev-0391 - Associated Group" }, { "description": "[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]", @@ -10009,7 +10009,7 @@ } ], "uuid": "b38b4cff-e574-4d39-b2c5-365bcb14b7b6", - "value": "UNC3236" + "value": "UNC3236 - Associated Group" }, { "description": "[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]", 
@@ -10025,7 +10025,7 @@ } ], "uuid": "950dd0a9-0045-4956-bf7b-3b3be491b086", - "value": "Voltzite" + "value": "Voltzite - Associated Group" }, { "description": "[[U.S. CISA Volt Typhoon February 7 2024](/references/c74f5ecf-8810-4670-b778-24171c078724)]", @@ -10041,7 +10041,7 @@ } ], "uuid": "c93b36a8-c2b7-4f54-830e-86040830a9f5", - "value": "Insidious Taurus" + "value": "Insidious Taurus - Associated Group" }, { "description": "[Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://app.tidalcyber.com/groups/4ea1245f-3f35-5168-bd10-1fc49142fd4e) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[[Microsoft Volt Typhoon May 2023](https://app.tidalcyber.com/references/8b74f0b7-9719-598c-b3ee-61d734393e6f)][[Joint Cybersecurity Advisory Volt Typhoon June 2023](https://app.tidalcyber.com/references/14872f08-e219-5c0d-a2d7-43a3ba348b4b)][[Secureworks BRONZE SILHOUETTE May 2023](https://app.tidalcyber.com/references/77624549-e170-5894-9219-a15b4aa31726)]", 
@@ -10149,7 +10149,7 @@ } ], "uuid": "9e192d35-5371-4e21-bc63-62e10a8a5a44", - "value": "Bahamut" + "value": "Bahamut - Associated Group" }, { "description": "[Windshift](https://app.tidalcyber.com/groups/4e880d01-313a-4926-8470-78c48824aa82) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[[SANS Windshift August 2018](https://app.tidalcyber.com/references/97eac0f2-d528-4f7c-8425-7531eae4fc39)][[objective-see windtail1 dec 2018](https://app.tidalcyber.com/references/7a32c962-8050-45de-8b90-8644be5109d9)][[objective-see windtail2 jan 2019](https://app.tidalcyber.com/references/e6bdc679-ee0c-4f34-b5bc-0d6a26485b36)]", 
@@ -10185,7 +10185,7 @@ } ], "uuid": "453f7dbf-bde7-4cf3-af5d-a6ac10335980", - "value": "Blackfly" + "value": "Blackfly - Associated Group" }, { "description": "[Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[[Kaspersky Winnti April 2013](https://app.tidalcyber.com/references/2d4834b9-61c4-478e-919a-317d97cd2c36)][[Kaspersky Winnti June 2015](https://app.tidalcyber.com/references/86504950-0f4f-42bc-b003-24f60ae97c99)][[Novetta Winnti April 2015](https://app.tidalcyber.com/references/cbe8373b-f14b-4890-99fd-35ffd7090dea)] Some reporting suggests a number of other groups, including [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca), [APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094), and [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8), are closely linked to [Winnti Group](https://app.tidalcyber.com/groups/6932662a-53a7-4e43-877f-6e940e2d744b).[[401 TRG Winnti Umbrella May 2018](https://app.tidalcyber.com/references/e3f1f2e4-dc1c-4d9c-925d-47013f44a69f)]", @@ -10256,7 +10256,7 @@ } ], "uuid": "1a9f2244-d35f-45d1-8f53-d1421498006d", - "value": "TEMP.MixMaster" + "value": "TEMP.MixMaster - Associated Group" }, { "description": "[[CrowdStrike Ryuk January 2019](https://app.tidalcyber.com/references/df471757-2ce0-48a7-922f-a84c57704914)][[CrowdStrike Grim Spider May 2019](https://app.tidalcyber.com/references/103f2b78-81ed-4096-a67a-dedaffd67e9b)]", @@ -10270,7 +10270,7 @@ } ], "uuid": "2924354f-bbaa-4c1b-8af0-a78976b1eff2", - "value": "Grim Spider" + "value": "Grim Spider - Associated Group" }, { "description": "[[FireEye KEGTAP SINGLEMALT October 2020](https://app.tidalcyber.com/references/59162ffd-cb95-4757-bb1e-0c2a4ad5c083)]", 
@@ -10284,7 +10284,7 @@ } ], "uuid": "e0313186-a5f5-4bb0-94a0-b2b5d496bbc6", - "value": "UNC1878" + "value": "UNC1878 - Associated Group" }, { "description": "[[Mandiant FIN12 Oct 2021](https://app.tidalcyber.com/references/4514d7cc-b999-5711-a398-d90e5d3570f2)]", @@ -10298,7 +10298,7 @@ } ], "uuid": "91e61805-508f-536c-8e8e-89a5a24ae511", - "value": "FIN12" + "value": "FIN12 - Associated Group" }, { "description": "[[Secureworks Gold Blackburn Mar 2022](https://app.tidalcyber.com/references/b6b27fa9-488c-5b6d-8e12-fe8371846cd3)]", @@ -10312,7 +10312,7 @@ } ], "uuid": "c521ebb3-4303-5fef-a1fb-bd0e9f6a79a7", - "value": "GOLD BLACKBURN" + "value": "GOLD BLACKBURN - Associated Group" }, { "description": "[[IBM X-Force ITG23 Oct 2021](https://app.tidalcyber.com/references/d796e773-7335-549f-a79b-a2961f85a8ec)]", @@ -10326,7 +10326,7 @@ } ], "uuid": "e03d13ed-35ac-59e3-afa0-b06cdf5eb534", - "value": "ITG23" + "value": "ITG23 - Associated Group" }, { "description": "[[Secureworks Gold Blackburn Mar 2022](https://app.tidalcyber.com/references/b6b27fa9-488c-5b6d-8e12-fe8371846cd3)]", 
@@ -10340,7 +10340,7 @@ } ], "uuid": "c049da64-915b-58ee-abf1-9d485159d2e0", - "value": "Periwinkle Tempest" + "value": "Periwinkle Tempest - Associated Group" }, { "description": "[Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) since at least 2016. [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[[CrowdStrike Ryuk January 2019](https://app.tidalcyber.com/references/df471757-2ce0-48a7-922f-a84c57704914)][[DHS/CISA Ransomware Targeting Healthcare October 2020](https://app.tidalcyber.com/references/984e86e6-32e4-493c-8172-3d29de4720cc)][[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]", @@ -10445,7 +10445,7 @@ } ], "uuid": "f17739da-dd35-4e1e-ab48-e27d9cd08caf", - "value": "APT31" + "value": "APT31 - Associated Group" }, { "description": "[ZIRCONIUM](https://app.tidalcyber.com/groups/5e34409e-2f55-4384-b519-80747d02394c) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[[Microsoft Targeting Elections September 2020](https://app.tidalcyber.com/references/1d7070fd-01be-4776-bb21-13368a6173b1)][[Check Point APT31 February 2021](https://app.tidalcyber.com/references/84ac99ef-106f-44e9-97f0-3eda90570932)]", diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json index e096371..e68ae49 100644 --- a/clusters/tidal-software.json +++ b/clusters/tidal-software.json 
@@ -79,7 +79,7 @@ } ], "uuid": "b7942342-d390-408d-8d11-edff76322ff3", - "value": "7-zip" + "value": "7-zip - Associated Software" }, { "description": "7-Zip is a tool used to compress files into an archive.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", 
@@ -195,7 +195,7 @@ } ], "uuid": "9a77d9ce-dd34-4ff9-8b26-c74ef5055a2f", - "value": "AccCheckConsole.exe" + "value": "AccCheckConsole.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Verifies UI accessibility requirements\n\n**Author:** bohops\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\x86\\AccChecker\\AccCheckConsole.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\x64\\AccChecker\\AccCheckConsole.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\arm\\AccChecker\\AccCheckConsole.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22000.0\\arm64\\AccChecker\\AccCheckConsole.exe\n\n**Resources:**\n* [https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340](https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340)\n* [https://twitter.com/bohops/status/1477717351017680899](https://twitter.com/bohops/status/1477717351017680899)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_acccheckconsole.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml)\n* IOC: Sysmon Event ID 1 - Process Creation\n* Analysis: [https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340](https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340)[[AccCheckConsole.exe - LOLBAS Project](/references/de5523bd-e735-4751-84e9-a1be1d2980ec)]", 
@@ -312,7 +312,7 @@ } ], "uuid": "200ecd1e-c1a6-41a3-bb9a-ee687334c2c1", - "value": "AddinUtil.exe" + "value": "AddinUtil.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** .NET Tool used for updating cache files for Microsoft Office Add-Ins.\n\n**Author:** Michael McKinley @MckinleyMike\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddinUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddinUtil.exe\n\n**Resources:**\n* [https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html](https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_addinutil_suspicious_cmdline.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml)\n* Sigma: [proc_creation_win_addinutil_uncommon_child_process.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml)\n* Sigma: [proc_creation_win_addinutil_uncommon_cmdline.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml)\n* Sigma: [proc_creation_win_addinutil_uncommon_dir_exec.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml)[[AddinUtil.exe - LOLBAS Project](/references/91af546d-0a56-4c17-b292-6257943a8aba)]", 
@@ -422,7 +422,7 @@ } ], "uuid": "1db1d4d7-d442-457d-afb9-5c3dcb21645a", - "value": "adplus.exe" + "value": "adplus.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging tool included with Windows Debugging Tools\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\adplus.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\adplus.exe\n\n**Resources:**\n* [https://mrd0x.com/adplus-debugging-tool-lsass-dump/](https://mrd0x.com/adplus-debugging-tool-lsass-dump/)\n* [https://twitter.com/nas_bench/status/1534916659676422152](https://twitter.com/nas_bench/status/1534916659676422152)\n* [https://twitter.com/nas_bench/status/1534915321856917506](https://twitter.com/nas_bench/status/1534915321856917506)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_adplus.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[adplus.exe - LOLBAS Project](/references/d407ca0a-7ace-4dc5-947d-69a1e5a1d459)]", 
@@ -580,7 +580,7 @@ } ], "uuid": "0c7f7926-3935-46ea-b430-3841acab3120", - "value": "Advpack.dll" + "value": "Advpack.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Utility for installing software and drivers with rundll32.exe\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\advpack.dll\n* c:\\windows\\syswow64\\advpack.dll\n\n**Resources:**\n* [https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/](https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/)\n* [https://twitter.com/ItsReallyNick/status/967859147977850880](https://twitter.com/ItsReallyNick/status/967859147977850880)\n* [https://twitter.com/bohops/status/974497123101179904](https://twitter.com/bohops/status/974497123101179904)\n* [https://twitter.com/moriarty_meng/status/977848311603380224](https://twitter.com/moriarty_meng/status/977848311603380224)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___advpack.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml)[[Advpack.dll - LOLBAS Project](/references/837ccb3c-316d-4d96-8a33-b5df40870aba)]", @@ -621,7 +621,7 @@ } ], "uuid": "60d36859-4803-4a84-8ce6-b7aead8b0dd8", - "value": "AZZY" + "value": "AZZY - Associated Software" }, { "description": "", 
@@ -635,7 +635,7 @@ } ], "uuid": "87b3c2d9-49fa-4f4d-bcc0-91c610aafd3e", - "value": "EVILTOSS" + "value": "EVILTOSS - Associated Software" }, { "description": "", @@ -649,7 +649,7 @@ } ], "uuid": "aee4bdbe-dcdb-456e-b198-a9ec4dd0dea9", - "value": "NETUI" + "value": "NETUI - Associated Software" }, { "description": "", @@ -663,7 +663,7 @@ } ], "uuid": "66cd7902-e578-4054-8dc4-a5e027e914b4", - "value": "Sedreco" + "value": "Sedreco - Associated Software" }, { "description": "[ADVSTORESHELL](https://app.tidalcyber.com/software/ef7f4f5f-6f30-4059-87d1-cd8375bf1bee) is a spying backdoor that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)] [[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]", 
@@ -750,7 +750,7 @@ } ], "uuid": "15123fcb-0ba8-492a-bada-552d828af096", - "value": "AgentExecutor.exe" + "value": "AgentExecutor.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Intune Management Extension included on Intune Managed Devices\n\n**Author:** Eleftherios Panos\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Intune Management Extension\n\n**Resources:**\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_agentexecutor.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml)\n* Sigma: [proc_creation_win_lolbin_agentexecutor_susp_usage.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml)[[AgentExecutor.exe - LOLBAS Project](/references/633d7f25-df9d-4619-9aa9-92d1d9d225d7)]", @@ -851,7 +851,7 @@ } ], "uuid": "4c66b92a-bfac-4f12-a319-3a16b59f9408", - "value": "Anchor_DNS" + "value": "Anchor_DNS - Associated Software" }, { "description": "[Anchor](https://app.tidalcyber.com/software/9521c535-1043-4b82-ba5d-e5eaeca500ee) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) on selected high profile targets since at least 2018.[[Cyberreason Anchor December 2019](https://app.tidalcyber.com/references/a8dc5598-9963-4a1d-a473-bee8d2c72c57)][[Medium Anchor DNS July 2020](https://app.tidalcyber.com/references/de246d53-385f-44be-bf0f-25a76442b835)]", 
@@ -979,7 +979,7 @@ } ], "uuid": "705af422-c1e8-48e4-97e1-8693ac97e3da", - "value": "AppInstaller.exe" + "value": "AppInstaller.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool used for installation of AppX/MSIX applications on Windows 10\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\\AppInstaller.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1333900137232523264](https://twitter.com/notwhickey/status/1333900137232523264)\n\n**Detection:**\n* Sigma: [dns_query_win_lolbin_appinstaller.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml)[[AppInstaller.exe - LOLBAS Project](/references/9a777e7c-e76c-465c-8b45-67503e715f7e)]", 
@@ -1082,7 +1082,7 @@ } ], "uuid": "b2e6135b-4a85-48a4-b654-8348a9e6a9b7", - "value": "Appvlp.exe" + "value": "Appvlp.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Application Virtualization Utility Included with Microsoft Office 2016\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Microsoft Office\\root\\client\\appvlp.exe\n* C:\\Program Files (x86)\\Microsoft Office\\root\\client\\appvlp.exe\n\n**Resources:**\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n* [https://twitter.com/moo_hax/status/892388990686347264](https://twitter.com/moo_hax/status/892388990686347264)\n* [https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/](https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/)\n* [https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/](https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_appvlp.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml)[[Appvlp.exe - LOLBAS Project](/references/b0afe3e8-9f1d-4295-8811-8dfbe993c337)]", 
@@ -1147,7 +1147,7 @@ } ], "uuid": "993a4563-9d3f-41b3-b677-430dbaf9bf30", - "value": "arp.exe" + "value": "arp.exe - Associated Software" }, { "description": "[Arp](https://app.tidalcyber.com/software/45b51950-6190-4572-b1a2-7c69d865251e) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [[TechNet Arp](https://app.tidalcyber.com/references/7714222e-8046-4884-b460-493d9ef46305)]", 
@@ -1213,7 +1213,7 @@ } ], "uuid": "dd35fa20-68de-455d-8994-914b23cf51a6", - "value": "Aspnet_Compiler.exe" + "value": "Aspnet_Compiler.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** ASP.NET Compilation Tool\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe\n* c:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe\n\n**Resources:**\n* [https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/](https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/)\n* [https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_aspnet_compiler.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml)[[Aspnet_Compiler.exe - LOLBAS Project](/references/15864c56-115e-4163-b816-03bdb9bfd5c5)]", 
@@ -1253,7 +1253,7 @@ } ], "uuid": "70694414-648a-487b-8eaf-beb2cc5ea348", - "value": "ASPXTool" + "value": "ASPXTool - Associated Software" }, { "description": "[ASPXSpy](https://app.tidalcyber.com/software/a0cce010-9158-45e5-978a-f002e5c31a03) is a Web shell. It has been modified by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) actors to create the ASPXTool version. [[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]", @@ -1311,7 +1311,7 @@ } ], "uuid": "02f01a87-3a6f-4344-9241-653118990361", - "value": "Guildma" + "value": "Guildma - Associated Software" }, { "description": "[Astaroth](https://app.tidalcyber.com/software/ea719a35-cbe9-4503-873d-164f68ab4544) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [[Cybereason Astaroth Feb 2019](https://app.tidalcyber.com/references/eb4dc1f8-c6e7-4d6c-9258-b03a0ae64d2e)][[Cofense Astaroth Sept 2018](https://app.tidalcyber.com/references/d316c581-646d-48e7-956e-34e2f957c67d)][[Securelist Brazilian Banking Malware July 2020](https://app.tidalcyber.com/references/ccc34875-93f3-40ed-a9ee-f31b86708507)]", @@ -1386,7 +1386,7 @@ } ], "uuid": "96ce505e-9144-473a-b197-0846ae712de8", - "value": "at.exe" + "value": "at.exe - Associated Software" }, { "description": "[at](https://app.tidalcyber.com/software/af01dc7b-a2bc-4fda-bbfe-d2be889c2860) is used to schedule tasks on a system to run at a specified date or time.[[TechNet At](https://app.tidalcyber.com/references/31b40c09-d68f-4889-b585-c077bd9cef28)][[Linux at](https://app.tidalcyber.com/references/3e3a84bc-ab6d-460d-8abc-cafae6eaaedd)]", 
@@ -1446,7 +1446,7 @@ } ], "uuid": "15e08d84-1977-4cc5-a73a-bd1cadff4bf0", - "value": "Atbroker.exe" + "value": "Atbroker.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Helper binary for Assistive Technology (AT)\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Atbroker.exe\n* C:\\Windows\\SysWOW64\\Atbroker.exe\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/](http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_atbroker.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml)\n* Sigma: [registry_event_susp_atbroker_change.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml)\n* IOC: Changes to HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration\n* IOC: Changes to HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\n* IOC: Unknown AT starting C:\\Windows\\System32\\ATBroker.exe /start malware[[Atbroker.exe - LOLBAS Project](/references/b0c21b56-6591-49c3-8e67-328ddb7b436d)]", 
@@ -1561,7 +1561,7 @@ } ], "uuid": "cf4b3cc1-c60a-43ac-8599-fce5dbade473", - "value": "Roptimizer" + "value": "Roptimizer - Associated Software" }, { "description": "[AuditCred](https://app.tidalcyber.com/software/d0c25f14-5eb3-40c1-a890-2ab1349dff53) is a malicious DLL that has been used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) during their 2018 attacks.[[TrendMicro Lazarus Nov 2018](https://app.tidalcyber.com/references/4c697316-c13a-4243-be18-c0e059e4168c)]", @@ -1773,7 +1773,7 @@ } ], "uuid": "b9d20905-d9b0-41e8-8012-52cab3e626f1", - "value": "Babyk" + "value": "Babyk - Associated Software" }, { "description": "[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)][[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)]", @@ -1787,7 +1787,7 @@ } ], "uuid": "30583664-1270-4dab-bff3-83f394740ca8", - "value": "Vasa Locker" + "value": "Vasa Locker - Associated Software" }, { "description": "[Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)][[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)][[CyberScoop Babuk February 2021](https://app.tidalcyber.com/references/0a0aeacd-0976-4c84-b40d-5704afca9f0e)]", 
@@ -1898,7 +1898,7 @@
 }
 ],
 "uuid": "044ca42d-c9cf-4f75-b119-1df3c80a3afd",
- "value": "Havex"
+ "value": "Havex - Associated Software"
 },
 {
 "description": "[Backdoor.Oldrea](https://app.tidalcyber.com/software/f7cc5974-767c-4cb4-acc7-36295a386ce5) is a modular backdoor that used by [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1) against energy companies since at least 2013. [Backdoor.Oldrea](https://app.tidalcyber.com/software/f7cc5974-767c-4cb4-acc7-36295a386ce5) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)][[Gigamon Berserk Bear October 2021](https://app.tidalcyber.com/references/06b6cbe3-8e35-4594-b36f-76b503c11520)][[Symantec Dragonfly Sept 2017](https://app.tidalcyber.com/references/11bbeafc-ed5d-4d2b-9795-a0a9544fb64e)]",
@@ -1941,7 +1941,7 @@
 }
 ],
 "uuid": "4f538bd5-3e2a-44f7-b58e-97219284df55",
- "value": "Lecna"
+ "value": "Lecna - Associated Software"
 },
 {
 "description": "[BACKSPACE](https://app.tidalcyber.com/software/d0daaa00-68e1-4568-bb08-3f28bcd82c63) is a backdoor used by [APT30](https://app.tidalcyber.com/groups/be45ff95-6c74-4000-bc39-63044673d82f) that dates back to at least 2005. [[FireEye APT30](https://app.tidalcyber.com/references/c48d2084-61cf-4e86-8072-01e5d2de8416)]",
@@ -2143,7 +2143,7 @@
 }
 ],
 "uuid": "1679c995-7141-40ac-a327-b5afc8f275c8",
- "value": "Win32/Diskcoder.D"
+ "value": "Win32/Diskcoder.D - Associated Software"
 },
 {
 "description": "[Bad Rabbit](https://app.tidalcyber.com/software/a1d86d8f-fa48-43aa-9833-7355750e455c) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://app.tidalcyber.com/software/a1d86d8f-fa48-43aa-9833-7355750e455c) has also targeted organizations and consumers in Russia. [[Secure List Bad Rabbit](https://app.tidalcyber.com/references/f4cec03a-ea94-4874-9bea-16189e967ff9)][[ESET Bad Rabbit](https://app.tidalcyber.com/references/a9664f01-78f0-4461-a757-12f54ec99a56)][[Dragos IT ICS Ransomware](https://app.tidalcyber.com/references/60187301-8d70-4023-8e6d-59cbb1468f0d)] ",
@@ -2219,7 +2219,7 @@
 }
 ],
 "uuid": "0bcd5b61-4408-4a35-9b8f-310cd23a4ca2",
- "value": "Trojan Manuscript"
+ "value": "Trojan Manuscript - Associated Software"
 },
 {
 "description": "[Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) used the [Bankshot](https://app.tidalcyber.com/software/24b8471d-698f-48cc-b47a-8fbbaf28b293) implant in attacks against the Turkish financial sector. [[McAfee Bankshot](https://app.tidalcyber.com/references/c748dc6c-8c19-4a5c-840f-3d47955a6c78)]",
@@ -2267,7 +2267,7 @@
 }
 ],
 "uuid": "fe0ff225-66b8-4629-86e3-9b4ce9bf6eb8",
- "value": "Bash.exe"
+ "value": "Bash.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** File used by Windows subsystem for Linux\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\bash.exe\n* C:\\Windows\\SysWOW64\\bash.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_bash.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml)\n* IOC: Child process from bash.exe[[Bash.exe - LOLBAS Project](/references/7d3efbc7-6abf-4f3f-aec8-686100bb90ad)]",
@@ -2339,7 +2339,7 @@
 }
 ],
 "uuid": "480398ef-e3b0-4434-b409-bc6bae0a56ea",
- "value": "Team9"
+ "value": "Team9 - Associated Software"
 },
 {
 "description": "[[FireEye KEGTAP SINGLEMALT October 2020](https://app.tidalcyber.com/references/59162ffd-cb95-4757-bb1e-0c2a4ad5c083)][[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]",
@@ -2353,7 +2353,7 @@
 }
 ],
 "uuid": "7de93c0d-efb9-481c-b1dc-ea5d786c47f9",
- "value": "KEGTAP"
+ "value": "KEGTAP - Associated Software"
 },
 {
 "description": "[Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://app.tidalcyber.com/software/b35d9817-6ead-4dbd-a2fa-4b8e217f8eac) reportedly has ties to [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[[Cybereason Bazar July 2020](https://app.tidalcyber.com/references/8819875a-5139-4dae-94c8-e7cc9f847580)]",
@@ -2487,7 +2487,7 @@
 }
 ],
 "uuid": "0a62aa36-aeba-4d97-bddb-d24cdb7d6093",
- "value": "Bginfo.exe"
+ "value": "Bginfo.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Background Information Utility included with SysInternals Suite\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* No fixed path\n\n**Resources:**\n* [https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/](https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_bginfo.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Bginfo.exe - LOLBAS Project](/references/ca1eaac2-7449-4a76-bec2-9dc5971fd808)]",
@@ -2607,7 +2607,7 @@
 }
 ],
 "uuid": "cf8ab2a9-cef3-450b-ba43-5611d3202347",
- "value": "FriedEx"
+ "value": "FriedEx - Associated Software"
 },
 {
 "description": "[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]",
@@ -2621,7 +2621,7 @@
 }
 ],
 "uuid": "3591563f-70f1-4bbc-aef8-7aa686e0fd48",
- "value": "wp_encrypt"
+ "value": "wp_encrypt - Associated Software"
 },
 {
 "description": "[BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://app.tidalcyber.com/software/e7dec940-8701-4c06-9865-5b11c61c046d) has several indicators suggesting overlap with the [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) malware and is often delivered via [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2).[[Crowdstrike Indrik November 2018](https://app.tidalcyber.com/references/0f85f611-90db-43ba-8b71-5d0d4ec8cdd5)]",
@@ -2674,7 +2674,7 @@
 }
 ],
 "uuid": "0f4e83eb-bc61-485f-8e30-f28a051996fa",
- "value": "Bitsadmin.exe"
+ "value": "Bitsadmin.exe - Associated Software"
 },
 {
 "description": "[BITSAdmin](https://app.tidalcyber.com/software/52a20d3d-1edd-4f17-87f0-b77c67d260b4) is a command line tool used to create and manage [BITS Jobs](https://app.tidalcyber.com/technique/6b278e5d-7383-42a4-9425-2da79bbe43e0). [[Microsoft BITSAdmin](https://app.tidalcyber.com/references/5b8c2a8c-f01e-491a-aaf9-504ee7a1caed)]",
@@ -2773,7 +2773,7 @@
 }
 ],
 "uuid": "e7af71b4-73c3-405a-9521-d239aa60eb20",
- "value": "ALPHV"
+ "value": "ALPHV - Associated Software"
 },
 {
 "description": "[[ACSC BlackCat Apr 2022](https://app.tidalcyber.com/references/3b85eaeb-6bf5-529b-80a4-439ceb6c5d6d)]",
@@ -2787,7 +2787,7 @@
 }
 ],
 "uuid": "1db491da-16a4-4a9c-9b7c-c7e46f1a1dd0",
- "value": "Noberus"
+ "value": "Noberus - Associated Software"
 },
 {
 "description": "[BlackCat](https://app.tidalcyber.com/software/691369e5-ef74-5ff9-bc20-34efeb4b6c5b) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://app.tidalcyber.com/software/691369e5-ef74-5ff9-bc20-34efeb4b6c5b) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[[Microsoft BlackCat Jun 2022](https://app.tidalcyber.com/references/55be1ca7-fdb7-5d76-a9c8-5f44a0d00b0e)][[Sophos BlackCat Jul 2022](https://app.tidalcyber.com/references/481a0106-d5b6-532c-8f5b-6c0c477185f4)][[ACSC BlackCat Apr 2022](https://app.tidalcyber.com/references/3b85eaeb-6bf5-529b-80a4-439ceb6c5d6d)]",
@@ -2882,7 +2882,7 @@
 }
 ],
 "uuid": "2efd4571-2913-4ea3-95f8-b2e1aef4f953",
- "value": "Black Energy"
+ "value": "Black Energy - Associated Software"
 },
 {
 "description": "[BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [[F-Secure BlackEnergy 2014](https://app.tidalcyber.com/references/5f228fb5-d959-4c4a-bb8c-f9dc01d5af07)]",
@@ -3267,7 +3267,7 @@
 }
 ],
 "uuid": "afc6d47c-4375-47c6-bc69-ae0faf2df0bd",
- "value": "BRc4"
+ "value": "BRc4 - Associated Software"
 },
 {
 "description": "[Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://app.tidalcyber.com/software/23043b44-69a6-5cdf-8f60-5a68068680c7) was leaked in the cybercriminal underground, leading to its use by threat actors.[[Dark Vortex Brute Ratel C4](https://app.tidalcyber.com/references/47992cb5-df11-56c2-b266-6f58d75f8315)][[Palo Alto Brute Ratel July 2022](https://app.tidalcyber.com/references/a9ab0444-386b-5baf-84e1-0e6df4a21296)][[MDSec Brute Ratel August 2022](https://app.tidalcyber.com/references/dfd12595-0056-5b4a-b753-624fac1bb3a6)][[SANS Brute Ratel October 2022](https://app.tidalcyber.com/references/9544e762-6f72-59e7-8384-5bbef13bfe96)][[Trend Micro Black Basta October 2022](https://app.tidalcyber.com/references/6e4a1565-4a30-5a6b-961c-226a6f1967ae)]",
@@ -3331,7 +3331,7 @@
 }
 ],
 "uuid": "ad8fc8bb-3562-4a56-b132-be625b1dc208",
- "value": "Backdoor.APT.FakeWinHTTPHelper"
+ "value": "Backdoor.APT.FakeWinHTTPHelper - Associated Software"
 },
 {
 "description": "[BUBBLEWRAP](https://app.tidalcyber.com/software/2be4e3d2-e8c5-4406-8041-2c17bdb3a547) is a full-featured, second-stage backdoor used by the [admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]",
@@ -3435,7 +3435,7 @@
 }
 ],
 "uuid": "2fc667d6-96ca-4414-95d7-3ce49383508a",
- "value": "OSX.Bundlore"
+ "value": "OSX.Bundlore - Associated Software"
 },
 {
 "description": "[Bundlore](https://app.tidalcyber.com/software/e9873bf1-9619-4c62-b4cf-1009e83de186) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://app.tidalcyber.com/software/e9873bf1-9619-4c62-b4cf-1009e83de186) has many features associated with more traditional backdoors.[[MacKeeper Bundlore Apr 2019](https://app.tidalcyber.com/references/4d631c9a-4fd5-43a4-8b78-4219bd371e87)]",
@@ -3647,7 +3647,7 @@
 }
 ],
 "uuid": "b0ac8d42-1536-4b96-b0d5-8052308d2177",
- "value": "Anunak"
+ "value": "Anunak - Associated Software"
 },
 {
 "description": "[Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://app.tidalcyber.com/groups/72d9bea7-9ca1-43e6-8702-2fb7fb1355de)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [[Kaspersky Carbanak](https://app.tidalcyber.com/references/2f7e77db-fe39-4004-9945-3c8943708494)] [[FireEye CARBANAK June 2017](https://app.tidalcyber.com/references/39105492-6044-460c-9dc9-3d4473ee862e)]",
@@ -3935,7 +3935,7 @@
 }
 ],
 "uuid": "4e9c6329-2df3-4815-bf21-8f18de3046b0",
- "value": "Cdb.exe"
+ "value": "Cdb.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging tool included with Windows Debugging Tools.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\cdb.exe\n\n**Resources:**\n* [http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html](http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html)\n* [https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options)\n* [https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda](https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda)\n* [https://mrd0x.com/the-power-of-cdb-debugging-tool/](https://mrd0x.com/the-power-of-cdb-debugging-tool/)\n* [https://twitter.com/nas_bench/status/1534957360032120833](https://twitter.com/nas_bench/status/1534957360032120833)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cdb.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: 
[defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Cdb.exe - LOLBAS Project](/references/e61b035f-6247-47e3-918c-2892815dfddf)]",
@@ -3978,7 +3978,7 @@
 }
 ],
 "uuid": "53a36e49-d37d-4572-9f4c-f738db27d9a5",
- "value": "CertOC.exe"
+ "value": "CertOC.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing certificates\n\n**Author:** Ensar Samil\n\n**Paths:**\n* c:\\windows\\system32\\certoc.exe\n* c:\\windows\\syswow64\\certoc.exe\n\n**Resources:**\n* [https://twitter.com/sblmsrsn/status/1445758411803480072?s=20](https://twitter.com/sblmsrsn/status/1445758411803480072?s=20)\n* [https://twitter.com/sblmsrsn/status/1452941226198671363?s=20](https://twitter.com/sblmsrsn/status/1452941226198671363?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_certoc_load_dll.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml)\n* IOC: Process creation with given parameter\n* IOC: Unsigned DLL load via certoc.exe\n* IOC: Network connection via certoc.exe[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]",
@@ -4021,7 +4021,7 @@
 }
 ],
 "uuid": "e15e8ff8-4ca9-4c89-9a3a-b89e41623204",
- "value": "CertReq.exe"
+ "value": "CertReq.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for requesting and managing certificates\n\n**Author:** David Middlehurst\n\n**Paths:**\n* C:\\Windows\\System32\\certreq.exe\n* C:\\Windows\\SysWOW64\\certreq.exe\n\n**Resources:**\n* [https://dtm.uk/certreq](https://dtm.uk/certreq)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_certreq_download.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml)\n* IOC: certreq creates new files\n* IOC: certreq makes POST requests[[CertReq.exe - LOLBAS Project](/references/be446484-8ecc-486e-8940-658c147f6978)]",
@@ -4062,7 +4062,7 @@
 }
 ],
 "uuid": "9d959b69-ce56-418b-b074-90d83062ca28",
- "value": "certutil.exe"
+ "value": "certutil.exe - Associated Software"
 },
 {
 "description": "[certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [[TechNet Certutil](https://app.tidalcyber.com/references/8d095aeb-c72c-49c1-8482-dbf4ce9203ce)]",
@@ -4239,7 +4239,7 @@
 }
 ],
 "uuid": "c65b2f44-b691-46e9-90da-2014a929ab35",
- "value": "HAYMAKER"
+ "value": "HAYMAKER - Associated Software"
 },
 {
 "description": "[[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]",
@@ -4253,7 +4253,7 @@
 }
 ],
 "uuid": "0b494f14-2546-4b8f-b688-9472f7e8dc7d",
- "value": "Scorpion"
+ "value": "Scorpion - Associated Software"
 },
 {
 "description": "[ChChes](https://app.tidalcyber.com/software/3f2283ef-67c2-49a3-98ac-1aa9f0499361) is a Trojan that appears to be used exclusively by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [[Palo Alto menuPass Feb 2017](https://app.tidalcyber.com/references/ba4f7d65-73ec-4726-b1f6-f2443ffda5e7)] [[JPCERT ChChes Feb 2017](https://app.tidalcyber.com/references/657b43aa-ead2-41d3-911a-d714d9b28e19)] [[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)]",
@@ -4458,7 +4458,7 @@
 }
 ],
 "uuid": "cbdaa2bf-7ffb-4e48-9e8e-c06b42199d44",
- "value": "Backdoor.SofacyX"
+ "value": "Backdoor.SofacyX - Associated Software"
 },
 {
 "description": "[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -4472,7 +4472,7 @@
 }
 ],
 "uuid": "14492dd1-4146-47ad-9ea0-5e6e934b625c",
- "value": "SPLM"
+ "value": "SPLM - Associated Software"
 },
 {
 "description": "[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -4486,7 +4486,7 @@
 }
 ],
 "uuid": "ceb44e2f-ffbb-4316-90a2-f011a3dcad57",
- "value": "Xagent"
+ "value": "Xagent - Associated Software"
 },
 {
 "description": "[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -4500,7 +4500,7 @@
 }
 ],
 "uuid": "fabf19bb-0fc7-451c-8c69-4b6c706b4e3f",
- "value": "X-Agent"
+ "value": "X-Agent - Associated Software"
 },
 {
 "description": "[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -4514,7 +4514,7 @@
 }
 ],
 "uuid": "472502d3-e94a-4045-a232-33733d6e30aa",
- "value": "webhp"
+ "value": "webhp - Associated Software"
 },
 {
 "description": "[CHOPSTICK](https://app.tidalcyber.com/software/01c6c49a-f7c8-44cd-a377-4dfd358ffeba) is a malware family of modular backdoors used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)] [[DOJ GRU Indictment Jul 2018](https://app.tidalcyber.com/references/d65f371b-19d0-49de-b92b-94a2bea1d988)] It is tracked separately from the [X-Agent for Android](https://app.tidalcyber.com/software/).",
@@ -4629,7 +4629,7 @@
 }
 ],
 "uuid": "351a3856-6bc0-4712-923b-8e921785b95b",
- "value": "CL_Invocation.ps1"
+ "value": "CL_Invocation.ps1 - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Aero diagnostics script\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1\n* C:\\Windows\\diagnostics\\system\\Audio\\CL_Invocation.ps1\n* C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Invocation.ps1\n\n**Resources:**\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cl_invocation.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml)\n* Sigma: [posh_ps_cl_invocation_lolscript.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml)[[CL_Invocation.ps1 - LOLBAS Project](/references/a53e093a-973c-491d-91e3-bc7804d87b8b)]",
@@ -4671,7 +4671,7 @@
 }
 ],
 "uuid": "9c4d1519-33eb-4280-aa2e-aca22b8e822c",
- "value": "CL_LoadAssembly.ps1"
+ "value": "CL_LoadAssembly.ps1 - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** PowerShell Diagnostic Script\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\Audio\\CL_LoadAssembly.ps1\n\n**Resources:**\n* [https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/](https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbas_cl_loadassembly.yml](https://github.com/SigmaHQ/sigma/blob/ff6c54ded6b52f379cec11fe17c1ccb956faa660/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml)[[CL_LoadAssembly.ps1 - LOLBAS Project](/references/31a14027-1181-49b9-87bf-78a65a551312)]",
@@ -4713,7 +4713,7 @@
 }
 ],
 "uuid": "06c669e0-0111-45c3-868d-0b5fad1d1b42",
- "value": "CL_Mutexverifiers.ps1"
+ "value": "CL_Mutexverifiers.ps1 - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with CL_Mutexverifiers.ps1\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\Audio\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\WindowsUpdate\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\Video\\CL_Mutexverifiers.ps1\n* C:\\Windows\\diagnostics\\system\\Speech\\CL_Mutexverifiers.ps1\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/995111125447577600](https://twitter.com/pabraeken/status/995111125447577600)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cl_mutexverifiers.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml)[[CL_Mutexverifiers.ps1 - LOLBAS Project](/references/75b89502-21ed-4920-95cc-212eaf17f281)]",
@@ -4790,7 +4790,7 @@
 }
 ],
 "uuid": "4f8334fd-987a-4d3a-b7cf-e5e1800eee90",
- "value": "MiniDionis"
+ "value": "MiniDionis - Associated Software"
 },
 {
 "description": "",
@@ -4804,7 +4804,7 @@
 }
 ],
 "uuid": "f714e1f8-1a16-46cc-981c-26729d500770",
- "value": "CloudLook"
+ "value": "CloudLook - Associated Software"
 },
 {
 "description": "[CloudDuke](https://app.tidalcyber.com/software/b3dd424b-ee96-449c-aa52-abbc7d4dfb86) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) in 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)] [[Securelist Minidionis July 2015](https://app.tidalcyber.com/references/af40a05e-02fb-4943-b3ff-9a292679e93d)]",
@@ -4854,7 +4854,7 @@
 }
 ],
 "uuid": "2757101d-84c7-4acc-be12-2f2a7b79bc2e",
- "value": "cmd.exe"
+ "value": "cmd.exe - Associated Software"
 },
 {
 "description": "[cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [[TechNet Cmd](https://app.tidalcyber.com/references/dbfc01fe-c300-4c27-ab9a-a20508c1e04b)]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [[TechNet Dir](https://app.tidalcyber.com/references/f1eb8631-6bea-4688-a5ff-a388b1fdceb0)]), deleting files (e.g., del [[TechNet Del](https://app.tidalcyber.com/references/01fc44b9-0eb3-4fd2-b755-d611825374ae)]), and copying files (e.g., copy [[TechNet Copy](https://app.tidalcyber.com/references/4e0d4b94-6b4c-4104-86e6-499b6aa7ba78)]).",
@@ -5032,7 +5032,7 @@
 }
 ],
 "uuid": "adcf033c-3514-40b4-81fc-d0534cd0d050",
- "value": "Cmdkey.exe"
+ "value": "Cmdkey.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** creates, lists, and deletes stored user names and passwords or credentials.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\cmdkey.exe\n* C:\\Windows\\SysWOW64\\cmdkey.exe\n\n**Resources:**\n* [https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation](https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation)\n* [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey)\n\n**Detection:**\n* Sigma: [proc_creation_win_cmdkey_recon.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml)[[Cmdkey.exe - LOLBAS Project](/references/c9ca075a-8327-463d-96ec-adddf6f1a7bb)]",
@@ -5079,7 +5079,7 @@
 }
 ],
 "uuid": "ceb926c4-0b32-4073-bfd8-b7fc05cd1d62",
- "value": "cmdl32.exe"
+ "value": "cmdl32.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Connection Manager Auto-Download\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\cmdl32.exe\n* C:\\Windows\\SysWOW64\\cmdl32.exe\n\n**Resources:**\n* [https://github.com/LOLBAS-Project/LOLBAS/pull/151](https://github.com/LOLBAS-Project/LOLBAS/pull/151)\n* [https://twitter.com/ElliotKillick/status/1455897435063074824](https://twitter.com/ElliotKillick/status/1455897435063074824)\n* [https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/](https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_cmdl32.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml)\n* IOC: Reports of downloading from suspicious URLs in %TMP%\\config.log\n* IOC: Useragent Microsoft(R) Connection Manager Vpn File Update[[cmdl32.exe - LOLBAS Project](/references/2628e452-caa1-4058-a405-7c4657fa3245)]",
@@ -5122,7 +5122,7 @@ } ], "uuid": "7daa8928-e3ff-4e2c-9a33-df39bec265e1", - "value": "Cmstp.exe" + "value": "Cmstp.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Installs or removes a Connection Manager service profile.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\cmstp.exe\n* C:\\Windows\\SysWOW64\\cmstp.exe\n\n**Resources:**\n* [https://twitter.com/NickTyrer/status/958450014111633408](https://twitter.com/NickTyrer/status/958450014111633408)\n* [https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80](https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80)\n* [https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e](https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e)\n* [https://oddvar.moe/2017/08/15/research-on-cmstp-exe/](https://oddvar.moe/2017/08/15/research-on-cmstp-exe/)\n* [https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1](https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1)\n* [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp)\n\n**Detection:**\n* Sigma: [proc_creation_win_cmstp_execution_by_creation.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml)\n* Sigma: 
[proc_creation_win_uac_bypass_cmstp.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml)\n* Splunk: [cmlua_or_cmstplua_uac_bypass.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* IOC: Execution of cmstp.exe without a VPN use case is suspicious\n* IOC: DotNet CLR libraries loaded into cmstp.exe\n* IOC: DotNet CLR Usage Log - cmstp.exe.log[[Cmstp.exe - LOLBAS Project](/references/86c21dcd-464a-4870-8aae-25fcaccc889d)]", 
@@ -5369,7 +5369,7 @@ } ], "uuid": "74673d53-5fe4-4e98-ade5-b4a545d2373c", - "value": "code.exe" + "value": "code.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** VSCode binary, also portable (CLI) version\n\n**Author:** PfiatDe\n\n**Paths:**\n* %LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe\n* C:\\Program Files\\Microsoft VS Code\\Code.exe\n* C:\\Program Files (x86)\\Microsoft VS Code\\Code.exe\n\n**Resources:**\n* [https://badoption.eu/blog/2023/01/31/code_c2.html](https://badoption.eu/blog/2023/01/31/code_c2.html)\n* [https://code.visualstudio.com/docs/remote/tunnels](https://code.visualstudio.com/docs/remote/tunnels)\n* [https://code.visualstudio.com/blogs/2022/12/07/remote-even-better](https://code.visualstudio.com/blogs/2022/12/07/remote-even-better)\n\n**Detection:**\n* IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com\n* IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe\n* IOC: File write of code_tunnel.json which is parametizable, but defaults to: %UserProfile%\\.vscode-cli\\code_tunnel.json[[code.exe - LOLBAS Project](/references/4a93063b-f3a3-4726-870d-b8f744651363)]", 
@@ -5432,7 +5432,7 @@ } ], "uuid": "6044424d-3732-4cac-85a8-b4059f4e0af4", - "value": "Colorcpl.exe" + "value": "Colorcpl.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary that handles color management\n\n**Author:** Arjan Onwezen\n\n**Paths:**\n* C:\\Windows\\System32\\colorcpl.exe\n* C:\\Windows\\SysWOW64\\colorcpl.exe\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1480468728324231172](https://twitter.com/eral4m/status/1480468728324231172)\n\n**Detection:**\n* Sigma: [file_event_win_susp_colorcpl.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml)\n* IOC: colorcpl.exe writing files[[Colorcpl.exe - LOLBAS Project](/references/53ff662d-a0b3-41bd-ab9e-a9bb8bbdea25)]", 
@@ -5524,7 +5524,7 @@ } ], "uuid": "07f103cf-9a8a-4f68-a96b-877113e6c538", - "value": "Comsvcs.dll" + "value": "Comsvcs.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** COM+ Services\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\comsvcs.dll\n\n**Resources:**\n* [https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/](https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_process_dump_via_comsvcs.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml)\n* Sigma: [proc_access_win_lsass_dump_comsvcs_dll.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)\n* Splunk: [dump_lsass_via_comsvcs_dll.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/dump_lsass_via_comsvcs_dll.yml)[[Comsvcs.dll - LOLBAS Project](/references/2eb2756d-5a49-4df3-9e2f-104c41c645cd)]", @@ -5579,7 +5579,7 @@ } ], "uuid": "a8d8ea16-3ec8-41bb-a27a-7f67511a78ee", - "value": "Kido" + "value": "Kido - Associated Software" }, { "description": "[[SANS Conficker](https://app.tidalcyber.com/references/2dca2274-5f25-475a-b87d-97f3e3a525de)] ", 
@@ -5593,7 +5593,7 @@ } ], "uuid": "2871c307-fede-464e-b25e-ad6051d25c63", - "value": "Downadup" + "value": "Downadup - Associated Software" }, { "description": "[Conficker](https://app.tidalcyber.com/software/ef33f1fa-18a3-4b30-b359-17b7930f43a7) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[[SANS Conficker](https://app.tidalcyber.com/references/2dca2274-5f25-475a-b87d-97f3e3a525de)] In 2016, a variant of [Conficker](https://app.tidalcyber.com/software/ef33f1fa-18a3-4b30-b359-17b7930f43a7) made its way on computers and removable disk drives belonging to a nuclear power plant.[[Conficker Nuclear Power Plant](https://app.tidalcyber.com/references/83b8c3c4-d67a-48bd-8614-1c703a8d969b)]", 
@@ -5638,7 +5638,7 @@ } ], "uuid": "45ba655d-a1fc-4305-abed-38f72ef3a832", - "value": "ConfigSecurityPolicy.exe" + "value": "ConfigSecurityPolicy.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.\n\n**Author:** Ialle Teixeira\n\n**Paths:**\n* C:\\Program Files\\Windows Defender\\ConfigSecurityPolicy.exe\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads](https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads)\n* [https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads](https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads)\n* [https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor](https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor)\n* [https://twitter.com/NtSetDefault/status/1302589153570365440?s=20](https://twitter.com/NtSetDefault/status/1302589153570365440?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_configsecuritypolicy.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml)\n* IOC: ConfigSecurityPolicy storing data into alternate data streams.\n* IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network 
IPS/IDS.\n* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.\n* IOC: User Agent is \"MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\"[[ConfigSecurityPolicy.exe - LOLBAS Project](/references/30b8a5d8-596c-4ab3-b3db-b799cc8923e1)]", @@ -5681,7 +5681,7 @@ } ], "uuid": "8a24ebd6-9351-4197-8728-6aa45e3dfce3", - "value": "Conhost.exe" + "value": "Conhost.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Console Window host\n\n**Author:** Wietze Beukema\n\n**Paths:**\n* c:\\windows\\system32\\conhost.exe\n\n**Resources:**\n* [https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/](https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)\n* [https://twitter.com/Wietze/status/1511397781159751680](https://twitter.com/Wietze/status/1511397781159751680)\n* [https://twitter.com/embee_research/status/1559410767564181504](https://twitter.com/embee_research/status/1559410767564181504)\n* [https://twitter.com/ankit_anubhav/status/1561683123816972288](https://twitter.com/ankit_anubhav/status/1561683123816972288)\n\n**Detection:**\n* IOC: conhost.exe spawning unexpected processes\n* Sigma: [proc_creation_win_conhost_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml)[[Conhost.exe - LOLBAS Project](/references/5ed807c1-15d1-48aa-b497-8cd74fe5b299)]", 
@@ -5722,7 +5722,7 @@ } ], "uuid": "0280eeae-b087-48c3-937c-2edf419f6835", - "value": "ScreenConnect" + "value": "ScreenConnect - Associated Software" }, { "description": "[ConnectWise](https://app.tidalcyber.com/software/6f9bb24d-cce2-49de-bedd-1849d9bde7a0) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) and [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) to connect to and conduct lateral movement in target environments.[[Anomali Static Kitten February 2021](https://app.tidalcyber.com/references/710ed789-de1f-4601-a8ba-32147827adcb)][[Trend Micro Muddy Water March 2021](https://app.tidalcyber.com/references/16b4b834-2f44-4bac-b810-f92080c41f09)]", 
@@ -5837,7 +5837,7 @@ } ], "uuid": "94e2981f-681e-4bb8-bcef-98f8ed60f4ed", - "value": "Control.exe" + "value": "Control.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used to launch controlpanel items in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\control.exe\n* C:\\Windows\\SysWOW64\\control.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/](https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/)\n* [https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/](https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/)\n* [https://twitter.com/bohops/status/955659561008017409](https://twitter.com/bohops/status/955659561008017409)\n* [https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items](https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items)\n* [https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/](https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/)\n\n**Detection:**\n* Sigma: [proc_creation_win_exploit_cve_2021_40444.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml)\n* Sigma: [proc_creation_win_rundll32_susp_control_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml)\n* Elastic: 
[defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* Elastic: [defense_evasion_execution_control_panel_suspicious_args.toml](https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml)\n* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)\n* IOC: Control.exe executing files from alternate data streams\n* IOC: Control.exe executing library file without cpl extension\n* IOC: Suspicious network connections from control.exe[[Control.exe - LOLBAS Project](/references/d0c821b9-7d37-4158-89fa-0dabe6e06800)]", 
@@ -5929,7 +5929,7 @@ } ], "uuid": "462f4c43-12e3-4901-b741-72e8c6e6e98a", - "value": "coregen.exe" + "value": "coregen.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within \"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.\n\n**Author:** Martin Sohn Christensen\n\n**Paths:**\n* C:\\Program Files\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe\n* C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe\n\n**Resources:**\n* [https://www.youtube.com/watch?v=75XImxOOInU](https://www.youtube.com/watch?v=75XImxOOInU)\n* [https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html](https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html)\n\n**Detection:**\n* Sigma: [image_load_side_load_coregen.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml)\n* IOC: coregen.exe loading .dll file not in \"C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\\"\n* IOC: coregen.exe loading .dll file not named coreclr.dll\n* IOC: coregen.exe command line containing -L or -l\n* IOC: coregen.exe command line containing unexpected/invald assembly name\n* IOC: coregen.exe application crash by invalid assembly name[[coregen.exe - LOLBAS 
Project](/references/f24d4cf5-9ca9-46bd-bd43-86b37e2a638a)]", @@ -5970,7 +5970,7 @@ } ], "uuid": "8af3037f-732c-433e-8689-701593604bae", - "value": "Sofacy" + "value": "Sofacy - Associated Software" }, { "description": "[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)][[Securelist Sofacy Feb 2018](https://app.tidalcyber.com/references/3a043bba-2451-4765-946b-c1f3bf4aea36)]", @@ -5984,7 +5984,7 @@ } ], "uuid": "36d5d0ca-1bfc-45b1-ac54-2da2e1b2a5c7", - "value": "SOURFACE" + "value": "SOURFACE - Associated Software" }, { "description": "[CORESHELL](https://app.tidalcyber.com/software/3b193f62-2b49-4eff-bdf4-501fb8a28274) is a downloader used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]", @@ -6034,7 +6034,7 @@ } ], "uuid": "b46da8df-d944-4bf0-b715-dad7dbc6d658", - "value": "TinyBaron" + "value": "TinyBaron - Associated Software" }, { "description": "", @@ -6048,7 +6048,7 @@ } ], "uuid": "f5f9ef72-8f34-47d6-a767-86b3b07ce00e", - "value": "BotgenStudios" + "value": "BotgenStudios - Associated Software" }, { "description": "", 
@@ -6062,7 +6062,7 @@ } ], "uuid": "d7724aad-70a0-40a8-ad43-a92bedb8f8fd", - "value": "NemesisGemina" + "value": "NemesisGemina - Associated Software" }, { "description": "[CosmicDuke](https://app.tidalcyber.com/software/43b317c6-5b4f-47b8-b7b4-15cd6f455091) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", @@ -6137,7 +6137,7 @@ } ], "uuid": "58e77779-2cc6-4570-95a7-fb59b089ab28", - "value": "CozyDuke" + "value": "CozyDuke - Associated Software" }, { "description": "", @@ -6151,7 +6151,7 @@ } ], "uuid": "49b8f0f4-77aa-4c7e-925d-054102c7178b", - "value": "CozyBear" + "value": "CozyBear - Associated Software" }, { "description": "", @@ -6165,7 +6165,7 @@ } ], "uuid": "60187172-ade3-4d87-8d51-3b064838867d", - "value": "Cozer" + "value": "Cozer - Associated Software" }, { "description": "", @@ -6179,7 +6179,7 @@ } ], "uuid": "8b01f729-fa16-4bd7-b5d3-2d84a1ecb32b", - "value": "EuroAPT" + "value": "EuroAPT - Associated Software" }, { "description": "[CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", 
@@ -6279,7 +6279,7 @@ } ], "uuid": "8a49e7dc-04ce-44d3-919d-91700e11e1c9", - "value": "Createdump.exe" + "value": "Createdump.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)\n\n**Author:** mr.d0x, Daniel Santos\n\n**Paths:**\n* C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\*\\createdump.exe\n* C:\\Program Files (x86)\\dotnet\\shared\\Microsoft.NETCore.App\\*\\createdump.exe\n* C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\dotnet\\runtime\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\dotnet\\runtime\\shared\\Microsoft.NETCore.App\\6.0.0\\createdump.exe\n\n**Resources:**\n* [https://twitter.com/bopin2020/status/1366400799199272960](https://twitter.com/bopin2020/status/1366400799199272960)\n* [https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps](https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps)\n\n**Detection:**\n* Sigma: [proc_creation_win_proc_dump_createdump.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml)\n* Sigma: [proc_creation_win_renamed_createdump.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml)\n* IOC: createdump.exe process with a command line containing the lsass.exe process id[[Createdump.exe - LOLBAS 
Project](/references/f3ccacc1-3b42-4042-9a5c-f5b483a5e801)]", @@ -6397,7 +6397,7 @@ } ], "uuid": "349d3f77-068f-4300-98b9-05245f5f3a7a", - "value": "MSIL/Crimson" + "value": "MSIL/Crimson - Associated Software" }, { "description": "[Crimson](https://app.tidalcyber.com/software/3b3f296f-20a6-459a-98c5-62ebdee3701f) is a remote access Trojan that has been used by [Transparent Tribe](https://app.tidalcyber.com/groups/441b91d1-256a-4763-bac6-8f1c76764a25) since at least 2016.[[Proofpoint Operation Transparent Tribe March 2016](https://app.tidalcyber.com/references/8e39d0da-114f-4ae6-8130-ca1380077d6a)][[Kaspersky Transparent Tribe August 2020](https://app.tidalcyber.com/references/42c7faa2-f664-4e4a-9d23-93c88a09da5b)]", 
@@ -6522,7 +6522,7 @@ } ], "uuid": "909a545e-eec1-4c0d-a57e-a183bf036bb6", - "value": "Csc.exe" + "value": "Csc.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary file used by .NET to compile C# code\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Csc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Csc.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe](https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe)\n\n**Detection:**\n* Sigma: [proc_creation_win_csc_susp_parent.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml)\n* Sigma: [proc_creation_win_csc_susp_folder.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml)\n* Elastic: [defense_evasion_dotnet_compiler_parent_process.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_unusal_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml)\n* IOC: Csc.exe should normally not run as System account unless it is used for development.[[Csc.exe - LOLBAS Project](/references/276c9e55-4673-426d-8f49-06edee2e3b30)]", 
@@ -6569,7 +6569,7 @@ } ], "uuid": "589c7b11-190b-4cd3-b8c4-cf623697d207", - "value": "Cscript.exe" + "value": "Cscript.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used to execute scripts in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\cscript.exe\n* C:\\Windows\\SysWOW64\\cscript.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n\n**Detection:**\n* Sigma: [proc_creation_win_wscript_cscript_script_exec.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)\n* Elastic: [command_and_control_remote_file_copy_scripts.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml)\n* Elastic: 
[defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [wscript_or_cscript_suspicious_child_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Cscript.exe executing files from alternate data streams\n* IOC: DotNet CLR libraries loaded into cscript.exe\n* IOC: DotNet CLR Usage Log - cscript.exe.log[[Cscript.exe - LOLBAS Project](/references/428b6223-63b7-497f-b13a-e472b4583a9f)]", 
@@ -6612,7 +6612,7 @@ } ], "uuid": "bebeee27-af58-4daa-ae34-c432ba0aaf0d", - "value": "csi.exe" + "value": "csi.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command line interface included with Visual Studio.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community\\MSBuild\\15.0\\Bin\\Roslyn\\csi.exe\n* c:\\Program Files (x86)\\Microsoft Web Tools\\Packages\\Microsoft.Net.Compilers.X.Y.Z\\tools\\csi.exe\n\n**Resources:**\n* [https://twitter.com/subTee/status/781208810723549188](https://twitter.com/subTee/status/781208810723549188)\n* [https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/](https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_csi_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml)\n* Sigma: [proc_creation_win_csi_use_of_csharp_console.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: 
[https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[csi.exe - LOLBAS Project](/references/b810ee91-de4e-4c7b-8fa8-24dca95133e5)]", @@ -6714,7 +6714,7 @@ } ], "uuid": "642284c2-5216-47f6-994b-98ff2fa839b9", - "value": "CustomShellHost.exe" + "value": "CustomShellHost.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A host process that is used by custom shells when using Windows in Kiosk mode.\n\n**Author:** Wietze Beukema\n\n**Paths:**\n* C:\\Windows\\System32\\CustomShellHost.exe\n\n**Resources:**\n* [https://twitter.com/YoSignals/status/1381353520088113154](https://twitter.com/YoSignals/status/1381353520088113154)\n* [https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher)\n\n**Detection:**\n* IOC: CustomShellHost.exe is unlikely to run on normal workstations\n* Sigma: [proc_creation_win_lolbin_customshellhost.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml)[[CustomShellHost.exe - LOLBAS Project](/references/96324ab1-7eb8-42dc-b19a-fa1d9f85e239)]", @@ -6839,7 +6839,7 @@ } ], "uuid": "cc96486b-d19d-4819-8265-9203a28ba6c9", - "value": "Krademok" + "value": "Krademok - Associated Software" }, { "description": "[[TrendMicro DarkComet Sept 2014](https://app.tidalcyber.com/references/fb365600-4961-43ed-8292-1c07cbc530ef)]", 
@@ -6853,7 +6853,7 @@ } ], "uuid": "afb90bbd-2299-4f3a-a9a8-792f4401e08f", - "value": "DarkKomet" + "value": "DarkKomet - Associated Software" }, { "description": "[[TrendMicro DarkComet Sept 2014](https://app.tidalcyber.com/references/fb365600-4961-43ed-8292-1c07cbc530ef)]", @@ -6867,7 +6867,7 @@ } ], "uuid": "f319bc98-ef43-47ef-8572-601f0be6fb68", - "value": "Fynloski" + "value": "Fynloski - Associated Software" }, { "description": "[[TrendMicro DarkComet Sept 2014](https://app.tidalcyber.com/references/fb365600-4961-43ed-8292-1c07cbc530ef)]", @@ -6881,7 +6881,7 @@ } ], "uuid": "abbedb20-272b-4278-ab46-8e46e7cd70ed", - "value": "FYNLOS" + "value": "FYNLOS - Associated Software" }, { "description": "[DarkComet](https://app.tidalcyber.com/software/74f88899-56d0-4de8-97de-539b3590ab90) is a Windows remote administration tool and backdoor.[[TrendMicro DarkComet Sept 2014](https://app.tidalcyber.com/references/fb365600-4961-43ed-8292-1c07cbc530ef)][[Malwarebytes DarkComet March 2018](https://app.tidalcyber.com/references/6a765a99-8d9f-4076-8741-6415a5ab918b)]", @@ -7017,7 +7017,7 @@ } ], "uuid": "dae98258-e7d1-4e13-9c88-13d5fe07bf89", - "value": "Nioupale" + "value": "Nioupale - Associated Software" }, { "description": "[[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)]", 
@@ -7031,7 +7031,7 @@ } ], "uuid": "82694e7e-140d-4ee6-93a0-03af069029cf", - "value": "Muirim" + "value": "Muirim - Associated Software" }, { "description": "[Daserf](https://app.tidalcyber.com/software/fad65026-57c4-4d4f-8803-87178dd4b887) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [[Trend Micro Daserf Nov 2017](https://app.tidalcyber.com/references/4ca0e6a9-8c20-49a0-957a-7108083a8a29)] [[Secureworks BRONZE BUTLER Oct 2017](https://app.tidalcyber.com/references/c62d8d1a-cd1b-4b39-95b6-68f3f063dacf)]", 
@@ -7080,7 +7080,7 @@ } ], "uuid": "c64f5d2e-d645-4dd8-bc8f-9e515f8f80c3", - "value": "DataSvcUtil.exe" + "value": "DataSvcUtil.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.\n\n**Author:** Ialle Teixeira\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\DataSvcUtil.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe](https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe)\n* [https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services](https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services)\n* [https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services](https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml)\n* IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.\n* IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network 
IPS/IDS.\n* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[[DataSvcUtil.exe - LOLBAS Project](/references/0c373780-3202-4036-8c83-f3d468155b35)]", @@ -7172,7 +7172,7 @@ } ], "uuid": "a5895370-3911-4fd5-a61d-5e7cdf4eaa7b", - "value": "DEADEYE.EMBED" + "value": "DEADEYE.EMBED - Associated Software" }, { "description": "[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]", @@ -7186,7 +7186,7 @@ } ], "uuid": "f55765f5-c5b6-4b6d-a50d-f96793569149", - "value": "DEADEYE.APPEND" + "value": "DEADEYE.APPEND - Associated Software" }, { "description": "[DEADEYE](https://app.tidalcyber.com/software/e9533664-90c5-5b40-a40e-a69a2eda8bc9) is a malware launcher that has been used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since at least May 2021. [DEADEYE](https://app.tidalcyber.com/software/e9533664-90c5-5b40-a40e-a69a2eda8bc9) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]", 
@@ -7287,7 +7287,7 @@ } ], "uuid": "95c59305-52c1-4d55-a9cd-8ce48e7a3a30", - "value": "DefaultPack.EXE" + "value": "DefaultPack.EXE - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.\n\n**Author:** @checkymander\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft\\DefaultPack\\\n\n**Resources:**\n* [https://twitter.com/checkymander/status/1311509470275604480.](https://twitter.com/checkymander/status/1311509470275604480.)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_defaultpack.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml)\n* IOC: DefaultPack.EXE spawned an unknown process[[DefaultPack.EXE - LOLBAS Project](/references/106efc3e-5816-44ae-a384-5e026e68ab89)]", @@ -7388,7 +7388,7 @@ } ], "uuid": "92b622fe-1002-49f7-87ca-e97046f6ed40", - "value": "PHOTO" + "value": "PHOTO - Associated Software" }, { "description": "[Derusbi](https://app.tidalcyber.com/software/9222aa77-922e-43c7-89ad-71067c428fb2) is malware used by multiple Chinese APT groups.[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)][[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)] Both Windows and Linux variants have been observed.[[Fidelis Turbo](https://app.tidalcyber.com/references/f19877f1-3e0f-4c68-b6c9-ef5b0bd470ed)]", 
@@ -7449,7 +7449,7 @@ } ], "uuid": "670ed300-364b-45ad-ad7f-732d13365571", - "value": "Desk.cpl" + "value": "Desk.cpl - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Desktop Settings Control Panel\n\n**Author:** Hai Vaknin\n\n**Paths:**\n* C:\\Windows\\System32\\desk.cpl\n* C:\\Windows\\SysWOW64\\desk.cpl\n\n**Resources:**\n* [https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt](https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt)\n* [https://twitter.com/pabraeken/status/998627081360695297](https://twitter.com/pabraeken/status/998627081360695297)\n* [https://twitter.com/VakninHai/status/1517027824984547329](https://twitter.com/VakninHai/status/1517027824984547329)\n* [https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files](https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files)\n\n**Detection:**\n* Sigma: [file_event_win_new_src_file.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_new_src_file.yml)\n* Sigma: [proc_creation_win_lolbin_rundll32_installscreensaver.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml)\n* Sigma: [registry_set_scr_file_executed_by_rundll32.yml](https://github.com/SigmaHQ/sigma/blob/940f89d43dbac5b7108610a5bde47cda0d2a643b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml)[[Desk.cpl - LOLBAS Project](/references/487a54d9-9f90-478e-b305-bd041af55e12)]", 
@@ -7492,7 +7492,7 @@ } ], "uuid": "75e0d2df-7f93-4b5a-b085-4d2dfdac1348", - "value": "Desktopimgdownldr.exe" + "value": "Desktopimgdownldr.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows binary used to configure lockscreen/desktop image\n\n**Author:** Gal Kristal\n\n**Paths:**\n* c:\\windows\\system32\\desktopimgdownldr.exe\n\n**Resources:**\n* [https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/](https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/)\n\n**Detection:**\n* Sigma: [proc_creation_win_desktopimgdownldr_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml)\n* Sigma: [file_event_win_susp_desktopimgdownldr_file.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml)\n* Elastic: [command_and_control_remote_file_copy_desktopimgdownldr.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml)\n* IOC: desktopimgdownldr.exe that creates non-image file\n* IOC: Change of HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP\\LockScreenImageUrl[[Desktopimgdownldr.exe - LOLBAS Project](/references/1df3aacf-76c4-472a-92c8-2a85ae9e2860)]", 
@@ -7535,7 +7535,7 @@ } ], "uuid": "5a91980c-cdb3-4dde-b38d-175c5af960f3", - "value": "DeviceCredentialDeployment.exe" + "value": "DeviceCredentialDeployment.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Device Credential Deployment\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\DeviceCredentialDeployment.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation\n* Sigma: [proc_creation_win_lolbin_device_credential_deployment.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml)[[DeviceCredentialDeployment.exe - LOLBAS Project](/references/fef281e8-8138-4420-b11b-66d1e6a19805)]", 
@@ -7578,7 +7578,7 @@ } ], "uuid": "34e99ddb-8992-4b3a-acaf-e95bf601777e", - "value": "Devinit.exe" + "value": "Devinit.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Visual Studio 2019 tool\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\Common7\\Tools\\devinit\\devinit.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\Common7\\Tools\\devinit\\devinit.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1460815932402679809](https://twitter.com/mrd0x/status/1460815932402679809)\n\n**Detection:**\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[Devinit.exe - LOLBAS Project](/references/27343583-c17d-4c11-a7e3-14d725756556)]", 
@@ -7621,7 +7621,7 @@ } ], "uuid": "9fcdac31-4219-4b10-83e6-b1c85f96de60", - "value": "Devtoolslauncher.exe" + "value": "Devtoolslauncher.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary will execute specified binary. Part of VS/VScode installation.\n\n**Author:** felamos\n\n**Paths:**\n* c:\\windows\\system32\\devtoolslauncher.exe\n\n**Resources:**\n* [https://twitter.com/_felamos/status/1179811992841797632](https://twitter.com/_felamos/status/1179811992841797632)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_devtoolslauncher.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml)\n* IOC: DeveloperToolsSvc.exe spawned an unknown process[[Devtoolslauncher.exe - LOLBAS Project](/references/cb263978-019c-40c6-b6de-61db0e7a8941)]", 
@@ -7663,7 +7663,7 @@ } ], "uuid": "02bce9ff-2975-4b0a-a8ab-8aaba3660803", - "value": "devtunnel.exe" + "value": "devtunnel.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to enable forwarded ports on windows operating systems.\n\n**Author:** Kamran Saifullah\n\n**Paths:**\n* C:\\Users\\\\AppData\\Local\\Temp\\.net\\devtunnel\\\n* C:\\Users\\\\AppData\\Local\\Temp\\DevTunnels\n\n**Resources:**\n* [https://code.visualstudio.com/docs/editor/port-forwarding](https://code.visualstudio.com/docs/editor/port-forwarding)\n\n**Detection:**\n* IOC: devtunnel.exe binary spawned\n* IOC: *.devtunnels.ms\n* IOC: *.*.devtunnels.ms\n* Analysis: [https://cydefops.com/vscode-data-exfiltration](https://cydefops.com/vscode-data-exfiltration)[[devtunnel.exe - LOLBAS Project](/references/657c8b4c-1eee-4997-8461-c7592eaed9e8)]", 
@@ -7726,7 +7726,7 @@ } ], "uuid": "92344064-ad27-4fa5-8d50-fa56ff279213", - "value": "Dfshim.dll" + "value": "Dfshim.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** ClickOnce engine in Windows used by .NET\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Dfsvc.exe\n\n**Resources:**\n* [https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf](https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf)\n* [https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe](https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Dfshim.dll - LOLBAS Project](/references/30503e42-6047-46a9-8189-e6caa5f4deb0)]", 
@@ -7769,7 +7769,7 @@ } ], "uuid": "a9e71535-14ff-4715-a9f4-fac62b04753e", - "value": "Dfsvc.exe" + "value": "Dfsvc.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** ClickOnce engine in Windows used by .NET\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Dfsvc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Dfsvc.exe\n\n**Resources:**\n* [https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf](https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf)\n* [https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe](https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Dfsvc.exe - LOLBAS Project](/references/7f3a78c0-68b2-4a9d-ae6a-6e63e8ddac3f)]", 
@@ -7812,7 +7812,7 @@ } ], "uuid": "6e0bb5fd-f650-4ba0-bd6f-d6b90b1a7777", - "value": "Diantz.exe" + "value": "Diantz.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary that package existing files into a cabinet (.cab) file\n\n**Author:** Tamir Yehuda\n\n**Paths:**\n* c:\\windows\\system32\\diantz.exe\n* c:\\windows\\syswow64\\diantz.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_diantz_ads.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml)\n* Sigma: [proc_creation_win_lolbin_diantz_remote_cab.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml)\n* IOC: diantz storing data into alternate data streams.\n* IOC: diantz getting a file from a remote machine or the internet.[[diantz.exe_lolbas](/references/66652db8-5594-414f-8a6b-83d708a0c1fa)]", 
@@ -7930,7 +7930,7 @@ } ], "uuid": "84346cb2-601a-45ff-9d88-f0516cfaa688", - "value": "Diskshadow.exe" + "value": "Diskshadow.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\diskshadow.exe\n* C:\\Windows\\SysWOW64\\diskshadow.exe\n\n**Resources:**\n* [https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/](https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_diskshadow.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml)\n* Sigma: [proc_creation_win_susp_shadow_copies_deletion.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)\n* IOC: Child process from diskshadow.exe[[Diskshadow.exe - LOLBAS Project](/references/27a3f0b4-e699-4319-8b52-8eae4581faa2)]", 
@@ -7972,7 +7972,7 @@ } ], "uuid": "16a67a60-df5f-443e-b0f3-07254ce0b923", - "value": "Dnscmd.exe" + "value": "Dnscmd.exe - Associated Software" }, { "description": "Dnscmd is a Windows command-line utility used to manage DNS servers.[[Dnscmd Microsoft](/references/24b1cb7b-357f-470f-9715-fa0ec3958cbb)]", 
@@ -8053,7 +8053,7 @@ } ], "uuid": "2e252d44-c667-4570-950b-255c7f291f24", - "value": "dnx.exe" + "value": "dnx.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** .Net Execution environment file included with .Net.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* N/A\n\n**Resources:**\n* [https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/](https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_dnx.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[dnx.exe - LOLBAS Project](/references/50652a27-c47b-41d4-a2eb-2ebf74e5bd09)]", 
@@ -8121,7 +8121,7 @@ } ], "uuid": "83b39733-9672-4272-922f-7883d91ca94b", - "value": "Retefe" + "value": "Retefe - Associated Software" }, { "description": "[Dok](https://app.tidalcyber.com/software/dfa14314-3c64-4a10-9889-0423b884f7aa) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)).[[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)][[hexed osx.dok analysis 2019](https://app.tidalcyber.com/references/96f9d36a-01a5-418e-85f4-957e58d49c1b)][[CheckPoint Dok](https://app.tidalcyber.com/references/8c178fd8-db34-45c6-901a-a8b2c178d809)]", 
@@ -8212,7 +8212,7 @@ } ], "uuid": "d9e30f26-11a6-48f5-bb26-d9b624b6b1d0", - "value": "Dotnet.exe" + "value": "Dotnet.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** dotnet.exe comes with .NET Framework\n\n**Author:** felamos\n\n**Paths:**\n* C:\\Program Files\\dotnet\\dotnet.exe\n\n**Resources:**\n* [https://twitter.com/_felamos/status/1204705548668555264](https://twitter.com/_felamos/status/1204705548668555264)\n* [https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc](https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc)\n* [https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/](https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/)\n* [https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/](https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_dotnet.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: dotnet.exe spawned an unknown process[[Dotnet.exe - LOLBAS Project](/references/8abe21ad-88d1-4a5c-b79e-8216b4b06862)]", 
@@ -8253,7 +8253,7 @@ } ], "uuid": "48f30a38-0b80-45ad-9f80-d99c96c79cf4", - "value": "Delphacy" + "value": "Delphacy - Associated Software" }, { "description": "[Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) is a first-stage downloader written in Delphi that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) in rare instances between 2013 and 2015. [[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]", @@ -8373,7 +8373,7 @@ } ], "uuid": "614ca144-20e8-4387-b723-4a5f3cd7164b", - "value": "Bugat v5" + "value": "Bugat v5 - Associated Software" }, { "description": "[Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://app.tidalcyber.com/software/e3cd4405-b698-41d9-88e4-fff29e7a19e2) was created from the source code of the Bugat banking Trojan (also known as Cridex).[[Dell Dridex Oct 2015](https://app.tidalcyber.com/references/f81ce947-d875-4631-9709-b54c8b5d25bc)][[Kaspersky Dridex May 2017](https://app.tidalcyber.com/references/52c48bc3-2b53-4214-85c3-7e5dd036c969)][[Treasury EvilCorp Dec 2019](https://app.tidalcyber.com/references/074a52c4-26d9-4083-9349-c14e2639c1bc)]", 
@@ -8480,7 +8480,7 @@ } ], "uuid": "dc0ffa58-c5d3-4ea4-ab3f-4e9e75bc92b8", - "value": "dsdbutil.exe" + "value": "dsdbutil.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.\n\n**Author:** Ekitji\n\n**Paths:**\n* C:\\Windows\\System32\\dsdbutil.exe\n* C:\\Windows\\SysWOW64\\dsdbutil.exe\n\n**Resources:**\n* [https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358](https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358)\n* [https://www.netwrix.com/ntds_dit_security_active_directory.html](https://www.netwrix.com/ntds_dit_security_active_directory.html)\n\n**Detection:**\n* IOC: Event ID 4688\n* IOC: dsdbutil.exe process creation\n* IOC: Event ID 4663\n* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit\n* IOC: Event ID 4656\n* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit\n* Analysis: None Provided\n* Sigma: None Provided\n* Elastic: None Provided\n* Splunk: None Provided\n* BlockRule: None Provided[[dsdbutil.exe - LOLBAS Project](/references/fc982faf-a37d-4d0b-949c-f7a27adc3030)]", 
@@ -8520,7 +8520,7 @@ } ], "uuid": "8e9c7640-e49f-42ea-b28f-a00e4019fb4c", - "value": "dsquery.exe" + "value": "dsquery.exe - Associated Software" }, { "description": "[dsquery](https://app.tidalcyber.com/software/06402bdc-a4a1-4e4a-bfc4-09f2c159af75) is a command-line utility that can be used to query Active Directory for information from a system within a domain. [[TechNet Dsquery](https://app.tidalcyber.com/references/bbbb4a45-2963-4f04-901a-fb2752800e12)] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.", @@ -8601,7 +8601,7 @@ } ], "uuid": "cf43ff32-746a-44c9-9fbe-aa50b747f5a8", - "value": "Dump64.exe" + "value": "Dump64.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Memory dump tool that comes with Microsoft Visual Studio\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\Feedback\\dump64.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1460597833917251595](https://twitter.com/mrd0x/status/1460597833917251595)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_dump64.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[Dump64.exe - LOLBAS Project](/references/b0186447-a6d5-40d7-a11d-ab2e9fb93087)]", 
@@ -8644,7 +8644,7 @@ } ], "uuid": "2aeee11b-2b25-4b93-ad2f-1bb60ac491a4", - "value": "DumpMinitool.exe" + "value": "DumpMinitool.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dump tool part Visual Studio 2022\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1511415432888131586](https://twitter.com/mrd0x/status/1511415432888131586)\n\n**Detection:**\n* Sigma: [proc_creation_win_dumpminitool_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml)\n* Sigma: [proc_creation_win_dumpminitool_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml)\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]", 
@@ -8706,7 +8706,7 @@
 }
 ],
 "uuid": "f41beff8-0ae1-48d6-bb13-b47c4763f4d1",
- "value": "NeD Worm"
+ "value": "NeD Worm - Associated Software"
 },
 {
 "description": "[DustySky](https://app.tidalcyber.com/software/77506f02-104f-4aac-a4e0-9649bd7efe2e) is multi-stage malware written in .NET that has been used by [Molerats](https://app.tidalcyber.com/groups/679b7b6b-9659-4e56-9ffd-688a6fab01b6) since May 2015. [[DustySky](https://app.tidalcyber.com/references/b9e0770d-f54a-4ada-abd1-65c45eee00fa)] [[DustySky2](https://app.tidalcyber.com/references/4a3ecdec-254c-4eb4-9126-f540bb21dffe)][[Kaspersky MoleRATs April 2019](https://app.tidalcyber.com/references/38216a34-5ffd-4e79-80b1-7270743b728e)]",
@@ -8754,7 +8754,7 @@
 }
 ],
 "uuid": "71444288-becb-435f-b1f9-b4abce44d092",
- "value": "Dxcap.exe"
+ "value": "Dxcap.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** DirectX diagnostics/debugger included with Visual Studio.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\dxcap.exe\n* C:\\Windows\\SysWOW64\\dxcap.exe\n\n**Resources:**\n* [https://twitter.com/harr0ey/status/992008180904419328](https://twitter.com/harr0ey/status/992008180904419328)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_dxcap.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml)[[Dxcap.exe - LOLBAS Project](/references/7611eb7a-46b7-4c76-9728-67c1fbf20e17)]",
@@ -8795,7 +8795,7 @@
 }
 ],
 "uuid": "5cad75f1-7395-4eb1-9370-c36857b4fcb4",
- "value": "Dyzap"
+ "value": "Dyzap - Associated Software"
 },
 {
 "description": "[[Sophos Dyreza April 2015](https://app.tidalcyber.com/references/50f9aa49-dde5-42c9-ba5c-f42281a71b7e)]",
@@ -8809,7 +8809,7 @@
 }
 ],
 "uuid": "ee1346ac-a3e0-45dd-963c-497fca47c3e8",
- "value": "Dyreza"
+ "value": "Dyreza - Associated Software"
 },
 {
 "description": "[Dyre](https://app.tidalcyber.com/software/38e012f7-fb3a-4250-a129-92da3a488724) is a banking Trojan that has been used for financial gain. \n [[Symantec Dyre June 2015](https://app.tidalcyber.com/references/a9780bb0-302f-44c2-8252-b53d94da24e6)][[Malwarebytes Dyreza November 2015](https://app.tidalcyber.com/references/0a5719f2-8a88-44e2-81c5-2d16a39f1f8d)]",
@@ -8945,7 +8945,7 @@
 }
 ],
 "uuid": "3c935fc9-aedf-4800-b6a1-f52612702600",
- "value": "HEAVYHAND"
+ "value": "HEAVYHAND - Associated Software"
 },
 {
 "description": "[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]",
@@ -8959,7 +8959,7 @@
 }
 ],
 "uuid": "8c68d850-b73d-40d8-9499-26ec1c1dbbb2",
- "value": "SigLoader"
+ "value": "SigLoader - Associated Software"
 },
 {
 "description": "[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]",
@@ -8973,7 +8973,7 @@
 }
 ],
 "uuid": "a24219ab-2f4a-4922-864c-ea07e354bab2",
- "value": "DESLoader"
+ "value": "DESLoader - Associated Software"
 },
 {
 "description": "[Ecipekac](https://app.tidalcyber.com/software/6508d3dc-eb22-468c-9122-dcf541caa69c) is a multi-layer loader that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) since at least 2019 including use as a loader for [P8RAT](https://app.tidalcyber.com/software/1933ad3d-3085-4b1b-82b9-ac51b440e2bf), [SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a), and [FYAnti](https://app.tidalcyber.com/software/be9a2ae5-373a-4dee-9c1e-b54235dafed0).[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]",
@@ -9051,7 +9051,7 @@
 }
 ],
 "uuid": "de4852b9-1f8b-4ef2-b3da-29be62458ea5",
- "value": "SNAKEHOSE"
+ "value": "SNAKEHOSE - Associated Software"
 },
 {
 "description": "[EKANS](https://app.tidalcyber.com/software/cd7821cb-32f3-4d81-a5d1-0cdee94a15c4) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://app.tidalcyber.com/software/cd7821cb-32f3-4d81-a5d1-0cdee94a15c4) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://app.tidalcyber.com/software/d8a4a817-2914-47b0-867c-ad8eeb7efd10).[[Dragos EKANS](https://app.tidalcyber.com/references/c8a018c5-caa3-4af1-b210-b65bbf94c8b2)][[Palo Alto Unit 42 EKANS](https://app.tidalcyber.com/references/dcdd4e48-3c3d-4008-a6f6-390f896f147b)]",
@@ -9094,7 +9094,7 @@
 }
 ],
 "uuid": "87856d15-2fdc-42fd-b8c0-d48505ec5691",
- "value": "Page"
+ "value": "Page - Associated Software"
 },
 {
 "description": "[[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)]",
@@ -9108,7 +9108,7 @@
 }
 ],
 "uuid": "12b94df0-6a70-4946-8672-72e770bc12a1",
- "value": "BKDR_ESILE"
+ "value": "BKDR_ESILE - Associated Software"
 },
 {
 "description": "[Elise](https://app.tidalcyber.com/software/fd5efee9-8710-4536-861f-c88d882f4d24) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://app.tidalcyber.com/groups/2849455a-cf39-4a9f-bd89-c2b3c1e5dd52). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. [[Lotus Blossom Jun 2015](https://app.tidalcyber.com/references/46fdb8ca-b14d-43bd-a20f-cae7b26e56c6)][[Accenture Dragonfish Jan 2018](https://app.tidalcyber.com/references/f692c6fa-7b3a-4d1d-9002-b1a59f7116f4)]",
@@ -9208,7 +9208,7 @@
 }
 ],
 "uuid": "ee981808-fa0c-462c-b767-e48f1ca7122a",
- "value": "Geodo"
+ "value": "Geodo - Associated Software"
 },
 {
 "description": "[Emotet](https://app.tidalcyber.com/software/c987d255-a351-4736-913f-91e2f28d0654) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) and [IcedID](https://app.tidalcyber.com/software/7f59bb7c-5fa9-497d-9d8e-ba9349fd9433). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [[Trend Micro Banking Malware Jan 2019](https://app.tidalcyber.com/references/4fee21e3-1b8f-4e10-b077-b59e2df94633)]",
@@ -9260,7 +9260,7 @@
 }
 ],
 "uuid": "55859df1-5c3b-4b9b-b0d0-39c5c82c59f9",
- "value": "EmPyre"
+ "value": "EmPyre - Associated Software"
 },
 {
 "description": "[[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)]",
@@ -9274,7 +9274,7 @@
 }
 ],
 "uuid": "8745d0f6-8771-4588-bd2f-b80d418908ee",
- "value": "PowerShell Empire"
+ "value": "PowerShell Empire - Associated Software"
 },
 {
 "description": "[Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) for Windows and Python for Linux/macOS. [Empire](https://app.tidalcyber.com/software/fea655ac-558f-4dd0-867f-9a5553626207) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)][[Github PowerShell Empire](https://app.tidalcyber.com/references/017ec673-454c-492a-a65b-10d3a20dfdab)][[GitHub ATTACK Empire](https://app.tidalcyber.com/references/b3d6bb33-2b23-4c0a-b8fa-e002a5c7edfc)]",
@@ -9421,7 +9421,7 @@
 }
 ],
 "uuid": "c9f72733-1557-4a9c-9a07-b87e80d84b01",
- "value": "Tavdig"
+ "value": "Tavdig - Associated Software"
 },
 {
 "description": "[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]",
@@ -9435,7 +9435,7 @@
 }
 ],
 "uuid": "b0614725-7a40-4a46-9d57-79dfd157af91",
- "value": "Wipbot"
+ "value": "Wipbot - Associated Software"
 },
 {
 "description": "[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]",
@@ -9449,7 +9449,7 @@
 }
 ],
 "uuid": "40bd7e6b-f282-4fac-a707-e21b256e0c52",
- "value": "WorldCupSec"
+ "value": "WorldCupSec - Associated Software"
 },
 {
 "description": "[[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]",
@@ -9463,7 +9463,7 @@
 }
 ],
 "uuid": "eafca858-2534-4dea-b50c-ddf9a9a490f8",
- "value": "TadjMakhal"
+ "value": "TadjMakhal - Associated Software"
 },
 {
 "description": "[Epic](https://app.tidalcyber.com/software/a7e71387-b276-413c-a0de-4cf07e39b158) is a backdoor that has been used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2). [[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]",
@@ -9521,7 +9521,7 @@
 }
 ],
 "uuid": "285440ba-037a-4b5c-a089-e0af02a62236",
- "value": "esentutl.exe"
+ "value": "esentutl.exe - Associated Software"
 },
 {
 "description": "[esentutl](https://app.tidalcyber.com/software/a7589733-6b04-4215-a4e7-4b62cd4610fa) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[[Microsoft Esentutl](https://app.tidalcyber.com/references/08fb9e84-495f-4710-bd1e-417eb8191a10)]",
@@ -9575,7 +9575,7 @@
 }
 ],
 "uuid": "51125aee-d1af-4414-90fa-84b6c977c100",
- "value": "Eventvwr.exe"
+ "value": "Eventvwr.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Displays Windows Event Logs in a GUI window.\n\n**Author:** Jacob Gajek\n\n**Paths:**\n* C:\\Windows\\System32\\eventvwr.exe\n* C:\\Windows\\SysWOW64\\eventvwr.exe\n\n**Resources:**\n* [https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)\n* [https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1](https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1)\n* [https://twitter.com/orange_8361/status/1518970259868626944](https://twitter.com/orange_8361/status/1518970259868626944)\n\n**Detection:**\n* Sigma: [proc_creation_win_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml)\n* Sigma: [registry_set_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml)\n* Sigma: [file_event_win_uac_bypass_eventvwr.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml)\n* Elastic: [privilege_escalation_uac_bypass_event_viewer.toml](https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml)\n* Splunk: [eventvwr_uac_bypass.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml)\n* IOC: eventvwr.exe launching child process other than mmc.exe\n* IOC: Creation or modification of the registry value HKCU\\Software\\Classes\\mscfile\\shell\\open\\command[[Eventvwr.exe - LOLBAS Project](/references/0c09812a-a936-4282-b574-35a00f631857)]",
@@ -9774,7 +9774,7 @@
 }
 ],
 "uuid": "a878dcfe-76d9-435d-8b14-b0490db7e1a8",
- "value": "Excel.exe"
+ "value": "Excel.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary\n\n**Author:** Reegun J (OCBC Bank)\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\Excel.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\Excel.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\Excel.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\Excel.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Excel.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Excel.exe\n\n**Resources:**\n* [https://twitter.com/reegun21/status/1150032506504151040](https://twitter.com/reegun21/status/1150032506504151040)\n* [https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_office.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml)\n* IOC: Suspicious Office application Internet/network traffic[[Excel.exe - LOLBAS Project](/references/9a2458f7-63ca-4eca-8c61-b6098ec0798f)]",
@@ -9841,7 +9841,7 @@
 }
 ],
 "uuid": "7ffda0fe-4375-443e-a8c7-df5dabc104f9",
- "value": "Expand.exe"
+ "value": "Expand.exe - Associated Software"
 },
 {
 "description": "[Expand](https://app.tidalcyber.com/software/5d7a39e3-c667-45b3-987e-3b0ca49cff61) is a Windows utility used to expand one or more compressed CAB files.[[Microsoft Expand Utility](https://app.tidalcyber.com/references/bf73a375-87b7-4603-8734-9f3d8d11967e)] It has been used by [BBSRAT](https://app.tidalcyber.com/software/be4dab36-d499-4ac3-b204-5e309e3a5331) to decompress a CAB file into executable content.[[Palo Alto Networks BBSRAT](https://app.tidalcyber.com/references/8c5d61ba-24c5-4f6c-a208-e0a5d23ebb49)]",
@@ -9887,7 +9887,7 @@
 }
 ],
 "uuid": "f6b34f5e-3bec-4098-98b8-2ea74f184ecc",
- "value": "Explorer.exe"
+ "value": "Explorer.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used for managing files and system components within Windows\n\n**Author:** Jai Minton\n\n**Paths:**\n* C:\\Windows\\explorer.exe\n* C:\\Windows\\SysWOW64\\explorer.exe\n\n**Resources:**\n* [https://twitter.com/CyberRaiju/status/1273597319322058752?s=20](https://twitter.com/CyberRaiju/status/1273597319322058752?s=20)\n* [https://twitter.com/bohops/status/1276356245541335048](https://twitter.com/bohops/status/1276356245541335048)\n* [https://twitter.com/bohops/status/986984122563391488](https://twitter.com/bohops/status/986984122563391488)\n\n**Detection:**\n* Sigma: [proc_creation_win_explorer_break_process_tree.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml)\n* Sigma: [proc_creation_win_explorer_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_explorer_lolbin_execution.yml)\n* Elastic: [initial_access_via_explorer_suspicious_child_parent_args.toml](https://github.com/elastic/detection-rules/blob/f2bc0c685d83db7db395fc3dc4b9729759cd4329/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml)\n* IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.[[Explorer.exe - LOLBAS Project](/references/9ba3d54c-02d1-45bd-bfe8-939e84d9d44b)]",
@@ -9962,7 +9962,7 @@
 }
 ],
 "uuid": "ef321c97-a66d-4dbc-8ed6-c002e141ffdc",
- "value": "Extexport.exe"
+ "value": "Extexport.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load a DLL located in the c:\\test folder with a specific name.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Internet Explorer\\Extexport.exe\n* C:\\Program Files (x86)\\Internet Explorer\\Extexport.exe\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/](http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_extexport.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml)\n* IOC: Extexport.exe loads dll and is execute from other folder the original path[[Extexport.exe - LOLBAS Project](/references/2aa09a10-a492-4753-bbd8-aacd31e4fee3)]",
@@ -10037,7 +10037,7 @@
 }
 ],
 "uuid": "84483c62-922d-49c5-b688-c106c2496545",
- "value": "Extrac32.exe"
+ "value": "Extrac32.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Extract to ADS, copy or overwrite a file with Extrac32.exe\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\extrac32.exe\n* C:\\Windows\\SysWOW64\\extrac32.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n* [https://twitter.com/egre55/status/985994639202283520](https://twitter.com/egre55/status/985994639202283520)\n\n**Detection:**\n* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)\n* Sigma: [proc_creation_win_lolbin_extrac32.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml)\n* Sigma: [proc_creation_win_lolbin_extrac32_ads.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml)[[Extrac32.exe - LOLBAS Project](/references/ae632afc-336c-488e-81f6-91ffe1829595)]",
@@ -10181,7 +10181,7 @@
 }
 ],
 "uuid": "78026ff0-63f0-42d8-81de-e02ad8223d68",
- "value": "GreyEnergy mini"
+ "value": "GreyEnergy mini - Associated Software"
 },
 {
 "description": "[FELIXROOT](https://app.tidalcyber.com/software/4b1a07cd-4c1f-4d93-a454-07fd59b3039a) is a backdoor that has been used to target Ukrainian victims. [[FireEye FELIXROOT July 2018](https://app.tidalcyber.com/references/501057e2-9a31-46fe-aaa0-427218682153)]",
@@ -10329,7 +10329,7 @@
 }
 ],
 "uuid": "8c3183d9-da91-449e-94e5-1814bec72c1b",
- "value": "Findstr.exe"
+ "value": "Findstr.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Write to ADS, discover, or download files with Findstr.exe\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\findstr.exe\n* C:\\Windows\\SysWOW64\\findstr.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_findstr.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml)[[Findstr.exe - LOLBAS Project](/references/fc4b7b28-ac74-4a8f-a39d-ce55df5fca08)]",
@@ -10378,7 +10378,7 @@
 }
 ],
 "uuid": "132b2577-e54e-49d4-8579-963dea48bd6a",
- "value": "FinSpy"
+ "value": "FinSpy - Associated Software"
 },
 {
 "description": "[FinFisher](https://app.tidalcyber.com/software/41f54ce1-842c-428a-977f-518a5b63b4d7) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://app.tidalcyber.com/software/3e70078f-407e-4b03-b604-bdc05b372f37). [[FinFisher Citation](https://app.tidalcyber.com/references/6ef0b8d8-ba98-49ce-807d-5a85d111b027)] [[Microsoft SIR Vol 21](https://app.tidalcyber.com/references/619b9cf8-7201-45de-9c36-834ccee356a9)] [[FireEye FinSpy Sept 2017](https://app.tidalcyber.com/references/142cf7a3-2ca2-4cf3-b95a-9f4b3bc1cdce)] [[Securelist BlackOasis Oct 2017](https://app.tidalcyber.com/references/66121c37-6b66-4ab2-9f63-1adb80dcec62)] [[Microsoft FinFisher March 2018](https://app.tidalcyber.com/references/88c97a9a-ef14-4695-bde0-9de2b5f5343b)]",
@@ -10424,7 +10424,7 @@
 }
 ],
 "uuid": "44e3833b-bf22-4adb-9986-95f4e8898f21",
- "value": "Finger.exe"
+ "value": "Finger.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Displays information about a user or users on a specified remote computer that is running the Finger service or daemon\n\n**Author:** Ruben Revuelta\n\n**Paths:**\n* c:\\windows\\system32\\finger.exe\n* c:\\windows\\syswow64\\finger.exe\n\n**Resources:**\n* [https://twitter.com/DissectMalware/status/997340270273409024](https://twitter.com/DissectMalware/status/997340270273409024)\n* [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11))\n\n**Detection:**\n* Sigma: [proc_creation_win_finger_usage.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml)\n* IOC: finger.exe should not be run on a normal workstation.\n* IOC: finger.exe connecting to external resources.[[Finger.exe - LOLBAS Project](/references/e32d01eb-d904-43dc-a7e2-bdcf42f3ebb2)]",
@@ -10524,7 +10524,7 @@
 }
 ],
 "uuid": "4a135c64-23dd-4850-8484-d9805d3663b5",
- "value": "Flamer"
+ "value": "Flamer - Associated Software"
 },
 {
 "description": "[[Kaspersky Flame](https://app.tidalcyber.com/references/6db8f76d-fe38-43b1-ad85-ad372da9c09d)] [[Crysys Skywiper](https://app.tidalcyber.com/references/ea35f530-b0fd-4e27-a7a9-6ba41566154c)]",
@@ -10538,7 +10538,7 @@
 }
 ],
 "uuid": "9a1c376d-6ef8-4d18-a4ff-e28751d30ae1",
- "value": "sKyWIper"
+ "value": "sKyWIper - Associated Software"
 },
 {
 "description": "[Flame](https://app.tidalcyber.com/software/87604333-638f-4f4a-94e0-16aa825dd5b8) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [[Kaspersky Flame](https://app.tidalcyber.com/references/6db8f76d-fe38-43b1-ad85-ad372da9c09d)]",
@@ -10640,7 +10640,7 @@
 }
 ],
 "uuid": "c6731561-3f22-451d-adf8-4b80ef07ce65",
- "value": "BARBWIRE"
+ "value": "BARBWIRE - Associated Software"
 },
 {
 "description": "[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
@@ -10656,7 +10656,7 @@
 }
 ],
 "uuid": "70bf0820-6ce7-4877-a668-6583aef5a4c2",
- "value": "GraceWire"
+ "value": "GraceWire - Associated Software"
 },
 {
 "description": "[FlawedGrace](https://app.tidalcyber.com/software/c558e948-c817-4494-a95d-ad3207f10e26) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[[Proofpoint TA505 Jan 2019](https://app.tidalcyber.com/references/b744f739-8810-4fb9-96e3-6488f9ed6305)]",
@@ -10711,7 +10711,7 @@
 }
 ],
 "uuid": "6f5b39e8-5c52-478c-b9f6-89822c43d859",
- "value": "Commander"
+ "value": "Commander - Associated Software"
 },
 {
 "description": "FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[[Cyber Centre ALPHV/BlackCat July 25 2023](/references/610c8f22-1a96-42d2-934d-8467d136eed2)][[CrowdStrike Scattered Spider SIM Swapping December 22 2022](/references/e48760ba-2752-4d30-8f99-152c81f63017)]",
@@ -10786,7 +10786,7 @@
 }
 ],
 "uuid": "91939985-db0a-4ba9-9fd7-9785615cc0f4",
- "value": "fltMC.exe"
+ "value": "fltMC.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Filter Manager Control Program used by Windows\n\n**Author:** John Lambert\n\n**Paths:**\n* C:\\Windows\\System32\\fltMC.exe\n\n**Resources:**\n* [https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon](https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon)\n\n**Detection:**\n* Sigma: [proc_creation_win_fltmc_unload_driver_sysmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml)\n* Elastic: [defense_evasion_via_filter_manager.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_via_filter_manager.toml)\n* Splunk: [unload_sysmon_filter_driver.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/unload_sysmon_filter_driver.yml)\n* IOC: 4688 events with fltMC.exe[[fltMC.exe - LOLBAS Project](/references/cf9b4bd3-92f0-405b-85e7-95e65d548b79)]",
@@ -10857,7 +10857,7 @@
 }
 ],
 "uuid": "f283d74b-b2fe-4974-8dc2-d33c93575b2a",
- "value": "Forfiles.exe"
+ "value": "Forfiles.exe - Associated Software"
 },
 {
 "description": "[Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [[Microsoft Forfiles Aug 2016](https://app.tidalcyber.com/references/fd7eaa47-3512-4dbd-b881-bc679d06cd1b)]",
@@ -10906,7 +10906,7 @@
 }
 ],
 "uuid": "ebc42f24-1194-4e44-baa2-50dfa222162e",
- "value": "Trinity"
+ "value": "Trinity - Associated Software"
 },
 {
 "description": "[FrameworkPOS](https://app.tidalcyber.com/software/aef7cbbc-5163-419c-8e4b-3f73bed50474) is a point of sale (POS) malware used by [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c) to steal payment card data from sytems that run physical POS devices.[[SentinelOne FrameworkPOS September 2019](https://app.tidalcyber.com/references/054d7827-3d0c-40a7-b2a0-1428ad7729ea)]",
@@ -11002,7 +11002,7 @@
 }
 ],
 "uuid": "33c9b15d-da72-49ab-b5a3-918c93ea5208",
- "value": "Fsi.exe"
+ "value": "Fsi.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Program Files\\dotnet\\sdk\\[sdk version]\\FSharp\\fsi.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\CommonExtensions\\Microsoft\\FSharp\\fsi.exe\n\n**Resources:**\n* [https://twitter.com/NickTyrer/status/904273264385589248](https://twitter.com/NickTyrer/status/904273264385589248)\n* [https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/](https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/)\n\n**Detection:**\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Fsi.exe execution may be suspicious on non-developer machines\n* Sigma: [proc_creation_win_lolbin_fsharp_interpreters.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml)[[Fsi.exe - LOLBAS Project](/references/4e14e87f-2ad9-4959-8cb2-8585b67931c0)]",
@@ -11053,7 +11053,7 @@
 }
 ],
 "uuid": "0c8284cf-4e6f-4660-9381-76c08e0a6244",
- "value": "FsiAnyCpu.exe"
+ "value": "FsiAnyCpu.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** 32/64-bit FSharp (F#) Interpreter included with Visual Studio.\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\CommonExtensions\\Microsoft\\FSharp\\fsianycpu.exe\n\n**Resources:**\n* [https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/](https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines\n* Sigma: [proc_creation_win_lolbin_fsharp_interpreters.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml)[[FsiAnyCpu.exe - LOLBAS Project](/references/87031d31-b6d7-4860-b11b-5a0dc8774d92)]",
@@ -11096,7 +11096,7 @@ } ], "uuid": "142b3451-bb26-4bb2-8d22-58cccd0f52ee", - "value": "Fsutil.exe" + "value": "Fsutil.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** File System Utility\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\fsutil.exe\n* C:\\Windows\\SysWOW64\\fsutil.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1720724516324704404](https://twitter.com/0gtweet/status/1720724516324704404)\n\n**Detection:**\n* IOC: fsutil.exe should not be run on a normal workstation\n* IOC: file setZeroData (not case-sensitive) in the process arguments\n* IOC: Sysmon Event ID 1\n* IOC: Execution of process fsutil.exe with trace decode could be suspicious\n* IOC: Non-Windows netsh.exe execution\n* Sigma: [proc_creation_win_susp_fsutil_usage.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml)[[Fsutil.exe - LOLBAS Project](/references/e2305dac-4245-4fac-8813-69cb210e9cd3)]", @@ -11137,7 +11137,7 @@ } ], "uuid": "4cce70d6-bf60-4943-9342-a9f3f306aea0", - "value": "ftp.exe" + "value": "ftp.exe - Associated Software" }, { "description": "[ftp](https://app.tidalcyber.com/software/062deac9-8f05-44e2-b347-96b59ba166ca) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Microsoft FTP](https://app.tidalcyber.com/references/970f8d16-f5b7-44e2-b81f-738b931c60d9)][[Linux FTP](https://app.tidalcyber.com/references/021ea6bc-abff-48de-a6bb-315dbbfa6147)]", 
@@ -11228,7 +11228,7 @@ } ], "uuid": "b9e7470c-e179-4efd-b472-ba146d8cf8fa", - "value": "DILLJUICE stage2" + "value": "DILLJUICE stage2 - Associated Software" }, { "description": "[FYAnti](https://app.tidalcyber.com/software/be9a2ae5-373a-4dee-9c1e-b54235dafed0) is a loader that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) since at least 2020, including to deploy [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b).[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", @@ -11299,7 +11299,7 @@ } ], "uuid": "24e22e4a-0c90-48e6-94ed-f212b21f7212", - "value": "WhiteBear" + "value": "WhiteBear - Associated Software" }, { "description": "[Gazer](https://app.tidalcyber.com/software/7a60b984-b0c8-4acc-be24-841f4b652872) is a backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2016. [[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]", @@ -11345,7 +11345,7 @@ } ], "uuid": "b270fcf2-72ea-41c5-89fe-addb6cefd547", - "value": "Gelsevirine" + "value": "Gelsevirine - Associated Software" }, { "description": "[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", @@ -11359,7 +11359,7 @@ } ], "uuid": "86499f47-083e-47a5-ad8c-032f54f26359", - "value": "Gelsenicine" + "value": "Gelsenicine - Associated Software" }, { "description": "[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", 
@@ -11373,7 +11373,7 @@ } ], "uuid": "2f00732c-43a7-4253-a5eb-990d8466eb01", - "value": "Gelsemine" + "value": "Gelsemine - Associated Software" }, { "description": "[Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) has been used by the Gelsemium group since at least 2014.[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", 
@@ -11475,7 +11475,7 @@ } ], "uuid": "396335cb-1404-44f1-9d73-387e468bc781", - "value": "GfxDownloadWrapper.exe" + "value": "GfxDownloadWrapper.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.\n\n**Author:** Jesus Galvez\n\n**Paths:**\n* c:\\windows\\system32\\driverstore\\filerepository\\64kb6472.inf_amd64_3daef03bbe98572b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_0e9c57ae3396e055\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_209bd95d56b1ac2d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_3fa2a843f8b7f16d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_85c860f05274baa0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_f7412e3e3404de80\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_comp.inf_amd64_feb9f1cf05b0de58\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_component.inf_amd64_0219cc1c7085a93f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_component.inf_amd64_df4f60b1cae9b14a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_16eb18b0e2526e57\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_1c77f1231c19bc72\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_31c60cc38cfcca28\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_82f69cea8b2d928f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_0606619cc97463de\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_0e95edab338ad669\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_22aac1442d387216\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_2461d914696db722\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_29d727269a34edf5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_2caf76dbce56546d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_353320edb98da643\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_4ea0ed0af1507894\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_56a48f4f1c2da7a7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_64f23fdadb76a511\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_668dd0c6d3f9fa0e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_6be8e5b7f731a6e5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_6dad7e4e9a8fa889\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_6df442103a1937a4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_767e7683f9ad126c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_8644298f665a12c4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_868acf86149aef5d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_92cf9d9d84f1d3db\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_93239c65f222d453\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_9de8154b682af864\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_a7428663aca90897\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_ad7cb5e55a410add\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_afbf41cf8ab202d7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_d193c96475eaa96e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_db953c52208ada71\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_e7523682cc7528cc\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_e9f341319ca84274\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_f3a64c75ee4defb7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch.inf_amd64_f51939e52b944f4b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch_comp.inf_amd64_4938423c9b9639d7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\cui_dch_comp.inf_amd64_deecec7d232ced2b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_01ee1299f4982efe\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_02edfc87000937e4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0541b698fc6e40b0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0707757077710fff\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0b3e3ed3ace9602a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_0cff362f9dff4228\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_16ed7d82b93e4f68\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1a33d2f73651d989\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1aca2a92a37fce23\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1af2dd3e4df5fd61\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_1d571527c7083952\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_23f7302c2b9ee813\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_24de78387e6208e4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_250db833a1cd577e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_25e7c5a58c052bc5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_28d80681d3523b1c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_2dda3b1147a3a572\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_31ba00ea6900d67d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_329877a66f240808\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_42af9f4718aa1395\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_4645af5c659ae51a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_48c2e68e54c92258\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_48e7e903a369eae2\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_491d20003583dabe\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_4b34c18659561116\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_51ce968bf19942c2\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_555cfc07a674ecdd\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_561bd21d54545ed3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_579a75f602cc2dce\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_57f66a4f0a97f1a3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_587befb80671fb38\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_62f096fe77e085c0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_6ae0ddbb4a38e23c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_6bb02522ea3fdb0d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_6d34ac0763025a06\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_712b6a0adbaabc0a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_78b09d9681a2400f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_842874489af34daa\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_88084eb1fe7cebc3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_89033455cb08186f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_8a9535cd18c90bc3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_8c1fc948b5a01c52\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_9088b61921a6ff9f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_90f68cd0dc48b625\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_95cb371d046d4b4c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_a58de0cf5f3e9dca\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_abe9d37302f8b1ae\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_acb3edda7b82982f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_aebc5a8535dd3184\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_b5d4c82c67b39358\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_b846bbf1e81ea3cf\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_babb2e8b8072ff3b\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_bc75cebf5edbbc50\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_be91293cf20d4372\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c11f4d5f0bc4c592\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c4e5173126d31cf0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c4f600ffe34acc7b\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c8634ed19e331cda\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_c9081e50bcffa972\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_ceddadac8a2b489e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_d4406f0ad6ec2581\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_d5877a2e0e6374b6\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_d8ca5f86add535ef\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_e8abe176c7b553b5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_eabb3ac2c517211f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_f8d8be8fea71e1a0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_fe5e116bb07c0629\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64.inf_amd64_fe73d2ebaa05fb95\\\n* c:\\windows\\system32\\driverstore\\filerepository\\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\\\n* c:\\windows\\system32\\driverstore\\filerepository\\k127153.inf_amd64_364f43f2a27f7bd7\\\n* c:\\windows\\system32\\driverstore\\filerepository\\k127153.inf_amd64_3f3936d8dec668b8\\\n* c:\\windows\\system32\\driverstore\\filerepository\\k127793.inf_amd64_3ab7883eddccbf0f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129523.inf_amd64_32947eecf8f3e231\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\ki126950.inf_amd64_fa7f56314967630d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126951.inf_amd64_94804e3918169543\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126973.inf_amd64_06dde156632145e3\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki126974.inf_amd64_9168fc04b8275db9\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127005.inf_amd64_753576c4406c1193\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127018.inf_amd64_0f67ff47e9e30716\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127021.inf_amd64_0d68af55c12c7c17\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127171.inf_amd64_368f8c7337214025\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127176.inf_amd64_86c658cabfb17c9c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127390.inf_amd64_e1ccb879ece8f084\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127678.inf_amd64_8427d3a09f47dfc1\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127727.inf_amd64_cf8e31692f82192e\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127807.inf_amd64_fc915899816dbc5d\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki127850.inf_amd64_6ad8d99023b59fd5\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki128602.inf_amd64_6ff790822fd674ab\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki128916.inf_amd64_3509e1eb83b83cfb\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129407.inf_amd64_f26f36ac54ce3076\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129633.inf_amd64_d9b8af875f664a8c\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki129866.inf_amd64_e7cdca9882c16f55\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130274.inf_amd64_bafd2440fa1ffdd6\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130350.inf_amd64_696b7c6764071b63\\\n* 
c:\\windows\\system32\\driverstore\\filerepository\\ki130409.inf_amd64_0d8d61270dfb4560\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130471.inf_amd64_26ad6921447aa568\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130624.inf_amd64_d85487143eec5e1a\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130825.inf_amd64_ee3ba427c553f15f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki130871.inf_amd64_382f7c369d4bf777\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131064.inf_amd64_5d13f27a9a9843fa\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131176.inf_amd64_fb4fe914575fdd15\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131191.inf_amd64_d668106cb6f2eae0\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki131622.inf_amd64_0058d71ace34db73\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132032.inf_amd64_f29660d80998e019\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132337.inf_amd64_223d6831ffa64ab1\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132535.inf_amd64_7875dff189ab2fa2\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132544.inf_amd64_b8c1f31373153db4\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132574.inf_amd64_54c9b905b975ee55\\\n* c:\\windows\\system32\\driverstore\\filerepository\\ki132869.inf_amd64_052eb72d070df60f\\\n* c:\\windows\\system32\\driverstore\\filerepository\\kit126731.inf_amd64_1905c9d5f38631d9\\\n\n**Resources:**\n* [https://www.sothis.tech/author/jgalvez/](https://www.sothis.tech/author/jgalvez/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml)\n* IOC: [Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.](Usually GfxDownloadWrapper downloads a JSON file 
from https://gameplayapi.intel.com.)[[GfxDownloadWrapper.exe - LOLBAS Project](/references/5d97b7d7-428e-4408-a4d3-00f52cf4bf15)]", @@ -11515,7 +11515,7 @@ } ], "uuid": "f1c8627e-d1bb-4a15-997c-08d5c8626718", - "value": "Moudoor" + "value": "Moudoor - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -11529,7 +11529,7 @@ } ], "uuid": "d468e609-3469-4308-9fb9-b6ca8655a1b6", - "value": "Mydoor" + "value": "Mydoor - Associated Software" }, { "description": "[gh0st RAT](https://app.tidalcyber.com/software/269ef8f5-35c8-44ba-afe4-63f4c6431427) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[[FireEye Hacking Team](https://app.tidalcyber.com/references/c1e798b8-6771-4ba7-af25-69c640321e40)][[Arbor Musical Chairs Feb 2018](https://app.tidalcyber.com/references/bddf44bb-7a0a-498b-9831-7b73cf9a582e)][[Nccgroup Gh0st April 2018](https://app.tidalcyber.com/references/4476aa0a-b1ef-4ac6-9e44-5721a0b3e92b)]", @@ -11612,7 +11612,7 @@ } ], "uuid": "b7246af4-31b1-42b4-aafd-853a5fd9fbbf", - "value": "Trojan.GTALK" + "value": "Trojan.GTALK - Associated Software" }, { "description": "[GLOOXMAIL](https://app.tidalcyber.com/software/09fdec78-5253-433d-8680-294ba6847be9) is malware used by [APT1](https://app.tidalcyber.com/groups/5307bba1-2674-4fbd-bfd5-1db1ae06fc5f) that mimics legitimate Jabber/XMPP traffic. [[Mandiant APT1](https://app.tidalcyber.com/references/865eba93-cf6a-4e41-bc09-de9b0b3c2669)]", 
@@ -11765,7 +11765,7 @@ } ], "uuid": "c3ca0824-88bf-4489-bd93-7598044d1088", - "value": "SUNSHUTTLE" + "value": "SUNSHUTTLE - Associated Software" }, { "description": "[GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://app.tidalcyber.com/campaigns/8bde8146-0656-5800-82e6-e24e008e4f4a), and has likely been used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least mid-2019. [GoldMax](https://app.tidalcyber.com/software/b05a9763-4288-4656-bf4e-ba02bb8b35d6) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[[MSTIC NOBELIUM Mar 2021](https://app.tidalcyber.com/references/8688a0a9-d644-4b96-81bb-031f1f898652)][[FireEye SUNSHUTTLE Mar 2021](https://app.tidalcyber.com/references/1cdb8a1e-fbed-4db3-b273-5f8f45356dc1)][[CrowdStrike StellarParticle January 2022](https://app.tidalcyber.com/references/149c1446-d6a1-4a63-9420-def9272d6cb9)]", 
@@ -11842,7 +11842,7 @@ } ], "uuid": "34cc45e9-f8c3-4b2d-b8b5-ace1aec167b2", - "value": "Gpscript.exe" + "value": "Gpscript.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by group policy to process scripts\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\gpscript.exe\n* C:\\Windows\\SysWOW64\\gpscript.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/](https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_gpscript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml)\n* IOC: Scripts added in local group policy\n* IOC: Execution of Gpscript.exe after logon[[Gpscript.exe - LOLBAS Project](/references/619f57d9-d93b-4e9b-aae0-6ce89d91deb6)]", @@ -12210,7 +12210,7 @@ } ], "uuid": "cd5e2212-64ec-4bf0-a533-6143542c8df5", - "value": "HammerDuke" + "value": "HammerDuke - Associated Software" }, { "description": "", @@ -12224,7 +12224,7 @@ } ], "uuid": "44c91046-4527-471e-b0d4-a83660594c93", - "value": "NetDuke" + "value": "NetDuke - Associated Software" }, { "description": "[HAMMERTOSS](https://app.tidalcyber.com/software/cc07f03f-9919-4856-9b30-f4d88940b0ec) is a backdoor that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) in 2015. [[FireEye APT29](https://app.tidalcyber.com/references/78ead31e-7450-46e8-89cf-461ae1981994)] [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", 
@@ -12274,7 +12274,7 @@ } ], "uuid": "0616b745-4181-419f-b723-d60034b7c1b5", - "value": "Chanitor" + "value": "Chanitor - Associated Software" }, { "description": "[Hancitor](https://app.tidalcyber.com/software/4eee3272-07fa-48ee-a7b9-9dfee3e4550a) is a downloader that has been used by [Pony](https://app.tidalcyber.com/software/555b612e-3f0d-421d-b2a7-63eb2d1ece5f) and other information stealing malware.[[Threatpost Hancitor](https://app.tidalcyber.com/references/70ad77af-88aa-4f06-a9cb-df9608157841)][[FireEye Hancitor](https://app.tidalcyber.com/references/65a07c8c-5b29-445f-8f01-6e577df4ea62)]", @@ -12431,7 +12431,7 @@ } ], "uuid": "69aa0c3f-0b9e-44f5-b1fe-0b155cff0a5f", - "value": "Custom HDoor" + "value": "Custom HDoor - Associated Software" }, { "description": "[HDoor](https://app.tidalcyber.com/software/f155b6f9-258d-4446-8867-fe5ee26d8c72) is malware that has been customized and used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group. [[Baumgartner Naikon 2015](https://app.tidalcyber.com/references/09302b4f-7f71-4289-92f6-076c685f0810)]", @@ -12535,7 +12535,7 @@ } ], "uuid": "5375e2bd-be8e-4c7b-8173-74ff4f3598b4", - "value": "DriveSlayer" + "value": "DriveSlayer - Associated Software" }, { "description": "[[CISA AA22-057A Destructive Malware February 2022](https://app.tidalcyber.com/references/18684085-c156-4610-8b1f-cc9646f2c06e)][[Symantec Ukraine Wipers February 2022](https://app.tidalcyber.com/references/3ed4cd00-3387-4b80-bda8-0a190dc6353c)]", 
@@ -12549,7 +12549,7 @@ } ], "uuid": "85c3ad5c-ab5d-47b7-ba05-88daf017f1bd", - "value": "Trojan.Killdisk" + "value": "Trojan.Killdisk - Associated Software" }, { "description": "[HermeticWiper](https://app.tidalcyber.com/software/f0456f14-4913-4861-b4ad-5e7f3960040e) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[[SentinelOne Hermetic Wiper February 2022](https://app.tidalcyber.com/references/96825555-1936-4ee3-bb25-423dc16a9116)][[Symantec Ukraine Wipers February 2022](https://app.tidalcyber.com/references/3ed4cd00-3387-4b80-bda8-0a190dc6353c)][[Crowdstrike DriveSlayer February 2022](https://app.tidalcyber.com/references/4f01e901-58f8-4fdb-ac8c-ef4b6bfd068e)][[ESET Hermetic Wiper February 2022](https://app.tidalcyber.com/references/07ef66e8-195b-4afe-a518-ce9e77220038)][[Qualys Hermetic Wiper March 2022](https://app.tidalcyber.com/references/2b25969b-2f0b-4204-9277-596e80c4e626)]", 
@@ -12649,7 +12649,7 @@ } ], "uuid": "8e6a3da3-bab4-40d8-b501-b6a986cbf2df", - "value": "Hh.exe" + "value": "Hh.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used for processing chm files in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\hh.exe\n* C:\\Windows\\SysWOW64\\hh.exe\n\n**Resources:**\n* [https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/](https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/)\n\n**Detection:**\n* Sigma: [proc_creation_win_hh_chm_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml)\n* Sigma: [proc_creation_win_hh_html_help_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml)\n* Elastic: [execution_via_compiled_html_file.toml](https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/execution_via_compiled_html_file.toml)\n* Elastic: [execution_html_help_executable_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml)\n* Splunk: [detect_html_help_spawn_child_process.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_spawn_child_process.yml)\n* Splunk: 
[detect_html_help_url_in_command_line.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_html_help_url_in_command_line.yml)[[Hh.exe - LOLBAS Project](/references/4e09bfcf-f5be-46c5-9ebf-8742ac8d1edc)]", @@ -12898,7 +12898,7 @@ } ], "uuid": "033ae561-8c4e-4b67-995b-b408c39a5c31", - "value": "HUC Packet Transmit Tool" + "value": "HUC Packet Transmit Tool - Associated Software" }, { "description": "[HTRAN](https://app.tidalcyber.com/software/b98d9fe7-9aa3-409a-bf5c-eadb01bac948) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Operation Quantum Entanglement](https://app.tidalcyber.com/references/c94f9652-32c3-4975-a9c0-48f93bdfe790)][[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)]", @@ -12949,7 +12949,7 @@ } ], "uuid": "e0a43dd6-f2c2-4468-bbb8-7413097b6cf3", - "value": "Token Control" + "value": "Token Control - Associated Software" }, { "description": "[[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)]", @@ -12963,7 +12963,7 @@ } ], "uuid": "ae7376fa-b847-4417-bb29-f0316d507a30", - "value": "HttpDump" + "value": "HttpDump - Associated Software" }, { "description": "[HTTPBrowser](https://app.tidalcyber.com/software/c4fe23f7-f18c-40f6-b431-0b104b497eaa) is malware that has been used by several threat groups. [[ThreatStream Evasion Analysis](https://app.tidalcyber.com/references/de6bc044-6275-4cab-80a1-feefebd3c1f0)] [[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)] It is believed to be of Chinese origin. [[ThreatConnect Anthem](https://app.tidalcyber.com/references/61ecd0b4-6cac-4d9f-8e8c-3d488fef6fec)]", 
@@ -13039,7 +13039,7 @@ } ], "uuid": "6289f8d1-0b84-47ff-ba58-cfd3e14776d7", - "value": "Roarur" + "value": "Roarur - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -13053,7 +13053,7 @@ } ], "uuid": "dd780c01-a937-4658-83bd-46a65c054c94", - "value": "HomeUnix" + "value": "HomeUnix - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -13067,7 +13067,7 @@ } ], "uuid": "af34fe17-6c8c-4acb-af9a-e5690b6badf2", - "value": "HydraQ" + "value": "HydraQ - Associated Software" }, { "description": "[[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Trojan.Hydraq Jan 2010](https://app.tidalcyber.com/references/10bed842-400f-4276-972d-5fca794ea778)]", @@ -13081,7 +13081,7 @@ } ], "uuid": "259df672-c6da-4aa9-9bdb-4bc2031ad5c4", - "value": "Aurora" + "value": "Aurora - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -13095,7 +13095,7 @@ } ], "uuid": "6c573ae8-c8be-47df-8f2c-37cf44682526", - "value": "MdmBot" + "value": "MdmBot - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -13109,7 +13109,7 @@ } ], "uuid": "18a743ce-f743-41af-8769-af48e3e327b8", - "value": "Homux" + "value": "Homux - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -13123,7 +13123,7 @@ } ], "uuid": "bfb0d570-1fd7-406c-bce3-f9185b1049cf", - "value": "HidraQ" + "value": "HidraQ - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", 
@@ -13137,7 +13137,7 @@
 }
 ],
 "uuid": "909a0326-a18f-4c92-8f57-f3dc18df4cd5",
- "value": "McRat"
+ "value": "McRat - Associated Software"
 },
 {
 "description": "[[MicroFocus 9002 Aug 2016](https://app.tidalcyber.com/references/a4d6bdd1-e70c-491b-a569-72708095c809)]",
@@ -13151,7 +13151,7 @@
 }
 ],
 "uuid": "b5319b1f-bc11-4e2b-8018-f5cb021fbc4f",
- "value": "9002 RAT"
+ "value": "9002 RAT - Associated Software"
 },
 {
 "description": "[Hydraq](https://app.tidalcyber.com/software/4ffbca79-358a-4ba5-bfbb-dc1694c45646) is a data-theft trojan first used by [Elderwood](https://app.tidalcyber.com/groups/51146bb6-7478-44a3-8f08-19adcdceffca) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://app.tidalcyber.com/groups/5f083251-f5dc-459a-abfc-47a1aa7f5094).[[MicroFocus 9002 Aug 2016](https://app.tidalcyber.com/references/a4d6bdd1-e70c-491b-a569-72708095c809)][[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Trojan.Hydraq Jan 2010](https://app.tidalcyber.com/references/10bed842-400f-4276-972d-5fca794ea778)][[ASERT Seven Pointed Dagger Aug 2015](https://app.tidalcyber.com/references/a8f323c7-82bc-46e6-bd6c-0b631abc644a)][[FireEye DeputyDog 9002 November 2013](https://app.tidalcyber.com/references/68b5a913-b696-4ca5-89ed-63453023d2a2)][[ProofPoint GoT 9002 Aug 2017](https://app.tidalcyber.com/references/b796f889-400c-440b-86b2-1588fd15f3ae)][[FireEye Sunshop Campaign May 2013](https://app.tidalcyber.com/references/ec246c7a-3396-46f9-acc4-a100cb5e5fe6)][[PaloAlto 3102 Sept 2015](https://app.tidalcyber.com/references/db340043-43a7-4b16-a570-92a0d879b2bf)]",
@@ -13342,7 +13342,7 @@
 }
 ],
 "uuid": "a211a6fa-b203-46df-b2d2-244a92bd310c",
- "value": "Ie4uinit.exe"
+ "value": "Ie4uinit.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes commands from a specially prepared ie4uinit.inf file.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\ie4uinit.exe\n* c:\\windows\\sysWOW64\\ie4uinit.exe\n* c:\\windows\\system32\\ieuinit.inf\n* c:\\windows\\sysWOW64\\ieuinit.inf\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* IOC: ie4uinit.exe copied outside of %windir%\n* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%\n* Sigma: [proc_creation_win_lolbin_ie4uinit.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml)[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]",
@@ -13385,7 +13385,7 @@
 }
 ],
 "uuid": "da3647b2-1431-4292-affb-9e24d647a6fe",
- "value": "Ieadvpack.dll"
+ "value": "Ieadvpack.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\ieadvpack.dll\n* c:\\windows\\syswow64\\ieadvpack.dll\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n* [https://twitter.com/pabraeken/status/991695411902599168](https://twitter.com/pabraeken/status/991695411902599168)\n* [https://twitter.com/0rbz_/status/974472392012689408](https://twitter.com/0rbz_/status/974472392012689408)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___advpack.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml)[[Ieadvpack.dll - LOLBAS Project](/references/79943a49-23d6-499b-a022-7c2f8bd68aee)]",
@@ -13428,7 +13428,7 @@
 }
 ],
 "uuid": "8d176fe1-a0f6-48a6-a0d8-ac71faddcc0c",
- "value": "iediagcmd.exe"
+ "value": "iediagcmd.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Diagnostics Utility for Internet Explorer\n\n**Author:** manasmbellani\n\n**Paths:**\n* C:\\Program Files\\Internet Explorer\\iediagcmd.exe\n\n**Resources:**\n* [https://twitter.com/Hexacorn/status/1507516393859731456](https://twitter.com/Hexacorn/status/1507516393859731456)\n\n**Detection:**\n* Sigma: [https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml](https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml)\n* IOC: Sysmon Event ID 1\n* IOC: Execution of process iediagcmd.exe with /out could be suspicious[[iediagcmd.exe - LOLBAS Project](/references/de238a18-2275-497e-adcf-453a016a24c4)]",
@@ -13470,7 +13470,7 @@
 }
 ],
 "uuid": "77a7429e-b1bb-4172-9fc5-3a37a4cedddc",
- "value": "Ieexec.exe"
+ "value": "Ieexec.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ieexec.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ieexec.exe\n\n**Resources:**\n* [https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/](https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_ieexec_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)\n* Elastic: 
[defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* IOC: Network connections originating from ieexec.exe may be suspicious[[Ieexec.exe - LOLBAS Project](/references/91f31525-585d-4b71-83d7-9b7c2feacd34)]", 
@@ -13512,7 +13512,7 @@
 }
 ],
 "uuid": "567ab907-8765-400b-8dd5-61182ddd8db6",
- "value": "Ieframe.dll"
+ "value": "Ieframe.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Internet Browser DLL for translating HTML code.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\ieframe.dll\n* c:\\windows\\syswow64\\ieframe.dll\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/](http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/)\n* [https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)\n* [https://twitter.com/bohops/status/997690405092290561](https://twitter.com/bohops/status/997690405092290561)\n* [https://windows10dll.nirsoft.net/ieframe_dll.html](https://windows10dll.nirsoft.net/ieframe_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Ieframe.dll - LOLBAS Project](/references/aab9c80d-1f1e-47ba-954d-65e7400054df)]",
@@ -13571,7 +13571,7 @@
 }
 ],
 "uuid": "1ffb9eb7-4c5b-4d88-93a5-79f250715502",
- "value": "OSX/MacDownloader"
+ "value": "OSX/MacDownloader - Associated Software"
 },
 {
 "description": "[iKitten](https://app.tidalcyber.com/software/71098f6e-a2c0-434f-b991-6c079fd3e82d) is a macOS exfiltration agent [[objsee mac malware 2017](https://app.tidalcyber.com/references/08227ae5-4086-4c31-83d9-459c3a097754)].",
@@ -13612,7 +13612,7 @@
 }
 ],
 "uuid": "49269d59-3a99-4362-83ea-41207ee591b4",
- "value": "Ilasm.exe"
+ "value": "Ilasm.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** used for compile c# code into dll or exe.\n\n**Author:** Hai vaknin (lux)\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ilasm.exe\n\n**Resources:**\n* [https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt](https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt)\n\n**Detection:**\n* IOC: Ilasm may not be used often in production environments (such as on endpoints)\n* Sigma: [proc_creation_win_lolbin_ilasm.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml)[[Ilasm.exe - LOLBAS Project](/references/347a1f01-02ce-488e-9100-862971c1833f)]",
@@ -13655,7 +13655,7 @@
 }
 ],
 "uuid": "12fa3dba-d84c-490d-bb72-88b54edf663c",
- "value": "IMEWDBLD.exe"
+ "value": "IMEWDBLD.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft IME Open Extended Dictionary Module\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1367493406835040265](https://twitter.com/notwhickey/status/1367493406835040265)\n\n**Detection:**\n* Sigma: [net_connection_win_imewdbld.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/network_connection/net_connection_win_imewdbld.yml)[[IMEWDBLD.exe - LOLBAS Project](/references/9d1d6bc1-61cf-4465-b3cb-b6af36769027)]",
@@ -13823,7 +13823,7 @@
 }
 ],
 "uuid": "4bf0e893-5e72-48aa-898a-7dfeffa7781a",
- "value": "CRASHOVERRIDE"
+ "value": "CRASHOVERRIDE - Associated Software"
 },
 {
 "description": "[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)]",
@@ -13837,7 +13837,7 @@
 }
 ],
 "uuid": "5e72df38-9dd3-4b0a-a0da-d98cd732e823",
- "value": "Win32/Industroyer"
+ "value": "Win32/Industroyer - Associated Software"
 },
 {
 "description": "[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)] [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]",
@@ -13914,7 +13914,7 @@
 }
 ],
 "uuid": "54922044-3d2e-4885-b314-2c0e2628fd75",
- "value": "Infdefaultinstall.exe"
+ "value": "Infdefaultinstall.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary used to perform installation based on content inside inf files\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Infdefaultinstall.exe\n* C:\\Windows\\SysWOW64\\Infdefaultinstall.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/911997635455852544](https://twitter.com/KyleHanslovan/status/911997635455852544)\n* [https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/](https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/)\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* Sigma: [proc_creation_win_infdefaultinstall_execute_sct_scripts.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[Infdefaultinstall.exe - LOLBAS Project](/references/5e83d17c-dbdd-4a6c-a395-4f921b68ebec)]",
@@ -13977,7 +13977,7 @@
 }
 ],
 "uuid": "91100384-d619-4bf1-9f83-7ffc16d777f2",
- "value": "Installutil.exe"
+ "value": "Installutil.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/](https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/)\n* [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12](https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md)\n* [https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* 
[https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool](https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool)\n\n**Detection:**\n* Sigma: [proc_creation_win_instalutil_no_log_execution.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml)\n* Sigma: [proc_creation_win_lolbin_installutil_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml)\n* Elastic: [defense_evasion_installutil_beacon.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Installutil](/references/7dfb2c45-862a-4c25-a65a-55abea4b0e44)]",
@@ -14020,7 +14020,7 @@
 }
 ],
 "uuid": "0ea31764-5a77-4510-b873-ca1e8bdaf90e",
- "value": "Interact.sh"
+ "value": "Interact.sh - Associated Software"
 },
 {
 "description": "According to joint Cybersecurity Advisory AA23-250A (September 2023), Interactsh is \"an open-source tool for detecting external interactions (communication)\". The Advisory further states that the tool is \"used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity\".[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]",
@@ -14389,7 +14389,7 @@
 }
 ],
 "uuid": "c1808fee-703d-4116-8d6e-7d181244c928",
- "value": "Trojan.Sofacy"
+ "value": "Trojan.Sofacy - Associated Software"
 },
 {
 "description": "This designation has been used in reporting both to refer to the threat group ([APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5)) and its associated malware.[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -14403,7 +14403,7 @@
 }
 ],
 "uuid": "04241120-45d5-4261-a13b-4816d2dfc8a7",
- "value": "Sednit"
+ "value": "Sednit - Associated Software"
 },
 {
 "description": "[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)][[Talos Seduploader Oct 2017](https://app.tidalcyber.com/references/2db77619-72df-461f-84bf-2d1c3499a5c0)]",
@@ -14417,7 +14417,7 @@
 }
 ],
 "uuid": "59124557-6250-48b8-aaf8-3fc51df2c993",
- "value": "Seduploader"
+ "value": "Seduploader - Associated Software"
 },
 {
 "description": "[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -14431,7 +14431,7 @@
 }
 ],
 "uuid": "771f1cd5-dac6-43c9-8c93-9f70ce4137e1",
- "value": "JKEYSKW"
+ "value": "JKEYSKW - Associated Software"
 },
 {
 "description": "[[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -14445,7 +14445,7 @@
 }
 ],
 "uuid": "fb803c34-1dbd-4bb4-b397-faec053abe77",
- "value": "GAMEFISH"
+ "value": "GAMEFISH - Associated Software"
 },
 {
 "description": "[[Unit 42 Sofacy Feb 2018](https://app.tidalcyber.com/references/0bcc2d76-987c-4a9b-9e00-1400eec4e606)]",
@@ -14459,7 +14459,7 @@
 }
 ],
 "uuid": "111fc9b5-1c08-4256-ab5b-7adf2a8bd81e",
- "value": "SofacyCarberp"
+ "value": "SofacyCarberp - Associated Software"
 },
 {
 "description": "[JHUHUGIT](https://app.tidalcyber.com/software/d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae) is malware used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). It is based on Carberp source code and serves as reconnaissance malware. [[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)] [[F-Secure Sofacy 2015](https://app.tidalcyber.com/references/56a95d3c-5268-4e69-b669-7055fb38d570)] [[ESET Sednit Part 1](https://app.tidalcyber.com/references/a2016103-ead7-46b3-bae5-aa97c45a12b7)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -14550,7 +14550,7 @@
 }
 ],
 "uuid": "88632c03-4d0a-4307-8d96-370a9fa0c49c",
- "value": "JSocket"
+ "value": "JSocket - Associated Software"
 },
 {
 "description": "[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]",
@@ -14564,7 +14564,7 @@
 }
 ],
 "uuid": "f5019366-a5f7-4b6f-ba22-de56a66dc7ca",
- "value": "Unrecom"
+ "value": "Unrecom - Associated Software"
 },
 {
 "description": "[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]",
@@ -14578,7 +14578,7 @@
 }
 ],
 "uuid": "45890a41-4d9a-4a8c-8758-9ed70c6355f4",
- "value": "jFrutas"
+ "value": "jFrutas - Associated Software"
 },
 {
 "description": "[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]",
@@ -14592,7 +14592,7 @@
 }
 ],
 "uuid": "c1239f48-76e5-40c5-897d-80a7d14f8613",
- "value": "Adwind"
+ "value": "Adwind - Associated Software"
 },
 {
 "description": "[[NCSC Joint Report Public Tools](https://app.tidalcyber.com/references/601d88c5-4789-4fa8-a9ab-abc8137f061c)]",
@@ -14606,7 +14606,7 @@
 }
 ],
 "uuid": "7a75e4bf-a8cf-4fb0-b147-12db5a0bb77a",
- "value": "jBiFrost"
+ "value": "jBiFrost - Associated Software"
 },
 {
 "description": "[[jRAT Symantec Aug 2018](https://app.tidalcyber.com/references/8aed9534-2ec6-4c9f-b63b-9bb135432cfb)]",
@@ -14620,7 +14620,7 @@
 }
 ],
 "uuid": "4fcf08b4-de50-4ab6-a7ae-a3c3a64f32cc",
- "value": "Trojan.Maljava"
+ "value": "Trojan.Maljava - Associated Software"
 },
 {
 "description": "[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]",
@@ -14634,7 +14634,7 @@
 }
 ],
 "uuid": "13f9732c-1a38-45ca-9278-4b3266e32997",
- "value": "AlienSpy"
+ "value": "AlienSpy - Associated Software"
 },
 {
 "description": "[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]",
@@ -14648,7 +14648,7 @@
 }
 ],
 "uuid": "cf5f6829-3cf7-445f-a4a3-dce78fe6034b",
- "value": "Frutas"
+ "value": "Frutas - Associated Software"
 },
 {
 "description": "[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)]",
@@ -14662,7 +14662,7 @@
 }
 ],
 "uuid": "2adef0c3-f776-48c1-9293-d355b9dbefd7",
- "value": "Sockrat"
+ "value": "Sockrat - Associated Software"
 },
 {
 "description": "[jRAT](https://app.tidalcyber.com/software/42fe9795-5cf6-4ad7-b56e-2aa655377992) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://app.tidalcyber.com/software/42fe9795-5cf6-4ad7-b56e-2aa655377992) have been distributed via a software-as-a-service platform, similar to an online subscription model.[[Kaspersky Adwind Feb 2016](https://app.tidalcyber.com/references/69fd8de4-81bc-4165-b77d-c5fc72cfa699)] [[jRAT Symantec Aug 2018](https://app.tidalcyber.com/references/8aed9534-2ec6-4c9f-b63b-9bb135432cfb)]",
@@ -14745,7 +14745,7 @@
 }
 ],
 "uuid": "adc0e1d8-3291-4c6f-9429-b6a61fb089a7",
- "value": "Jsc.exe"
+ "value": "Jsc.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary file used by .NET to compile JavaScript code to .exe or .dll format\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Jsc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Jsc.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Jsc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Jsc.exe\n\n**Resources:**\n* [https://twitter.com/DissectMalware/status/998797808907046913](https://twitter.com/DissectMalware/status/998797808907046913)\n* [https://www.phpied.com/make-your-javascript-a-windows-exe/](https://www.phpied.com/make-your-javascript-a-windows-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_jsc.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml)\n* IOC: Jsc.exe should normally not run a system unless it is used for development.[[Jsc.exe - LOLBAS Project](/references/ae25ff74-05eb-46d7-9c60-4c149b7c7f1f)]",
@@ -14992,7 +14992,7 @@
 }
 ],
 "uuid": "115076c8-07e5-4bb3-8951-0a1a57666b17",
- "value": "OSX/Keydnap"
+ "value": "OSX/Keydnap - Associated Software"
 },
 {
 "description": "This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [[OSX Keydnap malware](https://app.tidalcyber.com/references/d43e0dd1-0946-4f49-bcc7-3ef38445eac3)].",
@@ -15056,7 +15056,7 @@
 }
 ],
 "uuid": "a649459f-dd6d-424f-87c4-aeb8412ca6f6",
- "value": "KEYPLUG.LINUX"
+ "value": "KEYPLUG.LINUX - Associated Software"
 },
 {
 "description": "[KEYPLUG](https://app.tidalcyber.com/software/ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9) since at least June 2021.[[Mandiant APT41](https://app.tidalcyber.com/references/e54415fe-40c2-55ff-9e75-881bc8a912b8)]",
@@ -15125,7 +15125,7 @@
 }
 ],
 "uuid": "12213e6d-72a5-447e-9e19-2a7eb7e2d81c",
- "value": "Win32/KillDisk.NBI"
+ "value": "Win32/KillDisk.NBI - Associated Software"
 },
 {
 "description": "",
@@ -15139,7 +15139,7 @@
 }
 ],
 "uuid": "f716a88b-4693-4d43-97b0-c5603202d586",
- "value": "Win32/KillDisk.NBH"
+ "value": "Win32/KillDisk.NBH - Associated Software"
 },
 {
 "description": "",
@@ -15153,7 +15153,7 @@
 }
 ],
 "uuid": "4b3409dd-72c5-4808-9d11-7806955a7231",
- "value": "Win32/KillDisk.NBD"
+ "value": "Win32/KillDisk.NBD - Associated Software"
 },
 {
 "description": "",
@@ -15167,7 +15167,7 @@
 }
 ],
 "uuid": "c0b27dd0-0895-4ddb-97da-2d55f2c22ca6",
- "value": "Win32/KillDisk.NBC"
+ "value": "Win32/KillDisk.NBC - Associated Software"
 },
 {
 "description": "",
@@ -15181,7 +15181,7 @@
 }
 ],
 "uuid": "df0e171c-ed35-4f1d-9ded-a16e58383bd7",
- "value": "Win32/KillDisk.NBB"
+ "value": "Win32/KillDisk.NBB - Associated Software"
 },
 {
 "description": "[KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) variants.[[KillDisk Ransomware](https://app.tidalcyber.com/references/9d22f13d-af6d-47b5-93ed-5e4b85b94978)][[ESEST Black Energy Jan 2016](https://app.tidalcyber.com/references/4d626eb9-3722-4aa4-b95e-1650cc2865c2)][[Trend Micro KillDisk 1](https://app.tidalcyber.com/references/8ae31db0-2744-4366-9747-55fc4679dbf5)][[Trend Micro KillDisk 2](https://app.tidalcyber.com/references/62d9a4c9-e669-4dd4-a584-4f3e3e54f97f)]",
@@ -15509,7 +15509,7 @@
 }
 ],
 "uuid": "b7501271-0611-44a6-b8ee-844345798754",
- "value": "Launch-VsDevShell.ps1"
+ "value": "Launch-VsDevShell.ps1 - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\Tools\\Launch-VsDevShell.ps1\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1535981653239255040](https://twitter.com/nas_bench/status/1535981653239255040)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_launch_vsdevshell.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml)[[Launch-VsDevShell.ps1 - LOLBAS Project](/references/6e81ff6a-a386-495e-bd4b-cf698b02bce8)]",
@@ -15635,7 +15635,7 @@
 }
 ],
 "uuid": "6c55efe5-a5d3-411d-8993-697f2fc91144",
- "value": "Ldifde.exe"
+ "value": "Ldifde.exe - Associated Software"
 },
 {
 "description": "Ldifde is a Windows command-line tool that is used to create, modify, and delete directory objects. Ldifde can also be used to \"extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services\".[[Ldifde Microsoft](/references/c47ed0e0-f3e3-41de-9ea7-64fe4e343d9d)]",
@@ -15714,7 +15714,7 @@
 }
 ],
 "uuid": "d24d63ab-a1b5-4e20-9e60-f2df8fba9cb7",
- "value": "Level.io"
+ "value": "Level.io - Associated Software"
 },
 {
 "description": "[[Mandiant UNC3944 September 14 2023](/references/7420d79f-c6a3-4932-9c2e-c9cc36e2ca35)]",
@@ -15730,7 +15730,7 @@
 }
 ],
 "uuid": "de43630e-5949-4c69-ab58-9e3d44a72386",
- "value": "Level Remote Management"
+ "value": "Level Remote Management - Associated Software"
 },
 {
 "description": "According to joint Cybersecurity Advisory AA23-320A (November 2023), Level is a publicly available, legitimate tool that \"enables remote monitoring and management of systems\". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[[U.S. CISA Scattered Spider November 16 2023](/references/9c242265-c28c-4580-8e6a-478d8700b092)]",
@@ -15943,7 +15943,7 @@
 }
 ],
 "uuid": "1eb0bda6-e564-43eb-b440-8da9ffd39909",
- "value": "Tirion"
+ "value": "Tirion - Associated Software"
 },
 {
 "description": "[Lizar](https://app.tidalcyber.com/software/65d46aab-b3ce-4f5b-b1fc-871db2573fa1) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://app.tidalcyber.com/software/4cb9294b-9e4c-41b9-b640-46213a01952d). It has likely been used by [FIN7](https://app.tidalcyber.com/groups/4348c510-50fc-4448-ab8d-c8cededd19ff) since at least February 2021.[[BiZone Lizar May 2021](https://app.tidalcyber.com/references/315f47e1-69e5-4dcb-94b2-59583e91dd26)][[Threatpost Lizar May 2021](https://app.tidalcyber.com/references/1b89f62f-586d-4dee-b6dd-e5a5cd090a0e)][[Gemini FIN7 Oct 2021](https://app.tidalcyber.com/references/bbaef178-8577-4398-8e28-604faf0950b4)]",
@@ -15998,7 +15998,7 @@
 }
 ],
 "uuid": "37c1fbc5-58d9-48f5-a06f-887a9d404a18", 
- "value": "LockBit Black" 
+ "value": "LockBit Black - Associated Software"
 },
 {
 "description": "Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nLockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with Blackmatter and BlackCat ransomware and is “more modular and evasive\" than previous LockBit strains.[[U.S. CISA LockBit 3.0 March 2023](/references/06de9247-ce40-4709-a17a-a65b8853758b)]\n\nAccording to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. 
Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Delivered By**: Cobalt Strike[[Sentinel Labs LockBit 3.0 July 2022](/references/9a73b140-b483-4274-a134-ed1bb15ac31c)], PsExec[[NCC Group Research Blog August 19 2022](/references/8c1fbe98-5fc1-4e67-9b96-b740ffc9b1ae)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/lockbit/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/LockBit", 
@@ -16082,7 +16082,7 @@
 }
 ],
 "uuid": "79b93082-8ee8-49c9-a5c4-4cf5309a6a5c", 
- "value": "Rescue" 
+ "value": "Rescue - Associated Software"
 },
 {
 "description": "LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.[[LogMeIn Homepage](/references/e113b544-82ad-4099-ab4e-7fc8b78f54bd)] Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.[[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)][[CSRB LAPSUS$ July 24 2023](/references/f8311977-303c-4d05-a7f4-25b3ae36318b)]", 
@@ -16340,7 +16340,7 @@
 }
 ],
 "uuid": "4905b225-105e-4aec-af6e-16466cc7b717", 
- "value": "Enfal" 
+ "value": "Enfal - Associated Software"
 },
 {
 "description": "[Lurid](https://app.tidalcyber.com/software/0cc9e24b-d458-4782-a332-4e4fd68c057b) is a malware family that has been used by several groups, including [PittyTiger](https://app.tidalcyber.com/groups/60936d3c-37ed-4116-a407-868da3aa4446), in targeted attacks as far back as 2006. [[Villeneuve 2014](https://app.tidalcyber.com/references/a156e24e-0da5-4ac7-b914-29f2f05e7d6f)] [[Villeneuve 2011](https://app.tidalcyber.com/references/ed5a2ec0-8328-40db-9f58-7eaac4ad39a0)]", 
@@ -16383,7 +16383,7 @@
 }
 ],
 "uuid": "a4493a61-fd76-4668-83e3-f708beb2c553", 
- "value": "Pyark" 
+ "value": "Pyark - Associated Software"
 },
 {
 "description": "[Machete](https://app.tidalcyber.com/software/be8a1630-9562-41ad-a621-65989f961a10) is a cyber espionage toolset used by [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]", 
@@ -16426,7 +16426,7 @@
 }
 ],
 "uuid": "09e6536d-b970-43ae-a1ac-cea3a523635c", 
- "value": "DazzleSpy" 
+ "value": "DazzleSpy - Associated Software"
 },
 {
 "description": "[[Objective-See MacMa Nov 2021](https://app.tidalcyber.com/references/7240261e-d901-4a68-b6fc-deec308e8a50)]", 
@@ -16440,7 +16440,7 @@
 }
 ],
 "uuid": "246b0d77-743e-413a-8e7a-76a5a4b391de", 
- "value": "OSX.CDDS" 
+ "value": "OSX.CDDS - Associated Software"
 },
 {
 "description": "[MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://app.tidalcyber.com/software/7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb) has been observed in the wild since November 2021.[[ESET DazzleSpy Jan 2022](https://app.tidalcyber.com/references/212012ac-9084-490f-8dd2-5cc9ac6e6de1)]", 
@@ -16579,7 +16579,7 @@
 }
 ],
 "uuid": "be6d153d-2288-4519-bade-cca6c8ae2aa8", 
- "value": "Makecab.exe" 
+ "value": "Makecab.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to package existing files into a cabinet (.cab) file\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\makecab.exe\n* C:\\Windows\\SysWOW64\\makecab.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_alternate_data_streams.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml)\n* Elastic: [defense_evasion_misc_lolbin_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml)\n* IOC: Makecab retrieving files from Internet\n* IOC: Makecab storing data into alternate data streams[[Makecab.exe - LOLBAS Project](/references/6473e36b-b5ad-4254-b46d-38c53ccbe446)]", 
@@ -16635,7 +16635,7 @@
 }
 ],
 "uuid": "8c479a90-537a-4661-ba2a-7e9e7ca5d04a", 
- "value": "Manage-bde.wsf" 
+ "value": "Manage-bde.wsf - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Script for managing BitLocker\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\manage-bde.wsf\n\n**Resources:**\n* [https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712](https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712)\n* [https://twitter.com/bohops/status/980659399495741441](https://twitter.com/bohops/status/980659399495741441)\n* [https://twitter.com/JohnLaTwC/status/1223292479270600706](https://twitter.com/JohnLaTwC/status/1223292479270600706)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_manage_bde.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml)\n* IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations[[Manage-bde.wsf - LOLBAS Project](/references/74d5483e-2268-464c-a048-bb1f25bbfc4f)]", 
@@ -16731,7 +16731,7 @@
 }
 ],
 "uuid": "e74db115-407d-44dd-906e-2163f2a50e29", 
- "value": "Mavinject.exe" 
+ "value": "Mavinject.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by App-v in Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\mavinject.exe\n* C:\\Windows\\SysWOW64\\mavinject.exe\n\n**Resources:**\n* [https://twitter.com/gN3mes1s/status/941315826107510784](https://twitter.com/gN3mes1s/status/941315826107510784)\n* [https://twitter.com/Hexcorn/status/776122138063409152](https://twitter.com/Hexcorn/status/776122138063409152)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_mavinject_process_injection.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml)\n* IOC: mavinject.exe should not run unless APP-v is in use on the workstation[[LOLBAS Mavinject](/references/4ba7fa89-006b-4fbf-aa6c-6775842c97a4)]", 
@@ -17055,7 +17055,7 @@
 }
 ],
 "uuid": "10ba04c6-5c6e-4b8e-b855-3d02ce26808b", 
- "value": "Casbaneiro" 
+ "value": "Casbaneiro - Associated Software"
 },
 {
 "description": "[Metamorfo](https://app.tidalcyber.com/software/ca607087-25ad-4a91-af83-608646cccbcb) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[[Medium Metamorfo Apr 2020](https://app.tidalcyber.com/references/356defac-b976-41c1-aac8-5d6ff0c80e28)][[ESET Casbaneiro Oct 2019](https://app.tidalcyber.com/references/a5cb3ee6-9a0b-4e90-bf32-be7177a858b1)] ", 
@@ -17149,7 +17149,7 @@
 }
 ],
 "uuid": "d9cc6ddb-3c47-45f9-8caf-8124ca55945f", 
- "value": "Mftrace.exe" 
+ "value": "Mftrace.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Trace log generation tool for Media Foundation Tools.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.16299.0\\x86\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.16299.0\\x64\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x86\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\n\n**Resources:**\n* [https://twitter.com/0rbz_/status/988911181422186496](https://twitter.com/0rbz_/status/988911181422186496)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_mftrace.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml)[[Mftrace.exe - LOLBAS Project](/references/b6d42cc9-1bf0-4389-8654-90b8d4e7ff49)]", 
@@ -17215,7 +17215,7 @@
 }
 ],
 "uuid": "9ddd8ae4-93ff-41ce-b8f2-ac035a25411f", 
- "value": "Microsoft.NodejsTools.PressAnyKey.exe" 
+ "value": "Microsoft.NodejsTools.PressAnyKey.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Part of the NodeJS Visual Studio tools.\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\*\\Community\\Common7\\IDE\\Extensions\\Microsoft\\NodeJsTools\\NodeJsTools\\Microsoft.NodejsTools.PressAnyKey.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\Community\\Common7\\IDE\\Extensions\\Microsoft\\NodeJsTools\\NodeJsTools\\Microsoft.NodejsTools.PressAnyKey.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1463526834918854661](https://twitter.com/mrd0x/status/1463526834918854661)\n\n**Detection:**\n* Sigma: [proc_creation_win_renamed_pressanykey.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml)\n* Sigma: [proc_creation_win_pressanykey_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml)[[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project](/references/25c46948-a648-4c3c-b442-e700df68fa20)]", 
@@ -17258,7 +17258,7 @@
 }
 ],
 "uuid": "26fae087-2715-4a16-8583-ffe1e0040044", 
- "value": "Microsoft.Workflow.Compiler.exe" 
+ "value": "Microsoft.Workflow.Compiler.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A utility included with .NET that is capable of compiling and executing C# or VB.net code.\n\n**Author:** Conor Richard\n\n**Paths:**\n* C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\Microsoft.Workflow.Compiler.exe\n\n**Resources:**\n* [https://twitter.com/mattifestation/status/1030445200475185154](https://twitter.com/mattifestation/status/1030445200475185154)\n* [https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb](https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb)\n* [https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1](https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1)\n* [https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1](https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1)\n* [https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks](https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks)\n* [https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/](https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/)\n* 
[https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15](https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_workflow_compiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml)\n* Splunk: [suspicious_microsoft_workflow_compiler_usage.yml](https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml)\n* Splunk: [suspicious_microsoft_workflow_compiler_rename.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.\n* IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe\n* IOC: Presence of \"[[Microsoft.Workflow.Compiler.exe - LOLBAS Project](/references/1e659b32-a06f-45dc-a1eb-03f1a42c55ef)]", 
@@ -17299,7 +17299,7 @@
 }
 ],
 "uuid": "e94603e8-5352-4ef9-9970-e2ac9ede79b4", 
- "value": "James" 
+ "value": "James - Associated Software"
 },
 {
 "description": "[Milan](https://app.tidalcyber.com/software/57545dbc-c72a-409d-a373-bc35e25160cd) is a backdoor implant based on [DanBot](https://app.tidalcyber.com/software/131c0eb2-9191-4ccd-a2d6-5f36046a8f2f) that was written in Visual C++ and .NET. [Milan](https://app.tidalcyber.com/software/57545dbc-c72a-409d-a373-bc35e25160cd) has been used by [HEXANE](https://app.tidalcyber.com/groups/eecf7289-294f-48dd-a747-7705820f4735) since at least June 2020.[[ClearSky Siamesekitten August 2021](https://app.tidalcyber.com/references/9485efce-8d54-4461-b64e-0d15e31fbf8c)][[Kaspersky Lyceum October 2021](https://app.tidalcyber.com/references/b3d13a82-c24e-4b47-b47a-7221ad449859)]", 
@@ -17755,7 +17755,7 @@
 }
 ],
 "uuid": "08c13774-647c-472d-8e6e-d1fb2f21e67d", 
- "value": "Mmc.exe" 
+ "value": "Mmc.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load snap-ins to locally and remotely manage Windows systems\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\mmc.exe\n* C:\\Windows\\SysWOW64\\mmc.exe\n\n**Resources:**\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://offsec.almond.consulting/UAC-bypass-dotnet.html](https://offsec.almond.consulting/UAC-bypass-dotnet.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_mmc_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml)\n* Sigma: [file_event_win_uac_bypass_dotnet_profiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml)[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]", 
@@ -17895,7 +17895,7 @@
 }
 ],
 "uuid": "d2877108-0856-4969-8eb5-421cd2d7acf8", 
- "value": "SKID" 
+ "value": "SKID - Associated Software"
 },
 {
 "description": "[[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)][[Visa FIN6 Feb 2019](https://app.tidalcyber.com/references/9e9e8811-1d8e-4400-8688-e634f859c4e0)]", 
@@ -17909,7 +17909,7 @@
 }
 ],
 "uuid": "8e995f3c-8e8d-4f7e-b91c-9c9d02ae1448", 
- "value": "Terra Loader" 
+ "value": "Terra Loader - Associated Software"
 },
 {
 "description": "[[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]", 
@@ -17923,7 +17923,7 @@
 }
 ],
 "uuid": "96f03902-3d1b-49cf-a0df-8add8434f012", 
- "value": "SpicyOmelette" 
+ "value": "SpicyOmelette - Associated Software"
 },
 {
 "description": "[More_eggs](https://app.tidalcyber.com/software/69f202e7-4bc9-4f4f-943f-330c053ae977) is a JScript backdoor used by [Cobalt Group](https://app.tidalcyber.com/groups/58db02e6-d908-47c2-bc82-ed58ada61331) and [FIN6](https://app.tidalcyber.com/groups/fcaadc12-7c17-4946-a9dc-976ed610854c). Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [[Talos Cobalt Group July 2018](https://app.tidalcyber.com/references/7cdfd0d1-f7e6-4625-91ff-f87f46f95864)][[Security Intelligence More Eggs Aug 2019](https://app.tidalcyber.com/references/f0a0286f-adb9-4a6e-85b5-5b0f45e6fbf3)]", 
@@ -18040,7 +18040,7 @@
 }
 ],
 "uuid": "78bdf160-7b3c-4832-a3fc-1caa419309c7", 
- "value": "MpCmdRun.exe" 
+ "value": "MpCmdRun.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary part of Windows Defender. Used to manage settings in Windows Defender\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.4-0\\MpCmdRun.exe\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.7-0\\MpCmdRun.exe\n* C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)\n* [https://twitter.com/mohammadaskar2/status/1301263551638761477](https://twitter.com/mohammadaskar2/status/1301263551638761477)\n* [https://twitter.com/Oddvarmoe/status/1301444858910052352](https://twitter.com/Oddvarmoe/status/1301444858910052352)\n* [https://twitter.com/NotMedic/status/1301506813242867720](https://twitter.com/NotMedic/status/1301506813242867720)\n\n**Detection:**\n* Sigma: [win_susp_mpcmdrun_download.yml](https://github.com/SigmaHQ/sigma/blob/159bf4bbc103cc2be3fef4b7c2e7c8b23b63fd10/rules/windows/process_creation/win_susp_mpcmdrun_download.yml)\n* Elastic: [command_and_control_remote_file_copy_mpcmdrun.toml](https://github.com/elastic/detection-rules/blob/6ef5c53b0c15e344f0f2d1649941391aea6fa253/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml)\n* IOC: MpCmdRun storing data 
into alternate data streams.\n* IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected.\n* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.\n* IOC: Monitor for the creation of %USERPROFILE%\\AppData\\Local\\Temp\\MpCmdRun.log\n* IOC: User Agent is \"MpCommunication\"[[MpCmdRun.exe - LOLBAS Project](/references/2082d5ca-474f-4130-b275-c1ac5e30064c)]", 
@@ -18082,7 +18082,7 @@
 }
 ],
 "uuid": "7e97093f-629d-4de9-8c28-3adc429e3abb", 
- "value": "Msbuild.exe" 
+ "value": "Msbuild.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to compile and execute code\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v3.5\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Msbuild.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Msbuild.exe\n* C:\\Program Files (x86)\\MSBuild\\14.0\\bin\\MSBuild.exe\n\n**Resources:**\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md)\n* [https://github.com/Cn33liz/MSBuildShell](https://github.com/Cn33liz/MSBuildShell)\n* [https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/](https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191](https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191)\n* [https://github.com/LOLBAS-Project/LOLBAS/issues/165](https://github.com/LOLBAS-Project/LOLBAS/issues/165)\n* [https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files](https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files)\n* 
[https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events](https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events)\n\n**Detection:**\n* Sigma: [file_event_win_shell_write_susp_directory.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml)\n* Sigma: [proc_creation_win_msbuild_susp_parent_process.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml)\n* Sigma: [net_connection_win_silenttrinity_stager_msbuild_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml)\n* Splunk: [suspicious_msbuild_spawn.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml)\n* Splunk: [suspicious_msbuild_rename.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml)\n* Splunk: [msbuild_suspicious_spawned_by_script_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml)\n* Elastic: [defense_evasion_msbuild_beacon_sequence.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml)\n* Elastic: [defense_evasion_msbuild_making_network_connections.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml)\n* Elastic: 
[defense_evasion_execution_msbuild_started_by_script.toml](https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_by_office_app.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml)\n* Elastic: [defense_evasion_execution_msbuild_started_renamed.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Msbuild.exe should not normally be executed on workstations[[LOLBAS Msbuild](/references/de8e0741-255b-4c41-ba50-248ac5acc325)]", 
@@ -18125,7 +18125,7 @@
 }
 ],
 "uuid": "98ecedd7-7044-41c6-b9df-5b8c88b41713", 
- "value": "Msconfig.exe" 
+ "value": "Msconfig.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\msconfig.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/991314564896690177](https://twitter.com/pabraeken/status/991314564896690177)\n\n**Detection:**\n* Sigma: [proc_creation_win_uac_bypass_msconfig_gui.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml)\n* Sigma: [file_event_win_uac_bypass_msconfig_gui.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml)\n* IOC: mscfgtlc.xml changes in system32 folder[[Msconfig.exe - LOLBAS Project](/references/a073d2fc-d20d-4a52-944e-85ff89f04978)]", 
@@ -18168,7 +18168,7 @@
 }
 ],
 "uuid": "69a34cf5-5e76-48b5-b1c0-9ab895dbd9f9", 
- "value": "Msdeploy.exe" 
+ "value": "Msdeploy.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft tool used to deploy Web Applications.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files (x86)\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/995837734379032576](https://twitter.com/pabraeken/status/995837734379032576)\n* [https://twitter.com/pabraeken/status/999090532839313408](https://twitter.com/pabraeken/status/999090532839313408)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_msdeploy.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml)[[Msdeploy.exe - LOLBAS Project](/references/e563af9a-5e49-4612-a52b-31f22f76193c)]", 
@@ -18211,7 +18211,7 @@
 }
 ],
 "uuid": "19e717f8-ecab-48e6-83c0-90d8d20e875d",
- "value": "Msdt.exe"
+ "value": "Msdt.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft diagnostics tool\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Msdt.exe\n* C:\\Windows\\SysWOW64\\Msdt.exe\n\n**Resources:**\n* [https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/](https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/)\n* [https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)\n* [https://twitter.com/harr0ey/status/991338229952598016](https://twitter.com/harr0ey/status/991338229952598016)\n* [https://twitter.com/nas_bench/status/1531944240271568896](https://twitter.com/nas_bench/status/1531944240271568896)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_msdt_answer_file.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml)\n* Sigma: [proc_creation_win_msdt_arbitrary_command_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[Msdt.exe - LOLBAS Project](/references/3eb1750c-a2f2-4d68-b060-ceb32f44f5fe)]",
@@ -18254,7 +18254,7 @@
 }
 ],
 "uuid": "79b9559f-79c5-4e40-85a9-6238400bb523",
- "value": "Msedge.exe"
+ "value": "Msedge.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Edge browser\n\n**Author:** mr.d0x\n\n**Paths:**\n* c:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe\n* c:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1478116126005641220](https://twitter.com/mrd0x/status/1478116126005641220)\n* [https://twitter.com/mrd0x/status/1478234484881436672](https://twitter.com/mrd0x/status/1478234484881436672)\n\n**Detection:**\n* Sigma: [proc_creation_win_browsers_msedge_arbitrary_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml)\n* Sigma: [proc_creation_win_browsers_chromium_headless_file_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml)[[Msedge.exe - LOLBAS Project](/references/6169c12e-9753-4e48-8213-aff95b0f6a95)]",
@@ -18297,7 +18297,7 @@
 }
 ],
 "uuid": "51e2b302-2fa7-42c4-a559-6a77d987d48b",
- "value": "msedge_proxy.exe"
+ "value": "msedge_proxy.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Edge Browser\n\n**Author:** Mert Daş\n\n**Paths:**\n* C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge_proxy.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\nNone Provided[[msedge_proxy.exe - LOLBAS Project](/references/a6fd4727-e22f-4157-9a5f-1217cb876b32)]",
@@ -18339,7 +18339,7 @@
 }
 ],
 "uuid": "0a528d20-d553-4d8d-a63c-14a0bcbd442f",
- "value": "msedgewebview2.exe"
+ "value": "msedgewebview2.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.\n\n**Author:** Matan Bahar\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\114.0.1823.43\\msedgewebview2.exe\n\n**Resources:**\n* [https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf](https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf)\n\n**Detection:**\n* IOC: msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path[[msedgewebview2.exe - LOLBAS Project](/references/8125ece7-10d1-4e79-8ea1-724fe46a3c97)]",
@@ -18381,7 +18381,7 @@
 }
 ],
 "uuid": "061ab2c8-f37a-4a57-95b4-9cc05d00f7e2",
- "value": "Mshta.exe"
+ "value": "Mshta.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute html applications. (.hta)\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\mshta.exe\n* C:\\Windows\\SysWOW64\\mshta.exe\n\n**Resources:**\n* [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4](https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct)\n* [https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n\n**Detection:**\n* Sigma: [proc_creation_win_mshta_susp_pattern.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml)\n* Sigma: [proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml)\n* Sigma: [proc_creation_win_mshta_lethalhta_technique.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml)\n* Sigma: [proc_creation_win_mshta_javascript.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Sigma: [image_load_susp_script_dotnet_clr_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml)\n* Elastic: [defense_evasion_mshta_beacon.toml](https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml)\n* Elastic: [lateral_movement_dcom_hta.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [suspicious_mshta_activity.yml](https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml)\n* Splunk: [detect_mshta_renamed.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml)\n* Splunk: [suspicious_mshta_spawn.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml)\n* Splunk: [suspicious_mshta_child_process.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml)\n* Splunk: [detect_mshta_url_in_command_line.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: mshta.exe executing raw or obfuscated script within the command-line\n* IOC: General usage of HTA file\n* IOC: msthta.exe network connection to Internet/WWW resource\n* IOC: DotNet CLR libraries loaded into mshta.exe\n* IOC: DotNet CLR Usage Log - mshta.exe.log[[LOLBAS Mshta](/references/915a4aef-800e-4c68-ad39-df67c3dbaf75)]",
@@ -18480,7 +18480,7 @@
 }
 ],
 "uuid": "1a75f478-ea4b-4beb-a2d0-7b51e7368cb6",
- "value": "Mshtml.dll"
+ "value": "Mshtml.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft HTML Viewer\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\mshtml.dll\n* c:\\windows\\syswow64\\mshtml.dll\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/998567549670477824](https://twitter.com/pabraeken/status/998567549670477824)\n* [https://windows10dll.nirsoft.net/mshtml_dll.html](https://windows10dll.nirsoft.net/mshtml_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Mshtml.dll - LOLBAS Project](/references/1a135e0b-5a79-4a4c-bc70-fd8f3f84e1f0)]",
@@ -18523,7 +18523,7 @@
 }
 ],
 "uuid": "925dfacc-a078-4d5e-bddb-fd5e4e204b71",
- "value": "Msiexec.exe"
+ "value": "Msiexec.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute msi files\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\msiexec.exe\n* C:\\Windows\\SysWOW64\\msiexec.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/](https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/)\n* [https://twitter.com/PhilipTsukerman/status/992021361106268161](https://twitter.com/PhilipTsukerman/status/992021361106268161)\n* [https://badoption.eu/blog/2023/10/03/MSIFortune.html](https://badoption.eu/blog/2023/10/03/MSIFortune.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_msiexec_web_install.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml)\n* Sigma: [proc_creation_win_msiexec_masquerading.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* Splunk: [uninstall_app_using_msiexec.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/uninstall_app_using_msiexec.yml)\n* IOC: msiexec.exe retrieving files from Internet[[LOLBAS Msiexec](/references/996cc7ea-0729-4c51-b9c3-b201ec32e984)]",
@@ -18586,7 +18586,7 @@
 }
 ],
 "uuid": "fc985102-ca75-491e-8eac-ba8ce06670e2",
- "value": "MsoHtmEd.exe"
+ "value": "MsoHtmEd.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office component\n\n**Author:** Nir Chako\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\MSOHTMED.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\MSOHTMED.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\MSOHTMED.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_msohtmed_download.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml)\n* IOC: Suspicious Office application internet/network traffic[[MsoHtmEd.exe - LOLBAS Project](/references/c39fdefa-4c54-48a9-8357-ffe4dca2a2f4)]",
@@ -18629,7 +18629,7 @@
 }
 ],
 "uuid": "b36cdee2-05cb-44fb-853d-299e0a90165e",
- "value": "Mspub.exe"
+ "value": "Mspub.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Publisher\n\n**Author:** Nir Chako\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\MSPUB.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\MSPUB.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_mspub_download.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml)\n* IOC: Suspicious Office application internet/network traffic[[Mspub.exe - LOLBAS Project](/references/41eff63a-fef0-4b4b-86f7-0908150fcfcf)]",
@@ -18672,7 +18672,7 @@
 }
 ],
 "uuid": "9ccccfe2-f653-42f7-9e36-3158781f4e2a",
- "value": "msxsl.exe"
+ "value": "msxsl.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command line utility used to perform XSL transformations.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://twitter.com/subTee/status/877616321747271680](https://twitter.com/subTee/status/877616321747271680)\n* [https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker](https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker)\n* [https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file](https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file)\n\n**Detection:**\n* Sigma: [proc_creation_win_wmic_xsl_script_processing.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml)\n* Elastic: [defense_evasion_msxsl_beacon.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_msxsl_beacon.toml)\n* Elastic: [defense_evasion_msxsl_network.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_msxsl_network.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[msxsl.exe - LOLBAS Project](/references/4e1ed0a8-60d0-45e2-9592-573b904811f8)]",
@@ -19098,7 +19098,7 @@
 }
 ],
 "uuid": "ef9df548-c7c2-41fd-96f1-acdb9e8a763c",
- "value": "net.exe"
+ "value": "net.exe - Associated Software"
 },
 {
 "description": "The [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [[Microsoft Net Utility](https://app.tidalcyber.com/references/75998d1c-69c0-40d2-a64b-43ad8efa05da)]\n\n[Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) has a great deal of functionality, [[Savill 1999](https://app.tidalcyber.com/references/e814d4a5-b846-4d68-ac00-7021238d287a)] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.",
@@ -19274,7 +19274,7 @@
 }
 ],
 "uuid": "edb7867e-195e-4a88-9198-f118a64af6b0",
- "value": "NetC"
+ "value": "NetC - Associated Software"
 },
 {
 "description": "[Net Crawler](https://app.tidalcyber.com/software/947c6212-4da8-48dd-9da9-ce4b077dd759) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://app.tidalcyber.com/software/73eb32af-4bd3-4e21-8048-355edc55a9c6) to execute a copy of [Net Crawler](https://app.tidalcyber.com/software/947c6212-4da8-48dd-9da9-ce4b077dd759). [[Cylance Cleaver](https://app.tidalcyber.com/references/f0b45225-3ec3-406f-bd74-87f24003761b)]",
@@ -19345,7 +19345,7 @@
 }
 ],
 "uuid": "f0875544-e774-4ba7-8ed3-c9828ea69fbd",
- "value": "netsh.exe"
+ "value": "netsh.exe - Associated Software"
 },
 {
 "description": "[netsh](https://app.tidalcyber.com/software/803192b8-747b-4108-ae15-2d7481d39162) is a scripting utility used to interact with networking components on local or remote systems. [[TechNet Netsh](https://app.tidalcyber.com/references/58112a3a-06bd-4a46-8a09-4dba5f42a04f)]",
@@ -19531,7 +19531,7 @@
 }
 ],
 "uuid": "ebe1fe56-5d87-444f-bf06-76d18f19b788",
- "value": "Mailto"
+ "value": "Mailto - Associated Software"
 },
 {
 "description": "",
@@ -19547,7 +19547,7 @@
 }
 ],
 "uuid": "4ff19645-f405-4bc2-847b-13409fce15cf",
- "value": "Koko Ransomware"
+ "value": "Koko Ransomware - Associated Software"
 },
 {
 "description": "[Netwalker](https://app.tidalcyber.com/software/5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d) is fileless ransomware written in PowerShell and executed directly in memory.[[TrendMicro Netwalker May 2020](https://app.tidalcyber.com/references/ceda9ef6-e609-4a34-9db1-d2a3ebffb679)]",
@@ -19708,7 +19708,7 @@
 }
 ],
 "uuid": "69d00742-0a78-44e9-ae0e-98d09f52d81d",
- "value": "Backdoor.Nidiran"
+ "value": "Backdoor.Nidiran - Associated Software"
 },
 {
 "description": "[Nidiran](https://app.tidalcyber.com/software/3ae9acd7-39f8-45c6-b557-c7d9a40eed2c) is a custom backdoor developed and used by [Suckfly](https://app.tidalcyber.com/groups/06549082-ff70-43bf-985e-88c695c7113c). It has been delivered via strategic web compromise. [[Symantec Suckfly March 2016](https://app.tidalcyber.com/references/8711c175-e405-4cb0-8c86-8aaa471e5573)]",
@@ -19776,7 +19776,7 @@
 }
 ],
 "uuid": "f6269ef2-ec83-41f6-9c86-4d507070c7d7",
- "value": "Njw0rm"
+ "value": "Njw0rm - Associated Software"
 },
 {
 "description": "[[Fidelis njRAT June 2013](https://app.tidalcyber.com/references/6c985470-a923-48fd-82c9-9128b6d59bcb)]",
@@ -19790,7 +19790,7 @@
 }
 ],
 "uuid": "abeccf73-8340-44ca-93eb-4fbd98050cb6",
- "value": "LV"
+ "value": "LV - Associated Software"
 },
 {
 "description": "[[Fidelis njRAT June 2013](https://app.tidalcyber.com/references/6c985470-a923-48fd-82c9-9128b6d59bcb)][[Trend Micro njRAT 2018](https://app.tidalcyber.com/references/d8e7b428-84dd-4d96-b3f3-70e7ed7f8271)]",
@@ -19804,7 +19804,7 @@
 }
 ],
 "uuid": "77fe7b25-a1a1-488f-b0af-08e6e1508301",
- "value": "Bladabindi"
+ "value": "Bladabindi - Associated Software"
 },
 {
 "description": "[njRAT](https://app.tidalcyber.com/software/82996f6f-0575-45cd-8f7c-ba1b063d5b9f) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[[Fidelis njRAT June 2013](https://app.tidalcyber.com/references/6c985470-a923-48fd-82c9-9128b6d59bcb)]",
@@ -19940,7 +19940,7 @@
 }
 ],
 "uuid": "b1dc73c7-6591-430b-9802-5b66758f787c",
- "value": "nmap.exe"
+ "value": "nmap.exe - Associated Software"
 },
 {
 "description": "According to its project website, \"Nmap (\"Network Mapper\") is a free and open source utility for network discovery and security auditing\".[[Nmap: the Network Mapper](/references/65f1bbaa-8ad1-4ad5-b726-660558d27efc)]",
@@ -20026,7 +20026,7 @@
 }
 ],
 "uuid": "f9b55f54-e33d-4df3-987e-fc10919f9a4d",
- "value": "Diskcoder.C"
+ "value": "Diskcoder.C - Associated Software"
 },
 {
 "description": "[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)][[ESET Telebots June 2017](https://app.tidalcyber.com/references/eb5c2951-b149-4e40-bc5f-b2630213eb8b)]",
@@ -20040,7 +20040,7 @@
 }
 ],
 "uuid": "cfd041ef-c3f4-4a5e-92dc-4fd9b627983f",
- "value": "Petrwrap"
+ "value": "Petrwrap - Associated Software"
 },
 {
 "description": "[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)]",
@@ -20054,7 +20054,7 @@
 }
 ],
 "uuid": "2f3dc4fc-1f8c-40e2-a241-9edd349e24d6",
- "value": "GoldenEye"
+ "value": "GoldenEye - Associated Software"
 },
 {
 "description": "[[ESET Telebots June 2017](https://app.tidalcyber.com/references/eb5c2951-b149-4e40-bc5f-b2630213eb8b)]",
@@ -20068,7 +20068,7 @@
 }
 ],
 "uuid": "544d9871-b68a-4bb1-99a4-c56777ce208e",
- "value": "ExPetr"
+ "value": "ExPetr - Associated Software"
 },
 {
 "description": "[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)]",
@@ -20082,7 +20082,7 @@
 }
 ],
 "uuid": "2b7f9965-810d-4018-905d-8530af166fb6",
- "value": "Nyetya"
+ "value": "Nyetya - Associated Software"
 },
 {
 "description": "[NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) is malware that was used by [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://app.tidalcyber.com/software/2538e0fe-1290-4ae1-aef9-e55d83c9eb23) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[[Talos Nyetya June 2017](https://app.tidalcyber.com/references/c76e806c-b0e3-4ab9-ba6d-68a9f731f127)][[US-CERT NotPetya 2017](https://app.tidalcyber.com/references/6a009850-834b-4178-9028-2745921b6743)][[ESET Telebots June 2017](https://app.tidalcyber.com/references/eb5c2951-b149-4e40-bc5f-b2630213eb8b)][[US District Court Indictment GRU Unit 74455 October 2020](https://app.tidalcyber.com/references/77788d05-30ff-4308-82e6-d123a3c2fd80)]",
@@ -20150,7 +20150,7 @@
 }
 ],
 "uuid": "ed19a544-699c-43c2-a3bb-4503b220354f",
- "value": "npcap.exe"
+ "value": "npcap.exe - Associated Software"
 },
 {
 "description": "According to its project website, \"Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows\".[[Npcap: Windows Packet Capture Library & Driver](/references/c8dc5650-eb37-4bb6-b5b7-e6269c79785c)] Nmap is a utility used for network discovery and security auditing.",
@@ -20192,7 +20192,7 @@
 }
 ],
 "uuid": "39494b87-38c0-4b84-89c9-3bcd45f3bc3f",
- "value": "ntdsutil.exe"
+ "value": "ntdsutil.exe - Associated Software"
 },
 {
 "description": "Ntdsutil is a Windows command-line tool \"that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).\"[[Ntdsutil Microsoft](/references/34de2f08-0481-4894-80ef-86506d821cf0)]",
@@ -20342,7 +20342,7 @@
 }
 ],
 "uuid": "b227bbff-8291-4e0d-950d-93785e4058ee",
- "value": "Odbcconf.exe"
+ "value": "Odbcconf.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used in Windows for managing ODBC connections\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\odbcconf.exe\n* C:\\Windows\\SysWOW64\\odbcconf.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b](https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b)\n* [https://github.com/woanware/application-restriction-bypasses](https://github.com/woanware/application-restriction-bypasses)\n* [https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/](https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/)\n\n**Detection:**\n* Sigma: [proc_creation_win_odbcconf_response_file.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml)\n* Sigma: [proc_creation_win_odbcconf_response_file_susp.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]",
@@ -20389,7 +20389,7 @@
 }
 ],
 "uuid": "bc428876-7d48-4a33-a080-77916fc66ebc",
- "value": "OfflineScannerShell.exe"
+ "value": "OfflineScannerShell.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Defender Offline Shell\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Program Files\\Windows Defender\\Offline\\OfflineScannerShell.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbas_offlinescannershell.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml)\n* IOC: OfflineScannerShell.exe should not be run on a normal workstation[[OfflineScannerShell.exe - LOLBAS Project](/references/8194442f-4f86-438e-bd0c-f4cbda0264b8)]",
@@ -20457,7 +20457,7 @@
 }
 ],
 "uuid": "b710376a-55b9-44c5-8200-c43d2753e16a",
- "value": "Sasfis"
+ "value": "Sasfis - Associated Software"
 },
 {
 "description": "[OLDBAIT](https://app.tidalcyber.com/software/479814e2-2656-4ea2-9e79-fcdb818f703e) is a credential harvester used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5). [[FireEye APT28](https://app.tidalcyber.com/references/c423b2b2-25a3-4a8d-b89a-83ab07c0cd20)] [[FireEye APT28 January 2017](https://app.tidalcyber.com/references/61d80b8f-5bdb-41e6-b59a-d2d996392873)]",
@@ -20533,7 +20533,7 @@
 }
 ],
 "uuid": "b893fa8c-a561-4e33-b1f5-fb2b176530df",
- "value": "OneDriveStandaloneUpdater.exe"
+ "value": "OneDriveStandaloneUpdater.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** OneDrive Standalone Updater\n\n**Author:** Elliot Killick\n\n**Paths:**\n* %localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe\n\n**Resources:**\n* [https://github.com/LOLBAS-Project/LOLBAS/pull/153](https://github.com/LOLBAS-Project/LOLBAS/pull/153)\n\n**Detection:**\n* IOC: HKCU\\Software\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL\n* IOC: Reports of downloading from suspicious URLs in %localappdata%\\OneDrive\\setup\\logs\\StandaloneUpdate_*.log files\n* Sigma: [registry_set_lolbin_onedrivestandaloneupdater.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml)[[OneDriveStandaloneUpdater.exe - LOLBAS Project](/references/3d7dcd68-a7b2-438c-95bb-b7523a39c6f7)]",
@@ -20632,7 +20632,7 @@ } ], "uuid": "a3c7988f-9ac2-4f7a-ab9d-eb91e905e7a0", - "value": "OpenConsole.exe" + "value": "OpenConsole.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Console Window host for Windows Terminal\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os64\\OpenConsole.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os86\\OpenConsole.exe\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\Terminal\\ServiceHub\\os64\\OpenConsole.exe\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1537563834478645252](https://twitter.com/nas_bench/status/1537563834478645252)\n\n**Detection:**\n* IOC: OpenConsole.exe spawning unexpected processes\n* Sigma: [proc_creation_win_lolbin_openconsole.yml](https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml)[[OpenConsole.exe - LOLBAS Project](/references/e597522a-68ac-4d7e-80c4-db1c66d2da04)]", 
@@ -20673,7 +20673,7 @@ } ], "uuid": "aa558e34-f3ca-443e-b067-a6a88ee46cf6", - "value": "AIRBREAK" + "value": "AIRBREAK - Associated Software" }, { "description": "[Orz](https://app.tidalcyber.com/software/45a52a29-00c0-458a-b705-1040e06a43f2) is a custom JavaScript backdoor used by [Leviathan](https://app.tidalcyber.com/groups/eadd78e3-3b5d-430a-b994-4360b172c871). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [[Proofpoint Leviathan Oct 2017](https://app.tidalcyber.com/references/f8c2b67b-c097-4b48-8d95-266a45b7dd4d)] [[FireEye Periscope March 2018](https://app.tidalcyber.com/references/8edb5d2b-b5c4-4d9d-8049-43dd6ca9ab7f)]", @@ -20744,7 +20744,7 @@ } ], "uuid": "f89703da-6631-4e60-be1c-0ecbe5a6f738", - "value": "Backdoor.MacOS.OCEANLOTUS.F" + "value": "Backdoor.MacOS.OCEANLOTUS.F - Associated Software" }, { "description": "[OSX_OCEANLOTUS.D](https://app.tidalcyber.com/software/a45904b5-0ada-4567-be4c-947146c7f574) is a macOS backdoor used by [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145). First discovered in 2015, [APT32](https://app.tidalcyber.com/groups/c0fe9859-e8de-4ce1-bc3c-b489e914a145) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://app.tidalcyber.com/software/a45904b5-0ada-4567-be4c-947146c7f574) can also determine it's permission level and execute according to access type (`root` or `user`).[[Unit42 OceanLotus 2017](https://app.tidalcyber.com/references/fcaf57f1-6696-54a5-a78c-255c8f6ac235)][[TrendMicro MacOS April 2018](https://app.tidalcyber.com/references/e18ad1a7-1e7e-4aca-be9b-9ee12b41c147)][[Trend Micro MacOS Backdoor November 2020](https://app.tidalcyber.com/references/43726cb8-a169-4594-9323-fad65b9bae97)]", 
@@ -20790,7 +20790,7 @@ } ], "uuid": "b7c33058-21b0-46df-988c-88dfab53e83a", - "value": "Zshlayer" + "value": "Zshlayer - Associated Software" }, { "description": "[[Intego Shlayer Apr 2018](https://app.tidalcyber.com/references/3ca1254c-db51-4a5d-8242-ffd9e4481c22)][[Malwarebytes Crossrider Apr 2018](https://app.tidalcyber.com/references/80530288-26a3-4c3e-ace1-47510df10fbd)]", @@ -20804,7 +20804,7 @@ } ], "uuid": "1420094e-351e-4294-b59b-52d2da2724b8", - "value": "Crossrider" + "value": "Crossrider - Associated Software" }, { "description": "[OSX/Shlayer](https://app.tidalcyber.com/software/4d91d625-21d8-484a-b63f-0a3daa4ed434) is a Trojan designed to install adware on macOS that was first discovered in 2018.[[Carbon Black Shlayer Feb 2019](https://app.tidalcyber.com/references/d8212691-4a6e-49bf-bc33-740850a1189a)][[Intego Shlayer Feb 2018](https://app.tidalcyber.com/references/46eb883c-e203-4cd9-8f1c-c6ea12bc2742)]", @@ -20922,7 +20922,7 @@ } ], "uuid": "a9205e41-8ef6-4b3a-9477-f6b673668d11", - "value": "Peer-to-Peer ZeuS" + "value": "Peer-to-Peer ZeuS - Associated Software" }, { "description": "", @@ -20936,7 +20936,7 @@ } ], "uuid": "af301e1b-5252-41eb-8802-9c5129d40091", - "value": "Gameover ZeuS" + "value": "Gameover ZeuS - Associated Software" }, { "description": "[P2P ZeuS](https://app.tidalcyber.com/software/916f8a7c-e487-4446-b6ee-c8da712a9569) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. [[Dell P2P ZeuS](https://app.tidalcyber.com/references/773d1d91-a93c-4bb3-928b-4c3f82f2c889)]", @@ -20979,7 +20979,7 @@ } ], "uuid": "42353f34-77f6-4928-ae59-e3c9518ef1ba", - "value": "HEAVYPOT" + "value": "HEAVYPOT - Associated Software" }, { "description": "[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", 
@@ -20993,7 +20993,7 @@ } ], "uuid": "d1748d73-27f8-4bf1-a8cf-fcc82cebffbc", - "value": "GreetCake" + "value": "GreetCake - Associated Software" }, { "description": "[P8RAT](https://app.tidalcyber.com/software/1933ad3d-3085-4b1b-82b9-ac51b440e2bf) is a fileless malware used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to download and execute payloads since at least 2020.[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", @@ -21177,7 +21177,7 @@ } ], "uuid": "0d76d9ee-8696-42f9-9f34-52f3ad265995", - "value": "Fobushell" + "value": "Fobushell - Associated Software" }, { "description": "[P.A.S. Webshell](https://app.tidalcyber.com/software/4d79530c-2fd9-4438-a8da-74f42119695a) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[[ANSSI Sandworm January 2021](https://app.tidalcyber.com/references/5e619fef-180a-46d4-8bf5-998860b5ad7e)]", 
@@ -21255,7 +21255,7 @@ } ], "uuid": "4a3504d3-5ff3-4aa1-8894-74fabf92d922", - "value": "Pcalua.exe" + "value": "Pcalua.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Program Compatibility Assistant\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\pcalua.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/912659279806640128](https://twitter.com/KyleHanslovan/status/912659279806640128)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pcalua.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml)[[Pcalua.exe - LOLBAS Project](/references/958064d4-7f9f-46a9-b475-93d6587ed770)]", 
@@ -21354,7 +21354,7 @@ } ], "uuid": "3bc797f7-59bc-4ce6-8cf9-e533e317aaa8", - "value": "Pcwrun.exe" + "value": "Pcwrun.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Program Compatibility Wizard\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\pcwrun.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/991335019833708544](https://twitter.com/pabraeken/status/991335019833708544)\n* [https://twitter.com/nas_bench/status/1535663791362519040](https://twitter.com/nas_bench/status/1535663791362519040)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pcwrun_follina.yml](https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml)[[Pcwrun.exe - LOLBAS Project](/references/b5946ca4-1f1b-4cba-af2f-0b99d6fff8b0)]", 
@@ -21397,7 +21397,7 @@ } ], "uuid": "f464e0cd-7a76-4924-9473-90f334f886ce", - "value": "Pcwutl.dll" + "value": "Pcwutl.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft HTML Viewer\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\pcwutl.dll\n* c:\\windows\\syswow64\\pcwutl.dll\n\n**Resources:**\n* [https://twitter.com/harr0ey/status/989617817849876488](https://twitter.com/harr0ey/status/989617817849876488)\n* [https://windows10dll.nirsoft.net/pcwutl_dll.html](https://windows10dll.nirsoft.net/pcwutl_dll.html)\n\n**Detection:**\n* Analysis: [https://redcanary.com/threat-detection-report/techniques/rundll32/](https://redcanary.com/threat-detection-report/techniques/rundll32/)\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Pcwutl.dll - LOLBAS Project](/references/1050758d-20da-4c4a-83d3-40aeff3db9ca)]", @@ -21468,7 +21468,7 @@ } ], "uuid": "e7c7c852-6196-49e9-b883-ccfd5ae47aca", - "value": "Penquin 2.0" + "value": "Penquin 2.0 - Associated Software" }, { "description": "[[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]", 
@@ -21482,7 +21482,7 @@ } ], "uuid": "42c40368-672c-4118-bd35-9935208978e1", - "value": "Penquin_x64" + "value": "Penquin_x64 - Associated Software" }, { "description": "[Penquin](https://app.tidalcyber.com/software/951fad62-f636-4c01-b924-bb0ce87f5b20) is a remote access trojan (RAT) with multiple versions used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) to target Linux systems since at least 2014.[[Kaspersky Turla Penquin December 2014](https://app.tidalcyber.com/references/957edb5c-b893-4968-9603-1a6b8577f3aa)][[Leonardo Turla Penquin May 2020](https://app.tidalcyber.com/references/09d8bb54-6fa5-4842-98aa-6e9656a19092)]", 
@@ -21556,7 +21556,7 @@ } ], "uuid": "3c004ca1-7436-44e9-85e4-33d55fc74f5e", - "value": "Pester.bat" + "value": "Pester.bat - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used as part of the Powershell pester\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\bin\\Pester.bat\n* c:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*\\bin\\Pester.bat\n\n**Resources:**\n* [https://twitter.com/Oddvarmoe/status/993383596244258816](https://twitter.com/Oddvarmoe/status/993383596244258816)\n* [https://twitter.com/_st0pp3r_/status/1560072680887525378](https://twitter.com/_st0pp3r_/status/1560072680887525378)\n* [https://twitter.com/_st0pp3r_/status/1560072680887525378](https://twitter.com/_st0pp3r_/status/1560072680887525378)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pester_1.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml)[[Pester.bat - LOLBAS Project](/references/93f281f6-6fcc-474a-b222-b303ea417a18)]", 
@@ -21891,7 +21891,7 @@ } ], "uuid": "c29799e7-8d70-4312-890d-39eff939af8c", - "value": "Pktmon.exe" + "value": "Pktmon.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Capture Network Packets on the windows 10 with October 2018 Update or later.\n\n**Author:** Derek Johnson\n\n**Paths:**\n* c:\\windows\\system32\\pktmon.exe\n* c:\\windows\\syswow64\\pktmon.exe\n\n**Resources:**\n* [https://binar-x79.com/windows-10-secret-sniffer/](https://binar-x79.com/windows-10-secret-sniffer/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_pktmon.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml)\n* IOC: .etl files found on system[[Pktmon.exe - LOLBAS Project](/references/8f0ad4ed-869b-4332-b091-7551262cff29)]", @@ -21983,7 +21983,7 @@ } ], "uuid": "d7602f4b-ebea-466b-9e7f-17fe5e7238d6", - "value": "PuTTY Link" + "value": "PuTTY Link - Associated Software" }, { "description": "Plink is a tool used to automate Secure Shell (SSH) actions on Windows.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", @@ -22043,7 +22043,7 @@ } ], "uuid": "c0090129-1ec8-46c2-94da-7094a1d1e8ca", - "value": "DestroyRAT" + "value": "DestroyRAT - Associated Software" }, { "description": "[[Lastline PlugX Analysis](https://app.tidalcyber.com/references/9f7fa262-cede-4f47-94ca-1534c65c86e2)][[FireEye Clandestine Fox Part 2](https://app.tidalcyber.com/references/82500741-984d-4039-8f53-b303845c2849)][[CIRCL PlugX March 2013](https://app.tidalcyber.com/references/8ab89236-6994-43a3-906c-383e294f65d1)]", 
@@ -22057,7 +22057,7 @@ } ], "uuid": "c3f88c02-a063-443a-a555-c582639f648c", - "value": "Sogu" + "value": "Sogu - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -22071,7 +22071,7 @@ } ], "uuid": "6795a6c5-8701-4fbd-b8f4-ff0b5bd04cc2", - "value": "Thoper" + "value": "Thoper - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -22085,7 +22085,7 @@ } ], "uuid": "cca25e4e-d315-49e2-bfc1-be1ee4fac071", - "value": "TVT" + "value": "TVT - Associated Software" }, { "description": "[[FireEye Clandestine Fox Part 2](https://app.tidalcyber.com/references/82500741-984d-4039-8f53-b303845c2849)]", @@ -22099,7 +22099,7 @@ } ], "uuid": "6fb9ef48-3016-4f37-8254-1ae52022b6da", - "value": "Kaba" + "value": "Kaba - Associated Software" }, { "description": "[[Lastline PlugX Analysis](https://app.tidalcyber.com/references/9f7fa262-cede-4f47-94ca-1534c65c86e2)][[CIRCL PlugX March 2013](https://app.tidalcyber.com/references/8ab89236-6994-43a3-906c-383e294f65d1)]", @@ -22113,7 +22113,7 @@ } ], "uuid": "7ae0cf0a-daad-490c-90da-fe0e1f09a31c", - "value": "Korplug" + "value": "Korplug - Associated Software" }, { "description": "[PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[[Lastline PlugX Analysis](https://app.tidalcyber.com/references/9f7fa262-cede-4f47-94ca-1534c65c86e2)][[FireEye Clandestine Fox Part 2](https://app.tidalcyber.com/references/82500741-984d-4039-8f53-b303845c2849)][[New DragonOK](https://app.tidalcyber.com/references/82c1ed0d-a41d-4212-a3ae-a1d661bede2d)][[Dell TG-3390](https://app.tidalcyber.com/references/dfd2d832-a6c5-40e7-a554-5a92f05bebae)]", 
@@ -22254,7 +22254,7 @@ } ], "uuid": "6f09dbde-ae7a-4781-b317-286da2c88003", - "value": "Pnputil.exe" + "value": "Pnputil.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing drivers\n\n**Author:** Hai vaknin (lux)\n\n**Paths:**\n* C:\\Windows\\system32\\pnputil.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml)[[Pnputil.exe - LOLBAS Project](/references/21d0419a-5454-4808-b7e6-2b1b9de08ed6)]", @@ -22316,7 +22316,7 @@ } ], "uuid": "76cb912d-02e3-4f99-8cde-6f9b3f75f752", - "value": "Breut" + "value": "Breut - Associated Software" }, { "description": "[[FireEye Poison Ivy](https://app.tidalcyber.com/references/c189447e-a903-4dc2-a38b-1f4accc64e20)] [[Symantec Darkmoon Sept 2014](https://app.tidalcyber.com/references/3362a507-03c3-4236-b484-8144248b5cac)]", @@ -22330,7 +22330,7 @@ } ], "uuid": "5f9d7b30-b187-4437-8214-e6e966958553", - "value": "Poison Ivy" + "value": "Poison Ivy - Associated Software" }, { "description": "[[Symantec Darkmoon Sept 2014](https://app.tidalcyber.com/references/3362a507-03c3-4236-b484-8144248b5cac)]", 
@@ -22344,7 +22344,7 @@ } ], "uuid": "69b67620-b26e-42d3-bb65-b9a3fc734d19", - "value": "Darkmoon" + "value": "Darkmoon - Associated Software" }, { "description": "[PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3) is a popular remote access tool (RAT) that has been used by many groups.[[FireEye Poison Ivy](https://app.tidalcyber.com/references/c189447e-a903-4dc2-a38b-1f4accc64e20)][[Symantec Elderwood Sept 2012](https://app.tidalcyber.com/references/5e908748-d260-42f1-a599-ac38b4e22559)][[Symantec Darkmoon Aug 2005](https://app.tidalcyber.com/references/7088234d-a6fc-49ad-b4fd-2fe8ca333c1d)]", 
@@ -22662,7 +22662,7 @@ } ], "uuid": "6f48252d-3e86-415b-ab77-8c833d608b47", - "value": "Powerpnt.exe" + "value": "Powerpnt.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary.\n\n**Author:** Reegun J (OCBC Bank)\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\Powerpnt.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Powerpnt.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\Powerpnt.exe\n\n**Resources:**\n* [https://twitter.com/reegun21/status/1150032506504151040](https://twitter.com/reegun21/status/1150032506504151040)\n* 
[https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_office.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_office.yml)\n* IOC: Suspicious Office application Internet/network traffic[[Powerpnt.exe - LOLBAS Project](/references/23c48ab3-9426-4949-9a35-d1b9ecb4bb47)]", @@ -22755,7 +22755,7 @@ } ], "uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a", - "value": "DNSMessenger" + "value": "DNSMessenger - Associated Software" }, { "description": "[POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)] [[Cisco DNSMessenger March 2017](https://app.tidalcyber.com/references/49f22ba2-5aca-4204-858e-c2499a7050ae)]", @@ -22898,7 +22898,7 @@ } ], "uuid": "4aaf5b58-a6ca-4ec9-84fc-697469698130", - "value": "Powermud" + "value": "Powermud - Associated Software" }, { "description": "[POWERSTATS](https://app.tidalcyber.com/software/39fc59c6-f1aa-4c93-8e43-1f41563e9d9e) is a PowerShell-based first stage backdoor used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6). [[Unit 42 MuddyWater Nov 2017](https://app.tidalcyber.com/references/dcdee265-2e46-4f40-95c7-6a2683edb23a)]", 
@@ -23063,7 +23063,7 @@ } ], "uuid": "80b9a847-0d74-4c15-b86b-d34e43cfef21", - "value": "Presentationhost.exe" + "value": "Presentationhost.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** File is used for executing Browser applications\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Presentationhost.exe\n* C:\\Windows\\SysWOW64\\Presentationhost.exe\n\n**Resources:**\n* [https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf](https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf)\n* [https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_presentationhost_download.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml)\n* Sigma: [proc_creation_win_lolbin_presentationhost.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml)\n* IOC: Execution of .xbap files may not be common on production workstations[[Presentationhost.exe - LOLBAS Project](/references/37539e72-18f5-435a-a949-f9fa5991149a)]", 
@@ -23159,7 +23159,7 @@ } ], "uuid": "5d8bd4c1-3ab5-4521-8ee8-5da3aad90b7d", - "value": "Print.exe" + "value": "Print.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to send files to the printer\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\print.exe\n* C:\\Windows\\SysWOW64\\print.exe\n\n**Resources:**\n* [https://twitter.com/Oddvarmoe/status/985518877076541440](https://twitter.com/Oddvarmoe/status/985518877076541440)\n* [https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410](https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410)\n\n**Detection:**\n* Sigma: [proc_creation_win_print_remote_file_copy.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml)\n* IOC: Print.exe retrieving files from internet\n* IOC: Print.exe creating executable files on disk[[Print.exe - LOLBAS Project](/references/696ce89a-b3a1-4993-b30d-33a669a57031)]", 
@@ -23202,7 +23202,7 @@ } ], "uuid": "91a3db3c-53a5-4ee8-9586-af5d8f95ce4c", - "value": "PrintBrm.exe" + "value": "PrintBrm.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Printer Migration Command-Line Tool\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\spool\\tools\\PrintBrm.exe\n\n**Resources:**\n* [https://twitter.com/elliotkillick/status/1404117015447670800](https://twitter.com/elliotkillick/status/1404117015447670800)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_printbrm.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml)\n* IOC: PrintBrm.exe should not be run on a normal workstation[[PrintBrm.exe - LOLBAS Project](/references/a7ab6f09-c22f-4627-afb1-c13a963efca5)]", @@ -23245,7 +23245,7 @@ } ], "uuid": "f2c150e6-f4dc-4766-8579-16e739a6ca9b", - "value": "Microsoft Sysinternals ProcDump" + "value": "Microsoft Sysinternals ProcDump - Associated Software" }, { "description": "ProcDump is a tool used to monitor applications for CPU spikes and generate crash dumps.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", 
@@ -23356,7 +23356,7 @@ } ], "uuid": "e8e39cc1-349c-43ca-b45d-9e8f5ead6be4", - "value": "ProtocolHandler.exe" + "value": "ProtocolHandler.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary\n\n**Author:** Nir Chako\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\ProtocolHandler.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\ProtocolHandler.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\ProtocolHandler.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\ProtocolHandler.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\ProtocolHandler.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_protocolhandler_download.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml)\n* IOC: Suspicious Office application Internet/network traffic[[ProtocolHandler.exe - LOLBAS Project](/references/1f678111-dfa3-4c06-9359-816b9ca12cd0)]", 
@@ -23420,7 +23420,7 @@ } ], "uuid": "7eaa281e-d584-46da-bf0a-abc1fd34f925", - "value": "Provlaunch.exe" + "value": "Provlaunch.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Launcher process\n\n**Author:** Grzegorz Tworek\n\n**Paths:**\n* c:\\windows\\system32\\provlaunch.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1674399582162153472](https://twitter.com/0gtweet/status/1674399582162153472)\n\n**Detection:**\n* Sigma: [proc_creation_win_provlaunch_potential_abuse.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml)\n* Sigma: [proc_creation_win_provlaunch_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml)\n* Sigma: [proc_creation_win_registry_provlaunch_provisioning_command.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml)\n* Sigma: [registry_set_provisioning_command_abuse.yml](https://github.com/SigmaHQ/sigma/blob/9cb124f841c4358ca859e8474d6e7bb5268284a2/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml)\n* IOC: c:\\windows\\system32\\provlaunch.exe executions\n* IOC: Creation/existence of HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands subkeys[[Provlaunch.exe - LOLBAS Project](/references/56a57369-4707-4dff-ad23-431109f24233)]", 
@@ -23698,7 +23698,7 @@ } ], "uuid": "85383485-01f9-42a5-9b44-c45c03eae766", - "value": "Psr.exe" + "value": "Psr.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Problem Steps Recorder, used to record screen and clicks.\n\n**Author:** Leon Rodenko\n\n**Paths:**\n* c:\\windows\\system32\\psr.exe\n* c:\\windows\\syswow64\\psr.exe\n\n**Resources:**\n* [https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx](https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx)\n\n**Detection:**\n* Sigma: [proc_creation_win_psr_capture_screenshots.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml)\n* IOC: psr.exe spawned\n* IOC: suspicious activity when running with \"/gui 0\" flag[[Psr.exe - LOLBAS Project](/references/a00782cf-f6b2-4b63-9d8d-97efe17e11c0)]", @@ -23764,7 +23764,7 @@ } ], "uuid": "e3e379e2-1543-4794-9b89-852ba7f6eac7", - "value": "Pterodo" + "value": "Pterodo - Associated Software" }, { "description": "[Pteranodon](https://app.tidalcyber.com/software/7fed4276-807e-4656-95f5-90878b6e2dbb) is a custom backdoor used by [Gamaredon Group](https://app.tidalcyber.com/groups/41e8b4a4-2d31-46ee-bc56-12375084d067). [[Palo Alto Gamaredon Feb 2017](https://app.tidalcyber.com/references/3f9a6343-1db3-4696-99ed-f22c6eabee71)]", 
@@ -23812,7 +23812,7 @@
 }
 ],
 "uuid": "a5f525c2-c9ad-4b97-be30-659bbc34107d",
- "value": "Pubprn.vbs"
+ "value": "Pubprn.vbs - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with Pubprn.vbs\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n* C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n\n**Resources:**\n* [https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/](https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/)\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_pubprn.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml)[[Pubprn.vbs - LOLBAS Project](/references/d2b6b9fd-5f80-41c0-ac22-06b78c86a9e5)]",
@@ -23884,7 +23884,7 @@
 }
 ],
 "uuid": "8f1073b3-4371-488d-b299-7e6f6e6fcae9",
- "value": "ShellTea"
+ "value": "ShellTea - Associated Software"
 },
 {
 "description": "[PUNCHBUGGY](https://app.tidalcyber.com/software/d8999d60-3818-4d75-8756-8a55531254d8) is a backdoor malware used by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) that has been observed targeting POS networks in the hospitality industry. [[Morphisec ShellTea June 2019](https://app.tidalcyber.com/references/1b6ce918-651a-480d-8305-82bccbf42e96)][[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)] [[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]",
@@ -23930,7 +23930,7 @@
 }
 ],
 "uuid": "b81c8997-5615-4fc9-a091-a5842cf69819",
- "value": "PSVC"
+ "value": "PSVC - Associated Software"
 },
 {
 "description": "[PUNCHTRACK](https://app.tidalcyber.com/software/1638d99b-fbcf-40ec-ac48-802ce5be520a) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://app.tidalcyber.com/groups/b3061284-0335-4dcb-9f8e-a3b0412fd46f) to scrape payment card data. [[FireEye Fin8 May 2016](https://app.tidalcyber.com/references/2079101c-d988-430a-9082-d25c475b2af5)] [[FireEye Know Your Enemy FIN8 Aug 2016](https://app.tidalcyber.com/references/0119687c-b46b-4b5f-a6d8-affa14258392)]",
@@ -24114,7 +24114,7 @@
 }
 ],
 "uuid": "da345299-97db-4e76-b81f-265ebd54cbcb",
- "value": "Mespinoza"
+ "value": "Mespinoza - Associated Software"
 },
 {
 "description": "[Pysa](https://app.tidalcyber.com/software/e0d5ecce-eca0-4f01-afcc-0c8e92323016) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.[[CERT-FR PYSA April 2020](https://app.tidalcyber.com/references/4e502db6-2e09-4422-9dcc-1e10e701e122)]",
@@ -24157,7 +24157,7 @@
 }
 ],
 "uuid": "96dcc3d3-057c-4e81-b833-a9f09c1f3194",
- "value": "Pinkslipbot"
+ "value": "Pinkslipbot - Associated Software"
 },
 {
 "description": "[[Trend Micro Qakbot December 2020](https://app.tidalcyber.com/references/c061ce45-1452-4c11-9586-bd5eb2d718ab)][[Red Canary Qbot](https://app.tidalcyber.com/references/6e4960e7-ae5e-4b68-ac85-4bd84e940634)][[Kaspersky QakBot September 2021](https://app.tidalcyber.com/references/f40cabe3-a324-4b4d-8e95-25c036dbd8b5)][[ATT QakBot April 2021](https://app.tidalcyber.com/references/c7b0b3f3-e9ea-4159-acd1-f6d92ed41828)]",
@@ -24171,7 +24171,7 @@
 }
 ],
 "uuid": "11b32ebe-8ee3-46bc-aaf0-b0761dfa9c0c",
- "value": "QBot"
+ "value": "QBot - Associated Software"
 },
 {
 "description": "[[Kaspersky QakBot September 2021](https://app.tidalcyber.com/references/f40cabe3-a324-4b4d-8e95-25c036dbd8b5)]",
@@ -24185,7 +24185,7 @@
 }
 ],
 "uuid": "e26ce4bb-2117-4f21-be70-5cb4c448c303",
- "value": "QuackBot"
+ "value": "QuackBot - Associated Software"
 },
 {
 "description": "[QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://app.tidalcyber.com/software/9050b418-5ffd-481a-a30d-f9059b0871ea) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://app.tidalcyber.com/software/c8af096e-c71e-4751-b203-70c285b7a7bd) and [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66).[[Trend Micro Qakbot December 2020](https://app.tidalcyber.com/references/c061ce45-1452-4c11-9586-bd5eb2d718ab)][[Red Canary Qbot](https://app.tidalcyber.com/references/6e4960e7-ae5e-4b68-ac85-4bd84e940634)][[Kaspersky QakBot September 2021](https://app.tidalcyber.com/references/f40cabe3-a324-4b4d-8e95-25c036dbd8b5)][[ATT QakBot April 2021](https://app.tidalcyber.com/references/c7b0b3f3-e9ea-4159-acd1-f6d92ed41828)]",
@@ -24272,7 +24272,7 @@
 }
 ],
 "uuid": "cc118a28-e714-416e-bf2d-e82525f4782d",
- "value": "xRAT"
+ "value": "xRAT - Associated Software"
 },
 {
 "description": "[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is developed in the C# language.[[GitHub QuasarRAT](https://app.tidalcyber.com/references/c87e4427-af97-4e93-9596-ad5a588aa171)][[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]",
@@ -24334,7 +24334,7 @@
 }
 ],
 "uuid": "9f3ab541-3447-4e2e-9f35-f7f1f7328385",
- "value": "Tunnus"
+ "value": "Tunnus - Associated Software"
 },
 {
 "description": "[QUIETCANARY](https://app.tidalcyber.com/software/52d3515c-5184-5257-bf24-56adccb4cccd) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[[Mandiant Suspected Turla Campaign February 2023](https://app.tidalcyber.com/references/d8f43a52-a59e-5567-8259-821b1b6bde43)]",
@@ -24431,7 +24431,7 @@
 }
 ],
 "uuid": "b75127d4-1d6e-49fe-9919-fe5e471be7c2",
- "value": "Quser.exe"
+ "value": "Quser.exe - Associated Software"
 },
 {
 "description": "According to joint Cybersecurity Advisory AA23-250A (September 2023), Quser is \"a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server\".[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]",
@@ -24645,7 +24645,7 @@
 }
 ],
 "uuid": "4a94b274-9bc0-4c51-82d7-e82f6e107b9c",
- "value": "Rasautou.exe"
+ "value": "Rasautou.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Remote Access Dialer\n\n**Author:** Tony Lambert\n\n**Paths:**\n* C:\\Windows\\System32\\rasautou.exe\n\n**Resources:**\n* [https://github.com/fireeye/DueDLLigence](https://github.com/fireeye/DueDLLigence)\n* [https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html](https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html)\n\n**Detection:**\n* Sigma: [win_rasautou_dll_execution.yml](https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_rasautou_dll_execution.yml)\n* IOC: rasautou.exe command line containing -d and -p[[Rasautou.exe - LOLBAS Project](/references/dc299f7a-403b-4a22-9386-0be3e160d185)]",
@@ -24757,7 +24757,7 @@
 }
 ],
 "uuid": "d6d49a18-4cf9-4ba3-906c-0091494c42e4",
- "value": "FIENDCRY"
+ "value": "FIENDCRY - Associated Software"
 },
 {
 "description": "The DUEBREW component is a Perl2Exe binary launcher. [[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)] [[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]",
@@ -24771,7 +24771,7 @@
 }
 ],
 "uuid": "2f190c9a-f999-4e44-8083-619225ef7890",
- "value": "DUEBREW"
+ "value": "DUEBREW - Associated Software"
 },
 {
 "description": "The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. [[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)] [[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]",
@@ -24785,7 +24785,7 @@
 }
 ],
 "uuid": "61841581-51bc-4559-b87f-e3fbadf40eb7",
- "value": "DRIFTWOOD"
+ "value": "DRIFTWOOD - Associated Software"
 },
 {
 "description": "[RawPOS](https://app.tidalcyber.com/software/6ea1bf95-fed8-4b94-8071-aa19a3af5e34) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [[Kroll RawPOS Jan 2017](https://app.tidalcyber.com/references/cbbfffb9-c378-4e57-a2af-e76e6014ed57)] [[TrendMicro RawPOS April 2015](https://app.tidalcyber.com/references/e483ed86-713b-42c6-ad77-e9b889bbcb81)] [[Visa RawPOS March 2015](https://app.tidalcyber.com/references/a2371f44-0a88-4d68-bbe7-7e79f13f78c2)] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [[Mandiant FIN5 GrrCON Oct 2016](https://app.tidalcyber.com/references/2bd39baf-4223-4344-ba93-98aa8453dc11)] [[DarkReading FireEye FIN5 Oct 2015](https://app.tidalcyber.com/references/afe0549d-dc1b-4bcf-9a1d-55698afd530e)]",
@@ -24921,7 +24921,7 @@
 }
 ],
 "uuid": "c0f4b154-5dac-40e7-b6d0-eb111c1da58c",
- "value": "rcsi.exe"
+ "value": "rcsi.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Non-Interactive command line inerface included with Visual Studio.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/](https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/)\n\n**Detection:**\n* Sigma: [proc_creation_win_csi_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)\n* BlockRule: [proc_creation_win_csi_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_csi_execution.yml)[[rcsi.exe - LOLBAS Project](/references/dc02058a-7ed3-4253-a976-6f99b9e91406)]",
@@ -25046,7 +25046,7 @@
 }
 ],
 "uuid": "d6302e6b-9ff5-4278-9d9d-98cbbffb5cc2",
- "value": "rdrleakdiag.exe"
+ "value": "rdrleakdiag.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Windows resource leak diagnostic tool\n\n**Author:** John Dwyer\n\n**Paths:**\n* c:\\windows\\system32\\rdrleakdiag.exe\n* c:\\Windows\\SysWOW64\\rdrleakdiag.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1299071304805560321?s=21](https://twitter.com/0gtweet/status/1299071304805560321?s=21)\n* [https://www.pureid.io/dumping-abusing-windows-credentials-part-1/](https://www.pureid.io/dumping-abusing-windows-credentials-part-1/)\n* [https://github.com/LOLBAS-Project/LOLBAS/issues/84](https://github.com/LOLBAS-Project/LOLBAS/issues/84)\n\n**Detection:**\n* Sigma: [proc_creation_win_rdrleakdiag_process_dumping.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml)\n* Elastic: [https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html](https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)[[rdrleakdiag.exe - LOLBAS Project](/references/1feff728-2230-4a45-bd64-6093f8b42646)]",
@@ -25108,7 +25108,7 @@
 }
 ],
 "uuid": "07310f3e-ca07-43f8-a5fd-f078bd0b1ae4",
- "value": "BUGJUICE"
+ "value": "BUGJUICE - Associated Software"
 },
 {
 "description": "[RedLeaves](https://app.tidalcyber.com/software/5264c3ab-14e1-4ae1-854e-889ebde029b4) is a malware family used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). The code overlaps with [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10) and may be based upon the open source tool Trochilus. [[PWC Cloud Hopper Technical Annex April 2017](https://app.tidalcyber.com/references/da6c8a72-c732-44d5-81ac-427898706eed)] [[FireEye APT10 April 2017](https://app.tidalcyber.com/references/2d494df8-83e3-45d2-b798-4c3bcf55f675)]",
@@ -25151,7 +25151,7 @@
 }
 ],
 "uuid": "7d5f2e75-7ff0-44e4-b8a7-2d817c58ffe0",
- "value": "reg.exe"
+ "value": "reg.exe - Associated Software"
 },
 {
 "description": "[Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)]\n\nUtilities such as [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) are known to be used by persistent threats. [[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]",
@@ -25235,7 +25235,7 @@
 }
 ],
 "uuid": "39a11044-91eb-4631-9272-b29b46694271",
- "value": "Regasm.exe"
+ "value": "Regasm.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Part of .NET\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/](https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_regasm.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml)\n* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)\n* Splunk: [suspicious_regsvcs_regasm_activity.md](https://github.com/splunk/security_content/blob/bc93e670f5dcb24e96fbe3664d6bcad92df5acad/docs/_stories/suspicious_regsvcs_regasm_activity.md)\n* Splunk: [detect_regasm_with_network_connection.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regasm_with_network_connection.yml)\n* IOC: regasm.exe executing dll file[[LOLBAS Regasm](/references/b6a3356f-72c2-4ec2-a276-2432eb691055)]",
@@ -25306,7 +25306,7 @@
 }
 ],
 "uuid": "f230afe5-bf37-46ae-9f46-124ad37bb0e3",
- "value": "Regedit.exe"
+ "value": "Regedit.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to manipulate registry\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\regedit.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_regedit_import_keys_ads.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml)\n* IOC: regedit.exe reading and writing to alternate data stream\n* IOC: regedit.exe should normally not be executed by end-users[[Regedit.exe - LOLBAS Project](/references/86e47198-751b-4754-8741-6dd8f2960416)]",
@@ -25370,7 +25370,7 @@
 }
 ],
 "uuid": "16554d65-2a29-4401-9930-cad7f681a7e3",
- "value": "Regini.exe"
+ "value": "Regini.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to manipulate the registry\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\regini.exe\n* C:\\Windows\\SysWOW64\\regini.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_regini_ads.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_ads.yml)\n* Sigma: [proc_creation_win_regini_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regini_execution.yml)\n* IOC: regini.exe reading from ADS[[Regini.exe - LOLBAS Project](/references/db2573d2-6ecd-4c5a-b038-2f799f9723ae)]",
@@ -25413,7 +25413,7 @@
 }
 ],
 "uuid": "17ba6fd7-2072-4ef8-955a-87ccea4f9ec9",
- "value": "Register-cimprovider.exe"
+ "value": "Register-cimprovider.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to register new wmi providers\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Register-cimprovider.exe\n* C:\\Windows\\SysWOW64\\Register-cimprovider.exe\n\n**Resources:**\n* [https://twitter.com/PhilipTsukerman/status/992021361106268161](https://twitter.com/PhilipTsukerman/status/992021361106268161)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_register_cimprovider.yml](https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml)\n* IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious[[Register-cimprovider.exe - LOLBAS Project](/references/d445d016-c4f1-45c8-929d-913867275417)]",
@@ -25456,7 +25456,7 @@
 }
 ],
 "uuid": "784ed6e9-5db4-4aeb-ac49-a5e402062a89",
- "value": "Regsvcs.exe"
+ "value": "Regsvcs.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\Windows\\Microsoft.NET\\Framework\\v*\\regsvcs.exe\n* c:\\Windows\\Microsoft.NET\\Framework64\\v*\\regsvcs.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/](https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_regasm.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml)\n* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)\n* Splunk: [detect_regsvcs_with_network_connection.yml](https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_regsvcs_with_network_connection.yml)[[LOLBAS Regsvcs](/references/3f669f4c-0b94-4b78-ad3e-fd62f7600902)]",
@@ -25499,7 +25499,7 @@
 }
 ],
 "uuid": "400f3e02-f6b9-405a-8cd0-12dcf81cf4e4",
- "value": "Regsvr32.exe"
+ "value": "Regsvr32.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to register dlls\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\regsvr32.exe\n* C:\\Windows\\SysWOW64\\regsvr32.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/](https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_regsvr32_susp_parent.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml)\n* Sigma: [proc_creation_win_regsvr32_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml)\n* Sigma: [proc_creation_win_regsvr32_susp_exec_path_1.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml)\n* Sigma: [proc_creation_win_regsvr32_network_pattern.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml)\n* Sigma: [net_connection_win_regsvr32_network_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml)\n* Sigma: [dns_query_win_regsvr32_network_activity.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml)\n* Sigma: [proc_creation_win_regsvr32_flags_anomaly.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Splunk: [detect_regsvr32_application_control_bypass.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_regsvr32_application_control_bypass.yml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Elastic: [execution_register_server_program_connecting_to_the_internet.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/execution_register_server_program_connecting_to_the_internet.toml)\n* IOC: regsvr32.exe retrieving files from Internet\n* IOC: regsvr32.exe executing scriptlet (sct) files\n* IOC: DotNet CLR libraries loaded into regsvr32.exe\n* IOC: DotNet CLR Usage Log - regsvr32.exe.log[[LOLBAS Regsvr32](/references/8e32abef-534e-475a-baad-946b6ec681c1)]",
@@ -25639,7 +25639,7 @@
 }
 ],
 "uuid": "fcde468a-6c78-46b0-967a-240fcbe815f6",
- "value": "Remote.exe"
+ "value": "Remote.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging tool included with Windows Debugging Tools\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\remote.exe\n* C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\remote.exe\n\n**Resources:**\n* [https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/](https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/)\n\n**Detection:**\n* IOC: remote.exe process spawns\n* Sigma: [proc_creation_win_lolbin_remote.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml)[[Remote.exe - LOLBAS Project](/references/9a298f83-80b8-45a3-9f63-6119be6621b4)]",
@@ -25730,7 +25730,7 @@
 }
 ],
 "uuid": "4535e2aa-6351-4200-9e81-ea1a883bc6d3",
- "value": "ProjectSauron"
+ "value": "ProjectSauron - Associated Software"
 },
 {
 "description": "",
@@ -25744,7 +25744,7 @@
 }
 ],
 "uuid": "818bf505-64bb-43da-88ae-58c60c8590b3",
- "value": "Backdoor.Remsec"
+ "value": "Backdoor.Remsec - Associated Software"
 },
 {
 "description": "[Remsec](https://app.tidalcyber.com/software/e3729cff-f25e-4c01-a7a1-e8b83e903b30) is a modular backdoor that has been used by [Strider](https://app.tidalcyber.com/groups/deb573c6-071a-4b50-9e92-4aa648d8bdc1) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [[Symantec Strider Blog](https://app.tidalcyber.com/references/664eac41-257f-4d4d-aba5-5d2e8e2117a7)]",
@@ -25793,7 +25793,7 @@
 }
 ],
 "uuid": "9e22fb92-6276-4af9-8394-9d6f8a62df9b",
- "value": "Replace.exe"
+ "value": "Replace.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to replace file with another file\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\replace.exe\n* C:\\Windows\\SysWOW64\\replace.exe\n\n**Resources:**\n* [https://twitter.com/elceef/status/986334113941655553](https://twitter.com/elceef/status/986334113941655553)\n* [https://twitter.com/elceef/status/986842299861782529](https://twitter.com/elceef/status/986842299861782529)\n\n**Detection:**\n* IOC: Replace.exe retrieving files from remote server\n* Sigma: [proc_creation_win_lolbin_replace.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml)[[Replace.exe - LOLBAS Project](/references/82a473e9-208c-4c47-bf38-92aee43238dd)]",
@@ -25897,7 +25897,7 @@
 }
 ],
 "uuid": "6fcd580a-ca00-4d56-95e5-d33d34d9da3a",
- "value": "Sodinokibi"
+ "value": "Sodinokibi - Associated Software"
 },
 {
 "description": "[[Intel 471 REvil March 2020](https://app.tidalcyber.com/references/b939dc98-e00e-4d47-84a4-3eaaeb5c0abf)][[Kaspersky Sodin July 2019](https://app.tidalcyber.com/references/ea46271d-3251-4bd7-afa8-f1bd7baf9570)]",
@@ -25911,7 +25911,7 @@
 }
 ],
 "uuid": "37fc63a5-5059-4fd9-b598-ae195d9f7d1f",
- "value": "Sodin"
+ "value": "Sodin - Associated Software"
 },
 {
 "description": "[REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://app.tidalcyber.com/groups/b4d068ac-9b68-4cd8-bf0c-019f910ef8e3) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://app.tidalcyber.com/software/9314531e-bf46-4cba-9c19-198279ccf9cd), which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[[Secureworks REvil September 2019](https://app.tidalcyber.com/references/8f4e2baf-4227-4bbd-bfdb-5598717dcf88)][[Intel 471 REvil March 2020](https://app.tidalcyber.com/references/b939dc98-e00e-4d47-84a4-3eaaeb5c0abf)][[Group IB Ransomware May 2020](https://app.tidalcyber.com/references/18d20965-f1f4-439f-a4a3-34437ad1fe14)]",
@@ -26316,7 +26316,7 @@
 }
 ],
 "uuid": "86869abd-b428-4415-91be-d5413eeac0b5",
- "value": "Rpcping.exe"
+ "value": "Rpcping.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to verify rpc connection\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\rpcping.exe\n* C:\\Windows\\SysWOW64\\rpcping.exe\n\n**Resources:**\n* [https://github.com/vysec/RedTips](https://github.com/vysec/RedTips)\n* [https://twitter.com/vysecurity/status/974806438316072960](https://twitter.com/vysecurity/status/974806438316072960)\n* [https://twitter.com/vysecurity/status/873181705024266241](https://twitter.com/vysecurity/status/873181705024266241)\n* [https://twitter.com/splinter_code/status/1421144623678988298](https://twitter.com/splinter_code/status/1421144623678988298)\n\n**Detection:**\n* Sigma: [proc_creation_win_rpcping_credential_capture.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml)[[Rpcping.exe - LOLBAS Project](/references/dc15a187-4de7-422e-a507-223e89e317b1)]",
@@ -26381,7 +26381,7 @@
 }
 ],
 "uuid": "eca6bc18-bb6c-473e-b034-8362ead4e250",
- "value": "Redaman"
+ "value": "Redaman - Associated Software"
 },
 {
 "description": "[RTM](https://app.tidalcyber.com/software/1836485e-a3a6-4fae-a15d-d0990788811a) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://app.tidalcyber.com/groups/666ab5f0-3ef1-4e74-8a10-65c60a7d1acd)). Newer versions of the malware have been reported publicly as Redaman.[[ESET RTM Feb 2017](https://app.tidalcyber.com/references/ab2cced7-05b8-4788-8d3c-8eadb0aaf38c)][[Unit42 Redaman January 2019](https://app.tidalcyber.com/references/433cd55a-f912-4d5a-aff6-92133d08267b)]",
@@ -26484,7 +26484,7 @@
 }
 ],
 "uuid": "8919f626-0b08-4d5c-9872-b95a10b5e06b",
- "value": "Rundll32.exe"
+ "value": "Rundll32.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute dll files\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\rundll32.exe\n* C:\\Windows\\SysWOW64\\rundll32.exe\n\n**Resources:**\n* [https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/](https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/)\n* [https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7](https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7)\n* [https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/](https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/)\n* [https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n* [https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/](https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/)\n* [https://github.com/sailay1996/expl-bin/blob/master/obfus.md](https://github.com/sailay1996/expl-bin/blob/master/obfus.md)\n* [https://github.com/sailay1996/misc-bin/blob/master/rundll32.md](https://github.com/sailay1996/misc-bin/blob/master/rundll32.md)\n* [https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90](https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90)\n* 
[https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code](https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code)\n\n**Detection:**\n* Sigma: [net_connection_win_rundll32_net_connections.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml)\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Elastic: [defense_evasion_unusual_network_connection_via_rundll32.toml](https://github.com/elastic/detection-rules/blob/12577f7380f324fcee06dab3218582f4a11833e7/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml)\n* IOC: Outbount Internet/network connections made from rundll32\n* IOC: Suspicious use of cmdline flags such as -sta[[Rundll32.exe - LOLBAS Project](/references/90aff246-ce27-4f21-96f9-38543718ab07)]", 
@@ -26603,7 +26603,7 @@
 }
 ],
 "uuid": "e45aa3ea-628a-4b78-ae7c-bc9c9bf0c2fa",
- "value": "Runexehelper.exe"
+ "value": "Runexehelper.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Launcher process\n\n**Author:** Grzegorz Tworek\n\n**Paths:**\n* c:\\windows\\system32\\runexehelper.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1206692239839289344](https://twitter.com/0gtweet/status/1206692239839289344)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_runexehelper.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml)\n* IOC: c:\\windows\\system32\\runexehelper.exe is run\n* IOC: Existence of runexewithargs_output.txt file[[Runexehelper.exe - LOLBAS Project](/references/86ff0379-2b73-4981-9f13-2b02b53bc90f)]",
@@ -26667,7 +26667,7 @@
 }
 ],
 "uuid": "1879fe72-07da-461e-8f70-af95440b65de",
- "value": "Runonce.exe"
+ "value": "Runonce.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes a Run Once Task that has been configured in the registry\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\runonce.exe\n* C:\\Windows\\SysWOW64\\runonce.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/990717080805789697](https://twitter.com/pabraeken/status/990717080805789697)\n* [https://cmatskas.com/configure-a-runonce-task-on-windows/](https://cmatskas.com/configure-a-runonce-task-on-windows/)\n\n**Detection:**\n* Sigma: [registry_event_runonce_persistence.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml)\n* Sigma: [proc_creation_win_runonce_execution.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_runonce_execution.yml)\n* Elastic: [persistence_run_key_and_startup_broad.toml](https://github.com/elastic/detection-rules/blob/2926e98c5d998706ef7e248a63fb0367c841f685/rules/windows/persistence_run_key_and_startup_broad.toml)\n* IOC: Registy key add - HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\YOURKEY[[Runonce.exe - LOLBAS Project](/references/b97d4b16-ead2-4cc7-90e5-f8b05d84faf3)]",
@@ -26710,7 +26710,7 @@
 }
 ],
 "uuid": "f5e4afa0-6094-4fd1-8472-a459b5687cc9",
- "value": "Runscripthelper.exe"
+ "value": "Runscripthelper.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute target PowerShell script\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\WinSxS\\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\\Runscripthelper.exe\n* C:\\Windows\\WinSxS\\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\\Runscripthelper.exe\n\n**Resources:**\n* [https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc](https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_runscripthelper.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Event 4014 - Powershell logging\n* IOC: Event 400[[Runscripthelper.exe - LOLBAS Project](/references/6d7151e3-685a-4dc7-a44d-aefae4f3db6a)]",
@@ -26819,7 +26819,7 @@
 }
 ],
 "uuid": "8e87c30d-7a04-431a-9182-8991ed0e4464",
- "value": "Sakurel"
+ "value": "Sakurel - Associated Software"
 },
 {
 "description": "",
@@ -26833,7 +26833,7 @@
 }
 ],
 "uuid": "b27db543-4db8-4cf6-9321-c511efa7ecb7",
- "value": "VIPER"
+ "value": "VIPER - Associated Software"
 },
 {
 "description": "[Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [[Dell Sakula](https://app.tidalcyber.com/references/e9a2ffd8-7aed-4343-8678-66fc3e758d19)]",
@@ -26883,7 +26883,7 @@
 }
 ],
 "uuid": "accecc38-6a70-4fe4-97a2-86df1e07dbcb",
- "value": "Samas"
+ "value": "Samas - Associated Software"
 },
 {
 "description": "[SamSam](https://app.tidalcyber.com/software/88831e9f-453e-466f-9510-9acaa1f20368) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)][[Talos SamSam Jan 2018](https://app.tidalcyber.com/references/0965bb64-be96-46b9-b60f-6829c43a661f)][[Sophos SamSam Apr 2018](https://app.tidalcyber.com/references/4da5e9c3-7205-4a6e-b147-be7c971380f0)][[Symantec SamSam Oct 2018](https://app.tidalcyber.com/references/c5022a91-bdf4-4187-9967-dfe6362219ea)]",
@@ -26953,7 +26953,7 @@
 }
 ],
 "uuid": "51b405bf-637a-46e7-960f-44f7e964ca7e",
- "value": "Sc.exe"
+ "value": "Sc.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to manage services\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\sc.exe\n* C:\\Windows\\SysWOW64\\sc.exe\n\n**Resources:**\n* [https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/](https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_service_creation.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml)\n* Sigma: [proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml)\n* Sigma: [proc_creation_win_sc_service_path_modification.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml)\n* Splunk: [sc_exe_manipulating_windows_services.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/sc_exe_manipulating_windows_services.yml)\n* Elastic: [lateral_movement_cmd_service.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/lateral_movement_cmd_service.toml)\n* IOC: Unexpected service creation\n* IOC: Unexpected service 
modification[[Sc.exe - LOLBAS Project](/references/5ce3ef73-f789-4939-a60e-e0a373048bda)]",
@@ -26993,7 +26993,7 @@
 }
 ],
 "uuid": "8e0f3e81-6583-40f4-824c-2f5ba6b7e19d",
- "value": "schtasks.exe"
+ "value": "schtasks.exe - Associated Software"
 },
 {
 "description": "[schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]",
@@ -27081,7 +27081,7 @@
 }
 ],
 "uuid": "371af2c7-299d-48e3-ace1-a3e33ba2fedd",
- "value": "Scriptrunner.exe"
+ "value": "Scriptrunner.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute binary through proxy binary to evade defensive counter measures\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\scriptrunner.exe\n* C:\\Windows\\SysWOW64\\scriptrunner.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/914800377580503040](https://twitter.com/KyleHanslovan/status/914800377580503040)\n* [https://twitter.com/NickTyrer/status/914234924655312896](https://twitter.com/NickTyrer/status/914234924655312896)\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n\n**Detection:**\n* Sigma: [proc_creation_win_servu_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml)\n* IOC: Scriptrunner.exe should not be in use unless App-v is deployed[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]",
@@ -27123,7 +27123,7 @@
 }
 ],
 "uuid": "922a431d-1ebd-4ad2-a16d-054e3eb24a1f",
- "value": "Scrobj.dll"
+ "value": "Scrobj.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Script Component Runtime\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\scrobj.dll\n* c:\\windows\\syswow64\\scrobj.dll\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1479106975967240209](https://twitter.com/eral4m/status/1479106975967240209)\n\n**Detection:**\n* IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line[[Scrobj.dll - LOLBAS Project](/references/c50ff71f-c742-4d63-a18e-e1ce41d55193)]",
@@ -27231,7 +27231,7 @@
 }
 ],
 "uuid": "a2b8e082-e238-4bcc-89e0-f6fe424c1d89",
- "value": "SeaDaddy"
+ "value": "SeaDaddy - Associated Software"
 },
 {
 "description": "",
@@ -27245,7 +27245,7 @@
 }
 ],
 "uuid": "be5732aa-a2d1-4088-89af-caf36034f360",
- "value": "SeaDesk"
+ "value": "SeaDesk - Associated Software"
 },
 {
 "description": "[SeaDuke](https://app.tidalcyber.com/software/ae30d58e-21c5-41a4-9ebb-081dc1f26863) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://app.tidalcyber.com/software/c2353daa-fd4c-44e1-8013-55400439965a). [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]",
@@ -27382,7 +27382,7 @@
 }
 ],
 "uuid": "8e8fdcd6-5b2f-4672-91fe-740555345883",
- "value": "secretsdump.py"
+ "value": "secretsdump.py - Associated Software"
 },
 {
 "description": "According to joint Cybersecurity Advisory AA23-319A (November 2023), secretsdump is a Python script \"used to extract credentials and other confidential information from a system\".[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)] Secretsdump is publicly available and included as a module of Impacket, a tool for working with network protocols.[[GitHub secretsdump](/references/c29a90a7-016f-49b7-a970-334290964f19)]",
@@ -27493,7 +27493,7 @@
 }
 ],
 "uuid": "87bd69bf-cada-4225-a91e-a32add673522",
- "value": "Setres.exe"
+ "value": "Setres.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Configures display settings\n\n**Author:** Grzegorz Tworek\n\n**Paths:**\n* c:\\windows\\system32\\setres.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1583356502340870144](https://twitter.com/0gtweet/status/1583356502340870144)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_setres.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml)\n* IOC: Unusual location for choice.exe file\n* IOC: Process created from choice.com binary\n* IOC: Existence of choice.cmd file[[Setres.exe - LOLBAS Project](/references/631de0bd-d536-4183-bc5a-25af83bd795a)]",
@@ -27536,7 +27536,7 @@
 }
 ],
 "uuid": "ff7ceff1-6f98-4a50-9461-368b16d96b4b",
- "value": "SettingSyncHost.exe"
+ "value": "SettingSyncHost.exe - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Host Process for Setting Synchronization\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\SettingSyncHost.exe\n* C:\\Windows\\SysWOW64\\SettingSyncHost.exe\n\n**Resources:**\n* [https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/](https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_settingsynchost.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml)\n* IOC: SettingSyncHost.exe should not be run on a normal workstation[[SettingSyncHost.exe - LOLBAS Project](/references/57f573f2-1c9b-4037-8f4d-9ae65d13af94)]",
@@ -27579,7 +27579,7 @@
 }
 ],
 "uuid": "ff4e0a76-a50f-4605-9e19-2cb2309bbda7",
- "value": "Setupapi.dll"
+ "value": "Setupapi.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Setup Application Programming Interface\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\setupapi.dll\n* c:\\windows\\syswow64\\setupapi.dll\n\n**Resources:**\n* [https://github.com/huntresslabs/evading-autoruns](https://github.com/huntresslabs/evading-autoruns)\n* [https://twitter.com/pabraeken/status/994742106852941825](https://twitter.com/pabraeken/status/994742106852941825)\n* [https://windows10dll.nirsoft.net/setupapi_dll.html](https://windows10dll.nirsoft.net/setupapi_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_setupapi_installhinfsection.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml)\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___setupapi.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml)[[Setupapi.dll - LOLBAS Project](/references/1a8a1434-fc4a-4c3e-9a9b-fb91692d7efd)]",
@@ -27620,7 +27620,7 @@
 }
 ],
 "uuid": "86e74984-d06d-4b3e-be56-8c3af2060e99",
- "value": "POISONPLUG.SHADOW"
+ "value": "POISONPLUG.SHADOW - Associated Software"
 },
 {
 "description": "[ShadowPad](https://app.tidalcyber.com/software/5190f50d-7e54-410a-9961-79ab751ddbab) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://app.tidalcyber.com/groups/502223ee-8947-42f8-a532-a3b3da12b7d9), but has since been observed to be used by various Chinese threat activity groups. [[Recorded Future RedEcho Feb 2021](https://app.tidalcyber.com/references/6da7eb8a-aab4-41ea-a0b7-5313d88cbe91)][[Securelist ShadowPad Aug 2017](https://app.tidalcyber.com/references/862877d7-e18c-4613-bdad-0700bf3d45ae)][[Kaspersky ShadowPad Aug 2017](https://app.tidalcyber.com/references/95c9a28d-6056-4f87-9a46-9491318889e2)] ",
@@ -27682,7 +27682,7 @@
 }
 ],
 "uuid": "a834945d-2e57-44e0-9795-8bdc73208f61",
- "value": "Disttrack"
+ "value": "Disttrack - Associated Software"
 },
 {
 "description": "[Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://app.tidalcyber.com/software/840db1db-e262-4d6f-b6e3-2a64696a41c5) has also been seen leveraging [RawDisk](https://app.tidalcyber.com/software/d86a562d-d235-4481-9a3f-273fa3ebe89a) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[[Palo Alto Shamoon Nov 2016](https://app.tidalcyber.com/references/15007a87-a281-41ae-b203-fdafe02a885f)][[Unit 42 Shamoon3 2018](https://app.tidalcyber.com/references/c2148166-faf4-4ab7-a37e-deae0c88c08d)][[Symantec Shamoon 2012](https://app.tidalcyber.com/references/ac634e99-d951-402b-bb1c-e575753dfda8)][[FireEye Shamoon Nov 2016](https://app.tidalcyber.com/references/44b2eb6b-4902-4ca0-80e5-7333d620e075)]",
@@ -27910,7 +27910,7 @@
 }
 ],
 "uuid": "8a0c4826-3d7a-4eac-9f53-1a82316ea81f",
- "value": "Shdocvw.dll"
+ "value": "Shdocvw.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Shell Doc Object and Control Library.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\shdocvw.dll\n* c:\\windows\\syswow64\\shdocvw.dll\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/](http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/)\n* [https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)\n* [https://twitter.com/bohops/status/997690405092290561](https://twitter.com/bohops/status/997690405092290561)\n* [https://windows10dll.nirsoft.net/shdocvw_dll.html](https://windows10dll.nirsoft.net/shdocvw_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Shdocvw.dll - LOLBAS Project](/references/0739d5fe-b460-4ed4-be75-cff422643a32)]",
@@ -27953,7 +27953,7 @@
 }
 ],
 "uuid": "d60406be-9e87-4325-b130-ca74a8e3cb6f",
- "value": "Shell32.dll"
+ "value": "Shell32.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Shell Common Dll\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\shell32.dll\n* c:\\windows\\syswow64\\shell32.dll\n\n**Resources:**\n* [https://twitter.com/Hexacorn/status/885258886428725250](https://twitter.com/Hexacorn/status/885258886428725250)\n* [https://twitter.com/pabraeken/status/991768766898941953](https://twitter.com/pabraeken/status/991768766898941953)\n* [https://twitter.com/mattifestation/status/776574940128485376](https://twitter.com/mattifestation/status/776574940128485376)\n* [https://twitter.com/KyleHanslovan/status/905189665120149506](https://twitter.com/KyleHanslovan/status/905189665120149506)\n* [https://windows10dll.nirsoft.net/shell32_dll.html](https://windows10dll.nirsoft.net/shell32_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [rundll32_control_rundll_hunt.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml)[[Shell32.dll - LOLBAS Project](/references/9465358f-e0cc-41f0-a7f9-01d5faca8157)]",
@@ -27996,7 +27996,7 @@
 }
 ],
 "uuid": "03cadf3b-6313-4f0f-8ff1-b9944d6f86f2",
- "value": "Shimgvw.dll"
+ "value": "Shimgvw.dll - Associated Software"
 },
 {
 "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Photo Gallery Viewer\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\shimgvw.dll\n* c:\\windows\\syswow64\\shimgvw.dll\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1479080793003671557](https://twitter.com/eral4m/status/1479080793003671557)\n\n**Detection:**\n* IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line[[Shimgvw.dll - LOLBAS Project](/references/aba1cc57-ac30-400f-8b02-db7bf279dfb6)]",
@@ -28108,7 +28108,7 @@
 }
 ],
 "uuid": "1632745f-2d2f-4720-8ce4-53750459cb33",
- "value": "Backdoor.APT.CookieCutter"
+ "value": "Backdoor.APT.CookieCutter - Associated Software"
 },
 {
 "description": "[[FireEye Clandestine Fox Part 2](https://app.tidalcyber.com/references/82500741-984d-4039-8f53-b303845c2849)]",
@@ -28122,7 +28122,7 @@
 }
 ],
 "uuid": "9e091930-0bc1-48d3-b49a-046d0ef9819c",
- "value": "Pirpi"
+ "value": "Pirpi - Associated Software"
 },
 {
 "description": "[SHOTPUT](https://app.tidalcyber.com/software/49351818-579e-4298-9137-03b3dc699e22) is a custom backdoor used by [APT3](https://app.tidalcyber.com/groups/9da726e6-af02-49b8-8ebe-7ea4235513c9). [[FireEye Clandestine Wolf](https://app.tidalcyber.com/references/dbb779c4-4d75-4fb4-ad3a-7d1f0f74e26f)]",
@@ -28365,7 +28365,7 @@
 }
 ],
 "uuid": "1defcdcc-c10d-40a8-afb2-5ebc68c4f752",
- "value": "JackOfHearts"
+ "value": "JackOfHearts - Associated Software"
 },
 {
 "description": "Kaspersky Labs assesses [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is an older variant of a malware family it refers to as the QueenOfClubs.[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)]",
@@ -28379,7 +28379,7 @@
 }
 ],
 "uuid": "dba41372-a48f-412e-ad89-3acdfba47cd0",
- "value": "QueenOfClubs"
+ "value": "QueenOfClubs - Associated Software"
 },
 {
 "description": "[SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017.[[CISA MAR SLOTHFULMEDIA October 2020](https://app.tidalcyber.com/references/57c3256c-0d24-4647-9037-fefe1c88ad61)][[Costin Raiu IAmTheKing October 2020](https://app.tidalcyber.com/references/2be88843-ed3a-460e-87c1-85aa50e827c8)] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[[USCYBERCOM SLOTHFULMEDIA October 2020](https://app.tidalcyber.com/references/600de668-f128-4368-8667-24ed9a9db47a)][[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)] \n\nIn October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) is part of an activity cluster it refers to as \"IAmTheKing\".[[Kaspersky IAmTheKing October 2020](https://app.tidalcyber.com/references/fe4050f3-1a73-4e98-9bf1-e8fb73a23b7a)] ESET also noted code similarity between [SLOTHFULMEDIA](https://app.tidalcyber.com/software/563c6534-497e-4d65-828c-420d5bb2041a) and droppers used by a group it refers to as \"PowerPool\".[[ESET PowerPool Code October 2020](https://app.tidalcyber.com/references/d583b409-35bd-45ea-8f2a-c0d566a6865b)] ",
@@ -28447,7 +28447,7 @@
 }
 ],
 "uuid": "b4f0c7bd-888f-4b77-a269-0f85b9bd7bb0",
- "value": "GRAMDOOR"
+ "value": "GRAMDOOR - Associated Software"
 },
 {
 "description": "[Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6) since at least January 2022.[[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)][[NCSC GCHQ Small Sieve Jan 2022](https://app.tidalcyber.com/references/0edb8946-be38-45f5-a27c-bdbebc383d72)]\n\nSecurity researchers have also noted [Small Sieve](https://app.tidalcyber.com/software/c58028b9-2e79-4bc9-9b04-d24ea4dd4948)'s use by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).[[Mandiant UNC3313 Feb 2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)]",
@@ -28517,7 +28517,7 @@
 }
 ],
 "uuid": "e85ca2c7-0bfc-4a70-b696-a7ccf0867ac0",
- "value": "Dofoil"
+ "value": "Dofoil - Associated Software"
 },
 {
 "description": "[Smoke Loader](https://app.tidalcyber.com/software/2244253f-a4ad-4ea9-a4bf-fa2f4d895853) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://app.tidalcyber.com/software/2244253f-a4ad-4ea9-a4bf-fa2f4d895853) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [[Malwarebytes SmokeLoader 2016](https://app.tidalcyber.com/references/b619e338-16aa-478c-b227-b22f78d572a3)] [[Microsoft Dofoil 2018](https://app.tidalcyber.com/references/85069317-2c25-448b-9ff4-504e429dc1bf)]",
@@ -28630,7 +28630,7 @@ } ], "uuid": "c1e3a23a-0680-4742-80ba-ae402c94ce02", - "value": "DARKTOWN" + "value": "DARKTOWN - Associated Software" }, { "description": "[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", @@ -28644,7 +28644,7 @@ } ], "uuid": "59a29c95-59db-4106-aef4-704fcb723be6", - "value": "DelfsCake" + "value": "DelfsCake - Associated Software" }, { "description": "[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", @@ -28658,7 +28658,7 @@ } ], "uuid": "d5ae171f-4dcc-43b5-929f-eaa010c6721a", - "value": "dfls" + "value": "dfls - Associated Software" }, { "description": "[SodaMaster](https://app.tidalcyber.com/software/6ecd970c-427b-4421-a831-69f46047d22a) is a fileless malware used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322) to download and execute payloads since at least 2020.[[Securelist APT10 March 2021](https://app.tidalcyber.com/references/90450a1e-59c3-491f-b842-2cf81023fc9e)]", @@ -28961,7 +28961,7 @@ } ], "uuid": "04aa2e49-be3f-4fbe-970f-a79c8a1f0463", - "value": "Splashtop Streamer" + "value": "Splashtop Streamer - Associated Software" }, { "description": "Splashtop is a tool used to enable remote connections to network devices for support and administration.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]", 
@@ -29057,7 +29057,7 @@ } ], "uuid": "1931b352-fd83-4da0-ad18-747ffdd69f67", - "value": "Sqldumper.exe" + "value": "Sqldumper.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Debugging utility included with Microsoft SQL.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SQLDumper.exe\n* C:\\Program Files (x86)\\Microsoft Office\\root\\vfs\\ProgramFilesX86\\Microsoft Analysis\\AS OLEDB\\140\\SQLDumper.exe\n\n**Resources:**\n* [https://twitter.com/countuponsec/status/910969424215232518](https://twitter.com/countuponsec/status/910969424215232518)\n* [https://twitter.com/countuponsec/status/910977826853068800](https://twitter.com/countuponsec/status/910977826853068800)\n* [https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se](https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_susp_sqldumper_activity.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml)\n* Elastic: [credential_access_lsass_memdump_file_created.toml](https://github.com/elastic/detection-rules/blob/f6421d8c534f295518a2c945f530e8afc4c8ad1b/rules/windows/credential_access_lsass_memdump_file_created.toml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)[[Sqldumper.exe - LOLBAS 
Project](/references/793d6262-37af-46e1-a6b5-a5262f4a749d)]", 
@@ -29122,7 +29122,7 @@ } ], "uuid": "152e2ba8-bf02-42f4-abad-3205d6e8e4aa", - "value": "Sqlps.exe" + "value": "Sqlps.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\\100 and 110 are Powershell v2. Microsoft SQL Server\\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program files (x86)\\Microsoft SQL Server\\100\\Tools\\Binn\\sqlps.exe\n* C:\\Program files (x86)\\Microsoft SQL Server\\110\\Tools\\Binn\\sqlps.exe\n* C:\\Program files (x86)\\Microsoft SQL Server\\120\\Tools\\Binn\\sqlps.exe\n* C:\\Program files (x86)\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe\n* C:\\Program Files (x86)\\Microsoft SQL Server\\150\\Tools\\Binn\\SQLPS.exe\n\n**Resources:**\n* [https://twitter.com/ManuelBerrueta/status/1527289261350760455](https://twitter.com/ManuelBerrueta/status/1527289261350760455)\n* [https://twitter.com/bryon_/status/975835709587075072](https://twitter.com/bryon_/status/975835709587075072)\n* [https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017](https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017)\n\n**Detection:**\n* Sigma: [proc_creation_win_mssql_sqlps_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml)\n* Sigma: 
[image_load_dll_system_management_automation_susp_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml)\n* Elastic: [execution_suspicious_powershell_imgload.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml)\n* Splunk: [2021-10-05-suspicious_copy_on_system32.md](https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md)[[Sqlps.exe - LOLBAS Project](/references/31cc851a-c536-4cef-9391-d3c7d3eab64f)]", 
@@ -29190,7 +29190,7 @@ } ], "uuid": "3c46936b-f9c4-4a3a-bea7-ca48f4a0660b", - "value": "SQLToolsPS.exe" + "value": "SQLToolsPS.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program files (x86)\\Microsoft SQL Server\\130\\Tools\\Binn\\sqlps.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/993298228840992768](https://twitter.com/pabraeken/status/993298228840992768)\n* [https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017](https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017)\n\n**Detection:**\n* Sigma: [proc_creation_win_mssql_sqltoolsps_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml)\n* Splunk: [2021-10-05-suspicious_copy_on_system32.md](https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md)[[SQLToolsPS.exe - LOLBAS Project](/references/612c9569-80af-48d2-a853-0f6e3f55aa50)]", 
@@ -29233,7 +29233,7 @@ } ], "uuid": "6a3de9d5-16e9-4467-b916-d4adeff389e1", - "value": "Squirrel.exe" + "value": "Squirrel.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.\n\n**Author:** Reegun J (OCBC Bank) - @reegun21\n\n**Paths:**\n* %localappdata%\\Microsoft\\Teams\\current\\Squirrel.exe\n\n**Resources:**\n* [https://www.youtube.com/watch?v=rOP3hnkj7ls](https://www.youtube.com/watch?v=rOP3hnkj7ls)\n* [https://twitter.com/reegun21/status/1144182772623269889](https://twitter.com/reegun21/status/1144182772623269889)\n* [http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/](http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/)\n* [https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12](https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12)\n* [https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56](https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_squirrel.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml)[[Squirrel.exe - LOLBAS Project](/references/952b5ca5-1251-4e27-bd30-5d55d7d2da5e)]", 
@@ -29299,7 +29299,7 @@ } ], "uuid": "fa490d4d-26e4-4bb5-97b0-7bf89a8a99ed", - "value": "ssh.exe" + "value": "ssh.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.\n\n**Author:** Akshat Pradhan\n\n**Paths:**\n* c:\\windows\\system32\\OpenSSH\\ssh.exe\n\n**Resources:**\n* [https://gtfobins.github.io/gtfobins/ssh/](https://gtfobins.github.io/gtfobins/ssh/)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_ssh.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml)\n* IOC: Event ID 4624 with process name C:\\Windows\\System32\\OpenSSH\\sshd.exe.\n* IOC: command line arguments specifying execution.[[ssh.exe - LOLBAS Project](/references/b1a9af1c-0cfc-4e8a-88ac-7d33cddc26a1)]", 
@@ -29392,7 +29392,7 @@ } ], "uuid": "38298e66-6bbb-4ecf-b287-ccd3e47c6cd4", - "value": "CANOPY" + "value": "CANOPY - Associated Software" }, { "description": "[STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) is Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6), possibly since at least November 2021; there is also a [STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) variant written in Golang with similar capabilities. Security researchers have also noted the use of [STARWHALE](https://app.tidalcyber.com/software/764c6121-2d15-4a10-ac53-b1c431dc8b47) by UNC3313, which may be associated with [MuddyWater](https://app.tidalcyber.com/groups/dcb260d8-9d53-404f-9ff5-dbee2c6effe6).[[Mandiant UNC3313 Feb 2022](https://app.tidalcyber.com/references/ac1a1262-1254-4ab2-a940-2d08b6558e9e)][[DHS CISA AA22-055A MuddyWater February 2022](https://app.tidalcyber.com/references/e76570e1-43ab-4819-80bc-895ede67a205)]", @@ -29438,7 +29438,7 @@ } ], "uuid": "ab440fcd-bee3-42f5-a4a9-7edfd5c3992c", - "value": "DROPSHOT" + "value": "DROPSHOT - Associated Software" }, { "description": "[StoneDrill](https://app.tidalcyber.com/software/9eee52a2-5ac1-4561-826c-23ec7fbc7876) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://app.tidalcyber.com/groups/99bbbe25-45af-492f-a7ff-7cbc57828bac).[[FireEye APT33 Sept 2017](https://app.tidalcyber.com/references/70610469-db0d-45ab-a790-6e56309a39ec)][[Kaspersky StoneDrill 2017](https://app.tidalcyber.com/references/e2637cb3-c449-4609-af7b-ac78a900cc8b)]", 
@@ -29486,7 +29486,7 @@ } ], "uuid": "e93f9136-4ef0-4b23-85bd-93f2b56b2316", - "value": "Stordiag.exe" + "value": "Stordiag.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Storage diagnostic tool\n\n**Author:** Eral4m\n\n**Paths:**\n* c:\\windows\\system32\\stordiag.exe\n* c:\\windows\\syswow64\\stordiag.exe\n\n**Resources:**\n* [https://twitter.com/eral4m/status/1451112385041911809](https://twitter.com/eral4m/status/1451112385041911809)\n\n**Detection:**\n* Sigma: [proc_creation_win_stordiag_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml)\n* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\\windows\\system32\\ or c:\\windows\\syswow64\\[[Stordiag.exe - LOLBAS Project](/references/5e52a211-7ef6-42bd-93a1-5902f5e1c2ea)]", 
@@ -29605,7 +29605,7 @@ } ], "uuid": "7948eb8a-e138-4365-81c4-aac07e632912", - "value": "W32.Stuxnet" + "value": "W32.Stuxnet - Associated Software" }, { "description": "[Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)][[CISA ICS Advisory ICSA-10-272-01](https://app.tidalcyber.com/references/25b3c18c-e017-4773-91dd-b489220d4fcb)][[ESET Stuxnet Under the Microscope](https://app.tidalcyber.com/references/4ec039a9-f843-42de-96ed-185c4e8c2d9f)][[Langer Stuxnet](https://app.tidalcyber.com/references/76b99581-e94d-4e51-8110-80557474048e)] [Stuxnet](https://app.tidalcyber.com/software/3fdf3833-fca9-4414-8d2e-779dabc4ee31) was discovered in 2010, with some components being used as early as November 2008.[[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011](https://app.tidalcyber.com/references/a1b371c2-b2b1-5780-95c8-11f8c616dcf3)] ", 
@@ -29710,7 +29710,7 @@ } ], "uuid": "a38c6f81-a115-4f16-bcba-7d8c163d4f08", - "value": "Solorigate" + "value": "Solorigate - Associated Software" }, { "description": "[SUNBURST](https://app.tidalcyber.com/software/6b04e98e-c541-4958-a8a5-d433e575ce78) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) since at least February 2020.[[SolarWinds Sunburst Sunspot Update January 2021](https://app.tidalcyber.com/references/1be1b6e0-1b42-4d07-856b-b6321c17bb88)][[Microsoft Deep Dive Solorigate January 2021](https://app.tidalcyber.com/references/ddd70eef-ab94-45a9-af43-c396c9e3fbc6)]", 
@@ -29878,7 +29878,7 @@ } ], "uuid": "815e5fef-a5fc-4c84-94d1-c57c2f9991e1", - "value": "Syncappvpublishingserver.vbs" + "value": "Syncappvpublishingserver.vbs - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Script used related to app-v and publishing server\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\SyncAppvPublishingServer.vbs\n\n**Resources:**\n* [https://twitter.com/monoxgas/status/895045566090010624](https://twitter.com/monoxgas/status/895045566090010624)\n* [https://twitter.com/subTee/status/855738126882316288](https://twitter.com/subTee/status/855738126882316288)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml)[[Syncappvpublishingserver.vbs - LOLBAS Project](/references/adb09226-894c-4874-a2e3-fb2c6de30173)]", 
@@ -29921,7 +29921,7 @@ } ], "uuid": "3dbccfe5-d7f9-494f-9466-6aa4ca5d31c3", - "value": "SyncAppvPublishingServer.exe" + "value": "SyncAppvPublishingServer.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by App-v to get App-v server lists\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\SyncAppvPublishingServer.exe\n* C:\\Windows\\SysWOW64\\SyncAppvPublishingServer.exe\n\n**Resources:**\n* [https://twitter.com/monoxgas/status/895045566090010624](https://twitter.com/monoxgas/status/895045566090010624)\n\n**Detection:**\n* Sigma: [posh_ps_syncappvpublishingserver_exe.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml)\n* Sigma: [posh_pm_syncappvpublishingserver_exe.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml)\n* Sigma: [proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml)\n* IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed[[SyncAppvPublishingServer.exe - LOLBAS Project](/references/ce371df7-aab6-4338-9491-656481cb5601)]", 
@@ -30037,7 +30037,7 @@ } ], "uuid": "fcadb7cd-ab8b-48e8-aee1-f8aa0ae3649d", - "value": "Syssetup.dll" + "value": "Syssetup.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows NT System Setup\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\syssetup.dll\n* c:\\windows\\syswow64\\syssetup.dll\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/994392481927258113](https://twitter.com/pabraeken/status/994392481927258113)\n* [https://twitter.com/harr0ey/status/975350238184697857](https://twitter.com/harr0ey/status/975350238184697857)\n* [https://twitter.com/bohops/status/975549525938135040](https://twitter.com/bohops/status/975549525938135040)\n* [https://windows10dll.nirsoft.net/syssetup_dll.html](https://windows10dll.nirsoft.net/syssetup_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)\n* Splunk: [detect_rundll32_application_control_bypass___syssetup.yml](https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml)[[Syssetup.dll - LOLBAS Project](/references/3bb7027f-7cbb-47e7-8cbb-cf45604669af)]", @@ -30080,7 +30080,7 @@ } ], "uuid": "bfbd9f5b-1f12-4196-a3d9-0862306cf3a9", - "value": "Coroxy" + "value": "Coroxy - Associated Software" }, { "description": "", 
@@ -30096,7 +30096,7 @@ } ], "uuid": "11ea8d63-aa36-4c63-a1a3-6950edc006dd", - "value": "DroxiDat" + "value": "DroxiDat - Associated Software" }, { "description": "SystemBC is a commodity backdoor malware used as a Tor proxy and remote access Trojan (RAT). It was used during the high-profile 2021 Colonial Pipeline DarkSide ransomware attack and has since been used as a persistence & lateral movement tool during other ransomware compromises, including intrusions involving Ryuk, Egregor, and Play.[[BlackBerry SystemBC June 10 2021](/references/08186ff9-6ca5-4c09-b5e7-b883eb15fdba)][[Sophos SystemBC December 16 2020](/references/eca1301f-deeb-4a97-8c4e-e61210706116)][[WithSecure SystemBC May 10 2021](/references/4004e072-9e69-4e81-a2b7-840e106cf3d9)][[Trend Micro Play Ransomware September 06 2022](/references/ed02529c-920d-4a92-8e86-be1ed7083991)] According to Mandiant's 2023 M-Trends report, SystemBC was the second most frequently seen malware family in 2022 after only Cobalt Strike Beacon.[[TechRepublic M-Trends 2023](/references/1347e21e-e77d-464d-bbbe-dc4d3f2b07a1)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/systembc/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/SystemBC", @@ -30227,7 +30227,7 @@ } ], "uuid": "0bfb3ec0-ee20-4de3-a69c-096402a0298b", - "value": "HyperSSL" + "value": "HyperSSL - Associated Software" }, { "description": "[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", @@ -30241,7 +30241,7 @@ } ], "uuid": "0bc0c9e4-a490-4ab1-a1c2-b8fd8dda05ce", - "value": "Soldier" + "value": "Soldier - Associated Software" }, { "description": "[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", 
@@ -30255,7 +30255,7 @@ } ], "uuid": "01924f4b-e6b3-4118-9b3d-6aac519d4774", - "value": "FOCUSFJORD" + "value": "FOCUSFJORD - Associated Software" }, { "description": "[SysUpdate](https://app.tidalcyber.com/software/148d587c-3b1e-4e71-bdfb-8c37005e7e77) is a backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2020.[[Trend Micro Iron Tiger April 2021](https://app.tidalcyber.com/references/d0890d4f-e7ca-4280-a54e-d147f6dd72aa)]", @@ -30451,7 +30451,7 @@ } ], "uuid": "13f7f0ae-b228-4453-b35e-cded8c9bcbb4", - "value": "Tar.exe" + "value": "Tar.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to extract and create archives.\n\n**Author:** Brian Lucero\n\n**Paths:**\n* C:\\Windows\\System32\\tar.exe\n\n**Resources:**\n* [https://twitter.com/Cyber_Sorcery/status/1619819249886969856](https://twitter.com/Cyber_Sorcery/status/1619819249886969856)\n\n**Detection:**\n* IOC: tar.exe extracting files from a remote host within the environment[[Tar.exe - LOLBAS Project](/references/e5f54ded-3ec1-49c1-9302-6b9f372d5015)]", 
@@ -30673,7 +30673,7 @@ } ], "uuid": "7f9ba4e5-1bea-4620-855c-b9cf9e97da07", - "value": "te.exe" + "value": "te.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg](https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_use_of_te_bin.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml)[[te.exe - LOLBAS Project](/references/e7329381-319e-4dcc-8187-92882e6f2e12)]", 
@@ -30715,7 +30715,7 @@ } ], "uuid": "386539ac-dcd7-4484-9dcb-3e4aa849fd7c", - "value": "Teams.exe" + "value": "Teams.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Electron runtime binary which runs the Teams application\n\n**Author:** Andrew Kisliakov\n\n**Paths:**\n* %LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe\n\n**Resources:**\n* [https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/](https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/)\n\n**Detection:**\n* IOC: %LOCALAPPDATA%\\Microsoft\\Teams\\current\\app directory created\n* IOC: %LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar file created/modified by non-Teams installer/updater\n* Sigma: [proc_creation_win_susp_electron_exeuction_proxy.yml](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml)[[Teams.exe - LOLBAS Project](/references/ceee2b13-331f-4019-9c27-af0ce8b25414)]", 
@@ -30877,7 +30877,7 @@ } ], "uuid": "fcf88411-e0c2-403a-aa70-dc75fd1d488b", - "value": "TestWindowRemoteAgent.exe" + "value": "TestWindowRemoteAgent.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** TestWindowRemoteAgent.exe is the command-line tool to establish RPC\n\n**Author:** Onat Uzunyayla\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\RemoteAgent\\TestWindowRemoteAgent.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* IOC: TestWindowRemoteAgent.exe spawning unexpectedly[[TestWindowRemoteAgent.exe - LOLBAS Project](/references/0cc891bc-692c-4a52-9985-39ddb434294d)]", @@ -30917,7 +30917,7 @@ } ], "uuid": "6812793e-6342-4da6-b77f-ed29fab1fd9a", - "value": "DNSMessenger" + "value": "DNSMessenger - Associated Software" }, { "description": "[TEXTMATE](https://app.tidalcyber.com/software/49d0ae81-d51b-4534-b1e0-08371a47ef79) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://app.tidalcyber.com/software/a4700431-6578-489f-9782-52e394277296) in February 2017. [[FireEye FIN7 March 2017](https://app.tidalcyber.com/references/7987bb91-ec41-42f8-bd2d-dabc26509a08)]", @@ -30963,7 +30963,7 @@ } ], "uuid": "6161f604-0972-427e-802e-b5ac009b94fe", - "value": "EvilQuest" + "value": "EvilQuest - Associated Software" }, { "description": "[[SentinelOne EvilQuest Ransomware Spyware 2020](https://app.tidalcyber.com/references/4dc26c77-d0ce-4836-a4cc-0490b6d7f115)]", 
@@ -30977,7 +30977,7 @@ } ], "uuid": "6979dd37-4c1c-48bf-a0e1-c8f2a0606962", - "value": "MacRansom.K" + "value": "MacRansom.K - Associated Software" }, { "description": "[ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[[Reed thiefquest fake ransom](https://app.tidalcyber.com/references/b265ef93-c1fb-440d-a9e0-89cf25a3de05)] Even though [ThiefQuest](https://app.tidalcyber.com/software/2ed5f691-68eb-49dd-b730-793dc8a7d134) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[[wardle evilquest partii](https://app.tidalcyber.com/references/4fee237c-c2ec-47f5-b382-ec6bd4779281)][[reed thiefquest ransomware analysis](https://app.tidalcyber.com/references/47b49df4-34f1-4a89-9983-e8bc19aadf8c)]", 
@@ -31296,7 +31296,7 @@ } ], "uuid": "5ad5e21b-789e-4b4e-92d3-377140d7274a", - "value": "Tracker.exe" + "value": "Tracker.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Tool included with Microsoft .Net Framework.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* no default\n\n**Resources:**\n* [https://twitter.com/subTee/status/793151392185589760](https://twitter.com/subTee/status/793151392185589760)\n* [https://attack.mitre.org/wiki/Execution](https://attack.mitre.org/wiki/Execution)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_tracker.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml)[[LOLBAS Tracker](/references/f0e368f1-3347-41ef-91fb-995c3cb07707)]", @@ -31365,7 +31365,7 @@ } ], "uuid": "4a8dc24e-e942-46f3-8026-91c1ed059bbb", - "value": "TSPY_TRICKLOAD" + "value": "TSPY_TRICKLOAD - Associated Software" }, { "description": "[[Trend Micro Totbrick Oct 2016](https://app.tidalcyber.com/references/d6419764-f203-4089-8b38-860c442238e7)] [[Microsoft Totbrick Oct 2017](https://app.tidalcyber.com/references/3abe861b-0e3b-458a-98cf-38450058b4a5)]", 
@@ -31379,7 +31379,7 @@ } ], "uuid": "aabae1a3-d831-46f4-a65f-ab31f03fd687", - "value": "Totbrick" + "value": "Totbrick - Associated Software" }, { "description": "[TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://app.tidalcyber.com/software/38e012f7-fb3a-4250-a129-92da3a488724). [TrickBot](https://app.tidalcyber.com/software/c2bd4213-fc7b-474f-b5a0-28145b07c51d) was developed and initially used by [Wizard Spider](https://app.tidalcyber.com/groups/0b431229-036f-4157-a1da-ff16dfc095f8) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.[[S2 Grupo TrickBot June 2017](https://app.tidalcyber.com/references/28faff77-3e68-4f5c-974d-dc7c9d06ce5e)][[Fidelis TrickBot Oct 2016](https://app.tidalcyber.com/references/839c02d1-58ec-4e25-a981-0276dbb1acc8)][[IBM TrickBot Nov 2016](https://app.tidalcyber.com/references/092aec63-aea0-4bc9-9c05-add89b4233ff)][[CrowdStrike Wizard Spider October 2020](https://app.tidalcyber.com/references/5c8d67ea-63bc-4765-b6f6-49fa5210abe6)]", @@ -31437,7 +31437,7 @@ } ], "uuid": "e8b885ae-4bf3-42c0-8b9e-a410c08eb441", - "value": "xFrost" + "value": "xFrost - Associated Software" }, { "description": "[[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)]", 
@@ -31451,7 +31451,7 @@ } ], "uuid": "0ef3a4a1-cad0-45da-9eea-70f85cd888af", - "value": "Karagany" + "value": "Karagany - Associated Software" }, { "description": "[Trojan.Karagany](https://app.tidalcyber.com/software/b88c4891-40da-4832-ba42-6c6acd455bd1) is a modular remote access tool used for recon and linked to [Dragonfly](https://app.tidalcyber.com/groups/472080b0-e3d4-4546-9272-c4359fe856e1). The source code for [Trojan.Karagany](https://app.tidalcyber.com/software/b88c4891-40da-4832-ba42-6c6acd455bd1) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [[Symantec Dragonfly](https://app.tidalcyber.com/references/9514c5cd-2ed6-4dbf-aa9e-1c425e969226)][[Secureworks Karagany July 2019](https://app.tidalcyber.com/references/61c05edf-24aa-4399-8cdf-01d27f6595a1)][[Dragos DYMALLOY ](https://app.tidalcyber.com/references/d2785c6e-e0d1-4e90-a2d5-2c302176d5d3)]", @@ -31521,7 +31521,7 @@ } ], "uuid": "7393cb6b-37a3-4f15-8a03-416b14711c2a", - "value": "TRUECORE" + "value": "TRUECORE - Associated Software" }, { "description": "[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]", 
@@ -31537,7 +31537,7 @@ } ], "uuid": "ba587d52-2ee7-4539-9499-aa9338b8c7f9", - "value": "Silence" + "value": "Silence - Associated Software" }, { "description": "Truebot is a botnet often used as a loader for other malware. In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new Truebot variants infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 (a vulnerability in the IT auditing application Netwrix Auditor) to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections; FlawedGrace and Cobalt Strike for various post-exploitation activities; and Teleport, a custom tool for data exfiltration.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.silence\n\n**Malware Bazaar (Samples & IOCs)**: https://bazaar.abuse.ch/browse/tag/truebot/\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/Truebot", 
@@ -31669,7 +31669,7 @@ } ], "uuid": "05cf2d78-08e4-4a20-ae82-64ff4a3c9c33", - "value": "Ttdinject.exe" + "value": "Ttdinject.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)\n\n**Author:** Maxime Nadeau\n\n**Paths:**\n* C:\\Windows\\System32\\ttdinject.exe\n* C:\\Windows\\Syswow64\\ttdinject.exe\n\n**Resources:**\n* [https://twitter.com/Oddvarmoe/status/1196333160470138880](https://twitter.com/Oddvarmoe/status/1196333160470138880)\n\n**Detection:**\n* Sigma: [create_remote_thread_win_ttdinjec.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml)\n* Sigma: [proc_creation_win_lolbin_ttdinject.yml](https://github.com/SigmaHQ/sigma/blob/7ea6ed3db65e0bd812b051d9bb4fffd27c4c4d0a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml)\n* IOC: Parent child relationship. Ttdinject.exe parent for executed command\n* IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\payload.exe\") from the ttdinject.exe process[[Ttdinject.exe - LOLBAS Project](/references/3146c9c9-9836-4ce5-afe6-ef8f7b4a7b9d)]", 
@@ -31712,7 +31712,7 @@ } ], "uuid": "148072af-ae62-419f-9c3a-3b9dc4c25a24", - "value": "Tttracer.exe" + "value": "Tttracer.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows 1809 and newer to Debug Time Travel\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\tttracer.exe\n* C:\\Windows\\SysWOW64\\tttracer.exe\n\n**Resources:**\n* [https://twitter.com/oulusoyum/status/1191329746069655553](https://twitter.com/oulusoyum/status/1191329746069655553)\n* [https://twitter.com/mattifestation/status/1196390321783025666](https://twitter.com/mattifestation/status/1196390321783025666)\n* [https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html](https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_tttracer_mod_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml)\n* Sigma: [image_load_tttracer_mod_load.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_tttracer_mod_load.yml)\n* Elastic: [credential_access_cmdline_dump_tool.toml](https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml)\n* IOC: Parent child relationship. Tttracer parent for executed command[[Tttracer.exe - LOLBAS Project](/references/7c88a77e-034e-4847-8bd7-1be3a684a158)]", 
@@ -31923,7 +31923,7 @@ } ], "uuid": "824e7a25-83a0-4037-b0b5-af5fa1ed299a", - "value": "Unregmp2.exe" + "value": "Unregmp2.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Windows Media Player Setup Utility\n\n**Author:** Wade Hickey\n\n**Paths:**\n* C:\\Windows\\System32\\unregmp2.exe\n* C:\\Windows\\SysWOW64\\unregmp2.exe\n\n**Resources:**\n* [https://twitter.com/notwhickey/status/1466588365336293385](https://twitter.com/notwhickey/status/1466588365336293385)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_unregmp2.yml](https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml)\n* IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of `unregmp2.exe /HideWMP`[[Unregmp2.exe - LOLBAS Project](/references/9ad11187-bf91-4205-98c7-c7b981e4ab6f)]", 
@@ -31966,7 +31966,7 @@ } ], "uuid": "c24db3d2-308c-4c4e-a6dd-58258013dc7e", - "value": "Update.exe" + "value": "Update.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* %localappdata%\\Microsoft\\Teams\\update.exe\n\n**Resources:**\n* [https://www.youtube.com/watch?v=rOP3hnkj7ls](https://www.youtube.com/watch?v=rOP3hnkj7ls)\n* [https://twitter.com/reegun21/status/1144182772623269889](https://twitter.com/reegun21/status/1144182772623269889)\n* [https://twitter.com/MrUn1k0d3r/status/1143928885211537408](https://twitter.com/MrUn1k0d3r/status/1143928885211537408)\n* [https://twitter.com/reegun21/status/1291005287034281990](https://twitter.com/reegun21/status/1291005287034281990)\n* [http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/](http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/)\n* [https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12](https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12)\n* [https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56](https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56)\n* [https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_lolbin_squirrel.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml)\n* IOC: Update.exe spawned an unknown process[[Update.exe - LOLBAS Project](/references/2c85d5e5-2cb2-4af7-8c33-8aaac3360706)]", @@ -32006,7 +32006,7 @@ } ], "uuid": "d41b4a6c-7b79-494f-92e3-ea56db4cf988", - "value": "ANEL" + "value": "ANEL - Associated Software" }, { "description": "[UPPERCUT](https://app.tidalcyber.com/software/a3c211f8-52aa-4bfd-8382-940f2194af28) is a backdoor that has been used by [menuPass](https://app.tidalcyber.com/groups/fb93231d-2ae4-45da-9dea-4c372a11f322). [[FireEye APT10 Sept 2018](https://app.tidalcyber.com/references/5f122a27-2137-4016-a482-d04106187594)]", 
@@ -32051,7 +32051,7 @@ } ], "uuid": "274b601e-bc26-45b5-9532-3eca488c2c4a", - "value": "Url.dll" + "value": "Url.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Internet Shortcut Shell Extension DLL.\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\url.dll\n* c:\\windows\\syswow64\\url.dll\n\n**Resources:**\n* [https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/](https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/)\n* [https://twitter.com/DissectMalware/status/995348436353470465](https://twitter.com/DissectMalware/status/995348436353470465)\n* [https://twitter.com/bohops/status/974043815655956481](https://twitter.com/bohops/status/974043815655956481)\n* [https://twitter.com/yeyint_mth/status/997355558070927360](https://twitter.com/yeyint_mth/status/997355558070927360)\n* [https://twitter.com/Hexacorn/status/974063407321223168](https://twitter.com/Hexacorn/status/974063407321223168)\n* [https://windows10dll.nirsoft.net/url_dll.html](https://windows10dll.nirsoft.net/url_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Url.dll - LOLBAS Project](/references/0c88fb72-6be5-4a01-af1c-553650779253)]", 
@@ -32092,7 +32092,7 @@ } ], "uuid": "d2f34441-00b4-41a5-aa43-17428b0fea39", - "value": "Snake" + "value": "Snake - Associated Software" }, { "description": "[Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://app.tidalcyber.com/software/89ffc27c-b81f-473a-87d6-907cacdce61c) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://app.tidalcyber.com/references/1931b80a-effb-59ec-acae-c0f17efb8cad)][[Kaspersky Turla](https://app.tidalcyber.com/references/535e9f1a-f89e-4766-a290-c5b8100968f8)]", @@ -32140,7 +32140,7 @@ } ], "uuid": "18c4205c-8e09-42cb-9caa-0c62560e1977", - "value": "Gozi-ISFB" + "value": "Gozi-ISFB - Associated Software" }, { "description": "[[NJCCIC Ursnif Sept 2016](https://app.tidalcyber.com/references/d57a2efe-8c98-491e-aecd-e051241a1779)][[ProofPoint Ursnif Aug 2016](https://app.tidalcyber.com/references/4cef8c44-d440-4746-b3e8-c8e4d307273d)]", 
@@ -32154,7 +32154,7 @@ } ], "uuid": "788feb5e-d8f2-4f2b-8796-dd66b230213b", - "value": "Dreambot" + "value": "Dreambot - Associated Software" }, { "description": "[[TrendMicro Ursnif Mar 2015](https://app.tidalcyber.com/references/d02287df-9d93-4cbe-8e59-8f4ef3debc65)]", @@ -32168,7 +32168,7 @@ } ], "uuid": "0a7f6b16-335e-4e61-8c7d-75d08144eae4", - "value": "PE_URSNIF" + "value": "PE_URSNIF - Associated Software" }, { "description": "[Ursnif](https://app.tidalcyber.com/software/3e501609-87e4-4c47-bd88-5054be0f1037) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291)s, and malicious links.[[NJCCIC Ursnif Sept 2016](https://app.tidalcyber.com/references/d57a2efe-8c98-491e-aecd-e051241a1779)][[ProofPoint Ursnif Aug 2016](https://app.tidalcyber.com/references/4cef8c44-d440-4746-b3e8-c8e4d307273d)] [Ursnif](https://app.tidalcyber.com/software/3e501609-87e4-4c47-bd88-5054be0f1037) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[[TrendMicro Ursnif Mar 2015](https://app.tidalcyber.com/references/d02287df-9d93-4cbe-8e59-8f4ef3debc65)]", @@ -32257,7 +32257,7 @@ } ], "uuid": "4f016c90-30ea-44b2-8c22-10d2fe2c6954", - "value": "USB Stealer" + "value": "USB Stealer - Associated Software" }, { "description": "", 
@@ -32271,7 +32271,7 @@ } ], "uuid": "2fbb693a-533b-4afb-91da-7e62ce0b3840", - "value": "Win32/USBStealer" + "value": "Win32/USBStealer - Associated Software" }, { "description": "[USBStealer](https://app.tidalcyber.com/software/50eab018-8d52-46f5-8252-95942c2c0a89) is malware that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://app.tidalcyber.com/software/ef7f4f5f-6f30-4059-87d1-cd8375bf1bee). [[ESET Sednit USBStealer 2014](https://app.tidalcyber.com/references/8673f7fc-5b23-432a-a2d8-700ece46bd0f)] [[Kaspersky Sofacy](https://app.tidalcyber.com/references/46226f98-c762-48e3-9bcd-19ff14184bb5)]", @@ -32323,7 +32323,7 @@ } ], "uuid": "8ef743a4-8788-4bb2-8274-499f4c4f9392", - "value": "UtilityFunctions.ps1" + "value": "UtilityFunctions.ps1 - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** PowerShell Diagnostic Script\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Windows\\diagnostics\\system\\Networking\\UtilityFunctions.ps1\n\n**Resources:**\n* [https://twitter.com/nickvangilder/status/1441003666274668546](https://twitter.com/nickvangilder/status/1441003666274668546)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbas_utilityfunctions.yml](https://github.com/SigmaHQ/sigma/blob/0.21-688-gd172b136b/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml)[[UtilityFunctions.ps1 - LOLBAS Project](/references/8f15755b-2e32-420e-8463-497e3f8d8cfd)]", 
@@ -32446,7 +32446,7 @@ } ], "uuid": "1ad2a3ea-b488-439c-ab34-5cf15df250f3", - "value": "vbc.exe" + "value": "vbc.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary file used for compile vbs code\n\n**Author:** Lior Adar\n\n**Paths:**\n* C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe\n* C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\vbc.exe\n\n**Resources:**\nNone Provided\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_visual_basic_compiler.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml)\n* Elastic: [defense_evasion_dotnet_compiler_parent_process.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml)[[vbc.exe - LOLBAS Project](/references/25eb4048-ee6d-44ca-a70b-37605028bd3c)]", 
@@ -32514,7 +32514,7 @@ } ], "uuid": "36aff35e-5b1e-4d4c-8690-492221812efd", - "value": "Verclsid.exe" + "value": "Verclsid.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to verify a COM object before it is instantiated by Windows Explorer\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\verclsid.exe\n* C:\\Windows\\SysWOW64\\verclsid.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5](https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5)\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n\n**Detection:**\n* Sigma: [proc_creation_win_verclsid_runs_com.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml)\n* Splunk: [verclsid_clsid_execution.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/verclsid_clsid_execution.yml)[[LOLBAS Verclsid](/references/63ac9e95-aad8-4735-9e63-f45d8c499030)]", 
@@ -32606,7 +32606,7 @@ } ], "uuid": "a11ae9f6-5229-48cb-9350-fcabf73be98e", - "value": "VisualUiaVerifyNative.exe" + "value": "VisualUiaVerifyNative.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\arm64\\UIAVerify\\VisualUiaVerifyNative.exe\n* c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\x64\\UIAVerify\\VisualUiaVerifyNative.exe\n* c:\\Program Files (x86)\\Windows Kits\\10\\bin\\[SDK version]\\UIAVerify\\VisualUiaVerifyNative.exe\n\n**Resources:**\n* [https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/](https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/)\n* [https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad](https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_visualuiaverifynative.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml)\n* IOC: As a Windows SDK binary, 
execution on a system may be suspicious[[VisualUiaVerifyNative.exe - LOLBAS Project](/references/b17be296-15ad-468f-8157-8cb4093b2e97)]", @@ -32674,7 +32674,7 @@ } ], "uuid": "17acae5f-d999-4a97-8cb1-546118e65b3b", - "value": "VSDiagnostics.exe" + "value": "VSDiagnostics.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Command-line tool used for performing diagnostics.\n\n**Author:** Bobby Cooke\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe\n\n**Resources:**\n* [https://twitter.com/0xBoku/status/1679200664013135872](https://twitter.com/0xBoku/status/1679200664013135872)\n\n**Detection:**\n* Sigma: [https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml](https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml)[[VSDiagnostics.exe - LOLBAS Project](/references/b4658fc0-af16-45b1-8403-a9676760a36a)]", 
@@ -32716,7 +32716,7 @@ } ], "uuid": "012ea77d-0d1e-420f-8648-e4872647ea7b", - "value": "Vshadow.exe" + "value": "Vshadow.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** VShadow is a command-line tool that can be used to create and manage volume shadow copies.\n\n**Author:** Ayberk Halaç\n\n**Paths:**\n* C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.XXXXX.0\\x64\\vshadow.exe\n\n**Resources:**\n* [https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample](https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample)\n\n**Detection:**\n* IOC: vshadow.exe usage with -exec parameter[[Vshadow.exe - LOLBAS Project](/references/ae3b1e26-d7d7-4049-b4a7-80cd2b149b7c)]", 
@@ -32758,7 +32758,7 @@ } ], "uuid": "8b5cb79f-747e-48a5-8946-873ae62a5e0a", - "value": "VSIISExeLauncher.exe" + "value": "VSIISExeLauncher.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Binary will execute specified binary. Part of VS/VScode installation.\n\n**Author:** timwhite\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\Extensions\\Microsoft\\Web Tools\\ProjectSystem\\VSIISExeLauncher.exe\n\n**Resources:**\n* [https://github.com/timwhitez](https://github.com/timwhitez)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_vsiisexelauncher.yml](https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml)\n* IOC: VSIISExeLauncher.exe spawned an unknown process[[VSIISExeLauncher.exe - LOLBAS Project](/references/e2fda344-77b8-4650-a7da-1e422db6d3a1)]", 
@@ -32801,7 +32801,7 @@ } ], "uuid": "bf3acc6a-9193-48fc-b4bb-5cca12bfa006", - "value": "vsjitdebugger.exe" + "value": "vsjitdebugger.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Just-In-Time (JIT) debugger included with Visual Studio\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\vsjitdebugger.exe\n\n**Resources:**\n* [https://twitter.com/pabraeken/status/990758590020452353](https://twitter.com/pabraeken/status/990758590020452353)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_use_of_vsjitdebugger_bin.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml)[[vsjitdebugger.exe - LOLBAS Project](/references/94a880fa-70b0-46c3-997e-b22dc9180134)]", 
@@ -32844,7 +32844,7 @@ } ], "uuid": "f4a64cb4-78af-4343-8d36-1c2e63b943ee", - "value": "vsls-agent.exe" + "value": "vsls-agent.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Agent for Visual Studio Live Share (Code Collaboration)\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* c:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\Extensions\\Microsoft\\LiveShare\\Agent\\vsls-agent.exe\n\n**Resources:**\n* [https://twitter.com/bohops/status/1583916360404729857](https://twitter.com/bohops/status/1583916360404729857)\n\n**Detection:**\n* Sigma: [proc_creation_win_vslsagent_agentextensionpath_load.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml)[[vsls-agent.exe - LOLBAS Project](/references/325eab54-bcdd-4a12-ab41-aaf06a0405e9)]", 
@@ -32887,7 +32887,7 @@ } ], "uuid": "eda03dc8-1816-4701-868f-c3c73ec62384", - "value": "vstest.console.exe" + "value": "vstest.console.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** VSTest.Console.exe is the command-line tool to run tests\n\n**Author:** Onat Uzunyayla\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\vstest.console.exe\n* C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\TestAgent\\Common7\\IDE\\CommonExtensions\\Microsoft\\TestWindow\\vstest.console.exe\n\n**Resources:**\n* [https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022](https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022)\n\n**Detection:**\n* IOC: vstest.console.exe spawning unexpected processes[[vstest.console.exe - LOLBAS Project](/references/70c168a0-9ddf-408d-ba29-885c0c5c936a)]", 
@@ -32929,7 +32929,7 @@ } ], "uuid": "5de40634-9b96-422d-98e0-db9fe0dad5fb", - "value": "Wab.exe" + "value": "Wab.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows address book manager\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Program Files\\Windows Mail\\wab.exe\n* C:\\Program Files (x86)\\Windows Mail\\wab.exe\n\n**Resources:**\n* [https://twitter.com/Hexacorn/status/991447379864932352](https://twitter.com/Hexacorn/status/991447379864932352)\n* [http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/](http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/)\n\n**Detection:**\n* Sigma: [registry_set_wab_dllpath_reg_change.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml)\n* IOC: WAB.exe should normally never be used[[Wab.exe - LOLBAS Project](/references/c432556e-c7f9-4e36-af7e-d7bea6f51e95)]", @@ -32970,7 +32970,7 @@ } ], "uuid": "6d001330-b6ae-4e34-bd64-f1832b53047a", - "value": "WanaCrypt0r" + "value": "WanaCrypt0r - Associated Software" }, { "description": "[[LogRhythm WannaCry](https://app.tidalcyber.com/references/305d0742-154a-44af-8686-c6d8bd7f8636)][[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]", @@ -32984,7 +32984,7 @@ } ], "uuid": "16059e86-c89f-40de-a3e7-cee9f210228c", - "value": "WCry" + "value": "WCry - Associated Software" }, { "description": "[[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]", 
@@ -32998,7 +32998,7 @@ } ], "uuid": "a0cee897-ba88-4c1b-a1c6-f811baf608cc", - "value": "WanaCry" + "value": "WanaCry - Associated Software" }, { "description": "[[SecureWorks WannaCry Analysis](https://app.tidalcyber.com/references/522b2a19-1d15-48f8-8801-c64d3abd945a)]", @@ -33012,7 +33012,7 @@ } ], "uuid": "a4d2e9a7-b785-4385-b85e-51ea8f048de2", - "value": "WanaCrypt" + "value": "WanaCrypt - Associated Software" }, { "description": "[WannaCry](https://app.tidalcyber.com/software/6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[[LogRhythm WannaCry](https://app.tidalcyber.com/references/305d0742-154a-44af-8686-c6d8bd7f8636)][[US-CERT WannaCry 2017](https://app.tidalcyber.com/references/349b8e9d-7172-4d01-b150-f0371d038b7e)][[Washington Post WannaCry 2017](https://app.tidalcyber.com/references/bbf9b08a-072c-4fb9-8c3c-cb6f91e8940c)][[FireEye WannaCry 2017](https://app.tidalcyber.com/references/34b15fe1-c550-4150-87bc-ac9662547247)]", @@ -33076,7 +33076,7 @@ } ], "uuid": "50fda745-505f-47ca-b141-0ed2a48e5bfe", - "value": "Ave Maria" + "value": "Ave Maria - Associated Software" }, { "description": "", @@ -33090,7 +33090,7 @@ } ], "uuid": "d68a20f3-9abb-4c63-9df4-cb73bf291473", - "value": "Warzone" + "value": "Warzone - Associated Software" }, { "description": "[WarzoneRAT](https://app.tidalcyber.com/software/cfebe868-15cb-4be5-b7ed-38b52f2a0722) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[[Check Point Warzone Feb 2020](https://app.tidalcyber.com/references/c214c36e-2bc7-4b98-a74e-529aae99f9cf)][[Uptycs Warzone UAC Bypass November 2020](https://app.tidalcyber.com/references/1324b314-a4d9-43e7-81d6-70b6917fe527)]", 
@@ -33336,7 +33336,7 @@ } ], "uuid": "eda6736e-ffb9-4ef9-8d1a-38b3848e4ba4", - "value": "Wfc.exe" + "value": "Wfc.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).\n\n**Author:** Jimmy (@bohops)\n\n**Paths:**\n* C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v10.0A\\bin\\NETFX 4.8 Tools\\wfc.exe\n\n**Resources:**\n* [https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/](https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_wfc.yml](https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml)\n* IOC: As a Windows SDK binary, execution on a system may be suspicious[[Wfc.exe - LOLBAS Project](/references/a937012a-01c8-457c-8808-47c1753e8781)]", @@ -33430,7 +33430,7 @@ } ], "uuid": "e0f8b025-b8bc-4878-b47e-5ea82fc334c8", - "value": "WCE" + "value": "WCE - Associated Software" }, { "description": "[Windows Credential Editor](https://app.tidalcyber.com/software/7c2c44d7-b307-4e13-b181-52352975a6f5) is a password dumping tool. [[Amplia WCE](https://app.tidalcyber.com/references/790ea33a-7a64-488e-ab90-d82e021e0c06)]", 
@@ -33626,7 +33626,7 @@ } ], "uuid": "d042aa21-d8f6-4cdc-bdd8-b304cbf5b71f", - "value": "winget.exe" + "value": "winget.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Package Manager tool\n\n**Author:** Paul Sanders\n\n**Paths:**\n* C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps\\winget.exe\n\n**Resources:**\n* [https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html](https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html)\n* [https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended](https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended)\n\n**Detection:**\n* IOC: winget.exe spawned with local manifest file\n* IOC: Sysmon Event ID 1 - Process Creation\n* Analysis: [https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html](https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html)\n* Sigma: [proc_creation_win_winget_local_install_via_manifest.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml)[[winget.exe - LOLBAS Project](/references/5ef334f3-fe6f-4cc1-b37d-d147180a8b8d)]", 
@@ -33773,7 +33773,7 @@ } ], "uuid": "65478a44-ca42-48cc-a03e-cd67353fc39f", - "value": "winrm.vbs" + "value": "winrm.vbs - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Script used for manage Windows RM settings\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\winrm.vbs\n* C:\\Windows\\SysWOW64\\winrm.vbs\n\n**Resources:**\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://www.youtube.com/watch?v=3gz1QmiMhss](https://www.youtube.com/watch?v=3gz1QmiMhss)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n* [https://redcanary.com/blog/lateral-movement-winrm-wmi/](https://redcanary.com/blog/lateral-movement-winrm-wmi/)\n* [https://twitter.com/bohops/status/994405551751815170](https://twitter.com/bohops/status/994405551751815170)\n* [https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404](https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404)\n* [https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_winrm_awl_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml)\n* Sigma: [proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml)\n* Sigma: [file_event_win_winrm_awl_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)[[winrm.vbs - LOLBAS Project](/references/86107810-8a1d-4c13-80f0-c1624143d057)]", 
@@ -33852,7 +33852,7 @@ } ], "uuid": "5f6ec10f-8c3d-4656-89bc-f349fe8e5149", - "value": "Winword.exe" + "value": "Winword.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Microsoft Office binary\n\n**Author:** Reegun J (OCBC Bank)\n\n**Paths:**\n* C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office 16\\ClientX86\\Root\\Office16\\winword.exe\n* C:\\Program Files\\Microsoft Office 16\\ClientX64\\Root\\Office16\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office16\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office16\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office 15\\ClientX86\\Root\\Office15\\winword.exe\n* C:\\Program Files\\Microsoft Office 15\\ClientX64\\Root\\Office15\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office15\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office15\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office 14\\ClientX86\\Root\\Office14\\winword.exe\n* C:\\Program Files\\Microsoft Office 14\\ClientX64\\Root\\Office14\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office14\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office14\\winword.exe\n* C:\\Program Files (x86)\\Microsoft Office\\Office12\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\winword.exe\n* C:\\Program Files\\Microsoft Office\\Office12\\winword.exe\n\n**Resources:**\n* [https://twitter.com/reegun21/status/1150032506504151040](https://twitter.com/reegun21/status/1150032506504151040)\n* 
[https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191](https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191)\n\n**Detection:**\n* Sigma: [proc_creation_win_office_arbitrary_cli_download.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml)\n* IOC: Suspicious Office application Internet/network traffic[[Winword.exe - LOLBAS Project](/references/6d75b154-a51d-4541-8353-22ee1d12ebed)]", 
@@ -33945,7 +33945,7 @@ } ], "uuid": "bb8be8ef-1d72-4e76-a111-4ddd0c4aa9d6", - "value": "Wlrmdr.exe" + "value": "Wlrmdr.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Logon Reminder executable\n\n**Author:** Moshe Kaplan\n\n**Paths:**\n* c:\\windows\\system32\\wlrmdr.exe\n\n**Resources:**\n* [https://twitter.com/0gtweet/status/1493963591745220608](https://twitter.com/0gtweet/status/1493963591745220608)\n* [https://twitter.com/Oddvarmoe/status/927437787242090496](https://twitter.com/Oddvarmoe/status/927437787242090496)\n* [https://twitter.com/falsneg/status/1461625526640992260](https://twitter.com/falsneg/status/1461625526640992260)\n* [https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw](https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_wlrmdr.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml)\n* IOC: wlrmdr.exe spawning any new processes[[Wlrmdr.exe - LOLBAS Project](/references/43bebdc3-3072-4a3d-a0b7-0b23f1119136)]", 
@@ -33988,7 +33988,7 @@ } ], "uuid": "e7d40056-45fd-4e73-a7f4-750253b18d30", - "value": "Wmic.exe" + "value": "Wmic.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** The WMI command-line (WMIC) utility provides a command-line interface for WMI\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\wbem\\wmic.exe\n* C:\\Windows\\SysWOW64\\wbem\\wmic.exe\n\n**Resources:**\n* [https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory](https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory)\n* [https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html](https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html)\n* [https://twitter.com/subTee/status/986234811944648707](https://twitter.com/subTee/status/986234811944648707)\n\n**Detection:**\n* Sigma: [image_load_wmic_remote_xsl_scripting_dlls.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml)\n* Sigma: [proc_creation_win_wmic_xsl_script_processing.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml)\n* Sigma: [proc_creation_win_wmic_squiblytwo_bypass.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml)\n* Sigma: 
[proc_creation_win_wmic_eventconsumer_creation.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml)\n* Elastic: [defense_evasion_suspicious_wmi_script.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_suspicious_wmi_script.toml)\n* Elastic: [persistence_via_windows_management_instrumentation_event_subscription.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml)\n* Elastic: [defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [xsl_script_execution_with_wmic.yml](https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/xsl_script_execution_with_wmic.yml)\n* Splunk: [remote_wmi_command_attempt.yml](https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_wmi_command_attempt.yml)\n* Splunk: [remote_process_instantiation_via_wmi.yml](https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/remote_process_instantiation_via_wmi.yml)\n* Splunk: [process_execution_via_wmi.yml](https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/endpoint/process_execution_via_wmi.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Wmic 
retrieving scripts from remote system/Internet location\n* IOC: DotNet CLR libraries loaded into wmic.exe\n* IOC: DotNet CLR Usage Log - wmic.exe.log[[LOLBAS Wmic](/references/497e73d4-9f27-4b30-ba09-f152ce866d0f)]", @@ -34078,7 +34078,7 @@ } ], "uuid": "29f24b94-b871-4306-b75b-0a4b01860d0c", - "value": "WorkFolders.exe" + "value": "WorkFolders.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Work Folders\n\n**Author:** Elliot Killick\n\n**Paths:**\n* C:\\Windows\\System32\\WorkFolders.exe\n\n**Resources:**\n* [https://www.ctus.io/2021/04/12/exploading/](https://www.ctus.io/2021/04/12/exploading/)\n* [https://twitter.com/ElliotKillick/status/1449812843772227588](https://twitter.com/ElliotKillick/status/1449812843772227588)\n\n**Detection:**\n* Sigma: [proc_creation_win_susp_workfolders.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml)\n* IOC: WorkFolders.exe should not be run on a normal workstation[[WorkFolders.exe - LOLBAS Project](/references/42cfa3eb-7a8c-482e-b8d8-78ae5c30b843)]", 
@@ -34121,7 +34121,7 @@ } ], "uuid": "eb4ba697-857a-4e23-9eff-f3aacdaaaa46", - "value": "Wscript.exe" + "value": "Wscript.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used by Windows to execute scripts\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\wscript.exe\n* C:\\Windows\\SysWOW64\\wscript.exe\n\n**Resources:**\n* [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n**Detection:**\n* Sigma: [proc_creation_win_wscript_cscript_script_exec.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml)\n* Sigma: [file_event_win_net_cli_artefact.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml)\n* Sigma: [image_load_susp_script_dotnet_clr_dll_load.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml)\n* Elastic: [defense_evasion_unusual_dir_ads.toml](https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml)\n* Elastic: [command_and_control_remote_file_copy_scripts.toml](https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/command_and_control_remote_file_copy_scripts.toml)\n* Elastic: 
[defense_evasion_suspicious_managedcode_host_process.toml](https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml)\n* Splunk: [wscript_or_cscript_suspicious_child_process.yml](https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Wscript.exe executing code from alternate data streams\n* IOC: DotNet CLR libraries loaded into wscript.exe\n* IOC: DotNet CLR Usage Log - wscript.exe.log[[Wscript.exe - LOLBAS Project](/references/6c536675-84dd-44c3-8771-70120b413db7)]", 
@@ -34172,7 +34172,7 @@ } ], "uuid": "b7b8a330-d1f6-48f6-b49a-cbe7a786d1a3", - "value": "Wsl.exe" + "value": "Wsl.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows subsystem for Linux executable\n\n**Author:** Matthew Brown\n\n**Paths:**\n* C:\\Windows\\System32\\wsl.exe\n\n**Resources:**\n* [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* [https://twitter.com/nas_bench/status/1535431474429808642](https://twitter.com/nas_bench/status/1535431474429808642)\n\n**Detection:**\n* Sigma: [proc_creation_win_wsl_lolbin_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml)\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* IOC: Child process from wsl.exe[[Wsl.exe - LOLBAS Project](/references/c147902a-e8e4-449f-8106-9e268d5367d8)]", 
@@ -34215,7 +34215,7 @@ } ], "uuid": "1736ed77-6f0e-4e70-89b1-8e41a005aae3", - "value": "Wsreset.exe" + "value": "Wsreset.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used to reset Windows Store settings according to its manifest file\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\wsreset.exe\n\n**Resources:**\n* [https://www.activecyber.us/activelabs/windows-uac-bypass](https://www.activecyber.us/activelabs/windows-uac-bypass)\n* [https://twitter.com/ihack4falafel/status/1106644790114947073](https://twitter.com/ihack4falafel/status/1106644790114947073)\n* [https://github.com/hfiref0x/UACME/blob/master/README.md](https://github.com/hfiref0x/UACME/blob/master/README.md)\n\n**Detection:**\n* Sigma: [proc_creation_win_uac_bypass_wsreset_integrity_level.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml)\n* Sigma: [proc_creation_win_uac_bypass_wsreset.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml)\n* Sigma: [registry_event_bypass_via_wsreset.yml#](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml#)\n* Splunk: [wsreset_uac_bypass.yml](https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/wsreset_uac_bypass.yml)\n* IOC: wsreset.exe launching child process other than mmc.exe\n* IOC: Creation or modification of the registry value 
HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\n* IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen[[Wsreset.exe - LOLBAS Project](/references/24b73a27-f2ec-4cfa-a9df-59d4d4c1dd89)]", @@ -34258,7 +34258,7 @@ } ], "uuid": "11184347-6e49-4c9c-b730-636f2db7bdf6", - "value": "wt.exe" + "value": "wt.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Terminal\n\n**Author:** Nasreddine Bencherchali\n\n**Paths:**\n* C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_\\wt.exe\n\n**Resources:**\n* [https://twitter.com/nas_bench/status/1552100271668469761](https://twitter.com/nas_bench/status/1552100271668469761)\n\n**Detection:**\n* Sigma: [proc_creation_win_windows_terminal_susp_children.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml)[[wt.exe - LOLBAS Project](/references/bbdd85b0-fdbb-4bd2-b962-a915c23c83c2)]", 
@@ -34300,7 +34300,7 @@ } ], "uuid": "1fa5cc14-037c-4940-9816-76e009769429", - "value": "wuauclt.exe" + "value": "wuauclt.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Windows Update Client\n\n**Author:** David Middlehurst\n\n**Paths:**\n* C:\\Windows\\System32\\wuauclt.exe\n\n**Resources:**\n* [https://dtm.uk/wuauclt/](https://dtm.uk/wuauclt/)\n\n**Detection:**\n* Sigma: [net_connection_win_wuauclt_network_connection.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml)\n* Sigma: [proc_creation_win_lolbin_wuauclt.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml)\n* Sigma: [proc_creation_win_wuauclt_execution.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml)\n* IOC: wuauclt run with a parameter of a DLL path\n* IOC: Suspicious wuauclt Internet/network connections[[wuauclt.exe - LOLBAS Project](/references/09229ea3-ffd8-4d97-9728-f8c683ef6f26)]", 
@@ -34345,7 +34345,7 @@ } ], "uuid": "469e0e63-774e-4627-8e71-d4b206958acf", - "value": "OSX.Sofacy" + "value": "OSX.Sofacy - Associated Software" }, { "description": "[XAgentOSX](https://app.tidalcyber.com/software/6f411b69-6643-4cc7-9cbd-e15d9219e99c) is a trojan that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) on OS X and appears to be a port of their standard [CHOPSTICK](https://app.tidalcyber.com/software/01c6c49a-f7c8-44cd-a377-4dfd358ffeba) or XAgent trojan. [[XAgentOSX 2017](https://app.tidalcyber.com/references/2dc7a8f1-ccee-46f0-a995-268694f11b02)]", @@ -34491,7 +34491,7 @@ } ], "uuid": "66b2ced3-eab8-4586-91e0-5eedf642953f", - "value": "OSX.DubRobber" + "value": "OSX.DubRobber - Associated Software" }, { "description": "[XCSSET](https://app.tidalcyber.com/software/3672ecfa-20bf-4d69-948d-876be343563f) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://app.tidalcyber.com/software/3672ecfa-20bf-4d69-948d-876be343563f) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.[[trendmicro xcsset xcode project 2020](https://app.tidalcyber.com/references/0194bb11-8b97-4d61-8ddb-824077edc7db)]", @@ -34571,7 +34571,7 @@ } ], "uuid": "0baa74ce-ec67-49f5-a3b7-a83e99dd5753", - "value": "xpack.exe" + "value": "xpack.exe - Associated Software" }, { "description": "According to joint Cybersecurity Advisory AA23-250A (September 2023), Xpack is a malicious, \"custom .NET loader that decrypts (AES), loads, and executes accompanying files\".[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]", 
@@ -34611,7 +34611,7 @@ } ], "uuid": "c2269965-aafe-45b9-9852-4c80af005bfa", - "value": "Trojan.Shunnael" + "value": "Trojan.Shunnael - Associated Software" }, { "description": "[[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)][[Symantec APT28 Oct 2018](https://app.tidalcyber.com/references/777bc94a-6c21-4f8c-9efa-a1cf52ececc0)]", @@ -34625,7 +34625,7 @@ } ], "uuid": "c7a0f216-1bae-4ef7-b37e-5d6df89c8997", - "value": "X-Tunnel" + "value": "X-Tunnel - Associated Software" }, { "description": "[[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]", @@ -34639,7 +34639,7 @@ } ], "uuid": "22ca51f0-cded-4fd9-99c1-5bd55f57bc56", - "value": "XAPS" + "value": "XAPS - Associated Software" }, { "description": "[XTunnel](https://app.tidalcyber.com/software/133136f0-7254-4cec-8710-0ab99d5da4e5) a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) during the compromise of the Democratic National Committee. [[Crowdstrike DNC June 2016](https://app.tidalcyber.com/references/7f4edc06-ac67-4d71-b39c-5df9ce521bbb)] [[Invincea XTunnel](https://app.tidalcyber.com/references/43773784-92b8-4722-806c-4b1fc4278bb0)] [[ESET Sednit Part 2](https://app.tidalcyber.com/references/aefb9eda-df5a-437f-af2a-ec1b6c04628b)]", 
@@ -34692,7 +34692,7 @@ } ], "uuid": "3305e7bb-d304-4bf6-ad90-70aac0dd564c", - "value": "Xwizard.exe" + "value": "Xwizard.exe - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute custom class that has been added to the registry or download a file with Xwizard.exe\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\xwizard.exe\n* C:\\Windows\\SysWOW64\\xwizard.exe\n\n**Resources:**\n* [http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/](http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/)\n* [https://www.youtube.com/watch?v=LwDHX7DVHWU](https://www.youtube.com/watch?v=LwDHX7DVHWU)\n* [https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5](https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5)\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://twitter.com/notwhickey/status/1306023056847110144](https://twitter.com/notwhickey/status/1306023056847110144)\n\n**Detection:**\n* Sigma: [proc_creation_win_lolbin_class_exec_xwizard.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml)\n* Sigma: [proc_creation_win_lolbin_dll_sideload_xwizard.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml)\n* Elastic: 
[execution_com_object_xwizard.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/execution_com_object_xwizard.toml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)[[Xwizard.exe - LOLBAS Project](/references/573df5d1-83e7-4437-bdad-604f093b3cfd)]", @@ -34785,7 +34785,7 @@ } ], "uuid": "46252b99-2f81-4f99-9896-32fa41445351", - "value": "Zekapab" + "value": "Zekapab - Associated Software" }, { "description": "[Zebrocy](https://app.tidalcyber.com/software/e317b8a6-1722-4017-be33-717a5a93ef1c) is a Trojan that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [[Palo Alto Sofacy 06-2018](https://app.tidalcyber.com/references/a32357eb-3226-4bee-aeed-d2fbcfa52da0)][[Unit42 Cannon Nov 2018](https://app.tidalcyber.com/references/8c634bbc-4878-4b27-aa18-5996ec968809)][[Unit42 Sofacy Dec 2018](https://app.tidalcyber.com/references/540c4c33-d4c2-4324-94cd-f57646666e32)][[CISA Zebrocy Oct 2020](https://app.tidalcyber.com/references/b7518c4d-6c10-43d2-8e57-d354fb8d4a99)] ", 
@@ -34903,7 +34903,7 @@ } ], "uuid": "f50a78e0-2256-4642-b267-ecf746252c5a", - "value": "Zipfldr.dll" + "value": "Zipfldr.dll - Associated Software" }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Compressed Folder library\n\n**Author:** LOLBAS Team\n\n**Paths:**\n* c:\\windows\\system32\\zipfldr.dll\n* c:\\windows\\syswow64\\zipfldr.dll\n\n**Resources:**\n* [https://twitter.com/moriarty_meng/status/977848311603380224](https://twitter.com/moriarty_meng/status/977848311603380224)\n* [https://twitter.com/bohops/status/997896811904929792](https://twitter.com/bohops/status/997896811904929792)\n* [https://windows10dll.nirsoft.net/zipfldr_dll.html](https://windows10dll.nirsoft.net/zipfldr_dll.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_rundll32_susp_activity.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml)[[Zipfldr.dll - LOLBAS Project](/references/3bee0640-ea48-4164-be57-ac565d8cbea7)]", @@ -34965,7 +34965,7 @@ } ], "uuid": "3835527c-d5ce-43cc-92a6-2afee915dea6", - "value": "ZoxPNG" + "value": "ZoxPNG - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", @@ -34979,7 +34979,7 @@ } ], "uuid": "7835d0eb-283d-409e-827f-89579dddb21c", - "value": "Gresim" + "value": "Gresim - Associated Software" }, { "description": "[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]", 
@@ -34993,7 +34993,7 @@
 }
 ],
 "uuid": "df7b9419-47dc-4a77-bad0-3892fe251260",
- "value": "ZoxRPC"
+ "value": "ZoxRPC - Associated Software"
 },
 {
 "description": "[Zox](https://app.tidalcyber.com/software/75dd9acb-fcff-4b0b-b45b-f943fb589d78) is a remote access tool that has been used by [Axiom](https://app.tidalcyber.com/groups/90f4d3f9-3fe3-4a64-8dc1-172c6d037dca) since at least 2008.[[Novetta-Axiom](https://app.tidalcyber.com/references/0dd428b9-849b-4108-87b1-20050b86f420)]",
@@ -35068,7 +35068,7 @@
 }
 ],
 "uuid": "9be660db-2271-4eed-9e9e-736b2a425a44",
- "value": "Sensocode"
+ "value": "Sensocode - Associated Software"
 },
 {
 "description": "[ZxShell](https://app.tidalcyber.com/software/eea89ff2-036d-4fa6-bbed-f89502c62318) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[[FireEye APT41 Aug 2019](https://app.tidalcyber.com/references/20f8e252-0a95-4ebd-857c-d05b0cde0904)][[Talos ZxShell Oct 2014](https://app.tidalcyber.com/references/41c20013-71b3-4957-98f0-fb919014c93e)]",
diff --git a/tools/tidal-api/models/cluster.py b/tools/tidal-api/models/cluster.py
index f0487ee..858e50f 100644
--- a/tools/tidal-api/models/cluster.py
+++ b/tools/tidal-api/models/cluster.py
@@ -238,7 +238,7 @@ class GroupCluster(Cluster):
 meta=associated_meta,
 related=associated_related,
 uuid=associated_group.get("associated_group_id"),
- value=associated_group.get("name"),
+ value=associated_group.get("name") + " - Associated Group",
 )
 self.values.append(value.return_value())
 related.append(
@@ -339,7 +339,7 @@ class SoftwareCluster(Cluster):
 meta=associated_meta,
 related=associated_related,
 uuid=associated_software.get("associated_software_id"),
- value=associated_software.get("name"),
+ value=associated_software.get("name") + " - Associated Software",
 )
 self.values.append(value.return_value())
 related.append(
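Review bot: `associated_group.get("name") + " - Associated Group"` raises a TypeError when the upstream record has no `name` (or it is null), whereas the old line passed None through; using `.get()` rather than `["name"]` suggests the key is treated as optional, so the concatenation turns a tolerated gap in API data into a crash of the whole cluster build. The SoftwareCluster hunk (`associated_software.get("name") + " - Associated Software"`) has the same problem. I would read the name first and only decorate it when present, e.g. `name = associated_group.get("name")` then `value=f"{name} - Associated Group" if name else None,` (and the matching change for software), and hoist the two suffix literals into module-level constants so the group and software naming cannot drift apart. Both enclosing methods start and end outside their hunks, so where `value` is consumed when it is None is not visible here.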