Trusted Design

Komari Red: The Monitoring Tool with a Built-in Reverse Shell

Summary

On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the Komari agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP 45.153.34[.]132 and used Impacket smbexec.py to enable RDP on the target system. The Komari agent was installed as a persistent Windows service named 'Windows Update Service' using NSSM, pulling the installer directly from the official GitHub repository. Komari provides bidirectional control through WebSocket connections, offering arbitrary command execution, interactive reverse shell access, and network probing capabilities by default. Microsoft Defender quarantined an earlier registry dump attempt, forcing the adversary to pivot to this GitHub-based approach. This represents the first publicly documented case of Komari being abused in a real-world intrusion.

Created: 2026-05-01

Similar Pulses

No similar pulses were found.

Threat actors related to this pulse (fact-based)

HAFNIUM

Score: 21.31
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1027.008 - Stripped Payloads
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1039 - Data from Network Shared Drive
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
  • T1055.008 - Ptrace System Calls
Link to MITRE →

menuPass

Score: 27.07
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1491.002 - External Defacement
  • T1584.008 - Network Devices
  • T1527 - Application Access Token
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1547.011 - Plist Modification
  • T1055.004 - Asynchronous Procedure Call
  • T1157 - Dylib Hijacking
  • T1174 - Password Filter DLL
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
Link to MITRE →

Wizard Spider

Score: 36.42
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1543.003 - Windows Service
  • T1038 - DLL Search Order Hijacking
  • T1183 - Image File Execution Options Injection
  • T1083 - File and Directory Discovery
  • T1567.001 - Exfiltration to Code Repository
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1556.009 - Conditional Access Policies
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
  • T1027.018 - Invisible Unicode
  • T1556 - Modify Authentication Process
Link to MITRE →

APT33

Score: 20.84
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1562.012 - Disable or Modify Linux Audit System
  • T1567.001 - Exfiltration to Code Repository
  • T1157 - Dylib Hijacking
  • T1562.001 - Disable or Modify Tools
  • T1039 - Data from Network Shared Drive
  • T1027.018 - Invisible Unicode
  • T1556 - Modify Authentication Process
Link to MITRE →

Fox Kitten

Score: 25.66
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1491.002 - External Defacement
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1177 - LSASS Driver
  • T1045 - Software Packing
  • T1055.013 - Process Doppelgänging
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1656 - Impersonation
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
Link to MITRE →

CopyKittens

Score: 3.93
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1045 - Software Packing
Link to MITRE →

Volt Typhoon

Score: 57.29
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1686.003 - Windows Host Firewall
  • T1003.007 - Proc Filesystem
  • T1556.002 - Password Filter DLL
  • T1176 - Software Extensions
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.005 - Security Support Provider
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1045 - Software Packing
  • T1083 - File and Directory Discovery
  • T1055.004 - Asynchronous Procedure Call
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1584.002 - DNS Server
  • T1070.009 - Clear Persistence
  • T1546.016 - Installer Packages
  • T1134 - Access Token Manipulation
  • T1159 - Launch Agent
  • T1574.002 - DLL Side-Loading
  • T1548.006 - TCC Manipulation
Link to MITRE →

APT1

Score: 14.39
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1587.003 - Digital Certificates
  • T1543.003 - Windows Service
  • T1003.007 - Proc Filesystem
  • T1098.007 - Additional Local or Domain Groups
  • T1183 - Image File Execution Options Injection
  • T1055.004 - Asynchronous Procedure Call
Link to MITRE →

Mustang Panda

Score: 68.61
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1037 - Boot or Logon Initialization Scripts
  • T1546.013 - PowerShell Profile
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1058 - Service Registry Permissions Weakness
  • T1024 - Custom Cryptographic Protocol
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1546.011 - Application Shimming
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1055.013 - Process Doppelgänging
  • T1055.004 - Asynchronous Procedure Call
  • T1218.012 - Verclsid
  • T1608 - Stage Capabilities
  • T1169 - Sudo
  • T1136.003 - Cloud Account
  • T1565.002 - Transmitted Data Manipulation
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1159 - Launch Agent
  • T1055.005 - Thread Local Storage
  • T1548.006 - TCC Manipulation
  • T1027.018 - Invisible Unicode
  • T1556 - Modify Authentication Process
Link to MITRE →

Play

Score: 11.30
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1140 - Deobfuscate/Decode Files or Information
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
Link to MITRE →

Chimera

Score: 20.36
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1587.003 - Digital Certificates
  • T1003.007 - Proc Filesystem
  • T1055.004 - Asynchronous Procedure Call
  • T1157 - Dylib Hijacking
  • T1574 - Hijack Execution Flow
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
Link to MITRE →

Sea Turtle

Score: 25.99
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1037 - Boot or Logon Initialization Scripts
  • T1499.003 - Application Exhaustion Flood
  • T1587.003 - Digital Certificates
  • T1063 - Security Software Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1555.003 - Credentials from Web Browsers
  • T1157 - Dylib Hijacking
  • T1059.013 - Container CLI/API
Link to MITRE →

APT39

Score: 27.37
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1566.001 - Spearphishing Attachment
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1547.011 - Plist Modification
  • T1055.013 - Process Doppelgänging
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1027.004 - Compile After Delivery
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
Link to MITRE →

RedCurl

Score: 25.21
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1587.003 - Digital Certificates
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1016.002 - Wi-Fi Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1090 - Proxy
  • T1128 - Netsh Helper DLL
  • T1027.004 - Compile After Delivery
  • T1070.009 - Clear Persistence
  • T1027.018 - Invisible Unicode
Link to MITRE →

APT5

Score: 14.38
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1027.008 - Stripped Payloads
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1055.004 - Asynchronous Procedure Call
  • T1070.009 - Clear Persistence
Link to MITRE →

Agrius

Score: 13.28
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1134 - Access Token Manipulation
Link to MITRE →

GALLIUM

Score: 21.31
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1547.011 - Plist Modification
  • T1055.004 - Asynchronous Procedure Call
  • T1059.004 - Unix Shell
  • T1157 - Dylib Hijacking
  • T1174 - Password Filter DLL
  • T1134 - Access Token Manipulation
Link to MITRE →

APT41

Score: 50.62
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.012 - Disable or Modify Linux Audit System
  • T1177 - LSASS Driver
  • T1045 - Software Packing
  • T1055.004 - Asynchronous Procedure Call
  • T1041 - Exfiltration Over C2 Channel
  • T1048 - Exfiltration Over Alternative Protocol
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1208 - Kerberoasting
  • T1027 - Obfuscated Files or Information
  • T1002 - Data Compressed
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1574.002 - DLL Side-Loading
  • T1548.006 - TCC Manipulation
  • T1037.001 - Logon Script (Windows)
Link to MITRE →

MuddyWater

Score: 31.36
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1518.002 - Backup Software Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1547.011 - Plist Modification
  • T1055.004 - Asynchronous Procedure Call
  • T1218.012 - Verclsid
  • T1597 - Search Closed Sources
  • T1059.013 - Container CLI/API
  • T1027.004 - Compile After Delivery
  • T1159 - Launch Agent
  • T1027.018 - Invisible Unicode
Link to MITRE →

APT28

Score: 51.26
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1222.002 - Linux and Mac Permissions
  • T1491.002 - External Defacement
  • T1566.002 - Spearphishing Link
  • T1058 - Service Registry Permissions Weakness
  • T1024 - Custom Cryptographic Protocol
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1131 - Authentication Package
  • T1555.003 - Credentials from Web Browsers
  • T1547.011 - Plist Modification
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1197 - BITS Jobs
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1588.003 - Code Signing Certificates
  • T1548.006 - TCC Manipulation
  • T1027.018 - Invisible Unicode
  • T1055.008 - Ptrace System Calls
Link to MITRE →

Turla

Score: 51.40
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1546.013 - PowerShell Profile
  • T1606.002 - SAML Tokens
  • T1063 - Security Software Discovery
  • T1543.003 - Windows Service
  • T1003.007 - Proc Filesystem
  • T1176 - Software Extensions
  • T1131 - Authentication Package
  • T1045 - Software Packing
  • T1055.004 - Asynchronous Procedure Call
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1218.001 - Compiled HTML File
  • T1059.004 - Unix Shell
  • T1039 - Data from Network Shared Drive
  • T1027.004 - Compile After Delivery
  • T1556.009 - Conditional Access Policies
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
Link to MITRE →

BRONZE BUTLER

Score: 23.38
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1003.007 - Proc Filesystem
  • T1592.004 - Client Configurations
  • T1597 - Search Closed Sources
  • T1027.004 - Compile After Delivery
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1134 - Access Token Manipulation
  • T1159 - Launch Agent
  • T1591.001 - Determine Physical Locations
Link to MITRE →

UNC3886

Score: 36.34
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1689 - Downgrade Attack
  • T1556.002 - Password Filter DLL
  • T1140 - Deobfuscate/Decode Files or Information
  • T1546.011 - Application Shimming
  • T1009 - Binary Padding
  • T1021.006 - Windows Remote Management
  • T1597 - Search Closed Sources
  • T1059.004 - Unix Shell
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1027.004 - Compile After Delivery
  • T1070.009 - Clear Persistence
Link to MITRE →

Kimsuky

Score: 101.49
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1037 - Boot or Logon Initialization Scripts
  • T1546.013 - PowerShell Profile
  • T1109 - Component Firmware
  • T1606.002 - SAML Tokens
  • T1213.006 - Databases
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1003.007 - Proc Filesystem
  • T1024 - Custom Cryptographic Protocol
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1546.011 - Application Shimming
  • T1009 - Binary Padding
  • T1131 - Authentication Package
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1609 - Container Administration Command
  • T1218.012 - Verclsid
  • T1608 - Stage Capabilities
  • T1654 - Log Enumeration
  • T1041 - Exfiltration Over C2 Channel
  • T1055.014 - VDSO Hijacking
  • T1597 - Search Closed Sources
  • T1027.014 - Polymorphic Code
  • T1690 - Prevent Command History Logging
  • T1027.004 - Compile After Delivery
  • T1197 - BITS Jobs
  • T1656 - Impersonation
  • T1565.002 - Transmitted Data Manipulation
  • T1070.009 - Clear Persistence
  • T1126 - Network Share Connection Removal
  • T1027.018 - Invisible Unicode
  • T1003.003 - NTDS
Link to MITRE →

APT3

Score: 20.29
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1562.012 - Disable or Modify Linux Audit System
  • T1547.011 - Plist Modification
  • T1177 - LSASS Driver
  • T1055.004 - Asynchronous Procedure Call
  • T1059.004 - Unix Shell
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
Link to MITRE →

FIN8

Score: 18.68
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1027 - Obfuscated Files or Information
  • T1128 - Netsh Helper DLL
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
  • T1556 - Modify Authentication Process
Link to MITRE →

Ke3chang

Score: 31.32
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1606.002 - SAML Tokens
  • T1027.008 - Stripped Payloads
  • T1003.007 - Proc Filesystem
  • T1140 - Deobfuscate/Decode Files or Information
  • T1055.013 - Process Doppelgänging
  • T1198 - SIP and Trust Provider Hijacking
  • T1090 - Proxy
  • T1055.004 - Asynchronous Procedure Call
  • T1157 - Dylib Hijacking
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
Link to MITRE →

Lotus Blossom

Score: 11.75
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1109 - Component Firmware
  • T1055.004 - Asynchronous Procedure Call
  • T1505 - Server Software Component
  • T1134 - Access Token Manipulation
Link to MITRE →

FIN13

Score: 29.04
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1606.002 - SAML Tokens
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.005 - Security Support Provider
  • T1555.003 - Credentials from Web Browsers
  • T1144 - Gatekeeper Bypass
  • T1055.004 - Asynchronous Procedure Call
  • T1134.001 - Token Impersonation/Theft
  • T1548.006 - TCC Manipulation
  • T1686.001 - Cloud Firewall
Link to MITRE →

Earth Lusca

Score: 36.22
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1003.007 - Proc Filesystem
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1110.003 - Password Spraying
  • T1045 - Software Packing
  • T1055.004 - Asynchronous Procedure Call
  • T1218.012 - Verclsid
  • T1218.001 - Compiled HTML File
  • T1027.004 - Compile After Delivery
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
Link to MITRE →

Magic Hound

Score: 55.22
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1491.002 - External Defacement
  • T1587.003 - Digital Certificates
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1024 - Custom Cryptographic Protocol
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1021.008 - Direct Cloud VM Connections
  • T1016.002 - Wi-Fi Discovery
  • T1547.005 - Security Support Provider
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1045 - Software Packing
  • T1055.004 - Asynchronous Procedure Call
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1027 - Obfuscated Files or Information
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
  • T1547.008 - LSASS Driver
Link to MITRE →

Aquatic Panda

Score: 11.14
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1003.007 - Proc Filesystem
  • T1144 - Gatekeeper Bypass
  • T1597 - Search Closed Sources
  • T1070.009 - Clear Persistence
Link to MITRE →

INC Ransom

Score: 15.36
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1140 - Deobfuscate/Decode Files or Information
  • T1083 - File and Directory Discovery
  • T1055.004 - Asynchronous Procedure Call
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1070.009 - Clear Persistence
Link to MITRE →

Akira

Score: 13.24
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1137.005 - Outlook Rules
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1134 - Access Token Manipulation
Link to MITRE →

ToddyCat

Score: 11.20
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1055.004 - Asynchronous Procedure Call
  • T1134 - Access Token Manipulation
  • T1547.008 - LSASS Driver
Link to MITRE →

APT29

Score: 56.97
Matched TTPs:
  • T1222.002 - Linux and Mac Permissions
  • T1584.008 - Network Devices
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1202 - Indirect Command Execution
  • T1024 - Custom Cryptographic Protocol
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1547.011 - Plist Modification
  • T1177 - LSASS Driver
  • T1592.004 - Client Configurations
  • T1036.004 - Masquerade Task or Service
  • T1218.012 - Verclsid
  • T1556.008 - Network Provider DLL
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1027.004 - Compile After Delivery
  • T1223 - Compiled HTML File
  • T1070.009 - Clear Persistence
  • T1027.018 - Invisible Unicode
  • T1547.008 - LSASS Driver
Link to MITRE →

Contagious Interview

Score: 57.27
Matched TTPs:
  • T1044 - File System Permissions Weakness
  • T1491.002 - External Defacement
  • T1546.013 - PowerShell Profile
  • T1606.002 - SAML Tokens
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1547.005 - Security Support Provider
  • T1131 - Authentication Package
  • T1021.006 - Windows Remote Management
  • T1183 - Image File Execution Options Injection
  • T1045 - Software Packing
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1690 - Prevent Command History Logging
  • T1027.004 - Compile After Delivery
  • T1656 - Impersonation
  • T1565.002 - Transmitted Data Manipulation
  • T1070.009 - Clear Persistence
  • T1126 - Network Share Connection Removal
  • T1027.018 - Invisible Unicode
  • T1547.008 - LSASS Driver
  • T1556 - Modify Authentication Process
Link to MITRE →

Inception

Score: 11.48
Matched TTPs:
  • T1491.002 - External Defacement
  • T1562.012 - Disable or Modify Linux Audit System
  • T1218.012 - Verclsid
  • T1027.014 - Polymorphic Code
  • T1159 - Launch Agent
Link to MITRE →

Dark Caracal

Score: 9.32
Matched TTPs:
  • T1491.002 - External Defacement
  • T1048 - Exfiltration Over Alternative Protocol
  • T1059.012 - Hypervisor CLI
  • T1547.008 - LSASS Driver
Link to MITRE →

Elderwood

Score: 6.17
Matched TTPs:
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

Darkhotel

Score: 6.39
Matched TTPs:
  • T1491.002 - External Defacement
  • T1058 - Service Registry Permissions Weakness
  • T1059.012 - Hypervisor CLI
Link to MITRE →

Transparent Tribe

Score: 7.68
Matched TTPs:
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1098.007 - Additional Local or Domain Groups
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

APT18

Score: 8.24
Matched TTPs:
  • T1491.002 - External Defacement
  • T1157 - Dylib Hijacking
  • T1070.009 - Clear Persistence
  • T1591.001 - Determine Physical Locations
Link to MITRE →

Leviathan

Score: 34.76
Matched TTPs:
  • T1491.002 - External Defacement
  • T1484.002 - Trust Modification
  • T1543.003 - Windows Service
  • T1024 - Custom Cryptographic Protocol
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1554 - Compromise Host Software Binary
  • T1055.014 - VDSO Hijacking
  • T1157 - Dylib Hijacking
  • T1027.014 - Polymorphic Code
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1027.018 - Invisible Unicode
Link to MITRE →

Sidewinder

Score: 20.83
Matched TTPs:
  • T1491.002 - External Defacement
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1090 - Proxy
  • T1218.012 - Verclsid
  • T1657 - Financial Theft
  • T1159 - Launch Agent
  • T1027.018 - Invisible Unicode
Link to MITRE →

Lazarus Group

Score: 49.45
Matched TTPs:
  • T1491.002 - External Defacement
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1098.007 - Additional Local or Domain Groups
  • T1009 - Binary Padding
  • T1183 - Image File Execution Options Injection
  • T1547.011 - Plist Modification
  • T1134.002 - Create Process with Token
  • T1055.004 - Asynchronous Procedure Call
  • T1218.012 - Verclsid
  • T1069.001 - Local Groups
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1562.001 - Disable or Modify Tools
  • T1174 - Password Filter DLL
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1055.005 - Thread Local Storage
  • T1547.008 - LSASS Driver
  • T1556 - Modify Authentication Process
Link to MITRE →

Saint Bear

Score: 13.56
Matched TTPs:
  • T1491.002 - External Defacement
  • T1546.013 - PowerShell Profile
  • T1091 - Replication Through Removable Media
  • T1134.002 - Create Process with Token
  • T1055.013 - Process Doppelgänging
  • T1597 - Search Closed Sources
  • T1027.018 - Invisible Unicode
Link to MITRE →

BITTER

Score: 7.18
Matched TTPs:
  • T1491.002 - External Defacement
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1039 - Data from Network Shared Drive
Link to MITRE →

TA505

Score: 23.52
Matched TTPs:
  • T1491.002 - External Defacement
  • T1546.013 - PowerShell Profile
  • T1527 - Application Access Token
  • T1543.003 - Windows Service
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1016.002 - Wi-Fi Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information
  • T1027.018 - Invisible Unicode
Link to MITRE →

Higaisa

Score: 3.57
Matched TTPs:
  • T1491.002 - External Defacement
  • T1546.013 - PowerShell Profile
Link to MITRE →

APT19

Score: 8.45
Matched TTPs:
  • T1491.002 - External Defacement
  • T1055.013 - Process Doppelgänging
  • T1027.014 - Polymorphic Code
  • T1059.012 - Hypervisor CLI
Link to MITRE →

Threat Group-3390

Score: 24.70
Matched TTPs:
  • T1491.002 - External Defacement
  • T1584.008 - Network Devices
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1555.003 - Credentials from Web Browsers
  • T1055.004 - Asynchronous Procedure Call
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1134 - Access Token Manipulation
  • T1591.001 - Determine Physical Locations
Link to MITRE →

TA2541

Score: 14.77
Matched TTPs:
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1218.012 - Verclsid
  • T1597 - Search Closed Sources
  • T1128 - Netsh Helper DLL
  • T1027.018 - Invisible Unicode
Link to MITRE →

Malteiro

Score: 3.65
Matched TTPs:
  • T1491.002 - External Defacement
  • T1562.012 - Disable or Modify Linux Audit System
Link to MITRE →

Storm-1811

Score: 16.89
Matched TTPs:
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1098.007 - Additional Local or Domain Groups
  • T1027 - Obfuscated Files or Information
  • T1486 - Data Encrypted for Impact
  • T1565.002 - Transmitted Data Manipulation
  • T1547.008 - LSASS Driver
Link to MITRE →

Blue Mockingbird

Score: 12.00
Matched TTPs:
  • T1491.002 - External Defacement
  • T1140 - Deobfuscate/Decode Files or Information
  • T1045 - Software Packing
  • T1027.014 - Polymorphic Code
  • T1505 - Server Software Component
Link to MITRE →

Tropic Trooper

Score: 22.42
Matched TTPs:
  • T1491.002 - External Defacement
  • T1058 - Service Registry Permissions Weakness
  • T1555.003 - Credentials from Web Browsers
  • T1090 - Proxy
  • T1055.004 - Asynchronous Procedure Call
  • T1136.003 - Cloud Account
  • T1128 - Netsh Helper DLL
  • T1070.009 - Clear Persistence
  • T1159 - Launch Agent
Link to MITRE →

Mofang

Score: 4.40
Matched TTPs:
  • T1491.002 - External Defacement
  • T1543.003 - Windows Service
  • T1027.018 - Invisible Unicode
Link to MITRE →

Whitefly

Score: 6.03
Matched TTPs:
  • T1491.002 - External Defacement
  • T1055.013 - Process Doppelgänging
  • T1039 - Data from Network Shared Drive
Link to MITRE →

Moses Staff

Score: 9.27
Matched TTPs:
  • T1491.002 - External Defacement
  • T1606.002 - SAML Tokens
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
Link to MITRE →

TeamTNT

Score: 25.34
Matched TTPs:
  • T1491.002 - External Defacement
  • T1606.002 - SAML Tokens
  • T1003.007 - Proc Filesystem
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1009 - Binary Padding
  • T1071.003 - Mail Protocols
  • T1110.003 - Password Spraying
  • T1055.004 - Asynchronous Procedure Call
  • T1597 - Search Closed Sources
  • T1070.009 - Clear Persistence
Link to MITRE →

Putter Panda

Score: 3.39
Matched TTPs:
  • T1491.002 - External Defacement
  • T1597 - Search Closed Sources
Link to MITRE →

OilRig

Score: 59.45
Matched TTPs:
  • T1491.002 - External Defacement
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1566.001 - Spearphishing Attachment
  • T1003.007 - Proc Filesystem
  • T1024 - Custom Cryptographic Protocol
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1009 - Binary Padding
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1055.013 - Process Doppelgänging
  • T1055.004 - Asynchronous Procedure Call
  • T1048 - Exfiltration Over Alternative Protocol
  • T1097 - Pass the Ticket
  • T1059.004 - Unix Shell
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1592.002 - Software
  • T1128 - Netsh Helper DLL
  • T1556.009 - Conditional Access Policies
  • T1070.009 - Clear Persistence
  • T1027.018 - Invisible Unicode
  • T1547.008 - LSASS Driver
  • T1556 - Modify Authentication Process
Link to MITRE →

APT32

Score: 51.05
Matched TTPs:
  • T1491.002 - External Defacement
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1547.005 - Security Support Provider
  • T1131 - Authentication Package
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1055.013 - Process Doppelgänging
  • T1592.004 - Client Configurations
  • T1055.004 - Asynchronous Procedure Call
  • T1218.012 - Verclsid
  • T1562.001 - Disable or Modify Tools
  • T1039 - Data from Network Shared Drive
  • T1027.014 - Polymorphic Code
  • T1174 - Password Filter DLL
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1134 - Access Token Manipulation
  • T1027.018 - Invisible Unicode
  • T1556 - Modify Authentication Process
Link to MITRE →

Moonstone Sleet

Score: 26.60
Matched TTPs:
  • T1491.002 - External Defacement
  • T1606.002 - SAML Tokens
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1027 - Obfuscated Files or Information
  • T1197 - BITS Jobs
  • T1126 - Network Share Connection Removal
  • T1547.008 - LSASS Driver
Link to MITRE →

FIN6

Score: 32.43
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1063 - Security Software Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1055.013 - Process Doppelgänging
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1128 - Netsh Helper DLL
  • T1070.009 - Clear Persistence
  • T1505 - Server Software Component
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
  • T1547.008 - LSASS Driver
  • T1556 - Modify Authentication Process
Link to MITRE →

MoustachedBouncer

Score: 6.41
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1045 - Software Packing
  • T1039 - Data from Network Shared Drive
Link to MITRE →

TA577

Score: 7.45
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1024 - Custom Cryptographic Protocol
  • T1027.018 - Invisible Unicode
Link to MITRE →

Winter Vivern

Score: 20.62
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1587.003 - Digital Certificates
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1055.013 - Process Doppelgänging
  • T1090 - Proxy
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

Silence

Score: 14.90
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1547.011 - Plist Modification
  • T1048 - Exfiltration Over Alternative Protocol
  • T1157 - Dylib Hijacking
  • T1562.001 - Disable or Modify Tools
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
Link to MITRE →

LazyScripter

Score: 10.61
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1218.012 - Verclsid
  • T1027.018 - Invisible Unicode
Link to MITRE →

FIN7

Score: 31.90
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1058 - Service Registry Permissions Weakness
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1009 - Binary Padding
  • T1055.013 - Process Doppelgänging
  • T1218.012 - Verclsid
  • T1584.005 - Botnet
  • T1157 - Dylib Hijacking
  • T1562.001 - Disable or Modify Tools
  • T1027 - Obfuscated Files or Information
  • T1027.018 - Invisible Unicode
Link to MITRE →

Cobalt Group

Score: 22.42
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1518.002 - Backup Software Discovery
  • T1598.004 - Spearphishing Voice
  • T1039 - Data from Network Shared Drive
  • T1027.014 - Polymorphic Code
  • T1128 - Netsh Helper DLL
  • T1070.009 - Clear Persistence
  • T1027.018 - Invisible Unicode
Link to MITRE →

Indrik Spider

Score: 18.82
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1606.002 - SAML Tokens
  • T1003.007 - Proc Filesystem
  • T1183 - Image File Execution Options Injection
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1546.016 - Installer Packages
  • T1134 - Access Token Manipulation
Link to MITRE →

Molerats

Score: 6.83
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1543.003 - Windows Service
  • T1562.012 - Disable or Modify Linux Audit System
  • T1027.018 - Invisible Unicode
Link to MITRE →

Leafminer

Score: 11.87
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1562.012 - Disable or Modify Linux Audit System
  • T1101 - Security Support Provider
  • T1059.012 - Hypervisor CLI
  • T1134 - Access Token Manipulation
Link to MITRE →

TA578

Score: 3.33
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1027.018 - Invisible Unicode
Link to MITRE →

Evilnum

Score: 12.12
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1109 - Component Firmware
  • T1543.003 - Windows Service
  • T1565.002 - Transmitted Data Manipulation
  • T1070.009 - Clear Persistence
  • T1027.018 - Invisible Unicode
Link to MITRE →

Star Blizzard

Score: 27.32
Matched TTPs:
  • T1546.013 - PowerShell Profile
  • T1109 - Component Firmware
  • T1566.002 - Spearphishing Link
  • T1024 - Custom Cryptographic Protocol
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1547.005 - Security Support Provider
  • T1183 - Image File Execution Options Injection
  • T1609 - Container Administration Command
  • T1657 - Financial Theft
  • T1157 - Dylib Hijacking
Link to MITRE →

LuminousMoth

Score: 16.79
Matched TTPs:
  • T1109 - Component Firmware
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1058 - Service Registry Permissions Weakness
  • T1091 - Replication Through Removable Media
  • T1584.005 - Botnet
  • T1027.018 - Invisible Unicode
Link to MITRE →

Sandworm Team

Score: 57.54
Matched TTPs:
  • T1109 - Component Firmware
  • T1606.002 - SAML Tokens
  • T1063 - Security Software Discovery
  • T1484.002 - Trust Modification
  • T1686.003 - Windows Host Firewall
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1016.002 - Wi-Fi Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1045 - Software Packing
  • T1055.004 - Asynchronous Procedure Call
  • T1157 - Dylib Hijacking
  • T1562.001 - Disable or Modify Tools
  • T1027 - Obfuscated Files or Information
  • T1070.009 - Clear Persistence
  • T1546.016 - Installer Packages
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
  • T1027.018 - Invisible Unicode
Link to MITRE →

Scattered Spider

Score: 70.54
Matched TTPs:
  • T1109 - Component Firmware
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1583.001 - Domains
  • T1547.005 - Security Support Provider
  • T1019 - System Firmware
  • T1144 - Gatekeeper Bypass
  • T1045 - Software Packing
  • T1609 - Container Administration Command
  • T1083 - File and Directory Discovery
  • T1556.008 - Network Provider DLL
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1027.005 - Indicator Removal from Tools
  • T1027 - Obfuscated Files or Information
  • T1197 - BITS Jobs
  • T1090.004 - Domain Fronting
  • T1565.002 - Transmitted Data Manipulation
  • T1134 - Access Token Manipulation
  • T1027.002 - Software Packing
  • T1548.006 - TCC Manipulation
Link to MITRE →

APT42

Score: 19.19
Matched TTPs:
  • T1109 - Component Firmware
  • T1543.003 - Windows Service
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1583.001 - Domains
  • T1562.012 - Disable or Modify Linux Audit System
  • T1183 - Image File Execution Options Injection
  • T1128 - Netsh Helper DLL
Link to MITRE →

Daggerfly

Score: 11.84
Matched TTPs:
  • T1584.008 - Network Devices
  • T1174 - Password Filter DLL
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1027.018 - Invisible Unicode
Link to MITRE →

Dragonfly

Score: 46.14
Matched TTPs:
  • T1584.008 - Network Devices
  • T1566.002 - Spearphishing Link
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.007 - Additional Local or Domain Groups
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1055.013 - Process Doppelgänging
  • T1657 - Financial Theft
  • T1654 - Log Enumeration
  • T1041 - Exfiltration Over C2 Channel
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1531 - Account Access Removal
  • T1027.004 - Compile After Delivery
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1546.016 - Installer Packages
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
Link to MITRE →

Ember Bear

Score: 23.04
Matched TTPs:
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1656 - Impersonation
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1003.003 - NTDS
Link to MITRE →

Axiom

Score: 16.33
Matched TTPs:
  • T1499.003 - Application Exhaustion Flood
  • T1140 - Deobfuscate/Decode Files or Information
  • T1177 - LSASS Driver
  • T1157 - Dylib Hijacking
  • T1059.012 - Hypervisor CLI
  • T1160 - Launch Daemon
Link to MITRE →

HEXANE

Score: 31.96
Matched TTPs:
  • T1499.003 - Application Exhaustion Flood
  • T1024 - Custom Cryptographic Protocol
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1547.005 - Security Support Provider
  • T1562.012 - Disable or Modify Linux Audit System
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1055.004 - Asynchronous Procedure Call
  • T1055.014 - VDSO Hijacking
  • T1097 - Pass the Ticket
  • T1134 - Access Token Manipulation
  • T1159 - Launch Agent
Link to MITRE →

Salt Typhoon

Score: 12.50
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1110.003 - Password Spraying
  • T1556 - Modify Authentication Process
Link to MITRE →

Aoqin Dragon

Score: 5.13
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1058 - Service Registry Permissions Weakness
Link to MITRE →

Storm-0501

Score: 24.12
Matched TTPs:
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1686.003 - Windows Host Firewall
  • T1140 - Deobfuscate/Decode Files or Information
  • T1097 - Pass the Ticket
  • T1027 - Obfuscated Files or Information
  • T1027.014 - Polymorphic Code
  • T1090.004 - Domain Fronting
  • T1565.002 - Transmitted Data Manipulation
Link to MITRE →

Gamaredon Group

Score: 45.03
Matched TTPs:
  • T1527 - Application Access Token
  • T1058 - Service Registry Permissions Weakness
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1045 - Software Packing
  • T1090 - Proxy
  • T1218.012 - Verclsid
  • T1608 - Stage Capabilities
  • T1554 - Compromise Host Software Binary
  • T1055.014 - VDSO Hijacking
  • T1597 - Search Closed Sources
  • T1061 - Graphical User Interface
  • T1562.001 - Disable or Modify Tools
  • T1059.013 - Container CLI/API
  • T1070.009 - Clear Persistence
  • T1027.018 - Invisible Unicode
Link to MITRE →

BlackTech

Score: 4.28
Matched TTPs:
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1027.018 - Invisible Unicode
Link to MITRE →

Confucius

Score: 5.15
Matched TTPs:
  • T1543.003 - Windows Service
  • T1218.012 - Verclsid
  • T1027.018 - Invisible Unicode
Link to MITRE →

Machete

Score: 6.91
Matched TTPs:
  • T1543.003 - Windows Service
  • T1027.004 - Compile After Delivery
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

Mustard Tempest

Score: 6.55
Matched TTPs:
  • T1543.003 - Windows Service
  • T1091 - Replication Through Removable Media
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

ZIRCONIUM

Score: 16.71
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1562.012 - Disable or Modify Linux Audit System
  • T1039 - Data from Network Shared Drive
  • T1027.004 - Compile After Delivery
  • T1197 - BITS Jobs
  • T1027.018 - Invisible Unicode
Link to MITRE →

EXOTIC LILY

Score: 17.47
Matched TTPs:
  • T1543.003 - Windows Service
  • T1091 - Replication Through Removable Media
  • T1098.007 - Additional Local or Domain Groups
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1690 - Prevent Command History Logging
  • T1027.018 - Invisible Unicode
  • T1547.008 - LSASS Driver
Link to MITRE →

Windshift

Score: 9.84
Matched TTPs:
  • T1543.003 - Windows Service
  • T1059.012 - Hypervisor CLI
  • T1159 - Launch Agent
  • T1027.018 - Invisible Unicode
  • T1547.008 - LSASS Driver
Link to MITRE →

FIN4

Score: 4.23
Matched TTPs:
  • T1543.003 - Windows Service
  • T1157 - Dylib Hijacking
  • T1027.018 - Invisible Unicode
Link to MITRE →

Patchwork

Score: 13.62
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1562.012 - Disable or Modify Linux Audit System
  • T1059.004 - Unix Shell
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

Silent Librarian

Score: 17.49
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1183 - Image File Execution Options Injection
  • T1134.002 - Create Process with Token
  • T1609 - Container Administration Command
  • T1584.005 - Botnet
  • T1157 - Dylib Hijacking
Link to MITRE →

CURIUM

Score: 15.94
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
  • T1547.008 - LSASS Driver
Link to MITRE →

APT38

Score: 40.51
Matched TTPs:
  • T1566.001 - Spearphishing Attachment
  • T1098.007 - Additional Local or Domain Groups
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1055.004 - Asynchronous Procedure Call
  • T1218.012 - Verclsid
  • T1590 - Gather Victim Network Information
  • T1048 - Exfiltration Over Alternative Protocol
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information
  • T1174 - Password Filter DLL
  • T1493 - Transmitted Data Manipulation
  • T1070.009 - Clear Persistence
  • T1059.012 - Hypervisor CLI
  • T1027.018 - Invisible Unicode
Link to MITRE →

Poseidon Group

Score: 4.26
Matched TTPs:
  • T1003.007 - Proc Filesystem
  • T1055.004 - Asynchronous Procedure Call
Link to MITRE →

admin@338

Score: 4.26
Matched TTPs:
  • T1003.007 - Proc Filesystem
  • T1055.004 - Asynchronous Procedure Call
Link to MITRE →

LAPSUS$

Score: 29.79
Matched TTPs:
  • T1024 - Custom Cryptographic Protocol
  • T1547.005 - Security Support Provider
  • T1562.012 - Disable or Modify Linux Audit System
  • T1134.002 - Create Process with Token
  • T1019 - System Firmware
  • T1045 - Software Packing
  • T1609 - Container Administration Command
  • T1556.008 - Network Provider DLL
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1548.006 - TCC Manipulation
Link to MITRE →

IndigoZebra

Score: 4.18
Matched TTPs:
  • T1024 - Custom Cryptographic Protocol
  • T1098.007 - Additional Local or Domain Groups
Link to MITRE →

SideCopy

Score: 14.81
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.012 - Verclsid
  • T1657 - Financial Theft
  • T1584.002 - DNS Server
  • T1159 - Launch Agent
Link to MITRE →

BlackByte

Score: 22.26
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1134.001 - Token Impersonation/Theft
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1039 - Data from Network Shared Drive
  • T1027 - Obfuscated Files or Information
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
Link to MITRE →

Rocke

Score: 16.89
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1059.013 - Container CLI/API
  • T1027.004 - Compile After Delivery
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
Link to MITRE →

BackdoorDiplomacy

Score: 4.97
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1055.004 - Asynchronous Procedure Call
Link to MITRE →

Medusa Group

Score: 25.97
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1183 - Image File Execution Options Injection
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1128 - Netsh Helper DLL
  • T1598 - Phishing for Information
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
  • T1548.006 - TCC Manipulation
Link to MITRE →

Cinnamon Tempest

Score: 7.58
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1045 - Software Packing
  • T1157 - Dylib Hijacking
  • T1027.004 - Compile After Delivery
Link to MITRE →

Volatile Cedar

Score: 7.37
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1002 - Data Compressed
Link to MITRE →

RedEcho

Score: 6.66
Matched TTPs:
  • T1098.007 - Additional Local or Domain Groups
  • T1562.001 - Disable or Modify Tools
  • T1128 - Netsh Helper DLL
Link to MITRE →

Carbanak

Score: 3.77
Matched TTPs:
  • T1009 - Binary Padding
  • T1157 - Dylib Hijacking
Link to MITRE →

Velvet Ant

Score: 11.02
Matched TTPs:
  • T1009 - Binary Padding
  • T1055.004 - Asynchronous Procedure Call
  • T1597 - Search Closed Sources
  • T1562.001 - Disable or Modify Tools
  • T1128 - Netsh Helper DLL
Link to MITRE →

SilverTerrier

Score: 6.91
Matched TTPs:
  • T1131 - Authentication Package
  • T1041 - Exfiltration Over C2 Channel
Link to MITRE →

Stealth Falcon

Score: 8.02
Matched TTPs:
  • T1562.012 - Disable or Modify Linux Audit System
  • T1055.013 - Process Doppelgänging
  • T1556.009 - Conditional Access Policies
Link to MITRE →

APT37

Score: 8.50
Matched TTPs:
  • T1562.012 - Disable or Modify Linux Audit System
  • T1055.013 - Process Doppelgänging
  • T1027.004 - Compile After Delivery
  • T1059.012 - Hypervisor CLI
Link to MITRE →

Ajax Security Team

Score: 4.58
Matched TTPs:
  • T1562.012 - Disable or Modify Linux Audit System
  • T1547.008 - LSASS Driver
Link to MITRE →

Deep Panda

Score: 12.49
Matched TTPs:
  • T1555.003 - Credentials from Web Browsers
  • T1177 - LSASS Driver
  • T1059.004 - Unix Shell
  • T1027.014 - Polymorphic Code
  • T1134 - Access Token Manipulation
Link to MITRE →

Tonto Team

Score: 8.95
Matched TTPs:
  • T1555.003 - Credentials from Web Browsers
  • T1547.011 - Plist Modification
  • T1039 - Data from Network Shared Drive
  • T1027.004 - Compile After Delivery
Link to MITRE →

FIN5

Score: 11.96
Matched TTPs:
  • T1547.011 - Plist Modification
  • T1055.013 - Process Doppelgänging
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1070.009 - Clear Persistence
  • T1134 - Access Token Manipulation
Link to MITRE →

TA551

Score: 7.61
Matched TTPs:
  • T1134.002 - Create Process with Token
  • T1218.012 - Verclsid
  • T1027.014 - Polymorphic Code
Link to MITRE →

Windigo

Score: 9.19
Matched TTPs:
  • T1045 - Software Packing
  • T1055.013 - Process Doppelgänging
  • T1059.012 - Hypervisor CLI
  • T1159 - Launch Agent
Link to MITRE →

POLONIUM

Score: 3.77
Matched TTPs:
  • T1045 - Software Packing
  • T1157 - Dylib Hijacking
Link to MITRE →

Andariel

Score: 3.50
Matched TTPs:
  • T1055.004 - Asynchronous Procedure Call
  • T1059.012 - Hypervisor CLI
Link to MITRE →

DarkVishnya

Score: 9.46
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1562.001 - Disable or Modify Tools
  • T1213.003 - Code Repositories
Link to MITRE →

WIRTE

Score: 5.14
Matched TTPs:
  • T1562.001 - Disable or Modify Tools
  • T1027.014 - Polymorphic Code
Link to MITRE →

PLATINUM

Score: 3.86
Matched TTPs:
  • T1039 - Data from Network Shared Drive
  • T1059.012 - Hypervisor CLI
Link to MITRE →

DarkHydrus

Score: 4.13
Matched TTPs:
  • T1531 - Account Access Removal
Link to MITRE →

APT17

Score: 3.44
Matched TTPs:
  • T1656 - Impersonation
Link to MITRE →

Thrip

Score: 5.67
Matched TTPs:
  • T1565.002 - Transmitted Data Manipulation
  • T1556 - Modify Authentication Process
Link to MITRE →

RTM

Score: 4.69
Matched TTPs:
  • T1565.002 - Transmitted Data Manipulation
  • T1059.012 - Hypervisor CLI
Link to MITRE →

Equation

Score: 8.26
Matched TTPs:
  • T1130 - Install Root Certificate
  • T1037.001 - Logon Script (Windows)
Link to MITRE →

Strider

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate
Link to MITRE →

Threat actors related to this Pulse (inference-based)

Kimsuky

Score: 0.70
Matched TTPs:
  • T1555.003 - Credentials from Web Browsers
  • T1070.009 - Clear Persistence
  • T1690 - Prevent Command History Logging
  • T1041 - Exfiltration Over C2 Channel
  • T1606.002 - SAML Tokens
  • T1609 - Container Administration Command
  • T1037 - Boot or Logon Initialization Scripts
  • T1140 - Deobfuscate/Decode Files or Information
  • T1565.002 - Transmitted Data Manipulation
  • T1027.018 - Invisible Unicode
  • T1027.004 - Compile After Delivery
  • T1654 - Log Enumeration
  • T1197 - BITS Jobs
  • T1656 - Impersonation
  • T1213.006 - Databases
  • T1183 - Image File Execution Options Injection
  • T1608 - Stage Capabilities
  • T1566.002 - Spearphishing Link
  • T1543.003 - Windows Service
  • T1134.002 - Create Process with Token
  • T1546.011 - Application Shimming
  • T1131 - Authentication Package
  • T1546.013 - PowerShell Profile
  • T1560.001 - Archive via Utility
  • T1055.014 - VDSO Hijacking
  • T1003.007 - Proc Filesystem
  • T1009 - Binary Padding
  • T1126 - Network Share Connection Removal
  • T1024 - Custom Cryptographic Protocol
  • T1003.003 - NTDS
  • T1109 - Component Firmware
  • T1218.012 - Verclsid
  • T1098.007 - Additional Local or Domain Groups
  • T1597 - Search Closed Sources
  • T1027.014 - Polymorphic Code
  • T1091 - Replication Through Removable Media
  • T1562.012 - Disable or Modify Linux Audit System
Link to MITRE →

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph (graph image not included in this text version)
