Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TECHNIQUES
PRE-ATT&CK
Priority Definition Planning
Priority Definition Direction
Target Selection
Technical Information Gathering
People Information Gathering
Organizational Information Gathering
Technical Weakness Identification
People Weakness Identification
Organizational Weakness Identification
Adversary OPSEC
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Credential Access
Brute Force
Credentials from Password Stores
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. System Information Discovery

System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[1][2][3]

ID: T1082
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: AWS, Azure, GCP, Linux, Windows, macOS
Permissions Required: User
Data Sources: AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
CAPEC ID: CAPEC-312
Contributors: Praetorian
Version: 2.1
Created: 31 May 2017
Last Modified: 26 March 2020

Procedure Examples

Name Description
4H RAT

4H RAT sends an OS version identifier in its beacons.[17]
admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download[106]
ADVSTORESHELL

ADVSTORESHELL can run Systeminfo to gather information about the victim.[52][53]
Agent Tesla

Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[139][140][141]
APT18

APT18 can collect system information from the victim’s machine.[221]
APT19

APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.[199][200]
APT3

APT3 has a tool that can obtain information about the local system.[127][211]
APT32

APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[207][208][209][210]
APT37

APT37 collects the computer name, the BIOS model, and execution path.[194]
Aria-body

Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.[179]
Astaroth

Astaroth collects the machine name and keyboard language from the system. [142][143]
Attor

Attor monitors the free disk space on the system.[169]
Avenger

Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.[186]
Azorult

Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.[97][98]
BabyShark

BabyShark has executed the ver command.[164]

BackConfig

BackConfig has the ability to gather the victim's computer name.[189]
Backdoor.Oldrea

Backdoor.Oldrea collects information about the OS and computer name.[131]
BACKSPACE

During its initial execution, BACKSPACE extracts operating system information from the infected host.[65]
BADCALL

BADCALL collects the computer name and host name on the compromised system.[128]
BadPatch

BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.[125]
Bankshot

Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.[118][119]
BISCUIT

BISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC.[96]
Bisonal

Bisonal has a command to gather system information from the victim’s machine.[87]
BlackEnergy

BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.[38][39]
Blue Mockingbird

Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.[226]
Brave Prince

Brave Prince collects hard drive content and system configuration information.[78]
BUBBLEWRAP

BUBBLEWRAP collects system information, including the operating system version and hostname.[106]
build_downer

build_downer has the ability to send system volume information to C2.[186]
Bundlore

Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute.[190]
Cadelspy

Cadelspy has the ability to discover information about the compromised host.[177]
Cannon

Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[42][44]
Cardinal RAT

Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[37]
CARROTBAT

CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[182][183]
ChChes

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[54][55]
cmd

cmd can be used to find information about the operating system.[7]
Comnie

Comnie collects the hostname of the victim machine.[105]
CORESHELL

CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[57]
CozyCar

A system info module in CozyCar gathers information on the victim host’s configuration.[122]
Crimson

Crimson contains a command to collect the victim PC name and operating system.[13]
DarkComet

DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.[35][36]
Darkhotel

Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.[213]
Denis

Denis collects OS information and the computer name from the victim’s machine.[108][109]
Derusbi

Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.[129]
down_new

down_new has the ability to identify the system volume information of a compromised host.[186]
DownPaper

DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[137]
DustySky

DustySky extracts basic information about the operating system.[81]
Dyre

Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.[187]
Elise

Elise executes systeminfo after initial communication is made to the remote server.[62]
Emissary

Emissary has the capability to execute ver, systeminfo, and gpresult commands.[67]
Empire

Empire can enumerate host system information like OS, architecture, applied patches, and more.[8]
Epic

Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.[132]
FALLCHILL

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[40]
Felismus

Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.[107]
FELIXROOT

FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.[85][86]
Final1stspy

Final1stspy obtains victim Microsoft Windows version information and CPU architecture.[23]
FinFisher

FinFisher checks if the victim OS is 32 or 64-bit.[90][91]
FlawedAmmyy

FlawedAmmyy beacons out the victim operating system and computer name during the initial infection.[149]
Frankenstein

Frankenstein has enumerated hosts, looking for the system's machine name.[224]
Fysbis

Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.[162]
Gamaredon Group

A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[195][196]
Get2

Get2 has the ability to identify the computer name and Windows version of an infected host.[181]
Gold Dragon

Gold Dragon collects endpoint information using the systeminfo command.[78]
GravityRAT

GravityRAT collects the MAC address, computer name, and CPU information.[124]
GRIFFON

GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .[165]
HALFBAKED

HALFBAKED can obtain information about the OS, processor, and BIOS.[63]
HAPPYWORK

can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.[47]
HAWKBALL

HAWKBALL can collect the OS version, architecture information, and computer name.[158]
Honeybee

Honeybee gathers computer name and information using the systeminfo command.[197]
HOPLIGHT

HOPLIGHT has been observed collecting victim machine information like OS version, drivers, volume information and more.[145]
HotCroissant

HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.[167]
Hydraq

Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.[89]
Inception

Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.[223]
InnaputRAT

InnaputRAT gathers volume drive information and system information.[24]
InvisiMole

InvisiMole can gather information on the mapped drives, OS version, computer name, and memory size.[71]
Ixeshe

Ixeshe collects the computer name of the victim's system during the initial infection.[153]
JHUHUGIT

JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[29][30]
JPIN

JPIN can obtain system information such as OS version and disk space.[11]
jRAT

jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[146]
KARAE

KARAE can collect system information.[47]
Kasidet

Kasidet has the ability to obtain a victim's system name and operating system version.[115]
Kazuar

Kazuar gathers information on the system and local drives.[64]
Ke3chang

Ke3chang performs operating system information discovery using systeminfo.[192][193]
KeyBoy

KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.[155][156]
KEYMARBLE

KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.[113]
Kimsuky

Kimsuky has gathered information about the infected computer.[222]
KOMPROGO

KOMPROGO is capable of retrieving information about the infected system.[58]
KONNI

KONNI can gather the OS version, architecture information, connected drives, hostname, and computer name from the victim’s machine and has used systeminfo.exe to get a snapshot of the current system state of the target machine.[135][136]
Kwampirs

Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.[60]
Lazarus Group

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[217][218][219][220][74]
LightNeuron

LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.[159]
Linfo

Linfo creates a backdoor through which remote attackers can retrieve system information.[31]
Lokibot

Lokibot has the ability to discover the computer name and Windows product name/version.[173]
LoudMiner

LoudMiner has monitored CPU usage.[175]

Machete

Machete collects the hostname of the target computer.[161]

Magic Hound

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[204]
MAZE

MAZE has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.[174]
Micropsia

Micropsia gathers the hostname and OS version from the victim’s machine.[94][95]
MirageFox

MirageFox can collect CPU and architecture information from the victim’s machine.[16]
Mis-Type

The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[21]
Misdat

The initial beacon packet for Misdat contains the operating system version of the victim.[21]
MobileOrder

MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.[15]
MoonWind

MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.[114]
More_eggs

More_eggs has the capability to gather the OS version and computer name.[103][104]
MuddyWater

MuddyWater has used malware that can collect the victim’s OS version and machine name.[214][215][216]
MURKYTOP

MURKYTOP has the capability to retrieve information about the OS.[59]
Naid

Naid collects a unique identifier (UID) from a compromised host.[12]
NanHaiShu

NanHaiShu can gather the victim computer name and serial number.[26]
NavRAT

NavRAT uses systeminfo on a victim’s machine.[120]
NDiskMonitor

NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.[123]
Netwalker

Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.[178]
NETWIRE

NETWIRE can discover and collect victim system information.[100]
njRAT

njRAT enumerates the victim operating system and computer name during the initial infection.[151]
NOKKI

NOKKI can gather information on drives and the operating system on the victim’s machine.[93]
OceanSalt

OceanSalt can collect the computer name from the system.[111]
Octopus

Octopus collects system drive information, the computer name, and the size of the disk.[88]
OilRig

OilRig has run hostname and systeminfo on a victim.[201][202][203]

Okrum

Okrum can collect computer name, locale information, and information about the OS and architecture.[170]
OopsIE

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[22]
Orz

Orz can gather the victim OS version and whether it is 64 or 32 bit.[26]
OSInfo

OSInfo discovers information about the infected machine.[127]
OSX/Shlayer

OSX/Shlayer can collect the macOS version and IOPlatformUUID.[160]
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D collects the MAC address, computer name, hardware UUID, serial number, and operating system version.[134]
Pasam

Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.[126]
Patchwork

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.[191][123]
PinchDuke

PinchDuke gathers system configuration information.[61]
Pisloader

Pisloader has a command to collect victim system information, including the system name and OS version.[102]
PLAINTEE

PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.[112]
PoetRAT

PoetRAT has the ability to gather information about the compromised host.[166]
Pony

Pony has collected the Service Pack, language, and region information to send to the C2.[176]

POORAIM

POORAIM can identify system information, including battery status.[47]
PoshC2

PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[9]
PowerDuke

PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[14]
PowerShower

PowerShower has collected system information on the infected host.[171]
POWERSTATS

POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.[69][70]
POWRUNER

POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[130]
Prikormka

A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[117]
Proxysvc

Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.[74]
PUNCHBUGGY

PUNCHBUGGY can gather system information such as computer names.[154]

Pupy

Pupy can grab a system’s information including the OS version, architecture, etc.[5]
QuasarRAT

QuasarRAT has a command to gather system information from the victim’s machine.[4]
Ramsay

Ramsay can detect system information to create a hardware profile GUID which acts as a system identifier for operators.[180]

RATANKBA

RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[79][80]
Reaver

Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[116]
RedLeaves

RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[55][56]
Remsec

Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[18]
Revenge RAT

Revenge RAT collects the CPU information, OS information, and system language.[147]
Rifdoor

Rifdoor has the ability to identify the Windows version on the compromised host.[168]
Rising Sun

Rising Sun can detect the computer name, operating system, and other native system information.[172]

Rocke

Rocke has used uname -m to collect the name and information about the infected system's kernel.[228]
RogueRobin

RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[83]
ROKRAT

ROKRAT gathers the computer name and checks the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.[48][49][50][51]
RTM

RTM can obtain the computer name, OS version, and default language identifier.[66]
RunningRAT

RunningRAT gathers the OS version, logical drives information, processor information, and volume information.[78]
S-Type

The initial beacon packet for S-Type contains the operating system version and file system of the victim.[21]
Sandworm Team

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[227]

SDBot

SDBot has the ability to identify the OS version, country code, and computer name.[181]
ServHelper

ServHelper will attempt to enumerate Windows version and system architecture.[150]
Shamoon

Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[27][28]
SHARPSTATS

SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.[70]
ShimRatReporter

ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.[10]
SHUTTERSPEED

SHUTTERSPEED can collect system information.[47]
Skidmap

Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.[185]
SLOWDRIFT

SLOWDRIFT collects and sends system information to its C2.[47]
SOUNDBITE

SOUNDBITE is capable of gathering system information.[58]
Sowbug

Sowbug obtained OS version and hardware configuration from a victim.[212]
SpeakUp

SpeakUp uses the cat /proc/cpuinfo | grep -c "cpu family" 2>&1 command to gather system information. [144]
SslMM

SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.[20]
Stealth Falcon

Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[198]
StoneDrill

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[148]

StreamEx

StreamEx has the ability to enumerate system information.[84]
SynAck

SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.[92]
Sys10

Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.[20]
SYSCON

SYSCON has the ability to use Systeminfo to identify system information.[183]
Systeminfo

Systeminfo can be used to gather information about the operating system.[6]
T9000

T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.[138]
TajMahal

TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.[184]
TrickBot

TrickBot gathers the OS version, CPU type, amount of RAM available from the victim’s machine.[72][73]
Tropic Trooper

Tropic Trooper has detected a target system’s OS version and system volume information.[157][225]
Turla

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo, gpresult, and set commands.[205][206]
TURNEDUP

TURNEDUP is capable of gathering system information.[121]
TYPEFRAME

TYPEFRAME can gather the disk volume information.[25]
Unknown Logger

Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.[110]
UPPERCUT

UPPERCUT has the capability to gather the system’s hostname and OS version.[101]
Ursnif

Ursnif has used Systeminfo to gather system information.[152]
Valak

Valak can determine the Windows version on a compromised host.[188]
VERMIN

VERMIN collects the OS name, machine name, and architecture information.[82]
Volgmer

Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.[75][76][77]
WINDSHIELD

WINDSHIELD can gather the victim computer name.[58]
WINERACK

WINERACK can gather information about the host.[47]
Wingbird

Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[133]
WinMM

WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.[20]
XAgentOSX

XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.[68]
YAHOYAH

YAHOYAH checks for the system’s Windows OS version and hostname.[157]
yty

yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.[32]
Zebrocy

Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. [41][42][43][44][45][46]
ZeroT

ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.[19]
Zeus Panda

Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.[33][34]
ZLib

ZLib has the ability to enumerate system information.[21]
zwShell

zwShell can obtain the victim PC name and OS version.[99]
ZxShell

ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[163]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

References

  1. Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.
  2. Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.
  3. Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.
  4. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  5. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  6. Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
  7. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  9. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  10. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  11. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  12. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  13. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  14. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  15. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  16. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  17. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  18. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  19. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  20. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  21. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  22. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  23. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  24. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  25. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  26. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  27. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  28. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  29. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  30. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  31. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  32. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  33. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  34. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  35. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  36. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  37. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  38. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  39. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  40. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  41. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  42. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  43. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  44. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  45. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  46. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  47. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  48. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  49. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
  50. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  51. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  52. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  53. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  54. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  55. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  56. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  57. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  58. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  59. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  60. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  61. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  62. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  63. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  64. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  65. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  66. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  67. Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  68. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  69. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  70. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  71. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  72. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  73. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  74. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  75. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  76. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  77. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  78. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  79. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  80. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  81. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  82. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  83. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  84. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  85. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  86. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  87. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  88. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  89. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  90. FinFisher. (n.d.). Retrieved December 20, 2017.
  91. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  92. Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  93. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  94. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  95. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  96. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  97. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  98. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  99. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  100. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  101. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  102. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  103. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  104. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  105. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  106. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  107. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  108. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  109. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  110. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  111. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  112. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  113. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  114. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  1. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  2. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  3. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  4. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  5. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  6. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  7. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  8. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  9. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  10. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  11. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  12. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  13. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  14. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  15. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  16. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  17. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  18. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  19. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  20. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  21. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  22. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  23. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  24. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  25. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  26. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  27. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  28. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  29. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  30. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  31. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  32. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  33. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  34. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  35. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  36. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  37. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  38. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  39. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  40. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  41. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  42. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  43. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  44. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  45. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  46. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  47. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  48. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  49. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  50. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  51. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  52. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  53. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  54. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  55. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  56. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  57. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  58. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  59. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
  60. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  61. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  62. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  63. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  64. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  65. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  66. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  67. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  68. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  69. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  70. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  71. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  72. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  73. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  74. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  75. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  76. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  77. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  78. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  79. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  80. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  81. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  82. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  83. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  84. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  85. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  86. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  87. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  88. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  89. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  90. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  91. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  92. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  93. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  94. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  95. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  96. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
  97. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  98. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  99. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  100. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  101. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  102. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  103. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  104. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  105. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  106. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  107. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  108. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  109. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  110. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  111. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  112. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  113. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  114. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.