T1053.005 Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated at utility could also be abused by adversaries (ex: At), though at.exe can not access tasks created with schtasks or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.1
Item | Value |
---|---|
ID | T1053.005 |
Sub-techniques | T1053.002, T1053.003, T1053.004, T1053.005, T1053.006, T1053.007 |
Tactics | TA0002, TA0003, TA0004 |
Platforms | Windows |
Permissions required | Administrator |
Version | 1.1 |
Created | 27 November 2019 |
Last Modified | 14 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla | Agent Tesla has achieved persistence via scheduled tasks.103 |
S0504 | Anchor | Anchor can create a scheduled task for persistence.57 |
S0584 | AppleJeus | AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.27 |
G0099 | APT-C-36 | APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.124 |
G0016 | APT29 | APT29 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement.150 They have manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.151 APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted during the 2020 SolarWinds intrusion.152 They previously used named and hijacked scheduled tasks to also establish persistence.153 |
G0022 | APT3 | An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".110 |
G0050 | APT32 | APT32 has used scheduled tasks to persist on victim systems.130131105132 |
G0064 | APT33 | APT33 has created a scheduled task to execute a .vbe file multiple times a day.145 |
G0067 | APT37 | APT37 has created scheduled tasks to run malicious scripts on a compromised host.157 |
G0082 | APT38 | APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.143 |
G0087 | APT39 | APT39 has created scheduled tasks for persistence.120121122 |
G0096 | APT41 | APT41 used a compromised account to create a scheduled task on a system.13587 |
S0438 | Attor | Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon.97 |
S0414 | BabyShark | BabyShark has used scheduled tasks to maintain persistence.87 |
S0475 | BackConfig | BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.76 |
S0606 | Bad Rabbit | Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable.107 |
S0128 | BADNEWS | BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.22 |
S0534 | Bazar | Bazar can create a scheduled task for persistence.7172 |
G0108 | Blue Mockingbird | Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.136 |
S0360 | BONDUPDATER | BONDUPDATER persists using a scheduled task that executes every minute.92 |
G0060 | BRONZE BUTLER | BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.134 |
S0335 | Carbon | Carbon creates several tasks for later execution to continue persistence on the victim’s machine.23 |
G0114 | Chimera | Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st and to maintain persistence.146147 |
G0080 | Cobalt Group | Cobalt Group has created Windows tasks to establish persistence.154 |
S0126 | ComRAT | ComRAT has used a scheduled task to launch its PowerShell loader.5253 |
G0142 | Confucius | Confucius has created scheduled tasks to maintain persistence on a compromised host.119 |
S0050 | CosmicDuke | CosmicDuke uses scheduled tasks typically named “Watchmon Service” for persistence.67 |
G0132 | CostaRicto | CostaRicto has used scheduled tasks to download backdoor tools.149 |
S0046 | CozyCar | One persistence mechanism used by CozyCar is to register itself as a scheduled task.81 |
S0538 | Crutch | Crutch has the ability to persist using scheduled tasks.94 |
S0527 | CSPY Downloader | CSPY Downloader can use the schtasks utility to bypass UAC.16 |
S0673 | DarkWatchman | DarkWatchman has created a scheduled task for persistence.70 |
G0035 | Dragonfly | Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.118 |
S0038 | Duqu | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.26 |
S0024 | Dyre | Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.80 |
S0367 | Emotet | Emotet has maintained persistence through a scheduled task.58 |
S0363 | Empire | Empire has modules to interact with the Windows task scheduler.12 |
S0396 | EvilBunny | EvilBunny has executed commands via scheduled tasks.91 |
G0051 | FIN10 | FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.12312 |
G0037 | FIN6 | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.160 |
G0046 | FIN7 | FIN7 malware has created scheduled tasks to establish persistence.11111211364 |
G0061 | FIN8 | FIN8 has used scheduled tasks to maintain RDP backdoors.148 |
G0117 | Fox Kitten | Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.155156 |
G0101 | Frankenstein | Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named “WinUpdate”.158 |
G0093 | GALLIUM | GALLIUM established persistence for PoisonIvy by creating a scheduled task.167 |
G0047 | Gamaredon Group | Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.115116117 |
S0168 | Gazer | Gazer can establish persistence by creating a scheduled task.7374 |
S0588 | GoldMax | GoldMax has used scheduled tasks to maintain persistence.54 |
S0477 | Goopy | Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.105 |
S0237 | GravityRAT | GravityRAT creates a scheduled task to ensure it is re-executed everyday.84 |
S0417 | GRIFFON | GRIFFON has used schtasks for persistence.63 |
S0632 | GrimAgent | GrimAgent has the ability to set persistence using the Task Scheduler.104 |
S0170 | Helminth | Helminth has used a scheduled task for persistence.69 |
S0697 | HermeticWiper | HermeticWiper has the ability to use scheduled tasks for execution.75 |
G0126 | Higaisa | Higaisa dropped and added officeupdate.exe to scheduled tasks.161162 |
S0431 | HotCroissant | HotCroissant has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence.56 |
S0483 | IcedID | IcedID has created a scheduled task that executes every hour to establish persistence.89 |
S0260 | InvisiMole | InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.28 |
S0581 | IronNetInjector | IronNetInjector has used a task XML file named mssch.xml to run an IronPython script when a user logs in or when specific system events are created.11 |
S0189 | ISMInjector | ISMInjector creates scheduled tasks to establish persistence.42 |
S0044 | JHUHUGIT | JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.2425 |
S0648 | JSS Loader | JSS Loader has the ability to launch scheduled tasks to establish persistence.79 |
G0094 | Kimsuky | Kimsuky has downloaded additional malware with scheduled tasks.139 |
S0250 | Koadic | Koadic has used scheduled tasks to add persistence.14 |
G0032 | Lazarus Group | Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.125127126 |
S0680 | LitePower | LitePower can create a scheduled task to enable persistence mechanisms.88 |
S0447 | Lokibot | Lokibot embedded the commands schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.33 |
S0532 | Lucifer | Lucifer has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F .83 |
S0409 | Machete | The different components of Machete are executed by Windows Task Scheduler.4344 |
G0095 | Machete | Machete has created scheduled tasks to maintain Machete's persistence.142 |
S0167 | Matryoshka | Matryoshka can establish persistence by adding a Scheduled Task named “Microsoft Boost Kernel Optimization”.4647 |
S0449 | Maze | Maze has created scheduled tasks using name variants such as “Windows Update Security”, “Windows Update Security Patches”, and “Google Chrome Security Update”, to launch Maze at a specific time.77 |
S0500 | MCMD | MCMD can use scheduled tasks for persistence.13 |
G0045 | menuPass | menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.114 |
S0688 | Meteor | Meteor execution begins from a scheduled task named Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll and it creates a separate scheduled task called mstask to run the wiper only once at 23:55:00.98 |
G0021 | Molerats | Molerats has created scheduled tasks to persistently run VBScripts.159 |
G0069 | MuddyWater | MuddyWater has used scheduled tasks to establish persistence.140 |
G0129 | Mustang Panda | Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.169170171 |
G0019 | Naikon | Naikon has used schtasks.exe for lateral movement in compromised networks.82 |
S0198 | NETWIRE | NETWIRE can create a scheduled task to establish persistence.85 |
S0368 | NotPetya | NotPetya creates a task to reboot the system one hour after infection.55 |
G0049 | OilRig | OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.60106128129 |
S0439 | Okrum | Okrum's installer can attempt to achieve persistence by creating a scheduled task.66 |
S0264 | OopsIE | OopsIE creates a scheduled task to run itself every three minutes.6061 |
G0116 | Operation Wocao | Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.133 |
G0040 | Patchwork | A Patchwork file stealer can run a TaskScheduler DLL to add persistence.141 |
S0194 | PowerSploit | PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task/Job.1718 |
S0223 | POWERSTATS | POWERSTATS has established persistence through a scheduled task using the command "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe".65 |
S0184 | POWRUNER | POWRUNER persists through a scheduled task that executes it every minute.108 |
S0147 | Pteranodon | Pteranodon schedules tasks to invoke its components in order to establish persistence.4950 |
S0650 | QakBot | QakBot has the ability to create scheduled tasks for persistence.3435363738394041 |
S0269 | QUADAGENT | QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.106 |
S0262 | QuasarRAT | QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.10 |
S0629 | RainyDay | RainyDay can use scheduled tasks to achieve persistence.82 |
S0458 | Ramsay | Ramsay can schedule tasks via the Windows COM API to maintain persistence.109 |
G0075 | Rancor | Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.137 |
S0375 | Remexi | Remexi utilizes scheduled tasks as a persistence mechanism.78 |
S0166 | RemoteCMD | RemoteCMD can execute commands remotely by creating a new schedule task on the remote system.48 |
S0379 | Revenge RAT | Revenge RAT schedules tasks to run malicious scripts at different intervals.102 |
S0148 | RTM | RTM tries to add a scheduled task to establish persistence.99100 |
S0446 | Ryuk | Ryuk can remotely create a scheduled task to execute itself on a system.86 |
S0111 | schtasks | schtasks is used to schedule tasks on a Windows system to run at a specific date and time.15 |
S0382 | ServHelper | ServHelper contains modules that will use schtasks to carry out malicious operations.90 |
S0140 | Shamoon | Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.9596 |
S0546 | SharpStage | SharpStage has a persistence component to write a scheduled task for the payload.32 |
S0589 | Sibot | Sibot has been executed via a scheduled task.54 |
G0091 | Silence | Silence has used scheduled tasks to stage its operation.144 |
S0226 | Smoke Loader | Smoke Loader launches a scheduled task.101 |
S0516 | SoreFang | SoreFang can gain persistence through use of scheduled tasks.68 |
S0390 | SQLRat | SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.64 |
G0038 | Stealth Falcon | Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly.168 |
S0603 | Stuxnet | Stuxnet schedules a network job to execute two minutes after host infection.51 |
G0088 | TEMP.Veles | TEMP.Veles has used scheduled task XML triggers.138 |
S0671 | Tomiris | Tomiris has used SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00 to establish persistence.45 |
S0266 | TrickBot | TrickBot creates a scheduled task on the system that provides persistence.293031 |
S0476 | Valak | Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.192021 |
G0102 | Wizard Spider | Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.163164165166 |
S0248 | yty | yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR " + path_file + "/ST 09:30".59 |
S0251 | Zebrocy | Zebrocy has a command to create a scheduled task for persistence.93 |
S0350 | zwShell | zwShell has used SchTasks for execution.62 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.8 |
M1028 | Operating System Configuration | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.9 |
M1026 | Privileged Account Management | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.7 |
M1018 | User Account Management | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Modification |
DS0009 | Process | Process Creation |
DS0003 | Scheduled Job | Scheduled Job Creation |
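The data sources above are what a defender actually receives: a process-creation record carrying a schtasks.exe command line (DS0017/DS0009) or a Security event 4698 whose TaskContent field is the registered task XML (DS0003). The following is an added example, not MITRE's code or tooling, that normalises both into one record and scores them with heuristics drawn from the procedure examples on this page (tasks that run as SYSTEM, actions under user-writable paths, minute-level repetition, script-host actions, vendor-sounding names pointing outside Windows or Program Files). The TaskRecord type, the scoring thresholds and all sample command lines and the sample 4698 event are constructed for this example; the paths in them are placeholders modelled on the APT3, POWERSTATS and Lucifer entries.

```python
"""Triage of scheduled-task creation telemetry for T1053.005 (added example, not MITRE's code).

Normalises two detection sources into one record and scores both with the same heuristics:
  * DS0017/DS0009: a process-creation record whose command line is schtasks ... /create
  * DS0003: Security event 4698, whose TaskContent field carries the registered task XML
All sample records at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape


@dataclass
class TaskRecord:
    source: str     # "cmdline" or "event4698"
    name: str       # task name (/tn or the TaskName field)
    command: str    # what the task runs (/tr, or Exec/Command plus Arguments)
    run_as: str     # /ru or Principal/UserId; "" when not specified
    schedule: str   # lower-cased summary of /sc,/mo,/st or of the XML triggers


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted token (quotes dropped) or bare token
_VALUE_OPTS = {"tn", "tr", "sc", "ru", "rp", "mo", "st", "sd", "rl", "s", "u", "p", "xml"}


def parse_schtasks_cmdline(cmdline):
    """Return a TaskRecord for a 'schtasks ... /create' command line, else None."""
    toks = [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(cmdline)]
    if not toks or toks[0].replace("\\", "/").rsplit("/", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i][1:].lower() if toks[i].startswith("/") else None   # switches are case-insensitive
        if key in _VALUE_OPTS and i + 1 < len(toks):                     # option that takes a value
            opts[key], i = toks[i + 1], i + 2
            continue
        if key is not None:                                              # bare switch such as /create or /f
            opts[key] = ""
        i += 1
    if "create" not in opts:
        return None
    schedule = " ".join(f"{k}={opts[k]}" for k in ("sc", "mo", "st") if k in opts)
    return TaskRecord("cmdline", opts.get("tn", ""), opts.get("tr", ""), opts.get("ru", ""), schedule.lower())


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace from a tag


def _first(el, name):
    return next((c for c in el.iter() if _local(c.tag) == name), None) if el is not None else None


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def parse_event_4698(event_xml):
    """Return a TaskRecord from a Security 4698 event rendered as XML."""
    ev = ET.fromstring(event_xml)
    data = {d.get("Name"): _text(d) for d in ev.iter() if _local(d.tag) == "Data"}
    # Real events declare the embedded task XML as UTF-16; expat will not accept that
    # declaration on an already-decoded str, so drop it before parsing the task body.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", "")))
    exec_ = _first(task, "Exec")
    command = (_text(_first(exec_, "Command")) + " " + _text(_first(exec_, "Arguments"))).strip()
    triggers = [_local(c.tag) for c in task.iter() if _local(c.tag).endswith("Trigger")]
    schedule = ",".join(triggers)
    if _first(task, "Interval") is not None:              # Repetition/Interval, e.g. PT1M
        schedule += " repeat " + _text(_first(task, "Interval"))
    return TaskRecord("event4698", data.get("TaskName", ""), command,
                      _text(_first(_first(task, "Principal"), "UserId")), schedule.lower())


_SYSTEM = {"system", "nt authority\\system", "s-1-5-18"}
_WRITABLE = re.compile(r"\\users\\public\\|\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|%temp%|%appdata%", re.I)
_SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|regsvr32|rundll32|cmd)(\.exe)?\b", re.I)
_VENDOR_NAME = re.compile(r"microsoft|windows|google|java|update", re.I)
_VENDOR_PATH = re.compile(r"\\(windows|program files( \(x86\))?)\\", re.I)


def score(rec):
    """Return the heuristics a record trips; two or more merits analyst review."""
    reasons = []
    if rec.run_as.lower() in _SYSTEM:
        reasons.append("runs as SYSTEM")
    if _WRITABLE.search(rec.command):
        reasons.append("action under a user-writable path")
    if _SCRIPT_HOST.search(rec.command):
        reasons.append("action is a script host or LOLBin")
    m = re.search(r"\bminute\b|pt(\d+)m\b", rec.schedule)   # /sc minute, or an ISO-8601 PTnM interval
    if m and (m.group(1) is None or int(m.group(1)) <= 5):
        reasons.append("repeats at minute granularity")
    if _VENDOR_NAME.search(rec.name) and not _VENDOR_PATH.search(rec.command):
        reasons.append("vendor-like task name but action outside Windows/Program Files")
    return reasons


def triage(cmdlines, events):
    """Normalise both sources; return (source, name, reasons) for records tripping >= 2 heuristics."""
    recs = [r for r in map(parse_schtasks_cmdline, cmdlines) if r] + [parse_event_4698(e) for e in events]
    return [(r.source, r.name, score(r)) for r in recs if len(score(r)) >= 2]


# Constructed samples (placeholder paths modelled on the procedure examples above).
SAMPLE_CMDLINES = [
    r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"',
    r'"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge '
    r'/TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"',
    r'schtasks /create /tn "AcmeBackup" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00',
]
_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2022-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\spread.exe</Command></Exec></Actions>
</Task>"""
SAMPLE_4698 = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
               '<System><EventID>4698</EventID></System><EventData>'
               '<Data Name="SubjectUserName">alice</Data>'
               r'<Data Name="TaskName">\Microsoft\Windows\UpdateCheck</Data>'
               '<Data Name="TaskContent">' + escape(_TASK_XML) + '</Data></EventData></Event>')

if __name__ == "__main__":
    for source, name, reasons in triage(SAMPLE_CMDLINES, [SAMPLE_4698]):
        print(f"[{source}] {name}: {'; '.join(reasons)}")
```

Run as-is it reports the SYSTEM/user-writable task, the wscript-from-temp task and the every-minute 4698 task, and stays quiet on the Program Files backup job; in practice the same two parsers feed a SIEM rule, and the threshold of two heuristics is the knob to tune against an environment's own baseline of legitimate tasks.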
References
- Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022.
- Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.
- Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.
- Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
- Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.
- Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.
- Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Reichel, D. (2021, February 19). IronNetInjector: Turla's New Malware Loading Tool. Retrieved February 24, 2021.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla's second stage backdoor. Retrieved November 7, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea's Cryptocurrency Malware. Retrieved March 1, 2021.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
- CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
- Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- Kwiatkoswki, I and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig "FIN7" continues its activities. Retrieved October 11, 2019.
- Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9'S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- ESET. (2017, August). Gazing at Gazer: Turla's new second stage backdoor. Retrieved September 14, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
- ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Yamout, M. (2021, November 29). WIRTE's campaign in the Middle East 'living off the land' since at least 2019. Retrieved February 1, 2022.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
- FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
- Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
- Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Mamedov, O., Sinitsyn, F., Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.
- Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
- Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34's Invite to Join Their Professional Network. Retrieved August 26, 2019.
- Check Point. (2021, April 8). Iran's APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
-
KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. ↩
-
Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. ↩
-
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. ↩
-
kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. ↩
-
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. ↩
-
Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. ↩
-
Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. ↩
-
Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. ↩
-
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. ↩
-
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. ↩
-
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. ↩
-
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. ↩
-
FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. ↩
-
CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. ↩
-
Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. ↩
-
Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. ↩
-
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. ↩
-
ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. ↩
-
Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. ↩
-
Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. ↩
-
Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. ↩
-
FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. ↩
-
Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. ↩
-
Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. ↩
-
John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. ↩
-
DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. ↩
-
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. ↩
-
The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. ↩
-
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. ↩
-
Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. ↩
-
Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. ↩
-
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. ↩
-
Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. ↩