T1588.002 Tool
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.[1]
Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
Item | Value |
---|---|
ID | T1588.002 |
Sub-techniques | T1588.001, T1588.002, T1588.003, T1588.004, T1588.005, T1588.006 |
Tactics | TA0042 |
Platforms | PRE |
Version | 1.1 |
Created | 01 October 2020 |
Last Modified | 17 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0099 | APT-C-36 | APT-C-36 obtained and used a modified variant of Imminent Monitor.[60] |
G0006 | APT1 | APT1 has used various open-source tools for privilege escalation purposes.[73] |
G0073 | APT19 | APT19 has obtained and used publicly-available tools like Empire.[68][69] |
G0007 | APT28 | APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.[64][65][66] |
G0016 | APT29 | APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.[17][18][19] |
G0050 | APT32 | APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.[37][38] |
G0064 | APT33 | APT33 has obtained and leveraged publicly-available tools for early intrusion activities.[34][35] |
G0082 | APT38 | APT38 has obtained and used open-source tools such as Mimikatz.[39] |
G0087 | APT39 | APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.[6][7] |
G0096 | APT41 | APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[72] |
G0143 | Aquatic Panda | Aquatic Panda has acquired and used Cobalt Strike in its operations.[43] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.[31] |
G0098 | BlackTech | BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.[10] |
G0108 | Blue Mockingbird | Blue Mockingbird has obtained and used tools such as Mimikatz.[67] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.[61] |
G0008 | Carbanak | Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.[21] |
G0114 | Chimera | Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.[56][57] |
G0003 | Cleaver | Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.[71] |
G0080 | Cobalt Group | Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.[4] |
G0052 | CopyKittens | CopyKittens has used Metasploit and Empire for post-exploitation activities.[13] |
G0132 | CostaRicto | CostaRicto has obtained open-source tools to use in their operations.[70] |
G0079 | DarkHydrus | DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.[25] |
G0105 | DarkVishnya | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[36] |
G0035 | Dragonfly | Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.[22] |
G0137 | Ferocious Kitten | Ferocious Kitten has obtained open-source tools for its operations, including JsonCPP and Psiphon.[41] |
G0051 | FIN10 | FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.[32] |
G0053 | FIN5 | FIN5 has obtained and used a customized version of PsExec, as well as other tools such as pwdump, SDelete, and Windows Credential Editor.[16] |
G0037 | FIN6 | FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.[8][9] |
G0101 | Frankenstein | Frankenstein has obtained and used Empire to deploy agents.[42] |
G0093 | GALLIUM | GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[53] |
G0078 | Gorgon Group | Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.[48] |
G0100 | Inception | Inception has obtained and used open-source tools such as LaZagne.[5] |
G0136 | IndigoZebra | IndigoZebra has acquired open-source tools such as NBTscan and Meterpreter for their operations.[54][55] |
G0004 | Ke3chang | Ke3chang has obtained and used tools such as Mimikatz.[59] |
G0094 | Kimsuky | Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec.[11][12] |
G0032 | Lazarus Group | Lazarus Group has obtained a variety of tools for their operations, including Responder, PuTTY PSCP, Wake-On-Lan, ChromePass, and dbxcli.[50][51][52] |
G0077 | Leafminer | Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.[33] |
G0059 | Magic Hound | Magic Hound has obtained and used open-source penetration testing tools like Havij, sqlmap, Metasploit, and Mimikatz.[28][30][29] |
G0045 | menuPass | menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.[27] |
G0069 | MuddyWater | MuddyWater has made use of the legitimate tools ConnectWise and RemoteUtilities for access to target environments.[40] |
G0014 | Night Dragon | Night Dragon has obtained and used tools such as gsecdump.[20] |
G0040 | Patchwork | Patchwork has obtained and used open-source tools such as QuasarRAT.[58] |
G0011 | PittyTiger | PittyTiger has obtained and used tools such as Mimikatz and gsecdump.[74] |
G0034 | Sandworm Team | Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.[44] |
G0091 | Silence | Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.[23][24] |
G0122 | Silent Librarian | Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.[14][15] |
G0088 | TEMP.Veles | TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.[26] |
G0027 | Threat Group-3390 | Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.[63][62] |
G0076 | Thrip | Thrip has obtained and used tools such as Mimikatz and PsExec.[46] |
G0010 | Turla | Turla has obtained and customized publicly-available tools like Mimikatz.[45] |
G0107 | Whitefly | Whitefly has obtained and used tools such as Mimikatz.[3] |
G0090 | WIRTE | WIRTE has obtained and used Empire for post-exploitation activities.[49] |
G0102 | Wizard Spider | Wizard Spider has obtained and used publicly-available post-exploitation frameworks and tools like Metasploit, Empire, and Mimikatz.[47] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0004 | Malware Repository | Malware Metadata |
References
1. Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.
2. Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.
3. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
4. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
5. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
6. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
7. McMillen, D. and Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021.
8. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
9. McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
10. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
11. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
12. An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
13. ClearSky and Trend Micro. (2017, July). Operation Wilted Tulip - Exposing a cyber espionage apparatus. Retrieved May 17, 2021.
14. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
15. Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.
16. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
17. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
18. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
19. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
20. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
21. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
22. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
23. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
24. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
25. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
26. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
27. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
28. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
29. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
30. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
31. Burgher, A. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
32. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
33. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
34. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
35. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
36. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
37. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
38. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
39. Kálnai, P. and Cherepanov, A. (2018, April 3). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
40. Mele, G., et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
41. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
42. Adamitis, D., et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
43. Wiley, B., et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
44. Brady, S. W. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
45. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
46. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
47. Goody, K., Kennelly, J., Shilko, J., Elovitz, S., and Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
48. Falcone, R., et al. (2018, August 2). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
49. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
50. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
51. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
52. Kopeytsev, V. and Park, S. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
53. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
54. Check Point Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
55. Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.
56. CyCraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton Key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
57. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
58. Meltzer, M., et al. (2018, June 7). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
59. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
60. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
61. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
62. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
63. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
64. Lee, B. and Falcone, R. (2018, June 6). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
65. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
66. Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
67. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
68. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
69. Ahl, I. (2017, June 6). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
70. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
71. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
72. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
73. Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
74. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., and Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.