Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
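Several of the entries in the table that follows (DropBook, the Operation Wocao backdoors, TRITON's trilog.exe) are Python programs frozen into executables, so a responder needs a quick way to recognise such a binary. The check below is an added example, not code from the ATT&CK page: it looks for the cookie PyInstaller appends to a frozen executable, using the magic value and `!8sIIii64s` layout from PyInstaller's archive reader (an assumption of this example, not something the page states), and runs against a constructed sample binary. py2exe-built binaries use a different layout and are not covered.

```python
"""Recognise a PyInstaller-frozen executable from its trailing archive cookie.

Added example, not code from the ATT&CK page. The cookie magic and the
'!8sIIii64s' layout (magic, package length, TOC offset, TOC length, Python
version, Python library name) are taken from PyInstaller's archive reader and
are an assumption of this example; the sample binary is constructed so the
check runs offline.
"""
import struct
from typing import Dict, Optional

COOKIE_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes) -> Optional[Dict]:
    """Parse the CArchive cookie; return None if `data` is not a PyInstaller package.

    The cookie sits at the end of the appended archive, but some bootloaders
    place extra bytes after it, so search backwards for the magic instead of
    assuming a fixed offset from EOF.
    """
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    # Reject headers whose sizes do not fit the file (random 'MEI' hits, corruption).
    if pkg_len > len(data) or toc_pos + toc_len > pkg_len:
        return None
    # Current releases store major*100+minor (311); old ones major*10+minor (27).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "package_length": pkg_len,
        "toc_position": toc_pos,
        "toc_length": toc_len,
    }


def build_sample(pyvers: int = 311, pylib: bytes = b"python311.dll") -> bytes:
    """Constructed stand-in for a frozen executable: fake stub, archive body, real-format cookie."""
    stub = b"MZ" + b"\0" * 62 + b"constructed stub, not a real PE "
    body = b"\0" * 200   # stand-in for the PYZ/bootstrap entries
    toc = b"\0" * 40     # stand-in for the table of contents
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, pkg_len, len(body), len(toc), pyvers, pylib)
    return stub + body + toc + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))          # parsed cookie
    print(find_pyinstaller_cookie(b"MZ" + b"\0" * 300))     # None: not frozen
```

To use it on a real file, pass `open(path, "rb").read()` to `find_pyinstaller_cookie`; a result means the next step is extracting the archive and recovering the embedded scripts for analysis.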
Procedure Examples

| Name | Description |
|---|---|
| IronNetInjector | IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.(Citation: Unit 42 IronNetInjector February 2021) |
| DropBook | DropBook is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020) |
| PUNCHBUGGY | PUNCHBUGGY has used python scripts.(Citation: Morphisec ShellTea June 2019) |
| APT37 | APT37 has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021) |
| BRONZE BUTLER | BRONZE BUTLER has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019) |
| Donut | Donut can generate shellcode outputs that execute via Python.(Citation: Donut Github) |
| SpeakUp | SpeakUp uses Python scripts.(Citation: CheckPoint SpeakUp Feb 2019) |
| Tonto Team | Tonto Team has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020) |
| reGeorg | reGeorg is a Python-based web shell.(Citation: GitHub reGeorg 2016) |
| PyDCrypt | PyDCrypt, along with its functions, is written in Python.(Citation: Checkpoint MosesStaff Nov 2021) |
| ZIRCONIUM | ZIRCONIUM has used Python-based implants to interact with compromised hosts.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020) |
| Pysa | Pysa has used Python scripts to deploy ransomware.(Citation: CERT-FR PYSA April 2020) |
| KeyBoy | KeyBoy uses Python scripts for installing files and performing execution.(Citation: CitizenLab KeyBoy Nov 2016) |
| Rocke | Rocke has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019) |
| Machete | Machete used multiple compiled Python scripts on the victim’s system. Machete's main backdoor Machete is also written in Python.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020) |
| Remcos | Remcos uses Python scripts.(Citation: Riskiq Remcos Jan 2018) |
| Neo-reGeorg | Neo-reGeorg is a Python-based web shell.(Citation: GitHub Neo-reGeorg 2019) |
| TRITON | TRITON was run as trilog.exe, a Py2EXE compiled python script that accepts a single IP address as a flag.(Citation: FireEye TRITON 2017) |
| Bundlore | Bundlore has used Python scripts to execute payloads.(Citation: MacKeeper Bundlore Apr 2019) |
| Earth Lusca | Earth Lusca used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022) |
| Small Sieve | Small Sieve can use Python scripts to execute commands.(Citation: NCSC GCHQ Small Sieve Jan 2022) |
| Cobalt Strike | Cobalt Strike can use Python to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017) |
| SILENTTRINITY | SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.(Citation: GitHub SILENTTRINITY March 2022)(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Chaes | Chaes has used Python scripts for execution and the installation of additional files.(Citation: Cybereason Chaes Nov 2020) |
| MuddyWater | MuddyWater has developed tools in Python including Out1.(Citation: Trend Micro Muddy Water March 2021) |
| Operation Wocao | During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.(Citation: FoxIT Wocao December 2019) |
| MechaFlounder | MechaFlounder uses a python-based payload.(Citation: Unit 42 MechaFlounder March 2019) |
| Cinnamon Tempest | Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files.(Citation: Microsoft Ransomware as a Service) |
| Cutting Edge | During Cutting Edge, threat actors used a Python reverse shell and the PySoxy SOCKS5 proxy tool.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024) |
| Turian | Turian has the ability to use Python to spawn a Unix shell.(Citation: ESET BackdoorDiplomacy Jun 2021) |
| Turla | Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.(Citation: Unit 42 IronNetInjector February 2021) |
| Dragonfly 2.0 | Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| APT29 | APT29 has developed malware variants written in Python.(Citation: Symantec Seaduke 2015) |
| CoinTicker | CoinTicker executes a Python script to download its second stage.(Citation: CoinTicker 2019) |
| Pupy | Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.(Citation: GitHub Pupy) |
| Ebury | Ebury has used Python to implement its DGA.(Citation: ESET Ebury Oct 2017) |
| ShadowRay | During ShadowRay, threat actors used the Python `pty` module to open reverse shells.(Citation: Oligo ShadowRay Campaign MAR 2024) |
| APT39 | APT39 has used a command line utility and a network scanner written in python.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020) |
| Bandook | Bandook can support commands to execute Python-based payloads.(Citation: CheckPoint Bandook Nov 2020) |
| Machete | Machete is written in Python and is used in conjunction with additional Python scripts.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020) |
| FRAMESTING | FRAMESTING is a Python web shell that can embed in the Ivanti Connect Secure CAV Python package.(Citation: Mandiant Cutting Edge Part 2 January 2024) |
| PoetRAT | PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.(Citation: Talos PoetRAT April 2020) |
| Cobalt Strike | Cobalt Strike can use Python to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020) |
| UPSTYLE | UPSTYLE is a Python-based application.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024) |
| CookieMiner | CookieMiner has used python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre.(Citation: Unit42 CookieMiner Jan 2019) |
| Keydnap | Keydnap uses Python for scripting to execute additional commands.(Citation: synack 2016 review) |
| Operation Wocao | Operation Wocao's backdoors have been written in Python and compiled with py2exe.(Citation: FoxIT Wocao December 2019) |
| RedCurl | RedCurl has used a Python script to establish outbound communication and to execute commands using SMB port 445.(Citation: trendmicro_redcurl) |
| Lumma Stealer | Lumma Stealer has used malicious Python scripts to execute payloads.(Citation: Cybereason LumaStealer Undated) |
| Dragonfly | Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A) |
| Kimsuky | Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi) |
Mitigations

**Audit**

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as healthcare, finance and government, where compliance requirements demand stringent tracking of user and system activities. This mitigation can be implemented through the following measures:

System Audit:
- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
- Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:
- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
- Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:
- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
- Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:
- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
- Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:
- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
- Implementation: Utilize tools such as Wireshark or Zeek to monitor and log suspicious network behavior.

**Antivirus/Antimalware**

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:

Signature-Based Detection:
- Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
- Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.

Heuristic-Based Detection:
- Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
- Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.

Behavioral Detection (Behavior Prevention):
- Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
- Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.

Real-Time Scanning:
- Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
- Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.

Cloud-Assisted Threat Intelligence:
- Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
- Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.

**Tools for Implementation**:
- Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
- Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
- Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.

**Limit Software Installation**

Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures:

Application Whitelisting:
- Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
- Whitelist applications based on file hash, path, or digital signatures.

Restrict User Permissions:
- Remove local administrator rights for all non-IT users.
- Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only.

Software Restriction Policies (SRP):
- Use GPO to configure SRP to deny execution of binaries from directories such as `%AppData%`, `%Temp%`, and external drives.
- Restrict specific file types (`.exe`, `.bat`, `.msi`, `.js`, `.vbs`) to trusted directories only.

Endpoint Management Solutions:
- Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
- Maintain a list of approved software, versions, and updates across the enterprise.

Monitor Software Installation Events:
- Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
- Use SIEM or EDR tools to alert on attempts to install unapproved software.

Implement Software Inventory Management:
- Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
- Conduct regular audits to detect and remove unapproved software.

**Tools for Implementation**:

Application Whitelisting:
- Microsoft AppLocker
- Windows Defender Application Control (WDAC)

Endpoint Management:
- Microsoft Intune
- SCCM (System Center Configuration Manager)
- Jamf Pro (macOS)
- Puppet or Ansible for automation

Software Restriction Policies:
- Group Policy Object (GPO)
- Microsoft Software Restriction Policies (SRP)

Monitoring and Logging:
- Splunk
- OSQuery
- Wazuh (open-source SIEM and XDR)
- EDRs

Inventory Management and Auditing:
- OSQuery
- Wazuh

**Execution Prevention**

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:
- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
- Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:
- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
- Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:
- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories.
- Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention:
- Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
- Implementation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
Detection
Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
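One way to turn the guidance above into detection logic, as an added example that is not part of the ATT&CK page: score process-creation events for the signals this page calls out (an interpreter or script launched from a user-writable path, inline `-c` code carrying shell or socket primitives such as the `pty` use in ShadowRay, an interpreter spawned by a document handler, and Python present on a host where it is not an approved package, as with Dragonfly). The event field names, thresholds and sample events are constructed assumptions to map onto your own EDR or Sysmon schema.

```python
"""Score process-creation events for abnormal Python interpreter use.
Added example for this page's Detection guidance, not ATT&CK's own code; the
event fields (image, command_line, parent_image, python_expected) and sample
events are constructed assumptions to map onto your EDR/Sysmon schema."""
import re
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List

# Interpreter image names to watch; ipy*.exe covers IronPython (IronNetInjector).
PYTHON_IMAGES = {"python", "python2", "python3", "python.exe", "pythonw.exe",
                 "python3.exe", "ipy.exe", "ipy64.exe"}
# Locations from which an interpreter or script should rarely be launched.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "/tmp/", "/dev/shm/")
# Primitives inline one-liners use to spawn shells, reach the network or unpack
# an encoded stage (the page notes pty-based reverse shells in ShadowRay).
INLINE_PATTERNS = [r"\bpty\.spawn\b", r"\bimport\s+socket\b", r"\bsubprocess\b",
                   r"\bos\.system\b", r"\bexec\(", r"\bbase64\b"]
# Parents that have no business starting an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

def _basename(path: str) -> str:
    """Lower-cased file name for either a Windows or a POSIX path."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.name.lower()

def score_event(evt: Dict) -> List[str]:
    """Return the reasons an event looks abnormal; an empty list means benign."""
    reasons: List[str] = []
    if _basename(evt["image"]) not in PYTHON_IMAGES:
        return reasons
    cmd = evt["command_line"]
    haystack = (evt["image"] + " " + cmd).lower()
    parent = _basename(evt.get("parent_image", ""))
    # 1. Inline code (-c) leaves no script on disk to capture, so inspect it here.
    if re.search(r"(^|\s)-c\s", cmd):
        reasons.append("inline code via -c")
        if any(re.search(p, cmd) for p in INLINE_PATTERNS):
            reasons.append("shell/network/encoding primitives in inline code")
    # 2. Interpreter or script living in a user-writable directory.
    if any(d in haystack for d in USER_WRITABLE):
        reasons.append("interpreter or script in user-writable directory")
    # 3. Document handlers and mail clients should not spawn interpreters.
    if parent in OFFICE_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    # 4. Interpreter on a host where Python is not an approved package (the page
    #    notes Dragonfly installing Python 2.7 on a victim).
    if not evt.get("python_expected", True):
        reasons.append("python not expected on this host")
    return reasons

def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Map host -> reasons for every event that scored at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for evt in events:
        reasons = score_event(evt)
        if reasons:
            flagged.setdefault(evt["host"], []).extend(reasons)
    return flagged

# Constructed sample telemetry (not real logs): a benign build job plus three
# events that match the page's indicators.
SAMPLE_EVENTS = [
    {"host": "build01", "image": "C:\\Python311\\python.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "python.exe build.py --release"},
    {"host": "ws-17", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\python.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": "python.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.py"},
    {"host": "ray-node-3", "image": "/usr/bin/python3", "parent_image": "/usr/bin/bash",
     "command_line": 'python3 -c "import socket,pty; ..."'},
    {"host": "hmi-02", "image": "C:\\Python27\\python.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "python.exe survey.py", "python_expected": False},
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {'; '.join(why)}")
```

Baseline the interpreter paths and parents that are normal in your environment before alerting on rules 2 and 3, since build servers and data-science hosts legitimately run Python from unusual places.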
References
- Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
- Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
- xl7dev. (2016). reGeorg-master. Retrieved December 3, 2024.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
- CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
- Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
- Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
- Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
- Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
- Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
- Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
- Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
- Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.