T1001: T1001
Essential information
- MITRE technique ID
T1001- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 03/04/2026 21:34
- Author / Source
- The MITRE Corporation
Aliases
Data Obfuscation
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | command-and-control |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (38)
-
The MITRE Corporation Confidence 100
[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TA406 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PolarEdge usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ForumTroll usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-26 (Lazarus) relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BADBOX 2.0 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackwood relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL0P relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Berberoka relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (78)
-
PuppetLoader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TameCat usesThe MITRE Corporation Confidence 100
[TAMECAT](https://attack.mitre.org/software/S1193) is a malware that is used by [APT42](https://attack.mitre.org/groups/G1044) to execute PowerShell or C# content.(Citation: Mandiant APT42-untangling)
First seen 01/01/1970 · Last seen 16/11/5138 · -
HrServ usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Kubernetes usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SAGEWAVE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Dreambot usesThe MITRE Corporation Confidence 100
[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MidgeDropper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FMAPP.exe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CastleLoader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LODEINFO usesAlienVault Confidence 100
[LODEINFO](https://attack.mitre.org/software/S9020) is a fileless backdoor malware first identified in 2020 that has been used by actors including [MirrorFace](https://attack.mitre.org/groups/G1054), primarily against media, diplomatic, governmental, and public sector organizations in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Logtu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cobalt Strike usesFamily The MITRE Corporation Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (20)
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
20 MITREs 8 Malwares 8 Observables 1 APT
-
16 MITREs 7 Malwares 14 Observables 1 APT
-
19 MITREs 6 Malwares 5 Observables 1 APT
-
18 MITREs 10 Observables
-
13 MITREs 4 Malwares 1 APT
-
11 MITREs 2 Malwares 12 Observables 1 APT
-
19 MITREs 2 Malwares
-
16 MITREs 2 Malwares 1 APT
-
9 MITREs 1 Malware 59 Observables 1 APT
-
20 MITREs 3 Malwares 48 Observables 1 APT
-
20 MITREs 3 Malwares 12 Observables 1 APT
Vulnerabilities (CVE) (21)
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …
- Published
- 14/06/2022
- Modified
- 27/05/2026
Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 24/04/2017
- Modified
- 22/04/2026
Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …
- Attack vector
- Network
- Published
- 01/05/2023
- Modified
- 21/12/2025
Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …
- Published
- 03/11/2021
- Modified
- 29/05/2026
Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …
- Attack vector
- Network
- Published
- 03/03/2025
- Modified
- 21/12/2025
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …
- Attack vector
- Network
- Published
- 04/09/2025
- Modified
- 21/12/2025
Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …
- Published
- 03/11/2021
- Modified
- 20/12/2025
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
- Attack vector
- NETWORK
- Published
- 20/12/2025
- Modified
- 22/01/2026
Attack patterns (MITRE) (2)
-
Steganography subtechnique-ofT1001.002 MITRE
-
T1001.003 subtechnique-ofProtocol or Service Impersonation MITRE
Tool (1)
-
evilginx2 usesThe MITRE Corporation Confidence 75
[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…
Campaign (1)
-
Operation Wocao uses