T1036.005: T1036.005
Essential information
- MITRE technique ID
T1036.005- Confidence
- 100/100
- Revoked
- No
- Published
- 10/02/2020 21:43
- Modified
- 27/03/2026 01:08
- Author / Source
- The MITRE Corporation
Aliases
Match Legitimate Resource Name or Location
Platforms
windows macos linux Containers ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (66)
-
Blue Mockingbird relatedThe MITRE Corporation Confidence 100
[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BlueBravo relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-CRI-1014 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-STA-1009 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-STA-1062 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CharmingCypress relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chimera relatedThe MITRE Corporation Confidence 100
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ClickFix relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DPRK relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DPRK (North Korea) relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (73)
-
ThiefQuest usesFamily The MITRE Corporation Confidence 100
[ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AshTag usesAlienVault Confidence 100
[AshTag](https://attack.mitre.org/software/S9031) is a modular .NET backdoor with multiple features that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2025. [AshTag](https://attack.mitre.org/software/S9031) is designed for persistence and remote command execution…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TomBerBil usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Snake Keylogger usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Python bot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FileCoder usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CobaltStrike Beacon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KONNI usesFamily The MITRE Corporation Confidence 100
[KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PowGoop usesFamily The MITRE Corporation Confidence 100
[PowGoop](https://attack.mitre.org/software/S1046) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) as their main loader.(Citation: DHS CISA AA22-055A MuddyWater…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Spark RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PoshC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CobaltStrike usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
The Crown Prince, Nezha relatedAlienVault Confidence 100 20 MITREs 6 Malwares 9 IOCs 5 Observables
-
AlienVault Confidence 100 20 MITREs 14 IOCs 14 Observables
-
AlienVault Confidence 100 16 MITREs 11 IOCs 11 Observables
-
AlienVault Confidence 100 18 MITREs 1 Malware 4 IOCs 4 Observables
-
AlienVault Confidence 100 18 MITREs 2 Malwares 108 IOCs 103 Observables
-
AlienVault Confidence 100 20 MITREs 7 Malwares 11 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
AlienVault Confidence 100 19 MITREs 3 Malwares 6 IOCs 1 APT
-
AlienVault Confidence 100 21 MITREs 5 Malwares 60 IOCs 21 Observables 1 APT
-
AlienVault Confidence 100 10 MITREs 4 Malwares 10 IOCs 4 Observables
-
AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
-
AlienVault Confidence 100 13 MITREs 2 Malwares 2 IOCs 1 Observable
Vulnerabilities (CVE) (35)
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x …
- Attack vector
- Network
- Complexity
- Low
- Published
- 24/06/2025
- Modified
- 11/05/2026
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 14/04/2026
- Modified
- 29/04/2026
targets
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This …
- Attack vector
- Network
- Published
- 07/02/2025
- Modified
- 21/12/2025
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …
- Attack vector
- Network
- Published
- 10/07/2025
- Modified
- 21/12/2025
Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 24/04/2017
- Modified
- 22/04/2026
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …
- Attack vector
- Network
- Published
- 14/01/2025
- Modified
- 27/05/2026
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
- Published
- 27/04/2026
- Modified
- 27/04/2026
Tool (1)
-
Brute Ratel C4 usesThe MITRE Corporation Confidence 100
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
Campaign (4)
-
RedPenguin uses
-
C0032 uses
-
SolarWinds Compromise uses
-
HomeLand Justice uses