T1069.001: T1069.001
Essential information
- MITRE technique ID
- T1069.001
- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 20/04/2026 12:52
- Author / Source
- The MITRE Corporation
Aliases
Local Groups
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (12)
- The MITRE Corporation · Confidence 100
  [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- The MITRE Corporation · Confidence 100
  [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- Water Scylla · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 12:56 · Modified 21/12/2025 12:56
- TA4557/FIN6 · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 08:41 · Modified 21/12/2025 08:41
- Chimera · uses · The MITRE Corporation · Confidence 100
  [Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- RansomHub · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 04:35 · Modified 21/12/2025 04:35
- The MITRE Corporation · Confidence 100
  [HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- Lunar Spider · uses · AlienVault · Confidence 100
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 08:08 · Modified 21/12/2025 17:38
- The MITRE Corporation · Confidence 100
  [TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
- admin@338 · uses · The MITRE Corporation · Confidence 100
  [admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
- The MITRE Corporation · Confidence 100
  [Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
Malware (43)
- Kwampirs
- Cloudflared · uses · Family · Published 04/12/2024 20:55 · Modified 04/12/2024 20:55
- d3f@ckloader · uses · Family · Published 31/03/2025 05:40 · Modified 31/03/2025 05:40
- Cobalt Strike · uses · Family · Published 16/12/2024 14:25 · Modified 16/12/2024 14:25
- Nokoyawa
- RansomHub · uses · Family · Published 07/08/2025 18:57 · Modified 07/08/2025 18:57
- SocGholish · uses · Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
- More_eggs - S0284 · uses · Family · Published 11/06/2025 09:28 · Modified 11/06/2025 09:28
- AnyDesk · uses · Family · Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
- LockBit · uses · Family · Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
- BlackCat
- Nitrogen · uses · Family · Published 20/05/2025 19:27 · Modified 20/05/2025 19:27
- FlawedAmmyy
- LunarWeb · uses · Family · Published 16/05/2024 09:35 · Modified 16/05/2024 09:35
- PoisonKiller · uses · Family · Published 17/04/2026 23:18 · Modified 17/04/2026 23:18
- BlackCat - S1068 · uses · Family · Published 06/11/2025 14:16 · Modified 06/11/2025 14:16
- Brute Ratel C4 · uses · Family · Published 29/09/2025 16:37 · Modified 29/09/2025 16:37
- Sys10
- Caterpillar WebShell
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
- POWRUNER
- BlackSuit · uses · Family · Published 07/08/2025 18:57 · Modified 07/08/2025 18:57
- SectopRAT · uses · Family · Published 26/05/2026 15:20 · Modified 26/05/2026 15:20
- QDoor · uses · Family · Published 31/03/2025 05:40 · Modified 31/03/2025 05:40
- ExByte · uses · Family · Published 28/08/2024 14:04 · Modified 28/08/2024 14:04
- Latrodectus · uses · Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
- Epic
- Sliver · uses · Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
- mimikatz · uses · Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
- Helminth
- Emissary
- ScreenConnect · uses · Family · Published 08/05/2026 02:49 · Modified 08/05/2026 02:49
- JPIN
- Flagpro
- More_eggs
- Atera · uses · Family · Published 17/04/2026 23:18 · Modified 17/04/2026 23:18
- Gomir
- SimpleHelp · uses · Family · Published 17/04/2026 23:18 · Modified 17/04/2026 23:18
- OSInfo · uses · Family · The MITRE Corporation · Confidence 100
  [OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/01/2018 17:13 · Modified 04/05/2026 16:31
- Brute Ratel · uses · Family · Published 27/05/2025 10:35 · Modified 27/05/2025 10:35
- Kazuar
- QakBot · uses · Family · Published 30/05/2024 14:20 · Modified 30/05/2024 14:20
- BackConnect · uses · Family · Published 29/09/2025 16:37 · Modified 29/09/2025 16:37
Reports (6)
- 1 CVE · 18 MITREs · 6 Malwares · 5 Observables · Published 17/04/2026 23:18 · Modified 20/04/2026 10:52
- 25 MITREs · 2 Malwares · 9 Observables · 1 APT · Published 30/06/2025 18:49 · Modified 01/07/2025 08:16
- 32 MITREs · 6 Malwares · Published 31/03/2025 05:40 · Modified 31/03/2025 15:56
- 25 MITREs · 2 Malwares · 1 APT · Published 14/03/2025 10:16 · Modified 14/03/2025 19:30
- 1 CVE · 26 MITREs · 4 Malwares · 20 Observables · 1 APT · Published 04/12/2024 20:55 · Modified 04/12/2024 21:38
- 32 MITREs · 6 Malwares · 45 Observables · Published 01/10/2024 10:05 · Modified 01/10/2024 10:29
Vulnerabilities (CVE) (3)
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 27/05/2026
Attack patterns (MITRE) (1)
- T1069 · subtechnique-of · Permission Groups Discovery
Tool (4)
- SILENTTRINITY · uses · The MITRE Corporation · Confidence 100
  [SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a …
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
- BloodHound · uses · The MITRE Corporation · Confidence 100
  [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. (Citation: GitHub Bloodhound) (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT …
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
- PoshC2 · uses · The MITRE Corporation · Confidence 100
  [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while …
  Published 23/04/2019 14:31 · Modified 27/03/2026 01:07
- Net · uses · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft …
  Published 16/12/2025 19:37 · Modified 27/03/2026 01:07
Campaign (4)
- Operation Wocao uses
- C0015 uses
- Operation CuckooBees uses
- Operation Digital Eye uses