T1069.002: T1069.002
Essential information
- MITRE technique ID
T1069.002- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:15
- Modified
- 20/04/2026 12:52
- Author / Source
- The MITRE Corporation
Aliases
Domain Groups
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (25)
-
Trigona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (66)
-
BlackCat - S1068 usesFamily
-
BADHATCH uses
-
PsExec usesFamily
-
SocGholish usesThe MITRE Corporation Confidence 100
[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Atera usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Carbanak - S0030 usesFamily
-
BackConnect usesFamily
-
Rubeus usesFamily
-
Get-DataInfo.ps1 usesFamily
-
QSC framework usesFamily
-
Cloudflared usesFamily
-
Kwampirs uses
Reports (17)
-
AlienVault Confidence 100 13 CVEs 22 MITREs 6 Malwares 5 IOCs 4 Observables
-
AlienVault Confidence 100 3 CVEs 21 MITREs 2 Malwares 8 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
20 MITREs 1 Malware 2 Observables
-
46 MITREs 6 Malwares 27 Observables 1 APT
-
1 CVE 18 MITREs 6 Malwares 5 Observables
-
1 CVE 15 MITREs 1 Malware 5 Observables 1 APT
-
25 MITREs 2 Malwares 9 Observables 1 APT
-
32 MITREs 6 Malwares
-
25 MITREs 2 Malwares 1 APT
Vulnerabilities (CVE) (21)
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 27/05/2026
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 09/06/2026
- Modified
- 24/06/2026
Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP …
- Attack vector
- Network
- Published
- 09/02/2024
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
Microsoft SharePoint Server Remote Code Execution Vulnerability
- Attack vector
- NETWORK
- Published
- 11/03/2021
- Modified
- 24/06/2026
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …
- Attack vector
- Network
- Published
- 14/01/2025
- Modified
- 27/05/2026
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 13/05/2026
- Modified
- 10/06/2026
Tool (7)
-
BloodHound usesThe MITRE Corporation Confidence 100
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
SILENTTRINITY usesThe MITRE Corporation Confidence 100
[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…
-
dsquery usesThe MITRE Corporation Confidence 100
[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed…
-
Brute Ratel C4 usesThe MITRE Corporation Confidence 100
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
-
AdFind usesThe MITRE Corporation Confidence 100
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
-
CrackMapExec usesThe MITRE Corporation Confidence 100
[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…
Campaign (2)
-
C0015 uses
-
SolarWinds Compromise uses