T1070.006: T1070.006
Essential information
- MITRE technique ID
T1070.006- Confidence
- 100/100
- Revoked
- No
- Published
- 31/01/2020 13:42
- Modified
- 15/04/2026 12:25
- Author / Source
- The MITRE Corporation
Aliases
Timestomp
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (28)
-
The Gentlemen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Earth Alux usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BladedFeline usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rocke usesThe MITRE Corporation Confidence 100
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL-STA-1087 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chimera relatedThe MITRE Corporation Confidence 100
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lazarus relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mr_Rot13 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
NightClub usesFamily The MITRE Corporation Confidence 100
[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Yurei Ransomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Attor usesFamily The MITRE Corporation Confidence 100
[Attor](https://attack.mitre.org/software/S0438) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://attack.mitre.org/software/S0438) has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RAILSETTER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CowTunnel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The Gentlemen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cpanel-Python usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FileCoder usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MemFun usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cyclops Blink usesFamily The MITRE Corporation Confidence 100
[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Trochilus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Gamshen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (23)
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 16 IOCs 14 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 3 Malwares 12 IOCs 9 Observables
-
AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
-
AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
-
19 MITREs 5 Malwares 1 Observable 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 1 IOC 1 Observable
-
1 CVE 21 MITREs 2 Malwares 1 Observable 1 APT
-
3 CVEs 19 MITREs 7 Malwares 3 Observables
-
AlienVault Confidence 100 20 MITREs 5 Malwares 10 IOCs 10 Observables 1 APT
-
46 MITREs 6 Malwares 27 Observables 1 APT
-
2 CVEs 20 MITREs 10 Malwares 5 Observables 1 APT
Vulnerabilities (CVE) (21)
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/04/2026
- Modified
- 11/05/2026
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …
- Attack vector
- NETWORK
- Published
- 07/01/2026
- Modified
- 09/03/2026
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 05/06/2026
- Modified
- 25/06/2026
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …
- Published
- 10/05/2022
- Modified
- 20/12/2025
targets
Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected …
- Published
- 03/11/2021
- Modified
- 20/04/2026
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …
- Attack vector
- Network
- Published
- 08/04/2025
- Modified
- 21/12/2025
targets
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/05/2026
- Modified
- 18/06/2026
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector
- Network
- Published
- 20/07/2025
- Modified
- 21/12/2025
Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 03/07/2017
- Modified
- 22/04/2026
Campaign (1)
-
Cutting Edge uses
Tool (1)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…