T1078.002: T1078.002
Essential information
- MITRE technique ID
T1078.002- Confidence
- 100/100
- Revoked
- No
- Published
- 13/03/2020 21:21
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Domain Accounts
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | initial-access |
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (48)
-
CL-CRI-1032 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Weaver Ant usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100
[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Naikon usesThe MITRE Corporation Confidence 100
[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL-STA-0048 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ransomhouse usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
FROZEN#SHADOW usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CrazyHunter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Agenda relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (55)
-
SuperBlack usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Korplug usesThe MITRE Corporation Confidence 100
[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mimikatz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HemiGate usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rust backdoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cobalt Strike usesFamily The MITRE Corporation Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AdaptixC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ShadowPad - S0596 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SSLoad usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cactus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackCat - S1068 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FaceFish usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (35)
-
AlienVault Confidence 100 20 MITREs 3 Malwares 16 IOCs 10 Observables
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
5 CVEs 14 MITREs 2 Malwares 5 Observables
-
12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
-
26 MITREs 2 Malwares 19 Observables
-
20 MITREs 52 Observables 1 APT
-
12 CVEs 20 MITREs 1 Observable
-
15 MITREs 5 Malwares 1 APT
-
4 MITREs 1 APT
-
15 MITREs
-
9 MITREs 35 Observables 1 APT
Vulnerabilities (CVE) (40)
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …
- Attack vector
- Network
- Published
- 13/12/2024
- Modified
- 21/12/2025
When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance …
- Attack vector
- Network
- Published
- 15/10/2025
- Modified
- 04/02/2026
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …
- Attack vector
- Network
- Published
- 09/06/2025
- Modified
- 27/05/2026
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …
- Attack vector
- Network
- Published
- 04/04/2025
- Modified
- 21/12/2025
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/01/2026
- Modified
- 10/04/2026
VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 …
- Published
- 03/11/2021
- Modified
- 21/12/2025
Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector
- Network
- Published
- 24/10/2025
- Modified
- 21/12/2025
NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …
- Attack vector
- LOCAL
- Published
- 13/08/2025
- Modified
- 17/04/2026
Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …
- Attack vector
- Network
- Published
- 20/10/2025
- Modified
- 27/05/2026
Campaign (8)
-
Operation Wocao uses
-
Operation CuckooBees uses
-
Leviathan Australian Intrusions uses
-
Operation MidnightEclipse uses
-
Night Dragon uses
-
Cutting Edge uses
-
2025 Poland Wiper Attacks uses
-
Operation Ghost uses
Course Of Action (4)
-
User Account Management mitigates
-
Privileged Account Management mitigates
-
User Training mitigates
-
Multi-factor Authentication mitigates