T1087.001: T1087.001
Essential information
- MITRE technique ID
T1087.001- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:07
- Modified
- 21/04/2026 11:28
- Author / Source
- The MITRE Corporation
Aliases
Local Account
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (35)
-
UAC-0006 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Poseidon Group usesThe MITRE Corporation Confidence 100
[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Sukob usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Medusa Group usesThe MITRE Corporation Confidence 100
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BlackCat usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RedCurl usesThe MITRE Corporation Confidence 100
[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lunar Spider usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cavern Manticore usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (68)
-
Bankshot usesFamily The MITRE Corporation Confidence 100
[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SNOWRUST usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HealthKick usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HyperStack usesFamily The MITRE Corporation Confidence 100
[HyperStack](https://attack.mitre.org/software/S0537) is a RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. [HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Grixba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
InvisibleFerret usesThe MITRE Corporation Confidence 100
[InvisibleFerret](https://attack.mitre.org/software/S1245) is a modular python malware that is leveraged for data exfiltration and remote access capabilities.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TSPY_TRICKLOAD usesThe MITRE Corporation Confidence 100
[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…
First seen 01/01/1970 · Last seen 16/11/5138 · -
mcpAddon.js usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CloudSorcerer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackCat - S1068 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Raccoon Stealer usesFamily The MITRE Corporation Confidence 100
[Raccoon Stealer](https://attack.mitre.org/software/S1148) is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. [Raccoon Stealer](https://attack.mitre.org/software/S1148) has experienced two periods of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mimikatz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (23)
-
AlienVault Confidence 100 23 MITREs 21 IOCs 7 Observables 1 APT
-
AlienVault Confidence 100 2 CVEs 20 MITREs 2 IOCs 2 Observables
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
-
19 MITREs 3 Malwares 32 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
-
3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 17 IOCs 17 Observables 1 APT
-
AlienVault Confidence 100 21 MITREs 2 Malwares 132 IOCs 132 Observables
-
AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 3 IOCs 3 Observables
Vulnerabilities (CVE) (14)
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/05/2026
- Modified
- 18/06/2026
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Campaign (2)
-
Operation CuckooBees uses
-
Operation Digital Eye uses
Tool (4)
-
Pupy usesThe MITRE Corporation Confidence 100
[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
BloodHound usesThe MITRE Corporation Confidence 100
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
-
PowerSploit usesThe MITRE Corporation Confidence 100
[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
Course Of Action (1)
-
Operating System Configuration mitigates