T1087.001: T1087.001
Essential information
- MITRE technique ID
T1087.001- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:07
- Modified
- 21/04/2026 11:28
- Author / Source
- The MITRE Corporation
Aliases
Local Account
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (35)
-
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Gootloader relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TeamPCP relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Trigona relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UAT-8302 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VerdantBamboo relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play relatedThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (68)
-
Bankshot usesFamily The MITRE Corporation Confidence 100
[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SNOWRUST usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HealthKick usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HyperStack usesFamily The MITRE Corporation Confidence 100
[HyperStack](https://attack.mitre.org/software/S0537) is a RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. [HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Grixba usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
InvisibleFerret usesThe MITRE Corporation Confidence 100
[InvisibleFerret](https://attack.mitre.org/software/S1245) is a modular python malware that is leveraged for data exfiltration and remote access capabilities.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TSPY_TRICKLOAD usesThe MITRE Corporation Confidence 100
[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…
First seen 01/01/1970 · Last seen 16/11/5138 · -
mcpAddon.js usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CloudSorcerer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackCat - S1068 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Raccoon Stealer usesFamily The MITRE Corporation Confidence 100
[Raccoon Stealer](https://attack.mitre.org/software/S1148) is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. [Raccoon Stealer](https://attack.mitre.org/software/S1148) has experienced two periods of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mimikatz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (23)
-
AlienVault Confidence 100 23 MITREs 21 IOCs 7 Observables 1 APT
-
AlienVault Confidence 100 2 CVEs 20 MITREs 2 IOCs 2 Observables
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
-
19 MITREs 3 Malwares 32 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
-
3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 17 IOCs 17 Observables 1 APT
-
AlienVault Confidence 100 21 MITREs 2 Malwares 132 IOCs 132 Observables
-
AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 3 IOCs 3 Observables
Vulnerabilities (CVE) (14)
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/05/2026
- Modified
- 18/06/2026
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Campaign (2)
-
Operation CuckooBees uses
-
Operation Digital Eye uses
Tool (4)
-
Pupy usesThe MITRE Corporation Confidence 100
[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
BloodHound usesThe MITRE Corporation Confidence 100
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
-
PowerSploit usesThe MITRE Corporation Confidence 100
[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
Course Of Action (1)
-
Operating System Configuration mitigates