T1087.002: T1087.002
Essential information
- MITRE technique ID
T1087.002- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:08
- Modified
- 15/04/2026 12:25
- Author / Source
- The MITRE Corporation
Aliases
Domain Account
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (50)
-
Qilin relatedRansomware.Live Confidence 100
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Storm-0501 relatedThe MITRE Corporation Confidence 100
[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Storm-1567 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The Gentlemen relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ToddyCat relatedThe MITRE Corporation Confidence 100
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UAT-8302 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UTA0137 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Water Scylla relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Weaver Ant relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (68)
-
VBCloud usesFamily
-
Qilin usesFamily
-
ZingDoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mallard usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SNOWLIGHT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
W32.Stuxnet usesFamily
-
OSInfo usesFamily The MITRE Corporation Confidence 100
[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)
First seen 01/01/1970 · Last seen 16/11/5138 · -
BackConnect usesFamily
-
Rhysida usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
More_eggs - S0284 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CSharp Streamer usesFamily
-
PortStarter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (28)
-
AlienVault Confidence 100 13 CVEs 22 MITREs 6 Malwares 5 IOCs 4 Observables
-
AlienVault Confidence 100 3 CVEs 21 MITREs 2 Malwares 8 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
-
2 CVEs 22 MITREs 24 Malwares 102 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
3 CVEs 20 MITREs 8 Malwares 17 Observables 1 APT
-
20 MITREs 1 Malware 2 Observables
-
AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
-
12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Vulnerabilities (CVE) (57)
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/04/2026
- Modified
- 09/04/2026
Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector
- Network
- Published
- 24/10/2025
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 13/05/2026
- Modified
- 10/06/2026
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …
- Attack vector
- LOCAL
- Published
- 28/10/2025
- Modified
- 30/01/2026
Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP …
- Attack vector
- Network
- Published
- 09/02/2024
- Modified
- 21/12/2025
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …
- Attack vector
- Network
- Published
- 15/07/2024
- Modified
- 21/12/2025
Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …
- Published
- 03/11/2021
- Modified
- 29/05/2026
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …
- Published
- 03/11/2021
- Modified
- 20/12/2025
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
Tool (7)
-
PoshC2 usesThe MITRE Corporation Confidence 100
[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
-
dsquery usesThe MITRE Corporation Confidence 100
[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed…
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
BloodHound usesThe MITRE Corporation Confidence 100
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
-
AdFind usesThe MITRE Corporation Confidence 100
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
-
SILENTTRINITY usesThe MITRE Corporation Confidence 100
[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…
-
Brute Ratel C4 usesThe MITRE Corporation Confidence 100
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
Course Of Action (1)
-
Operating System Configuration mitigates
Campaign (1)
-
Operation Dream Job uses