T1087.002: T1087.002
Essential information
- MITRE technique ID
T1087.002- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:08
- Modified
- 15/04/2026 12:25
- Author / Source
- The MITRE Corporation
Aliases
Domain Account
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (50)
-
The MITRE Corporation Confidence 100
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…
First seen 01/01/1970 · Last seen 16/11/5138 · -
play relatedThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (68)
-
VBCloud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Qilin usesThe MITRE Corporation Confidence 100
[Qilin](https://attack.mitre.org/software/S1242) ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ZingDoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mallard usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SNOWLIGHT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
W32.Stuxnet usesThe MITRE Corporation Confidence 100
[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple…
First seen 01/01/1970 · Last seen 16/11/5138 · -
OSInfo usesFamily The MITRE Corporation Confidence 100
[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)
First seen 01/01/1970 · Last seen 16/11/5138 · -
BackConnect usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rhysida usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
More_eggs - S0284 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CSharp Streamer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PortStarter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (28)
-
AlienVault Confidence 100 22 MITREs 2 Malwares 29 IOCs 29 Observables
-
3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
-
5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 3 IOCs 3 Observables
-
46 MITREs 6 Malwares 27 Observables 1 APT
-
20 MITREs 8 Malwares
-
12 CVEs 20 MITREs 1 Observable
-
25 MITREs 4 Malwares 1 APT
-
25 MITREs 2 Malwares 9 Observables 1 APT
-
26 MITREs 2 Malwares 1 Observable 1 APT
-
25 MITREs 2 Malwares 1 APT
-
1 CVE 26 MITREs 4 Malwares 20 Observables 1 APT
Vulnerabilities (CVE) (57)
Apache Shiro contains a vulnerability which may allow remote attackers to execute code or bypass intended access restrictions via an unspecified request …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 07/06/2016
- Modified
- 24/06/2026
Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.
- Attack vector
- Local
- Published
- 14/11/2023
- Modified
- 15/06/2026
Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.
- Attack vector
- Network
- Published
- 10/11/2025
- Modified
- 21/12/2025
Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …
- Attack vector
- NETWORK
- EPSS
- 0.0003 (P7.6%)
- Published
- 09/01/2026
- Modified
- 17/04/2026
A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL …
- Attack vector
- LOCAL
- Published
- 11/06/2025
- Modified
- 16/06/2026
The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …
- Attack vector
- LOCAL
- Published
- 08/01/2024
- Modified
- 16/06/2026
Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.This issue affects X6000R: through V9.4.0cu.1360_B20241207.
- Published
- 24/09/2025
- Modified
- 24/09/2025
A vulnerability exists in F5OS-A and F5OS-C system that may allow an authenticated attacker with local access to escalate their privileges. A …
- Attack vector
- LOCAL
- Published
- 15/10/2025
- Modified
- 21/12/2025
Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …
- Published
- 03/11/2021
- Modified
- 29/05/2026
Tool (7)
-
PoshC2 usesThe MITRE Corporation Confidence 100
[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
-
dsquery usesThe MITRE Corporation Confidence 100
[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed…
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
BloodHound usesThe MITRE Corporation Confidence 100
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
-
AdFind usesThe MITRE Corporation Confidence 100
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
-
SILENTTRINITY usesThe MITRE Corporation Confidence 100
[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…
-
Brute Ratel C4 usesThe MITRE Corporation Confidence 100
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
Course Of Action (1)
-
Operating System Configuration mitigates
Campaign (1)
-
Operation Dream Job uses