T1119: T1119
Essential information
- MITRE technique ID
T1119- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 10:58
- Author / Source
- The MITRE Corporation
Aliases
Automated Collection
Platforms
windows macos linux IaaS Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | collection |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (57)
-
The MITRE Corporation Confidence 100
[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DPRK relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
EVALUSION relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Earth Alux relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FAMOUS CHOLLIMA relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Gamaredon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GoldenJackal relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Grandoreiro relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
IcedID - S0483 usesFamily
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Atomic Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BH_A006 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sliver C2 usesFamily
-
GREASE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RSBINJECT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
OtterCookie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Beast Ransomware usesFamily
-
Rover usesFamily The MITRE Corporation Confidence 100
[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lazarus uses
-
FeedLoad uses
Reports (50)
-
AlienVault Confidence 100 10 MITREs 4 Malwares 10 IOCs 4 Observables
-
AlienVault Confidence 100 3 CVEs 21 MITREs 2 Malwares 8 IOCs 2 Observables
-
AlienVault Confidence 100 15 MITREs 2 IOCs 2 Observables
-
20 MITREs 1 Malware
-
18 MITREs 5 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 23 MITREs 8 Malwares 23 IOCs 23 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
-
1 CVE 21 MITREs 2 Malwares 1 Observable 1 APT
-
14 MITREs 1 Observable
-
20 MITREs 2 Malwares 10 Observables 1 APT
-
19 MITREs 10 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 2 Malwares 14 IOCs 14 Observables 1 APT
Vulnerabilities (CVE) (43)
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector
- Adjacent
- Published
- 30/09/2022
- Modified
- 20/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/04/2026
- Modified
- 11/05/2026
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector
- Local
- Complexity
- Low
- Published
- 15/11/2017
- Modified
- 29/05/2026
Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …
- Attack vector
- Network
- Published
- 13/09/2023
- Modified
- 21/12/2025
Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.
- Attack vector
- Network
- Published
- 13/02/2024
- Modified
- 27/05/2026
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An …
- Published
- 10/02/2022
- Modified
- 20/12/2025
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/04/2026
- Modified
- 09/04/2026
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …
- Attack vector
- Network
- Published
- 13/02/2025
- Modified
- 21/12/2025
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/05/2026
- Modified
- 18/06/2026
Tool (2)
-
PoshC2 usesThe MITRE Corporation Confidence 100
[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
-
ROADTools usesThe MITRE Corporation Confidence 100
[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)
Campaign (3)
-
Anthropic AI-orchestrated Campaign uses
-
Frankenstein uses
-
Operation Wocao uses