T1119: T1119
Essential information
- MITRE technique ID
T1119- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:37
- Modified
- 27/03/2026 10:58
- Author / Source
- The MITRE Corporation
Aliases
Automated Collection
Platforms
windows macos linux IaaS Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | collection |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (58)
-
The MITRE Corporation Confidence 100
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TeamPCP usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Earth Berberoka usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mr_Rot13 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SneakyChef usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Banshee usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
alh1mik usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chimera usesThe MITRE Corporation Confidence 100
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (122)
-
PlugX - S0013 usesFamily
-
LameHug usesFamily
-
PureLogs usesFamily
-
AllaSenha usesFamily
-
BRUSHLOGGER usesFamily
-
BeaverTail usesFamily
-
JesterStealer uses
-
Valak uses
-
RollSling uses
-
ServHelper uses
-
Polar uses
-
CryptoAITools usesFamily
Reports (50)
-
19 MITREs 2 Malwares 91 Observables
-
19 MITREs 6 Malwares 13 Observables 1 APT
-
AlienVault Confidence 100 24 MITREs 19 IOCs 19 Observables
-
AlienVault Confidence 100 20 MITREs 5 Malwares 15 IOCs 15 Observables 1 APT
-
AlienVault Confidence 100 16 MITREs 4 IOCs 4 Observables 1 APT
-
AlienVault Confidence 100 13 MITREs 2 Malwares 5 IOCs 3 Observables
-
12 MITREs 1 Malware 2 Observables
-
12 MITREs 15 Observables 1 APT
-
12 MITREs 15 Observables 1 APT
-
14 MITREs 1 Malware 3 Observables 1 APT
-
16 MITREs 3 Malwares 1 Observable 1 APT
-
14 MITREs 3 Malwares 10 Observables 1 APT
Vulnerabilities (CVE) (37)
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
- Attack vector
- Network
- Published
- 17/10/2024
- Modified
- 21/12/2025
RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …
- Attack vector
- Local
- Published
- 24/08/2023
- Modified
- 27/05/2026
Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/05/2017
- Modified
- 22/04/2026
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 04/02/2022
- Modified
- 20/12/2025
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. …
- Attack vector
- Network
- Published
- 02/06/2023
- Modified
- 21/12/2025
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
- Attack vector
- Network
- Published
- 09/09/2024
- Modified
- 21/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …
- Attack vector
- Network
- Published
- 13/06/2023
- Modified
- 21/12/2025
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on …
- Published
- 15/02/2024
- Modified
- 21/12/2025
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Android Kernel contains a use-after-free vulnerability in binder.c that allows for privilege escalation from an application to the Linux Kernel. This vulnerability …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector
- Adjacent
- Published
- 30/09/2022
- Modified
- 20/12/2025
Tool (4)
-
PoshC2 usesThe MITRE Corporation Confidence 100
[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
-
ROADTools usesThe MITRE Corporation Confidence 100
[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)
-
ShimRatReporter usesThe MITRE Corporation Confidence 100
[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as…
-
NPPSPY usesThe MITRE Corporation Confidence 100
NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY…
Campaign (3)
-
Anthropic AI-orchestrated Campaign uses
-
Frankenstein uses
-
Operation Wocao uses
Course Of Action (2)
-
Remote Data Storage mitigates
-
Encrypt Sensitive Information mitigates