T1129: T1129
Essential information
- MITRE technique ID
T1129- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 01:08
- Author / Source
- The MITRE Corporation
Aliases
Shared Modules
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
Raspberry Robin usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT36, SideCopy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lazarus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Andromeda/Gamarue usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA577 usesThe MITRE Corporation Confidence 100
[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…
First seen 01/01/1970 · Last seen 16/11/5138 · -
REF8685 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Vo1d usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hannibal Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GhostEmperor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (87)
-
SHELBYC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Numero usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Margulas RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FlawedGrace usesFamily The MITRE Corporation Confidence 100
[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
PUNCHBUGGY usesFamily The MITRE Corporation Confidence 100
[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PanthomVAI usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AMOS usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FlawedAmmyy usesFamily The MITRE Corporation Confidence 100
[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
8Base usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PRIVATELOADER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Stealc usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Meow usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (37)
-
AlienVault Confidence 100 18 MITREs 3 IOCs 1 APT
-
AlienVault Confidence 100 24 MITREs 4 Malwares 9 IOCs 9 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
-
17 MITREs 3 Malwares 1 Observable
-
19 MITREs 4 Observables
-
2 CVEs 19 MITREs 2 Malwares 14 Observables 1 APT
-
18 MITREs 5 Malwares 28 Observables
-
10 MITREs
-
19 MITREs 1 Malware 8 Observables 1 APT
-
20 MITREs 1 Malware 5 Observables
-
14 MITREs 3 Malwares 1 APT
-
14 MITREs 1 Malware
Vulnerabilities (CVE) (34)
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
- Attack vector
- LOCAL
- Published
- 10/01/2024
- Modified
- 15/03/2026
Out of bounds memory access in Mojo in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who had compromised the renderer …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025
Windows Common Log File System Driver Elevation of Privilege Vulnerability
- Attack vector
- LOCAL
- Published
- 13/08/2024
- Modified
- 21/12/2025
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in …
- Attack vector
- NETWORK
- Published
- 26/07/2023
- Modified
- 21/12/2025
Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted …
- Attack vector
- Network
- Complexity
- LOW
- Published
- 23/01/2024
- Modified
- 04/04/2026
Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out …
- Attack vector
- Network
- Published
- 22/05/2023
- Modified
- 03/03/2026
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support …
- Attack vector
- NETWORK
- Published
- 19/04/2023
- Modified
- 21/12/2025
RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …
- Attack vector
- Local
- Published
- 24/08/2023
- Modified
- 27/05/2026
Secure Boot Security Feature Bypass Vulnerability
- Attack vector
- LOCAL
- Published
- 11/01/2022
- Modified
- 20/12/2025
Apple iOS, iPadOS, macOS, tvOS, watchOS, and visionOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 05/03/2024
- Modified
- 04/04/2026