T1129: T1129
Essential information
- MITRE technique ID
T1129- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 01:08
- Author / Source
- The MITRE Corporation
Aliases
Shared Modules
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
The Gentlemen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL0P relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mirai relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Nexus Team relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NyashTeam and Kapchenka relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Proton66 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SideCopy relatedThe MITRE Corporation Confidence 100
[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Silver Fox relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Swan Vector relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA2726, TA2727 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (87)
-
SHELBYC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Numero usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Margulas RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FlawedGrace usesFamily The MITRE Corporation Confidence 100
[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
PUNCHBUGGY usesFamily The MITRE Corporation Confidence 100
[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PanthomVAI usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AMOS usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FlawedAmmyy usesFamily The MITRE Corporation Confidence 100
[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of…
First seen 01/01/1970 · Last seen 16/11/5138 · -
8Base usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PRIVATELOADER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Stealc usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Meow usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (37)
-
17 MITREs 3 Malwares 1 Observable
-
TINKYWINKEY KEYLOGGER related12 MITREs 1 Malware 3 Observables
-
1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
-
8 MITREs 3 Malwares 20 Observables
-
7 MITREs 3 Malwares 16 Observables 1 APT
-
10 MITREs 3 Malwares
-
15 MITREs 4 Malwares 48 Observables 1 APT
-
9 MITREs 3 Malwares 28 Observables 1 APT
-
5 MITREs 1 Malware 11 Observables
-
12 MITREs 4 Malwares 96 Observables 1 APT
-
The Shelby Strategy related13 MITREs 2 Malwares 1 APT
-
20 MITREs 3 Malwares 48 Observables 1 APT
Vulnerabilities (CVE) (34)
Privilege escalation vulnerability was discovered in Atera Agent 1.8.4.4 and prior on Windows due to mishandling of privileged APIs.
- Attack vector
- LOCAL
- Published
- 24/07/2023
- Modified
- 21/12/2025
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, …
- Attack vector
- NETWORK
- Published
- 05/11/2025
- Modified
- 15/03/2026
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …
- Attack vector
- NETWORK
- Published
- 13/04/2024
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector
- Network
- Published
- 19/07/2023
- Modified
- 27/05/2026
Apple iOS, iPadOS, macOS, tvOS, and watchOS RTKit contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 05/03/2024
- Modified
- 04/04/2026
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and …
- Attack vector
- NETWORK
- Published
- 18/07/2023
- Modified
- 21/12/2025
Reflected Cross-Site Scripting (XSS)
- Attack vector
- NETWORK
- Published
- 19/07/2023
- Modified
- 21/12/2025
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.
- Attack vector
- Local
- Published
- 26/07/2023
- Modified
- 21/12/2025
Privilege Escalation to root administrator (nsroot)
- Attack vector
- ADJACENT_NETWORK
- Published
- 19/07/2023
- Modified
- 21/12/2025
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the …
- Attack vector
- NETWORK
- Published
- 03/04/2023
- Modified
- 21/12/2025
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause arbitrary code execution, denial of service and loss …
- Attack vector
- NETWORK
- Published
- 30/01/2023
- Modified
- 21/12/2025
- Published
- 20/12/2025
- Modified
- 20/12/2025