T1129: T1129
Essential information
- MITRE technique ID
T1129- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:31
- Modified
- 27/03/2026 01:08
- Author / Source
- The MITRE Corporation
Aliases
Shared Modules
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (29)
-
Raspberry Robin usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT36, SideCopy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lazarus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Andromeda/Gamarue usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA577 usesThe MITRE Corporation Confidence 100
[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…
First seen 01/01/1970 · Last seen 16/11/5138 · -
REF8685 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Vo1d usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hannibal Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GhostEmperor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (87)
-
Matanbuchus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lumma Stealer usesThe MITRE Corporation Confidence 100
[Lumma Stealer](https://attack.mitre.org/software/S1213) is an information stealer malware family in use since at least 2022. [Lumma Stealer](https://attack.mitre.org/software/S1213) is a Malware as a Service (MaaS) where captured data has been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
VersaMem usesFamily The MITRE Corporation Confidence 100
[VersaMem](https://attack.mitre.org/software/S1154) is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, [VersaMem](https://attack.mitre.org/software/S1154) was used during [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) by…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Pickai usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FoggyWeb usesFamily The MITRE Corporation Confidence 100
[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Yurei Ransomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Spark RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TencShell usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ebury usesFamily The MITRE Corporation Confidence 100
[Ebury](https://attack.mitre.org/software/S0377) is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by [Windigo](https://attack.mitre.org/groups/G0124). [Ebury](https://attack.mitre.org/software/S0377) is primarily installed through modifying shared libraries (`.so` files) executed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CreepyDrive usesFamily The MITRE Corporation Confidence 100
[CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Reverse RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LightSpy usesFamily The MITRE Corporation Confidence 100
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (37)
-
17 MITREs 3 Malwares 1 Observable
-
TINKYWINKEY KEYLOGGER related12 MITREs 1 Malware 3 Observables
-
1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
-
8 MITREs 3 Malwares 20 Observables
-
7 MITREs 3 Malwares 16 Observables 1 APT
-
10 MITREs 3 Malwares
-
15 MITREs 4 Malwares 48 Observables 1 APT
-
9 MITREs 3 Malwares 28 Observables 1 APT
-
5 MITREs 1 Malware 11 Observables
-
12 MITREs 4 Malwares 96 Observables 1 APT
-
The Shelby Strategy related13 MITREs 2 Malwares 1 APT
-
20 MITREs 3 Malwares 48 Observables 1 APT
Vulnerabilities (CVE) (34)
Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web …
- Attack vector
- LOCAL
- Published
- 24/08/2021
- Modified
- 10/03/2026
Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute …
- Attack vector
- Local
- Published
- 02/07/2024
- Modified
- 21/12/2025
Apple iOS, iPadOS, macOS, and watchOS contain a memory initialization vulnerability that may allow a malicious application to disclose kernel memory.
- Published
- 03/11/2021
- Modified
- 03/03/2026
Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths. …
- Attack vector
- Network
- Published
- 25/07/2023
- Modified
- 21/12/2025
Use after free in WebRTC in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to potentially exploit heap corruption via a …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025
Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary …
- Attack vector
- Network
- Published
- 20/10/2025
- Modified
- 03/03/2026
Atera Agent through 1.8.3.6 on Windows Creates a Temporary File in a Directory with Insecure Permissions.
- Attack vector
- LOCAL
- Published
- 24/07/2023
- Modified
- 21/12/2025
Apple iOS. iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.
- Attack vector
- Local
- Published
- 23/06/2023
- Modified
- 03/03/2026
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an …
- Attack vector
- NETWORK
- Published
- 20/07/2023
- Modified
- 21/12/2025
Apple iOS, iPadOS, macOS, and watchOS contain a type confusion vulnerability that may allow a malicious application to execute code with kernel …
- Published
- 03/11/2021
- Modified
- 03/03/2026
Use after free in WebRTC in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to potentially exploit heap corruption via a …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025
Use after free in Tab Groups in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who convinced a user to engage …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025