T1132: T1132
Essential information
- MITRE technique ID
T1132- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Data Encoding
Platforms
windows macos linux ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | command-and-control |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (63)
-
Storm-0249 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
TA585 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NET_PA1N Reborn usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mallox usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Punishing Owl usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GreenSpot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Batavia usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NewsPenguin usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNK_SmudgedSerpent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (103)
-
ShadowPad - S0596 usesFamily
-
Ntospy uses
-
Dtrack - S0567 usesFamily
-
Wpeeper usesFamily
-
LockBit usesFamily
-
script.py uses
-
HappyDoor usesFamily
-
agent2.malz usesFamily
-
0debug usesFamily
-
CoinMiner usesFamily
-
Latrodectus usesFamily
-
TrackBak usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
15 MITREs 5 Malwares
-
3 CVEs 22 MITREs 5 Malwares 16 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 6 Malwares 20 IOCs 20 Observables
-
19 MITREs 4 Malwares 46 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 6 IOCs 6 Observables
-
AlienVault Confidence 100 19 MITREs 4 Malwares 31 IOCs 31 Observables
-
AlienVault Confidence 100 20 MITREs 7 Malwares 9 IOCs 9 Observables 1 APT
-
18 MITREs 5 Malwares 20 Observables 1 APT
-
1 CVE 16 MITREs 2 Malwares 1 Observable
-
20 MITREs 2 Malwares 5 Observables 1 APT
-
19 MITREs 2 Malwares 28 Observables 1 APT
-
AlienVault Confidence 100 27 MITREs 1 Malware 6 IOCs 6 Observables
Vulnerabilities (CVE) (73)
Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …
- Attack vector
- NETWORK
- Published
- 03/11/2021
- Modified
- 14/01/2026
Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 24/04/2017
- Modified
- 22/04/2026
Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
- Attack vector
- Local
- Published
- 08/04/2025
- Modified
- 21/12/2025
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …
- Attack vector
- NETWORK
- Published
- 21/07/2025
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 29/05/2026
A vulnerability was found in itsourcecode Tailoring Management System 1.0. It has been rated as critical. This issue affects some unknown processing …
- Attack vector
- NETWORK
- Published
- 01/02/2025
- Modified
- 21/12/2025
RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
- Published
- 09/12/2025
- Modified
- 21/12/2025
Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to …
- Published
- 22/10/2025
- Modified
- 21/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger before 2.0.63, where unsanitized input could be injected into the web …
- Attack vector
- NETWORK
- Published
- 05/05/2025
- Modified
- 21/12/2025
Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Tool (1)
-
Mythic usesThe MITRE Corporation Confidence 100
[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed…