T1497.003: T1497.003
Essential information
- MITRE technique ID
T1497.003- Confidence
- 100/100
- Revoked
- No
- Published
- 06/03/2020 22:11
- Modified
- 13/04/2026 17:17
- Author / Source
- The MITRE Corporation
Aliases
Time Based Checks
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (22)
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC5174 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Vect usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
SLOW#TEMPEST usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNK_CraftyCamel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ShadyPanda usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LofyGang usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DPRK usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Gamaredon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Winnti usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Clubfoot Wolf usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
Metamorfo - S0455 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NetSupport Manager usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LP-Notes usesAlienVault Confidence 100
[LP-Notes](https://attack.mitre.org/software/S9036) is a C/C++ Windows credential stealer used by [MuddyWater](https://attack.mitre.org/groups/G0069). [LP-Notes](https://attack.mitre.org/software/S9036) was named after the `lp-notes.txt` file that is used to store stolen credentials.(Citation: ESET_MuddyWater_Dec2025)
First seen 01/01/1970 · Last seen 16/11/5138 · -
ValleyRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RaccoonO365 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GoldenSpy usesFamily The MITRE Corporation Confidence 100
[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SystemBC usesAlienVault Confidence 100
[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Latrodectus usesThe MITRE Corporation Confidence 100
[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RuntimeHost usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
XCSSET usesFamily The MITRE Corporation Confidence 100
[XCSSET](https://attack.mitre.org/software/S0658) is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Infinity V+ usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
metaMain usesFamily The MITRE Corporation Confidence 100
[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (31)
-
8 MITREs 4 Malwares 6 Observables
-
Raspberry Robin Analysis related2 CVEs 20 MITREs 2 Malwares 126 Observables
-
9 MITREs 3 Malwares
-
9 MITREs 3 Malwares 12 Observables
-
14 MITREs 1 Malware 6 Observables 1 APT
-
3 CVEs 18 MITREs 4 Malwares 99 Observables 1 APT
-
14 MITREs 1 Malware 24 Observables
Vulnerabilities (CVE) (13)
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …
- Attack vector
- Network
- Published
- 27/03/2025
- Modified
- 21/12/2025
Tool (2)
-
Brute Ratel C4 usesThe MITRE Corporation Confidence 100
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
-
evilginx2 usesThe MITRE Corporation Confidence 75
[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…
Campaign (1)
-
Operation Dream Job uses