T1518.001: T1518.001
Essential information
- MITRE technique ID
T1518.001- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:16
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Aliases
Security Software Discovery
Platforms
windows macos linux IaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (55)
-
The MITRE Corporation Confidence 100
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ToddyCat usesThe MITRE Corporation Confidence 100
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Storm-0501 usesThe MITRE Corporation Confidence 100
[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GlassWorm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Storm-1575 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Water Saci usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA397 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (82)
-
PhantomNet usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RogueRobin usesFamily The MITRE Corporation Confidence 100
[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
graphnode usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
InvisiMole usesFamily The MITRE Corporation Confidence 100
[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that…
First seen 01/01/1970 · Last seen 16/11/5138 · -
WarzoneRAT usesFamily The MITRE Corporation Confidence 100
[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
FELIXROOT usesFamily The MITRE Corporation Confidence 100
[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
AdaptixC2 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
QakBot - S0650 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NiceRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MarkiRAT usesFamily The MITRE Corporation Confidence 100
[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
SSLoad usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LunarWeb usesFamily The MITRE Corporation Confidence 100
[LunarWeb](https://attack.mitre.org/software/S1141) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
18 MITREs 2 Malwares 18 Observables 1 APT
-
25 MITREs 2 Observables
-
21 MITREs 3 Malwares 14 Observables 1 APT
-
15 MITREs 4 Malwares
-
14 MITREs 7 Malwares 4 Observables 1 APT
-
25 MITREs 4 Malwares 1 APT
-
1 CVE 16 MITREs 2 Malwares 6 Observables 1 APT
-
TINKYWINKEY KEYLOGGER related12 MITREs 1 Malware 3 Observables
-
1 CVE 21 MITREs 3 Malwares 37 Observables 1 APT
-
Like PuTTY in Admin's Hands related16 MITREs 2 Malwares
-
10 MITREs 2 Malwares 1 APT
-
17 MITREs 2 Malwares 26 Observables 1 APT
Vulnerabilities (CVE) (15)
RoundCube Webmail contains a cross-site scripting vulnerability. This vulnerability could allow a remote attacker to steal and send emails of a victim …
- Attack vector
- Network
- Published
- 09/06/2025
- Modified
- 21/12/2025
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector
- Local
- Complexity
- Low
- Published
- 15/11/2017
- Modified
- 29/05/2026
Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …
- Published
- 03/11/2021
- Modified
- 29/05/2026
Campaign (1)
-
KV Botnet Activity uses
Tool (2)
-
Brute Ratel C4 usesThe MITRE Corporation Confidence 100
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
-
netsh usesThe MITRE Corporation Confidence 100
[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)