T1560.001: T1560.001
Essential information
- MITRE technique ID
T1560.001- Confidence
- 100/100
- Revoked
- No
- Published
- 20/02/2020 22:01
- Modified
- 15/04/2026 13:26
- Author / Source
- The MITRE Corporation
Aliases
Archive via Utility
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | collection |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (55)
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UNC1151 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Silent Lynx usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-1567 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MirrorFace usesAlienVault Confidence 100
[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SHADOW-EARTH-053 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (61)
-
ClickFix usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ccf32 usesFamily The MITRE Corporation Confidence 100
[ccf32](https://attack.mitre.org/software/S1043) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign; there is also a similar x64 version.(Citation: Bitdefender…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Remcos RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
iKitten usesFamily The MITRE Corporation Confidence 100
[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).
First seen 01/01/1970 · Last seen 16/11/5138 · -
Ramsay usesFamily The MITRE Corporation Confidence 100
[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BeaverTail usesThe MITRE Corporation Confidence 100
[BeaverTail](https://attack.mitre.org/software/S1246) is a malware that has both a JavaScript and C++ variant. Active since 2022, [BeaverTail](https://attack.mitre.org/software/S1246) is capable of stealing logins from browsers and serves as a downloader…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MiyaRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CSharp Streamer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TONESHELL usesThe MITRE Corporation Confidence 100
[TONESHELL](https://attack.mitre.org/software/S1239) is a custom backdoor that has been used since at least Q1 2021.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) [TONESHELL](https://attack.mitre.org/software/S1239) malware has previously been leveraged…
First seen 01/01/1970 · Last seen 16/11/5138 · -
node-ipc usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GraphSteel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (36)
-
5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
-
20 MITREs 6 Observables
-
9 MITREs 3 Malwares 10 Observables 1 APT
-
17 MITREs 7 Observables
-
14 MITREs 7 Malwares 4 Observables 1 APT
-
25 MITREs 4 Malwares 1 APT
-
32 MITREs 6 Malwares
-
26 MITREs 2 Malwares 1 Observable 1 APT
-
8 MITREs 1 Malware 1 APT
-
15 MITREs 3 Malwares 43 Observables 1 APT
Vulnerabilities (CVE) (18)
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication …
- Attack vector
- Network
- Complexity
- Low
- Published
- 12/06/2026
- Modified
- 12/06/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector
- Adjacent
- Published
- 30/09/2022
- Modified
- 20/12/2025
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
- Attack vector
- Network
- Published
- 09/09/2024
- Modified
- 21/12/2025
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 11/06/2026
- Modified
- 12/06/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector
- Network
- Published
- 30/09/2022
- Modified
- 20/12/2025
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …
- Attack vector
- Network
- Published
- 23/09/2025
- Modified
- 12/03/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 05/06/2026
- Modified
- 25/06/2026
Tool (3)
-
Rclone usesThe MITRE Corporation Confidence 100
[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
-
PoshC2 usesThe MITRE Corporation Confidence 100
[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
-
certutil usesThe MITRE Corporation Confidence 100
[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
Campaign (6)
-
FunnyDream uses
-
Operation Honeybee uses
-
Operation Dream Job uses
-
C0026 uses
-
Operation CuckooBees uses
-
APT28 Nearest Neighbor Campaign uses
Course Of Action (1)
-
Audit mitigates