T1560.001: T1560.001
Essential information
- MITRE technique ID
T1560.001- Confidence
- 100/100
- Revoked
- No
- Published
- 20/02/2020 22:01
- Modified
- 15/04/2026 13:26
- Author / Source
- The MITRE Corporation
Aliases
Archive via Utility
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | collection |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (54)
-
The MITRE Corporation Confidence 100
[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100
[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Sowbug usesThe MITRE Corporation Confidence 100
[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL-STA-1062 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lunar Spider usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mercenary Akula usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ToddyCat usesThe MITRE Corporation Confidence 100
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Turla, UNC4210 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (60)
-
SocGholish usesThe MITRE Corporation Confidence 100
[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ShadowPad - S0596 usesFamily
-
Latrodectus usesThe MITRE Corporation Confidence 100
[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
WindTail usesFamily The MITRE Corporation Confidence 100
[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mimikatz usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KOPILUWAK uses
-
Remcos usesFamily
-
INMemory web shell usesFamily
-
Family
-
PUBLOAD usesFamily
-
GODZILLA usesFamily
-
NOODLERAT usesFamily
Reports (34)
-
AlienVault Confidence 100 2 CVEs 19 MITREs 8 Malwares 57 IOCs 6 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 3 Malwares 6 IOCs 1 APT
-
AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
-
AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
-
30 MITREs 1 Malware 3 Observables
-
16 MITREs 2 Malwares 4 Observables
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
-
AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables
-
5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
Vulnerabilities (CVE) (17)
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector
- Adjacent
- Published
- 30/09/2022
- Modified
- 20/12/2025
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
- Attack vector
- Network
- Published
- 09/09/2024
- Modified
- 21/12/2025
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 11/06/2026
- Modified
- 12/06/2026
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector
- Network
- Published
- 30/09/2022
- Modified
- 20/12/2025
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …
- Attack vector
- Network
- Published
- 23/09/2025
- Modified
- 12/03/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 21/12/2025
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 05/06/2026
- Modified
- 25/06/2026
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …
- Attack vector
- Network
- Published
- 13/02/2025
- Modified
- 21/12/2025
Tool (3)
-
Rclone usesThe MITRE Corporation Confidence 100
[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
-
PoshC2 usesThe MITRE Corporation Confidence 100
[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
-
certutil usesThe MITRE Corporation Confidence 100
[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
Campaign (6)
-
FunnyDream uses
-
Operation Honeybee uses
-
Operation Dream Job uses
-
C0026 uses
-
Operation CuckooBees uses
-
APT28 Nearest Neighbor Campaign uses
Course Of Action (1)
-
Audit mitigates