T1556.003: Pluggable Authentication Modules
- https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772), citable: False
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://github.com/Achiefs/fim (#779), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/citronneur/pamspy (#466), citable: False
- https://github.com/zephrax/linux-pam-backdoor (#181), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False (TACTICS OR TECHNIQUES WRONG)
T1056.001: Keylogging
- https://github.com/anko/xkbcat (#691), citable: False
- https://github.com/QuokkaLight/rkduck (#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/croemheld/lkm-rootkit (#628), citable: False (TACTICS OR TECHNIQUES WRONG)
T1003: OS Credential Dumping
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
T1552.005: Cloud Instance Metadata API
missing from ATT&CK
T1110.002: Password Cracking
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1003.007: Proc Filesystem
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True
- https://github.com/NetSPI/sshkey-grab (#619), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True (TACTICS OR TECHNIQUES WRONG)
T1555.005: Password Managers
- https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (#816), citable: False
T1040: Network Sniffing
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Eterna1/puszek-rootkit (#670), citable: False
T1558: Steal or Forge Kerberos Tickets
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
- https://github.com/CiscoCXSecurity/linikatz (#156), citable: False
- https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (#241), citable: False
- https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (#240), citable: False
- https://github.com/fireeye/SSSDKCMExtractor (#520), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/blacklanternsecurity/KCMTicketFormatter (#519), citable: False
T1555: Credentials from Password Stores
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1552: Unsecured Credentials
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692), citable: True
T1552.004: Private Keys
- https://github.com/SecurityFail/kompromat (#813), citable: False
- https://github.com/MegaManSec/SSH-Snake (#791), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/NetSPI/sshkey-grab (#619), citable: False
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524), citable: True (TACTICS OR TECHNIQUES WRONG)
T1110.003: Password Spraying
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716), citable: True
T1649: Steal or Forge Authentication Certificates
- https://github.com/aviat/passe-partout (#704), citable: False
T1552.003: Bash History
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
T1212: Exploitation for Credential Access
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692), citable: True
T1110: Brute Force
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700), citable: True
- https://asec.ahnlab.com/en/54647/ (#707), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True (TACTICS OR TECHNIQUES WRONG)
T1003.008: /etc/passwd and /etc/shadow
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
T1556: Modify Authentication Process
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700), citable: True
T1129: Shared Modules
missing from ATT&CK
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True (TACTICS OR TECHNIQUES WRONG)
T1053.003: Cron
- https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (#816), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://sansec.io/research/cronrat (#399), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1106: Native API
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True (TACTICS OR TECHNIQUES WRONG)
T1610: Deploy Container
missing from ATT&CK
T1053.001: At (Linux)
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
T1059: Command and Scripting Interpreter
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://redcanary.com/blog/process-streams/ (#494), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
T1204: User Execution
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719), citable: False
- https://github.com/sad0p/d0zer (#782), citable: False
T1072: Software Deployment Tools
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
T1059.004: Unix Shell
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True (TACTICS OR TECHNIQUES WRONG)
T1559: Inter-Process Communication
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
T1569: System Services
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
T1569.002: Service Execution
missing from ATT&CK
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
T1486: Data Encrypted for Impact
- https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (#544), citable: True
- https://blog.polyswarm.io/darkangels-linux-ransomware (#666), citable: True
- https://twitter.com/Unit42_Intel/status/1653760405792014336 (#695), citable: True
- https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753), citable: True
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638), citable: False
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (#102), citable: True
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442), citable: True
- https://github.com/h3xduck/Umbra (#668), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.signalblur.io/through-the-looking-glass (#756), citable: True
- https://github.com/niveb/NoCrypt (#673), citable: False
- https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374), citable: True
- https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#758), citable: True
- https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (#546), citable: True
- https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (#656), citable: True
- https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496), citable: True
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101), citable: False
- https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (#644), citable: True
T1499: Endpoint Denial of Service
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676), citable: False
- https://asec.ahnlab.com/en/49769/ (#624), citable: True
- https://asec.ahnlab.com/en/50316/ (#621), citable: True
T1496: Resource Hijacking
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://github.com/tstromberg/malware-menagerie (#795), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
- https://ultimacybr.co.uk/2023-10-04-Sysrv/ (#767), citable: True
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://asec.ahnlab.com/en/54647/ (#707), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1565.002: Transmitted Data Manipulation
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1485: Data Destruction
- https://cert.gov.ua/article/4501891 (#651), citable: True
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True
- https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786), citable: True
T1498: Network Denial of Service
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676), citable: False
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702), citable: True
- https://asec.ahnlab.com/en/54647/ (#707), citable: True
T1490: Inhibit System Recovery
T1561.001: Disk Content Wipe
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True
- https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786), citable: True
T1529: System Shutdown/Reboot
T1205.002: Socket Filters
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (#433), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://github.com/h3xduck/TripleCross (#465), citable: False
- https://github.com/vbpf/ebpf-samples (#215), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True
- https://packetstormsecurity.com/files/22121/cd00r.c.html (#597), citable: False
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://pastebin.com/kmmJuuQP (#802), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://github.com/citronneur/pamspy (#466), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://github.com/snapattack/bpfdoor-scanner (#437), citable: False
- https://github.com/wunderwuzzi23/Offensive-BPF (#469), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/ebpfkit (#151), citable: False
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397), citable: True
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152), citable: False
- https://twitter.com/inversecos/status/1527188391347068928 (#435), citable: False
- https://github.com/aojea/netkat (#464), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1037: Boot or Logon Initialization Scripts
T1556.003: Pluggable Authentication Modules
- https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772), citable: False
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://github.com/Achiefs/fim (#779), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://github.com/citronneur/pamspy (#466), citable: False
- https://github.com/zephrax/linux-pam-backdoor (#181), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
T1543: Create or Modify System Process
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
T1133: External Remote Services
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True (TACTICS OR TECHNIQUES WRONG)
T1542.003: Bootkit
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
T1053.003: Cron
- https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (#816), citable: False
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://sansec.io/research/cronrat (#399), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662), citable: False
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1098.003: Additional Cloud Roles
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1205: Traffic Signaling
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://pastebin.com/kmmJuuQP (#802), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1525: Implant Internal Image
missing from ATT&CK
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692), citable: True
T1505.003: Web Shell
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1574.006: Dynamic Linker Hijacking
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://github.com/namazso/linux_injector (#599), citable: False
- https://github.com/dsnezhkov/zombieant (#793), citable: False
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
- https://github.com/darrenmartyn/malware_samples (#530), citable: False
- https://github.com/NixOS/patchelf (#443), citable: False
- https://github.com/gianlucaborello/libprocesshider (#776), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/nginrat (#94), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397), citable: True
- https://github.com/mav8557/Father (#606), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
T1053.001: At (Linux)
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
T1098.004: SSH Authorized Keys
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700), citable: True
T1205.001: Port Knocking
- https://asec.ahnlab.com/en/55785/ (#733), citable: True
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1554: Compromise Client Software Binary
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True
- https://hckng.org/articles/perljam-elf64-virus.html (#735), citable: False
T1136.003: Cloud Account
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1098: Account Manipulation
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1547.006: Kernel Modules and Extensions
- https://github.com/m0nad/Diamorphine (#217), citable: False
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254), citable: False
- https://github.com/QuokkaLight/rkduck (#667), citable: False
- https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/reveng007/reveng_rtkit (#669), citable: False
- https://asec.ahnlab.com/en/55785/ (#733), citable: True
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True
- https://github.com/pmorjan/kmod (#654), citable: False
- https://github.com/h3xduck/Umbra (#668), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- http://www.ouah.org/LKM_HACKING.html (#257), citable: False
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
- https://github.com/niveb/NoCrypt (#673), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/CraigHRowland/status/1593102427276050433 (#587), citable: False
- https://github.com/jermeyyy/rooty (#440), citable: False
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705), citable: False
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575), citable: False
- https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612), citable: True
- https://github.com/jafarlihi/modreveal (#609), citable: False
- https://github.com/Eterna1/puszek-rootkit (#670), citable: False
- https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111), citable: True
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1574: Hijack Execution Flow
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719), citable: False
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/krie (#498), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1078: Valid Accounts
- https://github.com/MegaManSec/SSH-Snake (#791), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
- https://asec.ahnlab.com/en/49769/ (#624), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True (TACTICS OR TECHNIQUES WRONG)
T1546.004: Unix Shell Configuration Modification
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://github.com/darrenmartyn/malware_samples (#530), citable: False
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655), citable: True
T1100: Web Shell
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1505: Server Software Component
- https://hckng.org/articles/perljam-elf64-virus.html (#735), citable: False
T1037.004: RC Scripts
- https://www.mandiant.com/resources/unc3524-eye-spy-email (#414), citable: True
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1543.002: Systemd Service
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1136: Create Account
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1574.002: DLL Side-Loading
missing from ATT&CK
- https://github.com/airman604/jdbc-backdoor (#607), citable: False
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1556: Modify Authentication Process
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700), citable: True
T1037: Boot or Logon Initialization Scripts
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True (TACTICS OR TECHNIQUES WRONG)
T1543: Create or Modify System Process
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
T1053.003: Cron
- https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (#816), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/cronrat (#399), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1055: Process Injection
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1611: Escape to Host
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1574.006: Dynamic Linker Hijacking
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/namazso/linux_injector (#599), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/dsnezhkov/zombieant (#793), citable: False
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/darrenmartyn/malware_samples (#530), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/NixOS/patchelf (#443), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/gianlucaborello/libprocesshider (#776), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/nginrat (#94), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397), citable: True
- https://github.com/mav8557/Father (#606), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False (TACTICS OR TECHNIQUES WRONG)
T1053.001: At (Linux)
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True (TACTICS OR TECHNIQUES WRONG)
T1548: Abuse Elevation Control Mechanism
- https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483), citable: True
- https://github.com/Frissi0n/GTFONow (#771), citable: False
- https://github.com/Gui774ume/krie (#498), citable: False
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1548.001: Setuid and Setgid
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True (TACTICS OR TECHNIQUES WRONG)
T1134.004: Parent PID Spoofing
missing from ATT&CK
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False (TACTICS OR TECHNIQUES WRONG)
T1547.006: Kernel Modules and Extensions
- https://github.com/m0nad/Diamorphine (#217), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254), citable: False
- https://github.com/QuokkaLight/rkduck (#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/reveng007/reveng_rtkit (#669), citable: False
- https://asec.ahnlab.com/en/55785/ (#733), citable: True
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/pmorjan/kmod (#654), citable: False
- https://github.com/h3xduck/Umbra (#668), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- http://www.ouah.org/LKM_HACKING.html (#257), citable: False
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/niveb/NoCrypt (#673), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/CraigHRowland/status/1593102427276050433 (#587), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/jermeyyy/rooty (#440), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575), citable: False
- https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/jafarlihi/modreveal (#609), citable: False
- https://github.com/Eterna1/puszek-rootkit (#670), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111), citable: True
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1574: Hijack Execution Flow
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499), citable: False
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719), citable: False
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False
- https://github.com/Gui774ume/krie (#498), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1078: Valid Accounts
- https://github.com/MegaManSec/SSH-Snake (#791), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
- https://asec.ahnlab.com/en/49769/ (#624), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
missing from ATT&CK
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False (TACTICS OR TECHNIQUES WRONG)
T1068: Exploitation for Privilege Escalation
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499), citable: False
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False
- https://github.com/Gui774ume/krie (#498), citable: False
T1546.004: Unix Shell Configuration Modification
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/darrenmartyn/malware_samples (#530), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655), citable: True
T1100: Web Shell
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.009: Proc Memory
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://github.com/NetSPI/sshkey-grab (#619), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1037.004: RC Scripts
- https://www.mandiant.com/resources/unc3524-eye-spy-email (#414), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1543.002: Systemd Service
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1574.002: DLL Side-Loading
missing from ATT&CK
- https://github.com/airman604/jdbc-backdoor (#607), citable: False
T1055.008: Ptrace System Calls
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False (TACTICS OR TECHNIQUES WRONG)
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False (TACTICS OR TECHNIQUES WRONG)
T1021.005: VNC
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1021.004: SSH
- https://github.com/MegaManSec/SSH-Snake (#791), citable: False
- https://www.mandiant.com/resources/unc3524-eye-spy-email (#414), citable: True
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://rushter.com/blog/public-ssh-keys/ (#754), citable: False
- https://github.com/QuokkaLight/rkduck (#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524), citable: True
T1563.001: SSH Hijacking
- https://github.com/aviat/passe-partout (#704), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True (TACTICS OR TECHNIQUES WRONG)
T1021.002: SMB/Windows Admin Shares
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1021: Remote Services
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
T1072: Software Deployment Tools
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
T1205.002: Socket Filters
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (#433), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://github.com/h3xduck/TripleCross (#465), citable: False
- https://github.com/vbpf/ebpf-samples (#215), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://packetstormsecurity.com/files/22121/cd00r.c.html (#597), citable: False
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://pastebin.com/kmmJuuQP (#802), citable: False
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://github.com/citronneur/pamspy (#466), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://github.com/snapattack/bpfdoor-scanner (#437), citable: False
- https://github.com/wunderwuzzi23/Offensive-BPF (#469), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725), citable: True
- https://github.com/Gui774ume/ebpfkit (#151), citable: False
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397), citable: True
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152), citable: False
- https://twitter.com/inversecos/status/1527188391347068928 (#435), citable: False
- https://github.com/aojea/netkat (#464), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1027.009: Embedded Payloads
- https://asec.ahnlab.com/en/45182/ (#603), citable: True
T1556.003: Pluggable Authentication Modules
- https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772), citable: False
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://github.com/Achiefs/fim (#779), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://github.com/citronneur/pamspy (#466), citable: False
- https://github.com/zephrax/linux-pam-backdoor (#181), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
T1014: Rootkit
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/QuokkaLight/rkduck (#667), citable: False
- https://github.com/reveng007/reveng_rtkit (#669), citable: False
- https://github.com/h3xduck/Umbra (#668), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705), citable: False
- https://github.com/Eterna1/puszek-rootkit (#670), citable: False
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1578: Modify Cloud Compute Infrastructure
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1542.003: Bootkit
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
T1036.005: Match Legitimate Name or Location
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://sansec.io/research/cronrat (#399), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://github.com/darrenmartyn/malware_samples (#530), citable: False
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
- https://asec.ahnlab.com/ko/55070/ (#709), citable: True
- https://asec.ahnlab.com/en/50316/ (#621), citable: True
- https://sansec.io/research/nginrat (#94), citable: True
- https://asec.ahnlab.com/en/55229/ (#722), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1564: Hide Artifacts
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
T1070.002: Clear Linux or Mac System Logs
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True
- https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (#706), citable: False
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- https://github.com/Kabot/mig-logcleaner-resurrected (#154), citable: False
- https://asec.ahnlab.com/en/54647/ (#707), citable: True
T1202: Indirect Command Execution
missing from ATT&CK
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197), citable: False
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415), citable: False
T1140: Deobfuscate/Decode Files or Information
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True
- https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp (#721), citable: True
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
T1562: Impair Defenses
- https://github.com/codewhitesec/apollon (#734), citable: False
- https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (#550), citable: False
- https://github.com/dsnezhkov/zombieant (#793), citable: False
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575), citable: False
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692), citable: True
- https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739), citable: False
- https://github.com/codewhitesec/daphne (#740), citable: False
T1036: Masquerading
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724), citable: True
- https://twitter.com/xnand_/status/1676336329985077249 (#710), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (#433), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686), citable: True
- https://github.com/snapattack/bpfdoor-scanner (#437), citable: False
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://twitter.com/inversecos/status/1527188391347068928 (#435), citable: False
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1055: Process Injection
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1205: Traffic Signaling
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://pastebin.com/kmmJuuQP (#802), citable: False
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725), citable: True
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1218: System Binary Proxy Execution
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719), citable: False
T1070.006: Timestomp
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
T1620: Reflective Code Loading
- https://www.form3.tech/engineering/content/bypassing-ebpf-tools (#584), citable: False
- https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (#745), citable: False
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499), citable: False
- https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (#747), citable: False
- https://github.com/vbpf/ebpf-samples (#215), citable: False
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False
- https://github.com/X-C3LL/memdlopen-lib (#605), citable: False
- https://github.com/trustedsec/ELFLoader (#416), citable: False
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True
- https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (#436), citable: False
- https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (#231), citable: False
- https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (#736), citable: False
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False
- https://redcanary.com/blog/ebpf-for-security/ (#270), citable: False
- https://github.com/guitmz/memrun (#592), citable: False
- https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (#567), citable: False
- https://github.com/Gui774ume/krie (#498), citable: False
- https://github.com/m1m1x/memdlopen (#175), citable: False
- http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (#242), citable: False
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197), citable: False
- https://github.com/nnsee/fileless-elf-exec (#193), citable: False
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415), citable: False
T1497.003: Time Based Evasion
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1599.001: Network Address Translation Traversal
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1562.004: Disable or Modify System Firewall
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
T1610: Deploy Container
missing from ATT&CK
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
T1574.006: Dynamic Linker Hijacking
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/namazso/linux_injector (#599), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/dsnezhkov/zombieant (#793), citable: False
- https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
- https://github.com/darrenmartyn/malware_samples (#530), citable: False
- https://github.com/NixOS/patchelf (#443), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/gianlucaborello/libprocesshider (#776), citable: False
- https://sansec.io/research/nginrat (#94), citable: True
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397), citable: True
- https://github.com/mav8557/Father (#606), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
T1222: File and Directory Permissions Modification
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
T1548: Abuse Elevation Control Mechanism
- https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483), citable: True
- https://github.com/Frissi0n/GTFONow (#771), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/krie (#498), citable: False
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1548.001: Setuid and Setgid
- https://www.mandiant.com/resources/unc2891-overview (#112), citable: True
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
T1562.006: Indicator Blocking
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660), citable: True (TACTICS OR TECHNIQUES WRONG)
T1070: Indicator Removal
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://github.com/snapattack/bpfdoor-scanner (#437), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://twitter.com/inversecos/status/1527188391347068928 (#435), citable: False
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1036.004: Masquerade Task or Service
T1480: Execution Guardrails
- https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753), citable: True
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
T1205.001: Port Knocking
- https://asec.ahnlab.com/en/55785/ (#733), citable: True
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1562.003: Impair Command History Logging
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True
T1134.004: Parent PID Spoofing
missing from ATT&CK
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False
T1562.001: Disable or Modify Tools
- https://github.com/codewhitesec/apollon (#734), citable: False
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/krie (#498), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
- https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739), citable: False
- https://github.com/codewhitesec/daphne (#740), citable: False
T1601: Modify System Image
missing from ATT&CK
- https://github.com/Achiefs/fim (#779), citable: False
- https://github.com/marin-m/vmlinux-to-elf (#726), citable: False
T1574: Hijack Execution Flow
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499), citable: False
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719), citable: False
- https://github.com/hardenedvault/ved-ebpf (#737), citable: False
- https://github.com/Gui774ume/krie (#498), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1078: Valid Accounts
- https://github.com/MegaManSec/SSH-Snake (#791), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
- https://asec.ahnlab.com/en/49769/ (#624), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
missing from ATT&CK
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False
T1027: Obfuscated Files or Information
- https://www.mandiant.com/resources/unc3524-eye-spy-email (#414), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596), citable: True
- https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True
- https://sansec.io/research/cronrat (#399), citable: True
- https://github.com/trustedsec/ELFLoader (#416), citable: False
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/nginrat (#94), citable: True
- https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True
T1036.003: Rename System Utilities
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719), citable: False
T1027.004: Compile After Delivery
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
T1562.008: Disable Cloud Logs
missing from ATT&CK
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
T1578.002: Create Cloud Instance
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1055.009: Proc Memory
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://github.com/NetSPI/sshkey-grab (#619), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
T1070.004: File Deletion
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
- https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542), citable: True
T1027.002: Software Packing
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://github.com/NozomiNetworks/upx-recovery-tool (#535), citable: False
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625), citable: True
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- https://github.com/89luca89/pakkero (#718), citable: False
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True
- https://github.com/SilentVoid13/Silent_Packer (#783), citable: False
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1622: Debugger Evasion
- https://github.com/0xor0ne/debugoff (#755), citable: False
T1574.002: DLL Side-Loading
missing from ATT&CK
- https://github.com/airman604/jdbc-backdoor (#607), citable: False
T1055.008: Ptrace System Calls
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461), citable: False
- https://grugq.github.io/docs/ul_exec.txt (#463), citable: False
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False
T1027.007: Dynamic API Resolution
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1564.001: Hidden Files and Directories
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://github.com/QuokkaLight/rkduck (#667), citable: False
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True
- https://github.com/reveng007/reveng_rtkit (#669), citable: False
- https://github.com/h3xduck/Umbra (#668), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705), citable: False
- https://github.com/Eterna1/puszek-rootkit (#670), citable: False
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1480.001: Environmental Keying
- https://twitter.com/sethkinghi/status/1397814848549900288 (#717), citable: True
- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714), citable: True
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716), citable: True
T1556: Modify Authentication Process
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700), citable: True
T1567: Exfiltration Over Web Service
- https://haxrob.net/fastcash-for-linux/ (#815), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
- https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (#407), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://www.archcloudlabs.com/projects/debuginfod/ (#796), citable: False
T1020: Automated Exfiltration
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True (TACTICS OR TECHNIQUES WRONG)
T1041: Exfiltration Over C2 Channel
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
T1048: Exfiltration Over Alternative Protocol
- https://github.com/QuokkaLight/rkduck (#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/DeimosC2/DeimosC2 (#652), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
- https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (#751), citable: False
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524), citable: True
T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
- https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1033: System Owner/User Discovery
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
T1613: Container and Resource Discovery
missing from ATT&CK
T1069: Permission Groups Discovery
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1069.003: Cloud Groups
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1087.002: Domain Account
- https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (#635), citable: False
T1007: System Service Discovery
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1040: Network Sniffing
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542), citable: True
- https://github.com/Eterna1/puszek-rootkit (#670), citable: False
T1082: System Information Discovery
- https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787), citable: False
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True
- https://asec.ahnlab.com/en/50316/ (#621), citable: True
- https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716), citable: True
T1497.003: Time Based Evasion
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1580: Cloud Infrastructure Discovery
missing from ATT&CK
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692), citable: True (TACTICS OR TECHNIQUES WRONG)
T1016: System Network Configuration Discovery
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
T1083: File and Directory Discovery
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
- https://www.guitmz.com/linux-nasty-elf-virus/ (#642), citable: False (TACTICS OR TECHNIQUES WRONG)
T1619: Cloud Storage Object Discovery
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1057: Process Discovery
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/darrenmartyn/malware_samples (#530), citable: False
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527), citable: True
- https://www.guitmz.com/linux-nasty-elf-virus/ (#642), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462), citable: False
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524), citable: True
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702), citable: True
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716), citable: True
T1526: Cloud Service Discovery
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1018: Remote System Discovery
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://rushter.com/blog/public-ssh-keys/ (#754), citable: False
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1046: Network Service Discovery
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1518: Software Discovery
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
T1622: Debugger Evasion
- https://github.com/0xor0ne/debugoff (#755), citable: False (TACTICS OR TECHNIQUES WRONG)
T1124: System Time Discovery
missing from ATT&CK
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
T1560.001: Archive via Utility
T1056.001: Keylogging
- https://github.com/anko/xkbcat (#691), citable: False
- https://github.com/QuokkaLight/rkduck (#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/croemheld/lkm-rootkit (#628), citable: False (TACTICS OR TECHNIQUES WRONG)
T1602: Data from Configuration Repository
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1005: Data from Local System
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
T1560.002: Archive via Library
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
T1213.003: Code Repositories
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1602.001: SNMP (MIB Dump)
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1583.008: Malvertising
missing from ATT&CK
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724), citable: True
- https://twitter.com/xnand_/status/1676336329985077249 (#710), citable: True
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711), citable: False
T1587.001: Malware
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516), citable: True
T1587.002: Code Signing Certificates
missing from ATT&CK
- https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817), citable: True
T1608.001: Upload Malware
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1583.001: Domains
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1608.002: Upload Tool
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1588.001: Malware
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1584: Compromise Infrastructure
missing from ATT&CK
- https://www.mandiant.com/resources/unc3524-eye-spy-email (#414), citable: True
T1608: Stage Capabilities
missing from ATT&CK
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724), citable: True
- https://twitter.com/xnand_/status/1676336329985077249 (#710), citable: True
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711), citable: False
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1588.002: Tool
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1585: Establish Accounts
missing from ATT&CK
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724), citable: True
- https://twitter.com/xnand_/status/1676336329985077249 (#710), citable: True
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711), citable: False
T1588: Obtain Capabilities
missing from ATT&CK
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724), citable: True
- https://twitter.com/xnand_/status/1676336329985077249 (#710), citable: True
- https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711), citable: False
T1590.002: DNS
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1594: Search Victim-Owned Websites
missing from ATT&CK
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
T1589: Gather Victim Identity Information
missing from ATT&CK
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
T1595.002: Vulnerability Scanning
missing from ATT&CK
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
T1595: Active Scanning
missing from ATT&CK
T1590: Gather Victim Network Information
missing from ATT&CK
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1593: Search Open Websites/Domains
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
T1592.002: Software
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1589.001: Credentials
missing from ATT&CK
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
T1205.002: Socket Filters
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (#433), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://github.com/h3xduck/TripleCross (#465), citable: False
- https://github.com/vbpf/ebpf-samples (#215), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True
- https://packetstormsecurity.com/files/22121/cd00r.c.html (#597), citable: False
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://github.com/noptrix/fbkit (#684), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://pastebin.com/kmmJuuQP (#802), citable: False
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://github.com/citronneur/pamspy (#466), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://github.com/snapattack/bpfdoor-scanner (#437), citable: False
- https://github.com/wunderwuzzi23/Offensive-BPF (#469), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/ebpfkit (#151), citable: False
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397), citable: True
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152), citable: False
- https://twitter.com/inversecos/status/1527188391347068928 (#435), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/aojea/netkat (#464), citable: False
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (#421), citable: False
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1132.001: Standard Encoding
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646), citable: True
T1071.004: DNS
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766), citable: False
T1573.001: Symmetric Cryptography
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
- https://asec.ahnlab.com/ko/55070/ (#709), citable: True
- https://asec.ahnlab.com/en/55229/ (#722), citable: True
T1071: Application Layer Protocol
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625), citable: True
- https://github.com/DeimosC2/DeimosC2 (#652), citable: False
- https://x.com/haxrob/status/1762821513680732222 (#810), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646), citable: True
- https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (#751), citable: False
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://www.archcloudlabs.com/projects/debuginfod/ (#796), citable: False
- https://blog.talosintelligence.com/lazarus-collectionrat/ (#752), citable: True
T1205: Traffic Signaling
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424), citable: True
- https://pastebin.com/kmmJuuQP (#802), citable: False
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434), citable: True
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441), citable: True
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568), citable: False
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571), citable: False
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570), citable: False
- https://www.group-ib.com/blog/krasue-rat/ (#797), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (#421), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460), citable: False
- https://pastebin.com/raw/kmmJuuQP (#426), citable: False
T1572: Protocol Tunneling
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://x.com/haxrob/status/1762821513680732222 (#810), citable: True
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690), citable: True
T1092: Communication Through Removable Media
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625), citable: True
T1090.002: External Proxy
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True
T1090: Proxy
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784), citable: True
- https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789), citable: True
T1102: Web Service
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692), citable: True
T1205.001: Port Knocking
- https://asec.ahnlab.com/en/55785/ (#733), citable: True
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1071.002: File Transfer Protocols
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1090.003: Multi-hop Proxy
T1001: Data Obfuscation
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
T1571: Non-Standard Port
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1573: Encrypted Channel
- https://github.com/QuokkaLight/rkduck (#667), citable: False
- https://github.com/DeimosC2/DeimosC2 (#652), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658), citable: True
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646), citable: True
- https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (#751), citable: False
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
- https://github.com/R3tr074/brokepkg (#777), citable: False
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524), citable: True
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716), citable: True
- https://blog.talosintelligence.com/lazarus-collectionrat/ (#752), citable: True
T1573.002: Asymmetric Cryptography
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99), citable: True
T1095: Non-Application Layer Protocol
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://github.com/QuokkaLight/rkduck (#667), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/h3xduck/Umbra (#668), citable: False
- https://redcanary.com/blog/process-streams/ (#494), citable: False
- https://asec.ahnlab.com/en/50316/ (#621), citable: True
- https://github.com/croemheld/lkm-rootkit (#628), citable: False
T1001.003: Protocol Impersonation
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808), citable: True
- https://sansec.io/research/cronrat (#399), citable: True
T1132: Data Encoding
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447), citable: True
T1132.002: Non-Standard Encoding
- https://blog.exatrack.com/melofee/ (#620), citable: True
T1071.001: Web Protocols
- https://blog.exatrack.com/melofee/ (#620), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516), citable: True
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625), citable: True
- https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784), citable: True
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95), citable: True
- https://asec.ahnlab.com/en/49769/ (#624), citable: True
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321), citable: True
T1105: Ingress Tool Transfer
- https://cujo.com/threat-alert-krane-malware/ (#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True
- https://asec.ahnlab.com/en/49769/ (#624), citable: True
- http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766), citable: False
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
T1090.001: Internal Proxy
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8), citable: True
T1133: External Remote Services
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True
T1195.001: Compromise Software Dependencies and Development Tools
- https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787), citable: False
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294), citable: False (TACTICS OR TECHNIQUES WRONG)
T1566.001: Spearphishing Attachment
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655), citable: True
T1190: Exploit Public-Facing Application
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715), citable: True
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604), citable: True
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790), citable: True
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676), citable: False
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373), citable: True
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True
- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524), citable: True
- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (#665), citable: False
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720), citable: True
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744), citable: True
T1199: Trusted Relationship
- https://rushter.com/blog/public-ssh-keys/ (#754), citable: False
T1078: Valid Accounts
- https://github.com/MegaManSec/SSH-Snake (#791), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439), citable: True
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653), citable: False
- https://sysdig.com/blog/ssh-snake/ (#801), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129), citable: False
- https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678), citable: True
- https://asec.ahnlab.com/en/49769/ (#624), citable: True
- https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788), citable: True
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677), citable: False