
Graphiron Threat From Nodaria(UAC-0056) To Ukraine
The Russia-linked Nodaria espionage group (aka UAC-0056) is using a new piece of information-stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to gather a wide variety of information from the infected computer, including system information, credentials, screen content, and files.
Indicators of Compromise
Domains (14)
confirmation-request.info
xbeta.online
emailreques-secure.info
chasereques-secure09.info
secure-transmmisions.info
transfer-currently.info
eumr.site
shell.run
nirsoft.me
secure09-authrequest.info
permission-online.info
blue-escorts.com
forkscenter.fr
helponline-auth.info
Hashes (157)
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
IPv4 (10)
178.162.222.44
37.58.60.153
94.46.175.132
185.244.41.109
111.90.151.182
194.31.98.124
178.162.212.26
91.242.229.35
185.59.221.226
45.84.0.116
CVEs (4)
CVE-2021-1636
CVE-2022-30190
CVE-2017-11882
CVE-2021-40444
APT Groups
SaintBear
Russian Federation
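As an added example (not part of this report or of any vendor tooling), the following Python script checks proxy/DNS log lines against the domain and IPv4 indicators listed above. The key=value log format and the sample lines are constructed for the demonstration; the indicator values are the ones from the IoC section. It matches domains by label suffix, so a host under a listed domain is caught while a name that merely contains a listed domain as a substring is not.

```python
import ipaddress
import re

# Domain and IPv4 indicators copied from the IoC section of this report.
IOC_DOMAINS = {
    "confirmation-request.info", "xbeta.online", "emailreques-secure.info",
    "chasereques-secure09.info", "secure-transmmisions.info",
    "transfer-currently.info", "eumr.site", "shell.run", "nirsoft.me",
    "secure09-authrequest.info", "permission-online.info", "blue-escorts.com",
    "forkscenter.fr", "helponline-auth.info",
}
IOC_IPS = {
    ipaddress.ip_address(a) for a in (
        "178.162.222.44", "37.58.60.153", "94.46.175.132", "185.244.41.109",
        "111.90.151.182", "194.31.98.124", "178.162.212.26", "91.242.229.35",
        "185.59.221.226", "45.84.0.116",
    )
}

# Hypothetical key=value log format (constructed for this example).
_KV = re.compile(r"(\w+)=(\S+)")


def domain_indicator(host):
    """Return the listed domain that `host` equals or sits under, else None.

    Walks the label suffixes of the host, so `cdn.xbeta.online` hits
    `xbeta.online` while `notxbeta.online` (a substring match only) does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return None


def ip_indicator(value):
    """Return the listed IP that `value` equals, else None (non-IPs ignored)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None


def scan_log(lines):
    """Match each key=value log line against the indicator sets.

    Returns a list of (line_number, field, indicator) hits. The `host` and
    `query` fields are checked against domains, `dst` against IPv4 addresses.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(_KV.findall(line))
        for key in ("host", "query"):
            if key in fields:
                ind = domain_indicator(fields[key])
                if ind:
                    hits.append((n, key, ind))
        if "dst" in fields:
            ind = ip_indicator(fields["dst"])
            if ind:
                hits.append((n, "dst", ind))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a
# documentation range and example.com a reserved name.
SAMPLE_LOG = [
    "ts=2023-02-08T10:14:02Z src=10.0.0.5 dst=185.244.41.109 host=secure09-authrequest.info",
    "ts=2023-02-08T10:14:09Z src=10.0.0.5 dst=203.0.113.10 host=www.example.com",
    "ts=2023-02-08T10:15:31Z src=10.0.0.7 query=cdn.xbeta.online",
    "ts=2023-02-08T10:16:00Z src=10.0.0.9 query=notxbeta.online",
    "ts=2023-02-08T10:17:45Z src=10.0.0.9 dst=45.84.0.116 host=45.84.0.116",
]

if __name__ == "__main__":
    for n, field, ind in scan_log(SAMPLE_LOG):
        print(f"line {n}: {field} matched indicator {ind}")
```

Running the script reports four hits on the sample lines: the domain and the IP on line 1, the subdomain on line 3, and the IP on line 5; line 4 is left alone because suffix matching does not treat `notxbeta.online` as `xbeta.online`, and an IP placed in the `host` field is only ever compared against the IP set.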
Notes
<div><b>Conclusions</b></div><div>The best protection against modern cyber-attacks is a defense-in-depth architecture. Start with reducing your attack surface and employing automated controls to prevent most security incidents. For the few incidents that get through your defenses, you want to lean on security operations, either in-house or through a managed service, and leverage strong detection and response tools. </div><div><br></div><div>Integrated reputation services can stop an attack during multiple stages – from an initial phishing email, through the execution of a previously unknown payload, through to the successful compromise and subsequent call home to a C&C server. </div>
Mitigation
<div><b><font>Ember Bear</font></b></div><div><b><font><br></font></b></div><div><font style="">Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[1][2][3]</font></div><div><font style=""><br></font></div><div><font style=""><font><b>Associated Group Descriptions</b></font><br></font></div><div><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font color="#262626"><span style="font-weight: 400;">Name</span></font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font color="#262626"><span style="font-weight: 400;">Description</span></font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; 
vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626">Saint Bear</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">[1]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626">UNC2589</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" target="_blank" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">[2]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626">UAC-0056</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: 
baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">[1]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626">Lorec53</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">[1]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626">Lorec Bear</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">[1]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626">Bleeding Bear</font></td><td style="box-sizing: border-box; padding: 
0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" style="box-sizing: border-box; background-color: transparent;"><font color="#262626" style="">[1]</font></a></span></span></p></td></tr></tbody></table><font><font><b>Techniques Used</b></font></font></div><div><table class="table techniques-used background table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; border-bottom: 2px solid rgb(222, 226, 230); background: rgb(242, 242, 242);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font color="#262626" style=""><span style="font-weight: 400;">Domain</span></font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font color="#262626"><span style="font-weight: 400;">ID</span></font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font 
color="#262626"><span style="font-weight: 400;">Name</span></font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font color="#262626"><span style="font-weight: 400;">Use</span></font></th></tr></thead><tbody style="box-sizing: border-box;"><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1059</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; background-color: transparent;">PowerShell</a></font></td><td style="box-sizing: border-box; 
padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used PowerShell to download and execute malicious code.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; background-color: 
transparent;">Windows Command Shell</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> had used <code style="box-sizing: border-box; word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">cmd.exe</code> and Windows Script Host (wscript) to execute malicious code.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.007</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a 
href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; background-color: transparent;">JavaScript</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used JavaScript to execute malicious code on a victim's machine.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1203</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a 
href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Exploitation for Client Execution</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has exploited Microsoft Office vulnerability CVE-2017-11882.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1562</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; background-color: transparent;"><font 
color="#262626">.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; background-color: transparent;">Disable or Modify Tools</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has executed a batch script designed to disable Windows Defender on a compromised host.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; background-color: 
transparent;"><font color="#262626">T1105</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Ingress Tool Transfer</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used tools to download malicious code.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1112</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a 
href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Modify Registry</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used an open source batch script to modify Windows Defender registry keys.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1027</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; background-color: transparent;"><font 
color="#262626">Obfuscated Files or Information</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has obfuscated malware to help avoid detection.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Binary Padding</font></a></td><td style="box-sizing: border-box; 
padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has added extra spaces between JavaScript code characters to increase the overall file size.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Software Packing</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid 
rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has packed malware to help avoid detection.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.010</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Command Obfuscation</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a 
href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has obfuscated malicious scripts to help avoid detection.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1588</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/002" 
style="box-sizing: border-box; background-color: transparent;">Tool</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has obtained and used open source scripts from GitHub.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/003" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; background-color: transparent;">Obtain Capabilities</a>: <a 
href="https://attack.mitre.org/techniques/T1588/003" style="box-sizing: border-box; background-color: transparent;">Code Signing Certificates</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has stolen legitimate certificates to sign malicious payloads.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1566</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; background-color: transparent;"><font 
color="#262626">.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; background-color: transparent;">Spearphishing Attachment</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid 
rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; background-color: transparent;">Spearphishing Link</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has sent spearphishing emails containing malicious links.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); 
border-image: initial;"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1553</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; background-color: transparent;">Code Signing</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used stolen certificates from Electrum Technologies GmbH to sign payloads.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 
223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1218</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/002" style="box-sizing: border-box; background-color: transparent;">Control Panel</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used control panel files (CPL), delivered via e-mail, for execution.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent 
enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1204</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; background-color: transparent;">Malicious Link</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has attempted to lure users to click on a malicious link within a spearphishing email.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; 
line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; background-color: transparent;">Malicious File</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has attempted to lure victims into executing malicious files.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span 
style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font color="#262626">Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1102</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Web Service</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1003" style="box-sizing: border-box; background-color: transparent;">Ember Bear</a> has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; 
vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; background-color: transparent;">[3]</a></span></span></font></p></td></tr></tbody></table><font style=""><b style="">Software</b></font><br></div><div><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font style="">ID</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Name</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>References</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Techniques</font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 
0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1017" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S1017</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1017" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>OutSteel</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[3]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1119" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Collection</a>, <a href="https://attack.mitre.org/techniques/T1020" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Exfiltration</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and 
Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious Link</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S1018</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Saint Bot</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[3]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a 
href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1622" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Debugger Evasion</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a 
href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Packing</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a>, <a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asynchronous Procedure Call</a>, <a 
href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">InstallUtil</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Regsvr32</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information 
Discovery</a>, <a href="https://attack.mitre.org/techniques/T1614" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Location Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious Link</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; 
vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0689" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0689</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0689" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>WhisperGate</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/who-is-ember-bear/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Process with Token</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 
124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1485" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Destruction</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Wipe</a>: <a href="https://attack.mitre.org/techniques/T1561/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Structure Wipe</a>, <a 
href="https://attack.mitre.org/techniques/T1561" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Wipe</a>: <a href="https://attack.mitre.org/techniques/T1561/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disk Content Wipe</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a 
href="https://attack.mitre.org/techniques/T1542" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pre-OS Boot</a>: <a href="https://attack.mitre.org/techniques/T1542/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bootkit</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a>, <a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Reflective Code Loading</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">InstallUtil</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service 
Execution</a>, <a href="https://attack.mitre.org/techniques/T1529" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Shutdown/Reboot</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Time Based Evasion</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a></font></td></tr></tbody></table></div>