SOC Incident Toolkit
Xworm Enters Through the Door Follina Left Open

Tags: Xworm, Follina, RAT, Trojan, China

Security researchers have identified a new wave of attacks delivering XWorm malware through the Follina vulnerability. XWorm is a commodity remote access trojan (RAT) sold on underground forums (see Conclusions below). Follina, tracked as CVE-2022-30190, is a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) on Windows, disclosed in May 2022: a crafted Office document references a remote HTML file through an external OLE object relationship, that HTML hands an ms-msdt: URL to the protocol handler, and msdt.exe then runs attacker-supplied commands without any macro being enabled.
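Added example, not from the original page or from any vendor tooling it cites: a static triage routine for a suspected Follina document. It checks the two artefacts the chain above depends on, an external oleObject relationship in the document's .rels parts and an ms-msdt: URL in the HTML that relationship would fetch. The OOXML container, the HTML snippet and the 198.51.100.7 URL are constructed here for the demo; the HTML is supplied as a constant, never fetched.

```python
"""Static triage for Follina-style (CVE-2022-30190) documents.
Added example: not code from the original page. Sample document, HTML and
URL are constructed inline; no network access is performed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# ms-msdt:/id <troubleshooter> (some samples used "-id"); PCWDiagnostic was the
# troubleshooter abused in the public exploit chain.
MSDT_URL = re.compile(r"ms-msdt:[/-]?id\s+\w+", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return (part, target) for every oleObject relationship marked External.
    Benign documents embed OLE objects internally (TargetMode absent); an
    External oleObject target is the Follina delivery tell."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def html_invokes_msdt(html):
    """True if the HTML hands the browser control an ms-msdt: URL."""
    return bool(MSDT_URL.search(html))


def triage(docx_bytes, fetched_html=""):
    """Combine both checks. fetched_html is whatever the analyst pulled from the
    external target in a sandbox; an empty string means it was not retrieved."""
    targets = external_ole_targets(docx_bytes)
    if targets and html_invokes_msdt(fetched_html):
        verdict = "follina-like"
    elif targets:
        verdict = "suspicious"  # external OLE target, payload not confirmed
    else:
        verdict = "clean"
    return {"external_ole": targets, "msdt_in_html": html_invokes_msdt(fetched_html),
            "verdict": verdict}


def build_sample_docx(target, mode="External"):
    """Constructed minimal OOXML container with one oleObject relationship.
    mode=None omits TargetMode, which is how a normal embedded object looks."""
    mode_attr = f' TargetMode="{mode}"' if mode else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode_attr}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for the remote HTML; the /param payload is elided.
SAMPLE_HTML = ('<html><body><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic /skip force /param ...";</script></body></html>')

# Placeholder URL (documentation range); public samples appended "!" to the target.
MALDOC = build_sample_docx("http://198.51.100.7/p.html!")
BENIGN = build_sample_docx("embeddings/oleObject1.bin", mode=None)

if __name__ == "__main__":
    print(triage(MALDOC, SAMPLE_HTML))
    print(triage(BENIGN))
```

The External/Internal distinction is what keeps this from flagging every document with an embedded spreadsheet; the HTML check is deliberately loose on the troubleshooter name so variants that swap PCWDiagnostic for another id still trip it.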

Indicators of Compromise

Domains (20)

huhuwarcanoefestival.com
assignments.one
barricks.org
template.one
tpaerospace.one
codezian.com
ftp.mgcpakistan.com
schedule.one
purepowerinc.net
templa.one
myvigyan.com
kbowlingslaw.com
kanaskanas.com
stnicholaschurch.ca
zaminkaran.ir
invoice.one
depotejarat.ir
list.one
four-quadrant.one
direct-trojan.com

Hashes (132)

de30f2ba2d8916db5ce398ed580714e2a8e75376f31dc346b0e3c898ee0ae4cf
b79ff504eb6ec509b8b6b870dc2f0113825d859b8a60cadc9c823b64a80dd294
c54e8c428f7ad12f846c245d3f3df1ba49cf3c6263d46c697ee100fbe7388416
033ea0509130e12f144decb1a913e3dc8b82f6bae1d34ad42938a777d80f3ee4
c206de14021f13ab79600168b85894fdb0867b3ed9a1c97646872be823bce7e3
7325f9869daa5593f3ced37024dc5188243639be9bf99fc32dc69f213812c3c7
47e8dd41fef63ad0fd0aec01a6b399aeb10a166abdc52f8983b7f034e86d1628
efab5faf974e8c33ea9c3bcab0fd09ca462f832240a1bbf6cc034748781b8980
771a288f300e2f79dfff9e4ac70c261b3fe96e679cd785dbcceced90590f8773
4b8a3dbc066a26bd90d4e4db9a480889731b6d2978542b48745136d9e77896ec
77c7613c4386ad8135369894fad416d9b89df08dad0c0c1848e2bba528d6b314
0a1935cd939e8a07266c43c0482e1fea80c65b7a49cf54356dcb58bc328a12fd
d6b485362befb392925282451d65aa23482584a49dd5b0e126218df773dc35d1
fa8d1e3147a5fe6056e01f89847441ec46175ba60b24a56b7fbdf2f907251dea
fd605437a25d51428aade79255036d49adb237144a52fc610984bd5ae8501271
c5eef8ff49eff0a9d02adf4a5e36ad3b656a325adc19ae5c66741fcea36e01d1
bc27e5a97b800778938af37f41f811fd4fc40af3b2e3f96e8013a7187e5cb4ce
1a00a9528823f789cb8aca09c51143c611510279023a5399f5af0495d55eba28
+112 more

IPv4 (15)

212.193.30.230
5.42.199.235
95.216.102.32
154.12.234.207
109.107.179.248
193.149.185.229
198.23.172.90
165.22.48.183
209.126.2.34
172.245.45.213
212.87.204.83
45.133.174.122
179.43.187.241
209.126.83.213
154.12.250.38

CVEs (1)

CVE-2022-30190
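Added example, not from the original page: the IOC lists above are published as run-together blobs (domains, 64-hex-character hashes and dotted quads with no separators), so the first job in a SOC is to split them back into matchable values. This code does that for short excerpts of the page's own blobs, then sweeps a few constructed telemetry lines (a hypothetical pipe-delimited DNS / connection / file / process feed, Sysmon-like in content) for IOC hits and for Follina's on-host tell, an Office process spawning msdt.exe with the PCWDiagnostic troubleshooter. The TLD set in the domain regex is only the TLDs that appear on this page; hostnames, paths and the feed layout are assumptions.

```python
"""Split the page's concatenated IOC blobs and sweep telemetry for them.
Added example: not code from the original page. Log lines, hostnames and the
feed format are constructed for the demo."""
import re

# Short excerpts of the page's blobs, exactly as the page concatenates them.
DOMAIN_BLOB = "huhuwarcanoefestival.comassignments.oneftp.mgcpakistan.comstnicholaschurch.cazaminkaran.ir"
HASH_BLOB = ("de30f2ba2d8916db5ce398ed580714e2a8e75376f31dc346b0e3c898ee0ae4cf"
             "b79ff504eb6ec509b8b6b870dc2f0113825d859b8a60cadc9c823b64a80dd294")
IP_BLOB = "212.193.30.2305.42.199.23595.216.102.32154.12.234.207"

# Only the TLDs seen on this page; a production tool would use the public suffix list.
TLDS = r"(?:com|org|net|one|ca|ir)"
# Lazy inner labels so the shortest name ending in a known TLD wins.
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*?\." + TLDS)


def split_domains(blob):
    return DOMAIN_RE.findall(blob)


def split_hashes(blob):
    """64 hex characters per digest (SHA-256 length)."""
    return re.findall(r"[0-9a-f]{64}", blob)


def _valid_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts)


def split_ips(blob):
    """Backtracking split of concatenated dotted quads, longest candidate first,
    so '212.193.30.2305.42.199.235' -> ['212.193.30.230', '5.42.199.235']."""
    def rec(i):
        if i == len(blob):
            return []
        for n in range(15, 6, -1):          # an IPv4 literal is 7..15 characters
            cand = blob[i:i + n]
            if len(cand) == n and _valid_ipv4(cand):
                rest = rec(i + n)
                if rest is not None:
                    return [cand] + rest
        return None
    return rec(0) or []


IOCS = {"domains": set(split_domains(DOMAIN_BLOB)),
        "hashes": set(split_hashes(HASH_BLOB)),
        "ips": set(split_ips(IP_BLOB))}

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def office_spawned_msdt(parent_image, image, cmdline):
    """Follina's host-side signature: an Office parent launching msdt.exe with the
    PCWDiagnostic troubleshooter. Fires on patched hosts too, which is desirable:
    someone still opened the document."""
    parent = parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return (parent in OFFICE and image.lower().endswith("msdt.exe")
            and "pcwdiagnostic" in cmdline.lower())


# Constructed telemetry, "kind|host|fields...". Hypothetical host ws-17.
LOG = [
    "dns|ws-17|assignments.one",
    "dns|ws-17|updates.example.net",
    "conn|ws-17|5.42.199.235|443",
    r"file|ws-17|C:\Users\a\AppData\Local\Temp\upd.exe|de30f2ba2d8916db5ce398ed580714e2a8e75376f31dc346b0e3c898ee0ae4cf",
    r"proc|ws-17|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param ...",
    r"proc|ws-17|C:\Windows\explorer.exe|C:\Windows\System32\msdt.exe|msdt.exe -id NetworkDiagnosticsWeb",
]


def sweep(lines, iocs=IOCS):
    """Return (host, alert_type, value) for every line that matches."""
    alerts = []
    for line in lines:
        f = line.split("|")
        kind, host = f[0], f[1]
        if kind == "dns" and f[2].lower() in iocs["domains"]:
            alerts.append((host, "dns", f[2]))
        elif kind == "conn" and f[2] in iocs["ips"]:
            alerts.append((host, "conn", f[2]))
        elif kind == "file" and f[3].lower() in iocs["hashes"]:
            alerts.append((host, "hash", f[2]))
        elif kind == "proc" and office_spawned_msdt(f[2], f[3], f[4]):
            alerts.append((host, "follina", f[4]))
    return alerts


if __name__ == "__main__":
    for alert in sweep(LOG):
        print(alert)
```

The IP splitter is a heuristic: a blob such as "1.2.3.41.2.3.4" has more than one valid decomposition, and longest-first picks one of them, so spot-check the output against the source count (the page says 15) before loading it into a blocklist. The explorer.exe-launched msdt.exe line is left unflagged on purpose; a user running a network troubleshooter is not Follina.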

Notes

Conclusions

Malware developers who bear little or no accountability can build malicious programs and sell them on underground forums for profit. To attract more buyers they bundle high-impact features such as ransomware and HVNC (hidden VNC) modules. Defenders need a process for tracking the TTPs of newly launched threats and the new techniques adopted by existing cybercriminal groups.

Mitigation

Patch and harden

Microsoft fixed CVE-2022-30190 in the June 2022 Windows security updates; apply them. Where that is not yet possible, Microsoft's published workaround is to disable the MSDT URL protocol handler: back up the HKEY_CLASSES_ROOT\ms-msdt registry key with reg export, delete it with reg delete, and restore it with reg import once the update is installed. Independently of patch state, alert on msdt.exe being spawned by an Office process, and treat the domains, IPs and hashes above as block-list candidates after validating them against your own traffic.

TTPs

For this campaign the Initial Access technique that matters is T1566.001, Spearphishing Attachment: Follina is triggered from a crafted Office document that references a remote HTML file through an external OLE object relationship and invokes the ms-msdt: handler, so the phished document is the door and XWorm is what walks through it. The full MITRE ATT&CK Initial Access tactic is reproduced below for reference.

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Techniques (9)

T1189 Drive-by Compromise (https://attack.mitre.org/techniques/T1189)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token (T1550.001).

T1190 Exploit Public-Facing Application (https://attack.mitre.org/techniques/T1190)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

T1133 External Remote Services (https://attack.mitre.org/techniques/T1133)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management (T1021.006) and VNC (T1021.005) can also be used externally.

T1200 Hardware Additions (https://attack.mitre.org/techniques/T1200)
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media, T1091), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

T1566 Phishing (https://attack.mitre.org/techniques/T1566)
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

T1566.001 Spearphishing Attachment (https://attack.mitre.org/techniques/T1566/001)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution (T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

T1566.002 Spearphishing Link (https://attack.mitre.org/techniques/T1566/002)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

T1566.003 Spearphishing via Service (https://attack.mitre.org/techniques/T1566/003)
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

T1091 Replication Through Removable Media (https://attack.mitre.org/techniques/T1091)
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

T1195 Supply Chain Compromise (https://attack.mitre.org/techniques/T1195)
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

T1195.001 Compromise Software Dependencies and Development Tools (https://attack.mitre.org/techniques/T1195/001)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.

T1195.002 Compromise Software Supply Chain (https://attack.mitre.org/techniques/T1195/002)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

T1195.003 Compromise Hardware Supply Chain (https://attack.mitre.org/techniques/T1195/003)
Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.

T1199 Trusted Relationship (https://attack.mitre.org/techniques/T1199)
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

T1078 Valid Accounts (https://attack.mitre.org/techniques/T1078)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

T1078.001 Default Accounts (https://attack.mitre.org/techniques/T1078/001)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.

T1078.002 Domain Accounts (https://attack.mitre.org/techniques/T1078/002)
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

T1078.003 Local Accounts (https://attack.mitre.org/techniques/T1078/003)
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

T1078.004 Cloud Accounts (https://attack.mitre.org/techniques/T1078/004)
Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.