T1556.003: Pluggable Authentication Modules
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/citronneur/pamspy (timb-machine#466), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False (TACTICS OR TECHNIQUES WRONG)
T1056.001: Keylogging
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/anko/xkbcat (timb-machine#691), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False (TACTICS OR TECHNIQUES WRONG)
T1003: OS Credential Dumping
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
T1552.005: Cloud Instance Metadata API
missing from ATT&CK
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1110.002: Password Cracking
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1003.007: Proc Filesystem
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True
- https://github.com/NetSPI/sshkey-grab (timb-machine#619), citable: False
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True (TACTICS OR TECHNIQUES WRONG)
T1040: Network Sniffing
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Eterna1/puszek-rootkit (timb-machine#670), citable: False
T1558: Steal or Forge Kerberos Tickets
- https://github.com/CiscoCXSecurity/linikatz (timb-machine#156), citable: False
- https://github.com/fireeye/SSSDKCMExtractor (timb-machine#520), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
- https://github.com/blacklanternsecurity/KCMTicketFormatter (timb-machine#519), citable: False
- https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (timb-machine#240), citable: False
- https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (timb-machine#241), citable: False
T1555: Credentials from Password Stores
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1552: Unsecured Credentials
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (timb-machine#692), citable: True
T1552.004: Private Keys
- https://github.com/NetSPI/sshkey-grab (timb-machine#619), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (timb-machine#524), citable: True (TACTICS OR TECHNIQUES WRONG)
T1110.003: Password Spraying
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (timb-machine#716), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1649: Steal or Forge Authentication Certificates
- https://github.com/aviat/passe-partout (timb-machine#704), citable: False
T1552.003: Bash History
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
T1212: Exploitation for Credential Access
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (timb-machine#692), citable: True
T1110: Brute Force
- https://asec.ahnlab.com/en/54647/ (timb-machine#707), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (timb-machine#700), citable: True
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (timb-machine#653), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1003.008: /etc/passwd and /etc/shadow
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
T1556: Modify Authentication Process
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (timb-machine#700), citable: True
T1053.003: Cron
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://sansec.io/research/cronrat (timb-machine#399), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (timb-machine#662), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1106: Native API
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True (TACTICS OR TECHNIQUES WRONG)
T1610: Deploy Container
missing from ATT&CK
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1053.001: At (Linux)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
T1059: Command and Scripting Interpreter
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://redcanary.com/blog/process-streams/ (timb-machine#494), citable: False (TACTICS OR TECHNIQUES WRONG)
T1204: User Execution
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (timb-machine#719), citable: False
T1059.004: Unix Shell
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1569: System Services
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
T1569.002: Service Execution
missing from ATT&CK
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
T1486: Data Encrypted for Impact
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (timb-machine#442), citable: True
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (timb-machine#638), citable: False
- https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (timb-machine#546), citable: True
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (timb-machine#496), citable: True
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (timb-machine#101), citable: False
- https://github.com/niveb/NoCrypt (timb-machine#673), citable: False
- https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (timb-machine#644), citable: True
- https://github.com/h3xduck/Umbra (timb-machine#668), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.polyswarm.io/darkangels-linux-ransomware (timb-machine#666), citable: True
- https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (timb-machine#544), citable: True
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (timb-machine#102), citable: True
- https://twitter.com/malwrhunterteam/status/1422972905541996546 (timb-machine#374), citable: True
- https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (timb-machine#656), citable: True
T1499: Endpoint Denial of Service
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (timb-machine#623), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (timb-machine#676), citable: False
- https://asec.ahnlab.com/en/50316/ (timb-machine#621), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1496: Resource Hijacking
- https://asec.ahnlab.com/en/54647/ (timb-machine#707), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
T1565.002: Transmitted Data Manipulation
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
T1485: Data Destruction
- https://cert.gov.ua/article/4501891 (timb-machine#651), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True
T1498: Network Denial of Service
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True
- https://asec.ahnlab.com/en/54647/ (timb-machine#707), citable: True
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (timb-machine#702), citable: True
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (timb-machine#676), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1490: Inhibit System Recovery
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True
T1561.001: Disk Content Wipe
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True
T1529: System Shutdown/Reboot
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True
T1205.002: Socket Filters
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (timb-machine#419), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine#435), citable: False
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (timb-machine#433), citable: True
- https://github.com/aojea/netkat (timb-machine#464), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/ebpfkit (timb-machine#151), citable: False
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (timb-machine#405), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/vbpf/ebpf-samples (timb-machine#215), citable: False
- https://github.com/wunderwuzzi23/Offensive-BPF (timb-machine#469), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/h3xduck/TripleCross (timb-machine#465), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
- https://github.com/citronneur/pamspy (timb-machine#466), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://packetstormsecurity.com/files/22121/cd00r.c.html (timb-machine#597), citable: False
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (timb-machine#152), citable: False
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (timb-machine#397), citable: True
- https://github.com/snapattack/bpfdoor-scanner (timb-machine#437), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (timb-machine#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1037: Boot or Logon Initialization Scripts
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True
T1556.003: Pluggable Authentication Modules
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://github.com/citronneur/pamspy (timb-machine#466), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
T1543: Create or Modify System Process
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
T1133: External Remote Services
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1053.003: Cron
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://sansec.io/research/cronrat (timb-machine#399), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (timb-machine#662), citable: False
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1098.003: Additional Cloud Roles
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1205: Traffic Signaling
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (timb-machine#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1525: Implant Internal Image
missing from ATT&CK
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (timb-machine#692), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1505.003: Web Shell
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (timb-machine#373), citable: True
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (timb-machine#604), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1574.006: Dynamic Linker Hijacking
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False
- https://github.com/NixOS/patchelf (timb-machine#443), citable: False
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://github.com/namazso/linux_injector (timb-machine#599), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://github.com/mav8557/Father (timb-machine#606), citable: False
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (timb-machine#397), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://sansec.io/research/nginrat (timb-machine#94), citable: True (TACTICS OR TECHNIQUES WRONG)
T1053.001: At (Linux)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
T1098.004: SSH Authorized Keys
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (timb-machine#700), citable: True
T1205.001: Port Knocking
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
T1554: Compromise Client Software Binary
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True
- https://hckng.org/articles/perljam-elf64-virus.html (timb-machine#735), citable: False
T1136.003: Cloud Account
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1098: Account Manipulation
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1547.006: Kernel Modules and Extensions
- https://github.com/pmorjan/kmod (timb-machine#654), citable: False
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (timb-machine#750), citable: True
- https://github.com/niveb/NoCrypt (timb-machine#673), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://github.com/reveng007/reveng_rtkit (timb-machine#669), citable: False
- https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (timb-machine#612), citable: True
- https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (timb-machine#254), citable: False
- https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (timb-machine#111), citable: True
- https://github.com/h3xduck/Umbra (timb-machine#668), citable: False
- https://github.com/jafarlihi/modreveal (timb-machine#609), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
- http://www.ouah.org/LKM_HACKING.html (timb-machine#257), citable: False
- https://github.com/Eterna1/puszek-rootkit (timb-machine#670), citable: False
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (timb-machine#575), citable: False
- https://twitter.com/CraigHRowland/status/1593102427276050433 (timb-machine#587), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True
- https://github.com/jermeyyy/rooty (timb-machine#440), citable: False
- https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (timb-machine#683), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (timb-machine#705), citable: False
T1574: Hijack Execution Flow
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (timb-machine#719), citable: False
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (timb-machine#499), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (timb-machine#653), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1546.004: Unix Shell Configuration Modification
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (timb-machine#655), citable: True
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
T1100: Web Shell
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1505: Server Software Component
- https://hckng.org/articles/perljam-elf64-virus.html (timb-machine#735), citable: False
T1037.004: RC Scripts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine#414), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1543.002: Systemd Service
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
T1136: Create Account
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1574.002: DLL Side-Loading
missing from ATT&CK
- https://github.com/airman604/jdbc-backdoor (timb-machine#607), citable: False
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1556: Modify Authentication Process
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (timb-machine#700), citable: True
T1037: Boot or Logon Initialization Scripts
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True (TACTICS OR TECHNIQUES WRONG)
T1543: Create or Modify System Process
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True (TACTICS OR TECHNIQUES WRONG)
T1053.003: Cron
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://sansec.io/research/cronrat (timb-machine#399), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (timb-machine#662), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1055: Process Injection
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (timb-machine#604), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1574.006: Dynamic Linker Hijacking
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/NixOS/patchelf (timb-machine#443), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://github.com/namazso/linux_injector (timb-machine#599), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/mav8557/Father (timb-machine#606), citable: False
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (timb-machine#397), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/nginrat (timb-machine#94), citable: True (TACTICS OR TECHNIQUES WRONG)
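Added live-host check for T1574.006, written for this page and not taken from any of the references above. It looks for the three footprints a preload-style hijack leaves: an LD_PRELOAD variable in a process environment, entries in /etc/ld.so.preload, and shared objects mapped into a process from outside the normal library directories or already unlinked from disk. The trusted-prefix list and all sample data (SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_PRELOAD) are constructed assumptions, not observations from any cited sample.

```python
# Added check for T1574.006 (not code from any reference above). Signals a
# preload-style hijack leaves on a live host: LD_PRELOAD in a process
# environment, entries in /etc/ld.so.preload, and .so files mapped from outside
# the normal library directories or unlinked from disk. Sample data is constructed.
import os
import re

# Assumed set of directories where shared objects are expected on this host.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
_MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/.*)$")  # addr perms offset dev inode path

def parse_environ(raw):
    """/proc/<pid>/environ: NUL-separated KEY=VALUE records."""
    env = {}
    for rec in raw.split(b"\0"):
        key, sep, val = rec.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env

def parse_preload(text):
    """/etc/ld.so.preload: whitespace-separated paths, '#' starts a comment."""
    paths = []
    for line in text.splitlines():
        paths.extend(line.split("#", 1)[0].split())
    return paths

def mapped_objects(maps_text):
    """Distinct file-backed paths from /proc/<pid>/maps, keeping any ' (deleted)' suffix."""
    return {m.group(1) for m in map(_MAPS_RE.match, maps_text.splitlines()) if m}

def findings_for_process(env, maps_text, preload_text=""):
    """List of (signal, detail) for one process; an empty list means nothing notable."""
    out = []
    if env.get("LD_PRELOAD"):
        out.append(("LD_PRELOAD set", env["LD_PRELOAD"]))
    for path in parse_preload(preload_text):
        out.append(("/etc/ld.so.preload entry", path))
    for obj in sorted(mapped_objects(maps_text)):
        if not (obj.endswith(".so") or ".so." in obj or ".so " in obj):
            continue
        if obj.endswith("(deleted)"):
            out.append(("mapped .so unlinked from disk", obj))
        elif not obj.startswith(TRUSTED_LIB_PREFIXES):
            out.append(("mapped .so outside library dirs", obj))
    return out

def scan(proc_root="/proc", preload_path="/etc/ld.so.preload"):
    """Preload entries plus {pid: findings} for every visible process (root needed for others' environ)."""
    try:
        with open(preload_path) as fh:
            preload_entries = parse_preload(fh.read())
    except OSError:
        preload_entries = []
    per_pid = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
            with open(os.path.join(proc_root, name, "maps")) as fh:
                hits = findings_for_process(env, fh.read())
        except OSError:
            continue
        if hits:
            per_pid[int(name)] = hits
    return preload_entries, per_pid

# Constructed sample input: a process carrying LD_PRELOAD, a hook library mapped
# from a documentation directory, and a second library already unlinked from tmpfs.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/share/doc/.hidden/libhook.so\0HOME=/root\0"
SAMPLE_MAPS = """\
55d0c6a00000-55d0c6a1c000 r--p 00000000 fd:01 1311 /usr/bin/sshd
7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c401000 r-xp 00000000 fd:01 9001 /usr/share/doc/.hidden/libhook.so
7f3a1c800000-7f3a1c801000 r-xp 00000000 fd:01 0    /dev/shm/libdrop.so (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0    [stack]
"""
SAMPLE_PRELOAD = "# constructed sample\n/usr/share/doc/.hidden/libhook.so\n"

if __name__ == "__main__":
    preload, per_pid = scan()
    for path in preload:
        print("ld.so.preload:", path)
    for pid, hits in sorted(per_pid.items()):
        for signal, detail in hits:
            print(f"pid {pid}: {signal}: {detail}")
```

Two caveats before trusting the output. Userland rootkits of the kind several references above describe hook libc inside every dynamically linked process, and a Python interpreter is dynamically linked, so a hooked open()/readdir() can hide the preload file or the library from this very script; run it from a statically linked tool, from the host when scanning a container, or compare its view against an offline copy of the filesystem. Second, extension modules in virtualenvs, /opt installs and similar will show up under "outside library dirs"; treat that signal as a triage queue to baseline per host, not as a verdict.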
T1053.001: At (Linux)
deprecated in ATT&CK (now covered by T1053.002: At)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True (TACTICS OR TECHNIQUES WRONG)
T1548: Abuse Elevation Control Mechanism
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://twitter.com/ankit_anubhav/status/1490574137370103808 (timb-machine#483), citable: True
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1548.001: Setuid and Setgid
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
T1134.004: Parent PID Spoofing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1547.006: Kernel Modules and Extensions
- https://github.com/pmorjan/kmod (timb-machine#654), citable: False
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (timb-machine#750), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/niveb/NoCrypt (timb-machine#673), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://github.com/reveng007/reveng_rtkit (timb-machine#669), citable: False
- https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (timb-machine#612), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (timb-machine#254), citable: False
- https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (timb-machine#111), citable: True
- https://github.com/h3xduck/Umbra (timb-machine#668), citable: False
- https://github.com/jafarlihi/modreveal (timb-machine#609), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
- http://www.ouah.org/LKM_HACKING.html (timb-machine#257), citable: False
- https://github.com/Eterna1/puszek-rootkit (timb-machine#670), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (timb-machine#575), citable: False
- https://twitter.com/CraigHRowland/status/1593102427276050433 (timb-machine#587), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/jermeyyy/rooty (timb-machine#440), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (timb-machine#683), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (timb-machine#705), citable: False (TACTICS OR TECHNIQUES WRONG)
T1574: Hijack Execution Flow
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (timb-machine#719), citable: False
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (timb-machine#499), citable: False
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (timb-machine#653), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1068: Exploitation for Privilege Escalation
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (timb-machine#499), citable: False
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1546.004: Unix Shell Configuration Modification
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (timb-machine#655), citable: True
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True (TACTICS OR TECHNIQUES WRONG)
T1100: Web Shell
revoked in ATT&CK (Web Shell is now T1505.003)
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.009: Proc Memory
- https://github.com/NetSPI/sshkey-grab (timb-machine#619), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
T1037.004: RC Scripts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine#414), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1543.002: Systemd Service
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (timb-machine#618), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True (TACTICS OR TECHNIQUES WRONG)
T1574.002: DLL Side-Loading
missing from ATT&CK
- https://github.com/airman604/jdbc-backdoor (timb-machine#607), citable: False
T1055.008: Ptrace System Calls
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False (TACTICS OR TECHNIQUES WRONG)
T1021.005: VNC
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
T1021.004: SSH
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine#414), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (timb-machine#524), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1563.001: SSH Hijacking
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/aviat/passe-partout (timb-machine#704), citable: False (TACTICS OR TECHNIQUES WRONG)
T1021.002: SMB/Windows Admin Shares
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
T1021: Remote Services
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1205.002: Socket Filters
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (timb-machine#419), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine#435), citable: False
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (timb-machine#433), citable: True
- https://github.com/aojea/netkat (timb-machine#464), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/Gui774ume/ebpfkit (timb-machine#151), citable: False
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (timb-machine#405), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/vbpf/ebpf-samples (timb-machine#215), citable: False
- https://github.com/wunderwuzzi23/Offensive-BPF (timb-machine#469), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/h3xduck/TripleCross (timb-machine#465), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
- https://github.com/citronneur/pamspy (timb-machine#466), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://packetstormsecurity.com/files/22121/cd00r.c.html (timb-machine#597), citable: False
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (timb-machine#152), citable: False
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (timb-machine#397), citable: True
- https://github.com/snapattack/bpfdoor-scanner (timb-machine#437), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (timb-machine#725), citable: True
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
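Added hunting check for T1205.002, written for this page and not taken from any of the references above (it is not the cited bpfdoor-scanner). The implants in this cluster open an AF_PACKET raw socket, attach a classic BPF filter and wait for a magic packet instead of binding a listening port, so the durable host footprint is a raw packet socket held by a process that has no business sniffing, or by no visible process at all. The script parses /proc/net/packet, maps socket inodes back to processes through /proc/<pid>/fd and flags the unexpected owners. The allowlist of sniffer process names, the sample /proc/net/packet text and the process names used in the usage note are constructed assumptions.

```python
# Added hunting check for T1205.002 (not code from any reference above).
# Enumerate AF_PACKET sockets from /proc/net/packet and map each socket inode
# back to the processes holding it via /proc/<pid>/fd. A raw packet socket that
# no visible process owns, or that an unexpected process owns, is the footprint
# BPFDoor-style implants leave: they attach a classic BPF filter to such a
# socket and never bind a listening port. Sample data below is constructed.
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3   # socket type value in the Type column
# Assumed comm names that legitimately hold raw packet sockets (comm is 15 chars max).
DEFAULT_ALLOWLIST = frozenset({"tcpdump", "dhclient", "dhcpcd", "wpa_supplicant",
                               "NetworkManager", "systemd-network", "lldpd"})

@dataclass(frozen=True)
class PacketSocket:
    sock_type: int
    proto: int      # ethertype, e.g. 0x0800 = ETH_P_IP, 0x0003 = ETH_P_ALL
    ifindex: int    # 0 = not bound to a single interface
    uid: int
    inode: int

def parse_proc_net_packet(text):
    """Columns: sk RefCnt Type Proto Iface R Rmem User Inode (header line first)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append(PacketSocket(int(f[2]), int(f[3], 16), int(f[4]), int(f[7]), int(f[8])))
    return sockets

def socket_inodes_by_pid(proc_root="/proc"):
    """{pid: {socket inode, ...}} from socket:[N] links under /proc/<pid>/fd (root needed)."""
    result = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                result.setdefault(int(name), set()).add(int(m.group(1)))
    return result

def attribute(sockets, inodes_by_pid):
    """[(raw packet socket, [owning pids])]; an empty pid list means nothing visible owns it."""
    out = []
    for s in sockets:
        if s.sock_type != SOCK_RAW:
            continue
        out.append((s, sorted(p for p, ino in inodes_by_pid.items() if s.inode in ino)))
    return out

def flag(findings, comm_by_pid, allowlist=DEFAULT_ALLOWLIST):
    """Keep sockets with no visible owner or with an owner comm outside the allowlist."""
    flagged = []
    for sock, owners in findings:
        if not owners:
            flagged.append((sock, owners, "no visible owner (hidden process?)"))
            continue
        names = {comm_by_pid.get(p, "?") for p in owners}
        if not names <= allowlist:
            flagged.append((sock, owners, "unexpected owner: " + ",".join(sorted(names))))
    return flagged

# Constructed sample: one raw ETH_P_IP socket and one SOCK_DGRAM ETH_P_ALL socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0800   0     1 0      0      26114
0000000000000000 3      2    0003   2     1 0      0      31012
"""

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        socks = parse_proc_net_packet(fh.read())
    by_pid = socket_inodes_by_pid()
    comms = {}
    for pid in by_pid:
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comms[pid] = fh.read().strip()
        except OSError:
            pass
    for sock, owners, why in flag(attribute(socks, by_pid), comms):
        print(f"inode={sock.inode} proto=0x{sock.proto:04x} uid={sock.uid} pids={owners}: {why}")
```

Run it as root, since /proc/<pid>/fd of other users' processes is otherwise unreadable and every socket would look ownerless. /proc/net/packet shows the socket, not the filter attached to it; `ss -0pb` prints the attached classic BPF program if you want to confirm the second half of the technique. /proc/net is scoped to the network namespace, so containers need a separate pass. A socket with no visible owner is also what a process that exited a moment ago looks like, so re-run before treating it as a hidden process, and remember that a preload rootkit hooking readdir() in this interpreter can hide a PID directory; cross-check from a statically linked tool when the host is in doubt.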
T1027.009: Embedded Payloads
- https://asec.ahnlab.com/en/45182/ (timb-machine#603), citable: True
T1556.003: Pluggable Authentication Modules
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://github.com/citronneur/pamspy (timb-machine#466), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
T1014: Rootkit
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://github.com/reveng007/reveng_rtkit (timb-machine#669), citable: False
- https://github.com/h3xduck/Umbra (timb-machine#668), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
- https://github.com/Eterna1/puszek-rootkit (timb-machine#670), citable: False
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (timb-machine#705), citable: False
T1578: Modify Cloud Compute Infrastructure
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1036.005: Match Legitimate Name or Location
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/cronrat (timb-machine#399), citable: True
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://asec.ahnlab.com/en/55229/ (timb-machine#722), citable: True
- https://asec.ahnlab.com/en/50316/ (timb-machine#621), citable: True
- https://sansec.io/research/nginrat (timb-machine#94), citable: True
- https://asec.ahnlab.com/ko/55070/ (timb-machine#709), citable: True
T1070.002: Clear Linux or Mac System Logs
- https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (timb-machine#706), citable: False
- https://asec.ahnlab.com/en/54647/ (timb-machine#707), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True
- https://github.com/Kabot/mig-logcleaner-resurrected (timb-machine#154), citable: False
T1202: Indirect Command Execution
missing from ATT&CK
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (timb-machine#415), citable: False
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (timb-machine#197), citable: False
T1140: Deobfuscate/Decode Files or Information
- https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp (timb-machine#721), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True
T1562: Impair Defenses
- https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (timb-machine#550), citable: False
- https://github.com/codewhitesec/daphne (timb-machine#740), citable: False
- https://github.com/codewhitesec/apollon (timb-machine#734), citable: False
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (timb-machine#692), citable: True
- https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (timb-machine#739), citable: False
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (timb-machine#575), citable: False
T1036: Masquerading
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://twitter.com/xnand_/status/1676336329985077249 (timb-machine#710), citable: True
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine#435), citable: False
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (timb-machine#711), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (timb-machine#433), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (timb-machine#686), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine#437), citable: False
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (timb-machine#724), citable: True
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1055: Process Injection
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False
T1205: Traffic Signaling
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (timb-machine#725), citable: True
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1218: System Binary Proxy Execution
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (timb-machine#719), citable: False
T1070.006: Timestomp
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
T1620: Reflective Code Loading
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (timb-machine#415), citable: False
- https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (timb-machine#747), citable: False
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False
- https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (timb-machine#567), citable: False
- https://github.com/guitmz/memrun (timb-machine#592), citable: False
- https://www.form3.tech/engineering/content/bypassing-ebpf-tools (timb-machine#584), citable: False
- https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (timb-machine#736), citable: False
- http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (timb-machine#242), citable: False
- https://github.com/vbpf/ebpf-samples (timb-machine#215), citable: False
- https://github.com/nnsee/fileless-elf-exec (timb-machine#193), citable: False
- https://github.com/X-C3LL/memdlopen-lib (timb-machine#605), citable: False
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True
- https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (timb-machine#745), citable: False
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (timb-machine#495), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/m1m1x/memdlopen (timb-machine#175), citable: False
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (timb-machine#499), citable: False
- https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (timb-machine#231), citable: False
- https://redcanary.com/blog/ebpf-for-security/ (timb-machine#270), citable: False
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
- https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (timb-machine#436), citable: False
- https://github.com/trustedsec/ELFLoader (timb-machine#416), citable: False
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (timb-machine#197), citable: False
T1497.003: Time Based Evasion
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1599.001: Network Address Translation Traversal
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1562.004: Disable or Modify System Firewall
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True
T1610: Deploy Container
missing from ATT&CK
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (timb-machine#604), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1574.006: Dynamic Linker Hijacking
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False
- https://github.com/NixOS/patchelf (timb-machine#443), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://github.com/namazso/linux_injector (timb-machine#599), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://github.com/mav8557/Father (timb-machine#606), citable: False
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (timb-machine#397), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://sansec.io/research/nginrat (timb-machine#94), citable: True
T1222: File and Directory Permissions Modification
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1548: Abuse Elevation Control Mechanism
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://twitter.com/ankit_anubhav/status/1490574137370103808 (timb-machine#483), citable: True
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1548.001: Setuid and Setgid
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine#112), citable: True
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
T1562.006: Indicator Blocking
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (timb-machine#660), citable: True (TACTICS OR TECHNIQUES WRONG)
T1070: Indicator Removal
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine#435), citable: False
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine#437), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1036.004: Masquerade Task or Service
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
T1480: Execution Guardrails
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (timb-machine#623), citable: True
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (timb-machine#660), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1205.001: Port Knocking
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
T1562.003: Impair Command History Logging
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1134.004: Parent PID Spoofing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False
T1562.001: Disable or Modify Tools
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://github.com/codewhitesec/daphne (timb-machine#740), citable: False
- https://github.com/codewhitesec/apollon (timb-machine#734), citable: False
- https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (timb-machine#739), citable: False
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1601: Modify System Image
missing from ATT&CK
- https://github.com/marin-m/vmlinux-to-elf (timb-machine#726), citable: False
T1574: Hijack Execution Flow
- https://github.com/hardenedvault/ved-ebpf (timb-machine#737), citable: False
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (timb-machine#719), citable: False
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (timb-machine#499), citable: False
- https://github.com/Gui774ume/krie (timb-machine#498), citable: False
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (timb-machine#653), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False
T1027: Obfuscated Files or Information
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/cronrat (timb-machine#399), citable: True
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (timb-machine#588), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine#414), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True
- https://netadr.github.io/blog/a-quick-glimpse-sbz/ (timb-machine#596), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://sansec.io/research/nginrat (timb-machine#94), citable: True
- https://github.com/trustedsec/ELFLoader (timb-machine#416), citable: False
T1036.003: Rename System Utilities
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (timb-machine#719), citable: False
T1578.002: Create Cloud Instance
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1055.009: Proc Memory
- https://github.com/NetSPI/sshkey-grab (timb-machine#619), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
T1070.004: File Deletion
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (timb-machine#495), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1027.002: Software Packing
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (timb-machine#625), citable: True
- https://github.com/89luca89/pakkero (timb-machine#718), citable: False
- https://github.com/NozomiNetworks/upx-recovery-tool (timb-machine#535), citable: False
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1574.002: DLL Side-Loading
missing from ATT&CK
- https://github.com/airman604/jdbc-backdoor (timb-machine#607), citable: False
T1055.008: Ptrace System Calls
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine#461), citable: False
T1027.007: Dynamic API Resolution
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1564.001: Hidden Files and Directories
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://github.com/reveng007/reveng_rtkit (timb-machine#669), citable: False
- https://github.com/h3xduck/Umbra (timb-machine#668), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (timb-machine#312), citable: True
- https://github.com/Eterna1/puszek-rootkit (timb-machine#670), citable: False
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (timb-machine#705), citable: False
T1078.004: Cloud Accounts
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1480.001: Environmental Keying
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (timb-machine#716), citable: True
- https://twitter.com/sethkinghi/status/1397814848549900288 (timb-machine#717), citable: True
- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (timb-machine#714), citable: True
T1556: Modify Authentication Process
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (timb-machine#700), citable: True
T1567: Exfiltration Over Web Service
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1020: Automated Exfiltration
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True (TACTICS OR TECHNIQUES WRONG)
T1048: Exfiltration Over Alternative Protocol
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (timb-machine#524), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
T1033: System Owner/User Discovery
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
T1613: Container and Resource Discovery
missing from ATT&CK
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1069: Permission Groups Discovery
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1069.003: Cloud Groups
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1087.002: Domain Account
- https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (timb-machine#635), citable: False
T1007: System Service Discovery
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1040: Network Sniffing
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://github.com/Eterna1/puszek-rootkit (timb-machine#670), citable: False
T1082: System Information Discovery
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (timb-machine#716), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
- https://asec.ahnlab.com/en/50316/ (timb-machine#621), citable: True
T1497.003: Time Based Evasion
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1580: Cloud Infrastructure Discovery
missing from ATT&CK
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (timb-machine#692), citable: True (TACTICS OR TECHNIQUES WRONG)
T1016: System Network Configuration Discovery
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (timb-machine#516), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (timb-machine#119), citable: True (TACTICS OR TECHNIQUES WRONG)
T1083: File and Directory Discovery
- https://www.guitmz.com/linux-nasty-elf-virus/ (timb-machine#642), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1619: Cloud Storage Object Discovery
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1057: Process Discovery
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine#462), citable: False
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (timb-machine#527), citable: True
- https://github.com/darrenmartyn/malware_samples (timb-machine#530), citable: False
- https://www.guitmz.com/linux-nasty-elf-virus/ (timb-machine#642), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (timb-machine#510), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (timb-machine#700), citable: True
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (timb-machine#716), citable: True
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (timb-machine#702), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (timb-machine#524), citable: True
T1526: Cloud Service Discovery
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1018: Remote System Discovery
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True (TACTICS OR TECHNIQUES WRONG)
T1046: Network Service Discovery
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
T1056.001: Keylogging
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/anko/xkbcat (timb-machine#691), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False (TACTICS OR TECHNIQUES WRONG)
T1602: Data from Configuration Repository
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1005: Data from Local System
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False (TACTICS OR TECHNIQUES WRONG)
T1213.003: Code Repositories
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1602.001: SNMP (MIB Dump)
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
T1583.008: Malvertising
missing from ATT&CK
- https://twitter.com/xnand_/status/1676336329985077249 (timb-machine#710), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (timb-machine#711), citable: False
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (timb-machine#686), citable: True
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (timb-machine#724), citable: True
T1587.001: Malware
missing from ATT&CK
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (timb-machine#516), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1608.001: Upload Malware
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1583.001: Domains
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1608.002: Upload Tool
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1588.001: Malware
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1584: Compromise Infrastructure
missing from ATT&CK
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine#414), citable: True
T1608: Stage Capabilities
missing from ATT&CK
- https://twitter.com/xnand_/status/1676336329985077249 (timb-machine#710), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (timb-machine#711), citable: False
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (timb-machine#686), citable: True
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (timb-machine#724), citable: True
T1588.002: Tool
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1585: Establish Accounts
missing from ATT&CK
- https://twitter.com/xnand_/status/1676336329985077249 (timb-machine#710), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (timb-machine#711), citable: False
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (timb-machine#686), citable: True
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (timb-machine#724), citable: True
T1588: Obtain Capabilities
missing from ATT&CK
- https://twitter.com/xnand_/status/1676336329985077249 (timb-machine#710), citable: True
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (timb-machine#711), citable: False
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (timb-machine#686), citable: True
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (timb-machine#724), citable: True
T1590.002: DNS
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True (TACTICS OR TECHNIQUES WRONG)
T1594: Search Victim-Owned Websites
missing from ATT&CK
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
T1589: Gather Victim Identity Information
missing from ATT&CK
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
T1595: Active Scanning
missing from ATT&CK
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1590: Gather Victim Network Information
missing from ATT&CK
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True (TACTICS OR TECHNIQUES WRONG)
T1593: Search Open Websites/Domains
missing from ATT&CK
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
T1592.002: Software
missing from ATT&CK
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1589.001: Credentials
missing from ATT&CK
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
T1205.002: Socket Filters
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (timb-machine#419), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine#435), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (timb-machine#433), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/aojea/netkat (timb-machine#464), citable: False
- https://github.com/Gui774ume/ebpfkit (timb-machine#151), citable: False
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (timb-machine#405), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/vbpf/ebpf-samples (timb-machine#215), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/wunderwuzzi23/Offensive-BPF (timb-machine#469), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://github.com/h3xduck/TripleCross (timb-machine#465), citable: False
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine#449), citable: False
- https://github.com/citronneur/pamspy (timb-machine#466), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://packetstormsecurity.com/files/22121/cd00r.c.html (timb-machine#597), citable: False
- https://github.com/noptrix/fbkit (timb-machine#684), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (timb-machine#152), citable: False
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (timb-machine#397), citable: True
- https://github.com/snapattack/bpfdoor-scanner (timb-machine#437), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine#421), citable: False
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (timb-machine#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1132.001: Standard Encoding
- https://unit42.paloaltonetworks.com/alloy-taurus/ (timb-machine#646), citable: True
T1071.004: DNS
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (timb-machine#693), citable: True
T1573.001: Symmetric Cryptography
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (timb-machine#516), citable: True
- https://asec.ahnlab.com/en/55229/ (timb-machine#722), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (timb-machine#646), citable: True
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
- https://asec.ahnlab.com/ko/55070/ (timb-machine#709), citable: True
T1071: Application Layer Protocol
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (timb-machine#625), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (timb-machine#646), citable: True
T1205: Traffic Signaling
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (timb-machine#570), citable: False
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine#434), citable: True
- https://twitter.com/ldsopreload/status/1582780282758828035 (timb-machine#571), citable: False
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine#424), citable: True
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine#426), citable: False
- https://twitter.com/ldsopreload/status/1583178316286029824 (timb-machine#568), citable: False
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine#460), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine#421), citable: False
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (timb-machine#725), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine#441), citable: True
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (timb-machine#569), citable: False
T1572: Protocol Tunneling
- https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (timb-machine#690), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1092: Communication Through Removable Media
T1090.002: External Proxy
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True
T1090: Proxy
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1102: Web Service
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (timb-machine#692), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
T1205.001: Port Knocking
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
T1071.002: File Transfer Protocols
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (timb-machine#623), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
T1090.003: Multi-hop Proxy
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1001: Data Obfuscation
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
T1571: Non-Standard Port
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1573: Encrypted Channel
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (timb-machine#643), citable: True
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (timb-machine#658), citable: True
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (timb-machine#716), citable: True
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False
- https://unit42.paloaltonetworks.com/alloy-taurus/ (timb-machine#646), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (timb-machine#524), citable: True
T1573.002: Asymmetric Cryptography
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (timb-machine#99), citable: True
T1095: Non-Application Layer Protocol
- https://github.com/croemheld/lkm-rootkit (timb-machine#628), citable: False
- https://github.com/h3xduck/Umbra (timb-machine#668), citable: False
- https://github.com/QuokkaLight/rkduck (timb-machine#667), citable: False
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
- https://asec.ahnlab.com/en/50316/ (timb-machine#621), citable: True
- https://redcanary.com/blog/process-streams/ (timb-machine#494), citable: False
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True (TACTICS OR TECHNIQUES WRONG)
T1001.003: Protocol Impersonation
- https://sansec.io/research/cronrat (timb-machine#399), citable: True
T1132: Data Encoding
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine#447), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (timb-machine#646), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
T1132.002: Non-Standard Encoding
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1071.001: Web Protocols
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (timb-machine#321), citable: True
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (timb-machine#623), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (timb-machine#64), citable: True
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (timb-machine#516), citable: True
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (timb-machine#625), citable: True
- https://unit42.paloaltonetworks.com/alloy-taurus/ (timb-machine#646), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (timb-machine#95), citable: True
- https://blog.exatrack.com/melofee/ (timb-machine#620), citable: True
T1105: Ingress Tool Transfer
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (timb-machine#623), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://cujo.com/threat-alert-krane-malware/ (timb-machine#391), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True
T1090.001: Internal Proxy
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (timb-machine#8), citable: True
T1133: External Remote Services
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1195.001: Compromise Software Dependencies and Development Tools
- https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (timb-machine#294), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (timb-machine#495), citable: False (TACTICS OR TECHNIQUES WRONG)
T1566.001: Spearphishing Attachment
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (timb-machine#655), citable: True
T1190: Exploit Public-Facing Application
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (timb-machine#720), citable: True
- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (timb-machine#665), citable: False
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (timb-machine#604), citable: True
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (timb-machine#90), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (timb-machine#714), citable: True
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (timb-machine#702), citable: True
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (timb-machine#715), citable: True
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (timb-machine#373), citable: True
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (timb-machine#723), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (timb-machine#677), citable: False
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (timb-machine#676), citable: False
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (timb-machine#524), citable: True
T1078.001: Default Accounts
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (timb-machine#604), citable: True
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (timb-machine#586), citable: True
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (timb-machine#744), citable: True
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine#439), citable: True
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (timb-machine#678), citable: True
- https://asec.ahnlab.com/en/49769/ (timb-machine#624), citable: True
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (timb-machine#653), citable: False
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine#129), citable: False
T1078.004: Cloud Accounts
missing from ATT&CK