S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
Analyst context for executives and security teams
Cobalt Strike matters because it is a legitimate adversary-simulation and remote access tool whose post-exploitation capabilities span the ATT&CK lifecycle. In practice, this makes it a high-value validation target: if an organization cannot distinguish authorized security testing from unauthorized remote access and post-compromise activity, executives may lack reliable evidence during ransomware, espionage, or supply-chain incident decisions.
Executive priority
Prioritize Cobalt Strike coverage as a resilience and incident-readiness question, not just a malware signature question. ATT&CK relationships show use across ransomware intrusions, public-sector and critical-industry targeting, financially motivated groups, and state-linked groups. Leaders should ask whether security testing tools are governed, whether SOC and IR teams can rapidly validate unauthorized use across Windows, Linux, and macOS, and whether telemetry is sufficient to support audit, legal, and business-continuity decisions during a suspected compromise.
Technical view
ATT&CK provides no official detection guidance for S0154, so defenders should validate coverage against the behaviors implied by a full-featured remote access and post-exploitation platform rather than rely on a single indicator. SOC and IR teams should confirm visibility across supported platforms into process execution and parent-child process relationships; command execution; credential-access tool interaction where applicable (Cobalt Strike can leverage tools such as Mimikatz); network connections associated with remote access; and evidence of lateral or post-exploit activity. Relationship context makes this especially relevant in investigations involving ransomware campaigns, exposed or vulnerable Internet-facing applications, supply-chain compromise, phishing-led intrusions, and activity associated with the listed groups and campaigns.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows, Linux, and macOS
- Network connection and egress telemetry for remote access sessions
- Authentication and credential-use logs, especially where post-exploitation activity is suspected
- EDR or host audit data showing execution of security tools, dual-use tools, or chained tooling such as Mimikatz
- Server and application logs for incidents that begin from exposed or vulnerable Internet-facing systems
Detection direction
- Inventory and govern legitimate Cobalt Strike use so the SOC can separate approved adversary simulation from suspicious execution.
- Build detections around post-exploitation behavior patterns and telemetry correlation, because ATT&CK does not provide an official detection section for this object.
- Tune alerts with context from relationships: ransomware intrusions, APT campaigns, financially motivated groups, public-sector targeting, supply-chain compromise, exposed servers, and vulnerable Internet-facing applications are all represented in related ATT&CK objects.
- Validate coverage across Windows, Linux, and macOS rather than assuming endpoint controls are Windows-only.
- Treat tool-name or hash-only detection as insufficient; prioritize behavior, execution context, network activity, and credential-use evidence.
Mitigation priorities
- Establish approval, logging, and change-control requirements for any authorized adversary-simulation tooling.
- Ensure endpoint and network telemetry collection is enabled and retained across Windows, Linux, and macOS systems that matter to business operations.
- Harden and monitor Internet-facing applications and exposed servers, since related campaign context includes initial compromise through vulnerable or exposed services.
- Strengthen credential protection and monitoring because Cobalt Strike can leverage other tools such as Mimikatz.
- Prepare IR playbooks that distinguish legitimate testing from unauthorized remote access and post-exploitation activity.
Analyst notes and limits
The supplied ATT&CK object identifies Cobalt Strike as commercial adversary-simulation software with broad post-exploitation capability and relationships to numerous campaigns and groups, including ransomware and state-linked activity. This take emphasizes defensive validation and governance because the tool can be legitimate in one context and suspicious in another.
No official ATT&CK detection text, aliases, labels, or object-specific tactics were provided. Local telemetry, approved-tool inventories, red-team schedules, and incident evidence are required before determining whether observed activity is authorized, malicious, or relevant to a specific threat actor.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090.004 | Domain Fronting Sub-technique | Cobalt Strike has the ability to accept a value for HTTP Host Header to enable domain fronting. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1548.003 | Sudo and Sudo Caching Sub-technique | Cobalt Strike can use |
| Enterprise | T1553.002 | Code Signing Sub-technique | Cobalt Strike can use self-signed Java applets to execute signed applet attacks. (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1059.007 | JavaScript Sub-technique | The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions. (Citation: Talos Cobalt Strike September 2020) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel. (Citation: cobaltstrike manual) (Citation: Cybereason Bumblebee August 2022) |
| Enterprise | T1106 | Native API | Cobalt Strike's Beacon payload is capable of running shell commands without |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | Cobalt Strike can perform pass the hash. (Citation: Cobalt Strike TTPs Dec 2017) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account. (Citation: cobaltstrike manual) (Citation: CobaltStrike Daddy May 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Cobalt Strike can use a number of known techniques to bypass Windows UAC. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Cobalt Strike can determine the NetBios name and the IP addresses of target machines including domain controllers. (Citation: Cyberreason Anchor December 2019) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1569.002 | Service Execution Sub-technique | Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services. (Citation: cobaltstrike manual) (Citation: Cobalt Strike TTPs Dec 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1005 | Data from Local System | Cobalt Strike can collect data from a local system. (Citation: Cobalt Strike TTPs Dec 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Cobalt Strike has the ability to load DLLs via reflective injection. (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Cobalt Strike can track key presses with a keylogger module. (Citation: cobaltstrike manual) (Citation: Amnesty Intl. Ocean Lotus February 2021) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1197 | BITS Jobs | Cobalt Strike can download a hosted "beacon" payload using BITSAdmin. (Citation: CobaltStrike Scripted Web Delivery) (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Cobalt Strike can use process hollowing for execution. (Citation: Cobalt Strike TTPs Dec 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1518 | Software Discovery | The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1078.003 | Local Accounts Sub-technique | Cobalt Strike can use known credentials to run commands and spawn processes as a local user account. (Citation: cobaltstrike manual) (Citation: CobaltStrike Daddy May 2017) |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Strike can exploit vulnerabilities such as MS14-058. (Citation: Cobalt Strike TTPs Dec 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1113 | Screen Capture | Cobalt Strike's Beacon payload is capable of capturing screenshots. (Citation: cobaltstrike manual) (Citation: Amnesty Intl. Ocean Lotus February 2021) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1564.010 | Process Argument Spoofing Sub-technique | Cobalt Strike can spoof arguments in spawned processes that execute beacon commands. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1112 | Modify Registry | Cobalt Strike can modify Registry values within |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Cobalt Strike can identify targets by querying account groups on a domain controller. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1049 | System Network Connections Discovery | Cobalt Strike can produce a sessions report from compromised hosts. (Citation: Talos Cobalt Strike September 2020) |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | Cobalt Strike can leverage the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI. (Citation: Cobalt Strike Manual 4.3 November 2020) Cobalt Strike has also added `Host: ocsp.verisign.com` to HTTP headers to mimic Online Certificate Status Protocol (OCSP) traffic. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1134.004 | Parent PID Spoofing Sub-technique | Cobalt Strike can spawn processes with alternate PPIDs. (Citation: CobaltStrike Daddy May 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | Cobalt Strike can steal access tokens from exiting processes. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Cobalt Strike can install a new service. (Citation: Cobalt Strike TTPs Dec 2017) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Cobalt Strike can use VBA to perform execution. (Citation: Cobalt Strike TTPs Dec 2017) (Citation: CobaltStrike Daddy May 2017) (Citation: Talos Cobalt Strike September 2020) |
| Enterprise | T1055 | Process Injection | Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) (Citation: DFIR Conti Bazar Nov 2021) |
| Enterprise | T1007 | System Service Discovery | Cobalt Strike can enumerate services on compromised hosts. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1070.006 | Timestomp Sub-technique | Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1083 | File and Directory Discovery | Cobalt Strike can explore files on a compromised system. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1071.004 | DNS Sub-technique | Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports. (Citation: cobaltstrike manual) (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1029 | Scheduled Transfer | Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval. (Citation: cobaltstrike manual) |
| Enterprise | T1069.001 | Local Groups Sub-technique | Cobalt Strike can use |
| Enterprise | T1059.001 | PowerShell Sub-technique | Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk. (Citation: cobaltstrike manual) (Citation: Cyberreason Anchor December 2019) Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution. (Citation: Cobalt Strike TTPs Dec 2017) (Citation: CobaltStrike Daddy May 2017) (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1021.004 | SSH Sub-technique | Cobalt Strike can SSH to a remote service. (Citation: Cobalt Strike TTPs Dec 2017) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1620 | Reflective Code Loading | Cobalt Strike's |
| Enterprise | T1018 | Remote System Discovery | Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network. (Citation: cobaltstrike manual) (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes. (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1685 | Disable or Modify Tools | Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox. (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1012 | Query Registry | Cobalt Strike can query |
| Enterprise | T1087.002 | Domain Account Sub-technique | Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1497.002 | User Activity Based Checks Sub-technique | The Cobalt Strike loader can use the `MessageBoxA` API to prompt for user interaction as an anti-sandbox measure. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1030 | Data Transfer Size Limits | Cobalt Strike will break large data sets into smaller chunks for exfiltration. (Citation: cobaltstrike manual) |
| Enterprise | T1046 | Network Service Discovery | Cobalt Strike can perform port scans from an infected host. (Citation: cobaltstrike manual) (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1135 | Network Share Discovery | Cobalt Strike can query shared drives on the local system. (Citation: Cobalt Strike TTPs Dec 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports. (Citation: cobaltstrike manual) (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) (Citation: Securelist APT10 March 2021) (Citation: Kaspersky ToddyCat Check Logs October 2023) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server. (Citation: Talos Cobalt Strike September 2020) |
| Enterprise | T1185 | Browser Session Hijacking | Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions. (Citation: Talos Cobalt Strike September 2020) (Citation: Cobalt Strike Manual 4.3 November 2020) The Cobalt Strike loader component can also decrypt the .bss section of the Beacon binary prior to execution. (Citation: Cisco Talos Qilin Ransomware OCT 2025) |
| Enterprise | T1572 | Protocol Tunneling | Cobalt Strike uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports. (Citation: cobaltstrike manual) (Citation: Cobalt Strike Manual 4.3 November 2020) |
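Two rows of the table above, T1090.004 (a supplied HTTP Host header) and T1001.003 (`Host: ocsp.verisign.com` on C2 traffic), translate directly into proxy-log checks. The following is an added example, not code from MITRE or from Cobalt Strike documentation; the `ProxyEvent` record shape, the watchlist and the sample events are constructed assumptions, and it presumes a TLS-inspecting proxy that logs both the SNI and the Host header.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumption: local watchlist of hosts whose traffic must look like OCSP.
# The page names ocsp.verisign.com; extend with responders you care about.
OCSP_HOSTS = {"ocsp.verisign.com"}
OCSP_REQUEST = "application/ocsp-request"    # RFC 6960 media types
OCSP_RESPONSE = "application/ocsp-response"


@dataclass
class ProxyEvent:
    """Hypothetical record shape for a TLS-inspecting proxy log."""
    src: str
    tls_sni: Optional[str]            # None for cleartext HTTP
    http_host: str
    method: str
    req_content_type: Optional[str]
    resp_content_type: Optional[str]


def normalize(name: str) -> str:
    """Lower-case a host name, drop a :port suffix and a trailing dot."""
    return name.strip().lower().partition(":")[0].rstrip(".")


def media_type(value: Optional[str]) -> str:
    """Return the bare media type without parameters such as charset."""
    return (value or "").split(";")[0].strip().lower()


def findings(ev: ProxyEvent) -> list:
    """Return the technique-tagged findings raised by one proxy event."""
    out = []
    host = normalize(ev.http_host)
    # T1090.004: the TLS handshake names one host, the HTTP request another.
    if ev.tls_sni and normalize(ev.tls_sni) != host:
        out.append("T1090.004 sni-host-mismatch")
    # T1001.003: Host claims an OCSP responder but the exchange is not OCSP.
    if host in OCSP_HOSTS:
        is_post = (ev.method == "POST"
                   and media_type(ev.req_content_type) == OCSP_REQUEST)
        is_get = (ev.method == "GET"
                  and media_type(ev.resp_content_type) == OCSP_RESPONSE)
        if not (is_post or is_get):
            out.append("T1001.003 ocsp-host-non-ocsp-traffic")
    return out


def triage(events) -> dict:
    """Group findings by source address for analyst review."""
    by_src = defaultdict(set)
    for ev in events:
        for finding in findings(ev):
            by_src[ev.src].add(finding)
    return {src: sorted(hits) for src, hits in by_src.items()}


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    ProxyEvent("10.0.0.5", "cdn.example.net", "cdn.example.net",
               "GET", None, "text/html"),
    ProxyEvent("10.0.0.7", "cdn.example.net", "hidden.example.org",
               "GET", None, "text/html"),
    ProxyEvent("10.0.0.9", None, "ocsp.verisign.com",
               "GET", None, "application/octet-stream"),
    ProxyEvent("10.0.0.5", None, "OCSP.Verisign.com:80",
               "POST", "application/ocsp-request",
               "application/ocsp-response"),
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_EVENTS).items():
        print(src, hits)
```

SNI and Host can also differ legitimately when HTTP/2 reuses one connection for several names on the same certificate, so treat the first finding as a triage signal to correlate with endpoint telemetry.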
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
G1053: Storm-0501
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]
G1046: Storm-1811
Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
G1022: ToddyCat
G0073: APT19
APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [2] [3] [4]
G0037: FIN6
G0092: TA505
G0052: CopyKittens
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]
G0079: DarkHydrus
DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]
C0015: C0015
C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[1]
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
C0017: C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]
C0021: C0021
C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[1][2]
C0018: C0018
C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[1][2]
C0024: SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.14 | | Current bundle | 10002cfaa9d1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] cobaltstrike manual: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- [2] mitre-attack S0154
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.