S0347: AuditCred
AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]
Analyst context for executives and security teams
AuditCred is a malicious Windows DLL documented by MITRE as used by Lazarus Group during 2018 attacks. Its value for defenders is less about a standalone malware name and more about the behaviors linked to it: encrypted configuration, process injection, command shell execution, file deletion, file and directory discovery, proxying, tool transfer, XOR/RC4 decoding, and Windows service persistence. For leaders, this points to a need to validate whether endpoint, Windows service, command execution, and network egress evidence is strong enough to reconstruct a stealthy intrusion even when malware-specific detections are unavailable.
Executive priority
Treat AuditCred as a coverage-validation case for Windows intrusion readiness rather than as proof of current exposure. Because ATT&CK provides no official detection text for this malware, decision-makers should ask whether their SOC and incident response teams can detect and investigate the associated behaviors without relying on a named signature. Priority areas are Windows endpoint visibility, service creation/change monitoring, command-line logging, suspicious process injection indicators, file deletion evidence, and outbound proxy/tool-transfer visibility. This also supports audit and compliance conversations around whether logging and retention can prove what happened during a stealthy endpoint compromise.
Technical view
AuditCred is identified as a malicious DLL on Windows. ATT&CK relationships associate it with Encrypted/Encoded File, Process Injection, Windows Command Shell, File Deletion, File and Directory Discovery, Proxy, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, and Windows Service. SOC and detection teams should validate behavior-level analytics across these areas: DLL execution/loading context, unusual service creation or modification, command shell activity with suspicious parent/child process chains, evidence of encoded or decoded payloads, file staging and deletion, discovery commands or file enumeration, unexpected external downloads, and proxy-like network behavior. Because no official detection guidance is supplied, local baselining and testing against benign administrative activity are necessary.
Likely telemetry
- Windows endpoint process creation and command-line logs
- DLL load/module telemetry from EDR or host sensors
- Windows service creation, modification, and registry/service configuration events
- File creation, modification, deletion, and rename events
- Host evidence of encoded or encrypted payloads and configuration, and of their decoded forms (the DLL itself and any files it reads or writes around execution)
- Outbound connection, proxy, and egress logs that can be tied back to the originating process
Detection direction
- Validate detections for suspicious Windows service creation or modification, especially services pointing to unusual paths or DLL/payload locations.
- Correlate command shell execution with file staging, decoding, deletion, and outbound network activity rather than relying on any single event.
- Tune for process injection indicators where endpoint telemetry supports it, while accounting for legitimate security tools and administrative software that may create similar signals.
- Look for file deletion following tool transfer or execution as a potential anti-forensics pattern, but avoid treating deletion alone as malicious.
- Review proxy and egress monitoring for unexpected intermediary behavior or unusual destinations, especially when paired with host-side execution or transfer evidence.
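The correlation that the technical view and the detection notes above call for, as an added example that is not part of this page or of any MITRE or Trend Micro material: a Python pass over constructed Sysmon-style events that flags a service pointing outside the expected install roots (T1543.003), cmd.exe spawned by a service host process (T1059.003), and a file that the same process fetched, wrote and then deleted inside a time window (T1105 followed by T1070.004), while a second host that has only the individual events stays clean. The event shapes, paths, process names, the 30-minute window, the allowed service roots and the sample addresses are assumptions for illustration, not indicators from the ATT&CK object.

```python
"""Behavior-level correlation for the AuditCred technique set over constructed
Sysmon-style telemetry. Added example: not code from the page, MITRE or Trend
Micro. Event shapes, paths, thresholds and the 30-minute window are assumptions.
"""
from datetime import datetime, timedelta

# Assumption: service binaries and DLLs under these roots are expected.
ALLOWED_SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files\\")
SERVICE_HOST_IMAGES = {"svchost.exe", "services.exe"}

# Constructed sample telemetry. ws1 carries the full chain the detection notes
# describe; ws2 carries benign administrative activity sharing single events.
SAMPLE_EVENTS = [
    {"host": "ws1", "ts": "2018-11-20T10:00:00", "kind": "svc_install",
     "name": "AuditSvc", "image": r"C:\Users\Public\Libraries\audit.dll"},
    {"host": "ws1", "ts": "2018-11-20T10:00:05", "kind": "proc_create",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws1", "ts": "2018-11-20T10:01:00", "kind": "net_connect",
     "image": r"C:\Windows\System32\svchost.exe", "dst": "203.0.113.10:8080"},
    {"host": "ws1", "ts": "2018-11-20T10:01:10", "kind": "file_create",
     "image": r"C:\Windows\System32\svchost.exe", "path": r"C:\Users\Public\t.exe"},
    {"host": "ws1", "ts": "2018-11-20T10:02:00", "kind": "file_delete",
     "image": r"C:\Windows\System32\svchost.exe", "path": r"C:\Users\Public\t.exe"},
    {"host": "ws2", "ts": "2018-11-20T11:00:00", "kind": "svc_install",
     "name": "VendorAgent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "ws2", "ts": "2018-11-20T11:00:05", "kind": "proc_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws2", "ts": "2018-11-20T11:01:00", "kind": "file_create",
     "image": r"C:\Program Files\Vendor\setup.exe", "path": r"C:\Temp\x.tmp"},
    {"host": "ws2", "ts": "2018-11-20T11:01:30", "kind": "file_delete",
     "image": r"C:\Program Files\Vendor\setup.exe", "path": r"C:\Temp\x.tmp"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def unusual_service_path(image):
    """T1543.003 check: service binary or DLL outside the expected roots."""
    low = image.lower()
    return not any(low.startswith(root) for root in ALLOWED_SERVICE_ROOTS)


def shell_from_service_host(event):
    """T1059.003 check: cmd.exe whose parent is a service host process."""
    return _base(event["image"]) == "cmd.exe" and _base(event["parent"]) in SERVICE_HOST_IMAGES


def download_stage_delete(events, delete_event, window):
    """T1105 then T1070.004: the deleting process made an outbound connection,
    afterwards created the same path, all within `window` before the delete.
    Deletion without the preceding connection does not count."""
    t_del = _ts(delete_event)
    same_proc = [e for e in events
                 if e["image"].lower() == delete_event["image"].lower()
                 and timedelta(0) <= t_del - _ts(e) <= window]
    net = [e for e in same_proc if e["kind"] == "net_connect"]
    created = [e for e in same_proc if e["kind"] == "file_create"
               and e["path"].lower() == delete_event["path"].lower()]
    return any(_ts(n) <= _ts(c) for n in net for c in created)


def correlate(events, window=timedelta(minutes=30)):
    """Return {host: [finding, ...]}; an empty list means no chain was found."""
    by_host = {}
    for e in sorted(events, key=_ts):
        by_host.setdefault(e["host"], []).append(e)
    findings = {}
    for host, evs in by_host.items():
        hits = []
        for e in evs:
            if e["kind"] == "svc_install" and unusual_service_path(e["image"]):
                hits.append(f"T1543.003 service '{e['name']}' points to {e['image']}")
            elif e["kind"] == "proc_create" and shell_from_service_host(e):
                hits.append(f"T1059.003 cmd.exe spawned by {_base(e['parent'])}: {e['cmdline']}")
            elif e["kind"] == "file_delete" and download_stage_delete(evs, e, window):
                hits.append(f"T1105/T1070.004 {e['path']} fetched, staged, then deleted")
        findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, "->", hits or "no correlated chain")
```

The third rule deliberately requires the outbound connection before the create and delete from the same process; that is what keeps the installer's temp-file cleanup on ws2 from firing, in line with the note above that deletion alone is not malicious. In production the allowed roots and the service-host list would come from a local baseline rather than constants.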
Mitigation priorities
- Ensure Windows endpoints have sufficient logging and EDR visibility for process execution, DLL activity, service changes, file operations, and network connections.
- Restrict and monitor administrative rights that can create or modify Windows services or execute payloads through command shells.
- Harden egress paths with proxy controls, allowlisting where appropriate, and monitoring for unusual external file transfer activity.
- Maintain retention and incident response procedures that preserve deleted-file evidence, service configuration history, and command execution context.
- Use threat intelligence on Lazarus Group and AuditCred as context for prioritizing validation, but do not depend on malware naming alone for prevention or detection.
Analyst notes and limits
The supplied ATT&CK object is sparse: AuditCred is described as a malicious DLL used by Lazarus Group during 2018 attacks, with Windows as the platform and no official detection text. The most useful defensive content comes from the ATT&CK relationships to techniques that describe likely behaviors defenders can validate. Local environment data is required to determine whether these behaviors are observable, suspicious, or already covered.
This analysis does not assert current exploitation, customer exposure, specific indicators, or guaranteed detection. It is based only on the supplied ATT&CK fields, external references, and relationships. Technique relationships give behavioral direction but not complete procedure details, detection logic, or mitigation guarantees.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | AuditCred can search through folders and files on the system.[1] |
| Enterprise | T1090 | Proxy | AuditCred can utilize proxy for communications.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | AuditCred can delete files from the system.[1] |
| Enterprise | T1055 | Process Injection | AuditCred can inject code from files to other running processes.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | AuditCred can download files and additional malware.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | AuditCred can open a reverse shell on the system to execute commands.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AuditCred uses XOR and RC4 to perform decryption on the code functions.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | AuditCred is installed as a new service on the system.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | AuditCred encrypts the configuration.[1] |
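The T1140 and T1027.013 rows above state only that AuditCred uses XOR and RC4 and that its configuration is encrypted. The following is an added example, not AuditCred's real format and not code from Trend Micro or MITRE, showing how an analyst unwraps a blob protected that way: RC4 with a key assumed to have been recovered from the sample, then a single-byte XOR layer whose key is inferred from the NUL padding of fixed-size fields. The layer order, the RC4 key, the XOR byte, the `ACFG` marker, the `build_blob` helper and the field layout are all assumptions chosen to make the workflow runnable offline.

```python
"""Unwrapping a configuration protected by RC4 and a single-byte XOR.
Added example for T1140 / T1027.013; the page states only that XOR and RC4
are used. Key, XOR byte, layer order, marker and field layout are assumptions.
"""
import struct
from collections import Counter

MAGIC = b"ACFG"                      # assumed marker at the start of the struct
CONFIG_FMT = "<4sH64s64s"            # assumed layout: magic, port, C2 host, proxy host
SAMPLE_RC4_KEY = b"example-rc4-key"  # assumed to have been recovered from the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single(data: bytes, key: int) -> bytes:
    """Single-byte XOR; its own inverse."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, expected_filler: int = 0x00) -> int:
    """Infer a single-byte XOR key from the most frequent byte, assuming the
    fixed-size string fields of the plaintext are NUL padded."""
    most_common, _ = Counter(data).most_common(1)[0]
    return most_common ^ expected_filler


def build_blob(c2: str, proxy: str, port: int, rc4_key: bytes, xor_key: int) -> bytes:
    """Construct a sample blob the way an assumed builder would: pack the
    struct, XOR it, then RC4 the result (constructed test input only)."""
    plain = struct.pack(CONFIG_FMT, MAGIC, port, c2.encode(), proxy.encode())
    return rc4(rc4_key, xor_single(plain, xor_key))


def parse_config(blob: bytes, rc4_key: bytes) -> dict:
    """Strip RC4, infer and strip the XOR layer, validate the marker, parse."""
    inner = rc4(rc4_key, blob)
    xor_key = recover_xor_key(inner)
    plain = xor_single(inner, xor_key)
    magic, port, c2, proxy = struct.unpack(CONFIG_FMT, plain)
    if magic != MAGIC:
        raise ValueError("marker mismatch: wrong RC4 key or wrong layer order")
    return {"xor_key": xor_key, "port": port,
            "c2": c2.rstrip(b"\0").decode(), "proxy": proxy.rstrip(b"\0").decode()}


if __name__ == "__main__":
    blob = build_blob("c2.example.test", "proxy.corp.example", 443, SAMPLE_RC4_KEY, 0x5A)
    print(blob.hex())
    print(parse_config(blob, SAMPLE_RC4_KEY))
```

The marker check is what makes a wrong RC4 key or a wrong guess about layer order fail loudly instead of yielding garbage fields; when the real sample has no fixed marker, a length or checksum field, or a known field such as a port, plays the same role. The padding-frequency trick only works on the layer that sits directly over the structured plaintext, which is why the RC4 layer has to be removed first here.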
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When multiple ATT&CK source imports are retained, the same object can be compared across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 8391f695187f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Lazarus Nov 2018: Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- [2] AuditCred (associated name; citation: TrendMicro Lazarus Nov 2018)
- [3] Roptimizer (associated name; citation: TrendMicro Lazarus Nov 2018)
- [4] mitre-attack: MITRE ATT&CK software entry S0347.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.