T1556.003: Pluggable Authentication Modules
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/citronneur/pamspy (timb-machine/linux-malware#466), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False (TACTICS OR TECHNIQUES WRONG)
T1003: OS Credential Dumping
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
T1558: Steal or Forge Kerberos Tickets
- https://github.com/CiscoCXSecurity/linikatz (timb-machine/linux-malware#156), citable: False
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
- https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (timb-machine/linux-malware#240), citable: False
- https://github.com/CiscoCXSecurity/presentations/blob/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (timb-machine/linux-malware#241), citable: False
T1552.004: Private Keys
T1552.003: Bash History
T1003.008: /etc/passwd and /etc/shadow
T1053.003: Cron
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True (TACTICS OR TECHNIQUES WRONG)
T1053.001: At (Linux)
T1059: Command and Scripting Interpreter
- https://redcanary.com/blog/process-streams/ (timb-machine/linux-malware#494), citable: False (TACTICS OR TECHNIQUES WRONG)
T1059.004: Unix Shell
T1486: Data Encrypted for Impact
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (timb-machine/linux-malware#442), citable: True
- https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (timb-machine/linux-malware#496), citable: True
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (timb-machine/linux-malware#101), citable: True
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (timb-machine/linux-malware#102), citable: True
T1498: Network Denial of Service
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine/linux-malware#439), citable: True
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine/linux-malware#129), citable: False
T1556.003: Pluggable Authentication Modules
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://github.com/citronneur/pamspy (timb-machine/linux-malware#466), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
T1053.003: Cron
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True
T1205: Traffic Signaling
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine/linux-malware#434), citable: True
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine/linux-malware#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine/linux-malware#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine/linux-malware#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine/linux-malware#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine/linux-malware#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine/linux-malware#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine/linux-malware#426), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine/linux-malware#437), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine/linux-malware#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine/linux-malware#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine/linux-malware#441), citable: True
T1505.003: Web Shell
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (timb-machine/linux-malware#373), citable: True
T1574.006: Dynamic Linker Hijacking
- https://github.com/NixOS/patchelf (timb-machine/linux-malware#443), citable: False
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine/linux-malware#468), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
T1053.001: At (Linux)
T1547.006: Kernel Modules and Extensions
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True
- https://github.com/jermeyyy/rooty (timb-machine/linux-malware#440), citable: False
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine/linux-malware#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine/linux-malware#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1100: Web Shell
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine/linux-malware#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine/linux-malware#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1037.004: RC Scripts
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine/linux-malware#414), citable: True
T1543.002: Systemd Service
T1053.003: Cron
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True (TACTICS OR TECHNIQUES WRONG)
T1055: Process Injection
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1574.006: Dynamic Linker Hijacking
- https://github.com/NixOS/patchelf (timb-machine/linux-malware#443), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine/linux-malware#468), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False (TACTICS OR TECHNIQUES WRONG)
T1053.001: At (Linux)
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True (TACTICS OR TECHNIQUES WRONG)
T1548.001: Setuid and Setgid
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True (TACTICS OR TECHNIQUES WRONG)
T1134.004: Parent PID Spoofing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1547.006: Kernel Modules and Extensions
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://github.com/jermeyyy/rooty (timb-machine/linux-malware#440), citable: False (TACTICS OR TECHNIQUES WRONG)
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine/linux-malware#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine/linux-malware#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1100: Web Shell
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine/linux-malware#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine/linux-malware#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1037.004: RC Scripts
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine/linux-malware#414), citable: True (TACTICS OR TECHNIQUES WRONG)
T1543.002: Systemd Service
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True (TACTICS OR TECHNIQUES WRONG)
T1055.008: Ptrace System Calls
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1021.004: SSH
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine/linux-malware#414), citable: True
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True
T1556.003: Pluggable Authentication Modules
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://github.com/citronneur/pamspy (timb-machine/linux-malware#466), citable: False
- https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
T1014: Rootkit
T1070.002: Clear Linux or Mac System Logs
T1202: Indirect Command Execution
missing from ATT&CK
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (timb-machine/linux-malware#415), citable: False
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (timb-machine/linux-malware#197), citable: False
T1036: Masquerading
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine/linux-malware#435), citable: False
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine/linux-malware#434), citable: True
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine/linux-malware#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine/linux-malware#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine/linux-malware#425), citable: True
- https://vms.drweb.com/virus/?i=21004786 (timb-machine/linux-malware#433), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine/linux-malware#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine/linux-malware#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine/linux-malware#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine/linux-malware#426), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine/linux-malware#437), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine/linux-malware#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine/linux-malware#441), citable: True
T1055: Process Injection
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False
T1205: Traffic Signaling
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine/linux-malware#434), citable: True
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine/linux-malware#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine/linux-malware#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine/linux-malware#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine/linux-malware#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine/linux-malware#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine/linux-malware#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine/linux-malware#426), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine/linux-malware#437), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine/linux-malware#421), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine/linux-malware#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine/linux-malware#441), citable: True
T1620: Reflective Code Loading
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (timb-machine/linux-malware#415), citable: False
- http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (timb-machine/linux-malware#242), citable: False
- https://github.com/vbpf/ebpf-samples (timb-machine/linux-malware#215), citable: False
- https://github.com/nnsee/fileless-elf-exec (timb-machine/linux-malware#193), citable: False
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (timb-machine/linux-malware#495), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (timb-machine/linux-malware#231), citable: False
- https://redcanary.com/blog/ebpf-for-security/ (timb-machine/linux-malware#270), citable: False
- https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (timb-machine/linux-malware#436), citable: False
- https://github.com/trustedsec/ELFLoader (timb-machine/linux-malware#416), citable: False
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (timb-machine/linux-malware#197), citable: False
T1574.006: Dynamic Linker Hijacking
- https://github.com/NixOS/patchelf (timb-machine/linux-malware#443), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (timb-machine/linux-malware#468), citable: True
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
T1548.001: Setuid and Setgid
T1070: Indicator Removal on Host
- https://twitter.com/inversecos/status/1527188391347068928 (timb-machine/linux-malware#435), citable: False
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine/linux-malware#434), citable: True
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine/linux-malware#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine/linux-malware#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine/linux-malware#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine/linux-malware#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine/linux-malware#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine/linux-malware#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine/linux-malware#426), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine/linux-malware#437), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine/linux-malware#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine/linux-malware#441), citable: True
T1134.004: Parent PID Spoofing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False
T1078: Valid Accounts
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (timb-machine/linux-malware#439), citable: True (TACTICS OR TECHNIQUES WRONG)
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (timb-machine/linux-malware#129), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
missing from ATT&CK
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False
T1027: Obfuscated Files or Information
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine/linux-malware#414), citable: True
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True
- https://github.com/trustedsec/ELFLoader (timb-machine/linux-malware#416), citable: False
T1070.004: File Deletion
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (timb-machine/linux-malware#495), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.008: Ptrace System Calls
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (timb-machine/linux-malware#462), citable: False
- https://grugq.github.io/docs/ul_exec.txt (timb-machine/linux-malware#463), citable: False
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (timb-machine/linux-malware#461), citable: False
T1564.001: Hidden Files and Directories
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True
T1082: System Information Discovery
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True
T1083: File and Directory Discovery
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False (TACTICS OR TECHNIQUES WRONG)
T1005: Data from Local System
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False (TACTICS OR TECHNIQUES WRONG)
T1584: Compromise Infrastructure
missing from ATT&CK
- https://www.mandiant.com/resources/unc3524-eye-spy-email (timb-machine/linux-malware#414), citable: True
T1205: Traffic Signaling
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (timb-machine/linux-malware#434), citable: True
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (timb-machine/linux-malware#422), citable: False
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (timb-machine/linux-malware#418), citable: False
- https://twitter.com/cyb3rops/status/1523227511551033349 (timb-machine/linux-malware#425), citable: True
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (timb-machine/linux-malware#432), citable: True
- https://twitter.com/CraigHRowland/status/1523266585133457408 (timb-machine/linux-malware#424), citable: True
- https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf (timb-machine/linux-malware#449), citable: False
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (timb-machine/linux-malware#427), citable: True
- https://pastebin.com/raw/kmmJuuQP (timb-machine/linux-malware#426), citable: False
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False
- https://github.com/snapattack/bpfdoor-scanner (timb-machine/linux-malware#437), citable: False
- https://twitter.com/timb_machine/status/1523253031382687744 (timb-machine/linux-malware#421), citable: False
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (timb-machine/linux-malware#420), citable: False
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (timb-machine/linux-malware#441), citable: True
T1095: Non-Application Layer Protocol
- https://redcanary.com/blog/process-streams/ (timb-machine/linux-malware#494), citable: False
T1132: Data Encoding
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (timb-machine/linux-malware#447), citable: True
T1195.001: Compromise Software Dependencies and Development Tools
- https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (timb-machine/linux-malware#294), citable: False (TACTICS OR TECHNIQUES WRONG)
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (timb-machine/linux-malware#495), citable: False (TACTICS OR TECHNIQUES WRONG)
T1190: Exploit Public-Facing Application
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (timb-machine/linux-malware#373), citable: True
T1078: Valid Accounts