CVE-2015-1701
Published: 2015-04-21
PriorityP187high7.8CVSS 3.1
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-03-24)
Exploited in the wild
EPSS: 56.20% (98.9th percentile)
Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
- Malware uses low-level direct system calls (INT 2Eh and CALL ntdll!KiFastSystemCall) to bypass user-space hooks used by AV and sandboxes.
- Malware re-encrypts its string literals region with RC4 before process termination to hinder memory dump analysis; look for RC4 key 'dqrChZonUF' in memory.
- Malware removes filter driver registry entries before reboot to prevent AV drivers from loading early in the boot process; monitor for bulk deletion of filter driver registry keys.
- Purple Fox exploit chain uses CVE-2015-1701 alongside CVE-2018-8120 via an abused PowerSploit module when the current user lacks admin rights; monitor for PowerSploit module execution followed by msiexec.exe download activity.
- APT16 delivered the CVE-2015-1701 exploit via malicious Microsoft Word documents exploiting an EPS dict copy use-after-free vulnerability; resulting payloads are the IRONHALO downloader or the ELMER backdoor.
- Malware checks two hard-coded MAC addresses and terminates if the host matches; it also terminates if ZKTeco ZKAccess software is present — these anti-analysis checks can be used as behavioral detection triggers.
- The SLUB backdoor issues commands to ALL infected hosts simultaneously via a shared GitHub gist; the attacker cannot target individual machines, meaning command IOCs observed in the gist apply to all victims at once.
- Analysts relying solely on sandbox solutions may miss the full functionality of the CVE-2015-1701 sample due to extensive anti-sandboxing techniques; manual analysis or patching of environment checks is required.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2015-1701 [HIGH] CWE-264 Microsoft Win32k Privilege Escalation Vulnerability
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
An unspecified vulnerability exists in the Win32k.sys kernel-mode driver in Microsoft Windows Server that allows a local attacker to execute arbitrary code with elevated privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-1701
Remediation Due Date: 2022-03-24
GHSA
GHSA-rq9p-fw9r-ppg4: Win32k
ghsa_unreviewed·2022-05-13
CVE-2015-1701 [HIGH] GHSA-rq9p-fw9r-ppg4: Win32k
Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck·2015·CVSS 7.8
CVE-2015-1701 [HIGH] CWE-264 Microsoft Win32k Privilege Escalation Vulnerability
Microsoft Win32k Privilege Escalation Vulnerability
An unspecified vulnerability exists in the Win32k.sys kernel-mode driver in Microsoft Windows Server that allows a local attacker to execute arbitrary code with elevated privileges.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html; https://www.cve.org/CVERecord?id=CVE-2015-1701; https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html; https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; https://www2.fireeye.com/rs/848-DID-242/
Exploit-DB
Microsoft Windows - ClientCopyImage Win32k (MS15-051) (Metasploit)
exploitdb·2015-06-24·CVSS 7.8
CVE-2015-1701 [HIGH] Microsoft Windows - ClientCopyImage Win32k (MS15-051) (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 'Windows ClientCopyImage Win32k Exploit',
'Description' => %q{
This module exploits improper object handling in the win32k.sys kernel mode driver.
This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
Windows 2008 R2 SP1 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'Unknown', # vulnerability discovery and exploit in the wild
'hfirefox', # Code released on github
'OJ Reeves' # msf module
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => 'win',
'
```
Exploit-DB
Microsoft Windows - Local Privilege Escalation (MS15-051)
exploitdb·2015-05-18·CVSS 7.8
CVE-2015-1701 [HIGH] Microsoft Windows - Local Privilege Escalation (MS15-051)
---
# Source: https://github.com/hfiref0x/CVE-2015-1701
Win32k LPE vulnerability used in APT attack
Original info: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
Credits
R136a1 / hfiref0x
## Compiled EXE:
### x86
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe
+ Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-32.exe
### x64
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
+ Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-64.exe
## Source Code:
+ https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip
+ EDB Mirror: https
Metasploit
Windows ClientCopyImage Win32k Exploit
metasploit
This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
Dfir Report
Inside the Open Directory of the “You Dun” Threat Group
blogs_dfir_report·2024-10-28
Bleepingcomputer
Privilege elevation exploits used in over 50% of insider attacks
blogs_bleepingcomputer·2023-12-08
By Bill Toulas
Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner.
A report by Crowdstrike based on data gathered between January 2021 and April 2023 shows that insider threats are on the rise and that using privilege escalation flaws is a significant component of unauthorized activity.
According to the report, 55% of insider threats logged by the company rely on privilege escalation exploits, while the remaining 45% unwittingly introduce risks by downloading or misusing offensive tools.
Rogue insiders typically turn against their employer b
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Checkpoint
Exploit Developer Spotlight: The Story of PlayBit
blogs_checkpoint·2020-10-26·CVSS 7.8
CVE-2018-8453 [HIGH] Exploit Developer Spotlight: The Story of PlayBit
Research By: Eyal Itkin and Itay Cohen
## Introduction
Exploits have always been an important and integral part of malicious attacks.
Checkpoint
Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint·2020-10-02
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Trendmicro
‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell
blogs_trendmicro·2019-09-09
This new iteration of Purple Fox that we came across, delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It also abuses PowerShell, making it capable of fileless infection.
By: Johnlery Triunfante, Earle Maui Earnshaw, Michael Jhon Ofiaza · Sep 09, 2019
Exploit kits may no longer be as prolific as it was back when their activities were detected in the millions, but their recurring activities in the first half of 2019 indicate that they won’t be going away any time soon. The Rig exploit kit, for instance, is known for delivering various payloads — such as downloader trojans, ransomware, cryptocurrency-mining malwar
Talos
China Chopper still active 9 years later
blogs_talos·2019-08-27
By Paul Rascagneres and Vanja Svajcer.
### Introduction
Threats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. China Chopper is a web shell that allows attackers to retain access to an infected system using a client-side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years, we've seen several different campaigns utilizing this web shell; we chose to document the three most active campaigns in this blog post.
We decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications provide
Trendmicro
New SLUB Backdoor Uses GitHub, Communicates via Slack
blogs_trendmicro·2019-03-07·CVSS 7.5
[HIGH] New SLUB Backdoor Uses GitHub, Communicates via Slack
We discovered a malware that uses three different online services -- including Slack and GitHub -- as part of its routine. Analysis of the attacker's TTPs led us to believe that this might be a targeted attack from capable threat actors.
By: Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, Joseph C Chen · 2019/03/07
We recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we discovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. The infection was done by exploiting
Sentinelone
Malware Discovered - SFG: Furtim Malware Analysis
blogs_sentinelone·2016-07-12
By Joseph Landry and Udi Shamir
Update, 14-July: There have been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems. We want to emphasize that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.
The Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one energy company. Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potential
Talos
Microsoft Patch Tuesday - May 2015
blogs_talos·2015-05-12·CVSS 4.3
[MEDIUM] Microsoft Patch Tuesday - May 2015
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 13 bulletins being released which address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal. The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, Sharepoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.
## Bulletins Rated Critical
MS15-043, MS15-044, and MS15-045 are rated Critical.
MS15-043 is this month’s Internet Explorer security bulletin with vulnerabilities in versions 6 through 11 being ad
Threat Intel
APT28 (APT28, IRON TWILIGHT, SNAKEMACKEREL)
threat_intel
# Threat Actor Profile: APT28
ATT&CK ID: G0007
Also known as: APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Suspected origin: Russia
## Overview
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-412
Crowdstrike
How Insiders Use Vulnerabilities Against Organizations
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] How Insiders Use Vulnerabilities Against Organizations
Threat Intel
APT16
threat_intel·CVSS 7.8
[HIGH] APT16
# Threat Actor: APT16
Suspected state sponsor: China
Known victims (countries): Japan, Taiwan
Target sectors: Private sector
## Description
Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.
## Associated Malware Famil
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References
- http://seclists.org/fulldisclosure/2020/May/34
- http://twitter.com/symantec/statuses/590208710527549440
- http://www.securityfocus.com/bid/74245
- http://www.securitytracker.com/id/1032155
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-051
- https://www.exploit-db.com/exploits/37049/
- https://www.exploit-db.com/exploits/37367/
- https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1701
Timeline
- 2015-04-21: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild