TA505

TA505Hive0065Spandex TempestCHIMBORAZO

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)

Techniques

Covered

Gaps

94%

Coverage

Coverage33/35

GAPS (2)

T1087.003Email Account T1568.001Fast Flux DNS

COVERED (33)

T1027.002Software Packing1 det.T1027.010Command Obfuscation38 det.T1027.013Encrypted/Encoded File8 det.T1055.001Dynamic-link Library Injection13 det.T1059.001PowerShell368 det.T1059.003Windows Command Shell82 det.T1059.005Visual Basic68 det.T1059.007JavaScript61 det.T1069Permission Groups Discovery31 det.T1071.001Web Protocols80 det.T1078.002Domain Accounts28 det.T1105Ingress Tool Transfer183 det.T1106Native API29 det.T1112Modify Registry203 det.T1140Deobfuscate/Decode Files or Information58 det.T1204.001Malicious Link10 det.T1204.002Malicious File425 det.T1218.007Msiexec33 det.T1218.011Rundll3275 det.T1486Data Encrypted for Impact360 det.T1552.001Credentials In Files61 det.T1553.002Code Signing3 det.T1553.005Mark-of-the-Web Bypass11 det.T1555.003Credentials from Web Browsers16 det.T1559.002Dynamic Data Exchange1 det.T1562.001Disable or Modify Tools311 det.T1566.001Spearphishing Attachment905 det.T1566.002Spearphishing Link904 det.T1583.001Domains61 det.T1588.001Malware2 det.T1588.002Tool13 det.T1608.001Upload Malware3 det.T1685Disable or Modify Tools278 det.