TA505

TA505Hive0065Spandex TempestCHIMBORAZO

[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)

Techniques

Covered

Gaps

94%

Coverage

Coverage32/34

GAPS (2)

T1087.003Email Account T1568.001Fast Flux DNS

COVERED (32)

T1027.002Software Packing1 det.T1027.010Command Obfuscation31 det.T1027.013Encrypted/Encoded File7 det.T1055.001Dynamic-link Library Injection11 det.T1059.001PowerShell338 det.T1059.003Windows Command Shell79 det.T1059.005Visual Basic66 det.T1059.007JavaScript58 det.T1069Permission Groups Discovery24 det.T1071.001Web Protocols74 det.T1078.002Domain Accounts26 det.T1105Ingress Tool Transfer170 det.T1106Native API27 det.T1112Modify Registry197 det.T1140Deobfuscate/Decode Files or Information55 det.T1204.001Malicious Link9 det.T1204.002Malicious File397 det.T1218.007Msiexec30 det.T1218.011Rundll3273 det.T1486Data Encrypted for Impact339 det.T1552.001Credentials In Files53 det.T1553.002Code Signing3 det.T1553.005Mark-of-the-Web Bypass11 det.T1555.003Credentials from Web Browsers15 det.T1559.002Dynamic Data Exchange1 det.T1562.001Disable or Modify Tools300 det.T1566.001Spearphishing Attachment850 det.T1566.002Spearphishing Link837 det.T1583.001Domains61 det.T1588.001Malware2 det.T1588.002Tool13 det.T1608.001Upload Malware2 det.