{"description": "Enterprise techniques used by UNC3886, ATT&CK group G1048 (v1.0)", "name": "UNC3886 (G1048)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used vSphere Installation Bundles (VIBs) that contained modified descriptor XML files with the `acceptance-level` set to `partner` which allowed for privilege escalation.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used Gzip and the Windows command `makecab` to compress files and stolen credentials from victim systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has XOR encrypted and Gzip compressed captured credentials.(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has attempted to bypass digital signature verification checks at startup by adding a command to the startup config `/etc/init.d/localnet` within the rootfs.gz archive of both FortiManager and FortiAnalyzer devices.(Citation: Mandiant Fortinet Zero Day)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1037.004", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has placed a bash installation script into `/etc/rc.local.d/` to establish persistence.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", 
"showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used a PowerShell script to search memory dumps for credentials.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has executed Windows commands on guest virtual machines through `vmtoolsd.exe`.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used a bash script to install malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used malware capable of launching an interactive shell.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used Python scripts to enumerate ESXi hosts and guest VMs.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.008", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) accessed the Junos OS CLI on targeted devices.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1059.012", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used the esxcli command line utility to modify firewall rules, install malware, and for artifact 
removal.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1554", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has trojanized Fortinet firmware and replaced the legitimate `/usr/bin/tac_plus` TACACS+ daemon for Linux with a malicious version containing credential logging functionality.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Mandiant Fortinet Zero Day)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) performed a local memory patching attack to modify the snmpd and mgd Junos OS daemons.(Citation: Juniper RedPenguin MAR 2025)\n", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.005", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has targeted KeePass password database files for credential access.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "\n[UNC3886](https://attack.mitre.org/groups/G1048) has staged captured credentials in `var/log/ldapd.2.gz`.(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used malware implants to deobfuscate incoming C2 messages and encoded archives.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": 
"[UNC3886](https://attack.mitre.org/groups/G1048) has deployed custom malware families on Fortinet and VMware systems.(Citation: Mandiant Fortinet Zero Day)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) deployed custom malware based on the publicly-available TINYSHELL backdoor.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Censys RedPenguin MAR 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1587.004", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used zero-day vulnerabilities CVE-2022-41328 against FortiOS and CVE-2023-20867 and CVE-2023-34048 against VMware vCenter.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1686", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall rules.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has disabled OpenSSL digital signature verification of system files through corruption of boot files.(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) malware used the RC4 cipher to encrypt outgoing C2 messages.(Citation: Juniper RedPenguin MAR 2025)\n", "score": 1, "color": "#ff6666", 
"showSubtechniques": true}, {"techniqueID": "T1675", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) used `vmtoolsd.exe` to run commands on guest virtual machines from a compromised ESXi host.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) uploaded specified files from compromised devices to a remote server.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has exploited CVE-2023-34048 to enable command execution on vCenter servers and CVE-2023-20867 in VMware Tools to execute unauthenticated Guest Operations from ESXi hosts to guest VMs.(Citation: Google Cloud Mandiant UNC3886 2024)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) exploited CVE-2025-21590 to bypass Veriexec protections in Junos OS designed to prevent unauthorized binary execution.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)\n", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1212", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) exploited CVE-2022-22948 in VMware vCenter to obtain encrypted credentials from the 
vCenter postgresDB.(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has exploited zero-day vulnerability CVE-2023-20867 to enable execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has employed layers of redundancy to maintain access to compromised environments including network devices, hypervisors, and virtual machines.(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used `vmtoolsd.exe` to enumerate files on guest machines.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.011", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) modified the startup file `/etc/init.d/localnet` to execute the line `nohup /bin/support &` so the script would run when the system was rebooted.(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used the esxcli command line to remove files created by malicious vSphere Installation Bundles from disk.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Mandiant Fortinet Zero Day)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), 
[UNC3886](https://attack.mitre.org/groups/G1048) used malware capable of removing scripts after execution.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)\n\n", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (VIBs).(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.007", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has cleared specific events that contained the threat actor\u2019s IP address from multiple log sources.(Citation: Mandiant Fortinet Zero Day)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used an implant to delete logs associated with unauthorized access to targeted Junos OS devices.(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used backdoor malware capable of downloading files to compromised infrastructure.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has utilized Python scripts to transfer files between ESXi hosts and guest VMs.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has named a file \u2018fgfm\u2019 in an attempt to disguise it as the legitimate service \u2018fgfmd\u2019 
which facilitates communication between FortiManager and the FortiGate firewall.(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)\n", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1104", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used malware with separate channels to request and carry out tasks from C2.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used the LOOKOVER sniffer to sniff TACACS+ authentication packets.(Citation: Google Cloud Mandiant UNC3886 2024)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used a passive backdoor to act as a libpcap-based packet sniffer.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)\n", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has deployed backdoors that communicate over TCP to compromised network devices and over VMCI to ESXi hosts.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Mandiant Fortinet Zero Day)\n\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) leveraged malware that used UDP and TCP sockets for C2.(Citation: Mandiant UNC3886 Juniper Routers MAR 
2025)(Citation: Censys RedPenguin MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used a backdoor that binds to port 45678 by default.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)\n", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.005", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has replaced atomic indicators mentioned in threat intelligence publications, sometimes as quickly as under a week after release.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) generated Base64-encoded files in the FreeBSD shell environment of targeted Juniper devices.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)\n", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.001", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used the publicly available rootkits [REPTILE](https://attack.mitre.org/software/S1219) and [MEDUSA](https://attack.mitre.org/software/S1220).(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.004", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has deployed malware using the victim's legitimate TLS certificate obtained from a compromised FortiGate device.(Citation: Google Cloud Mandiant UNC3886 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used MiniDump to dump process memory and search for cleartext credentials.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1690", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has tampered with and disabled logging services on targeted systems.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used malware to clear the `HISTFILE` environmental variable and to inject into Junos OS processes to inhibit logging.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)\n", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has run scripts to list all running processes on a guest VM from an ESXi host.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used malware capable of reading the PID for the Junos OS snmpd daemon.(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) exploited CVE-2025-21590 to enable malicious code injection into the memory of legitimate processes.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), 
[UNC3886](https://attack.mitre.org/groups/G1048) used malware capable of establishing a SOCKS proxy connection to a specified IP and port.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used infrastructure associated with operational relay box (ORB) networks.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has established remote SSH access to targeted ESXi hosts.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1014", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used the publicly available rootkits [REPTILE](https://attack.mitre.org/software/S1219) and [MEDUSA](https://attack.mitre.org/software/S1220) on targeted VMs.(Citation: Google Cloud Mandiant UNC3886 2024)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used rootkits such as [REPTILE](https://attack.mitre.org/software/S1219) and [MEDUSA](https://attack.mitre.org/software/S1220).(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1681", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has replaced indicators mentioned in open-source threat intelligence publications at times under a week after their release.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.006", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi hypervisors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": " [UNC3886](https://attack.mitre.org/groups/G1048) has used rundll32.exe to execute MiniDump for dumping LSASS process memory.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "During [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) leveraged Junos OS CLI queries to obtain the interface index which contains system and network details.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Juniper RedPenguin MAR 2025)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used installation scripts to collect the system time on targeted ESXi hosts.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices.(Citation: Mandiant Fortinet Zero Day)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) leveraged malware capable of inspecting packets for a magic-string to activate backdoor 
functionalities.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)\n", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1205.001", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) maintained persistence on FortiGate Firewalls through ICMP port knocking.(Citation: Mandiant Fortinet Zero Day)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used tools to hijack valid SSH accounts.(Citation: Google Cloud Mandiant UNC3886 2024)\n\nDuring [RedPenguin](https://attack.mitre.org/campaigns/C0056), [UNC3886](https://attack.mitre.org/groups/G1048) used legitimate credentials to gain privileged access to Juniper routers.(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)(Citation: Censys RedPenguin MAR 2025)\n\n", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078.001", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has harvested and used vCenter Server service accounts.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1673", "comment": "[UNC3886](https://attack.mitre.org/groups/G1048) has used scripts to enumerate ESXi hypervisors and their guest VMs.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by UNC3886", "color": "#66b1ff"}, {"label": "used by a campaign attributed to UNC3886", "color": "#ff6666"}, {"label": "used by UNC3886 and used by a campaign attributed to UNC3886", "color": "#ff66f4"}]}