{"description": "Enterprise techniques used by TONESHELL, ATT&CK software S1239 (v1.1)", "name": "TONESHELL (S1239)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) included functionality to create sub-processes with a specific user\u2019s token.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) included functionality to retrieve a list of user accounts.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has utilized HTTP for a C2 protocol through HTTP POST.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [TONESHELL](https://attack.mitre.org/software/S1239) has also utilized HTTPS for C2.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) used WinRAR rar.exe to archive files for exfiltration.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Unit42 Chinese VSCode 06 September 2024) [TONESHELL](https://attack.mitre.org/software/S1239) has also utilized a unique 13-character password consisting of upper lower case and digits to protect RAR archives.(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has added Registry Run keys to achieve persistence.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has created a reverse shell using `cmd.exe`.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has created a malicious service DISMsrv to maintain persistence.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has encoded a payload with a random 32-byte key using XOR.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [TONESHELL](https://attack.mitre.org/software/S1239) has also encoded payloads with a 256-byte key using XOR.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Zscaler) [TONESHELL](https://attack.mitre.org/software/S1239) variants have utilized FakeTLS headers with the bytes `0x17 0x03 0x03` to represent TLSv1.2 and `0x17 0x03 0x04` for TLSv1.3.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has leveraged custom exception handlers to hide code flow and stop execution of a debugger.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has the ability to pause operations for a specified duration prior to follow-on execution of activities.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has decoded its payload prior to execution.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Zscaler)(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used RC4 encryption in C2 communications.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [TONESHELL](https://attack.mitre.org/software/S1239) variants used a randomly generated variable length (0x20 - 0x200 bytes) rolling XOR key to encrypt and decrypt network packets.(Citation: Zscaler)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has an exception handler that executes when ESET antivirus applications `ekrn.exe` and `egui.exe` are not found and directly injects its code into waitfor.exe using Native Windows API including `WriteProcessMemory` and `CreateRemoteThreadEx`.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1480.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has generated unique GUIDs to identify victim devices.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Zscaler) [TONESHELL](https://attack.mitre.org/software/S1239) has leveraged environmental keying in payload delivery using the victim computer name and other configuration values.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA) [TONESHELL](https://attack.mitre.org/software/S1239) has also tracked IDs associated with reverse shell subprocesses to manage interactions and terminations from C2.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has created a mutex to avoid duplicate execution.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has abused legitimate executables to side-load malicious DLLs.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Trend Micro Mustang Panda Earth Preta TONESHELL June 2023) [TONESHELL](https://attack.mitre.org/software/S1239) has also been loaded via DLL side-loading, using legitimate, signed executables to include: FastVD.exe, Bandizip.exe and gpgconf.exe.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has deleted payload files received from the C2 server.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has the ability to download additional files to the victim device.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has capabilities to conduct keylogging.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has facilitated inter-process communication between DLL components via the use of pipes.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023) [TONESHELL](https://attack.mitre.org/software/S1239) has also created a reverse shell using two anonymous pipes to write data to stdin and read data from stdout and stderr.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": 
"[TONESHELL](https://attack.mitre.org/software/S1239) has retrieved the disk serial number of the device using WMI query `SELECT volumeserialnumber FROM win32_logicaldisk where Name =\u2019C:` to identify the victim machine.(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has masqueraded as the legitimate Windows utility service DISMsrv (Dism Images Servicing Utility Service).(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has renamed malicious files to mimic legitimate file names and file extensions.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [TONESHELL](https://attack.mitre.org/software/S1239) has also masqueraded as legitimate file names to include LogMeIn.dll.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has utilized Native Windows API functions such as `WriteProcessMemory` and `CreateRemoteThreadEx`.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025) [TONESHELL](https://attack.mitre.org/software/S1239) has also utilized Windows API functions for creating seed values including `CoCreateGuid` and `GetTickCount`.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Zscaler) [TONESHELL](https://attack.mitre.org/software/S1239) has leveraged the legitimate API function `EnumSystemLocalesA` to run its shellcode through the callback function.(Citation: Palo Alto Networks, Unit 42)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": 
"[TONESHELL](https://attack.mitre.org/software/S1239) has utilized TCP-based reverse shells.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used randomized padding to obfuscate payloads.(Citation: Zscaler)(Citation: Unit42 Chinese VSCode 06 September 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has utilized a modified DJB2 algorithm to resolve APIs.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.012", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has been initiated using LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has checked the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [TONESHELL](https://attack.mitre.org/software/S1239) has also searched for running antivirus processes to include ESET\u2019s antivirus associated executables ekrn.exe and egui.exe.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used DLL injection to execute payloads received from the C2 server.(Citation: Zscaler)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has created scheduled tasks to maintain persistence.(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has conducted screen capturing.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has checked for the presence of ESET antivirus applications `ekrn.exe` and `egui.exe`.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used valid legitimate digital signatures and certificates to evade detection.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used regsvr32.exe to execute the windows `DLLRegisterServer` function.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.013", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has injected its malicious payload into a running process through Windows utility Microsoft Application Virtualization Injector `MAVInject.exe`.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has the ability to retrieve the name of the infected machine.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has obtained the username from an infected host.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has utilized a magic value in C2 communications and only executes in memory when response packets match specific values.(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Trend Micro Mustang Panda Earth Preta TONESHELL June 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.002", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has leveraged `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and comparing each window handle.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[TONESHELL](https://attack.mitre.org/software/S1239) has used WMI queries to gather information from the system.(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", 
"#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TONESHELL", "color": "#66b1ff"}]}