Mimikatz / SQLMap / Havij
This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): Magic Hound
- Tool type(s): Public offensive/security tooling
- Confidence level(s): Medium
- Source ID(s):
SRC-MITRE-G0059
Behavior
| Actor | Behavior Summary |
|---|
| Magic Hound | MITRE reports Magic Hound use of public tools including Mimikatz, sqlmap, Havij, Metasploit, and Plink. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| Magic Hound | No stable actor-specific hash; use process, command-line, and control-plane telemetry. | SRC-MITRE-G0059 |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| Magic Hound | Hunt credential dumping, SQL injection tooling on admin hosts, and public tool execution after phishing or edge compromise. |
Handling Notes
| Actor | Handling Notes |
|---|
| Magic Hound | Do not infer actor identity from common public tools. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
| Source | Publisher | Date | Reliability | Type | Last Reviewed |
|---|
SRC-MITRE-G0059 | MITRE ATT&CK | 2026-05-13 | A | Knowledge base | 2026-05-14 |
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.