16 posts categorized "#Incident management" Feed

Jan 26, 2016

Windows Commands Abused by Attackers

Hello again, this is Shusei Tomonaga from the Analysis Center.

In Windows OS, various commands (hereafter “Windows commands”) are installed by default. However, what is actually used by general users is just a small part of it. On the other hand, JPCERT/CC has observed that attackers intruding into a network also use Windows commands in order to collect information and/or to spread malware infection within the network. What is worth noting here is the gap between those Window commands used by general users and by attackers. If there is a huge difference, it would be possible to detect or limit the attackers’ behaviour by monitoring/controlling the Windows command execution.

This entry will demonstrate how to mitigate the attack impact by revealing Windows commands that attackers use on the intruded Windows OS, and by restricting the execution of those commands that are unnecessary for general users.

Malware for remote control (Remote Access Tool/Trojan – RAT) has a function to execute shell commands from a remote environment. With this, attackers can execute Windows commands from a remote environment.

Attackers who successfully installed such malware in a network will attempt to take control of the system within the network in the following sequence in order to collect confidential information, etc.

  1. Initial investigation: Collect information of the infected machine
  2. Reconnaissance: Look for information saved in the machine and remote machines within the network
  3. Spread of infection: Infect the machine with other malware or try to access other machines

Windows commands are used in all of the phases above. Respective Windows commands used in each phase are introduced here below.

Initial Investigation

Table 1 lists the commands that are often used by attackers in an attempt to collect information of the infected machine. “Times executed” is derived from the sum of Windows commands used by 3 different attack groups in their respective C&C servers (Please refer to Appendix A, B and C for details).

Table 1: Initial Investigation (Top 10 commands)
RankingCommandTimes executed
1 tasklist 155
2 ver 95
3 ipconfig 76
4 systeminfo 40
5 net time 31
6 netstat 27
7 whoami 22
8 net start 16
9 qprocess 15
10 query 14

Attackers use commands such as “tasklist”, “ver”, “ipconfig” and “systeminfo”, etc., and collect information of the network, process and OS in order to investigate what kind of machine they succeeded in infecting. This is presumably how they make sure that the machine is not a sandbox for malware analysis purposes and so on.


Commands shown in Table 2 are often used to search for confidential information and remote machines within the network.

Table 2: Reconnaissance (Top 10 commands)
RankingCommandTimes executed
1 dir 976
2 net view 236
3 ping 200
4 net use 194
5 type 120
6 net user 95
7 net localgroup 39
8 net group 20
9 net config 16
10 net share 11

Attackers use “dir” and “type” to search for files. Sometimes they collect a list of all the document files in the infected machine by setting appropriate options and arguments for “dir” command.

For searching networks, “net” is used. In particular, the following commands are often seen:

  • net view: Obtain a list of connectable domain resources
  • net user: Manage local/domain accounts
  • net localgroup: Obtain a list of users belonging to local groups
  • net group: Obtain a list of users belonging to certain domain groups
  • net use: Access to resources

Furthermore, the following commands may be used in an environment where Active Directory is used (Please refer to Table 5 in Appendix A). These commands are installed in Windows Server and do not originally exist in client OS such as Windows 7 and 8.1 – but attackers download and install these commands from outside and execute them.

  • dsquery: Search for accounts in Active Directory
  • csvde: Obtain account information in Active Directory

Spread of Infection

To intrude remote machines and spread malware infection within the network, the following commands are often executed:

Table 3: Spread of Infection
RankingCommandTimes executed
1 at 103
2 reg 31
3 wmic 24
4 wusa 7
5 netsh advfirewall 4
6 sc 4
7 rundll32 2

*”wmic” is also used for reconnaissance.

“at” and “wmic” are often used to execute malware on remote machines.

With “at” command, attackers can execute commands on remote machines, by registering tasks to execute files against connectable machines as follows.

at \\[remote host name or IP address] 12:00 cmd /c "C:\windows\temp\mal.exe"

Also, by setting the following options and arguments with “wmic” command, attackers can execute commands on remote machines.

wmic /node:[IP address] /user:”[user name]” /password:”[password]” process call create “cmd /c c:\Windows\System32\net.exe user”

Restricting Execution of Unnecessary Windows Commands

It is fair to say that these Windows commands used by attackers include those that are unused by general users, if carefully selected. With AppLocker and software restriction policy, which restrict such commands from being executed, it would be possible to limit the attackers’ behaviour. For example, if you wish to restrict “net” commands, you can set rules as in Figure 1. (For details of AppLocker configuration, please see Microsoft’s Website [1]).

Figure 1: AppLocker Rules

Also, by enabling AppLocker, events where selected Windows commands were executed or attempted but denied will be recorded in the event logs, which can be utilized for investigation on Windows commands that attackers executed after infecting the machine with malware.

Figure 2: Logs of the Processes Restricted by AppLocker

AppLocker can also just monitor Windows commands [2]. With this, AppLocker cannot prevent unintended Windows commands from being executed, but the execution history will be recorded in the event log. If the users themselves use Windows commands that may be used for attacks, it is a good idea to set AppLocker just for monitoring purpose. (Windows command execution can also be monitored by activating “Audit Process Creation” in the local security policy.)


In targeted attacks, attackers not only use functions implemented in the malware, but also often use Windows commands to pursue their purposes. If such activities can be hindered, spread of incidents can be prevented in a fairly early stage. However, it may be difficult to limit the usage of Windows commands right away – so our recommendation is to start by collecting logs of executed processes by using AppLocker, etc.

Thank you for reading and best wishes for the New Year!

- Shusei Tomonaga


[1] Microsoft - Windows AppLocker

[2] Microsoft – Using Auditing to Track Which Applications Are Used


Appendix A: List of Executed Commands by respective Attack Groups (Attack Group A)
Table 4: Initial Investigation (Attack Group A)
RankingCommandTimes executedOption
1 tasklist 119 /s /v
2 ver 92
3 ipconfig 58 /all
4 net time 30
5 systeminfo 24
6 netstat 22 -ano
7 qprocess 15
8 query 14 user
9 whoami 14 /all
10 net start 10
11 nslookup 4
12 fsutil 3 fsinfo drives
13 time 2 /t
14 set 1

Table 5: Reconnaissance (Attack Group A)
RankingCommandTimes executedOption
1 dir 903
2 net view 226
3 ping 196
4 net use 193
5 type 118
6 net user 74
7 net localgroup 35
8 net group 19
9 net config 16
10 net share 11
11 dsquery 6
12 csvde 5 /f /q
13 nbtstat 5 -a
14 net session 3
15 nltest 3 /dclist
16 wevtutil 2

Table 6: Spread of Infection (Attack Group A)
RankingCommandTimes executedOption
1 at 98
2 reg 29 add export query
3 wmic 24
4 netsh advfirewall 4
5 sc 4 qc query
6 wusa 2
Appendix B: List of Executed Commands by respective Attack Groups (Attack Group B)
Table 7: Initial Investigation (Attack Group B)
RankingCommandTimes executedOption
1 tasklist 29 /m /svc
2 whoami 6
3 ipconfig 5 /all
4 net start 4
5 netstat 3 -ano
6 nslookup 3
7 ver 2
8 time 1 /t

Table 8: Reconnaissance (Attack Group B)
RankingCommandTimes executedOption
1 dir 62
2 net user 21 /domain /add
3 net view 9 /domain
4 ping 4
5 net localgroup 4 /add
6 tree 3 /F
7 type 2
8 net group 1 /domain

Table 9: Spread of Infection (Attack Group B)
RankingCommandTimes executedOption
1 at 5
2 wusa 5
3 reg 2
4 rundll32 2
Appendix C: List of Executed Commands by respective Attack Groups (Attack Group C)
Table 10: Initial Investigation (Attack Group C)
RankingCommandTimes executedOption
1 systeminfo 16
2 ipconfig 13 /all /?
3 tasklist 7
4 netstat 5 -ano
5 whoami 2
6 net start 2
7 arp 1 -a
8 chcp 1
9 net time 1
10 ver 1

Table 11: Reconnaissance (Attack Group C)
RankingCommandTimes executedOption
1 dir 11
2 net user 1 /all /?
3 net view 1
4 qwinsta 1 -ano

*Commands for “Spread of Infection” by Attack Group C are omitted since they did not spread the infection.

Nov 06, 2015

Emdivi and the Rise of Targeted Attacks in Japan

You may well have heard of the May cyber attack in Japan against the Japan Pension Service – a high-profile case seen in the first half of this year, where 1.25 million cases of personal data was exposed. According to the Japan Pension Service, the data leaked included names and ID numbers, and for some cases, dates of birth and home addresses.

The official reports(1) say that the massive leak was caused by attackers hacking Japan Pension Service staff computers through a malicious email attachment, which was disguised as a legitimate document, but in fact was a malware. According to other various sources, the malware used is said to be “Emdivi.” This classic ploy, or targeted attack, has been around for years – however, Japan is recently experiencing a rise in this attack.

According to the National Police Agency, the number of targeted email attacks they have recognized count up to 492 cases in 2013, 1,723 in 2014 and 1,472 in the first half of 2015 alone.

Figure 1: Number of Targeted Attacks Recognized by the National Police Agency [Click to enlarge image]

Source: Cyberspace Threat Landscape in the first half of 2015 https://www.npa.go.jp/kanbou/cybersecurity/H27_kami_jousei.pdf (Japanese only)

Note: The title/figure have been translated by JPCERT/CC


Emdivi is notoriously used in these targeted attacks, and what is distinct is that it specifically focuses on Japanese targets. The Japan Pension Service indeed drew nationwide attention, but Emdivi has victimized several other government and private organizations. This attack campaign, specifically targeting Japan, is also known as “CloudyOmega” named by Symantec, or “Blue Termite” by Kaspersky.

Following this trend, JPCERT/CC newly added a “targeted attack” category in its Incident Handling Report (April – June 2015), to count the number of targeted attack incidents reported to JPCERT/CC.

Figure 2: Category of Incidents Reported to JPCERT/CC (April – June 2015) [Click to enlarge image]



Although targeted attack accounts for a mere 1.4%, the significance and impact of the attack has forced to take as much as half the resource of our Incident Response Group, according to the Group’s Manager. During the quarter, JPCERT/CC notified 66 organizations on the possibility of being victimized by targeted attacks, of which 44 were related to Emdivi. Based on the reports received, JPCERT/CC investigated the malware and attack infrastructures (C&C servers, etc.), and also developed a tool for visualizing the relation of Indicators of Compromise (IOCs) for further analysis. The visualization is shown in Figure 3.

Figure 3: Visualization of the Relation of IOCs [Click to enlarge image]



This tool aims to sort out various information relating to targeted attacks, and to give an overall picture of what is going on. While various campaigns and attack groups have been observed by security related organizations, the same campaign may have different names (as mentioned above), or different campaigns may have similar attack methods. This could cause confusion when you want to find out where a certain piece of indicator information was observed. This tool was developed to resolve this confusion. By registering the IOCs of respective attack campaigns and incidents, and also the relation of the IOCs, it is designed to visualize the big picture of the attack.

Based on these analyses, JPCERT/CC engages in sharing information with organizations that may potentially become the next target, as well as notifying organizations that are presumed to be victimized already. As Emdivi is also known for cleverly hiding itself, there is a high possibility that still several organizations are unaware of the situation, even if they are already infected. JPCERT/CC will continue to make every effort to address such situations in cooperation with other relevant parties.

In the next blog posts, our Analysis Center will introduce technical knowledge on JPCERT/CC’s tools, developed to detect malware in targeted attacks as well as to analyze Emdivi. See you again there!

- Keishi Kubo and Shiori Kubo


(1) Official Reports:

Note: The titles of the reports have been translated by JPCERT/CC

    Oct 21, 2015

    The 5th CERT-RO Annual International Conference in Bucharest and Latest Cyber Security Trends in Romania

    Hello again, it’s Yuka at the Global Coordination Division.

    Following my recent trip to Malaysia to join APCERT Annual General Meeting and Conference 2015, I had my first travel to Europe – and that was to Bucharest, Romania to attend a conference hosted by CERT-RO, the National CSIRT of Romania. They host a conference annually, and this year it was the 5th time for this event, held from 5th - 6th October.

    The programme on the first day morning consisted of two panel discussions, with global and Romanian national focus on cyber security. Experts were invited from different stakeholders to exchange ideas on the recent cyber threats, law enforcement and policies, etc. For the afternoon session, the following CSIRTs around the globe including JPCERT/CC, who have partnerships with CERT-RO, delivered a short presentation about their activities.

    ALCIRT (Albania)

    CERT-EE (Estonia)

    CERT.lv (Latvia)

    KrCERT/CC (South Korea)

    South African Government CSIRT (South Africa)

    I myself presented briefly about JPCERT/CC, its organisation overview, the latest incident statistics and some ongoing projects, including TSUBAME and Cyber Green.


    (Photo of me speaking: provided by CERT-RO)

    It was interesting to hear each CSIRT’s organisational structure, including which ministry they belong to and different range of authority that each CSIRT has over their local ISPs and users. It was also a great opportunity to build bridges to CSIRTs that are located far away from Japan.

    Through the panel sessions in the morning about local trends in cyber security in Romania, and a presentation provided by a CERT-RO colleague in the afternoon, here below are some things that I learned about cyber-related matters in Romania:

    • CERT-RO, established in 2011, is operated under the Ministry of Communications and Information Society.
    • Following the enactment of Romanian Cyber Security Strategy in 2013, the Romanian government (together with CERT-RO) is now preparing cyber security related laws on ISPs’ responsibilities in case of incidents.
    • CERT-RO has been focusing on awareness raising campaigns and trainings in local communities (e.g. incident handling, malware analysis).
    • CERT-RO provides internship programs for students majoring in cyber security related studies.
    • Most common malware observed in Romania are Downadup and Zeus. Statistics show that about 10% of IP addresses located within Romania are infected with conficker.
    • There are many cases where Romanian IP addresses are used for attacks as proxies.

    One of the outcomes of the collaboration between JPCERT/CC and CERT-RO is that we have provided our “IT Security Inoculation kit” based on our discussion during our previous year’s visit to Bucharest. This is a tool that JPCERT/CC has developed for awareness-raising purposes against targeted email attacks with malicious attachments and the like. Designed for implementation at organisations such as companies, it has a feature to send emails that attract the recipients’ attention by indicating relevant topics such as internal business communications, latest news topics, questionnaires, etc., and attempts to induce them to open attached files or click on URLs (which actually is harmless!). It gives warning to those who were trapped about the risks that may involve, and at the same time, allows examiners to keep track of who actually opened the attachments/links. This feature enables examiners to analyse the tendency of examinees’ behaviours, and also how their performance improves if tested repeatedly. Since CERT-RO has been working on awareness-raising programs in the local community, they found the tool useful and implemented it in several organisations within Romania. We are happy that CERT-RO liked it – and hope to keep collaborating in this field and others!

    We would like to thank CERT-RO colleagues again for their kind hospitality and invitation to the great event.

    Thanks for reading and see you soon.

     - Yukako Uchida

    Jul 10, 2015

    The 27th FIRST Annual Conference in Berlin

    Hello, Taki here, and its currently rainy season in Japan.

    Just recently, I attended the 27th FIRST Annual Conference, held on June 14-19 , 2015 in Berlin – a city that I visited for the first time.


    (Photo by Hiroshi Kobayashi)

    I would like to go over some activities that JPCERT/CC was involved in during the conference.

    This year I attended together with 3 colleagues, Yurie Ito, Koichiro (Sparky) Komiyama and Hiroshi Kobayashi. The conference was themed “Unified Security: Improving the Future”, focusing attendees’ collective efforts on improving the future of security together. As usual, it was great to catch up with the various people that work in the industry and also getting to know some new people as well. Many discussions around work over the past year and prospective collaboration over the next year were had.

    JPCERT/CC was involved in 3 different presentations at the conference and I would like to take the time to briefly introduce each of them.

    First, Yurie's presentation was titled, "A Proposal for Cybersecurity Metrics Through Cyber Green". Cyber Green, currently led by JPCERT/CC, is a project that aims to measure the health of the Internet by aggregating data sets of key risk factors, enabling comparisons over time and around the world, in order to identify what can be improved to make the Internet a better place. The presentation centered around the overview of the project, along with some details on the methods as to how the data is collected, analyzed and shown.

    I was a co-presenter in a talk titled, "VRDX-SIG: Global Vulnerability Identification" along with Mr. Art Manion of CERT Coordination Center (CERT/CC) and Dr. Masato Terada of the Hitachi Incident Response Team (HIRT). The FIRST VRDX-SIG (Vulnerability Reporting and Data eXchange Special Interest Group) was chartered in 2013 to study existing practices on how vulnerabilities are identified, tracked and exchanged, and to develop recommendations on how to better the existing practices across disparate vulnerability databases (including Vulnerability Notes Database by CERT/CC, Japan Vulnerability Notes (JVN) by JPCERT/CC and Information-technology Promotion Agency, Japan (IPA), Open Sourced Vulnerability Database (OSVDB) and other vendor security advisories). This talk presented results of the work of the VRDX-SIG, including the creation of a vulnerability database catalog and some findings about vulnerability identification and tracking.

    The last presentation that JPCERT/CC was involved in was a presentation by Hiroshi titled, "Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites". He first talked about some noteworthy features of defaced websites reported to JPCERT/CC, and then introduced a tool called "ChkDeface", developed and implemented at JPCERT/CC, to collect various information on the defaced websites through a secure and efficient monitoring method. JPCERT/CC is planning to share the source code of this tool with some CSIRTs in the FIRST community, and eventually to open source the tool so that it can be practically utilized to trigger deeper discussion among security experts about more precise detection methods ― so here's hoping for a follow-up blog entry when that happens.

    JPCERT/CC was a part of a few working groups as well, including the Energy-SIG, Vulnerability Coordination-SIG and CVSS-BoF in addition to the aforementioned VRDX-SIG. While I am unable to provide any insight about what was actually discussed, I believe that the work being done is worthwhile and when there is any output provided, I hope to notify through this blog or some other forms of communication.

    Lastly, Berlin was a wonderful city, a little colder than I had expected, and hope to create a chance to visit again.

    That's all for today.

    Thank you for reading.


    (Photo by Hiroshi Kobayashi)

    - Takayuki (Taki) Uchiyama

    Jun 30, 2015

    APWG eCrime 2015 and Phishing Trends in Japan

    Hola!  This is Shoko from Incident Response Team.  Last month I attended the APWG eCrime 2015, held from May 26-29 in Barcelona – the cosmopolitan capital of Spain’s Catalonia region, defined by quirky art and architecture, imaginative cuisine and siesta.

    Today, I’d like to share an overview of the APWG eCrime 2015 and my presentation there on “Phishing Trends in Japan.”

    About APWG and APWG eCrime 2015

    You may well know that APWG, founded in 2003 as the Anti-Phishing Working Group, is the global coalition of industry, government and law-enforcement sectors, focused on unifying the global response to cybercrime.  APWG provides a forum to discuss phishing and cybercrime issues, to consider potential technology solutions, and more, with over 2,000 institutions participating worldwide.

    The APWG eCrime (Symposium on Electronic Crime Research) 2015 is one of APWG’s rotation of global meetings, held in Europe this time, bringing together a variety of participants from the law enforcement, financial institutions, security vendors, CSIRTs and more.

    At the event, I joined a panel session focusing on cybercrime trends from APWG members around the globe, namely from MyCERT, CERT.br and CNNIC, and presented on Japanese phishing trends in 2014.

    Phishing Trends in Japan

    The following graph shows the number of phishing incidents reported to JPCERT/CC since 2012.

    Figure 1: Trend of phishing sites observed at JPCERT/CC

    The red block shows the number of overseas brand phishing sites (phishing sites spoofing overseas brand websites), and the blue block shows the number of Japanese brand phishing sites (phishing sites spoofing Japanese brand websites).

    The number of overseas brand phishing sites has always been observed at a certain level, but what is interesting is that the number of Japanese brand phishing sites showed a sharp spike at the end of 2013, and then dropped significantly in August 2014.  There could be several reasons for this, but one noteworthy event is that in November 2014, the Japanese police arrested cyber criminals who had illegally set up malicious infrastructures for phishing purposes.  We assume that the timing of their investigation (prior to the arrest), had some relation to the sudden drop of phishing incidents reported to JPCERT/CC.  At that time, we also worked closely with relevant ISPs to investigate the case, and provided information to relevant parties from a technical standpoint.  This case was also covered in the National Police Agency’s presentation during APWG eCrime 2015. 

    The following graphs show the top categories for overseas and Japanese brand phishing sites.

    Figure 2: Industry breakdown of overseas brand phishing
    Figure 3: Industry breakdown of Japanese brand phishing

    The top category for both is Financial, but interestingly, Gaming comes second for Japanese brand phishing sites.  This could be one unique observation in Japan, as one of the famous gaming superpowers.

    In Summary

    The APWG eCrime 2015 was a significant place to strengthen collaboration among persons/organizations pursing the same goal, and to have productive and lively conversations.  Throughout this experience, I strongly reconfirmed the importance of close collaboration among relevant parties, which is the key to combat against cyber incidents and criminals.

    Well, of course it was Barcelona – Iberian pork and black paella were wonderful, but I would like to add that “agua con gas” (sparkling water) was also good!

    Thank you for reading my post.


    - Shoko Nakai

    Nov 08, 2013

    Information Security Incident Management Standard under Revision

    Hi, it's Masaki Kubo. I’ve just returned from my trip to Incheon, Korea, where we had an ISO/IEC JTC 1/SC 27 meeting on standardization of IT security techniques. JPCERT/CC has been engaged in this standardization effort through the Japanese national body over the past years, and I participated particularly in the revision work of ISO/IEC 27035:2011 on information security incident management.

    ISO/IEC 27035:2011 was published in 2011 and right after its publication, it was called for the so-called "early revision" [1]. Now the experts have divided the document into 3 parts for review:

    - 27035 Part 1:
        Principles of incident management

    - 27035 Part 2:
        Guidelines to plan and prepare for incident response

    - 27035 Part 3:
        Guidelines for incident response operations

    All 3 parts are now in the 3rd Working Draft (WD) stage, and it was just agreed to go into the 4th stage. Since the WD documents are not official ISO documents yet, we still have the right to propose amendments to them. If the documents pass the 4th WD stage, they will then be proceeded to the 1st Committee Draft (CD) [2].

    27035 Part 1 inherits most of the text from the published standard 27035:2011 and is summarized to address only the principles: what is incident management, what steps should be taken to prepare for incidents and to respond to them, etc. Because this part gives the overall structure for 27035 Part 2 and 3, it should be well elaborated, and in this sense, I think it has achieved good maturity for the 3rd WD stage. Incident management phases mentioned in 27035 Part 1 include the following 6 phases:

        - Plan and Prepare
        - Detection and Reporting
        - Assessment and Decision
        - Responses
        - Post Incident Activity
        - Lessons Learnt

    27035 Part 2 gives guidelines to prepare for incidents. Japan contributed several comments to restructure the overall document, which were well accepted by the editor. Now the structure of Part 2 is in sync with the incident management phases referred to in Part 1. Topics covered in this part include:

        - Establishing information security incident management policy
        - Creating information security incident management scheme.
        - Establishing an Incident Response Team (IRT)
        - Defining technical and other support
        - Creating information security incident awareness and training
        - Testing the information security incident management scheme
        - Lessons Learnt

    Although the structure of the document is getting in better shape, it requires more body text, thus we are seeking for more contribution from the national bodies.

    27035 Part 3 gives a guideline for incident handling operations. This is an operational guideline and the current discussion may not be neutral enough for an ISO document. Also, it still lacks the structure that draws ease of comprehension. However, the overall text is improving and I hope it will settle better before we move on to the CD stage.

    There already exists several best practice guides on incident management, and you may question why another one from ISO. One way to answer is we have standardization projects in SC 27/WG 4 around incidents such as digital forensics, data storage security, SIEM, etc., and cannot omit incident management. Another way to answer is there are people who wish to refer to neutral, standardized guidelines, and ISO is the place to offer them.

    JPCERT/CC wishes to continue making contribution to this project, so that the standardization will be in consistency with the practice of the CSIRT community.

    Last but not least, FIRST (Forum of Incident Response and Security Teams) has also established a liaison relationship with ISO/IEC JTC 1/SC 27. If you are a FIRST Member and would like to contribute to this project, please visit FIRST’s website on ISO Activities for further information. Even if you are not a FIRST Member, there are several ways you can submit your comments to ISO:

    - Your organization may have a person who is already involved in the standardization effort so you can work with that person.

    - You can work with your national standardization body.

    Whichever avenue you choose to use, your contribution will be much appreciated.

    - Masaki Kubo

    [1] According to the standard procedure, all international standards are reviewed at least every five years.

    [2] After going through the CD, the documents will go to the Draft International Standard (DIS) stage, and then to the Final Draft International Standard (FDIS) stage, which then finally become issued as official ISO documents.