…up-4127 [7] TG-4127 [7] Forest Blizzard [25] FROZENLAKE [26] GruesomeLarch [27] Campaigns ID Name First Seen Last Seen References Techniques C0051 APT28 Nearest Neighbor Campaign February 2022 [27] November 2024 [27] APT28 Nearest Neighbor Campaign was conducted by APT28 from ear…
…nd executes PowerShell scripts and performs PowerShell commands. [14] [15] [16] C0051 APT28 Nearest Neighbor Campaign During APT28 Nearest Neighbor Campaign , APT28 used PowerShell cmdlet Get-ChildItem to access credentials, among other PowerShell functions deployed. [17] G0016 A…
…dhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. Faou, M. (2019, Ma…
…16, 2016. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019. Bullock, B. (2018…
…s: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. Cristian Souza, Eduardo Ovalle, Ashley …
…pril 2025 Procedure Examples ID Name Description C0051 APT28 Nearest Neighbor Campaign During APT28 Nearest Neighbor Campaign, APT28 added rules to a victim's Windows firewall to set up a series of port-forwards allowing traffic to target systems. [5…
…er 26, 2024. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. MSTIC, C…
….exe utility to export the Active Directory database for credential access. [3] C0051 APT28 Nearest Neighbor Campaign During APT28 Nearest Neighbor Campaign, APT28 dumped NTDS.dit by creating volume shadow copies via vssadmin. [4] G0096 APT41 APT41 used ntdsutil to obtain a co…
… [5] G0006 APT1 The APT1 group is known to have used RDP during operations. [6] C0051 APT28 Nearest Neighbor Campaign During APT28 Nearest Neighbor Campaign, APT28 used RDP for lateral movement. [7] G0022 APT3 APT3 enables the Remote Desktop Protocol for persistence. [8] APT3 has …