Command and Scripting Interpreter: PowerShell, Sub-technique T1059.001 - Enterprise | MITRE ATT&CK®

Command and Scripting Interpreter: PowerShell, Sub-technique T1059.001 - Enterprise | MITRE ATT&CK®
Currently viewing
ATT&CK v17.1
which was live between April 22, 2025 and October 27, 2025.
Learn more about the versioning system
or
see the live site
Techniques
Enterprise
Command and Scripting Interpreter
PowerShell
Command and Scripting Interpreter:
PowerShell
Other sub-techniques of Command and Scripting Interpreter (12)
ID
Name
T1059.001
PowerShell
T1059.002
AppleScript
T1059.003
Windows Command Shell
T1059.004
Unix Shell
T1059.005
Visual Basic
T1059.006
Python
T1059.007
JavaScript
T1059.008
Network Device CLI
T1059.009
Cloud API
T1059.010
AutoHotKey & AutoIT
T1059.011
Lua
T1059.012
Hypervisor CLI
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.
[1]
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the
Start-Process
cmdlet which can be used to run an executable and the
Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including
Empire
PowerSploit
PoshC2
, and PSAttack.
[2]
PowerShell commands/scripts can also be executed without directly invoking the
powershell.exe
binary through interfaces to PowerShell's underlying
System.Management.Automation
assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).
[3]
[4]
[5]
ID:
T1059.001
Sub-technique of:
T1059
Tactic:
Execution
Platforms:
Windows
Contributors:
Mayuresh Dani, Qualys; Praetorian; Ross Brittain
Version:
1.5
Created:
09 March 2020
Last Modified:
15 April 2025
Version Permalink
Live Version
Procedure Examples
ID
Name
Description
C0025
2016 Ukraine Electric Power Attack
During the
2016 Ukraine Electric Power Attack
Sandworm Team
used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.
[6]
C0034
2022 Ukraine Electric Power Attack
During the
2022 Ukraine Electric Power Attack
Sandworm Team
utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.
[7]
S0677
AADInternals
AADInternals
is written and executed via PowerShell.
[8]
S1129
Akira
Akira
will execute PowerShell commands to delete system volume shadow copies.
[9]
[10]
G1024
Akira
Akira
has used PowerShell scripts for credential harvesting and privilege escalation.
[11]
S0622
AppleSeed
AppleSeed
has the ability to execute its payload via PowerShell.
[12]
G0073
APT19
APT19
used PowerShell commands to execute payloads.
[13]
G0007
APT28
APT28
downloads and executes PowerShell scripts and performs PowerShell commands.
[14]
[15]
[16]
C0051
APT28 Nearest Neighbor Campaign
During
APT28 Nearest Neighbor Campaign
APT28
used PowerShell cmdlet
Get-ChildItem
to access credentials, among other PowerShell functions deployed.
[17]
G0016
APT29
APT29
has used encoded PowerShell scripts uploaded to
CozyCar
installations to download and install
SeaDuke
[18]
[19]
[20]
[21]
G0022
APT3
APT3
has used PowerShell on victim systems to download and run payloads after exploitation.
[22]
G0050
APT32
APT32
has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.
[23]
[24]
[25]
G0064
APT33
APT33
has utilized PowerShell to download files from the C2 server and run various scripts.
[26]
[27]
G0082
APT38
APT38
has used PowerShell to execute commands and other operational tasks.
[28]
G0087
APT39
APT39
has used PowerShell to execute malicious code.
[29]
[30]
G0096
APT41
APT41
leveraged PowerShell to deploy malware families in victims’ environments.
[31]
[32]
G1044
APT42
APT42
has downloaded and executed PowerShell payloads.
[33]
G1023
APT5
APT5
has used PowerShell to accomplish tasks within targeted environments.
[34]
G0143
Aquatic Panda
Aquatic Panda
has downloaded additional scripts and executed Base64 encoded commands in PowerShell.
[35]
S0129
AutoIt backdoor
AutoIt backdoor
downloads a PowerShell script that decodes to a typical shellcode loader.
[36]
S1081
BADHATCH
BADHATCH
can utilize
powershell.exe
to execute commands on a compromised host.
[37]
[38]
S0234
Bandook
Bandook
has used PowerShell loaders as part of execution.
[39]
S0534
Bazar
Bazar
can execute a PowerShell script received from C2.
[40]
[41]
S1070
Black Basta
Black Basta
has used PowerShell scripts for discovery and to execute files over the network.
[42]
[43]
[44]
G1043
BlackByte
BlackByte
used encoded PowerShell commands during operations.
[45]
BlackByte
has used remote PowerShell commands in victim networks.
[46]
S0521
BloodHound
BloodHound
can use PowerShell to pull Active Directory information from the target environment.
[47]
G0108
Blue Mockingbird
Blue Mockingbird
has used PowerShell reverse TCP shells to issue interactive commands over a network connection.
[48]
S0360
BONDUPDATER
BONDUPDATER
is written in PowerShell.
[49]
[50]
G0060
BRONZE BUTLER
BRONZE BUTLER
has used PowerShell for execution.
[51]
S1039
Bumblebee
Bumblebee
can use PowerShell for execution.
[52]
C0018
C0018
During
C0018
, the threat actors used encoded PowerShell scripts for execution.
[53]
[54]
C0021
C0021
During
C0021
, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.
[55]
[56]
C0032
C0032
During the
C0032
campaign,
TEMP.Veles
used PowerShell to perform timestomping.
[57]
S0674
CharmPower
CharmPower
can use PowerShell for payload execution and C2 communication.
[58]
G0114
Chimera
Chimera
has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.
[59]
[60]
S1149
CHIMNEYSWEEP
CHIMNEYSWEEP
can invoke the PowerShell command
[Reflection.Assembly]::LoadFile(\"%s\")\n$i=\"\"\n$r=[%s]::%s(\"%s\",[ref] $i)\necho $r,$i\n
to execute secondary payloads.
[61]
G1021
Cinnamon Tempest
Cinnamon Tempest
has used PowerShell to communicate with C2, download files, and execute reconnaissance commands.
[62]
S0660
Clambling
The
Clambling
dropper can use PowerShell to download the malware.
[63]
G0080
Cobalt Group
Cobalt Group
has used powershell.exe to download and execute scripts.
[64]
[65]
[66]
[67]
[68]
[69]
S0154
Cobalt Strike
Cobalt Strike
can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.
[70]
[71]
Cobalt Strike
can also use
PowerSploit
and other scripting frameworks to perform execution.
[72]
[73]
[74]
[75]
S0126
ComRAT
ComRAT
has used PowerShell to load itself every time a user logs in to the system.
ComRAT
can execute PowerShell scripts loaded into memory or from the file system.
[76]
[77]
G0142
Confucius
Confucius
has used PowerShell to execute malicious files and payloads.
[78]
S0591
ConnectWise
ConnectWise
can be used to execute PowerShell commands on target machines.
[79]
G0052
CopyKittens
CopyKittens
has used PowerShell Empire.
[80]
S1155
Covenant
Covenant
can create PowerShell-based launchers for Grunt installation.
[81]
S0488
CrackMapExec
CrackMapExec
can execute PowerShell commands via WMI.
[82]
S1023
CreepyDrive
CreepyDrive
can use Powershell for execution, including the cmdlets
Invoke-WebRequest
and
Invoke-Expression
[83]
S1024
CreepySnail
CreepySnail
can use PowerShell for execution, including the cmdlets
Invoke-WebRequst
and
Invoke-Expression
[83]
S0625
Cuba
Cuba
has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.
[84]
G1012
CURIUM
CURIUM
has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.
[85]
G1034
Daggerfly
Daggerfly
used PowerShell to download and execute remote-hosted files on victim systems.
[86]
S1111
DarkGate
DarkGate
has used PowerShell to create a remote shell.
[87]
G0079
DarkHydrus
DarkHydrus
leveraged PowerShell to download and execute additional scripts for execution.
[88]
[89]
G0105
DarkVishnya
DarkVishnya
used PowerShell to create shellcode loaders.
[90]
S0673
DarkWatchman
DarkWatchman
can execute PowerShell commands and has used PowerShell to execute a keylogger.
[91]
G0009
Deep Panda
Deep Panda
has used PowerShell scripts to download and execute programs in memory, without writing to disk.
[92]
S0354
Denis
Denis
has a version written in PowerShell.
[25]
S0695
Donut
Donut
can generate shellcode outputs that execute via PowerShell.
[93]
S0186
DownPaper
DownPaper
uses PowerShell for execution.
[94]
G0035
Dragonfly
Dragonfly
has used PowerShell scripts for execution.
[95]
[96]
G1006
Earth Lusca
Earth Lusca
has used PowerShell to execute commands.
[97]
S0554
Egregor
Egregor
has used an encoded PowerShell command by a service created by
Cobalt Strike
for lateral movement.
[98]
G1003
Ember Bear
Ember Bear
has used PowerShell commands to gather information from compromised systems, such as email servers.
[99]
S0367
Emotet
Emotet
has used Powershell to retrieve the malicious payload and download additional resources like
Mimikatz
[100]
[101]
[102]
[103]
[104]
S0363
Empire
Empire
leverages PowerShell for the majority of its client-side agent tasks.
Empire
also contains the ability to conduct PowerShell remoting with the
Invoke-PSRemoting
module.
[105]
[106]
S0512
FatDuke
FatDuke
has the ability to execute PowerShell scripts.
[107]
S0679
Ferocious
Ferocious
can use PowerShell scripts for execution.
[108]
G0051
FIN10
FIN10
uses PowerShell for execution as well as PowerShell Empire to establish persistence.
[109]
[105]
G1016
FIN13
FIN13
has used PowerShell commands to obtain DNS data from a compromised network.
[110]
G0037
FIN6
FIN6
has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.
[111]
[112]
[113]
G0046
FIN7
FIN7
used a PowerShell script to launch shellcode that retrieved an additional payload.
[114]
[115]
[116]
[117]
G0061
FIN8
FIN8
's malicious spearphishing payloads are executed as
PowerShell
FIN8
has also used
PowerShell
for lateral movement and credential access.
[118]
[119]
[120]
[121]
S0381
FlawedAmmyy
FlawedAmmyy
has used PowerShell to execute commands.
[122]
G0117
Fox Kitten
Fox Kitten
has used PowerShell scripts to access credential data.
[123]
C0001
Frankenstein
During
Frankenstein
, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.
[124]
G0093
GALLIUM
GALLIUM
used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.
[125]
G0084
Gallmaker
Gallmaker
used PowerShell to download additional payloads and for execution.
[126]
G0047
Gamaredon Group
Gamaredon Group
has used obfuscated PowerShell scripts for staging.
[127]
S1117
GLASSTOKEN
GLASSTOKEN
can use PowerShell for command execution.
[128]
G0115
GOLD SOUTHFIELD
GOLD SOUTHFIELD
has staged and executed PowerShell scripts on compromised hosts.
[129]
S1138
Gootloader
Gootloader
can use an encoded PowerShell stager to write to the Registry for persistence.
[130]
[131]
G0078
Gorgon Group
Gorgon Group
malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.
[132]
S0417
GRIFFON
GRIFFON
has used PowerShell to execute the Meterpreter downloader TinyMet.
[133]
G0125
HAFNIUM
HAFNIUM
has used the Exchange Power Shell module
Set-OabVirtualDirectoryPowerShell
to export mailbox data.
[134]
[135]
S0151
HALFBAKED
HALFBAKED
can execute PowerShell scripts.
[114]
S0037
HAMMERTOSS
HAMMERTOSS
is known to use PowerShell.
[136]
S0499
Hancitor
Hancitor
has used PowerShell to execute commands.
[137]
S0170
Helminth
One version of
Helminth
uses a PowerShell script.
[138]
G1001
HEXANE
HEXANE
has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.
[139]
[140]
[141]
C0038
HomeLand Justice
During
HomeLand Justice
, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.
[142]
[143]
G0100
Inception
Inception
has used PowerShell to execute malicious commands and payloads.
[144]
[145]
G0119
Indrik Spider
Indrik Spider
has used PowerShell
Empire
for execution of malware.
[146]
[147]
S1132
IPsec Helper
IPsec Helper
can run arbitrary PowerShell commands passed to it.
[148]
S0389
JCry
JCry
has used PowerShell to execute payloads.
[149]
S0648
JSS Loader
JSS Loader
has the ability to download and execute PowerShell scripts.
[150]
C0044
Juicy Mix
During
Juicy Mix
OilRig
used a PowerShell script to steal credentials.
[151]
S0387
KeyBoy
KeyBoy
uses PowerShell commands to download and execute payloads.
[152]
S0526
KGH_SPY
KGH_SPY
can execute PowerShell commands on the victim's machine.
[153]
G0094
Kimsuky
Kimsuky
has executed a variety of PowerShell scripts including Invoke-Mimikatz.
[154]
[155]
[156]
[157]
[158]
S0250
Koadic
Koadic
has used PowerShell to establish persistence.
[159]
S0669
KOCTOPUS
KOCTOPUS
has used PowerShell commands to download additional files.
[159]
S0356
KONNI
KONNI
used PowerShell to download and execute a specific 64-bit version of the malware.
[160]
[161]
G0032
Lazarus Group
Lazarus Group
has used PowerShell to execute commands and malicious code.
[162]
G0140
LazyScripter
LazyScripter
has used PowerShell scripts to execute malicious code.
[159]
G0065
Leviathan
Leviathan
has used PowerShell for execution.
[163]
[164]
[165]
[166]
S0680
LitePower
LitePower
can use a PowerShell script to execute commands.
[108]
S0681
Lizar
Lizar
has used PowerShell scripts.
[167]
S1199
LockBit 2.0
LockBit 2.0
can use the PowerShell module
InvokeGPUpdate
to modify Group Policy.
[168]
[169]
S1202
LockBit 3.0
LockBit 3.0
can use PowerShell to apply Group Policy changes.
[170]
S0447
Lokibot
Lokibot
has used PowerShell commands embedded inside batch scripts.
[171]
S1213
Lumma Stealer
Lumma Stealer
has used PowerShell for initial user execution and other fuctions.
[172]
[173]
[174]
[175]
S1141
LunarWeb
LunarWeb
has the ability to run shell commands via PowerShell.
[176]
S1060
Mafalda
Mafalda
can execute PowerShell commands on a compromised machine.
[177]
G0059
Magic Hound
Magic Hound
has used PowerShell for execution and privilege escalation.
[178]
[179]
[180]
[181]
[182]
G0045
menuPass
menuPass
uses
PowerSploit
to inject shellcode into PowerShell.
[183]
[184]
S0688
Meteor
Meteor
can use PowerShell commands to disable the network adapters on a victim machines.
[185]
S0553
MoleNet
MoleNet
can use PowerShell to set persistence.
[186]
G0021
Molerats
Molerats
used PowerShell implants on target machines.
[187]
S0256
Mosquito
Mosquito
can launch PowerShell Scripts.
[188]
G1019
MoustachedBouncer
MoustachedBouncer
has used plugins to execute PowerShell scripts.
[189]
G0069
MuddyWater
MuddyWater
has used PowerShell for execution.
[190]
[191]
[192]
[193]
[194]
[195]
[196]
[197]
[198]
[199]
G0129
Mustang Panda
Mustang Panda
has used malicious PowerShell scripts to enable execution.
[200]
[201]
S0457
Netwalker
Netwalker
has been written in PowerShell and executed directly in memory, avoiding detection.
[202]
[203]
S0198
NETWIRE
The
NETWIRE
binary has been executed via PowerShell script.
[204]
S0385
njRAT
njRAT
has executed PowerShell commands via auto-run registry key persistence.
[205]
G0133
Nomadic Octopus
Nomadic Octopus
has used PowerShell for execution.
[206]
G0049
OilRig
OilRig
has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.
[49]
[207]
[208]
[209]
C0022
Operation Dream Job
During
Operation Dream Job
Lazarus Group
used PowerShell commands to explore the environment of compromised victims.
[210]
C0014
Operation Wocao
During
Operation Wocao
, threat actors used PowerShell on compromised systems.
[211]
S0352
OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D
uses PowerShell scripts.
[212]
G0040
Patchwork
Patchwork
used
PowerSploit
to download payloads, run a reverse shell, and execute malware on the victim's machine.
[213]
[214]
C0036
Pikabot Distribution February 2024
Pikabot Distribution February 2024
passed execution from obfuscated JavaScript files to PowerShell scripts to download and install
Pikabot
[215]
S0517
Pillowmint
Pillowmint
has used a PowerShell script to install a shim database.
[216]
G1040
Play
Play
has used Base64-encoded PowerShell scripts to disable Microsoft Defender.
[217]
G0033
Poseidon Group
The
Poseidon Group
's Information Gathering Tool (IGT) includes PowerShell components.
[218]
S0150
POSHSPY
POSHSPY
uses PowerShell to execute various commands, one to execute its payload.
[219]
S1173
PowerExchange
PowerExchange
can use PowerShell to execute commands received from C2.
[220]
S1012
PowerLess
PowerLess
is written in and executed via PowerShell without using powershell.exe.
[221]
S0685
PowerPunch
PowerPunch
has the ability to execute through PowerShell.
[127]
S0441
PowerShower
PowerShower
is a backdoor written in PowerShell.
[144]
S0145
POWERSOURCE
POWERSOURCE
is a PowerShell backdoor.
[222]
[223]
S0194
PowerSploit
PowerSploit
modules are written in and executed via
PowerShell
[224]
[225]
S0393
PowerStallion
PowerStallion
uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.
[226]
S0223
POWERSTATS
POWERSTATS
uses PowerShell for obfuscation and execution.
[227]
[194]
[228]
[198]
S0371
POWERTON
POWERTON
is written in PowerShell.
[229]
S1046
PowGoop
PowGoop
has the ability to use PowerShell scripts to execute commands.
[198]
S0184
POWRUNER
POWRUNER
is written in PowerShell.
[49]
S1058
Prestige
Prestige
can use PowerShell for payload execution on targeted systems.
[230]
S0613
PS1
PS1
can utilize a PowerShell loader.
[231]
S0196
PUNCHBUGGY
PUNCHBUGGY
has used
PowerShell
scripts.
[232]
S0192
Pupy
Pupy
has a module for loading and executing PowerShell scripts.
[233]
S1032
PyDCrypt
PyDCrypt
has attempted to execute with PowerShell.
[234]
S0583
Pysa
Pysa
has used Powershell scripts to deploy its ransomware.
[235]
S0650
QakBot
QakBot
can use PowerShell to download and execute payloads.
[236]
S0269
QUADAGENT
QUADAGENT
uses PowerShell scripts for execution.
[237]
S1212
RansomHub
RansomHub
can use PowerShell to delete volume shadow copies.
[238]
S0241
RATANKBA
There is a variant of
RATANKBA
that uses a PowerShell script instead of the traditional PE form.
[239]
[240]
G1039
RedCurl
RedCurl
has used PowerShell to execute commands and to download malware.
[241]
[242]
[243]
C0047
RedDelta Modified PlugX Infection Chain Operations
Mustang Panda
used LNK files to execute PowerShell commands leading to eventual
PlugX
installation during
RedDelta Modified PlugX Infection Chain Operations
[244]
S0511
RegDuke
RegDuke
can extract and execute PowerShell scripts from C2 communications.
[107]
S0379
Revenge RAT
Revenge RAT
uses the PowerShell command
Reflection.Assembly
to load itself into memory to aid in execution.
[245]
S0496
REvil
REvil
has used PowerShell to delete volume shadow copies and download files.
[246]
[247]
[248]
[249]
S0270
RogueRobin
RogueRobin
uses a command prompt to run a PowerShell script from Excel.
[88]
To assist in establishing persistence,
RogueRobin
creates
%APPDATA%\OneDrive.bat
and saves the following string to it:
powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1"
[250]
[88]
G1031
Saint Bear
Saint Bear
relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads.
[251]
S1018
Saint Bot
Saint Bot
has used PowerShell for execution.
[251]
G0034
Sandworm Team
Sandworm Team
has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.
[252]
[6]
S1085
Sardonic
Sardonic
has the ability to execute PowerShell commands on a compromised machine.
[253]
S0053
SeaDuke
SeaDuke
uses a module to execute Mimikatz with PowerShell to perform
Pass the Ticket
[18]
S0382
ServHelper
ServHelper
has the ability to execute a PowerShell script to get information from the infected host.
[254]
S0546
SharpStage
SharpStage
can execute arbitrary commands with PowerShell.
[186]
[255]
S0450
SHARPSTATS
SHARPSTATS
has the ability to employ a custom PowerShell script.
[228]
S1178
ShrinkLocker
ShrinkLocker
uses PowerShell to disable protectors used to secure the BitLocker encryption key on victim machines and then delete the key from the system.
[256]
G0121
Sidewinder
Sidewinder
has used PowerShell to drop and execute malware loaders.
[257]
G0091
Silence
Silence
has used PowerShell to download and execute payloads.
[258]
[259]
S0692
SILENTTRINITY
SILENTTRINITY
can use PowerShell to execute commands.
[260]
S0633
Sliver
Sliver
has built-in functionality to launch a Powershell command prompt.
[261]
S0649
SMOKEDHAM
SMOKEDHAM
can execute Powershell commands sent from its C2 server.
[262]
S1086
Snip3
Snip3
can use a PowerShell script for second-stage execution.
[263]
[264]
S0273
Socksbot
Socksbot
can write and execute PowerShell scripts.
[214]
C0024
SolarWinds Compromise
During the
SolarWinds Compromise
APT29
used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.
[265]
[266]
[267]
S1140
Spica
Spica
can use an obfuscated PowerShell command to create a scheduled task for persistence.
[268]
S0390
SQLRat
SQLRat
has used PowerShell to create a Meterpreter session.
[269]
S1030
Squirrelwaffle
Squirrelwaffle
has used PowerShell to execute its payload.
[270]
[271]
G0038
Stealth Falcon
Stealth Falcon
malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.
[272]
G1046
Storm-1811
Storm-1811
has used PowerShell for multiple purposes, such as using PowerShell scripts executing in an infinite loop to create an SSH connection to a command and control server.
[273]
S1183
StrelaStealer
StrelaStealer
variants have used PowerShell scripts to download or drop payloads, including obfuscated variants to connect to a WebDAV server to download and executed an encrypted DLL for installation.
[274]
S0491
StrongPity
StrongPity
can use PowerShell to add files to the Windows Defender exclusions list.
[275]
G1018
TA2541
TA2541
has used PowerShell to download files and to inject into various Windows processes.
[276]
G0062
TA459
TA459
has used PowerShell for execution of a payload.
[277]
G0092
TA505
TA505
has used PowerShell to download and execute malware and reconnaissance scripts.
[278]
[279]
[280]
[281]
S1193
TAMECAT
TAMECAT
has used PowerShell to download and run additional content.
[282]
G0139
TeamTNT
TeamTNT
has executed PowerShell commands in batch scripts.
[283]
G0027
Threat Group-3390
Threat Group-3390
has used PowerShell for execution.
[284]
[63]
G0076
Thrip
Thrip
leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.
[285]
G1022
ToddyCat
ToddyCat
has used Powershell scripts to perform post exploit collection.
[286]
G0131
Tonto Team
Tonto Team
has used PowerShell to download additional payloads.
[287]
S1201
TRANSLATEXT
TRANSLATEXT
has used PowerShell to collect system information and to upload the collected data to a Github repository.
[288]
S0266
TrickBot
TrickBot
has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.
[289]
C0030
Triton Safety Instrumented System Attack
In the
Triton Safety Instrumented System Attack
TEMP.Veles
used a publicly available PowerShell-based tool, WMImplant.
[290]
S1196
Troll Stealer
Troll Stealer
creates and executes a PowerShell script to delete itself.
[291]
G0010
Turla
Turla
has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from
Empire
's PSInject.
[292]
[226]
[293]
Turla
has also used PowerShell scripts to load and execute malware in memory.
S0386
Ursnif
Ursnif
droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.
[294]
S0476
Valak
Valak
has used PowerShell to download additional modules.
[295]
G1017
Volt Typhoon
Volt Typhoon
has used PowerShell including for remote system discovery.
[296]
[297]
[298]
S0670
WarzoneRAT
WarzoneRAT
can use PowerShell to download files and execute commands.
[299]
[300]
S0514
WellMess
WellMess
can execute PowerShell scripts received from C2.
[301]
[302]
S0689
WhisperGate
WhisperGate
can use PowerShell to support multiple actions including execution and defense evasion.
[303]
[304]
[305]
G1035
Winter Vivern
Winter Vivern
passed execution from document macros to PowerShell scripts during initial access operations.
[306]
Winter Vivern
used batch scripts that called PowerShell commands as part of initial access and installation operations.
[307]
G0090
WIRTE
WIRTE
has used PowerShell for script execution.
[308]
G0102
Wizard Spider
Wizard Spider
has used macros to execute PowerShell scripts to download malware on victim's machines.
[309]
It has also used PowerShell to execute commands and move laterally through a victim network.
[310]
[311]
[312]
[313]
S1065
Woody RAT
Woody RAT
can execute PowerShell commands and scripts with the use of .NET DLL,
WoodyPowerSession
[314]
S0341
Xbash
Xbash
can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.
[315]
S1151
ZeroCleare
ZeroCleare
can use a malicious PowerShell script to bypass Windows controls.
[316]
S0330
Zeus Panda
Zeus Panda
uses PowerShell to download and execute the payload.
[317]
Mitigations
ID
Mitigation
Description
M1049
Antivirus/Antimalware
Anti-virus can be used to automatically quarantine suspicious files.
M1045
Code Signing
Set PowerShell execution policy to execute only signed scripts.
M1042
Disable or Remove Feature or Program
It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.
Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
M1038
Execution Prevention
Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g.,
Add-Type
).
[318]
M1026
Privileged Account Management
When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.
[319]
PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.
[320]
Detection
ID
Data Source
Data Component
Detects
DS0017
Command
Command Execution
If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations).
[321]
PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.
[322]
An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.
PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe
For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \ creates a remote PowerShell session.
Analytic 1 - Look for unusual PowerShell execution.
sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational| search EventCode=4104| eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")| where suspicious_cmds="Yes"
DS0011
Module
Module Load
Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).
[3]
[4]
Analytic 1 - Processes loading PowerShell assemblies
sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\System.Management.Automation.dll", "C:\Windows\System32\powershell.exe")
DS0009
Process
Process Creation
Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.
Powershell can be used to hide monitored command line execution such as:
net usesc start
Note: - The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.- The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.
Analytic 1 - Non-interactive Powershell Sessions
(source="
WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="
WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"
Analytic 2 - Remote Powershell Sessions
(source="
WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="
WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"
Analytic 3 - Powershell Execution
(source="
WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\
\powershell.exe" ParentImage!="C:\Windows\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName
Process Metadata
Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the
EngineVersion
field (which may also be relevant to detecting a potential
Downgrade Attack
) as well as if PowerShell is running locally or remotely in the
HostName
field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.
[323]
DS0012
Script
Script Execution
Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Analytic 1 - Script Block Logging Events
(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104" AND Image="powershell.exe" AND (CommandLine="-enc
" OR CommandLine="
-ep bypass
" OR CommandLine="
-noni*")
References
Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
Haight, J. (2016, April 21). PS>Attack. Retrieved September 27, 2024.
Warner, J.. (2015, January 6). Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.
Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.
Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
Symantec Threat Hunter Team. (2019, September 18). Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks. Retrieved May 20, 2024.
Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024.
Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
GReAT . (2021, April 27). APT trends report Q1 2021. Retrieved June 6, 2022.
Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025.
Cybereaon Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.
FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024..
Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.
CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023.
Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved September 12, 2024.
Microsoft. (2022, November 17). Just Enough Administration. Retrieved March 27, 2023.
Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.
Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.