…19 also used an HTTP malware variant to communicate over HTTP for C2. [10] [11] G0007 APT28 Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration. [12] [13] G0016 APT29 APT29 has used…
…rformed a watering hole attack on forbes.com in 2014 to compromise targets. [7] G0007 APT28 APT28 has compromised targets via strategic web compromise utilizing custom exploit kits. [8] APT28 used reflected cross-site scripting (XSS) against government websites to redirect users …
…098.006 Additional Container Cluster Roles T1098.007 Additional Local or Domain Groups Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission PowerShell cmdlet, available in…
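The Add-MailboxPermission grant named above, shown from both sides as an added example (this is not code from the ATT&CK page): the cmdlet an adversary runs to give a controlled account full access to a victim mailbox, and the audit an Exchange administrator can run to find such grants. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session; every mailbox, account and window size below is a hypothetical placeholder.

```powershell
# Added example, not from the ATT&CK page. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline). All mailbox and account names are hypothetical.

# --- Adversary side (T1098.002): persistent read access to a victim mailbox.
# Add-MailboxPermission -Identity 'cfo@example.com' -User 'svc-backup@example.com' `
#     -AccessRights FullAccess -InheritanceType All -AutoMapping:$false
# -AutoMapping:$false stops the mailbox from auto-appearing in the grantee's Outlook,
# so the grant is less likely to be noticed by anyone looking at that client.

function Get-ExplicitMailboxDelegates {
    # Enumerate explicit (non-inherited, non-deny) FullAccess grants to anyone other
    # than the mailbox owner. Orphaned SIDs from deleted objects are skipped.
    [CmdletBinding()]
    param(
        [string[]] $ExcludeUser = @('NT AUTHORITY\SELF')
    )
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.AccessRights -contains 'FullAccess' -and
            $_.User -notin $ExcludeUser -and
            $_.User -notlike 'S-1-5-*'
        } |
        Select-Object Identity, User, AccessRights
}

function Get-RecentDelegationChanges {
    # Pull the admin-audit records for the cmdlets that grant delegate access and
    # flatten the JSON payload to who granted what to whom.
    [CmdletBinding()]
    param([int] $Days = 7)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations 'Add-MailboxPermission', 'Add-MailboxFolderPermission', 'Set-Mailbox' `
        -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                When      = $_.CreationDate
                Operation = $_.Operations
                Actor     = $d.UserId
                Target    = ($d.Parameters | Where-Object Name -eq 'Identity').Value
                Grantee   = ($d.Parameters | Where-Object Name -eq 'User').Value
                Rights    = ($d.Parameters | Where-Object Name -eq 'AccessRights').Value
            }
        }
}

# Current state: who holds explicit FullAccess right now.
Get-ExplicitMailboxDelegates | Format-Table -AutoSize
# History: who created such grants in the last 30 days, and from which admin account.
Get-RecentDelegationChanges -Days 30 | Format-Table -AutoSize
```

The two views complement each other: the first catches grants that predate your log retention, the second attributes a grant to the actor account and time, which is what you need to tell a helpdesk delegation from an adversary using a compromised admin session.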
…variant of the ASPXSpy web shell following initial access via exploitation. [4] G0007 APT28 APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server. [5] G0016 APT29 APT29 has installed web she…
G0007 APT28 APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges. [3] [4] [5] [6] G0016 APT29 APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host. [7] G0050 APT32 APT32 has used CVE-2…
…pril 2025 Procedure Examples ID Name Description G0007 APT28 APT28 hosted phishing domains on free services for brief periods of time during campaigns. [2] G1044 APT42 APT42 has used anonymized infrastructure and Virtual Private Servers (VPSs) to in…
…ent Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design an…
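A check for the condition this mitigation warns about, as an added example that is not part of the ATT&CK page: enumerate the local Administrators group on a set of hosts and report every domain principal in it that is not on an allow-list. It assumes PowerShell remoting (WinRM) to the targets and the Microsoft.PowerShell.LocalAccounts module on them (Windows 10 / Server 2016 and later); the host names and the allow-list entries are hypothetical.

```powershell
# Added example, not from the ATT&CK page. Requires WinRM access to the target hosts.
# Host names and allow-list entries below are hypothetical.

function Get-DomainPrincipalsInLocalAdmins {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Domain principals that are allowed to be local admins (e.g. a tiered admin group).
        [string[]] $AllowedMember = @('EXAMPLE\Tier1-Workstation-Admins')
    )
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; querying by SID
        # avoids localized group names. Get-LocalGroupMember can throw on orphaned SIDs
        # of deleted accounts, so errors are reported but do not stop the run.
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Continue |
            Select-Object Name, ObjectClass, PrincipalSource
    } |
    Where-Object {
        $_.PrincipalSource -eq 'ActiveDirectory' -and   # domain, not local or Microsoft account
        $_.Name -notin $AllowedMember
    } |
    # PSComputerName is added by Invoke-Command and tells you which host the row came from.
    Select-Object PSComputerName, Name, ObjectClass
}

# Any row in the output is a finding: a domain user or group with local admin on that host
# that is not one of the controlled entries. Sorting by Name shows the "same account on
# many hosts" pattern the mitigation describes.
Get-DomainPrincipalsInLocalAdmins -ComputerName 'WKS-001', 'WKS-002', 'SRV-FILE01' |
    Sort-Object Name, PSComputerName |
    Format-Table -AutoSize
```

Run it against a representative sample of workstations and servers rather than a handful of domain controllers; the accounts that matter for lateral movement are the ones that recur across ordinary member hosts.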
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June…
… Agrius Agrius engaged in password spraying via SMB in victim environments. [3] G0007 APT28 APT28 has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted acco…
…engaged in various brute forcing activities via SMB in victim environments. [3] G0007 APT28 APT28 can perform brute force attacks to obtain credentials. [4] [1] [5] G0082 APT38 APT38 has used brute force techniques to attempt account access when passwords are unknown or when pass…
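Detection logic for both modes described in the two passages above, as an added example that is not from the ATT&CK page: password spraying (one source touching many accounts, each only a few times per hour, which stays under per-account lockout thresholds) and plain brute force (many failures against one account). The failure records are constructed inline; the commented helper shows how to build the same records from Windows Security event ID 4625. Thresholds, account names and addresses are hypothetical.

```powershell
# Added example, not from the ATT&CK page. Event records, thresholds, names and
# addresses are hypothetical. Each record has Time (DateTime), User and Source.

function ConvertFrom-LogonFailureEvent {
    # Turn real 4625 (logon failure) events into the record shape the detectors consume.
    [CmdletBinding()]
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Source = $d.IpAddress }
        }
}

function Find-PasswordSpray {
    # Breadth with a low per-account rate: the signature of spraying that is tuned to
    # stay under lockout policy, e.g. the ~4 attempts/hour/account cadence quoted above.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]    $MinDistinctAccounts = 10,   # one user's typos never reach this breadth
        [double] $MaxPerAccountPerHour = 6    # rates above this are ordinary brute force
    )
    foreach ($g in ($Events | Group-Object Source)) {
        $times    = @($g.Group.Time | Sort-Object)
        $hours    = [math]::Max(($times[-1] - $times[0]).TotalHours, 1.0)   # floor at one hour
        $accounts = @($g.Group.User | Sort-Object -Unique)
        $rate     = $g.Count / $accounts.Count / $hours
        if ($accounts.Count -ge $MinDistinctAccounts -and $rate -le $MaxPerAccountPerHour) {
            [pscustomobject]@{
                Source            = $g.Name
                Failures          = $g.Count
                Accounts          = $accounts.Count
                PerAccountPerHour = [math]::Round($rate, 2)
                Window            = '{0:HH:mm} - {1:HH:mm}' -f $times[0], $times[-1]
            }
        }
    }
}

function Find-BruteForce {
    # Depth against a single account, regardless of how many sources are used.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Events, [int] $MinFailuresPerAccount = 50)
    $Events | Group-Object User | Where-Object Count -ge $MinFailuresPerAccount | ForEach-Object {
        [pscustomobject]@{ User = $_.Name; Failures = $_.Count; Sources = @($_.Group.Source | Sort-Object -Unique).Count }
    }
}

# Constructed sample data (not real telemetry):
$t0 = Get-Date '2025-01-15T08:00:00'
$events = @(
    # Spray: 20 accounts, each tried every 15 minutes for 6 hours (4/hour/account),
    # staggered by a minute so no two accounts are hit at the same instant.
    foreach ($i in 1..20) {
        foreach ($k in 0..23) {
            [pscustomobject]@{ Time = $t0.AddMinutes(15 * $k + $i); User = "user$i"; Source = '203.0.113.7' }
        }
    }
    # Brute force: one account, 120 attempts in 30 minutes from one source.
    foreach ($k in 0..119) {
        [pscustomobject]@{ Time = $t0.AddSeconds(15 * $k); User = 'bob'; Source = '198.51.100.9' }
    }
    # Benign noise: one user mistyping a password five times in ten minutes.
    foreach ($k in 0..4) {
        [pscustomobject]@{ Time = $t0.AddMinutes(2 * $k); User = 'alice'; Source = '192.0.2.5' }
    }
)

Find-PasswordSpray -Events $events | Format-Table -AutoSize
Find-BruteForce    -Events $events | Format-Table -AutoSize
# To run on real data: $events = ConvertFrom-LogonFailureEvent -Hours 24
```

The spray rule keys on the source, the brute-force rule on the target account; a tool that alternates between the two modes, as the text describes, needs both, and a per-account lockout counter alone will see neither the spray nor a brute force spread across many source addresses.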
…malicious attachments in RTF and XLSM formats to deliver initial exploits. [11] G0007 APT28 APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments. [12] [13] [14] [15] [16] [17] [18] G0016 APT29 APT29 has used spearphishing emails with an attach…
…PT19 APT19 has obtained and used publicly-available tools like Empire. [4] [5] G0007 APT28 APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder. [6] [7] [8] G0016 APT29 APT29 has obtained and used a variety of tools including Mimikatz, SDelete,…
…and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611). [6] [7] G0007 APT28 APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution. [8] G0016 APT29 APT29 has used multiple software exploits for common client software, like Microsoft Word, E…