… Scheduler vulnerability to escalate privileges on local Windows machines. [40] G0027 Threat Group-3390 Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges. [41] [42] G0131 Tonto Team Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate pr…
…2541 TA2541 has used WMI to query targeted systems for security products. [155] G0027 Threat Group-3390 A Threat Group-3390 tool can use WMI to execute a binary. [156] G1022 ToddyCat ToddyCat has used WMI to execute scripts for post exploit document collection. [157] S0386 Ursnif…
…val of memory from processes such as lsass.exe for credential harvesting. [103] G0027 Threat Group-3390 Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers. [104] [105] C…
… Scheduler vulnerability to escalate privileges on local Windows machines. [41] G0027 Threat Group-3390 Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges. [42] [43] G0131 Tonto Team Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate pr…
…ns a side-loading weakness which is used to load a portion of the malware. [43] G0027 Threat Group-3390 Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell…
…ent phishing emails with malicious Microsoft Word attachments to victims. [249] G0027 Threat Group-3390 Threat Group-3390 has used e-mail to deliver malicious attachments to victims. [60] S0665 ThreatNeedle ThreatNeedle has been distributed via a malicious Word document within a …
… steal documents from the local system including the print spooler queue. [119] G0027 Threat Group-3390 Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. [120] S0266 TrickBot TrickBot collects local files and infor…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. Mercer, W, et al. (2020, April 16). PoetRAT:…
… G0139 TeamTNT TeamTNT has executed PowerShell commands in batch scripts. [259] G0027 Threat Group-3390 Threat Group-3390 has used PowerShell for execution. [260] [57] G0076 Thrip Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, …
… has encrypted its binaries via AES and encoded files using Base64. [219] [220] G0027 Threat Group-3390 A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved Nov…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Ret…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…OFTWARE\Microsoft\CTF existed before decoding its embedded payload. [106] [110] G0027 Threat Group-3390 A Threat Group-3390 tool can read and decrypt stored Registry values. [111] S0668 TinyTurla TinyTurla can query the Registry for its configuration information. [112] S1201 TRAN…