…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…ed account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Fo…
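One way to check for the condition the mitigation above describes, as an added example that is not part of the ATT&CK page or any cited report: enumerate the local Administrators group on a set of hosts, flag domain principals that are members, and list any that recur across hosts (the "same account on every system" problem). It assumes PowerShell Remoting (WinRM) is enabled, the caller is a local administrator on the targets, and the hostnames and the approved-group list are placeholders to replace with your own inventory.

```powershell
# Added example (not from the ATT&CK page): audit local Administrators group membership
# across hosts and flag domain accounts, which the mitigation warns against.
# Assumptions: WinRM enabled, caller has local admin on each target, and the
# hostnames / approved principals below are illustrative placeholders.
function Get-LocalAdminAudit {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Domain principals you have deliberately granted local admin (placeholder list).
        [string[]] $ApprovedDomainPrincipals = @('Domain Admins')
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Get-LocalGroupMember ships with Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+).
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $_.Name            # e.g. CONTOSO\alice or HOST\Administrator
                PrincipalSource = $_.PrincipalSource # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                ObjectClass     = $_.ObjectClass     # User or Group
            }
        }
    } | ForEach-Object {
        $shortName = ($_.Member -split '\\')[-1]
        # A domain user placed directly in local Administrators is the pattern to remove;
        # an unapproved domain group is flagged too, since every member inherits the access.
        $finding = if ($_.PrincipalSource -eq 'ActiveDirectory' -and $shortName -notin $ApprovedDomainPrincipals) {
            if ($_.ObjectClass -eq 'User') { 'DomainUserInLocalAdmins' } else { 'DomainGroupInLocalAdmins' }
        } else { 'OK' }
        $_ | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
}

# Placeholder hostnames; replace with your inventory.
$Hosts = 'WKS01', 'WKS02', 'SRV-FILE01'
$audit = Get-LocalAdminAudit -ComputerName $Hosts

# Every finding, then the principals that appear on more than one host:
# those are the accounts whose compromise turns into lateral movement everywhere.
$audit | Where-Object Finding -ne 'OK' | Format-Table Computer, Member, ObjectClass, Finding -AutoSize

$audit | Where-Object Finding -ne 'OK' |
    Group-Object Member |
    Where-Object Count -gt 1 |
    Select-Object @{n='Member'; e={$_.Name}}, Count,
                  @{n='Hosts'; e={($_.Group.Computer | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize
```

Run it from an administrative workstation; the second table is the one to act on, because a principal that is a local administrator on many hosts with one password is exactly what the mitigation says to avoid.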
…various WMI queries to check if the sample is running in a sandbox. [138] [139] G0034 Sandworm Team Sandworm Team has used Impacket ’s WMIexec module for remote code execution and VBScript to run WMI queries. [5] [140] S1085 Sardonic Sardonic can use WMI to execute PowerShell com…
… Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware. [78] [79] G0034 Sandworm Team Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems. [80] [81]…
… Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware. [69] [70] G0034 Sandworm Team Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems. [71] [72]…
… for files on local drives based on a predefined list of file extensions. [106] G0034 Sandworm Team Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts. [107] S0461 SDBbot SDBbot has the ability to access the file system on a compromised…
…xe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1" . [162] [56] G0034 Sandworm Team Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses. [163] [164] S0053 SeaDuke SeaDuke uses a module to execute Mimikatz with …
…n distributed as malicious attachments within spearphishing emails. [216] [185] G0034 Sandworm Team Sandworm Team has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails. [217] [218] [219] [220] [221] [222] G1008 SideCopy SideCopy has sent spear…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Pla…
… S0074 Sakula Sakula calls cmd.exe to run various DLL files via rundll32. [104] G0034 Sandworm Team Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe. [105] S0461 SDBbot SDBbot has used rundll32.exe to execute DLLs. [52] S0382 ServHelper ServHelp…
…has the capability to download a VNC module from command and control (C2). [32] G0034 Sandworm Team Sandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers. [33] [34] G101…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…loads. [232] S1018 Saint Bot Saint Bot has used PowerShell for execution. [232] G0034 Sandworm Team Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses. [233] [6] S1085 Sardonic Sardonic has the ability to execute PowerShell c…
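The PowerShell launch pattern quoted in the procedure examples above (hidden window, execution-policy bypass, script under %APPDATA%) is the kind of thing to look for in process-creation telemetry. The following is an added example, not code from the ATT&CK page or from any cited report: a scorer for command lines that accounts for powershell.exe accepting abbreviated parameter names (-w, -win, -WindowStyle all mean the same thing), run over a constructed set of sample command lines standing in for Security event 4688 or Sysmon event 1 records. The minimum abbreviation lengths are approximations, and the sample lines are made up for the demonstration.

```powershell
# Added example (not from the ATT&CK page): score process-creation command lines for the
# hidden-window / bypass / user-writable-script pattern. Sample input below is constructed.

function New-PrefixPattern([string] $Name, [int] $MinLength) {
    # Regex matching any prefix of $Name at least $MinLength characters long, because
    # powershell.exe accepts unambiguous abbreviations (-w, -win, -WindowStyle).
    $tail = ''
    for ($i = $Name.Length - 1; $i -ge $MinLength; $i--) {
        $tail = "(?:$($Name[$i])$tail)?"
    }
    return $Name.Substring(0, $MinLength) + $tail
}

function Test-SuspiciousPowerShellCommandLine {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine)
    begin {
        # Only lines that actually launch powershell.exe / pwsh.exe are scored.
        $reLaunch  = '(?i)(?:^|[\\\s"])(?:powershell|pwsh)(?:\.exe)?(?:"|\s|$)'
        # Minimum abbreviation lengths are assumptions; adjust if your telemetry shows others.
        $reHidden  = '(?i)-' + (New-PrefixPattern 'windowstyle' 1)     + '\s+' + (New-PrefixPattern 'hidden' 1) + '\b'
        $reBypass  = '(?i)-' + (New-PrefixPattern 'executionpolicy' 2) + '\s+bypass\b'
        $reNoProf  = '(?i)-' + (New-PrefixPattern 'noprofile' 3)       + '\b'
        $reEncoded = '(?i)-' + (New-PrefixPattern 'encodedcommand' 1)  + '\s+[A-Za-z0-9+/=]{20,}'
        # Script file in a user-writable profile location (%APPDATA%, %TEMP%, Downloads, ...).
        $reUserDir = '(?i)-' + (New-PrefixPattern 'file' 1) +
                     '\s+"?(?:%APPDATA%|%LOCALAPPDATA%|%TEMP%|[A-Za-z]:\\Users\\[^\\"\s]+\\(?:AppData|Downloads))'
    }
    process {
        if ($CommandLine -notmatch $reLaunch) { return }
        $reasons = New-Object System.Collections.Generic.List[string]
        if ($CommandLine -match $reHidden)  { $reasons.Add('hidden window') }
        if ($CommandLine -match $reBypass)  { $reasons.Add('execution policy bypass') }
        if ($CommandLine -match $reNoProf)  { $reasons.Add('no profile') }
        if ($CommandLine -match $reEncoded) { $reasons.Add('encoded command') }
        if ($CommandLine -match $reUserDir) { $reasons.Add('script in user-writable path') }
        # Any single flag is common in legitimate automation; two or more together is the signal.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{ Score = $reasons.Count; Reasons = ($reasons -join ', '); CommandLine = $CommandLine }
        }
    }
}

# Constructed sample command lines (not real telemetry). The second mirrors the procedure text above.
$samples = @(
    'powershell.exe -NoProfile -Command "Get-Process | Out-File C:\Reports\procs.txt"'
    'powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1"'
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
    'cmd.exe /c dir C:\Users\alice\AppData'
    'pwsh.exe -File C:\Scripts\backup.ps1'
)
$samples | Test-SuspiciousPowerShellCommandLine | Format-Table Score, Reasons, CommandLine -Wrap
```

With the constructed input, only the second and third lines are reported (three reasons each); the first line has a single benign flag and stays below the threshold. In production, feed it the CommandLine field from Get-WinEvent output instead of the sample array, and tune the user-writable path list to your environment.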
…Version
Procedure Examples
ID / Name / Description
G0001 / Axiom / Axiom has used large groups of compromised machines for use as proxy nodes. [4]
G0125 / HAFNIUM / HAFNIUM has used compromised devices in covert networks to obfuscate communications. [5]
C0055 / Quad7 Activity / Quad7 Activity ha…