…ered via spearphishing emails (often sent from compromised accounts). [60] [61] G0037 FIN6 FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts. [62] G0046 FIN7 FIN7 lured victims to double-click on images in the attachments they sent wh…
…f its execution stored in the /tmp folder over FTP using the curl command. [17] G0037 FIN6 FIN6 has sent stolen payment card data to remote servers via HTTP POSTs. [18] G0061 FIN8 FIN8 has used FTP to exfiltrate collected data. [19] S0095 ftp ftp may be used to exfiltrate data se…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…e by using the Registry option in PowerShell Empire to add a Run key. [79] [73] G0037 FIN6 FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD. [80] G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to …
…as also scanned for internal MS-SQL servers in a compromised network. [31] [32] G0037 FIN6 FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Q…
…3 Empire Empire can exploit vulnerabilities such as MS16-032 and MS16-135. [21] G0037 FIN6 FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local us…
… execute commands and move laterally on compromised Windows machines. [55] [56] G0037 FIN6 FIN6 has used WMI to automate the remote execution of PowerShell scripts. [57] G0046 FIN7 FIN7 has used WMI to install malware on targeted systems. [58] G0061 FIN8 FIN8's malicious spearph…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…0 FIN10 has executed malicious .bat files containing PowerShell commands. [104] G0037 FIN6 FIN6 has used kill.bat script to disable security tools. [105] G0046 FIN7 FIN7 used the command prompt to launch commands on the victim’s machine. [106] [107] G0061 FIN8 FIN8 has used a Bat…
… S0363 Empire Empire can use PsExec to execute a payload on a remote host. [23] G0037 FIN6 FIN6 has created Windows services to execute encoded PowerShell commands. [24] S0032 gh0st RAT gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
… for execution as well as PowerShell Empire to establish persistence. [73] [70] G0037 FIN6 FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. [74] [75] [76] G0046 FIN…
…32Node\Microsoft\Windows\CurrentVersion\Run\hosts to maintain persistence. [95] G0037 FIN6 FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD. [96] G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to …
…32Node\Microsoft\Windows\CurrentVersion\Run\hosts to maintain persistence. [99] G0037 FIN6 FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD. [100] G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to…
…keys. [8] G0120 Evilnum Evilnum can collect email credentials from victims. [9] G0037 FIN6 FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP. [10] S0526 KGH_SPY KGH_SPY can collect credentials from WINSCP. [11] S0349 LaZag…