…elp gather credentials that are later used for lateral movement. [51] [52] [47] G0049 OilRig OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [53] [54] [43] [55] S0439 Okrum Ok…
… RDP and other services securely over internet connections. [37] [38] [39] [40] G0049 OilRig OilRig has used the Plink utility and other tools to create tunnels to C2 servers. [41] [42] [43] [44] S0650 QakBot The QakBot proxy module can encapsulate SOCKS5 protocol within its own …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Pla…
… use of legitimate credentials and gathered additional victim information. [13] G0049 OilRig OilRig has compromised email accounts to send phishing emails. [14] G1033 Star Blizzard Star Blizzard has used compromised email accounts to conduct spearphishing against contacts of the …
…ry to record the malicious listener for output from the Winlogon process. [135] G0049 OilRig OilRig has used reg.exe to modify system configuration. [136] [137] C0006 Operation Honeybee During Operation Honeybee, the threat actors used batch files that modified registry keys. [1…
…[136] S0340 Octopus Octopus has been delivered via spearphishing emails. [135] G0049 OilRig OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts. [137] [138] [139] G0040 Patchwork Patchwork has used s…
… Octopus has used HTTP GET and POST requests for C2 communications. [177] [178] G0049 OilRig OilRig has used HTTP for C2. [140] [179] [180] S0439 Okrum Okrum uses HTTP for communication with its C2. [181] S0138 OLDBAIT OLDBAIT can use HTTP for C2. [12] S0052 OnionDuke OnionDuke u…
…nt using cmd.exe. [202] OceanSalt has been executed via malicious macros. [202] G0049 OilRig OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. [203] [204] [205] [206] [207] OilRig has used batch scripts. [203] [204] [205] [206] [207] S0439 Okrum Okrum's ba…
…ctopus Octopus can collect the host IP address from the victim’s machine. [125] G0049 OilRig OilRig has run ipconfig /all on a victim. [126] [127] S0439 Okrum Okrum can collect network information, including the host IP address, DNS, and proxy information. [128] S0365 Olympic Des…
…ETWIRE can retrieve passwords from messaging and mail client applications. [25] G0049 OilRig OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. [26] [27] [28] [29] S0138 OLDBAIT O…
…t is running as SYSTEM. [138] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140] G0081 Tropic Trooper Tropic Trooper use…
…users clicking on a malicious attachment delivered through spearphishing. [129] G0049 OilRig OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system. [130] [131] [132] [133] S0402 OSX/Shlayer OSX…
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…