…ROOT FELIXROOT adds a shortcut file to the startup folder for persistence. [97] G0051 FIN10 FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key. [98] [92] G1016 FIN13 FIN13 has used Windows Registry run keys such as HKEY_LOCAL_MAC…
…[107] S0679 Ferocious Ferocious can use PowerShell scripts for execution. [108] G0051 FIN10 FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence. [109] [105] G1016 FIN13 FIN13 has used PowerShell commands to obtain DNS data from a compromised …
…im’s machine, and can launch a reverse shell for command execution. [128] [129] G0051 FIN10 FIN10 has executed malicious .bat files containing PowerShell commands. [130] G1016 FIN13 FIN13 has leveraged xp_cmdshell and Windows Command Shell to execute commands on a compromised mac…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…