…used the command prompt to launch commands on the victim’s machine. [106] [107] G0061 FIN8 FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities. [108] FIN8 has also executed commands remotely via cmd. [109] [110] G0117 Fox Kitten Fox Kitt…
…8, all of which could allow local users to access kernel-level privileges. [21] G0061 FIN8 FIN8 has exploited the CVE-2016-0167 local vulnerability. [22] [23] G0125 HAFNIUM HAFNIUM has targeted unpatched applications to elevate access in targeted organizations. [24] S0601 Hildega…
…46 FIN7 FIN7 has conducted broad phishing campaigns using malicious links. [55] G0061 FIN8 FIN8 has distributed targeted emails containing links to malicious documents with embedded macros. [56] S0531 Grandoreiro Grandoreiro has been spread via malicious links embedded in e-mails…
… [57] G0046 FIN7 FIN7 has used WMI to install malware on targeted systems. [58] G0061 FIN8 FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and po…
…hell script to launch shellcode that retrieved an additional payload. [77] [78] G0061 FIN8 FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access. [79] [80] [81] G0117 Fox Kitten Fox Kitten ha…
… launch shellcode that retrieved an additional payload. [107] [108] [109] [110] G0061 FIN8 FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access. [111] [112] [113] [114] S0381 FlawedAmmyy Fla…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…om obfuscation of the shellcode invoker in PowerSploit called POWERTRASH. [119] G0061 FIN8 FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access. [120] [121] [122] [123] S0381 FlawedAmmyy Fla…
…8, all of which could allow local users to access kernel-level privileges. [22] G0061 FIN8 FIN8 has exploited the CVE-2016-0167 local vulnerability. [23] [24] G0125 HAFNIUM HAFNIUM has targeted unpatched applications to elevate access in targeted organizations. [25] S0601 Hildega…
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…
…[137] G0085 FIN4 FIN4 has used HTTP POST requests to transmit data. [138] [139] G0061 FIN8 FIN8 has used HTTPS for command and control. [140] S0355 Final1stspy Final1stspy uses HTTP for C2. [141] S0696 Flagpro Flagpro can communicate with its C2 using HTTP. [142] S0381 FlawedAmmy…
…he command prompt to launch commands on the victim’s machine. [134] [135] [136] G0061 FIN8 FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities. [137] FIN8 has also executed commands remotely via cmd.exe. [138] [139] [140] S0696 Flagpro F…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…ve character-replacement functionalities to obfuscate commands. [4] [114] [115] G0061 FIN8 FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads. [4] [116] [117] S0355 Final1…