…esidue (Micro Method) RR:D02-1193 D2007-Standard Test Method for Characteristic Groups in Rubber Extender and Processing Oils and Other Petroleum-Derived Oils by the Clay-Gel Absorption Chromatographic Method RR:D02-1195 D3240-Test Method for Undissolved Water In Aviation Turbine…
…s Group Lazarus Group malware SierraCharlie uses RDP for propagation. [48] [49] G0065 Leviathan Leviathan has targeted RDP credentials and used it to move through the victim environment. [50] G0059 Magic Hound Magic Hound has used Remote Desktop Services to copy tools on targeted…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…oup A Lazarus Group malware sample performs reflective DLL injection. [41] [42] G0065 Leviathan Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim. [43] S0681 Lizar Lizar has used t…
…Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution. [22] G0065 Leviathan Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882. [50] [51] [52] [53] G0069 MuddyWat…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…p malware sample also performs exfiltration over the C2 channel. [50] [51] [52] G0065 Leviathan Leviathan has exfiltrated data over its C2 channel. [53] S0395 LightNeuron LightNeuron exfiltrates data over its email C2 channel. [54] S0447 Lokibot Lokibot has the ability to initiat…
… with spearphishing emails containing malicious Microsoft Word documents. [106] G0065 Leviathan Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files. [107] [108] S0447 Lokibot Lokibot is delivered via a malicious XLS attachment …
…ipter LazyScripter has used PowerShell scripts to execute malicious code. [167] G0065 Leviathan Leviathan has used PowerShell for execution. [171] [172] [173] [174] S0680 LitePower LitePower can use a PowerShell script to execute commands. [108] S0681 Lizar Lizar has used PowerSh…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…oading and executing binaries from its C2 server. [204] [205] [206] [102] [105] G0065 Leviathan Leviathan has downloaded additional scripts and files from adversary-controlled servers. [207] [84] S0395 LightNeuron LightNeuron has the ability to download and execute additional fil…
…a malicious Microsoft Word attachment delivered via a spearphishing email. [92] G0065 Leviathan Leviathan has sent spearphishing attachments attempting to get a user to click. [93] [94] S0447 Lokibot Lokibot has tricked recipients into enabling malicious macros by getting victims…
…tence on a system by creating a LNK shortcut in the user’s Startup folder. [20] G0065 Leviathan Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. [21] [22] S0652 MarkiRAT MarkiRAT can modify the shortcut that launches …
…P utility to gain access to a restricted segment of a compromised network. [19] G0065 Leviathan Leviathan used SSH for internal reconnaissance. [20] C0049 Leviathan Australian Intrusions Leviathan used SSH brute force techniques to move laterally within victim environments during…
…s to execute payloads for persistence and lateral movement. [90] [91] [92] [93] G0065 Leviathan Leviathan has used WMI for execution. [94] S0532 Lucifer Lucifer can use WMI to log into remote machines for propagation. [95] S1141 LunarWeb LunarWeb can use WMI queries for discovery…