… AppleSeed AppleSeed has the ability to execute its payload via PowerShell. [6] G0073 APT19 APT19 used PowerShell commands to execute payloads. [7] G0007 APT28 APT28 downloads and executes PowerShell scripts and performs PowerShell commands. [8] [9] [10] G0016 APT29 APT29 has use…
…t emails with malicious Microsoft Office documents and PDFs attached. [11] [12] G0073 APT19 APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits. [13] G0007 APT28 APT28 sent spearphishing emails containing malicious Micros…
…pen malicious Microsoft Word and PDF attachment sent via spearphishing. [8] [9] G0073 APT19 APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails. [10] G0007 APT28 APT28 attempted to get users to click on Microsoft Office attachments cont…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…tence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. [12] [13] G0073 APT19 An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\. [14] G0007 APT28 …
…avoid detection. [14] G0026 APT18 APT18 obfuscates strings in the payload. [15] G0073 APT19 APT19 used Base64 to obfuscate commands and the payload. [16] G0007 APT28 APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads wit…
…t is running as SYSTEM. [138] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140] G0081 Tropic Trooper Tropic Trooper use…
…RESHELL has used rundll32.exe in a Registry value to establish persistence. [9] G0073 APT19 APT19 configured its payload to inject into rundll32.exe. [10] G0007 APT28 APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 al…
…s. [14] S1025 Amadey Amadey has overwritten registry keys for persistence. [15] G0073 APT19 APT19 uses a Port 22 malware variant to modify several Registry keys. [16] G0050 APT32 APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. [17] G0082…
…2. [6] S0622 AppleSeed AppleSeed can decode its payload prior to execution. [7] G0073 APT19 An APT19 HTTP malware variant decrypts strings using single-byte XOR keys. [8] G0007 APT28 An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the ba…
…sed the ipconfig /all command to gather network configuration information. [10] G0073 APT19 APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine. [11] G0022 APT3 A keylogging tool used by APT3 gathers…