… System Attack TEMP.Veles used cryptcat binaries to encrypt their traffic. [17] G0081 Tropic Trooper Tropic Trooper has encrypted traffic with the C2 to prevent network detection. [18] Mitigations ID Mitigation Description M1031 Network Intrusion Prevention Network intrusion dete…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…LL has used DLL injection to execute payloads received from the C2 server. [76] G0081 Tropic Trooper Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe. [77] [78] G0010 Turla Turla has used Metasploit to perform reflective DLL injection in order to escala…
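The procedure examples above (a DLL backdoor injected into dllhost.exe and svchost.exe, and Metasploit reflective DLL injection) share one observable: a thread created in a service host by a process that has no business doing so. The following detection logic is an added example, not ATT&CK content and not code from any of the groups listed; it runs over constructed Sysmon Event ID 8 (CreateRemoteThread) records flattened to key=value pairs. The trusted-source list and the field names are assumptions to tune against your own telemetry.

```python
"""Added detection example: flag remote-thread creation into svchost.exe / dllhost.exe
from Sysmon Event ID 8 records. The records below are constructed, not real telemetry."""
import re

# Hosts that adversaries commonly inject into (from the procedure examples above).
WATCHED_TARGETS = {"svchost.exe", "dllhost.exe"}

# Assumption: processes that legitimately create threads inside service hosts.
# Tune this allowlist to your environment; it is not an authoritative list.
TRUSTED_SOURCES = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed Sysmon Event ID 8 records (one per line, key=value, space separated).
SAMPLE_EVENTS = [
    r"UtcTime=2024-03-01 10:00:01 SourceImage=C:\Windows\System32\services.exe TargetImage=C:\Windows\System32\svchost.exe StartAddress=0x00007FF6A1B02000 StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart",
    r"UtcTime=2024-03-01 10:02:15 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\dllhost.exe StartAddress=0x000001E2F4C40000 StartModule= StartFunction=",
    r"UtcTime=2024-03-01 10:03:40 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\svchost.exe StartAddress=0x00007FFB2C1A5E10 StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryW",
    r"UtcTime=2024-03-01 10:05:02 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartAddress=0x00007FFB2C1A5E10 StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryW",
]

# Key=value tokenizer: a value runs until the next " Key=" or end of line, so values
# containing spaces (UtcTime) and empty values (StartModule=) both parse correctly.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Return the record as a dict of field name -> string value."""
    return dict(FIELD_RE.findall(line))


def basename(win_path):
    """Last component of a Windows path, lower-cased (os.path would split on '/')."""
    return win_path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a finding dict for a suspicious record, or None if it looks benign."""
    target = basename(ev.get("TargetImage", ""))
    if target not in WATCHED_TARGETS:
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in TRUSTED_SOURCES:
        return None
    if not ev.get("StartModule"):
        # Thread start address is not backed by any loaded module: typical of
        # reflectively loaded code that was never mapped through the loader.
        reason = "thread start address not backed by a loaded module (reflective injection)"
    elif ev.get("StartFunction", "") in ("LoadLibraryA", "LoadLibraryW"):
        # Remote thread that begins at LoadLibrary: the classic DLL injection pattern.
        reason = "remote thread started at LoadLibrary (classic DLL injection)"
    else:
        reason = "remote thread into service host from untrusted source"
    return {
        "time": ev.get("UtcTime", ""),
        "source": source,
        "target": target,
        "start_address": ev.get("StartAddress", ""),
        "reason": reason,
    }


def detect(lines):
    """Run the heuristic over raw records and return the list of findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['source']} -> {f['target']}  [{f['reason']}]")
```

Running the block over the constructed records reports two events from update.exe: one into dllhost.exe with an unbacked start address, and one into svchost.exe starting at LoadLibraryW; the services.exe and csrss.exe records are ignored. In production, an empty StartModule on Event ID 8 is the stronger signal, since it does not depend on the allowlist being complete.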
…il with an Excel sheet containing a malicious macro to deploy the malware [194] G0081 Tropic Trooper Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments. [195] [196] [197] [198] [199] S0476 Valak Valak has been de…
…ON TRITON disguised itself as the legitimate Triconex Trilog application. [126] G0081 Tropic Trooper Tropic Trooper has hidden payloads in Flash directories and fake installer files. [127] S0386 Ursnif Ursnif has used strings from legitimate system files and existing folders for …
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
… to get users to launch malicious documents to deliver its payload. [190] [191] G0081 Tropic Trooper Tropic Trooper has lured victims into executing malware via malicious e-mail attachments. [192] S0263 TYPEFRAME A Word document delivering TYPEFRAME prompts the user to enable mac…
…t is running as SYSTEM. [138] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140] G0081 Tropic Trooper Tropic Trooper use…
…y related programs, and kills the processes for security related programs. [88] G0081 Tropic Trooper Tropic Trooper can search for anti-virus software running on the system. [89] G0010 Turla Turla has obtained information on security software, including security logging informati…
…that masquerades as a legitimate security program installation file. [219] [79] G0081 Tropic Trooper Tropic Trooper has hidden payloads in Flash directories and fake installer files. [220] G0010 Turla Turla has named components of LunarWeb to mimic Zabbix agent logs. [221] S0386 …
…rojan.Karagany can enumerate files and directories on a compromised host. [236] G0081 Tropic Trooper Tropic Trooper has monitored files' modified time. [237] S0436 TSCookie TSCookie has the ability to discover drive information on the infected host. [238] S0647 Turian Turian can …
…ormation regarding the victim's OS, security, and hardware configuration. [300] G0081 Tropic Trooper Tropic Trooper has detected a target system’s OS version and system volume information. [301] [302] S0647 Turian Turian can retrieve system information including OS version, memor…
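The discovery procedures listed above for Tropic Trooper and its neighbours (user and group enumeration, searching for running anti-virus software, collecting OS version and volume information) are individually noisy to alert on, but they tend to run back-to-back from the same parent process. The following correlation logic is an added example, not ATT&CK content and not any group's code; it groups constructed Sysmon Event ID 1 (process creation) records by ParentProcessGuid and alerts when several discovery categories appear within a short window. The category patterns, window and threshold are assumptions to tune for your environment.

```python
"""Added detection example: correlate discovery commands (user, security software,
system information) by parent process over constructed Sysmon Event ID 1 records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: command-line patterns per discovery category. Bare tasklist is broad;
# keep it only if your baseline tolerates it, or require the /svc switch.
DISCOVERY_PATTERNS = {
    "user_discovery": [r"\bwhoami\b", r"\bnet\s+(user|group|localgroup)\b"],
    "security_software_discovery": [r"securitycenter2", r"antivirusproduct",
                                    r"\btasklist\b", r"\bsc\s+query\b"],
    "system_info_discovery": [r"\bsysteminfo\b", r"\bwmic\s+(os|logicaldisk|computersystem)\b",
                              r"\bfsutil\s+volume\b", r"\bvol\b"],
}
COMPILED = {cat: [re.compile(p, re.I) for p in pats] for cat, pats in DISCOVERY_PATTERNS.items()}

# Constructed Sysmon Event ID 1 records flattened to key=value pairs (not real telemetry).
SAMPLE_EVENTS = [
    r"UtcTime=2024-03-01 10:00:05 ParentProcessGuid={A1} ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe Image=C:\Windows\System32\whoami.exe CommandLine=whoami /groups",
    r"UtcTime=2024-03-01 10:00:20 ParentProcessGuid={A1} ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe Image=C:\Windows\System32\tasklist.exe CommandLine=tasklist /svc",
    r"UtcTime=2024-03-01 10:00:35 ParentProcessGuid={A1} ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName",
    r"UtcTime=2024-03-01 10:01:00 ParentProcessGuid={A1} ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe Image=C:\Windows\System32\systeminfo.exe CommandLine=systeminfo",
    r"UtcTime=2024-03-01 10:01:10 ParentProcessGuid={A1} ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic logicaldisk get caption,volumeserialnumber",
    r"UtcTime=2024-03-01 11:30:00 ParentProcessGuid={B2} ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\systeminfo.exe CommandLine=systeminfo",
    r"UtcTime=2024-03-01 15:00:00 ParentProcessGuid={B2} ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\whoami.exe CommandLine=whoami",
]

# A value runs until the next " Key=" token or end of line, so CommandLine may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Return the record as a dict of field name -> string value."""
    return dict(FIELD_RE.findall(line))


def categorize(cmdline):
    """Return the set of discovery categories a command line matches (empty if none)."""
    return {cat for cat, pats in COMPILED.items() if any(p.search(cmdline) for p in pats)}


def correlate(lines, window_seconds=300, min_categories=3):
    """Alert once per parent process whose children cover >= min_categories discovery
    categories inside any window_seconds-long window."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        cats = categorize(ev.get("CommandLine", ""))
        if not cats:
            continue  # not a discovery command; ignore
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        ev["_cats"] = cats
        by_parent[ev.get("ParentProcessGuid", "?")].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for guid, events in by_parent.items():
        events.sort(key=lambda e: e["_time"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["_time"] - start["_time"] <= window]
            seen = set().union(*(e["_cats"] for e in in_window))
            if len(seen) >= min_categories:
                alerts.append({
                    "parent_guid": guid,
                    "parent_image": start.get("ParentImage", ""),
                    "first_seen": start["UtcTime"],
                    "categories": sorted(seen),
                    "commands": [e["CommandLine"] for e in in_window],
                })
                break  # one alert per parent is enough for triage
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['first_seen']}  {a['parent_image']}  {a['categories']}")
        for c in a["commands"]:
            print("    " + c)
```

On the constructed records the only alert is for the update.exe parent, which runs all three categories within 65 seconds; the administrator's cmd.exe runs systeminfo and, hours later, whoami, and never crosses the threshold. Raising min_categories to 3 is what keeps the routine one-off systeminfo quiet; lowering it to 1 turns the block into a plain discovery-command logger.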