… enumerated hosts via Empire, gathering various local system information. [52] G0093 GALLIUM GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry. [53] G0047 Gamaredon Group Gamaredon Group has collected files from in…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved Nov…
…1 Frankenstein Frankenstein has obtained and used Empire to deploy agents. [38] G0093 GALLIUM GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions. [39] G0078 Gorgon Group Gorgon Group ha…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…m environments by using FLIPSIDE to create a proxy for a backup RDP tunnel. [8] G0093 GALLIUM GALLIUM used a modified version of HTRAN to redirect connections between networks. [9] S0260 InvisiMole InvisiMole InvisiMole can identify proxy servers used by the victim and use them f…
… scripts. [126] S0410 Fysbis Fysbis has been encrypted using XOR and RC4. [127] G0093 GALLIUM GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection. [128] G0084 Gallmaker Gallmaker obfuscated she…
…s of Base64-encoded commands that acted as a stager and enumerated hosts. [117] G0093 GALLIUM GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines. [118] G0084 Gallmaker Gallmaker used PowerShell to …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…s of Base64-encoded commands that acted as a stager and enumerated hosts. [126] G0093 GALLIUM GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines. [127] G0084 Gallmaker Gallmaker used PowerShell to …
…ro has been delivered within ZIP or RAR password-protected archived files. [78] G0093 GALLIUM GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection. [79] G0084 Gallmaker Gallmaker obfuscated shel…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Insikt Group…
…s of Base64-encoded commands that acted as a stager and enumerated hosts. [83] G0093 GALLIUM GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines. [84] G0084 Gallmaker Gallmaker used PowerShell to d…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…FinFisher FinFisher uses DLL side-loading to load malicious programs. [17] [18] G0093 GALLIUM GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine. [19] S0032 gh0st RAT A gh0st RAT variant has used DLL side-loading. [20] S0477 Goopy Goopy has…
…nt web shell to impacted systems following initial access for persistence. [31] G0093 GALLIUM GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration. [32] [33] S1117 GLASSTOKEN GLASSTOKEN is a web shell capable of tunneling C2 connectio…
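A web shell used for persistence and execution, as GALLIUM did, runs operator commands from inside the web server, so the most reliable host-side signal is the web worker process spawning a shell or a reconnaissance utility. The logic below is an added example, not code from MITRE ATT&CK or the cited reports; it runs over constructed process-creation events with assumed field names (ParentImage, Image, CommandLine, User), and the worker, shell and expected-child sets are illustrative assumptions rather than a complete list.

```python
"""Flag shells and recon utilities spawned by web-server workers in constructed
process-creation events (Sysmon Event ID 1 / auditd-style fields assumed)."""
import ntpath
import posixpath

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "httpd", "apache2", "nginx", "php-fpm", "php-cgi.exe",
               "tomcat9.exe"}
# Interpreters and LOLBins a web shell typically launches to run operator commands.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "cscript.exe",
              "wscript.exe", "certutil.exe", "whoami.exe", "net.exe", "ipconfig.exe",
              "nltest.exe", "tasklist.exe"}
# Children a worker legitimately spawns; ASP.NET compiling pages through csc.exe is the classic
# benign case that a bare "w3wp.exe spawned something" rule would misfire on.
EXPECTED_CHILDREN = {"w3wp.exe": {"csc.exe", "cvtres.exe", "conhost.exe"}}


def basename(path):
    """Basename for either Windows or POSIX paths, since telemetry from both is mixed here."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def webshell_reasons(ev):
    """Return the reasons a process-creation event looks like web-shell command execution."""
    parent = basename(ev["ParentImage"]).lower()
    child = basename(ev["Image"]).lower()
    if parent not in WEB_WORKERS:
        return []
    if child in EXPECTED_CHILDREN.get(parent, set()):
        return []
    if child in SHELL_LIKE:
        reasons = [f"web worker {parent} spawned {child}: {ev['CommandLine']}"]
    else:
        reasons = [f"web worker {parent} spawned unexpected child {child}"]
    # IIS app-pool identity corroborates that the command came from server-side script execution.
    if ev.get("User", "").upper().startswith("IIS APPPOOL\\"):
        reasons.append("ran under an IIS application-pool identity")
    return reasons


EVENTS = [  # constructed sample telemetry, not real GALLIUM or GLASSTOKEN artefacts
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @tmp.cmdline", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": "/usr/sbin/apache2", "Image": "/bin/sh",
     "CommandLine": "sh -c 'id; uname -a'", "User": "www-data"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\alice"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "User": r"IIS APPPOOL\DefaultAppPool"},
]


def scan(events):
    """Return (index, reasons) for every event that trips the rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := webshell_reasons(ev))]


if __name__ == "__main__":
    for i, reasons in scan(EVENTS):
        print(f"event {i}: {'; '.join(reasons)}")
```

Events 0, 2 and 4 are flagged; the csc.exe compile (event 1) and the interactive cmd.exe under explorer.exe (event 3) are not. A web shell that only tunnels C2, as GLASSTOKEN does, may never spawn a child process, so this rule should sit alongside web-server access-log review (unusual POST targets, unexpected files under the web root) rather than replace it.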