…uding the operating system, version, patches, hotfixes, and service packs. [31] G0096 APT41 APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information. [32] G0143 Aquatic Panda Aquatic Panda has u…
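Added example (not from MITRE ATT&CK or from any report cited on this page): detection logic that flags a burst of distinct host-discovery commands such as systeminfo and net config Workstation from one user on one host, which is the pattern the APT41 procedure above describes. The process-creation records and their field names (ts, host, user, cmdline) are constructed for the example and are not a real product's schema.

```python
"""Flag clusters of discovery commands (systeminfo, net config, whoami, ...)
run by one user on one host inside a short window.

Added example; the event records below are constructed and the field names
are an assumed, simplified process-creation schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst on WS01 (suspicious) and isolated use on WS02 (noise).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "user": "jdoe", "cmdline": "systeminfo"},
    {"ts": "2024-01-10T09:00:04", "host": "WS01", "user": "jdoe", "cmdline": "net config Workstation"},
    {"ts": "2024-01-10T09:00:09", "host": "WS01", "user": "jdoe", "cmdline": "whoami /all"},
    {"ts": "2024-01-10T09:00:15", "host": "WS01", "user": "jdoe", "cmdline": "ipconfig /all"},
    {"ts": "2024-01-10T13:12:00", "host": "WS02", "user": "admin", "cmdline": "systeminfo"},
    {"ts": "2024-01-10T13:40:00", "host": "WS02", "user": "admin", "cmdline": "net use"},
]

# Command-line patterns for common built-in discovery commands.
DISCOVERY_PATTERNS = [
    ("systeminfo", re.compile(r"^\s*systeminfo(\.exe)?\b", re.I)),
    ("net config", re.compile(r"^\s*net1?(\.exe)?\s+config\b", re.I)),
    ("whoami", re.compile(r"^\s*whoami(\.exe)?\b", re.I)),
    ("ipconfig", re.compile(r"^\s*ipconfig(\.exe)?\b", re.I)),
    ("net user/group", re.compile(r"^\s*net1?(\.exe)?\s+(user|group|localgroup)\b", re.I)),
]


def classify(cmdline):
    """Return the discovery label a command line matches, or None."""
    for label, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def find_discovery_clusters(events, window_seconds=300, min_distinct=3):
    """Alert when one (host, user) runs >= min_distinct distinct discovery
    commands within window_seconds. One alert per burst, not per event."""
    by_actor = defaultdict(list)
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            ts = datetime.fromisoformat(ev["ts"])
            by_actor[(ev["host"], ev["user"])].append((ts, label, ev["cmdline"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            j = i
            while j < len(hits) and hits[j][0] - start <= window:
                j += 1
            in_window = hits[i:j]
            distinct = {label for _, label, _ in in_window}
            if len(distinct) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "commands": [c for _, _, c in in_window]})
                i = j  # skip the rest of this burst so it is reported once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_discovery_clusters(SAMPLE_EVENTS):
        print(a)
```

Thresholds are deliberately loose here; in practice the window and the list of commands should be tuned per environment, because administrators and inventory agents also run these commands, just rarely as a tight burst under an interactive user.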
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…has used tools with the ability to search for files on a compromised host. [15] G0096 APT41 APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information. [16] S0456 Aria-body Aria-body has the ability to gather metadata from a file and…
…-26411), and Microsoft Edge (CVE-2021-26411) for execution. [17] [18] [19] [20] G0096 APT41 APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396. [21] S0239 Bankshot Bankshot leverages a known zero…
…[25] G0087 APT39 APT39 has used PowerShell to execute malicious code. [26] [27] G0096 APT41 APT41 leveraged PowerShell to deploy malware families in victims’ environments. [28] [29] G1023 APT5 APT5 has used PowerShell to accomplish tasks within targeted environments. [30] G0143 A…
…ails with malicious attachments to initially compromise victims. [35] [36] [37] G0096 APT41 APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. [38] S0642 BADFLICK BADFLICK has been distributed via spearphishi…
…omized versions of publicly-available tools like PLINK and Mimikatz. [17] [18] G0096 APT41 APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor. [19] G0135 BackdoorDiplomacy BackdoorDiplomacy has obtained a variety of open-so…
…[28] G0087 APT39 APT39 has used PowerShell to execute malicious code. [29] [30] G0096 APT41 APT41 leveraged PowerShell to deploy malware families in victims’ environments. [31] [32] G1044 APT42 APT42 has downloaded and executed PowerShell payloads. [33] G1023 APT5 APT5 has used P…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…[22] G0087 APT39 APT39 has used PowerShell to execute malicious code. [23] [24] G0096 APT41 APT41 leveraged PowerShell to deploy malware families in victims’ environments. [25] [26] S0129 AutoIt backdoor AutoIt backdoor downloads a PowerShell script that decodes to a typical shel…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…e unavailable. [6] G0087 APT39 APT39 has used Ncrack to reveal credentials. [7] G0096 APT41 APT41 performed password brute-force attacks on the local admin account. [8] S0572 Caterpillar WebShell Caterpillar WebShell has a module to perform brute force attacks on a system. [9] S0…
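Added example (not from MITRE ATT&CK or from any cited report): detection logic for the brute-force behaviour described above, counting Windows Security failed-logon events (4625) against a local administrator account from one source and checking whether a successful logon (4624) from that same source follows. The event records are constructed and use simplified field names; real 4625 events carry more fields (logon type, failure status) that a production rule would also use.

```python
"""Detect password guessing against a local Administrator account from
Windows Security events 4625 (failure) and 4624 (success).

Added example; records are constructed and field names are simplified.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(event_id, ts, computer, user, domain, src_ip):
    return {"event_id": event_id, "ts": ts, "computer": computer,
            "target_user": user, "target_domain": domain, "src_ip": src_ip}


BASE = datetime(2024, 1, 10, 10, 0, 0)
SAMPLE_EVENTS = []
# Constructed: six guesses at FS01\Administrator from 10.0.0.5 in under a minute...
for i in range(6):
    SAMPLE_EVENTS.append(_ev(4625, BASE + timedelta(seconds=10 * i),
                             "FS01", "Administrator", "FS01", "10.0.0.5"))
# ...followed by a successful logon from the same source.
SAMPLE_EVENTS.append(_ev(4624, BASE + timedelta(seconds=90),
                         "FS01", "Administrator", "FS01", "10.0.0.5"))
# Noise: a domain user mistyping a password twice, and one stray failure.
SAMPLE_EVENTS += [_ev(4625, BASE + timedelta(minutes=3, seconds=s),
                      "WS07", "jdoe", "CORP", "10.0.0.9") for s in (0, 8)]
SAMPLE_EVENTS.append(_ev(4625, BASE + timedelta(minutes=4),
                         "FS01", "Administrator", "FS01", "10.0.0.7"))


def is_local_admin_target(ev):
    """Local account (domain field equals the computer name) named Administrator.
    Caveat: the built-in account can be renamed, and a failed logon does not
    carry the target's SID (RID 500), so this name match is a heuristic."""
    return (ev["target_domain"].upper() == ev["computer"].upper()
            and ev["target_user"].lower() == "administrator")


def detect_local_admin_bruteforce(events, threshold=5, window_seconds=300,
                                  success_grace_seconds=3600):
    """Alert on >= threshold failures per (computer, source IP) within the
    window; mark the alert if a success from that source follows."""
    window = timedelta(seconds=window_seconds)
    grace = timedelta(seconds=success_grace_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if not is_local_admin_target(ev):
            continue
        key = (ev["computer"], ev["src_ip"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["ts"])
        elif ev["event_id"] == 4624:
            successes[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        i = 0
        while i < len(times):
            start = times[i]
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                last_fail = times[j - 1]
                followed = any(start <= s <= last_fail + grace
                               for s in successes.get(key, []))
                alerts.append({"computer": key[0], "src_ip": key[1],
                               "failures": j - i, "start": start.isoformat(),
                               "followed_by_success": followed})
                i = j
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in detect_local_admin_bruteforce(SAMPLE_EVENTS):
        print(a)
```

A burst of failures that ends in a success from the same source is the case to escalate first; a burst that never succeeds is still worth a lockout policy check, since the procedure above targets the local admin account precisely because it is often exempt from domain lockout.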
…verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. [1] G0096 APT41 APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor. [2] S0031 BACKSPACE BACKSPACE attempts to avoid detection by checking a first stage command and control s…
…Exec and a custom port scanner known as BLUETORCH for network scanning. [6] [7] G0096 APT41 APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets. [8] S0093 Backdoor.Oldrea Backdoor.Oldrea can use a network scanning module to identify ICS-related…
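Added example (not from MITRE ATT&CK or from any cited report): detection logic for the port-scanning behaviour described above, run over constructed network flow records. It goes slightly beyond the text by flagging both a horizontal sweep (one port across many hosts in a subnet, which is what "port scans on specified subnets" suggests) and a vertical scan (many ports on one host). The flow records and their field names (ts, src, dst, dport) are constructed for the example.

```python
"""Detect port scans from flow records: horizontal sweeps (one port, many
hosts) and vertical scans (one host, many ports) inside a short window.

Added example; flow records are constructed with simplified field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _flow(ts, src, dst, dport):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": "tcp"}


BASE = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_FLOWS = []
# Constructed: SMB sweep of 10.0.1.0/24 from 10.0.0.5, one host per second.
for i in range(1, 31):
    SAMPLE_FLOWS.append(_flow(BASE + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i}", 445))
# Constructed: port range 20-40 against a single host from the same source.
for i, port in enumerate(range(20, 41)):
    SAMPLE_FLOWS.append(_flow(BASE + timedelta(minutes=5, seconds=i), "10.0.0.5", "10.0.1.20", port))
# Benign noise: repeated HTTPS connections to one server.
for i in range(5):
    SAMPLE_FLOWS.append(_flow(BASE + timedelta(minutes=10, seconds=7 * i), "10.0.0.9", "10.0.1.20", 443))


def _bursts(items, window, min_distinct):
    """items: list of (timestamp, value). Yield (start, distinct_values) for
    each burst with >= min_distinct distinct values inside the window."""
    items = sorted(items)
    out, i = [], 0
    while i < len(items):
        start = items[i][0]
        j = i
        while j < len(items) and items[j][0] - start <= window:
            j += 1
        distinct = {v for _, v in items[i:j]}
        if len(distinct) >= min_distinct:
            out.append((start, distinct))
            i = j
        else:
            i += 1
    return out


def detect_port_scans(flows, window_seconds=60, min_distinct=10):
    """Return one alert per scan burst, tagged 'vertical' or 'horizontal'."""
    window = timedelta(seconds=window_seconds)
    vertical = defaultdict(list)    # (src, dst)   -> [(ts, dport)]
    horizontal = defaultdict(list)  # (src, dport) -> [(ts, dst)]
    for f in flows:
        ts = f["ts"] if isinstance(f["ts"], datetime) else datetime.fromisoformat(f["ts"])
        vertical[(f["src"], f["dst"])].append((ts, f["dport"]))
        horizontal[(f["src"], f["dport"])].append((ts, f["dst"]))

    alerts = []
    for (src, dst), items in vertical.items():
        for start, ports in _bursts(items, window, min_distinct):
            alerts.append({"kind": "vertical", "src": src, "target": dst,
                           "start": start.isoformat(), "count": len(ports)})
    for (src, dport), items in horizontal.items():
        for start, hosts in _bursts(items, window, min_distinct):
            alerts.append({"kind": "horizontal", "src": src, "target": f"tcp/{dport}",
                           "start": start.isoformat(), "count": len(hosts)})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_FLOWS):
        print(a)
```

Vulnerability scanners and monitoring systems produce the same shape of traffic, so a production rule needs an allow-list of known scanner sources; a sweep from an ordinary workstation, as in the sample, is the case this rule is meant to surface.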
…ails with malicious attachments to initially compromise victims. [38] [39] [40] G0096 APT41 APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. [41] S0373 Astaroth Astaroth has been delivered via malicious e-m…