…ers. [55] S0520 BLINDINGCAN BLINDINGCAN has executed commands via cmd.exe. [56] G0108 Blue Mockingbird Blue Mockingbird has used batch script files to automate execution and deployment of payloads. [57] S0360 BONDUPDATER BONDUPDATER can read batch commands in a file sent from its…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…] S0520 BLINDINGCAN BLINDINGCAN has obfuscated code using Base64 encoding. [52] G0108 Blue Mockingbird Blue Mockingbird has obfuscated the wallet address in the payload binary. [53] S0657 BLUELIGHT BLUELIGHT has a XOR-encoded payload. [54] S0635 BoomBox BoomBox can encrypt data u…
… and rundll.exe. S0127 BBSRAT BBSRAT can start, stop, or delete services. [13] G0108 Blue Mockingbird Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service. [14] S1063 Brute Ratel C4 Brute Ratel C4 can creat…
…lackEnergy A BlackEnergy 2 plug-in uses WMI to gather victim host details. [23] G0108 Blue Mockingbird Blue Mockingbird has used wmic.exe to set environment variables. [24] S1063 Brute Ratel C4 Brute Ratel C4 can use WMI to move laterally. [25] S1039 Bumblebee Bumblebee can use W…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…OS version, and disk information, including type and free space available. [54] G0108 Blue Mockingbird Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information. [55] S0657 BLUELIGHT BLUELIGHT has collected the computer name and…
…] S0520 BLINDINGCAN BLINDINGCAN has used Rundll32 to load a malicious DLL. [26] G0108 Blue Mockingbird Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe. [27] S0635 BoomBox BoomBox can use RunDLL32 for execution. [28] S0204 Briba Briba uses rundll3…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…Rabbit has used Mimikatz to harvest credentials from the victim's machine. [23] G0108 Blue Mockingbird Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory. [24] G0060 BRONZE BUTLER BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform…
…Y_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters [4] G0108 Blue Mockingbird Blue Mockingbird has used Windows Registry modifications to specify a DLL payload. [40] S1226 BOOKWORM BOOKWORM has modified Registry key values as part of its created service D…
…to hide its payload by using legitimate file names such as "iconcache.db". [23] G0108 Blue Mockingbird Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file. [24] G0060 BRONZE BUTLER BRONZE BUTLER has…