…ion has used PowerShell to execute malicious commands and payloads. [150] [151]
G0119 | Indrik Spider | Indrik Spider has used PowerShell Empire for execution of malware. [152] [153]
S1245 | InvisibleFerret | InvisibleFerret has utilized a PowerShell script created in the victim’s home d…
…STEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes. [91]
G0119 | Indrik Spider | Indrik Spider has modified registry keys to prepare for ransomware execution and to disable common administrative utilities. [92]
S0260 | InvisiMole | InvisiMole has a command to creat…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Insikt Group…
…HEXANE has used cloud services, including OneDrive, for data exfiltration. [11]
G0119 | Indrik Spider | Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware. [19]
G0094 | Kimsuky | Kimsuky has exfiltrated stolen files and data to actor-controlled Blog…
… and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL. [53]
G0119 | Indrik Spider | Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors. [54]
S0259 | InnaputRAT | InnaputRAT variants have attempted to appear legitimate…
…on a victim. [138]
S0068 | httpclient | httpclient opens cmd.exe on the victim. [2]
G0119 | Indrik Spider | Indrik Spider has used batch scripts on victim's machines. [139]
S0259 | InnaputRAT | InnaputRAT launches a shell to execute commands on the victim’s machine. [140]
S0260 | InvisiMole | In…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…a PsExec executable winupd to mimic a legitimate Windows update file. [95] [96]
G0119 | Indrik Spider | Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors. [97]
S0259 | InnaputRAT | InnaputRAT variants have attempted to appear legitimate…
…can perform credential dumping to obtain account and password information. [50]
G0119 | Indrik Spider | Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump. [51]
G0004 | Ke3chang | Ke3chang has dumped credentials, including by using Mimikatz. [52] [53] [54]
G…
… IndigoZebra has downloaded additional files and tools from its C2 server. [64]
G0119 | Indrik Spider | Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host. [180] [181]
S0604 | Industroyer | Industroyer downloads a shellcode payload from a remote C…
…1032 | INC Ransom | INC Ransom has used cmd.exe to launch malicious payloads. [177]
G0119 | Indrik Spider | Indrik Spider has used batch scripts on victim's machines. [178] [179]
S0259 | InnaputRAT | InnaputRAT launches a shell to execute commands on the victim’s machine. [180]
S0260 | InvisiM…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Kasza, A., H…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved M…
…ice accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. [2]
Detection
ID | Data Source | Data Component | Detects
DS0026 | Active Directory | Active Directory Credential Request | Monitor for anomalous Kerberos activity, such as e…
… IndigoZebra has downloaded additional files and tools from its C2 server. [85]
G0119 | Indrik Spider | Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host. [257] [258] [259]
S0604 | Industroyer | Industroyer downloads a shellcode payload from a re…