… used PowerShell for execution. [117] [118] [119] [120] [121] [122] [123] [124]
G0129 Mustang Panda: Mustang Panda has used malicious PowerShell scripts to enable execution. [125] [126]
S0457 Netwalker: Netwalker has been written in PowerShell and executed directly in memory, avoid…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
CISA. (2023, Dece…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Insikt Group…
…lenames and Registry key names associated with Windows Defender. [74] [75] [76]
G0129 Mustang Panda: Mustang Panda has used 'adobeupdate.dat' as a PlugX loader, and a file named 'OneDrive.exe' to load a Cobalt Strike payload. [77]
G0019 Naikon: Naikon has disguised malicious progra…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
Roccia, T., …
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
… PowerShell backdoor to check for Skype connections on the target machine. [43]
G0129 Mustang Panda: Mustang Panda has used netstat -ano to determine network connection information. [44]
S0102 nbtstat: nbtstat can be used to discover current NetBIOS sessions.
S0039 Net: Commands suc…
…0455 Metamorfo: Metamorfo has side-loaded its malicious DLL file. [30] [31] [32]
G0129 Mustang Panda: Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file. [33] [34] [35]
G0019 Naikon: Naikon has used DLL side-loading to load malic…
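The two Mustang Panda rows above (a legitimately signed executable side-loading a malicious DLL, and 'adobeupdate.dat' / 'OneDrive.exe' used as loader and masquerading names) describe the same on-disk shape from two angles. The following is an added detection example, not code from the ATT&CK page or from any of the cited reports: it runs three checks over image-load records, flagging a signed process that maps an unsigned image from its own user-writable directory, a well-known filename running outside its expected install path, and an image mapped from a file whose extension is not a normal code extension. The record fields, the writable roots, the expected locations and every sample path are this example's own assumptions, loosely modelled on Sysmon Event ID 7 rather than taken from its schema.

```python
"""Flag DLL side-loading and filename masquerading in image-load records.

Added example: the record shape is this example's own (loosely modelled on
Sysmon Event ID 7 "Image loaded"); every path, signature flag, root and
expected location below is constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    process: str          # full path of the process that mapped the image
    process_signed: bool  # Authenticode status of the process binary
    image: str            # full path of the mapped image (DLL or otherwise)
    image_signed: bool    # Authenticode status of the mapped image


# Roots a standard user can write to (assumed list). A signed EXE that pulls an
# unsigned DLL out of its own directory under one of these is the classic
# side-loading shape: the attacker controls both files.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Where binaries whose names are commonly borrowed really live (assumed).
EXPECTED_LOCATIONS = {
    "onedrive.exe": ("\\appdata\\local\\microsoft\\onedrive\\",
                     "\\program files\\microsoft onedrive\\"),
    "svchost.exe": ("\\windows\\system32\\", "\\windows\\syswow64\\"),
}

# Extensions a user-mode image is normally mapped from (assumed list); a
# loader file such as 'adobeupdate.dat' mapped as code stands out.
IMAGE_EXTENSIONS = {".dll", ".exe", ".ocx", ".cpl", ".drv", ".ax"}


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def is_side_load(ev: ImageLoad) -> bool:
    """Signed process + unsigned image + same directory + user-writable."""
    proc, img = PureWindowsPath(ev.process), PureWindowsPath(ev.image)
    same_dir = str(proc.parent).lower() == str(img.parent).lower()
    return (ev.process_signed and not ev.image_signed
            and same_dir and is_user_writable(ev.image))


def is_masquerade(path: str) -> bool:
    """Well-known filename running from somewhere it is never installed."""
    p = PureWindowsPath(path)
    expected = EXPECTED_LOCATIONS.get(p.name.lower())
    if expected is None:
        return False
    return not any(loc in str(p).lower() for loc in expected)


def has_odd_extension(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() not in IMAGE_EXTENSIONS


def analyse(events):
    """Return {event index: [reasons]} for every record that trips a check."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = []
        if is_side_load(ev):
            reasons.append("dll_side_load")
        if is_masquerade(ev.process):
            reasons.append("name_masquerade")
        if has_odd_extension(ev.image):
            reasons.append("odd_image_extension")
        if reasons:
            findings[i] = reasons
    return findings


# Constructed records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: signed binary renamed OneDrive.exe, dropped next to an unsigned DLL
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Update\OneDrive.exe", True,
              r"C:\Users\alice\AppData\Roaming\Update\version.dll", False),
    # 1: the real OneDrive loading one of its own signed DLLs
    ImageLoad(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", True,
              r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncShell64.dll", True),
    # 2: signed updater mapping a '.dat' payload from ProgramData
    ImageLoad(r"C:\ProgramData\AdobeUp\AdobeUpdater.exe", True,
              r"C:\ProgramData\AdobeUp\adobeupdate.dat", False),
    # 3: ordinary signed application loading a system DLL
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for idx, reasons in analyse(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].process, reasons)
```

Record 1 shows why the location check matters: OneDrive genuinely lives under AppData, so "signed EXE under a user profile" alone would be noise; it is the unsigned companion in the same directory, or the unexpected directory for a known name, that separates record 0 from it.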
…vent Logs. [248]
S0233 MURKYTOP: MURKYTOP uses the command-line interface. [171]
G0129 Mustang Panda: Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection. [249] [250]
S0336 NanoCore: NanoCore can open a remote command-line interface and execute co…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Kasza, A., H…
…1]
G0069 MuddyWater: MuddyWater has used HTTP for C2 communications. [242] [243]
G0129 Mustang Panda: Mustang Panda has communicated with its C2 via HTTP POST requests. [244] [245] [246] [247]
S0699 Mythic: Mythic supports HTTP-based C2 profiles. [248]
S0691 Neoichor: Neoichor can us…
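HTTP POST to a C2 looks like any form submission on the wire, so the useful signal is timing rather than content: an implant checks in on a schedule, a person does not. The following is an added example, not code from the ATT&CK page or from any cited report, of a beacon detector over proxy logs. It groups POSTs by (client, host), computes the gaps between consecutive requests, and flags pairs whose coefficient of variation (standard deviation over mean) is small. The log format, every line, the thresholds and the address 203.0.113.10 (a documentation range standing in for a C2) are constructed for this example.

```python
"""Spot beacon-shaped HTTP POST traffic in proxy logs.

Added example, not from the ATT&CK page: the log format, every line below
and the thresholds are constructed; 203.0.113.10 stands in for a C2 host.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: <iso timestamp> <client ip> <method> <host> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one client, a ~60 s beacon to 203.0.113.10 interleaved
# with bursty, irregular POSTs to a normal web application.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:00:15 10.0.0.5 POST www.example.com /login 302
2024-05-01T10:00:48 10.0.0.5 POST www.example.com /search 200
2024-05-01T10:01:01 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:02:00 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:03:02 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:04:01 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:05:00 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:05:30 10.0.0.5 POST www.example.com /cart 200
2024-05-01T10:06:01 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:06:02 10.0.0.5 POST www.example.com /cart 200
2024-05-01T10:07:02 10.0.0.5 POST 203.0.113.10 /update.php 200
2024-05-01T10:13:40 10.0.0.5 POST www.example.com /checkout 200
2024-05-01T10:14:11 10.0.0.5 POST www.example.com /checkout 200
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def find_beacons(log_text, min_count=6, max_cv=0.1, methods=("POST",)):
    """Return {(src, host): stats} for pairs whose request timing is too regular.

    Regularity is the coefficient of variation (pstdev / mean) of the gaps
    between consecutive requests. Users are bursty; implants are not, and a
    little jitter (a few seconds on a 60 s sleep) barely moves the ratio.
    min_count and max_cv are assumptions to tune per environment.
    """
    times = defaultdict(list)
    for rec in parse(log_text):
        if rec["method"] in methods:
            times[(rec["src"], rec["host"])].append(datetime.fromisoformat(rec["ts"]))

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[key] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {stats['count']} POSTs every "
              f"{stats['mean_interval']:.1f}s (cv={stats['cv']:.3f})")
```

The method filter is there because the page's row is about POST; widen `methods` to catch GET-based check-ins. The usual tuning trade-off is `min_count`: a lower value catches short-lived implants but lets small regular samples through, so in practice pair this with a destination-reputation or first-seen check.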
…ls with targeted attachments to recipients. [123] [124] [125] [126] [127] [128]
G0129 Mustang Panda: Mustang Panda has used spearphishing attachments to deliver initial access payloads. [129] [130]
G0019 Naikon: Naikon has used malicious e-mail attachments to deliver malware. [131]…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…ystemTextEncoding to establish persistence. [182] [183] [184] [185] [186] [187]
G0129 Mustang Panda: Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence. [188]
G0019 Naikon: Naiko…
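The Wow6432Node path in the Mustang Panda row is the detail worth noticing: a 32-bit process writing to HKLM\SOFTWARE\...\Run is redirected there by the registry redirector, so a baseline or hunt query that only reads the native 64-bit Run key never sees the entry. The following is an added example, not code from the ATT&CK page or from the cited report, that triages Run-key writes from registry-set events: it matches both the native and the Wow6432Node Run/RunOnce paths under HKLM and HKU, extracts the program path from the value data, and flags autostarts that point into a user-writable directory unless they are on a small allowlist. Field names follow Sysmon Event ID 13 (EventType, TargetObject, Details, Image), but every record is constructed, and the value data paired with AdobelmdyU is invented, since the page gives only the key name.

```python
"""Triage Run-key writes from registry-set events.

Added example, not from the ATT&CK page. Field names follow Sysmon Event ID
13, but every record below is constructed; the program path paired with the
AdobelmdyU value is invented (the page gives only the key name). Roots,
allowlist and environment expansion are assumptions for this example.
"""
import re
from pathlib import PureWindowsPath

# Native and Wow6432Node Run/RunOnce keys under HKLM and any HKU hive.
RUN_KEY = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?P<wow>Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$", re.I)

# Roots a standard user can write to (assumed list).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# (value name, executable name) pairs that legitimately autostart from the
# user profile (assumed; extend from your own baseline).
ALLOWLIST = {("onedrive", "onedrive.exe")}

# Minimal expansion for variables that commonly appear in Run data (assumed).
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files"}


def executable_from(details: str) -> str:
    """Pull the program path out of Run-key data: quoted, or up to first space."""
    d = details.strip()
    for var, val in ENV.items():
        d = re.sub(re.escape(var), lambda m, v=val: v, d, flags=re.I)
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def triage(events):
    """Return one finding per Run-key write whose target looks attacker-placed."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        m = RUN_KEY.match(ev["TargetObject"])
        if not m:
            continue
        exe = executable_from(ev["Details"])
        value = m["value"]
        exe_name = PureWindowsPath(exe).name.lower()
        reasons = []
        if (exe.lower().startswith(USER_WRITABLE_ROOTS)
                and (value.lower(), exe_name) not in ALLOWLIST):
            reasons.append("autostart_in_user_writable_dir")
        if reasons:
            findings.append({
                "hive": m["hive"], "key": m["key"], "value": value, "exe": exe,
                # True when a 32-bit writer was redirected: native-only
                # Run-key queries miss this entry.
                "wow64": bool(m["wow"]),
                "writer": ev.get("Image", ""), "reasons": reasons,
            })
    return findings


# Constructed records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\ProgramData\AdobeUp\AdobeUpdater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU",
     "Details": r"C:\ProgramData\AdobeUp\AdobeUpdater.exe"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["hive"], f["key"], f["value"], f["exe"], "wow64" if f["wow64"] else "native", f["reasons"])
```

The third record is the false positive the allowlist exists for: OneDrive really does autostart from the user profile, so "Run value under C:\Users" alone is not a finding. Keep the `wow64` field in the output even when it is not itself a reason, because it tells the responder which view of the registry (32-bit or 64-bit) their cleanup and baseline tooling must use.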