…dated to a range of the 25th and 24th centuries BC (Fig. 176). This date does not agree with the finds from the Urnfield settlement at Dragomelj, and likewise not …
G986–G994, G996–G998, G1001, G1003–G1013, G1016–G1018, G1020, G1022, G1024, G1026, G1036–G1037, G1048, G1051, G1055–G1056…
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
…FIN10 has used RDP to move laterally to systems in the victim environment. [28] G1016 FIN13 FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement. [29] G0037 FIN6 FIN6 used RDP to move laterally in victim networks. [30] [31] G…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…ts. [29] S0363 Empire Empire can perform port scans from an infected host. [30] G1016 FIN13 FIN13 has utilized nmap for reconnaissance efforts. FIN13 has also scanned for internal MS-SQL servers in a compromised network. [31] [32] G0037 FIN6 FIN6 used publicly available tools (in…
… for executing commands over SSH as well as in-memory VNC agent injection. [12] G1016 FIN13 FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement. [13] G0046 FIN7 FIN7 has used SSH to move laterally through victim environments. [14] G011…
…es. [53] S0267 FELIXROOT FELIXROOT uses WMI to query the Windows Registry. [54] G1016 FIN13 FIN13 has utilized WMI to execute commands and move laterally on compromised Windows machines. [55] [56] G0037 FIN6 FIN6 has used WMI to automate the remote execution of PowerShell scripts…
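The RDP, SSH and WMI entries above (and the Remote Desktop Users mitigation) describe one behaviour carried over three channels: a single account opening sessions on host after host. The block below is an added example written for this page, not code from ATT&CK or from any cited report. It normalises three constructed telemetry shapes (Windows 4624 and 4688 flattened to key=value pairs, and OpenSSH sshd syslog lines assumed to carry RFC 3339 timestamps) into one session record and flags any account that reaches three or more distinct hosts within 30 minutes. The sample events, host names, thresholds and the WmiPrvSE.exe-child heuristic for WMI execution are assumptions for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # how far one account's sessions are correlated
FANOUT_THRESHOLD = 3             # distinct destination hosts that raise a finding


@dataclass(frozen=True)
class Session:
    """One remote session, whatever channel carried it."""
    when: datetime
    user: str
    src_ip: str      # "-" when the source event carries no address
    dst_host: str
    channel: str     # "rdp", "ssh" or "wmi"


# Constructed sample telemetry (assumed formats, not data from any cited report).
SAMPLE_EVENTS = r"""
4624 2024-03-04T09:02:11 Computer=FS01 TargetUserName=svc_backup LogonType=10 IpAddress=10.20.5.77
4624 2024-03-04T09:03:40 Computer=WS-14 TargetUserName=alice LogonType=10 IpAddress=10.20.7.12
2024-03-04T09:09:05 lnx-db01 sshd[4412]: Accepted password for svc_backup from 10.20.5.77 port 51522 ssh2
4624 2024-03-04T09:11:30 Computer=DC01 TargetUserName=bob LogonType=3 IpAddress=10.20.9.3
4688 2024-03-04T09:17:52 Computer=WS-22 SubjectUserName=svc_backup ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe NewProcessName=C:\Windows\System32\cmd.exe
4624 2024-03-04T15:40:00 Computer=WS-14 TargetUserName=alice LogonType=10 IpAddress=10.20.7.12
"""

KV = re.compile(r"(\w+)=(\S+)")
SSHD = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_event(line: str) -> Session | None:
    """Normalise one line to a Session; None for lines that are not a remote session."""
    if line.startswith(("4624 ", "4688 ")):
        event_id, ts, rest = line.split(" ", 2)
        f = dict(KV.findall(rest))
        when = datetime.fromisoformat(ts)
        if event_id == "4624" and f.get("LogonType") == "10":
            # Logon type 10 (RemoteInteractive) is an RDP session: T1021.001.
            return Session(when, f["TargetUserName"], f["IpAddress"], f["Computer"], "rdp")
        if event_id == "4688" and f.get("ParentImage", "").lower().endswith("\\wbem\\wmiprvse.exe"):
            # A child of WmiPrvSE.exe is the usual footprint of command execution via WMI (T1047).
            # 4688 carries no caller address, so the source is recorded as unknown.
            return Session(when, f["SubjectUserName"], "-", f["Computer"], "wmi")
        return None
    m = SSHD.match(line)
    if m:
        # "Accepted password/publickey for <user> from <ip>" is a completed SSH logon: T1021.004.
        return Session(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["host"], "ssh")
    return None


def detect_fanout(lines, window=WINDOW, threshold=FANOUT_THRESHOLD) -> dict[str, dict]:
    """Return {user: {"start", "hosts", "channels"}} for every account that reaches
    `threshold` or more distinct hosts within `window`, counting all three channels.
    For each flagged account the window containing the most hosts is reported."""
    by_user: dict[str, list[Session]] = defaultdict(list)
    for line in lines:
        s = parse_event(line.strip())
        if s:
            by_user[s.user].append(s)

    findings: dict[str, dict] = {}
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s.when)
        best: tuple[datetime, set, set] | None = None
        for i, first in enumerate(sessions):
            in_window = [s for s in sessions[i:] if s.when - first.when <= window]
            hosts = {s.dst_host for s in in_window}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best[1])):
                best = (first.when, hosts, {s.channel for s in in_window})
        if best:
            findings[user] = {"start": best[0].isoformat(),
                              "hosts": sorted(best[1]),
                              "channels": sorted(best[2])}
    return findings


def run_sample() -> dict[str, dict]:
    return detect_fanout(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for user, hit in run_sample().items():
        print(f"{user}: {len(hit['hosts'])} hosts via {','.join(hit['channels'])} "
              f"from {hit['start']}: {', '.join(hit['hosts'])}")
```

Correlating the channels in one place is the point: each of the three sessions in the sample looks routine on its own, and only the account-level view shows svc_backup touching a file server, a Linux database host and a workstation in a quarter of an hour. Pair the finding with the M1018 check in the mitigation entry (is the account actually in Remote Desktop Users?) before escalating.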
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…ts information about the network including the IP address and DHCP server. [89] G1016 FIN13 FIN13 has used nslookup and ipconfig for network reconnaissance efforts. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve network information.…
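The account-discovery entry (dscacheutil, ldapsearch, Get-ADUser, Get-ADGroupMember), the nmap and MS-SQL scanning entry, and the nslookup/ipconfig entry above are all command lines a process-creation log would capture. The block below is an added example, not code from ATT&CK or from any cited report: it maps constructed command lines to the technique they most likely represent (T1087.002, with T1087.001 for the local variant, T1046 and T1016, which are the ATT&CK IDs for these techniques) and then keeps only hosts where several kinds of discovery cluster together, since a lone ipconfig is administrator noise. The sample records, host names and the threshold are assumptions for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Ordered rules: (ATT&CK technique id, name, pattern). First match wins, so the
# domain-account rule is tried before the local-account rule.
RULES = [
    ("T1087.002", "Domain Account discovery", re.compile(
        r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*\s/domain\b"
        r"|\bGet-AD(?:User|Group|GroupMember|Computer)\b"
        r"|\bldapsearch\b"
        r"|\bdscacheutil\s+-q\s+(?:user|group)\b", re.I)),
    ("T1087.001", "Local Account discovery", re.compile(
        r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b(?!.*\s/domain\b)"
        r"|\bGet-Local(?:User|GroupMember)\b", re.I)),
    ("T1046", "Network Service Discovery", re.compile(
        r"\b(?:nmap|masscan|zmap)\b"
        r"|\bTest-NetConnection\b.*-Port\b"
        r"|\b(?:osql|sqlcmd)(?:\.exe)?\s+(?-i:-L)\b", re.I)),   # -L lists SQL Server instances
    ("T1016", "System Network Configuration Discovery", re.compile(
        r"\b(?:ipconfig|ifconfig|nslookup|arp\s+-a|route\s+print|netstat\s+-r)\b"
        r"|\bip\s+(?:addr|a|route|r)\b"
        r"|\bnetsh\s+interface\b", re.I)),
]

# Constructed process-creation records (host, user, command line); not real telemetry.
SAMPLE_PROCESSES = [
    ("WS-22", "jdoe", 'net group "Domain Admins" /domain'),
    ("WS-22", "jdoe", "nslookup dc01.corp.example"),
    ("WS-22", "jdoe", "ipconfig /all"),
    ("WS-22", "jdoe", "powershell -c \"Get-ADGroupMember -Identity 'Domain Admins'\""),
    ("WS-22", "jdoe", "nmap -p 1433 10.20.0.0/16"),
    ("WS-14", "alice", "ipconfig /all"),
    ("WS-14", "alice", "net user alice"),
    ("BUILD01", "svc_ci", "ip addr show"),
    ("MAC-07", "dev", "dscacheutil -q group -a name admin"),
    ("WS-09", "bob", "notepad.exe report.txt"),
]


def classify(cmdline: str) -> tuple[str, str] | None:
    """Map a command line to the first matching (technique id, name), or None."""
    for tid, name, pattern in RULES:
        if pattern.search(cmdline):
            return tid, name
    return None


def triage(events, min_techniques: int = 3) -> dict[str, dict[str, list[str]]]:
    """Group discovery hits per host and keep hosts where at least `min_techniques`
    distinct techniques appear: account, network-configuration and service discovery
    together is the reconnaissance sequence the entries above describe."""
    per_host: dict[str, dict[str, list[str]]] = defaultdict(dict)
    for host, _user, cmd in events:
        hit = classify(cmd)
        if hit:
            per_host[host].setdefault(hit[0], []).append(cmd)
    return {h: hits for h, hits in per_host.items() if len(hits) >= min_techniques}


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_PROCESSES).items():
        print(f"{host}: {len(hits)} discovery techniques")
        for tid, cmds in sorted(hits.items()):
            print(f"  {tid}: {cmds}")
```

The local/domain split matters in practice: `net user alice` on a workstation is routine, `net group "Domain Admins" /domain` from the same workstation is the enumeration the entry describes, and a regex that only looks for `net user` cannot tell them apart.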
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. Magisa, L. (2020, November 27). New MacOS Backdoor Connecte…
… Ember Bear has used ProxyChains to tunnel protocols to internal networks. [20] G1016 FIN13 FIN13 has utilized web shells and Java tools for tunneling capabilities to and from compromised assets. [21] G0037 FIN6 FIN6 used the Plink command-line utility to create SSH tunnels to C2…
…e by using the Registry option in PowerShell Empire to add a Run key. [94] [88] G1016 FIN13 FIN13 has used Windows Registry Run keys such as HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts to maintain persistence. [95] G0037 FIN6 FIN6 has used …
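The entry above gives a concrete persistence artefact: a Run value named like a system file (`hosts`) under the 32-bit WOW6432Node Run key. The block below is an added example, not code from ATT&CK or from any cited report: it parses a `reg export`-style dump of the Run keys and scores each entry on three heuristics (value name colliding with a well-known Windows file name, a script host or proxy binary as the launched program, and a user-writable location anywhere in the command). The export text is constructed; the value name `hosts` comes from the entry above, while the executable path, the other entries and the score weights are assumptions for the example.

```python
from __future__ import annotations

import re

# Constructed `reg export`-style text (assumed content, not an artefact from any report).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"hosts"="C:\\ProgramData\\hosts.exe -s"
"Updater"="wscript.exe //B C:\\Users\\Public\\update.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# A Run value called "hosts" or "svchost" is trying to look like part of the OS.
MASQUERADE_NAMES = {"hosts", "svchost", "lsass", "csrss", "winlogon", "explorer", "services", "wininit"}
# Interpreters and proxy binaries that run attacker-supplied content from a Run entry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(?:ProgramData|Users|Temp|AppData)\\", re.I)
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows", "programdata": r"C:\ProgramData"}


def unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslashes and escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, command) for every REG_SZ value under a ...\\Run key.
    Non-string data (dword:, hex:) is skipped; only string commands are audited here."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_LINE.match(line):
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not (m and key and key.lower().endswith(r"\run")):
            continue
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            entries.append((key, unescape(m.group(1)), unescape(data[1:-1])))
    return entries


def first_executable(command: str) -> str:
    """Extract the program a Run command launches, honouring quotes and %VAR% expansion."""
    command = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), command)
    m = re.match(r'"([^"]+)"', command)
    parts = command.split()
    return m.group(1) if m else (parts[0] if parts else "")


def score(key: str, name: str, command: str) -> tuple[int, list[str]]:
    """Heuristic weight plus the reasons; higher means more worth a look."""
    exe = first_executable(command)
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    points, reasons = 0, []
    if name.lower() in MASQUERADE_NAMES or base.rsplit(".", 1)[0] in MASQUERADE_NAMES:
        points += 3
        reasons.append(f"name masquerades as a system file ({name!r} -> {base})")
    if base in SCRIPT_HOSTS:
        points += 2
        reasons.append(f"launches a script host / proxy binary ({base})")
    if USER_WRITABLE.search(command):
        points += 1
        reasons.append("references a user-writable location")
    return points, reasons


def audit(text: str, threshold: int = 2) -> list[dict]:
    """Parse a Run-key export and return entries scoring >= threshold, highest first."""
    findings = []
    for key, name, command in parse_reg(text):
        points, reasons = score(key, name, command)
        if points >= threshold:
            findings.append({"key": key, "name": name, "command": command,
                             "score": points, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"[{f['score']}] {f['key']}\\{f['name']} = {f['command']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Two caveats a reviewer of the output should keep in mind: WOW6432Node itself is not an indicator (32-bit software legitimately registers there), and a user-writable path alone is weak evidence, which is why the OneDrive entry under AppData scores below the reporting threshold while the masquerading `hosts` value and the wscript launcher do not.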
…OT FELIXROOT uses HTTP and HTTPS to communicate with the C2 server. [134] [135] G1016 FIN13 FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data. [136] [137] G0085 FIN4 FIN4 has used HTTP POST reque…