…e by using the Registry option in PowerShell Empire to add a Run key. [98] [92] G1016 FIN13 FIN13 has used Windows Registry run keys such as HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts to maintain persistence. [99] G0037 FIN6 FIN6 has used …
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…for execution as well as PowerShell Empire to establish persistence. [102] [98] G1016 FIN13 FIN13 has used PowerShell commands to obtain DNS data from a compromised network. [103] G0037 FIN6 FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShe…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. Szappanos…
…or execution as well as PowerShell Empire to establish persistence. [109] [105] G1016 FIN13 FIN13 has used PowerShell commands to obtain DNS data from a compromised network. [110] G0037 FIN6 FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShe…
…shell, and custom variants of publicly-available web shell examples. [26] [27] G1016 FIN13 FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute command…
…les update.exe and loaded them into the compromised host's "Public" folder. [67] G1016 FIN13 FIN13 has masqueraded WAR files to look like legitimate packages such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war. [68] G0046 FIN7 FIN7 has attempted to run Darkside …
…0 FIN10 has executed malicious .bat files containing PowerShell commands. [130] G1016 FIN13 FIN13 has leveraged xp_cmdshell and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remo…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…E in Microsoft Excel to determine the OS version of the compromised host. [148] G1016 FIN13 FIN13 has collected local host information by utilizing the Windows commands systeminfo, fsutil, and fsinfo. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk accou…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…XROOT downloads and uploads files to and from the victim’s machine. [196] [197] G1016 FIN13 FIN13 has downloaded additional tools and malware to compromised systems. [198] [199] G0046 FIN7 FIN7 has downloaded additional malware to execute on the victim's machine, including by usi…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…XROOT downloads and uploads files to and from the victim’s machine. [208] [209] G1016 FIN13 FIN13 has downloaded additional tools and malware to compromised systems. [210] [211] G0046 FIN7 FIN7 has downloaded additional malware to execute on the victim's machine, including by usi…
…[131] S0512 FatDuke FatDuke can enumerate directories on target machines. [132] G1016 FIN13 FIN13 has used the Windows dir command to enumerate files and directories in a victim's network. [133] S0182 FinFisher FinFisher enumerates directories and scans for certain files. [134] […