…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. Daniel Stepanic & Salim Bitam…
…gueRobin decodes an embedded executable using base64 and decompresses it. [154] G0034 Sandworm Team Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and deco…
…ocuments exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570. [63] [64] G0034 Sandworm Team Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906). [65] [66] [67] G0121…
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
…l. [64] S0583 Pysa Pysa can perform OS credential dumping using Mimikatz. [65] G0034 Sandworm Team Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory. [66] [67] G0091 Silence Silence has used the Farse6.1 utility (ba…
…en installed on exposed web servers for access to victim environments. [7] [26] G0034 Sandworm Team Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks. [59] G1041 Sea Turtle Sea Turtle deployed the SnappyTCP web shell during intrusion…
…] G1039 RedCurl RedCurl used LaZagne to obtain passwords from memory. [92] [93] G0034 Sandworm Team Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory. [94] [95] [96] G0091 Silence Silence has …
…has gained access to a contractor to pivot to the victim’s infrastructure. [14] G0034 Sandworm Team Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization. [15] Additionally, Sandworm Team has acces…
… email information in advance of phishing operations for targeted attacks. [21] G0034 Sandworm Team Sandworm Team has obtained valid email addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns. [22] G0122 Silent L…
…ger PittyTiger has obtained and used tools such as Mimikatz and gsecdump. [53] G0034 Sandworm Team Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandwo…
…0125 Remsec Remsec can obtain a list of active connections and open ports. [60] G0034 Sandworm Team Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how …
…] G1039 RedCurl RedCurl used LaZagne to obtain passwords from memory. [95] [96] G0034 Sandworm Team Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory. [97] [98] [99] C0058 SharePoint ToolShell…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. Mercer, W, et al. (2020, April 16). PoetRAT:…