…obalt Strike can recover hashed passwords. [1]
- Enterprise T1069.001 Permission Groups Discovery: Local Groups: Cobalt Strike can use net localgroup to list local groups on a system. [2]
- T1069.002 Permission Groups Discovery: Domain Groups: Cobalt Strike can identify targets by querying a…
…NS EKANS stops processes related to security and management software. [22] [23]
- G0037 FIN6: FIN6 has deployed a utility script named kill.bat to disable anti-virus. [24]
- G0047 Gamaredon Group: Gamaredon Group has delivered macros which can tamper with Microsoft Office security sett…
…m machines. Ember Bear disables Windows Defender via registry key changes. [40]
- G0037 FIN6: FIN6 has deployed a utility script named kill.bat to disable anti-virus. [41]
- G0047 Gamaredon Group: Gamaredon Group has delivered macros which can tamper with Microsoft Office security sett…
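The Impair Defenses procedures above (Ember Bear's Windows Defender registry changes, FIN6's kill.bat stopping anti-virus, EKANS stopping security processes) reduce to two observable shapes: a registry write under the Windows Defender policy key, and a command line that stops or kills a security service or process. The following is an added detection example, not code from MITRE ATT&CK or from any of the groups listed. The events are constructed Sysmon-style dicts (Event ID 13 registry value set, Event ID 1 process create); the Defender policy key is real and widely documented, but the value names, service names and process names are an assumed, deliberately short list that an operator would extend for their own estate.

```python
import re
from typing import Optional, List, Tuple

# Added example, not from ATT&CK. Triage constructed Sysmon-style events for
# Impair Defenses activity: Defender disabled by policy, security services stopped,
# security processes killed, or real-time protection switched off via PowerShell.

# Real, widely documented policy key. Value/service/process names are an ASSUMED
# short list; extend for the products actually deployed.
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_DISABLE_VALUES = {"disableantispyware", "disablerealtimemonitoring"}
SECURITY_SERVICES = {"windefend", "wscsvc"}
SECURITY_PROCESSES = {"msmpeng.exe"}

STOP_SERVICE = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+"?([\w.-]+)', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([\w.-]+)', re.I)
SET_MPPREF = re.compile(r"set-mppreference\b.*?-disable\w*\s+\$true", re.I)


def _dword_is_nonzero(details: str) -> bool:
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; anything else counts as zero."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and int(m.group(1), 16) != 0


def classify_event(event: dict) -> Optional[str]:
    """Return a label when the event matches an Impair Defenses pattern, else None."""
    if event.get("EventID") == 13:  # Sysmon RegistryEvent (Value Set)
        key, _, value = event.get("TargetObject", "").lower().rpartition("\\")
        if (key == DEFENDER_POLICY_KEY and value in DEFENDER_DISABLE_VALUES
                and _dword_is_nonzero(event.get("Details", ""))):
            return "defender_policy_disabled"
        return None
    if event.get("EventID") == 1:  # Sysmon Process Create
        cmd = event.get("CommandLine", "")
        m = STOP_SERVICE.search(cmd)
        if m and m.group(1).lower() in SECURITY_SERVICES:
            return "security_service_stopped"
        m = TASKKILL.search(cmd)
        if m and m.group(1).lower() in SECURITY_PROCESSES:
            return "security_process_killed"
        if SET_MPPREF.search(cmd):
            return "defender_realtime_disabled"
    return None


def find_impair_defenses(events) -> List[Tuple[int, str]]:
    """Return (index, label) for every event that classify_event flags."""
    hits = []
    for i, ev in enumerate(events):
        label = classify_event(ev)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample events (not real telemetry). Index 6 writes the value back to 0,
# which is a re-enable and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "CommandLine": r"C:\Windows\System32\net.exe stop WinDefend"},
    {"EventID": 1, "CommandLine": r"taskkill.exe /F /IM MsMpEng.exe"},
    {"EventID": 1, "CommandLine": r"net stop Spooler"},
    {"EventID": 1, "CommandLine": r"powershell.exe -NoP -C Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for idx, label in find_impair_defenses(SAMPLE_EVENTS):
        print(idx, label, SAMPLE_EVENTS[idx])
```

The registry check deliberately requires a non-zero DWORD so that a policy being restored does not alert, and the service and process checks match only names on the allow-listed set rather than any `net stop` or `taskkill`, which keeps routine administration (stopping the spooler in the sample) out of the results.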
…use other tools such as pwdump, SDelete, and Windows Credential Editor. [35]
- G0037 FIN6: FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind. [36] [37]
- G0101 Frankenstein: Frankenstein has obtained and used Empire to deploy agents. [38]
- G0093 GALLIUM …
…3 Empire: Empire can exploit vulnerabilities such as MS16-032 and MS16-135. [20]
- G0037 FIN6: FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local us…
…ments sent from compromised accounts) with embedded malicious macros. [74] [75]
- G0037 FIN6: FIN6 has targeted victims with e-mails containing malicious attachments. [76]
- G0046 FIN7: FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached. [77]…
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1]
ID: T1087.002
Sub-technique of: T1087
Tactic: Discovery
Platforms: Linux, Wi…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
Trend Micro Research. (2023, July 21). Ransomware Spotli…
…pts collected data with AES and Base64 and then sends it to the C2 server. [24]
- G0037 FIN6: Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration. [25]
- S0249 Gold Dragon: Gold Dragon encodes data using Base64 (an encoding, not encryption) before being sen…
…mised environments via Remote Desktop Services (RDS) for lateral movement. [29]
- G0037 FIN6: FIN6 used RDP to move laterally in victim networks. [30] [31]
- G0046 FIN7: FIN7 has used RDP to move laterally in victim environments. [32]
- G0061 FIN8: FIN8 has used RDP for lateral movement. …
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.
- M1042 Disable or Remove Feature or Program: Disable the RDP service if it is unnecessary.
- M1035 Limit Access to Resource Over Network: Use remote desktop gateway…
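One way to carry out the first mitigation above (audit Remote Desktop Users membership regularly) is to parse the member list that `net localgroup "Remote Desktop Users"` prints and diff it against an approved allowlist. The format is the same one that the net localgroup enumeration in the Cobalt Strike fragment earlier on this page relies on, so the parser also shows exactly what an adversary running that discovery step sees. This is an added example, not code from MITRE ATT&CK or from any group or tool on this page; the sample output and the allowlist are constructed, and the separator and trailer matching assume the English-locale output of net.exe.

```python
from typing import Iterable, List, Tuple

# Added example, not from ATT&CK. Parse `net localgroup <group>` output and audit
# the members against an approved allowlist. Assumes English-locale net.exe output:
# a dashed separator before the member list and a "The command completed" trailer.


def parse_net_localgroup_members(output: str) -> List[str]:
    """Return the member lines of `net localgroup <group>` output, in listed order."""
    members: List[str] = []
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_members:
            if line.startswith("---"):  # separator under the 'Members' header
                in_members = True
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def audit_rdp_members(output: str, approved: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing).

    unexpected: members present that are not on the allowlist (candidates for removal).
    missing:    allowlisted principals not present (drift in the other direction).
    Names are compared case-insensitively, as Windows does.
    """
    approved = list(approved)
    present = parse_net_localgroup_members(output)
    allow_lower = {a.lower() for a in approved}
    present_lower = {m.lower() for m in present}
    unexpected = [m for m in present if m.lower() not in allow_lower]
    missing = [a for a in approved if a.lower() not in present_lower]
    return unexpected, missing


# Constructed sample output (not captured from a real host).
SAMPLE_OUTPUT = r"""Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
CORP\helpdesk-rdp
CORP\svc_backup
localadmin2
The command completed successfully.
"""

# Constructed allowlist: the only principals that should hold RDP rights on this host.
APPROVED = [r"CORP\helpdesk-rdp", r"CORP\RDP-Admins"]

# Constructed output for a group with no members at all.
EMPTY_OUTPUT = r"""Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
The command completed successfully.
"""

if __name__ == "__main__":
    unexpected, missing = audit_rdp_members(SAMPLE_OUTPUT, APPROVED)
    for name in unexpected:
        print("REMOVE:", name)
    for name in missing:
        print("MISSING:", name)
```

In practice the output string comes from running `net localgroup "Remote Desktop Users"` on each host (or from an endpoint agent that collects it); nested groups such as a domain group listed as a member are reported by name only, so a full audit also expands those groups in the directory.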
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Ret…