…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
… has used multiple proxies to obfuscate network traffic from victims. [12] [13] G0045 menuPass menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim. [14] [15] G0069 MuddyWater MuddyWater has controlled POWERSTATS from behind a proxy network to …
…S0576 MegaCortex MegaCortex has used .cmd scripts on the victim's system. [175] G0045 menuPass menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands. [176] [177] [178…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…d has used Remote Desktop Services to copy tools on targeted systems. [51] [52] G0045 menuPass menuPass has used RDP connections to move across the victim network. [53] [54] S0385 njRAT njRAT has a module for performing remote desktop access. [55] G0049 OilRig OilRig has used Rem…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…576 MegaCortex MegaCortex has used a Base64 key to decode its components. [108] G0045 menuPass menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on …
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
… has launched PowerShell scripts for execution and defense evasion. [194] [195] G0045 menuPass menuPass uses PowerSploit to inject shellcode into PowerShell. [196] [197] S0688 Meteor Meteor can use PowerShell commands to disable the network adapters on victim machines. [198] S0…
…Melcoz has the ability to download additional files to a compromised host. [51] G0045 menuPass menuPass has installed updates and new malware on victims. [347] [348] G1013 Metador Metador has downloaded tools and malware onto a compromised system. [349] S1059 metaMain metaMain ca…
…aterally within victim environments during Leviathan Australian Intrusions [21] G0045 menuPass menuPass has used Putty Secure Copy Client (PSCP) to transfer data. [22] G0049 OilRig OilRig has used Putty to access compromised systems. [23] S1187 reGeorg reGeorg can communicate usi…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…