…obalt Strike can recover hashed passwords. [1]
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Cobalt Strike can use net localgroup to list local groups on a system. [2]
| .002 | Permission Groups Discovery: Domain Groups | Cobalt Strike can identify targets by querying a…
…ered via spearphishing emails (often sent from compromised accounts). [36] [37]
G0046 | FIN7 | FIN7 has used malicious links to lure victims into downloading malware. [38]
G0061 | FIN8 | FIN8 has used emails with malicious links to lure victims into installing malware. [39] [40] [41]
G00…
…6 | FIN6 | FIN6 has targeted victims with e-mails containing malicious attachments. [76]
G0046 | FIN7 | FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached. [77] [78] [79] [80] [81]
G0061 | FIN8 | FIN8 has distributed targeted emails containing Word docu…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
Trend Micro Research. (2023, July 21). Ransomware Spotli…
… | FELIXROOT | FELIXROOT uses Rundll32 for executing the dropper program. [50] [51]
G0046 | FIN7 | FIN7 has used rundll32.exe to execute malware on a compromised network. [52]
S0143 | Flame | Rundll32.exe is used as a way of executing Flame at the command-line. [53]
S0381 | FlawedAmmyy | FlawedA…
… | FELIXROOT | FELIXROOT uses Rundll32 for executing the dropper program. [48] [49]
G0046 | FIN7 | FIN7 has used rundll32.exe to execute malware on a compromised network. [50]
S0143 | Flame | Rundll32.exe is used as a way of executing Flame at the command-line. [51]
S0381 | FlawedAmmyy | FlawedA…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
F-Secure Lab…
…6 | FIN6 | FIN6 has targeted victims with e-mails containing malicious attachments. [96]
G0046 | FIN7 | FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached. [97] [98] [99] [100] [101]
G0061 | FIN8 | FIN8 has distributed targeted emails containing Word do…
…ssed compromised environments via secure shell (SSH) for lateral movement. [13]
G0046 | FIN7 | FIN7 has used SSH to move laterally through victim environments. [14]
G0117 | Fox Kitten | Fox Kitten has used the PuTTY and Plink tools for lateral movement. [15]
G0036 | GCMAN | GCMAN uses PuTTY …
…r the LogMeIn event log in an attempt to encrypt files in remote machines. [18]
G0046 | FIN7 | FIN7 has utilized the remote management tool Atera to download malware to a compromised system. [19]
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has used the cloud-based remote management and mon…
…lish persistence for its downloader tools known as HARDTACK and SHIPBREAD. [80]
G0046 | FIN7 | FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder. [81] [82]
S0355 | Final1stspy | Final1stspy creates a Registry R…
…s documents to lure victims into allowing execution of PowerShell scripts. [62]
G0046 | FIN7 | FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file. [63] [64] [65]
G0061 | FIN8 | FIN8 has used malicious e-mail attachments …
…. [29]
G0037 | FIN6 | FIN6 used RDP to move laterally in victim networks. [30] [31]
G0046 | FIN7 | FIN7 has used RDP to move laterally in victim environments. [32]
G0061 | FIN8 | FIN8 has used RDP for lateral movement. [33]
G0117 | Fox Kitten | Fox Kitten has used RDP to log in and move laterall…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.
M1042 | Disable or Remove Feature or Program | Disable the RDP service if it is unnecessary.
M1035 | Limit Access to Resource Over Network | Use remote desktop gateway…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…