…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
… [54] S0385 njRAT njRAT has a module for performing remote desktop access. [55] G0049 OilRig OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment. [56] [57] [11] G0040 Patchwork Patchwork attempte…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…message via SMTP containing information about newly infected victims. [24] [25] G0049 OilRig OilRig has exfiltrated data via Microsoft Exchange and over FTP separately from its primary C2 channel over DNS. [26] [27] S0428 PoetRAT PoetRAT has used ftp for exfiltration. [28] S1040 …
…s. [18] S0599 Kinsing Kinsing has attempted to brute force hosts over SSH. [19] G0049 OilRig OilRig has used brute force techniques to obtain credentials. [20] [21] C0022 Operation Dream Job During Operation Dream Job Lazarus Group performed brute force attacks against administra…
…ils containing links to compromised websites where malware was downloaded. [87] G0049 OilRig OilRig has sent spearphishing emails with malicious links to potential victims. [88] [89] C0022 Operation Dream Job During Operation Dream Job Lazarus Group sent malicious OneDrive links w…
…ted systems through luring users to click on links to malicious URLs. [75] [76] G0049 OilRig OilRig has delivered malicious links to achieve execution on the target system. [77] [78] [79] [80] C0022 Operation Dream Job During Operation Dream Job Lazarus Group lured users into exe…
…. [146] [145] S0385 njRAT njRAT has included a base64 encoded executable. [147] G0049 OilRig OilRig has encrypted and encoded data in its malware, including by using base64. [148] [149] [150] [151] [152] C0022 Operation Dream Job During Operation Dream Job, Lazarus Group encrypt…
…[176] S0340 Octopus Octopus has been delivered via spearphishing emails. [175] G0049 OilRig OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts. [177] [178] [179] [180] C0022 Operation Dream Job Duri…
… G0133 Nomadic Octopus Nomadic Octopus has used PowerShell for execution. [220] G0049 OilRig OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. [49] [221] [222] [223] C0022 Operation Dream Job During Ope…
… G0133 Nomadic Octopus Nomadic Octopus has used PowerShell for execution. [191] G0049 OilRig OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents. [43] [192] [193] C0022 Operation Dream Job During Operation…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved Nov…
… S0340 Octopus Octopus has used wmic.exe for local discovery information. [118] G0049 OilRig OilRig has used WMI for execution. [119] S0365 Olympic Destroyer Olympic Destroyer uses WMI to help propagate itself across a network. [120] S0264 OopsIE OopsIE uses WMI to perform discov…