…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…. The group also uses a tool to execute commands on remote computers. [19] [20] G0050 APT32 APT32 has used cmd.exe for execution. [21] G0067 APT37 APT37 has used the command-line interface. [22] [23] G0082 APT38 APT38 has used a command-line tunneler, NACHOCHEESE, to give them sh…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…3 APT3 has a tool that can obtain information about the local system. [20] [21] G0050 APT32 APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
… side load DLLs with a valid version of Chrome with one of their tools. [3] [4] G0050 APT32 APT32 ran legitimately signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executa…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…n. [12] [13] G0016 APT29 APT29 has used HTTP for C2 and data exfiltration. [14] G0050 APT32 APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker-controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over …
… other legitimate channels for C2, depending on module configuration. [19] [20] G0050 APT32 APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker-controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over …
…a tool that looks for files and directories on the local file system. [16] [17] G0050 APT32 APT32's backdoor possesses the capability to list files and directories on a machine. [18] G0082 APT38 APT38 has enumerated files and directories, or searched in specific locations withi…
…g (XSS) against government websites to redirect users to phishing webpages. [9] G0050 APT32 APT32 has infected victims by tricking them into visiting compromised watering hole websites. [10] [11] G0067 APT37 APT37 has used strategic web compromises, particularly of South Korean w…
…PT3 APT3 has a tool that can enumerate current network connections. [7] [8] [9] G0050 APT32 APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine. [10] G0082 APT38 APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP conn…