…ained open source tools for its operations, including JsonCPP and Psiphon. [33] G0051 FIN10 FIN10 has relied on publicly available software to gain footholds and establish persistence in victim environments. [34] G0053 FIN5 FIN5 has obtained and used a customized version of PsExe…
…t is running as SYSTEM. [138] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [139] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [140] G0081 Tropic Trooper Tropic Trooper use…
… and keyboard. [26] G0035 Dragonfly Dragonfly has moved laterally via RDP. [27] G0051 FIN10 FIN10 has used RDP to move laterally to systems in the victim environment. [28] G1016 FIN13 FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for later…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…ROOT FELIXROOT adds a shortcut file to the startup folder for persistence. [78] G0051 FIN10 FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key. [79] [73] G0037 FIN6 FIN6 has used Registry Run keys to establish persistence for its …
…im’s machine, and can launch a reverse shell for command execution. [102] [103] G0051 FIN10 FIN10 has executed malicious .bat files containing PowerShell commands. [104] G0037 FIN6 FIN6 has used a kill.bat script to disable security tools. [105] G0046 FIN7 FIN7 used the command pro…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
… [71] S0512 FatDuke FatDuke has the ability to execute PowerShell scripts. [72] G0051 FIN10 FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence. [73] [70] G0037 FIN6 FIN6 has used PowerShell to gain access to merchant's networks, and a Metasp…
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…[100] S0679 Ferocious Ferocious can use PowerShell scripts for execution. [101] G0051 FIN10 FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence. [102] [98] G1016 FIN13 FIN13 has used PowerShell commands to obtain DNS data from a compromised n…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…ROOT FELIXROOT adds a shortcut file to the startup folder for persistence. [93] G0051 FIN10 FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key. [94] [88] G1016 FIN13 FIN13 has used Windows Registry run keys such as HKEY_LOCAL_MAC…