…Mafalda Mafalda can manipulate the system registry on a compromised host. [113] G0059 Magic Hound Magic Hound has modified Registry settings for security tools. [114] G1051 Medusa Group Medusa Group has modified Registry keys to elevate privileges, maintain persistence and allow …
…Mafalda Mafalda can execute PowerShell commands on a compromised machine. [185] G0059 Magic Hound Magic Hound has used PowerShell for execution and privilege escalation. [186] [187] [188] [189] [190] G1051 Medusa Group Medusa Group has leveraged PowerShell for execution and defen…
…s. [18] S1188 Line Runner Line Runner is a persistent Lua-based web shell. [46] G0059 Magic Hound Magic Hound has used multiple web shells to gain execution. [47] [48] G1051 Medusa Group Medusa Group has deployed web shells on an exploited Microsoft Exchange Server. [49] G1009 Mos…
…rgeted RDP credentials and used them to move through the victim environment. [50] G0059 Magic Hound Magic Hound has used Remote Desktop Services to copy tools to targeted systems. [51] [52] G0045 menuPass menuPass has used RDP connections to move across the victim network. [53] [54…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
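The three RDP mitigations above (audit Remote Desktop Users membership, disable RDP where it is not needed, require hardened access paths) can be checked on a host with a short script. This is an added example, not code from the ATT&CK page; the function name Test-RdpHardening, its parameters and the baseline member list are this example's own assumptions. It reads the registry values Windows itself uses for the RDP listener (fDenyTSConnections and UserAuthentication) and enumerates the local group with Get-LocalGroupMember.

```powershell
# Added example (not from the ATT&CK page): audit the RDP mitigations M1018 and M1042
# on the local host. Run from an elevated Windows PowerShell 5.1+ session.
# Test-RdpHardening, -AllowedMembers and -Disable are names chosen for this example.

function Test-RdpHardening {
    [CmdletBinding()]
    param(
        # Principals expected in Remote Desktop Users; anything else is flagged (assumed baseline).
        [string[]] $AllowedMembers = @(),
        # When set, turns RDP off and disables the service (M1042) instead of only reporting.
        [switch] $Disable
    )

    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means RDP connections are refused;
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created.
    $rdpEnabled  = (Get-ItemProperty -Path $ts     -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

    # M1018: review Remote Desktop Users membership and flag members outside the baseline.
    $members    = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $unexpected = @($members | Where-Object { $AllowedMembers -notcontains $_.Name })

    if ($Disable -and $rdpEnabled) {
        # M1042: refuse connections, stop the listener service and keep it from starting again.
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        Stop-Service -Name TermService -Force          # -Force also stops dependent services (e.g. UmRdpService)
        Set-Service  -Name TermService -StartupType Disabled
        $rdpEnabled = $false
    }

    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nlaRequired
        UnexpectedMembers = @($unexpected | ForEach-Object Name)
    }
}

# Report only, treating one domain group as the approved set (assumed name):
Test-RdpHardening -AllowedMembers 'CORP\RDP-Admins'

# On hosts that should never expose RDP, disable it outright:
# Test-RdpHardening -Disable
```

Any name in UnexpectedMembers is a candidate for removal with Remove-LocalGroupMember; a host reporting RdpEnabled = True and NlaRequired = False accepts a session before credentials are checked and should be corrected first. The gateway mitigation (M1035) is a network-side control and is not something a host-local check can confirm.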
…098.006 Additional Container Cluster Roles T1098.007 Additional Local or Domain Groups Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission PowerShell cmdlet, available in…
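Because Add-MailboxPermission is an ordinary administrative cmdlet, the useful defensive question is who ran it, against which mailbox, and whether the current permission state contains grants nobody expected. The following added example (not code from the ATT&CK page) does both from an existing Exchange Online PowerShell session; Connect-ExchangeOnline must already have been run with audit-log read rights. The function names Find-MailboxDelegationGrant and Get-NonOwnerFullAccess, and the -KnownAdmins baseline, are this example's own assumptions.

```powershell
# Added example (not from the ATT&CK page): hunt for mailbox delegation grants.
# Assumes an existing Connect-ExchangeOnline session. Function names and the
# -KnownAdmins baseline are chosen for this example.

# 1. Who granted delegation recently? Pull Add-MailboxPermission records from the unified audit log.
function Find-MailboxDelegationGrant {
    param(
        [int] $Days = 30,
        # Admin accounts that legitimately grant delegation; any other actor is marked suspicious (assumed baseline).
        [string[]] $KnownAdmins = @()
    )

    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                                      -Operations 'Add-MailboxPermission' -ResultSize 5000

    foreach ($r in $records) {
        # AuditData is a JSON document; cmdlet parameters arrive as an array of Name/Value pairs.
        $data = $r.AuditData | ConvertFrom-Json
        $p = @{}
        foreach ($param in $data.Parameters) { $p[$param.Name] = $param.Value }

        [pscustomobject]@{
            When       = $r.CreationDate
            Actor      = $data.UserId
            Mailbox    = $p['Identity']
            Grantee    = $p['User']
            Rights     = $p['AccessRights']
            Suspicious = ($KnownAdmins -notcontains $data.UserId)
        }
    }
}

# 2. What does the current state look like? List explicit FullAccess grants to anyone other than the owner.
function Get-NonOwnerFullAccess {
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF' -and
            $_.AccessRights -contains 'FullAccess'
        } |
        Select-Object Identity, User, AccessRights
}

# Usage: recent grants by anyone outside the admin baseline, then the standing grants to review.
Find-MailboxDelegationGrant -Days 14 -KnownAdmins 'admin@corp.example' |
    Where-Object Suspicious | Format-Table -AutoSize

Get-NonOwnerFullAccess | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; on a large tenant page the results by narrowing the date window. A grant whose Actor is a user account that was itself recently compromised, or whose Grantee is a newly created account, is the pattern this technique produces.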
…f a targeted organization which were used in follow-on phishing campaigns. [17] G0059 Magic Hound Magic Hound has identified high-value email accounts in academia, journalism, NGOs, foreign policy, and national security for targeting. [18] [19] G1036 Moonstone Sleet Moonstone Sl…
…LazyScripter LazyScripter has used rundll32.exe to execute Koadic stagers. [76] G0059 Magic Hound Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory. [77] S0167 Matryoshka Matryoshka uses rundll32.exe in a Registry Run key value for e…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. Daniel Stepanic & Salim Bitam…
…ocess. [8] S1060 Mafalda Mafalda can dump password hashes from LSASS.exe. [63] G0059 Magic Hound Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz. [6…
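The rundll32/comsvcs.dll MiniDump method listed earlier and the LSASS dumping methods listed here (Task Manager, comsvcs.dll, Mimikatz) leave two kinds of evidence: a recognisable process command line, or a handle to lsass.exe opened with read access by a process that has no business reading it. The following added detection example (not code from the ATT&CK page) checks both over constructed Sysmon-style events. The function name Find-LsassDumpAttempt, the field names (which follow Sysmon Event ID 1 and Event ID 10), the sample events and the allow-list of expected LSASS readers are this example's own assumptions. The ordinal form of the export, #24, is included because comsvcs.dll exports MiniDump at that ordinal and attackers use it to avoid the string "MiniDump" on the command line.

```powershell
# Added example (not from the ATT&CK page): flag LSASS dumping attempts in process-creation
# (Sysmon Event ID 1) and process-access (Sysmon Event ID 10) events.
# Function name, field names, sample events and the allow-list are chosen for this example.

# Processes expected to open lsass.exe with read access (assumed starting point; tune per environment).
$AllowedLsassReaders = @('csrss.exe', 'wininit.exe', 'services.exe', 'msmpeng.exe')

function Find-LsassDumpAttempt {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $reason = $null
        switch ($Event.EventId) {
            1 {
                $exe = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
                $cmd = $Event.CommandLine
                # rundll32 calling the MiniDump export of comsvcs.dll, by name or by ordinal (#24).
                # -match is case-insensitive; the path before comsvcs is irrelevant.
                if ($exe -eq 'rundll32.exe' -and $cmd -match 'comsvcs(\.dll)?\s*,?\s*(#24|MiniDump)\b') {
                    $reason = 'rundll32 invoked comsvcs.dll MiniDump'
                }
                # Mimikatz credential modules named on the command line.
                elseif ($cmd -match 'sekurlsa::|lsadump::') {
                    $reason = 'Mimikatz module on the command line'
                }
            }
            10 {
                $target = [System.IO.Path]::GetFileName($Event.TargetImage).ToLowerInvariant()
                $source = [System.IO.Path]::GetFileName($Event.SourceImage).ToLowerInvariant()
                # GrantedAccess is a hex string such as 0x1FFFFF; PROCESS_VM_READ is 0x10.
                $access = [Convert]::ToInt32($Event.GrantedAccess, 16)
                if ($target -eq 'lsass.exe' -and ($access -band 0x10) -and $source -notin $AllowedLsassReaders) {
                    $reason = "$source opened lsass.exe with read access ($($Event.GrantedAccess))"
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Time   = $Event.Time
                Host   = $Event.Host
                Reason = $reason
                Detail = if ($Event.EventId -eq 1) { $Event.CommandLine } else { $Event.SourceImage }
            }
        }
    }
}

# Constructed sample events (not real telemetry). PID 624 stands in for lsass.
$sample = @(
    [pscustomobject]@{ EventId = 1;  Time = '2024-01-01T10:00:00Z'; Host = 'WS01'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\l.dmp full' }
    [pscustomobject]@{ EventId = 1;  Time = '2024-01-01T10:01:00Z'; Host = 'WS01'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32 comsvcs.dll #24 624 C:\Temp\x.dmp full' }
    [pscustomobject]@{ EventId = 1;  Time = '2024-01-01T10:02:00Z'; Host = 'WS01'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }               # benign rundll32 use
    [pscustomobject]@{ EventId = 1;  Time = '2024-01-01T10:03:00Z'; Host = 'DC01'; Image = 'C:\Temp\m.exe'
                       CommandLine = 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit' }
    [pscustomobject]@{ EventId = 10; Time = '2024-01-01T10:04:00Z'; Host = 'WS01'; SourceImage = 'C:\Windows\System32\Taskmgr.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }   # Task Manager "Create dump file"
    [pscustomobject]@{ EventId = 10; Time = '2024-01-01T10:05:00Z'; Host = 'WS01'; SourceImage = 'C:\Windows\System32\csrss.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }   # expected reader, not flagged
)

$sample | Find-LsassDumpAttempt | Format-Table -AutoSize
```

Run against the constructed sample, the two rundll32/comsvcs lines, the Mimikatz line and the Taskmgr.exe handle are reported; the benign rundll32 call and the csrss.exe handle are not. The Event ID 10 check is the more robust of the two, because it also catches a renamed copy of comsvcs.dll or a tool that never shows "lsass" on its command line; its cost is that the allow-list needs tuning against the EDR, backup and monitoring agents present on each host.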
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. Kaspersky Lab's Global Researc…
… Lucifer Lucifer can scan for open ports including TCP ports 135 and 1433. [49] G0059 Magic Hound Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning. [50] G0045 menuPass menuPass has used tcping.exe, similar to Ping, to probe port status on systems of inte…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…