…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
…ies CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119. G0060 BRONZE BUTLER BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution. [23] [24] G0080 Cobalt Group Cobalt Group had exploited …
…nection. [32] S0360 BONDUPDATER BONDUPDATER is written in PowerShell. [33] [34] G0060 BRONZE BUTLER BRONZE BUTLER has used PowerShell for execution. [35] G0114 Chimera Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make …
…ivered by phishing emails containing malicious Microsoft Office documents. [42] G0060 BRONZE BUTLER BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims. [43] [44] S0631 Chaes Chaes has been delivered by sending victims a phishing em…
…pular sites by injecting JavaScript into the HTML body or a .js file. [18] [19] G0060 BRONZE BUTLER BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks. [20] S0482 Bundlore Bundlore has been spread through malicious advertiseme…
…ockingbird Blue Mockingbird has obtained and used tools such as Mimikatz. [21] G0060 BRONZE BUTLER BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. [22] G0008 Carbanak Carbanak has obtained and used open-source t…
…g by giving DLLs hardcoded names and placing them in searched directories. [12] G0060 BRONZE BUTLER BRONZE BUTLER has used legitimate applications to side-load malicious DLLs. [13] G0114 Chimera Chimera has used side loading to place malicious DLLs in memory. [14] S0354 Denis Den…
…omBox has gained execution through user interaction with a malicious file. [36] G0060 BRONZE BUTLER BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails. [37] [38] S0482 Bundlore Bundlore has attempted to get u…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
… Graph API. [37] S0635 BoomBox BoomBox has used HTTP POST requests for C2. [38] G0060 BRONZE BUTLER BRONZE BUTLER malware has used HTTP for C2. [39] S0043 BUBBLEWRAP BUBBLEWRAP can communicate using HTTP or HTTPS. [40] S0482 Bundlore Bundlore uses HTTP requests for C2. [41] S0030…
…ivered by phishing emails containing malicious Microsoft Office documents. [50] G0060 BRONZE BUTLER BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims. [51] [52] S1039 Bumblebee Bumblebee has gained execution through luring users i…
…nection. [42] S0360 BONDUPDATER BONDUPDATER is written in PowerShell. [43] [44] G0060 BRONZE BUTLER BRONZE BUTLER has used PowerShell for execution. [45] S1039 Bumblebee Bumblebee can use PowerShell for execution. [46] C0018 C0018 During C0018, the threat actors used encoded Pow…
…execute arbitrary commands and utilize the "ComSpec" environment variable. [50] G0060 BRONZE BUTLER BRONZE BUTLER has used batch scripts and the command-line interface for execution. [51] S0025 CALENDAR CALENDAR has a command to run cmd.exe to execute commands. [42] S0030 Carbana…
…nection. [48] S0360 BONDUPDATER BONDUPDATER is written in PowerShell. [49] [50] G0060 BRONZE BUTLER BRONZE BUTLER has used PowerShell for execution. [51] S1039 Bumblebee Bumblebee can use PowerShell for execution. [52] C0018 C0018 During C0018, the threat actors used encoded Pow…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…