…ass ID in the current user Registry hive to enable persistence mechanisms. [72]
G0061 FIN8: FIN8 has deleted Registry keys during post-compromise cleanup activities. [73]
G0047 Gamaredon Group: Gamaredon Group has removed security settings for VBA macro execution by changing regist…
…N7 FIN7 has used malicious links to lure victims into downloading malware. [38]
G0061 FIN8: FIN8 has used emails with malicious links to lure victims into installing malware. [39] [40] [41]
G0047 Gamaredon Group: Gamaredon Group has attempted to get users to click on a link pointin…
… [99]
G0085 FIN4: FIN4 has used HTTP POST requests to transmit data. [100] [101]
G0061 FIN8: FIN8 has used HTTPS for command and control. [102]
S0355 Final1stspy: Final1stspy uses HTTP for C2. [103]
S0381 FlawedAmmyy: FlawedAmmyy has used HTTP for C2. [104]
G0047 Gamaredon Group: A Ga…
…r malicious Microsoft Documents or RTF files attached. [77] [78] [79] [80] [81]
G0061 FIN8: FIN8 has distributed targeted emails containing Word documents with embedded malicious macros. [82] [83] [84]
G0101 Frankenstein: Frankenstein has used spearphishing emails to send trojanize…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
Trend Micro Research. (2023, July 21). Ransomware Spotli…
…malicious Microsoft Documents or RTF files attached. [97] [98] [99] [100] [101]
G0061 FIN8: FIN8 has distributed targeted emails containing Word documents with embedded malicious macros. [102] [103] [104]
S0696 Flagpro: Flagpro has been distributed via spearphishing as an email att…
…achments they sent which would then execute the hidden LNK file. [63] [64] [65]
G0061 FIN8: FIN8 has used malicious e-mail attachments to lure victims into executing malware. [66] [67] [68]
G0101 Frankenstein: Frankenstein has used trojanized Microsoft Word documents sent via email…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…6 FIN6 has sent stolen payment card data to remote servers via HTTP POSTs. [18]
G0061 FIN8: FIN8 has used FTP to exfiltrate collected data. [19]
S0095 ftp: ftp may be used to exfiltrate data separate from the main command and control protocol. [20] [21]
S0487 Kessel: Kessel can exfi…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
Roccia, T., …
…ll script to launch shellcode that retrieves an additional payload. [142] [143]
G0061 FIN8: FIN8 has used remote code execution to download subsequent payloads. [144] [145]
G0117 Fox Kitten: Fox Kitten has downloaded additional tools including PsExec directly to endpoints. [146]
G0…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
Insikt Group…
…31]
G0046 FIN7: FIN7 has used RDP to move laterally in victim environments. [32]
G0061 FIN8: FIN8 has used RDP for lateral movement. [33]
G0117 Fox Kitten: Fox Kitten has used RDP to log in and move laterally in the target environment. [34] [35]
G1001 HEXANE: HEXANE has used remote d…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.
M1042 Disable or Remove Feature or Program: Disable the RDP service if it is unnecessary.
M1035 Limit Access to Resource Over Network: Use remote desktop gateway…