…tained to attempt access to Group Managed Service Account (gMSA) passwords. [2] G0064 APT33 APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [3] [4] G0087 APT39 APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords. […
…rks. The group has also used downloaded encrypted payloads over HTTP. [15] [16] G0064 APT33 APT33 has used HTTP for command and control. [17] G0067 APT37 APT37 uses HTTPS to conceal C2 communications. [18] G0082 APT38 APT38 used a backdoor, QUICKRIDE, to communicate to the C2 ser…
…rks. The group has also used downloaded encrypted payloads over HTTP. [21] [22] G0064 APT33 APT33 has used HTTP for command and control. [23] G0067 APT37 APT37 uses HTTPS to conceal C2 communications. [24] G0082 APT38 APT38 used a backdoor, QUICKRIDE, to communicate to the C2 ser…
…pril 2025 Procedure Examples ID Name Description G0064 APT33 APT33 has used a variety of publicly available tools like Gpppassword to gather credentials. [4] [5] S0194 PowerSploit PowerSploit contains a collection of Exfiltration modules that can ha…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…ols, PowerShell one-liners, and shellcode loaders for execution. [20] [21] [22] G0064 APT33 APT33 has utilized PowerShell to download files from the C2 server and run various scripts. [23] [24] G0082 APT38 APT38 has used PowerShell to execute commands and other operational tasks.…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
… host. [7] G0050 APT32 APT32 has used CVE-2016-7255 to escalate privileges. [8] G0064 APT33 APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. [9] G1002 BITTER BITTER has exploited CVE-2021-1732 for privilege escalation. [10] […
…ols, PowerShell one-liners, and shellcode loaders for execution. [23] [24] [25] G0064 APT33 APT33 has utilized PowerShell to download files from the C2 server and run various scripts. [26] [27] G0082 APT38 APT38 has used PowerShell to execute commands and other operational tasks.…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…0016 APT29 APT29 has conducted brute force password spray attacks. [8] [9] [10] G0064 APT33 APT33 has used password spraying to gain access to target systems. [11] [12] S0606 Bad Rabbit Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines. [13…
… sent spearphishing emails containing malicious links. [15] [16] [17] [18] [19] G0064 APT33 APT33 has sent spearphishing emails containing links to .hta files. [20] [21] G0087 APT39 APT39 leveraged spearphishing emails with malicious links to initially compromise victims. [22] [2…
…ument that includes an exploit to execute malicious code. (CVE-2017-11882) [14] G0064 APT33 APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774). [15] [16]…
…xecutable disguised as a document or spreadsheet. [24] [25] [26] [27] [28] [29] G0064 APT33 APT33 has sent spearphishing e-mails with archive attachments. [30] G0067 APT37 APT37 delivers malware using spearphishing emails with malicious HWP attachments. [31] [32] [33] G0082 APT38…