…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…AppleSeed AppleSeed has the ability to execute its payload via PowerShell. [10] G0073 APT19 APT19 used PowerShell commands to execute payloads. [11] G0007 APT28 APT28 downloads and executes PowerShell scripts and performs PowerShell commands. [12] [13] [14] G0016 APT29 APT29 has …
…AppleSeed AppleSeed has the ability to execute its payload via PowerShell. [12] G0073 APT19 APT19 used PowerShell commands to execute payloads. [13] G0007 APT28 APT28 downloads and executes PowerShell scripts and performs PowerShell commands. [14] [15] [16] C0051 APT28 Nearest Ne…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
G0073 APT19 APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL. [2] G0022 APT3 APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools. [3] [4] G0050 APT32 APT32 ran…
…0026 APT18 APT18 can collect system information from the victim’s machine. [21] G0073 APT19 APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine. [22]…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…C2 over HTTP. [14] [15] G0026 APT18 APT18 uses HTTP for C2 communications. [16] G0073 APT19 APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2. [17] [18] G0007 APT28 Later implants used by APT28, such as CHOPSTICK, use…
…exploits, to gain initial access to victims within a specific IP range. [5] [6] G0073 APT19 APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets. [7] G0007 APT28 APT28 has compromised targets via strategic web compromise utilizing custom exploit kits…
…e with C2 over HTTP. [8] G0026 APT18 APT18 uses HTTP for C2 communications. [9] G0073 APT19 APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2. [10] [11] G0007 APT28 Later implants used by APT28, such as CHOPSTICK, use…
…0026 APT18 APT18 can collect system information from the victim’s machine. [16] G0073 APT19 APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine. [17]…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
… APT1 has used various open-source tools for privilege escalation purposes. [3] G0073 APT19 APT19 has obtained and used publicly available tools like Empire. [4] [5] G0007 APT28 APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder. [6] [7] [8] G0…
…nt emails with malicious Microsoft Office documents and PDFs attached. [9] [10] G0073 APT19 APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits. [11] G0007 APT28 APT28 sent spearphishing emails containing malicious Micros…