…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…as sent spearphishing emails with malicious RAR and .LNK attachments. [54] [55] G0079 DarkHydrus DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that cont…
…icto CostaRicto has obtained open source tools to use in their operations. [29] G0079 DarkHydrus DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike. [30] G0105 DarkVishnya DarkVishnya has obtained and used tools such as Impacket, Winexe, and P…
…in an attempt to lure users into clicking on malicious attachments. [47] [48] G0079 DarkHydrus DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded. [49] [50] G0074 Dragonfly 2.0 Dragonfly 2.0 has use…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…o systems and used for lateral movement via obfuscated PowerShell scripts. [55] G0079 DarkHydrus DarkHydrus leveraged PowerShell to download and execute additional scripts for execution. [56] [57] G0105 DarkVishnya DarkVishnya used PowerShell to create shellcode loaders. [58] G00…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
… PowerShell to download and execute remote-hosted files on victim systems. [80] G0079 DarkHydrus DarkHydrus leveraged PowerShell to download and execute additional scripts for execution. [81] [82] G0105 DarkVishnya DarkVishnya used PowerShell to create shellcode loaders. [83] S06…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…[86] S1111 DarkGate DarkGate has used PowerShell to create a remote shell. [87] G0079 DarkHydrus DarkHydrus leveraged PowerShell to download and execute additional scripts for execution. [88] [89] G0105 DarkVishnya DarkVishnya used PowerShell to create shellcode loaders. [90] S06…