…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…sions. [20] G0114 Chimera Chimera has used RDP to access targeted systems. [21] G0080 Cobalt Group Cobalt Group has used Remote Desktop Protocol to conduct lateral movement. [22] S0154 Cobalt Strike Cobalt Strike can start a VNC-based remote desktop server and tunnel the connecti…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from the Remote Desktop Users group. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
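The M1018 and M1042 mitigations above translate directly into a host-level check. The following PowerShell is an added example written for this page, not ATT&CK's or Microsoft's own code: it audits the local Remote Desktop Users group against an allow-list, optionally removes anything not on it, and reports or disables RDP via the fDenyTSConnections value that the Remote Desktop setting controls. The allow-list contents (`CONTOSO\RDP-Admins`) and the `-Remediate` switch are assumptions for illustration.

```powershell
# Added example, not from the original page: audit "Remote Desktop Users" (M1018)
# and disable RDP where it is not needed (M1042). Run elevated.
# $Allowed and -Remediate are illustrative assumptions.
param(
    [string[]]$Allowed = @('CONTOSO\RDP-Admins'),   # assumed allow-list of principals
    [switch]$Remediate                               # without it the script only reports
)

$group = 'Remote Desktop Users'
# Get-LocalGroupMember reports Name as DOMAIN\user or COMPUTER\user.
$members = Get-LocalGroupMember -Group $group -ErrorAction Stop

foreach ($m in $members) {
    if ($Allowed -contains $m.Name) {                # -contains is case-insensitive
        Write-Output "OK         $($m.Name) ($($m.ObjectClass))"
        continue
    }
    Write-Warning "UNEXPECTED $($m.Name) ($($m.ObjectClass)) in '$group'"
    if ($Remediate) {
        Remove-LocalGroupMember -Group $group -Member $m.Name
        Write-Output "Removed    $($m.Name) from '$group'"
    }
}

# fDenyTSConnections = 1 means Remote Desktop connections are refused.
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
Write-Output "RDP is currently $(if ($deny -eq 1) { 'disabled' } else { 'enabled' })"

if ($Remediate -and $deny -ne 1) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    # Also close the inbound listener at the host firewall. The rule group name is
    # localized; 'Remote Desktop' is the English display group.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled and Remote Desktop firewall rules turned off'
}
```

Run it without `-Remediate` first and review the UNEXPECTED lines; nested groups are reported as a single `Group` member, so expand any group you do not recognise before deciding it is unnecessary. On some Windows builds Get-LocalGroupMember fails outright when the group contains an orphaned SID; in that case `net localgroup "Remote Desktop Users"` still lists the members. The M1035 half (an RD Gateway) is an infrastructure change and is not something a per-host script can put in place.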
… [51] S0054 CloudDuke One variant of CloudDuke uses HTTP and HTTPS for C2. [52] G0080 Cobalt Group Cobalt Group has used HTTPS for C2. [53] [54] [55] S0154 Cobalt Strike Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All pro…
…lambling The Clambling dropper can use PowerShell to download the malware. [57] G0080 Cobalt Group Cobalt Group has used powershell.exe to download and execute scripts. [58] [59] [60] [61] [62] [63] S0154 Cobalt Strike Cobalt Strike can execute a payload on a remote host with Pow…
… used to execute programs and other actions at the command-line interface. [62] G0080 Cobalt Group Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. [63] The group has used an exploit toolkit known as Threadkit that launch…
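The discovery and execution behaviours listed above (net localgroup for local group discovery, net group with /domain for domain groups, powershell.exe download-and-execute, and a script backdoor launching cmd.exe) all surface as process-creation events. The following PowerShell hunt is an added example written for this page, not code from ATT&CK or any of the named groups or tools: it reads Security event 4688 and flags command lines that match each behaviour. It assumes "Include command line in process creation events" is enabled (otherwise CommandLine is empty and the event is skipped); the regexes, the 24-hour lookback, and the assumption that the JavaScript backdoor runs under wscript.exe, cscript.exe or mshta.exe are illustrative choices, not a complete detection.

```powershell
# Added example, not from the original page: hunt Security 4688 for the discovery
# and execution patterns discussed above. Patterns and lookback are assumptions.
param([int]$Hours = 24)

# One rule per behaviour: label, regex on the full command line, optional regex
# on the parent image. PowerShell -match is case-insensitive by default.
$rules = @(
    @{ Technique = 'T1069.001 local group discovery'
       Pattern   = '\bnet1?(\.exe)?\s+localgroup\b' }
    @{ Technique = 'T1069.002 domain group discovery'
       Pattern   = '\bnet1?(\.exe)?\s+group\b.*\s/do(main)?\b' }
    @{ Technique = 'T1059.001 PowerShell download cradle / encoded command'
       Pattern   = 'powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|-e(nc|ncodedcommand)?\b)' }
    @{ Technique = 'T1059.003 cmd.exe spawned by a script host (assumed parent)'
       Pattern   = '^"?[^"]*cmd(\.exe)?"?\s+/[ck]\b'
       Parent    = '\\(wscript|cscript|mshta)\.exe$' }
)

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten EventData into a name -> value table.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $cmd    = $d['CommandLine']
    $parent = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
    if (-not $cmd) { continue }         # command-line auditing not enabled for this event

    foreach ($r in $rules) {
        if ($cmd -notmatch $r.Pattern) { continue }
        if ($r.Parent -and $parent -notmatch $r.Parent) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Technique   = $r.Technique
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Parent      = $parent
            CommandLine = $cmd
        }
    }
}
```

Pipe the output to `Format-Table -Wrap` or `Export-Csv` for review. Administrators and login scripts also run net localgroup and PowerShell with web requests, so baseline the User and Parent columns before alerting on the first two rules; the value is in an unexpected user, an unexpected parent such as an Office or script host, or a burst of group enumeration from one host. If Sysmon is deployed, Event ID 1 in Microsoft-Windows-Sysmon/Operational carries the same CommandLine and ParentImage fields and can replace the 4688 filter.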
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
… GET request to initialize a follow-on TLS tunnel for command and control. [73] G0080 Cobalt Group Cobalt Group has used HTTPS for C2. [74] [75] [76] S0154 Cobalt Strike Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All pro…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…md can be used to copy files to/from a remotely connected external system. [89] G0080 Cobalt Group Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. [90] [91] The group's JavaScript backdoor is also…
…n-source tools such as PsExec, Windows Credential Editor, and Mimikatz. [26] G0080 Cobalt Group Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete. [27] G0052 CopyKittens CopyKittens has used Metasploit and Empire f…
…Internals PowerShell module to make use of Active Directory features. [36] [37] G0080 Cobalt Group Cobalt Group has used powershell.exe to download and execute scripts. [38] [39] [40] [41] [42] [43] S0154 Cobalt Strike Cobalt Strike can execute a payload on a remote host with Pow…