…e a victim's web browser and deliver malicious code accordingly. [12] [13] [14] G0082 APT38 APT38 has conducted watering hole schemes to gain initial access to victims. [15] [16] G0001 Axiom Axiom has used watering hole attacks to gain access. [17] S0606 Bad Rabbit Bad Rabbit sp…
…d control. [17] G0067 APT37 APT37 uses HTTPS to conceal C2 communications. [18] G0082 APT38 APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS. [19] G0087 APT39 APT39 has used HTTP in communications with C2. [20] [21] G0096 APT41 APT41 used HTTP…
…d control. [23] G0067 APT37 APT37 uses HTTPS to conceal C2 communications. [24] G0082 APT38 APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS. [25] G0087 APT39 APT39 has used HTTP in communications with C2. [26] [27] G0096 APT41 APT41 used HTTP…
…xecution. [21] G0067 APT37 APT37 has used the command-line interface. [22] [23] G0082 APT38 APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine. [24] G0096 APT41 APT41 used cmd.exe /c to execute commands on remote machines. [25] AP…
…xecution. [23] G0067 APT37 APT37 has used the command-line interface. [24] [25] G0082 APT38 APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine. [26] G0096 APT41 APT41 used cmd.exe /c to execute commands on remote machines. [27] AP…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…stat -anpo tcp command to display TCP connections on the victim's machine. [10] G0082 APT38 APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. [11] G0096 APT41 APT41 has enumerated IP addresses of network resources and used …
…kdoor possesses the capability to list files and directories on a machine. [18] G0082 APT38 APT38 has enumerated files and directories, or searched in specific locations within a compromised host. [19] G0087 APT39 APT39 has used tools with the ability to search for files on a co…
…PT37 APT37 collects the computer name, the BIOS model, and execution path. [26] G0082 APT38 APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs. [27] S0456 Aria-body Aria-body has …
…PT37 APT37 collects the computer name, the BIOS model, and execution path. [30] G0082 APT38 APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs. [31] G0096 APT41 APT41 uses multipl…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…kdoor possesses the capability to list files and directories on a machine. [13] G0082 APT38 APT38 has enumerated files and directories, or searched in specific locations within a compromised host. [14] G0087 APT39 APT39 has used tools with the ability to search for files on a co…
…0050 APT32 APT32 has used Web shells to maintain access to victim websites. [8] G0082 APT38 APT38 has used web shells for persistence or to ensure redundant access. [9] G0087 APT39 APT39 has installed ANTAK and ASPXSPY web shells. [10] C0040 APT41 DUST APT41 DUST involved use of …
…erShell to download files from the C2 server and run various scripts. [23] [24] G0082 APT38 APT38 has used PowerShell to execute commands and other operational tasks. [25] G0087 APT39 APT39 has used PowerShell to execute malicious code. [26] [27] G0096 APT41 APT41 leveraged Power…
…erShell to download files from the C2 server and run various scripts. [26] [27] G0082 APT38 APT38 has used PowerShell to execute commands and other operational tasks. [28] G0087 APT39 APT39 has used PowerShell to execute malicious code. [29] [30] G0096 APT41 APT41 leveraged Power…