…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. Daniel Stepanic & Salim Bitam…
…version of Mimikatz and dumps Windows credentials from system memory. [66] [67] G0091 Silence Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe. [68] G0088 TEMP.Veles TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harves…
… and comsvcs.dll to dump Windows credentials from system memory. [94] [95] [96] G0091 Silence Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe. [97] S0692 SILENTTRINITY SILENTTRINITY can create a memory dump of LSASS via the MiniDum…
… C2 server as part of its preparation for the 2018 Winter Olympics attack. [54] G0091 Silence Silence has obtained and modified versions of publicly available tools like Empire and PsExec. [55] [56] G0122 Silent Librarian Silent Librarian has obtained free and publicly available…
…oolShell Exploitation, threat actors used Mimikatz to dump LSASS memory. [100] G0091 Silence Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe. [101] S0692 SILENTTRINITY SILENTTRINITY can create a memory dump of LSASS via the MiniDu…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…inder Sidewinder has used PowerShell to drop and execute malware loaders. [167] G0091 Silence Silence has used PowerShell to download and execute payloads. [168] [169] S0649 SMOKEDHAM SMOKEDHAM can execute PowerShell commands sent from its C2 server. [170] S0273 Socksbot Socksbot…
…user and sending RDP traffic to the attacker through a reverse SSH tunnel. [65] G0091 Silence Silence has used RDP for lateral movement. [66] C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used RDP sessions from public-facing systems to internal servers. [67…
…nt e-mails with malicious attachments often crafted for specific targets. [224] G0091 Silence Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. [225] [226] [227] S1086 Snip3 Snip3 has been delivered to victims through malicious e-mail attachments. [228] S…
…ts origin. [24] S0444 ShimRat ShimRat can use pre-configured HTTP proxies. [25] G0091 Silence Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via SOCKS4/SOCKS5. [26] G0131 Tonto Team Tonto Team has routed the…
…inder Sidewinder has used PowerShell to drop and execute malware loaders. [237] G0091 Silence Silence has used PowerShell to download and execute payloads. [238] [239] S0692 SILENTTRINITY SILENTTRINITY can use PowerShell to execute commands. [240] S0649 SMOKEDHAM SMOKEDHAM can ex…
…610 SideTwist SideTwist can execute shell commands on a compromised host. [257] G0091 Silence Silence has used Windows command-line to run commands. [258] [259] [260] S0623 Siloscape Siloscape can run cmd through an IRC channel. [261] S0533 SLOTHFULMEDIA SLOTHFULMEDIA can open a …
…aths to executables in the Registry to establish persistence. [211] [212] [213] G0091 Silence Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence. [214] S0226 Sm…