…esidue (Micro Method) RR:D02-1193 D2007-Standard Test Method for Characteristic Groups in Rubber Extender and Processing Oils and Other Petroleum-Derived Oils by the Clay-Gel Absorption Chromatographic Method RR:D02-1195 D3240-Test Method for Undissolved Water In Aviation Turbine…
…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…ing a library and a legitimate, signed executable (AcroTranscoder). [5] [6] [7] G0096 APT41 APT41 used legitimate executables to perform DLL side-loading of their malware. [8] S0128 BADNEWS BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable. […
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…g tool, MAPMAKER, to print the active TCP connections on the local system. [11] G0096 APT41 APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate act…
…e cases employing the rdpwinst tool for management of multiple sessions. [8] [9] G0096 APT41 APT41 used RDP for lateral movement. [10] [11] APT41 used NATBypass to expose local RDP ports on compromised systems to the Internet. [12] G1023 APT5 APT5 has moved laterally throughout vi…
…ne tunneler, NACHOCHEESE, to give them shell access to a victim’s machine. [24] G0096 APT41 APT41 used cmd.exe /c to execute commands on remote machines. [25] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader. [26] S0373 Astaroth Astaroth spawns a…
…ne tunneler, NACHOCHEESE, to give them shell access to a victim’s machine. [26] G0096 APT41 APT41 used cmd.exe /c to execute commands on remote machines. [27] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader. [28] G1023 APT5 APT5 has used cmd.exe…
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
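The discovery commands named across these entries (net localgroup, net group /domain, Get-ADUser and Get-ADGroupMember, dscacheutil -q group, ldapsearch, netstat) are what a detection engineer keys on in process-creation telemetry. The following is an added example, not code from the ATT&CK page or from any of the groups or tools it describes: a small Python detector that parses constructed Sysmon/auditd-style process records, tags each matching command line with its ATT&CK technique ID, and flags hosts where two or more distinct discovery techniques appear. The log format, host names, users and the RULES patterns are assumptions made for illustration; a real deployment would also bound the host-level aggregation by a time window, which the sample omits because it carries no timestamps.

```python
"""Tag account/group/connection discovery commands in process-creation logs.

Added example for ATT&CK T1069.001/.002, T1087.002 and T1049; not taken from
the ATT&CK page. All sample records below are constructed."""
import re
from collections import defaultdict

# Constructed sample process-creation records (assumed key=value format).
SAMPLE_LOGS = [
    "host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmdline=net localgroup administrators",
    "host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmdline=net group \"Domain Admins\" /domain",
    "host=WS02 user=CORP\\svc image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell -nop -c Get-ADGroupMember -Identity 'Domain Admins'",
    "host=WS02 user=CORP\\svc image=C:\\Windows\\System32\\netstat.exe cmdline=netstat -ano",
    "host=mac01 user=alice image=/usr/bin/dscacheutil cmdline=dscacheutil -q group",
    "host=lnx01 user=bob image=/usr/bin/ldapsearch cmdline=ldapsearch -x -b dc=corp,dc=local (objectClass=group)",
    "host=WS03 user=CORP\\carol image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe notes.txt",
]

# (technique, label, pattern over the command line). Patterns are assumptions;
# tune them to your own telemetry. net1.exe is matched as well as net.exe.
RULES = [
    ("T1069.001", "Local group enumeration",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\b", re.I)),
    ("T1069.002", "Domain group enumeration",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+group\b.*\s/domain\b", re.I)),
    ("T1087.002", "AD account/group cmdlets",
     re.compile(r"\bGet-AD(?:User|GroupMember|Group)\b", re.I)),
    ("T1087.002", "macOS directory query",
     re.compile(r"\bdscacheutil\s+-q\s+(?:group|user)\b")),
    ("T1087.002", "LDAP enumeration", re.compile(r"\bldapsearch\b")),
    ("T1049", "Network connection enumeration",
     re.compile(r"\bnetstat(?:\.exe)?\b", re.I)),
]

LINE_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$")


def parse_line(line):
    """Split one constructed record into its fields; None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_discovery(lines):
    """Return one hit per (record, matching rule); a record may hit several rules."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for technique, label, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                hits.append({"host": rec["host"], "user": rec["user"],
                             "technique": technique, "label": label,
                             "cmdline": rec["cmdline"]})
    return hits


def flag_hosts(hits, min_techniques=2):
    """Hosts on which at least min_techniques distinct discovery techniques ran.

    Caveat: this sample has no timestamps, so the aggregation is over the whole
    input; a production rule would aggregate per host within a sliding window."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["technique"])
    return sorted(host for host, techs in by_host.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = detect_discovery(SAMPLE_LOGS)
    for h in found:
        print(f"{h['technique']:10} {h['host']:6} {h['user']:12} {h['label']}: {h['cmdline']}")
    print("hosts with multiple discovery techniques:", flag_hosts(found))
```

Single matches on a workstation are noisy (help-desk staff run net localgroup legitimately); the per-host combination of local, domain and network discovery in a short span is the signal worth paging on, and the user field lets you exclude known administrative service accounts.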
…TTPS. [19] G0087 APT39 APT39 has used HTTP in communications with C2. [20] [21] G0096 APT41 APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits. [22] S0456 Aria-body Aria-body has used HTTP in C2 communications. [23] S0473 Avenger Avenger has the a…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
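The RDP entries above describe two things a defender can check for: RDP used hop-by-hop for lateral movement, and RDP ports on compromised hosts exposed to the Internet (as with NATBypass). The following is an added example, not from the ATT&CK page or from any tool it names: a Python script over constructed Windows Security 4624 logon records that reports RemoteInteractive (type 10) logons from addresses outside the assumed internal ranges and reconstructs multi-hop RDP chains by mapping each logon's source address back to a host. The event tuples, the host-to-IP inventory, and the choice of RFC 1918 plus loopback and link-local as "internal" are assumptions; a real inventory comes from DHCP or a CMDB, and address reuse there is the main source of false chains.

```python
"""Flag Internet-sourced RDP logons and reconstruct RDP hop chains from
Windows 4624 records. Added example for ATT&CK T1021.001; all events and the
host inventory below are constructed."""
import ipaddress

# Constructed Security EventID 4624 fields:
# (timestamp, target host, account, logon type, source network address).
# Logon type 10 is RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    ("2024-01-10T09:01:00", "WS01", "CORP\\jdoe", 2, "-"),
    ("2024-01-10T09:15:22", "WS01", "CORP\\jdoe", 10, "10.0.5.23"),
    ("2024-01-10T09:40:10", "SRV02", "CORP\\jdoe", 10, "10.0.1.11"),    # WS01's address
    ("2024-01-10T10:02:45", "DC01", "CORP\\admin", 10, "10.0.1.12"),    # SRV02's address
    ("2024-01-10T11:30:00", "WS05", "CORP\\bob", 10, "203.0.113.77"),   # not an internal range
    ("2024-01-10T12:00:00", "WS05", "CORP\\bob", 3, "10.0.5.40"),
]

# Constructed host -> address inventory (assumed; in practice DHCP/CMDB data).
HOST_IPS = {"WS01": "10.0.1.11", "SRV02": "10.0.1.12", "DC01": "10.0.1.1", "WS05": "10.0.1.15"}

# Assumed "internal" ranges. Checked explicitly rather than via is_private/is_global
# so documentation ranges such as 203.0.113.0/24 are treated as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr):
    """True when addr parses as an IP that lies outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "-" or "::1"-style placeholders in 4624 fields
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def rdp_logons(events):
    """Only RemoteInteractive (type 10) logons, in timestamp order."""
    return sorted(e for e in events if e[3] == 10)


def external_rdp_sources(events):
    """(target host, account, source) for RDP logons from external addresses."""
    return [(target, account, src) for _, target, account, _, src in rdp_logons(events)
            if is_external(src)]


def rdp_hop_chains(events, host_ips, min_nodes=3):
    """Maximal chains src -> host1 -> host2 ... built by resolving each RDP logon's
    source address to a host that itself received an RDP logon earlier."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    arrived_via = {}            # target host -> chain that reached it
    chains = []
    for _, target, _, _, src in rdp_logons(events):
        src_host = ip_to_host.get(src, src)
        chain = arrived_via.get(src_host, [src_host]) + [target]
        arrived_via[target] = chain
        chains.append(chain)
    return [c for c in chains if len(c) >= min_nodes
            and not any(len(o) > len(c) and o[:len(c)] == c for o in chains)]


if __name__ == "__main__":
    for target, account, src in external_rdp_sources(SAMPLE_EVENTS):
        print(f"RDP logon to {target} as {account} from external address {src}")
    for chain in rdp_hop_chains(SAMPLE_EVENTS, HOST_IPS):
        print("RDP hop chain:", " -> ".join(chain))
```

A chain that ends on a domain controller, or any type 10 logon whose source is outside your address plan, maps directly onto the mitigations listed above: if the RD gateway is the only permitted path, every external-sourced type 10 logon on an endpoint is an anomaly by construction, and regular review of the Remote Desktop Users group shrinks the set of accounts that can form these chains at all.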
…TTPS. [25] G0087 APT39 APT39 has used HTTP in communications with C2. [26] [27] G0096 APT41 APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits. [28] C0040 APT41 DUST APT41 DUST used HTTPS for command and control. [29] S0456 Aria-body Aria-body has…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…has used tools with the ability to search for files on a compromised host. [20] G0096 APT41 APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture-related information. [21] G1023 APT5 APT5 has used the BLOODMINE utility to discover files with .css, …