…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
…se64 encoded payload and execute obfuscated commands on the infected host. [65] G0114 Chimera Chimera has encoded PowerShell commands. [66] G0080 Cobalt Group Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4. […
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…rbanak Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions. [20] G0114 Chimera Chimera has used RDP to access targeted systems. [21] G0080 Cobalt Group Cobalt Group has used Remote Desktop Protocol to conduct lateral movement. [22] S0154 Cobalt Strike Cobalt Strike…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
… [34] G0060 BRONZE BUTLER BRONZE BUTLER has used PowerShell for execution. [35] G0114 Chimera Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features. [36] [37] G0080 Cobalt Group Cobalt Grou…
…anak has obtained and used open-source tools such as PsExec and Mimikatz. [23] G0114 Chimera Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec. [24] [25] G0003 Cleaver Cleaver has obtained and used open-source tools such as PsExec, …
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…
…ls to transfer tools and enable RDP connections throughout the environment. [8] G0114 Chimera Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS. [9] G1021 Cinnamon Tempest Cinnamon Tempest has used the Iox and NPS proxy and tunneling tools in combination crea…
…ts C2 server over HTTP and embeds data within the Cookie HTTP header. [47] [48] G0114 Chimera Chimera has used HTTPS for C2 communications. [49] S0020 China Chopper China Chopper's server component executes code sent via HTTP POST commands. [50] S0023 CHOPSTICK Various implement…
…Shell Caterpillar WebShell has a module to use a port scanner on a system. [17] G0114 Chimera Chimera has used the get -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP. [18] S0020 China…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …
…obalt Strike can recover hashed passwords. [1] Enterprise T1069.001 Permission Groups Discovery: Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] T1069.002 Permission Groups Discovery: Domain Groups Cobalt Strike can identify targets by querying a…
…tions. [55] S0631 Chaes Chaes has used cmd to execute tasks on the system. [56] G0114 Chimera Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts. [57] S0020 China Chopper China Chopper's server component is capable of opening a comman…
… CharmPower can use PowerShell for payload execution and C2 communication. [52] G0114 Chimera Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features. [53] [54] S1149 CHIMNEYSWEEP CHIMNEYSWEE…