… lateral movement. [15] G0036 GCMAN GCMAN uses PuTTY for lateral movement. [16] G0119 Indrik Spider Indrik Spider has used SSH for lateral movement. [17] S0599 Kinsing Kinsing has used SSH for lateral movement. [18] G0032 Lazarus Group Lazarus Group used SSH and the PuTTY PSCP ut…
…nt Monitor Imminent Monitor has a feature to disable Windows Task Manager. [32] G0119 Indrik Spider Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring. [33] S0201 JPIN JPIN can lower security set…
…G1032 INC Ransom INC Ransom has used RDP to move laterally. [40] [41] [42] [43] G0119 Indrik Spider Indrik Spider has used RDP for lateral movement. [44] S0283 jRAT jRAT can support RDP control. [45] G0094 Kimsuky Kimsuky has used RDP for direct remote point-and-click access. [46…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…n retrieve system information, such as CPU speed, from Registry keys. [54] [55] G0119 Indrik Spider Indrik Spider has used a service account to extract copies of the Security Registry hive. [56] S0604 Industroyer Industroyer has a data wiper component that enumerates keys in the …
…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…exe to spread to multiple endpoints within a compromised environment. [80] [82] G0119 Indrik Spider Indrik Spider has used WMIC to execute commands on remote computers. [83] S0283 jRAT jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain …
…pients to review modifications in the file which would trigger the attack. [84] G0119 Indrik Spider Indrik Spider has attempted to get users to click on a malicious zipped file. [85] S0260 InvisiMole InvisiMole can deliver trojanized versions of software and documents, relying on…
…ion has used PowerShell to execute malicious commands and payloads. [137] [138] G0119 Indrik Spider Indrik Spider has used PowerShell Empire for execution of malware. [139] [140] S1132 IPsec Helper IPsec Helper can run arbitrary PowerShell commands passed to it. [141] S0389 JCry …
…ingsAdminFlows.exe, a native Windows utility, to disable Windows Defender. [51] G0119 Indrik Spider Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring. [52] Indrik Spider has used MpCmdRun to rev…
…ingsAdminFlows.exe, a native Windows utility, to disable Windows Defender. [64] G0119 Indrik Spider Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring. [65] Indrik Spider has used MpCmdRun to rev…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…INC Ransomware can issue a command to kill a process on compromised hosts. [22] G0119 Indrik Spider Indrik Spider has used PsExec to stop services prior to the execution of ransomware. [23] S0604 Industroyer Industroyer’s data wiper module writes zeros into the registry keys in …
…ption has used PowerShell to execute malicious commands and payloads. [94] [95] G0119 Indrik Spider Indrik Spider has used PowerShell Empire for execution of malware. [96] [97] S0389 JCry JCry has used PowerShell to execute payloads. [98] S0648 JSS Loader JSS Loader has the abili…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…