…eployed to accessible servers running Internet Information Services (IIS). [14] G0135 BackdoorDiplomacy BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system. [15] G1043 BlackByte BlackByte has used ASPX web shell…
…WNetEnumResourceW" to enumerate files in network resources for encryption. [15] G0135 BackdoorDiplomacy BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports. [16] S0089 BlackEnergy BlackEnergy has gathe…
… such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor. [19] G0135 BackdoorDiplomacy BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement. [20] G0108 Blue Mockingbird Blue Mockingbird has o…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…oor.Oldrea can use a network scanning module to identify ICS-related ports. [9] G0135 BackdoorDiplomacy BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware. [10] S1081 BADHATCH BADHATCH can check for ope…
…BackConfig BackConfig has used compressed and decimal encoded VBS scripts. [43] G0135 BackdoorDiplomacy BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect. [44] S0534 Bazar Bazar has used XOR, RSA2, and RC4 encrypted files. [45] [46] [47] S0574 BendyBear Be…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…to inject itself into another process such as rundll32.exe and dllhost.exe. [5] G0135 BackdoorDiplomacy BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs. [6] S1081 BADHATCH BADHATCH has the ability to execute a malici…
…Config can download and execute additional payloads on a compromised host. [41] G0135 BackdoorDiplomacy BackdoorDiplomacy has downloaded additional files and tools onto a compromised host. [42] S0642 BADFLICK BADFLICK has downloaded files from its C2 server. [43] S0128 BADNEWS BADN…
…ROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary. [15] G0135 BackdoorDiplomacy BackdoorDiplomacy has dropped implants in folders named for legitimate software. [16] S0606 Bad Rabbit Bad Rabbit has masqueraded as a Flash Player installer through the execut…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Insikt Group…
…ed strings. [23] S1053 AvosLocker AvosLocker has used XOR-encoded strings. [24] G0135 BackdoorDiplomacy BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect. [25] G0063 BlackOasis BlackOasis's first stage shellcode contains a NOP sled with alternative instru…
…3 Backdoor.Oldrea Backdoor.Oldrea can download additional modules from C2. [58] G0135 BackdoorDiplomacy BackdoorDiplomacy has downloaded additional files and tools onto a compromised host. [59] S0642 BADFLICK BADFLICK has downloaded files from its C2 server. [60] S1081 BADHATCH BAD…
…xiom has been observed using SQL injection to gain access to systems. [21] [22] G0135 BackdoorDiplomacy BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited misconfigured Plesk servers. [23] G00…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…