…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…23 APT5 APT5 has moved laterally throughout victim environments using RDP. [13] G0143 Aquatic Panda Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments. [14] G0001 Axiom Axiom has used RDP during operations. [15] G0108 Blue Mockingbird Blue…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retri…
…28] G1023 APT5 APT5 has used cmd.exe for execution on compromised systems. [29] G0143 Aquatic Panda Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C. [30] S0373 Astaroth Astaroth spawns a CMD process to execute commands. [31…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…ig Workstation to enumerate victim system basic configuration information. [32] G0143 Aquatic Panda Aquatic Panda has used native OS commands to understand privilege levels and system details. [33] S0456 Aria-body Aria-body has the ability to identify the hostname, computer name,…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Carbon Black Thre…
…APT5 has used PowerShell to accomplish tasks within targeted environments. [30] G0143 Aquatic Panda Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell. [31] S0129 AutoIt backdoor AutoIt backdoor downloads a PowerShell script that de…
…APT5 has used PowerShell to accomplish tasks within targeted environments. [34] G0143 Aquatic Panda Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell. [35] S0129 AutoIt backdoor AutoIt backdoor downloads a PowerShell script that de…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…ompromised environments including for enabling access to ESXi host servers. [5] G0143 Aquatic Panda Aquatic Panda used SSH with captured user credentials to move laterally in victim environments. [6] G0098 BlackTech BlackTech has used Putty for remote access. [7] C0032 C0032 Duri…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…APT41 has executed files through Windows Management Instrumentation (WMI). [13] G0143 Aquatic Panda Aquatic Panda used WMI for lateral movement in victim environments. [14] S0373 Astaroth Astaroth uses WMIC to execute payloads. [15] S0640 Avaddon Avaddon uses wmic.exe to delete s…