…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. Gorelik, M. (…
…nformation about the operating system and whether an anti-virus is active. [46] G1006 Earth Lusca Earth Lusca used a VBA script to execute WMI. [47] S0605 EKANS EKANS can use Windows Management Instrumentation (WMI) calls to execute operations. [48] G1003 Ember Bear Ember Bear has…
…website compromise to deliver a malicious link requiring user interaction. [28] G1006 Earth Lusca Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader. [29] G0066 Elderwood Eld…
…s applications such as Microsoft Teams for distributing links to payloads. [39] G1006 Earth Lusca Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link. [40] G0066 Elderwood Elderwood has delivered zero-day exploits and malware to victims …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. F-Secure Lab…
…a strategic web compromise (SWC) utilizing a custom exploit kit. [27] [28] [29] G1006 Earth Lusca Earth Lusca has performed watering hole attacks. [30] G0066 Elderwood Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific publi…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…ified the Registry to perform multiple techniques through the use of Reg. [64] G1006 Earth Lusca Earth Lusca modified the registry using the command reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "[file path]" for persistence. [65] S1247 Embargo E…
… G0035 Dragonfly Dragonfly has used PowerShell scripts for execution. [88] [89] G1006 Earth Lusca Earth Lusca has used PowerShell to execute commands. [90] S0554 Egregor Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement. [91…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
… G0035 Dragonfly Dragonfly has used PowerShell scripts for execution. [95] [96] G1006 Earth Lusca Earth Lusca has used PowerShell to execute commands. [97] S0554 Egregor Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement. [98…
…unction to obfuscate the name of functions and other parts of the malware. [67] G1006 Earth Lusca Earth Lusca used Base64 to encode strings. [68] S0377 Ebury Ebury has obfuscated its strings with a simple XOR encryption with a static key. [69] S0593 ECCENTRICBANDWAGON ECCENTRICBA…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Insikt Group…