…oval in shape, size 0.61 × 0.44 m, depth 0.12 m. Fill: Urnfield-period pottery (G1023). Dark brown soft soil. Finds: fragments of charcoal. SE 1363/1364, sector 25a, square 604 SE 1391/1392, sector 19, square 456 Posthole cut, oval in shape. Oval pit, size 0.90 × 0.51 m, depth 0.15 m…
… involved use of web shells such as ANTSWORD and BLUEBEAM for persistence. [11] G1023 APT5 APT5 has installed multiple web shells on compromised servers including on Pulse Secure VPN appliances. [12] [13] S0073 ASPXSpy ASPXSpy is a Web shell. The ASPXTool version used by Threat G…
…ATBypass to expose local RDP ports on compromised systems to the Internet. [12] G1023 APT5 APT5 has moved laterally throughout victim environments using RDP. [13] G0143 Aquatic Panda Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments. [14]…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…d a batch file to install persistence for the Cobalt Strike BEACON loader. [28] G1023 APT5 APT5 has used cmd.exe for execution on compromised systems. [29] G0143 Aquatic Panda Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C …
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
… on exploited victims, perhaps to return architecture related information. [21] G1023 APT5 APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs. [22] S0456 Aria-body Aria-body has the abilit…
…raged PowerShell to deploy malware families in victims’ environments. [28] [29] G1023 APT5 APT5 has used PowerShell to accomplish tasks within targeted environments. [30] G0143 Aquatic Panda Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in P…
…1] [32] G1044 APT42 APT42 has downloaded and executed PowerShell payloads. [33] G1023 APT5 APT5 has used PowerShell to accomplish tasks within targeted environments. [34] G0143 Aquatic Panda Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in P…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
… APT39 APT39 used secure shell (SSH) to move laterally among their targets. [4] G1023 APT5 APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers. [5] G0143 Aquatic Panda Aquatic Panda used SSH with captured user cred…
…he main WINTERLOVE component by injecting it into the iexplore.exe process. [9] G1023 APT5 APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality. [10] C0046 ArcaneDoor ArcaneDoor included injecting code into the AAA…
…s ID Name Description G1044 APT42 APT42 has cleared Chrome browser history. [1] G1023 APT5 APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs. [2] [3] S0239 Bankshot Bankshot deletes all artifacts associated with the malware from the infec…
…ed account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Fo…
…FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 20…