…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
… to target downstream customers including a law firm and aviation company. [13] G1039 RedCurl RedCurl has gained access to a contractor to pivot to the victim’s infrastructure. [14] G0034 Sandworm Team Sandworm Team has used dedicated network connections from one victim organizat…
…l. [90] S0583 Pysa Pysa can perform OS credential dumping using Mimikatz. [91] G1039 RedCurl RedCurl used LaZagne to obtain passwords from memory. [92] [93] G0034 Sandworm Team Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Win…
…2 Qilin Qilin can employ an embedded Mimikatz module to dump LSASS memory. [94] G1039 RedCurl RedCurl used LaZagne to obtain passwords from memory. [95] [96] G0034 Sandworm Team Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Win…
… can scan for systems that are vulnerable to the EternalBlue exploit. [63] [64] G1039 RedCurl RedCurl has used netstat to check if port 4119 is open. [65] S0125 Remsec Remsec has a plugin that can perform ARP scanning as well as port scanning. [66] G0106 Rocke Rocke conducted sca…
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. CISA. (2023, Dece…
…cor has attached a malicious document to an email to gain initial access. [203] G1039 RedCurl RedCurl has used phishing emails with malicious files to gain initial access. [204] [205] C0047 RedDelta Modified PlugX Infection Chain Operations Mustang Panda leveraged malicious attac…
… through emails with malicious links. [100] [101] [102] [103] [104] [105] [106] G1039 RedCurl RedCurl has used phishing emails with malicious links to gain initial access. [107] [108] C0047 RedDelta Modified PlugX Infection Chain Operations Mustang Panda distributed malicious lin…
…nd control infrastructure, such as IP addresses associated with Tor nodes. [98] G1039 RedCurl RedCurl has used rundll32.exe to execute malicious files. [99] [100] [101] S0148 RTM RTM runs its core DLL file using rundll32.exe. [102] [103] S0074 Sakula Sakula calls cmd.exe to run v…
…ution through users opening malicious links. [90] [91] [92] [93] [94] [95] [96] G1039 RedCurl RedCurl has used malicious links to infect the victim machines. [97] [98] C0047 RedDelta Modified PlugX Infection Chain Operations Mustang Panda distributed hyperlinks that would result …
…d control infrastructure, such as IP addresses associated with Tor nodes. [100] G1039 RedCurl RedCurl has used rundll32.exe to execute malicious files. [101] [102] [103] S0148 RTM RTM runs its core DLL file using rundll32.exe. [104] [105] S0074 Sakula Sakula calls cmd.exe to run …
…A that uses a PowerShell script instead of the traditional PE form. [221] [222] G1039 RedCurl RedCurl has used PowerShell to execute commands and to download malware. [223] [224] [225] S0511 RegDuke RegDuke can extract and execute PowerShell scripts from C2 communications. [100] …
…rs Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. …
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Ret…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…