…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…ish an initial foothold and for lateral movement within a victim's system. [15] G1043 BlackByte BlackByte has used ASPX web shells following exploitation of vulnerabilities in services such as Microsoft Exchange. [16] [17] S1118 BUSHWALK BUSHWALK is a web shell that has the abili…
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
…emote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. M1042 Disable or Remove Feature or Program Disable the RDP service if it is unnecessary. M1035 Limit Access to Resource Over Network Use remote desktop gateway…
…AnyDesk and PuTTY for maintaining remote access to victim environments. [6] [7] G1043 BlackByte BlackByte has used tools such as AnyDesk in victim environments. [8] [9] C0027 C0027 During C0027 Scattered Spider directed victims to run remote monitoring and management (RMM) tools.…
…2 BITTER BITTER has exploited CVE-2021-1732 for privilege escalation. [10] [11] G1043 BlackByte BlackByte has exploited CVE-2024-37085 in VMware ESXi software for authentication bypass and subsequent privilege escalation. [12] S1181 BlackByte 2.0 Ransomware BlackByte 2.0 Ransomwa…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…xiom Axiom has used VPS hosting providers in targeting of intended victims. [6] G1043 BlackByte BlackByte staged encryption keys on virtual private servers operated by the adversary. [7] C0032 C0032 During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastru…
… . [18] S0470 BBK BBK has the ability to inject shellcode into svchost.exe. [3] G1043 BlackByte BlackByte has injected Cobalt Strike into wuauclt.exe during intrusions. [19] BlackByte has injected ransomware into svchost.exe before encryption. [20] S1181 BlackByte 2.0 Ransomware …
…ell scripts for discovery and to execute files over the network. [42] [43] [44] G1043 BlackByte BlackByte used encoded PowerShell commands during operations. [45] BlackByte has used remote PowerShell commands in victim networks. [46] S0521 BloodHound BloodHound can use PowerShell…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…ent Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design an…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. Roccia, T., …