…obalt Strike can recover hashed passwords. [1] Enterprise T1069 .001 Permission Groups Discovery Local Groups Cobalt Strike can use net localgroup to list local groups on a system. [2] .002 Permission Groups Discovery Domain Groups Cobalt Strike can identify targets by querying a…
…scacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. [1] ID: T1087.002 Sub-technique of: T1087 Tactic: Discovery Platforms: Linux, Wi…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Insikt Group. (2020, July 28). Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations. Retri…
…e target environment, allowing them to bypass access control lists (ACLs). [26] G1046 Storm-1811 Storm-1811 has used OpenSSH to establish an SSH tunnel to victims for persistent access. [27] G0139 TeamTNT TeamTNT has used SSH to connect back to victim machines. [28] TeamTNT has a…
…system user information. [43] S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host. [214] S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host. [215] G0081 Tropic Trooper Tropic Trooper use…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. Szappanos…
…OFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM registry key. [272] [273] G1046 Storm-1811 Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices. [274] S0491 StrongPity StrongPity can use the HKCU\Soft…
…OFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM registry key. [288] [289] G1046 Storm-1811 Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices. [290] S0491 StrongPity StrongPity can use the HKCU\Soft…
…torm-0501 has leveraged PowerShell to execute commands and scripts. [294] [295] G1046 Storm-1811 Storm-1811 has used PowerShell for multiple purposes, such as using PowerShell scripts executing in an infinite loop to create an SSH connection to a command and control server. [296]…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
… it additionally has a function to upload files from the victim's machine. [537] G1046 Storm-1811 Storm-1811 has used scripted cURL commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices. [538] [539] [540] S1183 Str…
… has been distributed through phishing emails containing a malicious URL. [114] G1046 Storm-1811 Storm-1811 has distributed malicious links to victims that redirect to EvilProxy-based phishing sites to harvest credentials. [115] G1018 TA2541 TA2541 has used spearphishing e-mails …