RAG - LangChain and ATT&CK Groups#
Collaborators:
Roberto Rodriguez (@Cyb3rWard0g)
References:
Import Modules#
from langchain.embeddings.openai import OpenAIEmbeddings
from langchain.embeddings.sentence_transformer import SentenceTransformerEmbeddings
from langchain.vectorstores import Chroma
import openai
import os
from dotenv import load_dotenv
import tqdm as notebook_tqdm
Define Initial Variables#
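# NOTE: `__file__` is not defined inside a notebook kernel, and the original passed the
# *string* "__file__" to os.path.dirname, which reduces to "" — so the Chroma path was
# silently relative to whatever directory the kernel happened to be started from.
# Resolve that explicitly so the location the store is read from is visible and
# deterministic rather than an accident of the working directory.
current_directory = os.getcwd()

# Persistent Chroma store holding the ATT&CK group chunks; expected one level up from
# the working directory (the relative path is kept, abspath only normalises the "..").
chroma_db = os.path.abspath(os.path.join(current_directory, "../source-knowledge/chroma_db"))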
Load Vector DB#
import chromadb
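persistent_client = chromadb.PersistentClient(path=chroma_db)

# Query-time embedding function. It must be the same model that embedded the
# collection when it was built; a different model still "works" but similarity
# search returns unrelated chunks. NOTE(review): the model name is unpinned, so it
# resolves to whatever the Hugging Face hub serves for "all-mpnet-base-v2" at run
# time — pin a revision (or load from a vetted local copy) if retrieval needs to be
# reproducible and tamper-evident.
embedding_function = SentenceTransformerEmbeddings(model_name="all-mpnet-base-v2")

db = Chroma(
    client=persistent_client,
    collection_name="groups_collection",
    embedding_function=embedding_function,
)

# Sanity-check the load instead of trusting it. NOTE(review): presumably the wrapper
# get-or-creates the collection, so a wrong path or collection name yields an empty
# store rather than an error — confirm against the installed langchain/chromadb.
loaded = db.get()
if not loaded["ids"]:
    raise RuntimeError(
        f"collection 'groups_collection' at {chroma_db!r} is empty; "
        "check chroma_db path and collection_name"
    )
loaded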
C:\Users\RobertoRodriguez\AppData\Local\Programs\Python\Python311\Lib\site-packages\tqdm\auto.py:21: TqdmWarning: IProgress not found. Please update jupyter and ipywidgets. See https://ipywidgets.readthedocs.io/en/stable/user_install.html
from .autonotebook import tqdm as notebook_tqdm
{'ids': ['50b4e4a7-6c5f-11ee-b0d1-6479f0659de9',
'50b4e4a8-6c5f-11ee-94d5-6479f0659de9',
'50b4e4a9-6c5f-11ee-87b4-6479f0659de9',
'50b4e4aa-6c5f-11ee-a51c-6479f0659de9',
'50b4e4ab-6c5f-11ee-978c-6479f0659de9',
'50b4e4ac-6c5f-11ee-93b6-6479f0659de9',
'50b4e4ad-6c5f-11ee-84a2-6479f0659de9',
'50b4e4ae-6c5f-11ee-8b81-6479f0659de9',
'50b4e4af-6c5f-11ee-9060-6479f0659de9',
'50b4e4b0-6c5f-11ee-a63c-6479f0659de9',
'50b4e4b1-6c5f-11ee-96ae-6479f0659de9',
'50b4e4b2-6c5f-11ee-91a2-6479f0659de9',
'50b4e4b3-6c5f-11ee-9dae-6479f0659de9',
'50b4e4b4-6c5f-11ee-a0c7-6479f0659de9',
'50b4e4b5-6c5f-11ee-bab4-6479f0659de9',
'50b4e4b6-6c5f-11ee-9fa5-6479f0659de9',
'50b4e4b7-6c5f-11ee-aeca-6479f0659de9',
'50b4e4b8-6c5f-11ee-99b2-6479f0659de9',
'50b4e4b9-6c5f-11ee-acc7-6479f0659de9',
'50b4e4ba-6c5f-11ee-9ae1-6479f0659de9',
'50b4e4bb-6c5f-11ee-95bd-6479f0659de9',
'50b4e4bc-6c5f-11ee-a00b-6479f0659de9',
'50b4e4bd-6c5f-11ee-acf4-6479f0659de9',
'50b4e4be-6c5f-11ee-8a73-6479f0659de9',
'50b4e4bf-6c5f-11ee-b32c-6479f0659de9',
'50b4e4c0-6c5f-11ee-ab6f-6479f0659de9',
'50b4e4c1-6c5f-11ee-aee7-6479f0659de9',
'50b4e4c2-6c5f-11ee-9e00-6479f0659de9',
'50b4e4c3-6c5f-11ee-ba9f-6479f0659de9',
'50b4e4c4-6c5f-11ee-b160-6479f0659de9',
'50b4e4c5-6c5f-11ee-8b85-6479f0659de9',
'50b4e4c6-6c5f-11ee-905e-6479f0659de9',
'50b4e4c7-6c5f-11ee-997d-6479f0659de9',
'50b4e4c8-6c5f-11ee-87b7-6479f0659de9',
'50b4e4c9-6c5f-11ee-ac78-6479f0659de9',
'50b4e4ca-6c5f-11ee-9c82-6479f0659de9',
'50b4e4cb-6c5f-11ee-8fe8-6479f0659de9',
'50b4e4cc-6c5f-11ee-9a06-6479f0659de9',
'50b4e4cd-6c5f-11ee-a040-6479f0659de9',
'50b4e4ce-6c5f-11ee-8697-6479f0659de9',
'50b4e4cf-6c5f-11ee-842b-6479f0659de9',
'50b4e4d0-6c5f-11ee-8224-6479f0659de9',
'50b4e4d1-6c5f-11ee-a655-6479f0659de9',
'50b4e4d2-6c5f-11ee-b2cd-6479f0659de9',
'50b4e4d3-6c5f-11ee-9d3f-6479f0659de9',
'50b506aa-6c5f-11ee-9fef-6479f0659de9',
'50b506ab-6c5f-11ee-892c-6479f0659de9',
'50b506ac-6c5f-11ee-9e16-6479f0659de9',
'50b506ad-6c5f-11ee-a16e-6479f0659de9',
'50b506ae-6c5f-11ee-9a0c-6479f0659de9',
'50b506af-6c5f-11ee-bc2c-6479f0659de9',
'50b506b0-6c5f-11ee-b5f0-6479f0659de9',
'50b506b1-6c5f-11ee-80bd-6479f0659de9',
'50b506b2-6c5f-11ee-b4f3-6479f0659de9',
'50b506b3-6c5f-11ee-8bea-6479f0659de9',
'50b506b4-6c5f-11ee-882d-6479f0659de9',
'50b506b5-6c5f-11ee-87fc-6479f0659de9',
'50b506b6-6c5f-11ee-b478-6479f0659de9',
'50b506b7-6c5f-11ee-9e5a-6479f0659de9',
'50b506b8-6c5f-11ee-bba0-6479f0659de9',
'50b506b9-6c5f-11ee-8cef-6479f0659de9',
'50b506ba-6c5f-11ee-833d-6479f0659de9',
'50b506bb-6c5f-11ee-9db1-6479f0659de9',
'50b506bc-6c5f-11ee-9836-6479f0659de9',
'50b506bd-6c5f-11ee-a757-6479f0659de9',
'50b506be-6c5f-11ee-8587-6479f0659de9',
'50b506bf-6c5f-11ee-895c-6479f0659de9',
'50b506c0-6c5f-11ee-bbd4-6479f0659de9',
'50b506c1-6c5f-11ee-b9aa-6479f0659de9',
'50b506c2-6c5f-11ee-992e-6479f0659de9',
'50b506c3-6c5f-11ee-b207-6479f0659de9',
'50b506c4-6c5f-11ee-9a0e-6479f0659de9',
'50b506c5-6c5f-11ee-bcd6-6479f0659de9',
'50b506c6-6c5f-11ee-aae6-6479f0659de9',
'50b506c7-6c5f-11ee-a74d-6479f0659de9',
'50b506c8-6c5f-11ee-8280-6479f0659de9',
'50b506c9-6c5f-11ee-b646-6479f0659de9',
'50b506ca-6c5f-11ee-90d8-6479f0659de9',
'50b506cb-6c5f-11ee-a5d7-6479f0659de9',
'50b506cc-6c5f-11ee-99b5-6479f0659de9',
'50b506cd-6c5f-11ee-a607-6479f0659de9',
'50b506ce-6c5f-11ee-8385-6479f0659de9',
'50b506cf-6c5f-11ee-a7d5-6479f0659de9',
'50b506d0-6c5f-11ee-a557-6479f0659de9',
'50b506d1-6c5f-11ee-9848-6479f0659de9',
'50b506d2-6c5f-11ee-b51f-6479f0659de9',
'50b506d3-6c5f-11ee-9b20-6479f0659de9',
'50b506d4-6c5f-11ee-a64f-6479f0659de9',
'50b506d5-6c5f-11ee-afc9-6479f0659de9',
'50b506d6-6c5f-11ee-b7d2-6479f0659de9',
'50b506d7-6c5f-11ee-b8b6-6479f0659de9',
'50b506d8-6c5f-11ee-861a-6479f0659de9',
'50b506d9-6c5f-11ee-b110-6479f0659de9',
'50b506da-6c5f-11ee-b00f-6479f0659de9',
'50b506db-6c5f-11ee-87d2-6479f0659de9',
'50b506dc-6c5f-11ee-aba3-6479f0659de9',
'50b506dd-6c5f-11ee-a17d-6479f0659de9',
'50b506de-6c5f-11ee-9559-6479f0659de9',
'50b506df-6c5f-11ee-8f01-6479f0659de9',
'50b506e0-6c5f-11ee-872c-6479f0659de9',
'50b506e1-6c5f-11ee-96df-6479f0659de9',
'50b506e2-6c5f-11ee-b410-6479f0659de9',
'50b506e3-6c5f-11ee-a381-6479f0659de9',
'50b506e4-6c5f-11ee-85e7-6479f0659de9',
'50b506e5-6c5f-11ee-a194-6479f0659de9',
'50b506e6-6c5f-11ee-9b95-6479f0659de9',
'50b506e7-6c5f-11ee-b0d1-6479f0659de9',
'50b506e8-6c5f-11ee-8849-6479f0659de9',
'50b506e9-6c5f-11ee-b67b-6479f0659de9',
'50b506ea-6c5f-11ee-8301-6479f0659de9',
'50b506eb-6c5f-11ee-bb0a-6479f0659de9',
'50b506ec-6c5f-11ee-8e9f-6479f0659de9',
'50b506ed-6c5f-11ee-9994-6479f0659de9',
'50b506ee-6c5f-11ee-b5fc-6479f0659de9',
'50b506ef-6c5f-11ee-801b-6479f0659de9',
'50b506f0-6c5f-11ee-b09c-6479f0659de9',
'50b506f1-6c5f-11ee-909b-6479f0659de9',
'50b506f2-6c5f-11ee-b435-6479f0659de9',
'50b506f3-6c5f-11ee-a59a-6479f0659de9',
'50b506f4-6c5f-11ee-9f23-6479f0659de9',
'50b506f5-6c5f-11ee-aae1-6479f0659de9',
'50b506f6-6c5f-11ee-bff0-6479f0659de9',
'50b506f7-6c5f-11ee-bb39-6479f0659de9',
'50b506f8-6c5f-11ee-9ae8-6479f0659de9',
'50b506f9-6c5f-11ee-8ff1-6479f0659de9',
'50b506fa-6c5f-11ee-a4da-6479f0659de9',
'50b506fb-6c5f-11ee-9003-6479f0659de9',
'50b506fc-6c5f-11ee-ba28-6479f0659de9',
'50b506fd-6c5f-11ee-aae1-6479f0659de9',
'50b506fe-6c5f-11ee-bd8a-6479f0659de9',
'50b506ff-6c5f-11ee-86ac-6479f0659de9',
'50b50700-6c5f-11ee-accc-6479f0659de9',
'50b50701-6c5f-11ee-95be-6479f0659de9',
'50b50702-6c5f-11ee-b5c6-6479f0659de9',
'50b50703-6c5f-11ee-a542-6479f0659de9',
'50b50704-6c5f-11ee-bc17-6479f0659de9',
'50b50705-6c5f-11ee-8831-6479f0659de9',
'50b50706-6c5f-11ee-8de2-6479f0659de9',
'50b50707-6c5f-11ee-a422-6479f0659de9',
'50b50708-6c5f-11ee-baaa-6479f0659de9',
'50b50709-6c5f-11ee-8a3c-6479f0659de9',
'50b5070a-6c5f-11ee-a18e-6479f0659de9',
'50b5070b-6c5f-11ee-95d5-6479f0659de9',
'50b5070c-6c5f-11ee-9332-6479f0659de9',
'50b5070d-6c5f-11ee-8c48-6479f0659de9',
'50b5070e-6c5f-11ee-a574-6479f0659de9',
'50b5070f-6c5f-11ee-8e59-6479f0659de9',
'50b50710-6c5f-11ee-936d-6479f0659de9',
'50b50711-6c5f-11ee-8573-6479f0659de9',
'50b50712-6c5f-11ee-bfc4-6479f0659de9',
'50b50713-6c5f-11ee-98d5-6479f0659de9',
'50b50714-6c5f-11ee-bea1-6479f0659de9',
'50b50715-6c5f-11ee-9724-6479f0659de9',
'50b50716-6c5f-11ee-9e80-6479f0659de9',
'50b50717-6c5f-11ee-ad77-6479f0659de9',
'50b50718-6c5f-11ee-94f4-6479f0659de9',
'50b50719-6c5f-11ee-b51c-6479f0659de9',
'50b5071a-6c5f-11ee-88d2-6479f0659de9',
'50b5071b-6c5f-11ee-a0ff-6479f0659de9',
'50b5071c-6c5f-11ee-ba33-6479f0659de9',
'50b5071d-6c5f-11ee-8662-6479f0659de9',
'50b5071e-6c5f-11ee-add2-6479f0659de9',
'50b5071f-6c5f-11ee-b93d-6479f0659de9',
'50b50720-6c5f-11ee-bc3b-6479f0659de9',
'50b50721-6c5f-11ee-a760-6479f0659de9',
'50b50722-6c5f-11ee-9202-6479f0659de9',
'50b50723-6c5f-11ee-894a-6479f0659de9',
'50b50724-6c5f-11ee-8d11-6479f0659de9',
'50b50725-6c5f-11ee-aee3-6479f0659de9',
'50b50726-6c5f-11ee-a8af-6479f0659de9',
'50b50727-6c5f-11ee-9a31-6479f0659de9',
'50b50728-6c5f-11ee-84db-6479f0659de9',
'50b50729-6c5f-11ee-b210-6479f0659de9',
'50b5072a-6c5f-11ee-b971-6479f0659de9',
'50b5072b-6c5f-11ee-b17f-6479f0659de9',
'50b5072c-6c5f-11ee-b4c7-6479f0659de9',
'50b5072d-6c5f-11ee-a2a4-6479f0659de9',
'50b5072e-6c5f-11ee-8c17-6479f0659de9',
'50b5072f-6c5f-11ee-84eb-6479f0659de9',
'50b50730-6c5f-11ee-adf3-6479f0659de9',
'50b50731-6c5f-11ee-a7e9-6479f0659de9',
'50b50732-6c5f-11ee-86af-6479f0659de9',
'50b50733-6c5f-11ee-97aa-6479f0659de9',
'50b50734-6c5f-11ee-bfff-6479f0659de9',
'50b50735-6c5f-11ee-ac7f-6479f0659de9',
'50b50736-6c5f-11ee-8d9b-6479f0659de9',
'50b50737-6c5f-11ee-8765-6479f0659de9',
'50b50738-6c5f-11ee-81b0-6479f0659de9',
'50b50739-6c5f-11ee-95f2-6479f0659de9',
'50b5073a-6c5f-11ee-918f-6479f0659de9',
'50b5073b-6c5f-11ee-a971-6479f0659de9',
'50b5073c-6c5f-11ee-86bf-6479f0659de9',
'50b5073d-6c5f-11ee-aff6-6479f0659de9',
'50b5073e-6c5f-11ee-aa6b-6479f0659de9',
'50b5073f-6c5f-11ee-9290-6479f0659de9',
'50b50740-6c5f-11ee-8eb8-6479f0659de9',
'50b50741-6c5f-11ee-ae47-6479f0659de9',
'50b50742-6c5f-11ee-bf76-6479f0659de9',
'50b50743-6c5f-11ee-aaa3-6479f0659de9',
'50b50744-6c5f-11ee-9784-6479f0659de9',
'50b50745-6c5f-11ee-9f8b-6479f0659de9',
'50b50746-6c5f-11ee-bc41-6479f0659de9',
'50b50747-6c5f-11ee-a637-6479f0659de9',
'50b50748-6c5f-11ee-aa26-6479f0659de9',
'50b50749-6c5f-11ee-ba6f-6479f0659de9',
'50b5074a-6c5f-11ee-a8e7-6479f0659de9',
'50b5074b-6c5f-11ee-b4b7-6479f0659de9',
'50b5074c-6c5f-11ee-83f4-6479f0659de9',
'50b5074d-6c5f-11ee-bb11-6479f0659de9',
'50b5074e-6c5f-11ee-af6f-6479f0659de9',
'50b5074f-6c5f-11ee-9b16-6479f0659de9',
'50b50750-6c5f-11ee-afb6-6479f0659de9',
'50b50751-6c5f-11ee-921c-6479f0659de9',
'50b50752-6c5f-11ee-a03f-6479f0659de9',
'50b50753-6c5f-11ee-85ba-6479f0659de9',
'50b50754-6c5f-11ee-ad89-6479f0659de9',
'50b50755-6c5f-11ee-8f96-6479f0659de9',
'50b50756-6c5f-11ee-8493-6479f0659de9',
'50b50757-6c5f-11ee-84d0-6479f0659de9',
'50b50758-6c5f-11ee-9dea-6479f0659de9',
'50b50759-6c5f-11ee-b11d-6479f0659de9',
'50b5075a-6c5f-11ee-9942-6479f0659de9',
'50b5075b-6c5f-11ee-8a2d-6479f0659de9',
'50b5075c-6c5f-11ee-bc89-6479f0659de9',
'50b5075d-6c5f-11ee-ac8e-6479f0659de9',
'50b5075e-6c5f-11ee-a1f7-6479f0659de9',
'50b5075f-6c5f-11ee-a95d-6479f0659de9',
'50b50760-6c5f-11ee-8103-6479f0659de9',
'50b50761-6c5f-11ee-9e87-6479f0659de9',
'50b50762-6c5f-11ee-9ac7-6479f0659de9',
'50b50763-6c5f-11ee-b251-6479f0659de9',
'50b50764-6c5f-11ee-8a2c-6479f0659de9',
'50b50765-6c5f-11ee-a4d1-6479f0659de9',
'50b50766-6c5f-11ee-abdc-6479f0659de9',
'50b50767-6c5f-11ee-97e8-6479f0659de9',
'50b50768-6c5f-11ee-9967-6479f0659de9',
'50b50769-6c5f-11ee-ad68-6479f0659de9',
'50b5076a-6c5f-11ee-a2b0-6479f0659de9',
'50b5076b-6c5f-11ee-bde3-6479f0659de9',
'50b5076c-6c5f-11ee-8630-6479f0659de9',
'50b5076d-6c5f-11ee-8ea5-6479f0659de9',
'50b5076e-6c5f-11ee-9712-6479f0659de9',
'50b5076f-6c5f-11ee-868a-6479f0659de9',
'50b50770-6c5f-11ee-b654-6479f0659de9',
'50b50771-6c5f-11ee-971a-6479f0659de9',
'50b50772-6c5f-11ee-acd7-6479f0659de9',
'50b50773-6c5f-11ee-92e4-6479f0659de9',
'50b50774-6c5f-11ee-930f-6479f0659de9',
'50b50775-6c5f-11ee-b7f4-6479f0659de9',
'50b50776-6c5f-11ee-8b5a-6479f0659de9',
'50b50777-6c5f-11ee-b36d-6479f0659de9',
'50b50778-6c5f-11ee-b752-6479f0659de9',
'50b50779-6c5f-11ee-a428-6479f0659de9',
'50b5077a-6c5f-11ee-90d8-6479f0659de9',
'50b5077b-6c5f-11ee-8103-6479f0659de9',
'50b5077c-6c5f-11ee-8772-6479f0659de9',
'50b5077d-6c5f-11ee-a786-6479f0659de9',
'50b5077e-6c5f-11ee-b8c4-6479f0659de9',
'50b5077f-6c5f-11ee-8d1c-6479f0659de9',
'50b50780-6c5f-11ee-bec4-6479f0659de9',
'50b50781-6c5f-11ee-8f51-6479f0659de9',
'50b50782-6c5f-11ee-84fe-6479f0659de9',
'50b50783-6c5f-11ee-9cdd-6479f0659de9',
'50b50784-6c5f-11ee-9c85-6479f0659de9',
'50b50785-6c5f-11ee-9398-6479f0659de9',
'50b50786-6c5f-11ee-b830-6479f0659de9',
'50b50787-6c5f-11ee-8e41-6479f0659de9',
'50b50788-6c5f-11ee-8908-6479f0659de9',
'50b50789-6c5f-11ee-aadf-6479f0659de9',
'50b5078a-6c5f-11ee-99a0-6479f0659de9',
'50b5078b-6c5f-11ee-858e-6479f0659de9',
'50b5078c-6c5f-11ee-85ce-6479f0659de9',
'50b5078d-6c5f-11ee-9cce-6479f0659de9',
'50b5078e-6c5f-11ee-bd8f-6479f0659de9',
'50b5078f-6c5f-11ee-88e9-6479f0659de9',
'50b50790-6c5f-11ee-8883-6479f0659de9',
'50b50791-6c5f-11ee-b919-6479f0659de9',
'50b50792-6c5f-11ee-927e-6479f0659de9',
'50b50793-6c5f-11ee-8b8b-6479f0659de9',
'50b50794-6c5f-11ee-9051-6479f0659de9',
'50b50795-6c5f-11ee-9507-6479f0659de9',
'50b50796-6c5f-11ee-ac47-6479f0659de9',
'50b50797-6c5f-11ee-b23a-6479f0659de9',
'50b50798-6c5f-11ee-a658-6479f0659de9',
'50b50799-6c5f-11ee-b4b5-6479f0659de9',
'50b5079a-6c5f-11ee-8c5c-6479f0659de9',
'50b5079b-6c5f-11ee-b8a0-6479f0659de9',
'50b5079c-6c5f-11ee-9fb3-6479f0659de9',
'50b5079d-6c5f-11ee-9f7c-6479f0659de9',
'50b5079e-6c5f-11ee-8f9b-6479f0659de9',
'50b5079f-6c5f-11ee-b543-6479f0659de9',
'50b507a0-6c5f-11ee-a94c-6479f0659de9',
'50b507a1-6c5f-11ee-a264-6479f0659de9',
'50b507a2-6c5f-11ee-80fb-6479f0659de9',
'50b507a3-6c5f-11ee-8dad-6479f0659de9',
'50b507a4-6c5f-11ee-b040-6479f0659de9',
'50b507a5-6c5f-11ee-b988-6479f0659de9',
'50b507a6-6c5f-11ee-a95e-6479f0659de9',
'50b507a7-6c5f-11ee-8136-6479f0659de9',
'50b507a8-6c5f-11ee-adc0-6479f0659de9',
'50b507a9-6c5f-11ee-9670-6479f0659de9',
'50b507aa-6c5f-11ee-adf6-6479f0659de9',
'50b507ab-6c5f-11ee-a120-6479f0659de9',
'50b507ac-6c5f-11ee-9f86-6479f0659de9',
'50b507ad-6c5f-11ee-90a2-6479f0659de9',
'50b507ae-6c5f-11ee-9876-6479f0659de9',
'50b507af-6c5f-11ee-9439-6479f0659de9',
'50b507b0-6c5f-11ee-a05a-6479f0659de9',
'50b507b1-6c5f-11ee-896a-6479f0659de9',
'50b507b2-6c5f-11ee-bc72-6479f0659de9',
'50b507b3-6c5f-11ee-9aab-6479f0659de9',
'50b507b4-6c5f-11ee-a27f-6479f0659de9',
'50b507b5-6c5f-11ee-86df-6479f0659de9',
'50b507b6-6c5f-11ee-b049-6479f0659de9',
'50b507b7-6c5f-11ee-a04c-6479f0659de9',
'50b507b8-6c5f-11ee-b771-6479f0659de9',
'50b507b9-6c5f-11ee-b1c6-6479f0659de9',
'50b507ba-6c5f-11ee-83d7-6479f0659de9',
'50b507bb-6c5f-11ee-8ee5-6479f0659de9',
'50b507bc-6c5f-11ee-8dcd-6479f0659de9',
'50b507bd-6c5f-11ee-b15c-6479f0659de9',
'50b507be-6c5f-11ee-96ea-6479f0659de9',
'50b507bf-6c5f-11ee-b35a-6479f0659de9',
'50b507c0-6c5f-11ee-b96f-6479f0659de9',
'50b507c1-6c5f-11ee-8ab1-6479f0659de9',
'50b507c2-6c5f-11ee-bfe8-6479f0659de9',
'50b507c3-6c5f-11ee-b446-6479f0659de9',
'50b507c4-6c5f-11ee-bd4c-6479f0659de9',
'50b507c5-6c5f-11ee-b2fd-6479f0659de9',
'50b507c6-6c5f-11ee-aa5a-6479f0659de9',
'50b507c7-6c5f-11ee-b34c-6479f0659de9',
'50b507c8-6c5f-11ee-90b8-6479f0659de9',
'50b507c9-6c5f-11ee-91a5-6479f0659de9',
'50b507ca-6c5f-11ee-9f30-6479f0659de9',
'50b507cb-6c5f-11ee-a84c-6479f0659de9',
'50b507cc-6c5f-11ee-8c9f-6479f0659de9',
'50b507cd-6c5f-11ee-bac1-6479f0659de9',
'50b507ce-6c5f-11ee-81f7-6479f0659de9',
'50b507cf-6c5f-11ee-9294-6479f0659de9',
'50b507d0-6c5f-11ee-9cb5-6479f0659de9',
'50b507d1-6c5f-11ee-8d7e-6479f0659de9',
'50b507d2-6c5f-11ee-a901-6479f0659de9',
'50b507d3-6c5f-11ee-adf0-6479f0659de9',
'50b507d4-6c5f-11ee-9695-6479f0659de9',
'50b507d5-6c5f-11ee-9189-6479f0659de9',
'50b507d6-6c5f-11ee-9eab-6479f0659de9',
'50b507d7-6c5f-11ee-b74d-6479f0659de9',
'50b507d8-6c5f-11ee-882c-6479f0659de9',
'50b507d9-6c5f-11ee-9e90-6479f0659de9',
'50b507da-6c5f-11ee-84a1-6479f0659de9',
'50b507db-6c5f-11ee-bc77-6479f0659de9',
'50b507dc-6c5f-11ee-9217-6479f0659de9',
'50b507dd-6c5f-11ee-b1af-6479f0659de9',
'50b507de-6c5f-11ee-a385-6479f0659de9',
'50b507df-6c5f-11ee-bdbc-6479f0659de9',
'50b507e0-6c5f-11ee-b712-6479f0659de9',
'50b507e1-6c5f-11ee-98af-6479f0659de9',
'50b507e2-6c5f-11ee-8137-6479f0659de9',
'50b507e3-6c5f-11ee-bba3-6479f0659de9',
'50b507e4-6c5f-11ee-8356-6479f0659de9',
'50b507e5-6c5f-11ee-96e6-6479f0659de9',
'50b507e6-6c5f-11ee-9976-6479f0659de9',
'50b507e7-6c5f-11ee-b99b-6479f0659de9',
'50b507e8-6c5f-11ee-9cf0-6479f0659de9',
'50b507e9-6c5f-11ee-b993-6479f0659de9',
'50b507ea-6c5f-11ee-b723-6479f0659de9',
'50b507eb-6c5f-11ee-b560-6479f0659de9',
'50b507ec-6c5f-11ee-a58d-6479f0659de9',
'50b507ed-6c5f-11ee-961e-6479f0659de9',
'50b507ee-6c5f-11ee-a5d8-6479f0659de9',
'50b507ef-6c5f-11ee-a33b-6479f0659de9',
'50b507f0-6c5f-11ee-a78f-6479f0659de9',
'50b507f1-6c5f-11ee-9339-6479f0659de9',
'50b507f2-6c5f-11ee-b267-6479f0659de9',
'50b507f3-6c5f-11ee-9f35-6479f0659de9',
'50b507f4-6c5f-11ee-a0dd-6479f0659de9',
'50b507f5-6c5f-11ee-a400-6479f0659de9',
'50b52d69-6c5f-11ee-8a60-6479f0659de9',
'50b52d6a-6c5f-11ee-bcec-6479f0659de9',
'50b52d6b-6c5f-11ee-9a12-6479f0659de9',
'50b52d6c-6c5f-11ee-96e2-6479f0659de9',
'50b52d6d-6c5f-11ee-a9f8-6479f0659de9',
'50b52d6e-6c5f-11ee-9d48-6479f0659de9',
'50b52d6f-6c5f-11ee-a9d3-6479f0659de9',
'50b52d70-6c5f-11ee-9d4d-6479f0659de9',
'50b52d71-6c5f-11ee-ac7b-6479f0659de9',
'50b52d72-6c5f-11ee-8bcf-6479f0659de9',
'50b52d73-6c5f-11ee-ab67-6479f0659de9',
'50b52d74-6c5f-11ee-9236-6479f0659de9',
'50b52d75-6c5f-11ee-9f12-6479f0659de9',
'50b52d76-6c5f-11ee-8b58-6479f0659de9',
'50b52d77-6c5f-11ee-8ab1-6479f0659de9',
'50b52d78-6c5f-11ee-87c7-6479f0659de9',
'50b52d79-6c5f-11ee-89c2-6479f0659de9',
'50b52d7a-6c5f-11ee-8fc0-6479f0659de9',
'50b52d7b-6c5f-11ee-a23b-6479f0659de9',
'50b52d7c-6c5f-11ee-8c6f-6479f0659de9',
'50b52d7d-6c5f-11ee-85d0-6479f0659de9',
'50b52d7e-6c5f-11ee-9e45-6479f0659de9',
'50b52d7f-6c5f-11ee-945e-6479f0659de9',
'50b52d80-6c5f-11ee-93f4-6479f0659de9',
'50b52d81-6c5f-11ee-80ce-6479f0659de9',
'50b52d82-6c5f-11ee-955f-6479f0659de9',
'50b52d83-6c5f-11ee-a09d-6479f0659de9',
'50b52d84-6c5f-11ee-962d-6479f0659de9',
'50b52d85-6c5f-11ee-9601-6479f0659de9',
'50b52d86-6c5f-11ee-bd7c-6479f0659de9',
'50b52d87-6c5f-11ee-b71b-6479f0659de9',
'50b52d88-6c5f-11ee-8504-6479f0659de9',
'50b52d89-6c5f-11ee-a906-6479f0659de9',
'50b52d8a-6c5f-11ee-b4d4-6479f0659de9',
'50b52d8b-6c5f-11ee-9f95-6479f0659de9',
'50b52d8c-6c5f-11ee-941b-6479f0659de9',
'50b52d8d-6c5f-11ee-8a9d-6479f0659de9',
'50b52d8e-6c5f-11ee-9695-6479f0659de9',
'50b52d8f-6c5f-11ee-8cdd-6479f0659de9',
'50b52d90-6c5f-11ee-8013-6479f0659de9',
'50b52d91-6c5f-11ee-84f9-6479f0659de9',
'50b52d92-6c5f-11ee-a9ee-6479f0659de9',
'50b52d93-6c5f-11ee-be30-6479f0659de9',
'50b52d94-6c5f-11ee-a52f-6479f0659de9',
'50b52d95-6c5f-11ee-9eb2-6479f0659de9',
'50b52d96-6c5f-11ee-b6d9-6479f0659de9',
'50b52d97-6c5f-11ee-887f-6479f0659de9',
'50b52d98-6c5f-11ee-b20d-6479f0659de9',
'50b52d99-6c5f-11ee-9fd3-6479f0659de9',
'50b52d9a-6c5f-11ee-9d7d-6479f0659de9',
'50b52d9b-6c5f-11ee-a5cd-6479f0659de9',
'50b52d9c-6c5f-11ee-b532-6479f0659de9',
'50b52d9d-6c5f-11ee-879c-6479f0659de9',
'50b52d9e-6c5f-11ee-9087-6479f0659de9',
'50b52d9f-6c5f-11ee-9ea5-6479f0659de9',
'50b52da0-6c5f-11ee-8283-6479f0659de9',
'50b52da1-6c5f-11ee-9d16-6479f0659de9',
'50b52da2-6c5f-11ee-b489-6479f0659de9',
'50b52da3-6c5f-11ee-b99b-6479f0659de9',
'50b52da4-6c5f-11ee-bdcb-6479f0659de9',
'50b52da5-6c5f-11ee-984e-6479f0659de9',
'50b52da6-6c5f-11ee-a373-6479f0659de9',
'50b52da7-6c5f-11ee-86a0-6479f0659de9',
'50b52da8-6c5f-11ee-b898-6479f0659de9',
'50b52da9-6c5f-11ee-b7b8-6479f0659de9',
'50b52daa-6c5f-11ee-b83c-6479f0659de9',
'50b52dab-6c5f-11ee-aad9-6479f0659de9',
'50b52dac-6c5f-11ee-ab9a-6479f0659de9',
'50b52dad-6c5f-11ee-8bca-6479f0659de9',
'50b52dae-6c5f-11ee-b700-6479f0659de9',
'50b52daf-6c5f-11ee-9f9c-6479f0659de9',
'50b52db0-6c5f-11ee-a904-6479f0659de9',
'50b52db1-6c5f-11ee-9cf8-6479f0659de9',
'50b52db2-6c5f-11ee-89d0-6479f0659de9',
'50b52db3-6c5f-11ee-943c-6479f0659de9',
'50b52db4-6c5f-11ee-a9b2-6479f0659de9',
'50b52db5-6c5f-11ee-9388-6479f0659de9',
'50b52db6-6c5f-11ee-b6d7-6479f0659de9',
'50b52db7-6c5f-11ee-9de3-6479f0659de9',
'50b52db8-6c5f-11ee-8273-6479f0659de9',
'50b52db9-6c5f-11ee-8cb4-6479f0659de9',
'50b52dba-6c5f-11ee-b182-6479f0659de9',
'50b52dbb-6c5f-11ee-9fff-6479f0659de9',
'50b52dbc-6c5f-11ee-ab0e-6479f0659de9',
'50b52dbd-6c5f-11ee-9f5e-6479f0659de9',
'50b52dbe-6c5f-11ee-bce4-6479f0659de9',
'50b52dbf-6c5f-11ee-84bb-6479f0659de9',
'50b52dc0-6c5f-11ee-8274-6479f0659de9',
'50b52dc1-6c5f-11ee-af16-6479f0659de9',
'50b52dc2-6c5f-11ee-b170-6479f0659de9',
'50b52dc3-6c5f-11ee-a92e-6479f0659de9',
'50b52dc4-6c5f-11ee-bbb2-6479f0659de9',
'50b52dc5-6c5f-11ee-b164-6479f0659de9',
'50b52dc6-6c5f-11ee-a14f-6479f0659de9',
'50b52dc7-6c5f-11ee-900f-6479f0659de9',
'50b52dc8-6c5f-11ee-9100-6479f0659de9',
'50b52dc9-6c5f-11ee-b433-6479f0659de9',
'50b52dca-6c5f-11ee-b4db-6479f0659de9',
'50b52dcb-6c5f-11ee-989b-6479f0659de9',
'50b52dcc-6c5f-11ee-8fcc-6479f0659de9',
'50b52dcd-6c5f-11ee-84e2-6479f0659de9',
'50b52dce-6c5f-11ee-aa88-6479f0659de9',
'50b52dcf-6c5f-11ee-af41-6479f0659de9',
'50b52dd0-6c5f-11ee-a542-6479f0659de9',
'50b52dd1-6c5f-11ee-b1d2-6479f0659de9',
'50b52dd2-6c5f-11ee-a70b-6479f0659de9',
'50b52dd3-6c5f-11ee-96ee-6479f0659de9',
'50b52dd4-6c5f-11ee-9141-6479f0659de9',
'50b52dd5-6c5f-11ee-b428-6479f0659de9',
'50b52dd6-6c5f-11ee-bc22-6479f0659de9',
'50b52dd7-6c5f-11ee-9f67-6479f0659de9',
'50b52dd8-6c5f-11ee-8444-6479f0659de9',
'50b52dd9-6c5f-11ee-a2a1-6479f0659de9',
'50b52dda-6c5f-11ee-a244-6479f0659de9',
'50b52ddb-6c5f-11ee-851e-6479f0659de9',
'50b52ddc-6c5f-11ee-adc1-6479f0659de9',
'50b52ddd-6c5f-11ee-872b-6479f0659de9',
'50b52dde-6c5f-11ee-8aaa-6479f0659de9',
'50b52ddf-6c5f-11ee-94a7-6479f0659de9',
'50b52de0-6c5f-11ee-ae5c-6479f0659de9',
'50b52de1-6c5f-11ee-bdf9-6479f0659de9',
'50b52de2-6c5f-11ee-ab41-6479f0659de9',
'50b52de3-6c5f-11ee-843b-6479f0659de9',
'50b52de4-6c5f-11ee-bfa6-6479f0659de9',
'50b52de5-6c5f-11ee-9a72-6479f0659de9',
'50b52de6-6c5f-11ee-a8db-6479f0659de9',
'50b52de7-6c5f-11ee-af8e-6479f0659de9',
'50b52de8-6c5f-11ee-b6c2-6479f0659de9',
'50b52de9-6c5f-11ee-8f6e-6479f0659de9',
'50b52dea-6c5f-11ee-acc4-6479f0659de9',
'50b52deb-6c5f-11ee-b3e2-6479f0659de9',
'50b52dec-6c5f-11ee-94b4-6479f0659de9',
'50b52ded-6c5f-11ee-bea1-6479f0659de9',
'50b52dee-6c5f-11ee-9565-6479f0659de9',
'50b52def-6c5f-11ee-8aaf-6479f0659de9',
'50b52df0-6c5f-11ee-bc94-6479f0659de9',
'50b52df1-6c5f-11ee-ab6f-6479f0659de9',
'50b52df2-6c5f-11ee-84f6-6479f0659de9',
'50b52df3-6c5f-11ee-92a0-6479f0659de9',
'50b52df4-6c5f-11ee-b6f8-6479f0659de9',
'50b52df5-6c5f-11ee-b1f9-6479f0659de9',
'50b52df6-6c5f-11ee-8e7c-6479f0659de9',
'50b52df7-6c5f-11ee-afed-6479f0659de9',
'50b52df8-6c5f-11ee-ad06-6479f0659de9',
'50b52df9-6c5f-11ee-bd9f-6479f0659de9',
'50b52dfa-6c5f-11ee-b5b2-6479f0659de9',
'50b52dfb-6c5f-11ee-af60-6479f0659de9',
'50b52dfc-6c5f-11ee-9cb1-6479f0659de9',
'50b52dfd-6c5f-11ee-a5d4-6479f0659de9',
'50b52dfe-6c5f-11ee-840d-6479f0659de9',
'50b52dff-6c5f-11ee-a715-6479f0659de9',
'50b52e00-6c5f-11ee-adae-6479f0659de9',
'50b52e01-6c5f-11ee-a26c-6479f0659de9',
'50b52e02-6c5f-11ee-9a6a-6479f0659de9',
'50b52e03-6c5f-11ee-b22a-6479f0659de9',
'50b52e04-6c5f-11ee-b9bc-6479f0659de9',
'50b52e05-6c5f-11ee-87cb-6479f0659de9'],
'embeddings': None,
'metadatas': [{'source': 'documents\\admin@338.md'},
{'source': 'documents\\admin@338.md'},
{'source': 'documents\\Ajax_Security_Team.md'},
{'source': 'documents\\ALLANITE.md'},
{'source': 'documents\\Andariel.md'},
{'source': 'documents\\Andariel.md'},
{'source': 'documents\\Andariel.md'},
{'source': 'documents\\Aoqin_Dragon.md'},
{'source': 'documents\\Aoqin_Dragon.md'},
{'source': 'documents\\APT-C-36.md'},
{'source': 'documents\\APT-C-36.md'},
{'source': 'documents\\APT1.md'},
{'source': 'documents\\APT1.md'},
{'source': 'documents\\APT1.md'},
{'source': 'documents\\APT12.md'},
{'source': 'documents\\APT16.md'},
{'source': 'documents\\APT17.md'},
{'source': 'documents\\APT18.md'},
{'source': 'documents\\APT18.md'},
{'source': 'documents\\APT19.md'},
{'source': 'documents\\APT19.md'},
{'source': 'documents\\APT19.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT28.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT29.md'},
{'source': 'documents\\APT3.md'},
{'source': 'documents\\APT3.md'},
{'source': 'documents\\APT3.md'},
{'source': 'documents\\APT3.md'},
{'source': 'documents\\APT3.md'},
{'source': 'documents\\APT3.md'},
{'source': 'documents\\APT30.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT32.md'},
{'source': 'documents\\APT33.md'},
{'source': 'documents\\APT33.md'},
{'source': 'documents\\APT33.md'},
{'source': 'documents\\APT33.md'},
{'source': 'documents\\APT33.md'},
{'source': 'documents\\APT33.md'},
{'source': 'documents\\APT37.md'},
{'source': 'documents\\APT37.md'},
{'source': 'documents\\APT37.md'},
{'source': 'documents\\APT37.md'},
{'source': 'documents\\APT37.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT38.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT39.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\APT41.md'},
{'source': 'documents\\Aquatic_Panda.md'},
{'source': 'documents\\Aquatic_Panda.md'},
{'source': 'documents\\Axiom.md'},
{'source': 'documents\\Axiom.md'},
{'source': 'documents\\Axiom.md'},
{'source': 'documents\\BackdoorDiplomacy.md'},
{'source': 'documents\\BackdoorDiplomacy.md'},
{'source': 'documents\\BackdoorDiplomacy.md'},
{'source': 'documents\\BITTER.md'},
{'source': 'documents\\BITTER.md'},
{'source': 'documents\\BITTER.md'},
{'source': 'documents\\BlackOasis.md'},
{'source': 'documents\\BlackTech.md'},
{'source': 'documents\\BlackTech.md'},
{'source': 'documents\\BlackTech.md'},
{'source': 'documents\\Blue_Mockingbird.md'},
{'source': 'documents\\Blue_Mockingbird.md'},
{'source': 'documents\\Blue_Mockingbird.md'},
{'source': 'documents\\BRONZE_BUTLER.md'},
{'source': 'documents\\BRONZE_BUTLER.md'},
{'source': 'documents\\BRONZE_BUTLER.md'},
{'source': 'documents\\BRONZE_BUTLER.md'},
{'source': 'documents\\BRONZE_BUTLER.md'},
{'source': 'documents\\BRONZE_BUTLER.md'},
{'source': 'documents\\Carbanak.md'},
{'source': 'documents\\Carbanak.md'},
{'source': 'documents\\Chimera.md'},
{'source': 'documents\\Chimera.md'},
{'source': 'documents\\Chimera.md'},
{'source': 'documents\\Chimera.md'},
{'source': 'documents\\Chimera.md'},
{'source': 'documents\\Chimera.md'},
{'source': 'documents\\Cleaver.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Cobalt_Group.md'},
{'source': 'documents\\Confucius.md'},
{'source': 'documents\\Confucius.md'},
{'source': 'documents\\Confucius.md'},
{'source': 'documents\\CopyKittens.md'},
{'source': 'documents\\CopyKittens.md'},
{'source': 'documents\\CURIUM.md'},
{'source': 'documents\\Darkhotel.md'},
{'source': 'documents\\Darkhotel.md'},
{'source': 'documents\\Darkhotel.md'},
{'source': 'documents\\Darkhotel.md'},
{'source': 'documents\\DarkHydrus.md'},
{'source': 'documents\\DarkHydrus.md'},
{'source': 'documents\\DarkVishnya.md'},
{'source': 'documents\\DarkVishnya.md'},
{'source': 'documents\\Dark_Caracal.md'},
{'source': 'documents\\Dark_Caracal.md'},
{'source': 'documents\\Deep_Panda.md'},
{'source': 'documents\\Deep_Panda.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Dragonfly.md'},
{'source': 'documents\\Earth_Lusca.md'},
{'source': 'documents\\Earth_Lusca.md'},
{'source': 'documents\\Earth_Lusca.md'},
{'source': 'documents\\Earth_Lusca.md'},
{'source': 'documents\\Earth_Lusca.md'},
{'source': 'documents\\Earth_Lusca.md'},
{'source': 'documents\\Elderwood.md'},
{'source': 'documents\\Elderwood.md'},
{'source': 'documents\\Ember_Bear.md'},
{'source': 'documents\\Ember_Bear.md'},
{'source': 'documents\\Ember_Bear.md'},
{'source': 'documents\\Equation.md'},
{'source': 'documents\\Evilnum.md'},
{'source': 'documents\\Evilnum.md'},
{'source': 'documents\\EXOTIC_LILY.md'},
{'source': 'documents\\EXOTIC_LILY.md'},
{'source': 'documents\\EXOTIC_LILY.md'},
{'source': 'documents\\Ferocious_Kitten.md'},
{'source': 'documents\\FIN10.md'},
{'source': 'documents\\FIN10.md'},
{'source': 'documents\\FIN4.md'},
{'source': 'documents\\FIN4.md'},
{'source': 'documents\\FIN4.md'},
{'source': 'documents\\FIN5.md'},
{'source': 'documents\\FIN5.md'},
{'source': 'documents\\FIN5.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN6.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN7.md'},
{'source': 'documents\\FIN8.md'},
{'source': 'documents\\FIN8.md'},
{'source': 'documents\\FIN8.md'},
{'source': 'documents\\FIN8.md'},
{'source': 'documents\\FIN8.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\Fox_Kitten.md'},
{'source': 'documents\\GALLIUM.md'},
{'source': 'documents\\GALLIUM.md'},
{'source': 'documents\\GALLIUM.md'},
{'source': 'documents\\GALLIUM.md'},
{'source': 'documents\\GALLIUM.md'},
{'source': 'documents\\Gallmaker.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\Gamaredon_Group.md'},
{'source': 'documents\\GCMAN.md'},
{'source': 'documents\\GOLD_SOUTHFIELD.md'},
{'source': 'documents\\GOLD_SOUTHFIELD.md'},
{'source': 'documents\\Gorgon_Group.md'},
{'source': 'documents\\Gorgon_Group.md'},
{'source': 'documents\\Gorgon_Group.md'},
{'source': 'documents\\Group5.md'},
{'source': 'documents\\HAFNIUM.md'},
{'source': 'documents\\HAFNIUM.md'},
{'source': 'documents\\HAFNIUM.md'},
{'source': 'documents\\HAFNIUM.md'},
{'source': 'documents\\HAFNIUM.md'},
{'source': 'documents\\HEXANE.md'},
{'source': 'documents\\HEXANE.md'},
{'source': 'documents\\HEXANE.md'},
{'source': 'documents\\HEXANE.md'},
{'source': 'documents\\HEXANE.md'},
{'source': 'documents\\Higaisa.md'},
{'source': 'documents\\Higaisa.md'},
{'source': 'documents\\Higaisa.md'},
{'source': 'documents\\Higaisa.md'},
{'source': 'documents\\Inception.md'},
{'source': 'documents\\Inception.md'},
{'source': 'documents\\Inception.md'},
{'source': 'documents\\Inception.md'},
{'source': 'documents\\IndigoZebra.md'},
{'source': 'documents\\IndigoZebra.md'},
{'source': 'documents\\Indrik_Spider.md'},
{'source': 'documents\\Indrik_Spider.md'},
{'source': 'documents\\Indrik_Spider.md'},
{'source': 'documents\\Ke3chang.md'},
{'source': 'documents\\Ke3chang.md'},
{'source': 'documents\\Ke3chang.md'},
{'source': 'documents\\Ke3chang.md'},
{'source': 'documents\\Ke3chang.md'},
{'source': 'documents\\Ke3chang.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\Kimsuky.md'},
{'source': 'documents\\LAPSUS$.md'},
{'source': 'documents\\LAPSUS$.md'},
{'source': 'documents\\LAPSUS$.md'},
{'source': 'documents\\LAPSUS$.md'},
{'source': 'documents\\LAPSUS$.md'},
{'source': 'documents\\LAPSUS$.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\Lazarus_Group.md'},
{'source': 'documents\\LazyScripter.md'},
{'source': 'documents\\LazyScripter.md'},
{'source': 'documents\\LazyScripter.md'},
{'source': 'documents\\Leafminer.md'},
{'source': 'documents\\Leafminer.md'},
{'source': 'documents\\Leafminer.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\Leviathan.md'},
{'source': 'documents\\LuminousMoth.md'},
{'source': 'documents\\LuminousMoth.md'},
{'source': 'documents\\LuminousMoth.md'},
{'source': 'documents\\LuminousMoth.md'},
{'source': 'documents\\LuminousMoth.md'},
{'source': 'documents\\Machete.md'},
{'source': 'documents\\Machete.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\Magic_Hound.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\menuPass.md'},
{'source': 'documents\\Metador.md'},
{'source': 'documents\\Metador.md'},
{'source': 'documents\\Moafee.md'},
{'source': 'documents\\Mofang.md'},
{'source': 'documents\\Molerats.md'},
{'source': 'documents\\Molerats.md'},
{'source': 'documents\\Molerats.md'},
{'source': 'documents\\Moses_Staff.md'},
{'source': 'documents\\Moses_Staff.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\MuddyWater.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Mustang_Panda.md'},
{'source': 'documents\\Naikon.md'},
{'source': 'documents\\Naikon.md'},
{'source': 'documents\\Nomadic_Octopus.md'},
{'source': 'documents\\Nomadic_Octopus.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\OilRig.md'},
{'source': 'documents\\Orangeworm.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\Patchwork.md'},
{'source': 'documents\\PittyTiger.md'},
{'source': 'documents\\PLATINUM.md'},
{'source': 'documents\\PLATINUM.md'},
{'source': 'documents\\POLONIUM.md'},
{'source': 'documents\\POLONIUM.md'},
{'source': 'documents\\Poseidon_Group.md'},
{'source': 'documents\\Poseidon_Group.md'},
{'source': 'documents\\PROMETHIUM.md'},
{'source': 'documents\\PROMETHIUM.md'},
{'source': 'documents\\Putter_Panda.md'},
{'source': 'documents\\Rancor.md'},
{'source': 'documents\\Rocke.md'},
{'source': 'documents\\Rocke.md'},
{'source': 'documents\\Rocke.md'},
{'source': 'documents\\Rocke.md'},
{'source': 'documents\\Rocke.md'},
{'source': 'documents\\Rocke.md'},
{'source': 'documents\\RTM.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Sandworm_Team.md'},
{'source': 'documents\\Scarlet_Mimic.md'},
{'source': 'documents\\SideCopy.md'},
{'source': 'documents\\SideCopy.md'},
{'source': 'documents\\Sidewinder.md'},
{'source': 'documents\\Sidewinder.md'},
{'source': 'documents\\Sidewinder.md'},
{'source': 'documents\\Sidewinder.md'},
{'source': 'documents\\Sidewinder.md'},
{'source': 'documents\\Silence.md'},
{'source': 'documents\\Silence.md'},
{'source': 'documents\\Silence.md'},
{'source': 'documents\\Silence.md'},
{'source': 'documents\\Silent_Librarian.md'},
{'source': 'documents\\Silent_Librarian.md'},
{'source': 'documents\\Silent_Librarian.md'},
{'source': 'documents\\SilverTerrier.md'},
{'source': 'documents\\Sowbug.md'},
{'source': 'documents\\Sowbug.md'},
{'source': 'documents\\Stealth_Falcon.md'},
{'source': 'documents\\Stealth_Falcon.md'},
{'source': 'documents\\Stealth_Falcon.md'},
{'source': 'documents\\Strider.md'},
{'source': 'documents\\Suckfly.md'},
{'source': 'documents\\TA459.md'},
{'source': 'documents\\TA505.md'},
{'source': 'documents\\TA505.md'},
{'source': 'documents\\TA505.md'},
{'source': 'documents\\TA505.md'},
{'source': 'documents\\TA505.md'},
{'source': 'documents\\TA505.md'},
{'source': 'documents\\TA551.md'},
{'source': 'documents\\TA551.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TeamTNT.md'},
{'source': 'documents\\TEMP.Veles.md'},
{'source': 'documents\\TEMP.Veles.md'},
{'source': 'documents\\TEMP.Veles.md'},
{'source': 'documents\\TEMP.Veles.md'},
{'source': 'documents\\The_White_Company.md'},
{'source': 'documents\\The_White_Company.md'},
{'source': 'documents\\Threat_Group-1314.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Threat_Group-3390.md'},
{'source': 'documents\\Thrip.md'},
{'source': 'documents\\Tonto_Team.md'},
{'source': 'documents\\Tonto_Team.md'},
{'source': 'documents\\Tonto_Team.md'},
{'source': 'documents\\Transparent_Tribe.md'},
{'source': 'documents\\Transparent_Tribe.md'},
{'source': 'documents\\Transparent_Tribe.md'},
{'source': 'documents\\Tropic_Trooper.md'},
{'source': 'documents\\Tropic_Trooper.md'},
{'source': 'documents\\Tropic_Trooper.md'},
{'source': 'documents\\Tropic_Trooper.md'},
{'source': 'documents\\Tropic_Trooper.md'},
{'source': 'documents\\Tropic_Trooper.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Turla.md'},
{'source': 'documents\\Volatile_Cedar.md'},
{'source': 'documents\\Whitefly.md'},
{'source': 'documents\\Whitefly.md'},
{'source': 'documents\\Windigo.md'},
{'source': 'documents\\Windigo.md'},
{'source': 'documents\\Windshift.md'},
{'source': 'documents\\Windshift.md'},
{'source': 'documents\\Windshift.md'},
{'source': 'documents\\Windshift.md'},
{'source': 'documents\\Windshift.md'},
{'source': 'documents\\Winnti_Group.md'},
{'source': 'documents\\Winnti_Group.md'},
{'source': 'documents\\WIRTE.md'},
{'source': 'documents\\WIRTE.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\Wizard_Spider.md'},
{'source': 'documents\\ZIRCONIUM.md'},
{'source': 'documents\\ZIRCONIUM.md'},
{'source': 'documents\\ZIRCONIUM.md'},
{'source': 'documents\\ZIRCONIUM.md'}],
'documents': ['admin@338 - G0018\n\nCreated: 2017-05-31T21:31:53.579Z\n\nModified: 2020-03-18T19:54:59.120Z\n\nContributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.\n\nAliases\n\nadmin@338\n\nDescription\n\nadmin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)\n\nTechniques Used\n\nadmin@338 has sent emails with malicious Microsoft Office documents attached.(Citation: FireEye admin@338)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nadmin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.(Citation: FireEye admin@338)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nadmin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158.(Citation: FireEye admin@338)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nadmin@338 actors used the following commands following exploitation of a machine with\n\nLOWBALL malware to enumerate user accounts:\n\nadmin@338 actors used the following command to rename one of their tools to a benign file name:\n\nadmin@338 actors used the following command following exploitation of a machine with\n\nLOWBALL malware to list local groups:\n\nadmin@338 actors used the following commands after exploiting a machine with\n\nLOWBALL malware to obtain information about the OS:\n\nadmin@338 actors used the following command after exploiting a machine with\n\nLOWBALL malware to acquire information about local networks:\n\nadmin@338 actors used the following command following exploitation of a machine with\n\nLOWBALL malware to obtain information 
about services:\n\nadmin@338 actors used the following command following exploitation of a machine with\n\nLOWBALL malware to display network connections:\n\nadmin@338 actors used the following commands after exploiting a machine with',
'LOWBALL malware to obtain information about services:\n\nadmin@338 actors used the following command following exploitation of a machine with\n\nLOWBALL malware to display network connections:\n\nadmin@338 actors used the following commands after exploiting a machine with\n\nLOWBALL malware to obtain information about files and directories:\n\nLOWBALL malware,\n\nadmin@338 actors created a file containing a list of commands to be executed on the compromised computer.(Citation: FireEye admin@338)|',
'Ajax Security Team - G0130\n\nCreated: 2021-04-14T13:17:43.941Z\n\nModified: 2021-12-17T19:27:27.246Z\n\nContributors:\n\nAliases\n\nAjax Security Team,Operation Woolen-Goldfish,AjaxTM,Rocket Kitten,Flying Kitten,Operation Saffron Rose\n\nDescription\n\nAjax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)\n\nTechniques Used\n\nAjax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.(Citation: Check Point Rocket Kitten)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nAjax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.(Citation: Check Point Rocket Kitten)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nAjax Security Team has used various social media channels to spearphish victims.(Citation: FireEye Operation Saffron Rose 2013)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAjax Security Team has used personalized spearphishing attachments.(Citation: Check Point Rocket Kitten)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAjax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.(Citation: Check Point Rocket Kitten)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAjax Security Team has lured victims into executing malicious files.(Citation: FireEye Operation Saffron Rose 2013)|',
"ALLANITE - G1000\n\nCreated: 2017-05-31T21:31:57.307Z\n\nModified: 2022-05-24T19:26:10.721Z\n\nContributors: Dragos Threat Intelligence\n\nAliases\n\nALLANITE,Palmetto Fusion\n\nDescription\n\nALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly, although ALLANITEs technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|ics-attack|Human-Machine Interface|T0852|Screen Capture|ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)|\n|mitre-attack|ics-attack|None|T0817|Drive-by Compromise|ALLANITE leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)|\n|mitre-attack|ics-attack|Engineering Workstation,Human-Machine Interface,Control Server,Data Historian|T0865|Spearphishing Attachment|ALLANITE utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)|\n|mitre-attack|ics-attack|Control Server,Data Historian,Engineering Workstation,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server,Safety Instrumented System/Protection Relay|T0859|Valid Accounts|ALLANITE utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)|",
"Andariel - G0138\n\nCreated: 2021-09-29T15:10:19.236Z\n\nModified: 2022-11-30T22:51:40.270Z\n\nContributors: Kyoung-ju Kwak (S2W)\n\nAliases\n\nAndariel,Silent Chollima\n\nDescription\n\nAndariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)\n\nAndariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.\n\nTechniques Used\n\nAndariel has limited its watering hole attacks to specific IP address ranges.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nAndariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)|\n|mitre-attack|enterprise-attack|PRE|T1592.002|Software|",
'Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.(Citation: TrendMicro New Andariel Tactics July 2018)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nAndariel has used the\n\nAndariel has attempted to lure victims into enabling malicious macros within email attachments.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nAndariel has used\n\nAndariel has downloaded additional tools and malware onto compromised hosts.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nAndariel has hidden malicious executables within PNG files.(Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021)(Citation: Kaspersky Andariel Ransomware June 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nAndariel has collected large numbers of files from compromised network systems for later extraction.(Citation: FSI Andariel Campaign Rifle July 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAndariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|',
'Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: TrendMicro New Andariel Tactics July 2018)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nAndariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.(Citation: FSI Andariel Campaign Rifle July 2017)|',
'Aoqin Dragon - G1007\n\nCreated: 2022-07-14T14:32:47.582Z\n\nModified: 2022-10-24T18:50:40.179Z\n\nContributors: Hiroki Nagahama, NEC Corporation,Pooja Natarajan, NEC Corporation India,Manikantan Srinivasan, NEC Corporation India\n\nAliases\n\nAoqin Dragon\n\nDescription\n\nAoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)\n\nTechniques Used\n\nAoqin Dragon has used a dropper that employs a worm infection strategy using a removable device to breach a secure network environment.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nAoqin Dragon has used custom malware, including\n\nMongall and\n\nHeyoka Backdoor, in their operations.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nAoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nAoqin Dragon has used the Themida packer to obfuscate malicious payloads.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|\n\nAoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|',
'Aoqin Dragon has run scripts to identify file formats including Microsoft Word.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nAoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.(Citation: SentinelOne Aoqin Dragon June 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.(Citation: SentinelOne Aoqin Dragon June 2022)|',
'APT-C-36 - G0099\n\nCreated: 2020-05-05T18:53:08.166Z\n\nModified: 2021-05-26T20:17:53.085Z\n\nContributors: Jose Luis Sánchez Martinez\n\nAliases\n\nAPT-C-36,Blind Eagle\n\nDescription\n\nAPT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)\n\nTechniques Used\n\nAPT-C-36 obtained and used a modified variant of\n\nImminent Monitor.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nAPT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nAPT-C-36 has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nAPT-C-36 has used port 4050 for C2 communications.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nAPT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT-C-36 has used ConfuserEx to obfuscate its variant of\n\nImminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT-C-36 has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.(Citation: QiAnXin APT-C-36 Feb2019) |',
'APT1 - G0006\n\nCreated: 2017-05-31T21:31:47.955Z\n\nModified: 2021-05-26T12:23:48.842Z\n\nContributors:\n\nAliases\n\nAPT1,Comment Crew,Comment Group,Comment Panda\n\nDescription\n\nAPT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)\n\nTechniques Used\n\nAPT1 has used various open-source tools for privilege escalation purposes.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nAPT1 used publicly available malware for privilege escalation.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|\n\nAPT1 has created email accounts for later use in social engineering, phishing, and when registering domains.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT1 has sent spearphishing emails containing malicious attachments.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nAPT1 has sent spearphishing emails containing hyperlinks to malicious files.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|PRE|T1584.001|Domains|\n\nAPT1 hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nAPT1 has registered hundreds of domains for use in operations.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|',
'APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nAPT1 gathered a list of running processes on the system using\n\nAPT1 listed connected network shares.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nAPT1 used the\n\nAPT1 used a batch script to perform a series of discovery techniques and saves it to a text file.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nAPT1 used the commands\n\nAPT1 used the\n\nAPT1 used the commands\n\nAPT1 has collected files from a local victim.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nAPT1 has used RAR to compress files before moving them outside of the victim network.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|The\n\nAPT1 group is known to have used RDP during operations.(Citation: FireEye PLA)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nAPT1 has been known to use credential dumping using\n\nMimikatz.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nAPT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Windows|T1550.002|Pass the Hash|The',
"APT1 group is known to have used pass the hash.(Citation: Mandiant APT1)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by\n\nAPT1 as a name for malware.(Citation: Mandiant APT1)(Citation: Mandiant APT1 Appendix)|\n|mitre-attack|enterprise-attack|Windows|T1114.001|Local Email Collection|\n\nAPT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.(Citation: Mandiant APT1)|",
'APT12 - G0005\n\nCreated: 2017-05-31T21:31:47.537Z\n\nModified: 2020-03-30T18:44:59.268Z\n\nContributors:\n\nAliases\n\nAPT12,IXESHE,DynCalc,Numbered Panda,DNSCALC\n\nDescription\n\nAPT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)\n\nTechniques Used\n\nAPT12 has used multiple variants of\n\nDNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.(Citation: Meyers Numbered Panda)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nAPT12 has used blogs and WordPress for C2 infrastructure.(Citation: Meyers Numbered Panda)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT12 has sent emails with malicious Microsoft Office documents and PDFs attached.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAPT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAPT12 has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.(Citation: Moran 2014)(Citation: Trend Micro IXESHE 2012)|',
'APT16 - G0023\n\nCreated: 2017-05-31T21:31:56.270Z\n\nModified: 2022-07-26T23:33:26.354Z\n\nContributors:\n\nAliases\n\nAPT16\n\nDescription\n\nAPT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|PRE|T1584.004|Server|APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.(Citation: FireEye EPS Awakens Part 2)|',
'APT17 - G0025\n\nCreated: 2017-05-31T21:31:57.307Z\n\nModified: 2020-10-13T22:33:14.018Z\n\nContributors:\n\nAliases\n\nAPT17,Deputy Dog\n\nDescription\n\nAPT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|PRE|T1585|Establish Accounts|APT17 has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, APT17 has created biographical sections and posted in forum threads.(Citation: FireEye APT17)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.(Citation: FireEye APT17)|',
'APT18 - G0026\n\nCreated: 2017-05-31T21:31:57.733Z\n\nModified: 2020-03-30T18:46:16.853Z\n\nContributors:\n\nAliases\n\nAPT18,TG-0416,Dynamite Panda,Threat Group-0416\n\nDescription\n\nAPT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)\n\nTechniques Used\n\nAPT18 uses DNS for C2 communications.(Citation: PaloAlto DNS Requests May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nAPT18 establishes persistence via the\n\nAPT18 obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nAPT18 uses cmd.exe to execute commands on the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT18 can upload a file to the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nAPT18 can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT18 uses HTTP for C2 communications.(Citation: PaloAlto DNS Requests May 2016)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|',
'APT18 can collect system information from the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1053.002|At|\n\nAPT18 actors used the native\n\nat Windows task scheduler tool to use scheduled tasks for execution on a victim network.(Citation: Dell Lateral Movement)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nAPT18 actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAPT18 actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAPT18 actors deleted tools and batch files from victim systems.(Citation: Dell Lateral Movement)|',
"APT19 - G0073\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2023-03-21T20:44:02.443Z\n\nContributors: FS-ISAC,Darren Spruell\n\nAliases\n\nAPT19,Codoso,C0d0so0,Codoso Team,Sunshop Group\n\nDescription\n\nAPT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)\n\nTechniques Used\n\nAPT19 used Base64 to obfuscate executed commands.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nAPT19 has obtained and used publicly-available tools like\n\nEmpire.(Citation: NCSC Joint Report Public Tools)(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nAPT19 used\n\nPowerShell windows by setting the WindowStyle parameter to hidden. (Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nAPT19 configured its payload to inject into the rundll32.exe.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|An\n\nAPT19 Port 22 malware variant registers itself as a service.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|",
'APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAPT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT19 used Base64 to obfuscate payloads.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nAPT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nAPT19 used PowerShell commands to execute payloads.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nAPT19 downloaded and launched code within a SCT file.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|An\n\nAPT19 HTTP malware variant used Base64 to encode communications to the C2 server.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT19 used HTTP for C2 communications.',
'APT19 used HTTP for C2 communications.\n\nAPT19 also used an HTTP malware variant to communicate over HTTP for C2.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|An\n\nAPT19 HTTP malware variant decrypts strings using single-byte XOR keys.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|An\n\nAPT19 HTTP malware variant establishes persistence by setting the Registry key\n\nAPT19 used Regsvr32 to bypass application control techniques.(Citation: FireEye APT19)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nAPT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nAPT19 uses a Port 22 malware variant to modify several Registry keys.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nAPT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.(Citation: Unit 42 C0d0so0 Jan 2016)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nAPT19 collected system architecture information.\n\nAPT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016)|',
"APT28 - G0007\n\nCreated: 2017-05-31T21:31:48.664Z\n\nModified: 2023-03-26T17:51:20.401Z\n\nContributors: Sébastien Ruel, CGI,Drew Church, Splunk,Emily Ratliff, IBM,Richard Gold, Digital Shadows\n\nAliases\n\nAPT28,IRON TWILIGHT,SNAKEMACKEREL,Swallowtail,Group 74,Sednit,Sofacy,Pawn Storm,Fancy Bear,STRONTIUM,Tsar Team,Threat Group-4127,TG-4127\n\nDescription\n\nAPT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)",
'APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.\n\nTechniques Used\n\nAPT28 has used newly-created Blogspot pages for credential harvesting operations.(Citation: Google TAG Ukraine Threat Landscape March 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1598.003|Spearphishing Link|\n\nAPT28 has conducted credential phishing campaigns with embedded links to attacker-controlled domains.(Citation: Google TAG Ukraine Threat Landscape March 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1586.002|Email Accounts|\n\nAPT28 has used compromised email accounts to send credential phishing emails.(Citation: Google TAG Ukraine Threat Landscape March 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nAPT28 has compromised targets via strategic web compromise utilizing custom exploit kits.(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|',
"APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nAPT28 has renamed the WinRAR utility to avoid detection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nAPT28 has used\n\nTor and a variety of commercial VPN services to route brute force authentication attempts.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1030|Data Transfer Size Limits|\n\nAPT28 has split archived exfiltration files into chunks smaller than 1MB.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1048.002|Exfiltration Over Asymmetric Encrypted Non-C2 Protocol|\n\nAPT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows,macOS,SaaS,Office 365,Google Workspace,IaaS|T1213|Data from Information Repositories|\n\nAPT28 has collected files from various information repositories.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|",
"APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nAPT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nAPT28 has collected files from network shared drives.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1003.003|NTDS|\n\nAPT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nAPT28 has mapped network drives using\n\nNet and administrator credentials.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Office 365,Google Workspace|T1098.002|Additional Email Delegate Permissions|\n\nAPT28 has used a Powershell cmdlet to grant the\n\nAPT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nAPT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1588.002|Tool|",
"APT28 has obtained and used open-source tools like\n\nKoadic,\n\nMimikatz, and\n\nResponder.(Citation: Palo Alto Sofacy 06-2018)(Citation: Securelist Sofacy Feb 2018)(Citation: FireEye APT28 Hospitality Aug 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nAPT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1589.001|Credentials|\n\nAPT28 has harvested user's login credentials.(Citation: Microsoft Targeting Elections September 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1598|Phishing for Information|\n\nAPT28 has used spearphishing to compromise credentials.(Citation: Microsoft Targeting Elections September 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1567|Exfiltration Over Web Service|\n\nAPT28 can exfiltrate data over Google Drive.(Citation: TrendMicro Pawn Storm Dec 2020) |\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1595.002|Vulnerability Scanning|\n\nAPT28 has performed large-scale scans in an attempt to find vulnerable servers.(Citation: TrendMicro Pawn Storm 2019)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1090.003|Multi-hop Proxy|\n\nAPT28 has routed traffic over\n\nTor and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|",
'APT28 has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMicro Pawn Storm Dec 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nAPT28 has used Google Drive for C2.(Citation: TrendMicro Pawn Storm Dec 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nAPT28 can perform brute force attacks to obtain credentials.(Citation: TrendMicro Pawn Storm 2019)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Microsoft Targeting Elections September 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1583.001|Domains|\n\nAPT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.(Citation: FireEye APT28)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Google TAG Ukraine Threat Landscape March 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1498|Network Denial of Service|In 2016,\n\nAPT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.(Citation: US District Court Indictment GRU Oct 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|',
'APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110.001|Password Guessing|\n\nAPT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)\n\nAPT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nAPT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: Microsoft Targeting Elections September 2020)\n\nAPT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nAPT28 regularly deploys both publicly available (ex:',
'APT28 regularly deploys both publicly available (ex:\n\nMimikatz) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)(Citation: US District Court Indictment GRU Oct 2018) |\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1071.001|Web Protocols|Later implants used by\n\nAPT28, such as\n\nCHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nAPT28 has used the WindowStyle parameter to conceal\n\nPowerShell windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|SaaS,Office 365,Azure AD,Google Workspace,Containers|T1528|Steal Application Access Token|\n\nAPT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as "Google Defender" "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".(Citation: Trend Micro Pawn Storm OAuth 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Office 365,SaaS,Google Workspace,Containers,IaaS,Azure AD|T1550.001|Application Access Token|\n\nAPT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.(Citation: Trend Micro Pawn Storm OAuth 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|',
'APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1221|Template Injection|\n\nAPT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. (Citation: Unit42 Sofacy Dec 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAPT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.(Citation: Securelist Sofacy Feb 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1014|Rootkit|\n\nAPT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as\n\nLoJax.(Citation: Symantec APT28 Oct 2018)(Citation: ESET LoJax Sept 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1059.001|PowerShell|\n\nAPT28 downloads and executes PowerShell scripts and performs PowerShell commands.(Citation: Palo Alto Sofacy 06-2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nAPT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nAPT28 has collected emails from victim Microsoft Exchange servers.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|',
'APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|Once\n\nAPT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.(Citation: DOJ GRU Indictment Jul 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nAPT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nAPT28 has saved files with hidden file attributes.(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Office 365|T1213.002|Sharepoint|\n\nAPT28 has collected information from Microsoft SharePoint services within target networks.(Citation: RSAC 2015 Abu Dhabi Stefano Maccaglia)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1037.001|Logon Script (Windows)|An\n\nAPT28 loader Trojan adds the Registry key\n\nAPT28 has used CVE-2015-4902 to bypass security features.(Citation: Bitdefender APT28 Dec 2015)(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nAPT28 has retrieved internal documents from machines inside victim environments, including by using\n\nForfiles to stage documents before exfiltration.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|An\n\nAPT28 macro uses the command',
'APT28 macro uses the command\n\nAPT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)(Citation: MS17-010 March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1059.003|Windows Command Shell|An\n\nAPT28 loader Trojan uses a cmd.exe and batch script to run its payload.(Citation: Unit 42 Playbook Dec 2017) The group has also used macros to execute payloads.(Citation: Talos Seduploader Oct 2017)(Citation: Unit42 Cannon Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network,IaaS|T1040|Network Sniffing|\n\nAPT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)\n\nAPT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.(Citation: US District Court Indictment GRU Oct 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nAPT28 has delivered\n\nJHUHUGIT and\n\nKoadic by executing PowerShell commands through DDE in Word documents.(Citation: McAfee APT28 DDE1 Nov 2017)(Citation: McAfee APT28 DDE2 Nov 2017)(Citation: Palo Alto Sofacy 06-2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1134.001|Token Impersonation/Theft|',
"APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Office 365|T1137.002|Office Test|\n\nAPT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key\n\nAPT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.(Citation: DOJ GRU Indictment Jul 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nAPT28 has used\n\nForfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAPT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.(Citation: Trend Micro Pawn Storm April 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|An",
"APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.(Citation: Unit 42 Playbook Dec 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nAPT28 has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1550.002|Pass the Hash|\n\nAPT28 has used pass the hash for lateral movement.(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1025|Data from Removable Media|An\n\nAPT28 backdoor may collect the entire contents of an inserted USB device.(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1092|Communication Through Removable Media|\n\nAPT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted.(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,macOS,Linux|T1120|Peripheral Device Discovery|\n\nAPT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT28 encrypted a .dll payload using RTL and a custom encryption algorithm.",
'APT28 encrypted a .dll payload using RTL and a custom encryption algorithm.\n\nAPT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nAPT28 has used tools to take screenshots from victims.(Citation: ESET Sednit Part 2)(Citation: XAgentOSX 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows|T1542.003|Bootkit|\n\nAPT28 has deployed a bootkit along with\n\nDowndelph to ensure its persistence on the victim. The bootkit shares code with some variants of\n\nBlackEnergy.(Citation: ESET Sednit Part 3)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1091|Replication Through Removable Media|\n\nAPT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.(Citation: Microsoft SIR Vol 19)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nAPT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.(Citation: Bitdefender APT28 Dec 2015)(Citation: Microsoft SIR Vol 19)(Citation: Securelist Sofacy Feb 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1546.015|Component Object Model Hijacking|\n\nAPT28 has used COM hijacking for persistence by replacing the legitimate',
'APT28 has used COM hijacking for persistence by replacing the legitimate\n\nAPT28 has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1003.001|LSASS Memory|\n\nAPT28 regularly deploys both publicly available (ex:\n\nMimikatz) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018) They have also dumped the LSASS process memory using the MiniDump function.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Playbook Dec 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nAPT28 has cleared event logs, including by using the commands\n\nAPT28 has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1071.003|Mail Protocols|\n\nAPT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1090.002|External Proxy|',
'APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.\n\nAPT28 has also used a machine to relay and obscure communications between\n\nCHOPSTICK and their server.(Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1001.001|Junk Data|\n\nAPT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.(Citation: FireEye APT28)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1218.011|Rundll32|\n\nAPT28 executed\n\nCHOPSTICK by using rundll32 commands such as\n\nAPT28 also executed a .dll for a first stage dropper using rundll32.exe. An\n\nAPT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.(Citation: Crowdstrike DNC June 2016)(Citation: Bitdefender APT28 Dec 2015)(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: ESET Zebrocy May 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)|',
"APT29 - G0016\n\nCreated: 2017-05-31T21:31:52.748Z\n\nModified: 2023-04-16T22:25:01.191Z\n\nContributors: Daniyal Naeem, BT Security,Matt Brenton, Zurich Insurance Group,Katie Nickels, Red Canary,Joe Gumke, U.S. Bank\n\nAliases\n\nAPT29,IRON RITUAL,IRON HEMLOCK,NobleBaron,Dark Halo,StellarParticle,NOBELIUM,UNC2452,YTTRIUM,The Dukes,Cozy Bear,CozyDuke,SolarStorm,Blue Kitsune\n\nDescription\n\nAPT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)\n\nTechniques Used",
"Techniques Used\n\nAPT29 has used residential proxies, including Azure Virtual Machines, to obfuscate their access to victim environments.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nAPT29 has collected emails from targeted mailboxes within a compromised Azure AD tenant.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Google Workspace|T1098.002|Additional Email Delegate Permissions|\n\nAPT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with\n\nAPT29 has gained access to a global administrator account in Azure AD.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAPT29 has used a compromised account to access an organization's VPN infrastructure.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Azure AD,Windows,SaaS|T1098.005|Device Registration|\n\nAPT29 has enrolled a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110.001|Password Guessing|\n\nAPT29 has successfully conducted password guessing attacks against a list of mailboxes.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|",
'APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|IaaS,Azure AD,Office 365,SaaS,Google Workspace|T1059.009|Cloud API|\n\nAPT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell Modules to access the API (Citation: MSTIC Nobelium Toolset May 2021)|\n|mitre-attack|enterprise-attack|IaaS,Azure AD|T1651|Cloud Administration Command|\n\nAPT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.(Citation: MSTIC Nobelium Oct 2021)|\n|mitre-attack|enterprise-attack|Office 365,Azure AD,SaaS,IaaS,Google Workspace|T1021.007|Cloud Services|\n\nAPT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.(Citation: Mandiant Remediation and Hardening Strategies for Microsoft 365)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,SaaS,Google Workspace,Office 365,IaaS|T1556.007|Hybrid Identity|\n\nAPT29 has edited the\n\nAPT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.(Citation: Mandiant APT29 Trello)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Linux,macOS,IaaS,SaaS,Azure AD,Google Workspace|T1621|Multi-Factor Authentication Request Generation|\n\nAPT29 has used repeated MFA requests to gain access to victim accounts.(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1027.006|HTML Smuggling|',
'APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.(Citation: ESET T3 Threat Report 2021) |\n|mitre-attack|enterprise-attack|PRE|T1586.002|Email Accounts|\n\nAPT29 has compromised email accounts to further enable phishing campaigns and taken control of dormant accounts.(Citation: ANSSI Nobelium Phishing December 2021)(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Azure AD,Office 365,SaaS,IaaS,Google Workspace|T1087.004|Cloud Account|\n\nAPT29 has conducted enumeration of Azure AD accounts.(Citation: MSTIC Nobelium Oct 2021)|\n|mitre-attack|enterprise-attack|Azure AD,Office 365,IaaS,Google Workspace,SaaS|T1136.003|Cloud Account|\n\nAPT29 can create new users through Azure AD.(Citation: MSTIC Nobelium Oct 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1573|Encrypted Channel|\n\nAPT29 has used multiple layers of encryption within malware to protect C2 communication.(Citation: Secureworks IRON HEMLOCK Profile)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nAPT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.(Citation: ESET T3 Threat Report 2021)|\n|mitre-attack|enterprise-attack|Windows|T1553.005|Mark-of-the-Web Bypass|\n\nAPT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.(Citation: ESET T3 Threat Report 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nAPT29 has use\n\nAPT29 has obtained and used a variety of tools including\n\nMimikatz,\n\nSDelete,\n\nTor,\n\nmeek, and',
'APT29 has use\n\nAPT29 has obtained and used a variety of tools including\n\nMimikatz,\n\nSDelete,\n\nTor,\n\nmeek, and\n\nCobalt Strike.(Citation: Mandiant No Easy Breach)(Citation: F-Secure The Dukes)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nAPT29 used large size files to avoid detection by security solutions with hardcoded size limits.(Citation: SentinelOne NobleBaron June 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nAPT29 has conducted brute force password spray attacks.(Citation: MSRC Nobelium June 2021)(Citation: MSTIC Nobelium Oct 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nAPT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.(Citation: MSTIC NOBELIUM May 2021)|\n|mitre-attack|enterprise-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|\n\nAPT29 has compromised IT, cloud services, and managed services providers to gain broad access to multiple customers for subsequent operations.(Citation: MSTIC Nobelium Oct 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nAPT29 has installed web shells on exploited Microsoft Exchange servers.(Citation: Cybersecurity Advisory SVR TTP May 2021)|\n|mitre-attack|enterprise-attack|PRE|T1595.002|Vulnerability Scanning|\n\nAPT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.(Citation: Cybersecurity Advisory SVR TTP May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|',
'APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT29 has downloaded additional tools and malware onto compromised networks.(Citation: Mandiant No Easy Breach)(Citation: PWC WellMess July 2020)(Citation: F-Secure The Dukes)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nAPT29 has used unique malware in many of their operations.(Citation: F-Secure The Dukes)(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Toolset May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nAPT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.(Citation: SentinelOne NobleBaron June 2021)(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nAPT29 has used compromised identities to access networks via VPNs and Citrix.(Citation: NCSC APT29 July 2020)(Citation: Mandiant APT29 Microsoft 365 2022)|\n|mitre-attack|enterprise-attack|PRE|T1587.003|Digital Certificates|\n\nAPT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nAPT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as\n\nHAMMERTOSS.',
'APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as\n\nHAMMERTOSS.\n\nAPT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.(Citation: FireEye APT29)(Citation: MSTIC NOBELIUM May 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nAPT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: NCSC APT29 July 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nAPT29 has developed malware variants written in Python.(Citation: Symantec Seaduke 2015)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: MSTIC NOBELIUM May 2021)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAPT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.(Citation: F-Secure The Dukes)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: MSTIC NOBELIUM May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|',
'APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAPT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. (Citation: F-Secure The Dukes)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.004|Domain Fronting|\n\nAPT29 has used the meek domain fronting plugin for\n\nTor to hide the destination of C2 traffic.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090.003|Multi-hop Proxy|A backdoor used by\n\nAPT29 created a\n\nTor hidden service to forward traffic from the\n\nTor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Oct 2021)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|\n\nAPT29 has bypassed UAC.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nAPT29 used WMI to steal credentials and execute backdoors at a future time.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|',
'APT29 used UPX to pack files.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nAPT29 has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nAPT29 has used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Windows|T1546.008|Accessibility Features|\n\nAPT29 used sticky-keys to obtain unauthenticated, privileged console access.(Citation: Mandiant No Easy Breach)(Citation: FireEye APT29 Domain Fronting)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nAPT29 added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Windows|T1550.003|Pass the Ticket|\n\nAPT29 used Kerberos ticket attacks for lateral movement.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAPT29 has used\n\nSDelete to remove artifacts from victim networks.(Citation: Mandiant No Easy Breach)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nAPT29 has used encoded PowerShell scripts uploaded to\n\nCozyCar installations to download and install\n\nSeaDuke.(Citation: Symantec Seaduke 2015)(Citation: Mandiant No Easy Breach)(Citation: ESET T3 Threat Report 2021)(Citation: Secureworks IRON HEMLOCK Profile)|',
"APT3 - G0022\n\nCreated: 2017-05-31T21:31:55.853Z\n\nModified: 2021-10-01T19:09:20.817Z\n\nContributors: Patrick Sungbahadoor\n\nAliases\n\nAPT3,Gothic Panda,Pirpi,UPS Team,Buckeye,Threat Group-0110,TG-0110\n\nDescription\n\nAPT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)\n\nTechniques Used\n\nAPT3 has sent spearphishing emails containing malicious links.(Citation: FireEye Clandestine Wolf)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nAPT3 has lured victims into clicking malicious links delivered through spearphishing.(Citation: FireEye Clandestine Wolf)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAPT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Clandestine Fox)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nAPT3 has used tools to dump passwords from browsers.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nAPT3 has been known to use",
'APT3 has been known to use\n\nPowerShell windows.(Citation: FireEye Operation Double Tap)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|An\n\nAPT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,IaaS,Linux,macOS,Google Workspace,SaaS,Network|T1098|Account Manipulation|\n\nAPT3 has been known to add created accounts to local admin groups to maintain elevated access.(Citation: aptsim)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,Azure AD,Network|T1110.002|Password Cracking|\n\nAPT3 has been known to brute force password hashes to be able to leverage plain text credentials.(Citation: APT3 Adversary Emulation Plan)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nAPT3 has been known to pack their tools.(Citation: APT3 Adversary Emulation Plan)(Citation: FireEye Clandestine Wolf) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|\n\nAPT3 has been known to remove indicators of compromise from tools.(Citation: APT3 Adversary Emulation Plan)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nAPT3 has a tool that can run DLLs.(Citation: FireEye Clandestine Fox)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nAPT3 has a tool that looks for files and directories on the local file system.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'APT3 has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nAPT3 has a tool that exfiltrates data over the C2 channel.(Citation: FireEye Clandestine Fox)|\n|mitre-attack|enterprise-attack|Windows|T1546.008|Accessibility Features|\n\nAPT3 replaces the Sticky Keys binary\n\nAPT3 has a tool that can list out currently running processes.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nAPT3 has a tool that creates a new service for persistence.(Citation: FireEye Operation Double Tap)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAPT3 has a tool that can delete files.(Citation: FireEye Clandestine Fox)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nAPT3 has a tool that can enumerate current network connections.(Citation: Symantec Buckeye)(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nAPT3 has used tools to compress data before exfilling it.(Citation: aptsim)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nAPT3 has been known to create or enable accounts, such as\n\nAPT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nAPT3 enables the Remote Desktop Protocol for persistence.(Citation: aptsim)',
"APT3 enables the Remote Desktop Protocol for persistence.(Citation: aptsim)\n\nAPT3 has also interacted with compromised systems to browse and copy files through RDP sessions.(Citation: Twitter Cglyer Status Update APT3 eml)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|\n\nAPT3 leverages valid accounts after gaining credentials for use within the victim domain.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nAPT3 has been known to stage files for exfiltration in a single location.(Citation: aptsim)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nAPT3 will identify Microsoft Office documents on the victim's computer.(Citation: aptsim)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nAPT3 has a tool that can obtain information about the local system.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nAPT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nAPT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.(Citation: FireEye Clandestine Fox)(Citation: FireEye Clandestine Fox Part 2)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|",
'APT3 has a tool that can detect the existence of remote systems.(Citation: Symantec Buckeye)(Citation: FireEye Clandestine Fox)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1069|Permission Groups Discovery|\n\nAPT3 has a tool that can enumerate the permissions associated with Windows groups.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT3 obfuscates files or information to help evade defensive measures.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nAPT3 places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nAPT3 has used a tool that can obtain info about local and global group users, power users, and administrators.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nAPT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nAPT3 has used a keylogging tool that records keystrokes in encrypted files.(Citation: Symantec Buckeye)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|A keylogging tool used by\n\nAPT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|An\n\nAPT3 downloader uses the Windows command',
'APT3 downloader uses the Windows command\n\nAPT3 downloader creates persistence by creating the following scheduled task:\n\nAPT3 has used PowerShell on victim systems to download and run payloads after exploitation.(Citation: FireEye Operation Double Tap)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|An\n\nAPT3 downloader uses the Windows command\n\nAPT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.(Citation: FireEye Operation Double Tap)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|An\n\nAPT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)|',
'APT30 - G0013\n\nCreated: 2017-05-31T21:31:51.026Z\n\nModified: 2020-07-29T19:34:28.999Z\n\nContributors:\n\nAliases\n\nAPT30\n\nDescription\n\nAPT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|APT30 has used spearphishing emails with malicious DOC attachments.(Citation: FireEye APT30)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: FireEye APT30)|',
"APT32 - G0050\n\nCreated: 2017-12-14T16:46:06.044Z\n\nModified: 2023-03-21T21:04:18.158Z\n\nContributors: Romain Dumont, ESET\n\nAliases\n\nAPT32,SeaLotus,OceanLotus,APT-C-00\n\nDescription\n\nAPT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)\n\nTechniques Used\n\nAPT32's backdoor has stored its configuration in a registry key.(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nAPT32 has used the\n\nAPT32 has obtained and used tools such as\n\nMimikatz and\n\nCobalt Strike, and a variety of other open-source tools from GitHub.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nAPT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|PRE|T1608.004|Drive-by Target|\n\nAPT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|PRE|T1589|Gather Victim Identity Information|",
'APT32 has conducted targeted surveillance against activists and bloggers.(Citation: Amnesty Intl. Ocean Lotus February 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nAPT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.(Citation: Amnesty Intl. Ocean Lotus February 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nAPT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|\n\nAPT32 has used malicious links to direct users to web pages designed to harvest credentials.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nAPT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nAPT32 has set up and operated websites to gather information and deliver malware.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|\n\nAPT32 has set up Facebook pages in tandem with fake websites.(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nAPT32 has used JavaScript for drive-by downloads and C2 communications.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|',
'APT32 has used COM scriptlets to download Cobalt Strike beacons.(Citation: Cybereason Cobalt Kitty 2017) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nAPT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nAPT32 has disguised a Cobalt Strike beacon as a Flash Installer.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nAPT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nAPT32 malware has injected a Cobalt Strike beacon into Rundll32.exe.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nAPT32 malware has used rundll32.exe to execute an initial infection process.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nAPT32 used the\n\nAPT32 has deployed tools after moving laterally using administrative accounts.(Citation: Cybereason Cobalt Kitty 2017) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|An\n\nAPT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|',
'APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system.\n\nAPT32 also creates a Windows service to establish persistence.(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nAPT32 used GetPassword_x64 to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1552.002|Credentials in Registry|\n\nAPT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nAPT32 enumerated administrative users using the commands\n\nAPT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.(Citation: Twitter ItsReallyNick APT32 pubprn Masquerade)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nAPT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name.\n\nAPT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".(Citation: FireEye APT32 May 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nAPT32 has used macros, COM scriptlets, and VBS scripts.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.003|Mail Protocols|',
"APT32 has used email for C2 via an Office macro.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|\n\nAPT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nAPT32 has used the WindowStyle parameter to conceal\n\nPowerShell windows. (Citation: FireEye APT32 May 2017) (Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nAPT32 has used cmd.exe for execution.(Citation: Cybereason Cobalt Kitty 2017) |\n|mitre-attack|enterprise-attack|macOS,Linux|T1222.002|Linux and Mac File and Directory Permissions Modification|\n\nAPT32's macOS backdoor changes the permission of the file it wants to execute to 755.(Citation: ESET OceanLotus macOS April 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAPT32's macOS backdoor can receive a “delete” command.(Citation: ESET OceanLotus macOS April 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nAPT32's macOS backdoor hides the clientID file via a chflags function.(Citation: ESET OceanLotus macOS April 2019)|\n|mitre-attack|enterprise-attack|Windows|T1569.002|Service Execution|\n\nAPT32's backdoor has used Windows services as a way to execute its malicious payload. (Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|",
"APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. (Citation: ESET OceanLotus Mar 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nAPT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|\n\nAPT32's backdoor can query the Windows Registry to gather system information. (Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nAPT32's backdoor possesses the capability to list files and directories on a machine. (Citation: ESET OceanLotus Mar 2019)\n\nAPT32's backdoor has exfiltrated data using the already opened channel with its C&C server.(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAPT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Windows,Office 365|T1137|Office Application Startup|\n\nAPT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nAPT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|",
'APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nAPT32 has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: FireEye APT32 April 2020)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nAPT32 has used mshta.exe for code execution.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nAPT32 used the\n\nAPT32 used the\n\nAPT32 has enumerated DC servers using the command\n\nAPT32 used NTFS alternate data streams to hide their payloads.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nAPT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1550.002|Pass the Hash|\n\nAPT32 has used pass the hash for lateral movement.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|',
"APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1550.003|Pass the Ticket|\n\nAPT32 successfully gained remote access by using pass the ticket.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nAPT32 used\n\nNet to use Windows' hidden network shares to copy their tools to remote machines for execution.(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nAPT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server.\n\nAPT32 executed shellcode to identify the name of the infected host.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020)|\n|mitre-attack|enterprise-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nAPT32 has cleared select event log entries.(Citation: FireEye APT32 May 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|",
"APT32 has infected victims by tricking them into visiting compromised watering hole websites.(Citation: ESET OceanLotus)(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAPT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nAPT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nAPT32 includes garbage code to mislead anti-malware software and researchers.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nAPT32 collected the victim's username and executed the\n\nAPT32 executed shellcode to collect the username on the victim's machine. (Citation: FireEye APT32 April 2020)(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Windows|T1216.001|PubPrn|",
'APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.(Citation: Twitter ItsReallyNick Status Update APT32 PubPrn)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nAPT32 has used Web shells to maintain access to victim websites.(Citation: Volexity OceanLotus Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.(Citation: Volexity OceanLotus Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1072|Software Deployment Tools|\n\nAPT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.(Citation: FireEye APT32 May 2017)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|\n\nAPT32 created a\n\nScheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017) |\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|',
'APT32 has used scheduled tasks to persist on victim systems.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nAPT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update.\n\nAPT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. (Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.006|Timestomp|\n\nAPT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally,\n\nAPT32 has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nAPT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC).',
'APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC).\n\nAPT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nAPT32 has used CVE-2016-7255 to escalate privileges.(Citation: FireEye APT32 May 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nAPT32 has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017)|',
'APT33 - G0064\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2023-03-08T22:07:25.123Z\n\nContributors: Dragos Threat Intelligence\n\nAliases\n\nAPT33,HOLMIUM,Elfin\n\nDescription\n\nAPT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)\n\nTechniques Used\n\nAPT33 has obtained and leveraged publicly-available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nAPT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT33 has sent spearphishing e-mails with archive attachments.(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAPT33 has used malicious e-mail attachments to lure victims into executing malware.(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nAPT33 has used VBScript to initiate the delivery of payloads.(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Azure AD,Office 365,SaaS,IaaS,Google Workspace|T1078.004|Cloud Accounts|\n\nAPT33 has used compromised Office 365 accounts in tandem with',
'APT33 has used compromised Office 365 accounts in tandem with\n\nRuler in an attempt to gain control of endpoints.(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nAPT33 has used HTTP over TCP ports 808 and 880 for command and control.(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1552.006|Group Policy Preferences|\n\nAPT33 has used a variety of publicly available tools like Gpppassword to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nAPT33 has used a variety of publicly available tools like\n\nLaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nAPT33 has used a variety of publicly available tools like\n\nLaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.005|Cached Domain Credentials|\n\nAPT33 has used a variety of publicly available tools like\n\nLaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.004|LSA Secrets|\n\nAPT33 has used a variety of publicly available tools like\n\nLaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|',
'APT33 has used a variety of publicly available tools like\n\nLaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nAPT33 has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nAPT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|\n\nAPT33 has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT33 has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nAPT33 has used base64 to encode command and control traffic.(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nAPT33 has created a scheduled task to execute a .vbe file multiple times a day.(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|',
'APT33 has used FTP to exfiltrate files (separately from the C2 channel).(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT33 has used HTTP for command and control.(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nAPT33 has deployed a tool known as\n\nDarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|\n\nAPT33 has utilized PowerShell to download files from the C2 server and run various scripts. (Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT33 has downloaded additional files and programs from its C2 server.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)\n\nAPT33 has used WinRAR to compress data prior to exfil.(Citation: Symantec Elfin Mar 2019) \n|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.001|LSASS Memory|\n\nAPT33 has used a variety of publicly available tools like\n\nLaZagne,\n\nMimikatz, and ProcDump to dump credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network,IaaS|T1040|Network Sniffing|',
"APT33 has used SniffPass to collect credentials by sniffing network traffic.(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAPT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nAPT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAPT33 has used valid accounts for initial access and privilege escalation.(Citation: FireEye APT33 Webinar Sept 2017)(Citation: FireEye APT33 Guardrail)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nAPT33 has sent spearphishing emails containing links to .hta files.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Human-Machine Interface|T0852|Screen Capture|\n\nAPT33 utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Engineering Workstation|T0853|Scripting|",
"APT33 utilized PowerShell scripts to establish command and control and install files for execution. (Citation: Symantec March 2019) (Citation: Dragos)|\n|mitre-attack|enterprise-attack,ics-attack|Engineering Workstation,Human-Machine Interface,Control Server,Data Historian|T0865|Spearphishing Attachment|\n\nAPT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017)\n\nAPT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)|",
'APT37 - G0067\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2021-10-15T16:54:01.193Z\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.\n\nAliases\n\nAPT37,Richochet Chollima,InkySquid,ScarCruft,Reaper,Group123,TEMP.Reaper\n\nDescription\n\nAPT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.\n\nTechniques Used\n\nAPT37 has used Ruby scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nAPT37 has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nAPT37 has created scheduled tasks to run malicious scripts on a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|',
'APT37 executes shellcode and a VBA script to decode Base64 strings.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nAPT37 uses steganography to send images to users that are embedded with shellcode.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1529|System Shutdown/Reboot|\n\nAPT37 has used malware that will issue the command\n\nAPT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.(Citation: Securelist ScarCruft May 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1120|Peripheral Device Discovery|\n\nAPT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. (Citation: Securelist ScarCruft May 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nAPT37 collects the computer name, the BIOS model, and execution path.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nAPT37 identifies the victim username.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT37 obfuscates strings and payloads.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|',
"APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nAPT37's Freenki malware lists running processes using the Microsoft Windows API.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nAPT37 injects its malware variant,\n\nROKRAT, into the cmd.exe process.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT37 uses HTTPS to conceal C2 communications.(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nAPT37 has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nAPT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.(Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Volexity InkySquid BLUELIGHT August 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|",
"APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.(Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Volexity InkySquid BLUELIGHT August 2021)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nAPT37 has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT37 delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1123|Audio Capture|\n\nAPT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.(Citation: FireEye APT37 Feb 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nAPT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.(Citation: FireEye APT37 Feb 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1036.001|Invalid Code Signature|\n\nAPT37 has signed its malware with an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”(Citation: Securelist ScarCruft Jun 2016)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nAPT37's has added persistence via the Registry key",
"APT37's has added persistence via the Registry key\n\nAPT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nAPT37 has collected data from victims' local systems.(Citation: FireEye APT37 Feb 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nAPT37 has sent spearphishing attachments attempting to get a user to open them.(Citation: FireEye APT37 Feb 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1561.002|Disk Structure Wipe|\n\nAPT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT37 has downloaded second stage malware from compromised websites.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid BLUELIGHT August 2021)(Citation: Volexity InkySquid RokRAT August 2021)|",
'APT38 - G0082\n\nCreated: 2019-01-29T21:27:24.793Z\n\nModified: 2022-01-18T17:13:14.610Z\n\nContributors:\n\nAliases\n\nAPT38,NICKEL GLADSTONE,BeagleBoyz,Bluenoroff,Stardust Chollima\n\nDescription\n\nAPT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.\n\nTechniques Used\n\nAPT38 has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|\n\nAPT38 has obtained and used open-source tools such as\n\nMimikatz.(Citation: ESET Lazarus KillDisk April 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.006|Timestomp|',
'APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nAPT38 has enumerated network shares on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nAPT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nAPT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1543.003|Windows Service|\n\nAPT38 has installed a new Windows service to establish persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nAPT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|',
'APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1562.003|Impair Command History Logging|\n\nAPT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nAPT38 has used web shells for persistence or to ensure redundant access.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nAPT38 have enumerated files and directories, or searched in specific locations within a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1217|Browser Information Discovery|\n\nAPT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|\n\nAPT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|',
"APT38 has collected data from a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1569.002|Service Execution|\n\nAPT38 has created new services or modified existing ones to run executables, commands, or scripts.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1106|Native API|\n\nAPT38 has used the Windows API to execute code within a victim's system.(Citation: CISA AA20-239A BeagleBoyz August 2020) |\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nAPT38 has used VBScript to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nAPT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|\n\nAPT38 has used PowerShell to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.011|Rundll32|\n\nAPT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|",
"APT38 has attempted to lure victims into enabling malicious macros within email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS|T1053.003|Cron|\n\nAPT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT38 has conducted spearphishing campaigns using malicious email attachments.(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1529|System Shutdown/Reboot|\n\nAPT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nAPT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS|T1485|Data Destruction|\n\nAPT38 has used a custom secure delete function to make deleted files unrecoverable.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,IaaS|T1486|Data Encrypted for Impact|\n\nAPT38 has used Hermes ransomware to encrypt files with AES256.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1561.002|Disk Structure Wipe|",
'APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1565.001|Stored Data Manipulation|\n\nAPT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1565.002|Transmitted Data Manipulation|\n\nAPT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1565.003|Runtime Data Manipulation|\n\nAPT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nAPT38 has conducted watering holes schemes to gain initial access to victims.(Citation: FireEye APT38 Oct 2018)(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nAPT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|',
'APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1115|Clipboard Data|\n\nAPT38 used a Trojan called KEYLIME to collect data from the clipboard.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1112|Modify Registry|\n\nAPT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nAPT38 clears Window Event logs and Sysmon logs from the system.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAPT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.(Citation: FireEye APT38 Oct 2018)(Citation: CISA AA20-239A BeagleBoyz August 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nAPT38 leveraged Sysmon to understand the processes, services in the organization.(Citation: FireEye APT38 Oct 2018)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1027.002|Software Packing|',
'APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.(Citation: FireEye APT38 Oct 2018)|',
'APT39 - G0087\n\nCreated: 2019-02-19T16:01:38.585Z\n\nModified: 2022-09-02T18:03:29.024Z\n\nContributors:\n\nAliases\n\nAPT39,ITG07,Chafer,Remix Kitten\n\nDescription\n\nAPT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)\n\nTechniques Used\n\nAPT39 has modified and used customized versions of publicly-available tools like PLINK and\n\nMimikatz.(Citation: BitDefender Chafer May 2020)(Citation: IBM ITG07 June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1546.010|AppInit DLLs|\n\nAPT39 has used malware to set\n\nAPT39 has used malware to decrypt encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS|T1553.006|Code Signing Policy Modification|\n\nAPT39 has used malware to turn off the\n\nAPT39 has used malware to delete files after they are deployed on a compromised host.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT39 has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|',
'APT39 has exfiltrated stolen victim data through C2 communications.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nAPT39 has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1197|BITS Jobs|\n\nAPT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nAPT39 has used tools with the ability to search for files on a compromised host.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|\n\nAPT39 has used various strains of malware to query the Registry.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1056|Input Capture|\n\nAPT39 has utilized tools to capture mouse movements.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nAPT39 has utilized malicious VBS scripts in malware.(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nAPT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|',
'APT39 has used SQL injection for initial compromise.(Citation: Symantec Chafer February 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nAPT39 has used a screen capture utility to take screenshots on a compromised host.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nAPT39 has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nAPT39 has used various tools to steal files from the compromised host.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1115|Clipboard Data|\n\nAPT39 has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT39 has downloaded tools to compromised hosts.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nAPT39 has used SMB for lateral movement.(Citation: Symantec Chafer February 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nAPT39 has used different versions of Mimikatz to obtain credentials.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|',
'APT39 has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nAPT39 has used a command line utility and a network scanner written in python.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nAPT39 has used remote access tools that leverage DNS in communications with C2.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nAPT39 has communicated with C2 through files uploaded to and downloaded from DropBox.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nAPT39 has used PowerShell to execute malicious code.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nAPT39 has used the post exploitation tool\n\nCrackMapExec to enumerate network shares.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1569.002|Service Execution|\n\nAPT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|',
'APT39 has created accounts on multiple compromised hosts to perform actions within the network.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nAPT39 has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nAPT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nAPT39 has used Ncrack to reveal credentials.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nAPT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nAPT39 used\n\nRemexi to collect usernames from the system.(Citation: Symantec Chafer Dec 2015)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nAPT39 has packed tools with UPX, and has repacked a modified version of\n\nMimikatz to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nAPT39 has installed ANTAK and ASPXSPY web shells.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nAPT39 used secure shell (SSH) to move laterally among their targets.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAPT39 has used stolen credentials to compromise Outlook Web Access (OWA).(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nAPT39 has utilized AutoIt and custom scripts to perform internal reconnaissance.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nAPT39 has used\n\nCrackMapExec and a custom port scanner known as BLUETORCH for network scanning.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|',
'APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.001|Internal Proxy|\n\nAPT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nAPT39 has used WinRAR and 7-Zip to compress an archive stolen data.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nAPT39 has used\n\nNBTscan and custom tools to discover remote systems.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.009|Shortcut Modification|\n\nAPT39 has modified LNK shortcuts.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nAPT39 has created scheduled tasks for persistence.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nAPT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for mangement of multiple sessions.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|',
'APT39 has maintained persistence using the startup folder.(Citation: FireEye APT39 Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nAPT39 leveraged spearphishing emails with malicious links to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)|',
'APT41 - G0096\n\nCreated: 2019-09-23T13:43:36.945Z\n\nModified: 2023-03-23T15:45:58.846Z\n\nContributors: Kyaw Pyiyt Htet, @KyawPyiytHtet\n\nAliases\n\nAPT41,Wicked Panda\n\nDescription\n\nAPT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n\nTechniques Used\n\nAPT41 has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nAPT41 has obtained and used tools such as\n\nMimikatz,\n\npwdump,\n\nPowerSploit, and\n\nWindows Credential Editor.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nAPT41 has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nAPT41 has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nAPT41 has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|',
"APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nAPT41 has transferred implant files using Windows Admin Shares.(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1574.006|Dynamic Linker Hijacking|\n\nAPT41 has configured payloads to load via LD_PRELOAD.(Citation: Crowdstrike GTR2020 Mar 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1480.001|Environmental Keying|\n\nAPT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines.\n\nAPT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.(Citation: Twitter ItsReallyNick APT41 EK)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nAPT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020) |\n|mitre-attack|enterprise-attack|Windows|T1569.002|Service Execution|\n\nAPT41 used svchost.exe and\n\nNet to execute a system service installed to launch a\n\nCobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|macOS,Linux|T1059.004|Unix Shell|\n\nAPT41 executed\n\nAPT41 has executed\n\nAPT41 used exploit payloads that initiate download via\n\nftp.(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|",
'APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|Windows|T1197|BITS Jobs|\n\nAPT41 used\n\nBITSAdmin to download and install payloads.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1104|Multi-Stage Channels|\n\nAPT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAPT41 used\n\ncertutil to download additional files.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nAPT41 used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nAPT41 used the\n\nAPT41 has enumerated IP addresses of network resources and used the\n\nAPT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|',
'APT41 used legitimate executables to perform DLL side-loading of their malware.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAPT41 deleted files from the system.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Windows|T1218.001|Compiled HTML File|\n\nAPT41 used compiled HTML (.chm) files for targeting.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1008|Fallback Channels|\n\nAPT41 used the Steam community page as a fallback mechanism for C2.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nAPT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nAPT41 used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nAPT41 collected MAC addresses from victim machines.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nAPT41 has created user accounts.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|',
'APT41 has created user accounts.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nAPT41 used a compromised account to create a scheduled task on a system.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nAPT41 modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n\nAPT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1070.003|Clear Command History|\n\nAPT41 attempted to remove evidence of some of its activity by deleting Bash histories.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nAPT41 used\n\nAPT41 used a batch file to install persistence for the\n\nCobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS|T1486|Data Encrypted for Impact|\n\nAPT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.001|Dead Drop Resolver|\n\nAPT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1496|Resource Hijacking|',
'APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nAPT41 created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nAPT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nAPT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nAPT41 created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n\nAPT41 added a registry key in\n\nAPT41 used the WMIEXEC utility to execute\n\nAPT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via\n\nPowerSploit.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAPT41 used compromised credentials to log on to other systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|',
'APT41 used a keylogger called GEARSHIFT on a target system.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|\n\nAPT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1568.002|Domain Generation Algorithms|\n\nAPT41 has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nAPT41 used a tool called CLASSFON to covertly proxy network communications.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nAPT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.(Citation: FireEye APT41 Aug 2019)\n|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nAPT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nAPT41 attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|',
'APT41 leveraged PowerShell to deploy malware families in victims’ environments.(Citation: FireEye APT41 Aug 2019)(Citation: FireEye APT41 March 2020)|\n|mitre-attack|enterprise-attack|Windows|T1546.008|Accessibility Features|\n\nAPT41 leveraged sticky keys to establish persistence.(Citation: FireEye APT41 Aug 2019) |\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nAPT41 has used hashdump,\n\nMimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nAPT41 used RDP for lateral movement.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nAPT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,Azure AD,Network|T1110.002|Password Cracking|\n\nAPT41 performed password brute-force attacks on the local admin account.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows|T1542.003|Bootkit|\n\nAPT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.(Citation: FireEye APT41 Aug 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1014|Rootkit|',
'APT41 deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nAPT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)|',
'Aquatic Panda - G0143\n\nCreated: 2022-01-18T14:49:29.505Z\n\nModified: 2023-03-21T21:16:34.243Z\n\nContributors: NST Assure Research Team, NetSentries Technologies,Pooja Natarajan, NEC Corporation India,Hiroki Nagahama, NEC Corporation,Manikantan Srinivasan, NEC Corporation India\n\nAliases\n\nAquatic Panda\n\nDescription\n\nAquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)\n\nTechniques Used\n\nAquatic Panda has acquired and used\n\nCobalt Strike in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nAquatic Panda has acquired and used\n\nnjRAT in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nAquatic Panda has used DLL search-order hijacking to load\n\nAquatic Panda has encoded PowerShell commands in Base64.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nAquatic Panda has used native OS commands to understand privilege levels and system details.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nAquatic Panda has attempted to discover services for third party EDR products.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nAquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to',
'Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to\n\nAquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nAquatic Panda has deleted malicious executables from compromised machines.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nAquatic Panda has attempted to harvest credentials through LSASS memory dumping.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nAquatic Panda has downloaded additional malware onto compromised hosts.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nAquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nAquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|PRE|T1595.002|Vulnerability Scanning|\n\nAquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE 2021-44228).(Citation: CrowdStrike AQUATIC PANDA December 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nAquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)|',
'Axiom - G0001\n\nCreated: 2017-05-31T21:31:45.629Z\n\nModified: 2023-03-20T22:03:44.661Z\n\nContributors:\n\nAliases\n\nAxiom,Group 72\n\nDescription\n\nAxiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)\n\nTechniques Used\n\nAxiom has collected data from a compromised network.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|PRE|T1583.002|DNS Server|\n\nAxiom has acquired dynamic DNS services for use in the targeting of intended victims.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|PRE|T1583.003|Virtual Private Server|\n\nAxiom has used VPS hosting providers in targeting of intended victims.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nAxiom has compressed and encrypted data prior to exfiltration.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows|T1563.002|RDP Hijacking|\n\nAxiom has targeted victims with remote administration tools including RDP.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nAxiom has used previously compromised administrative accounts to escalate privileges.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|PRE|T1584.005|Botnet|',
'Axiom has used previously compromised administrative accounts to escalate privileges.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|PRE|T1584.005|Botnet|\n\nAxiom has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1553|Subvert Trust Controls|\n\nAxiom has used digital certificates to deliver malware.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nAxiom has used watering hole attacks to gain access.(Citation: Cisco Group 72)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,SaaS,Office 365,Google Workspace|T1566|Phishing|\n\nAxiom has used spear phishing to initially compromise victims.(Citation: Cisco Group 72)(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nAxiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893.(Citation: Cisco Group 72)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1001.002|Steganography|\n\nAxiom has used steganography to hide its C2 communications.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nAxiom has been observed using SQL injection to gain access to systems.(Citation: Novetta-Axiom)(Citation: Cisco Group 72)|\n|mitre-attack|enterprise-attack|Windows|T1546.008|Accessibility Features|',
'Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nAxiom has used RDP during operations.(Citation: Novetta-Axiom)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nAxiom has been known to dump credentials.(Citation: Novetta-Axiom)|',
"BackdoorDiplomacy - G0135\n\nCreated: 2021-09-21T14:52:49.596Z\n\nModified: 2021-10-18T19:47:11.389Z\n\nContributors: Zaw Min Htun, @Z3TAE\n\nAliases\n\nBackdoorDiplomacy\n\nDescription\n\nBackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)\n\nTechniques Used\n\nBackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nBackdoorDiplomacy has copied files of interest to the main drive's recycle bin.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nBackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nBackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nBackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|",
'BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nBackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nBackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor.\n\nBackdoorDiplomacy has also exploited mis-configured Plesk servers.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nBackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nBackdoorDiplomacy has dropped implants in folders named for legitimate software.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nBackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|',
'BackdoorDiplomacy has executed DLL search order hijacking.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nBackdoorDiplomacy has downloaded additional files and tools onto a compromised host.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nBackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.(Citation: ESET BackdoorDiplomacy Jun 2021)|\n|mitre-attack|enterprise-attack|Windows|T1055.001|Dynamic-link Library Injection|\n\nBackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.(Citation: ESET BackdoorDiplomacy Jun 2021)|',
'BITTER - G1002\n\nCreated: 2022-06-01T20:26:53.880Z\n\nModified: 2022-06-01T21:20:18.113Z\n\nContributors:\n\nAliases\n\nBITTER,T-APT-17\n\nDescription\n\nBITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)\n\nTechniques Used\n\nBITTER has registered domains to stage payloads.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nBITTER has registered a variety of domains to host malicious payloads and for C2.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nBITTER has exploited CVE-2021-1732 for privilege escalation.(Citation: DBAPPSecurity BITTER zero-day Feb 2021)(Citation: Microsoft CVE-2021-1732 Feb 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nBITTER has obtained tools such as PuTTY for use in their operations.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1568|Dynamic Resolution|\n\nBITTER has used DDNS for C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1573|Encrypted Channel|\n\nBITTER has encrypted their C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|',
'BITTER has used TCP for C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nBITTER has used HTTP POST requests for C2.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nBITTER has used a RAR SFX dropper to deliver malware.(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nBITTER has used scheduled tasks for persistence and execution.(Citation: Cisco Talos Bitter Bangladesh May 2022)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nBITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.(Citation: Cisco Talos Bitter Bangladesh May 2022) |\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nBITTER has disguised malware as a Windows Security update service.(Citation: Cisco Talos Bitter Bangladesh May 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nBITTER has downloaded additional malware and tools onto a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016) |\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|',
'BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nBITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nBITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)|',
"BlackOasis - G0063\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2018-10-17T00:14:20.652Z\n\nContributors:\n\nAliases\n\nBlackOasis\n\nDescription\n\nBlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.(Citation: Securelist BlackOasis Oct 2017)|",
'BlackTech - G0098\n\nCreated: 2020-05-05T18:36:45.970Z\n\nModified: 2022-04-06T13:14:27.477Z\n\nContributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.,Hannah Simes, BT Security\n\nAliases\n\nBlackTech,Palmerworm\n\nDescription\n\nBlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)\n\nTechniques Used\n\nBlackTech has obtained and used tools such as Putty, SNScan, and\n\nPsExec for its operations.(Citation: Symantec Palmerworm Sep 2020)|\n|mitre-attack|enterprise-attack|PRE|T1588.004|Digital Certificates|\n\nBlackTech has used valid, stolen digital certificates for some of their malware and tools.(Citation: ESET PLEAD Malware July 2018)|\n|mitre-attack|enterprise-attack|PRE|T1588.003|Code Signing Certificates|\n\nBlackTech has used stolen code-signing certificates for its malicious payloads.(Citation: Symantec Palmerworm Sep 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nBlackTech has used the SNScan tool to find other potential targets on victim networks.(Citation: Symantec Palmerworm Sep 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nBlackTech has used built-in API functions.(Citation: IronNet BlackTech Oct 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|',
'BlackTech has used built-in API functions.(Citation: IronNet BlackTech Oct 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nBlackTech has used Putty for remote access.(Citation: Symantec Palmerworm Sep 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nBlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.(Citation: Trend Micro Waterbear December 2019) |\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nBlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nBlackTech has used e-mails with malicious documents to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nBlackTech has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nBlackTech has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.002|Right-to-Left Override|',
'BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nBlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.(Citation: TrendMicro BlackTech June 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nBlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.(Citation: TrendMicro BlackTech June 2017)|',
"Blue Mockingbird - G0108\n\nCreated: 2020-05-26T20:09:39.139Z\n\nModified: 2021-10-12T21:46:13.007Z\n\nContributors: Tony Lambert, Red Canary\n\nAliases\n\nBlue Mockingbird\n\nDescription\n\nBlue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)\n\nTechniques Used\n\nBlue Mockingbird has obtained and used tools such as\n\nMimikatz.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.012|COR_PROFILER|\n\nBlue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nBlue Mockingbird has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nBlue Mockingbird has used wmic.exe to set environment variables.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nBlue Mockingbird has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockingbird May 2020) |\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nBlue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|",
'Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nBlue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1134|Access Token Manipulation|\n\nBlue Mockingbird has used JuicyPotato to abuse the\n\nBlue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nBlue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nBlue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nBlue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nBlue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1496|Resource Hijacking|',
'Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nBlue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nBlue Mockingbird has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nBlue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nBlue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nBlue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockingbird May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|\n\nBlue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockingbird May 2020) |\n|mitre-attack|enterprise-attack|Windows|T1569.002|Service Execution|\n\nBlue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.(Citation: RedCanary Mockingbird May 2020) |',
'BRONZE BUTLER - G0060\n\nCreated: 2018-01-16T16:13:52.465Z\n\nModified: 2021-10-12T19:42:16.869Z\n\nContributors: Trend Micro Incorporated\n\nAliases\n\nBRONZE BUTLER,REDBALDKNIGHT,Tick\n\nDescription\n\nBRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)\n\nTechniques Used\n\nBRONZE BUTLER has obtained and used open-source tools such as\n\nMimikatz,\n\ngsecdump, and\n\nWindows Credential Editor.(Citation: Symantec Tick Apr 2016)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nBRONZE BUTLER has used legitimate applications to side-load malicious DLLs.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nBRONZE BUTLER has used TROJ_GETVERSION to discover system services.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nBRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nBRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|',
'BRONZE BUTLER has used tools to enumerate software installed on an infected host.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nBRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nBRONZE BUTLER has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.002|Right-to-Left Override|\n\nBRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,Office 365,SaaS,Linux,macOS|T1080|Taint Shared Content|\n\nBRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nBRONZE BUTLER has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nBRONZE BUTLER has used\n\nschtasks to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|',
"BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nBRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.(Citation: Symantec Tick Apr 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nBRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nBRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.001|Dead Drop Resolver|\n\nBRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nBRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|\n\nBRONZE BUTLER has used",
'BRONZE BUTLER has used\n\nBRONZE BUTLER tools encode data with base64 when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nBRONZE BUTLER has used\n\nBRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic.\n\nBRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nBRONZE BUTLER malware has used HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1053.002|At|\n\nBRONZE BUTLER has used\n\nat to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nBRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|\n\nBRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nBRONZE BUTLER typically use',
'BRONZE BUTLER typically use\n\nNet to enumerate systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1550.003|Pass the Ticket|\n\nBRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nBRONZE BUTLER has used batch scripts and the command-line interface for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|The\n\nBRONZE BUTLER uploader or malware the uploader uses\n\nBRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nBRONZE BUTLER has exfiltrated files stolen from file shares.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nBRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nBRONZE BUTLER downloads encoded payloads and decodes them on the victim.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|',
'BRONZE BUTLER has used PowerShell for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nBRONZE BUTLER has exfiltrated files stolen from local systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nBRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nBRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nBRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.(Citation: Secureworks BRONZE BUTLER Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nBRONZE BUTLER has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)|',
'Carbanak - G0008\n\nCreated: 2017-05-31T21:31:49.021Z\n\nModified: 2021-10-18T21:02:30.899Z\n\nContributors: Anastasios Pingios\n\nAliases\n\nCarbanak,Anunak\n\nDescription\n\nCarbanak is a cybercriminal group that has used\n\nCarbanak malware to target financial institutions since at least 2013.\n\nCarbanak may be linked to groups tracked separately as\n\nCobalt Group and\n\nFIN7 that have also used\n\nCarbanak malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)\n\nTechniques Used\n\nCarbanak has obtained and used open-source tools such as\n\nPsExec and\n\nMimikatz.(Citation: Kaspersky Carbanak)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nCarbanak has copied legitimate service names to use for malicious services.(Citation: Kaspersky Carbanak)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nCarbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.(Citation: Group-IB Anunak)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nCarbanak installs VNC server software that executes through rundll32.(Citation: Kaspersky Carbanak)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|\n\nCarbanak may use\n\nnetsh to add local firewall rule exceptions.(Citation: Group-IB Anunak)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|',
'Carbanak may use\n\nnetsh to add local firewall rule exceptions.(Citation: Group-IB Anunak)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nCarbanak malware installs itself as a service to provide persistence and SYSTEM privileges.(Citation: Kaspersky Carbanak)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nCarbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.(Citation: Forcepoint Carbanak Google C2)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nCarbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.(Citation: Kaspersky Carbanak)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nCarbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.(Citation: Kaspersky Carbanak)|',
"Chimera - G0114\n\nCreated: 2020-08-24T17:01:55.842Z\n\nModified: 2023-03-22T03:25:24.295Z\n\nContributors:\n\nAliases\n\nChimera\n\nDescription\n\nChimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)\n\nTechniques Used\n\nChimera has obtained and used tools such as\n\nBloodHound,\n\nCobalt Strike,\n\nMimikatz, and\n\nPsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nChimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1572|Protocol Tunneling|\n\nChimera has encapsulated\n\nCobalt Strike's C2 protocol in DNS and HTTPS.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nChimera has collected data of interest from network shares.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nChimera has used\n\nChimera has used\n\nChimera has used the\n\nChimera has used\n\nipconfig,\n\nPing, and\n\nChimera has used\n\nChimera has used\n\nChimera has queried Registry keys using\n\nChimera has used\n\nChimera has used custom DLLs for continuous retrieval of data from memory.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nChimera has used",
"Chimera has used\n\nChimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1550.002|Pass the Hash|\n\nChimera has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nChimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nChimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1569.002|Service Execution|\n\nChimera has used\n\nPsExec to deploy beacons on compromised systems.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nChimera has used\n\nCobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nChimera has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nChimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1114.001|Local Email Collection|\n\nChimera has harvested data from victim's e-mail including through execution of\n\nChimera has harvested data from remote mailboxes including through execution of",
"Chimera has harvested data from victim's e-mail including through execution of\n\nChimera has harvested data from remote mailboxes including through execution of\n\nChimera has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|\n\nChimera has copied tools between compromised hosts using SMB.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1021.006|Windows Remote Management|\n\nChimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nChimera has used the\n\nChimera has used the NtdsAudit utility to collect information related to accounts and passwords.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nChimera has used\n\nChimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.006|Timestomp|\n\nChimera has used a Windows version of the Linux\n\nChimera has used\n\nChimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nChimera has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nChimera has used",
"Chimera has used\n\nCobalt Strike C2 beacons for data exfiltration.(Citation: NCC Group Chimera January 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nChimera has utilized multiple commands to identify data of interest in file and directory listings.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1482|Domain Trust Discovery|\n\nChimera has\n\nChimera has utilized various scans and queries to find domain controllers and remote services in the target environment.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nChimera has used\n\nChimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nChimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.001|Credentials|\n\nChimera has collected credentials for the target organization from previous breaches for use in brute force attacks.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.004|Credential Stuffing|\n\nChimera has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|",
"Chimera has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nChimera has used direct Windows system calls by leveraging Dumpert.(Citation: Cycraft Chimera April 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nChimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nChimera has used scheduled tasks to invoke Cobalt Strike including through batch script\n\nChimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nChimera has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020) |\n|mitre-attack|enterprise-attack|Windows|T1556.001|Domain Controller Authentication|\n\nChimera's malware has altered the NTLM authentication program on domain controllers to allow\n\nChimera to login without a valid credential.(Citation: Cycraft Chimera April 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nChimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020)|\n|mitre-attack|enterprise-attack|Windows|T1003.003|NTDS|",
'Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020)\n\nChimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via\n\nChimera has has used\n\nChimera has used WMIC to execute remote commands.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nChimera has used a valid account to maintain persistence via scheduled task.(Citation: Cycraft Chimera April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nChimera has remotely copied tools and malware onto targeted systems.(Citation: Cycraft Chimera April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nChimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nChimera has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020)|',
'Cleaver - G0003\n\nCreated: 2017-05-31T21:31:46.390Z\n\nModified: 2022-07-22T18:37:22.178Z\n\nContributors:\n\nAliases\n\nCleaver,Threat Group 2889,TG-2889\n\nDescription\n\nCleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)\n\nTechniques Used\n\nCleaver has obtained and used open-source tools such as\n\nPsExec,\n\nWindows Credential Editor, and\n\nMimikatz.(Citation: Cylance Cleaver)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1557.002|ARP Cache Poisoning|\n\nCleaver has used custom tools to facilitate ARP cache poisoning.(Citation: Cylance Cleaver)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nCleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.(Citation: Cylance Cleaver)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|\n\nCleaver has created fake LinkedIn profiles that included profile photos, details, and connections.(Citation: Dell Threat Group 2889)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nCleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.(Citation: Cylance Cleaver)|',
'Cobalt Group - G0080\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2023-03-22T03:28:29.415Z\n\nContributors:\n\nAliases\n\nCobalt Group,GOLD KINGSWOOD,Cobalt Gang,Cobalt Spider\n\nDescription\n\nCobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.(Citation: Europol Cobalt Mar 2018)\n\nTechniques Used\n\nCobalt Group has obtained and used a variety of tools including\n\nMimikatz,\n\nPsExec,\n\nCobalt Strike, and\n\nSDelete.(Citation: PTSecurity Cobalt Dec 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|\n\nCobalt Group has compromised legitimate web browser updates to deliver a backdoor. (Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|',
"Cobalt Group has executed JavaScript scriptlets on the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nCobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.(Citation: Morphisec Cobalt Gang Oct 2018) The group has used an exploit toolkit known as Threadkit that launches .bat files.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nCobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nCobalt Group has used DNS tunneling for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1572|Protocol Tunneling|",
"Cobalt Group has used the Plink utility to create SSH tunnels.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Windows|T1218.008|Odbcconf|\n\nCobalt Group has used\n\nCobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.(Citation: Morphisec Cobalt Gang Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1037.001|Logon Script (Windows)|\n\nCobalt Group has added persistence by registering the file name for the next stage malware under\n\nCobalt Group has used Remote Desktop Protocol to conduct lateral movement.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Windows|T1218.003|CMSTP|\n\nCobalt Group has used the command\n\nCobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nCobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016) The group's JavaScript backdoor is also capable of downloading files.(Citation: Morphisec Cobalt Gang Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nCobalt Group has created Windows tasks to establish persistence.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|",
'Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1573.002|Asymmetric Cryptography|\n\nCobalt Group has used the Plink utility to create SSH tunnels.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nCobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Windows|T1220|XSL Script Processing|\n\nCobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file.(Citation: Talos Cobalt Group July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nCobalt Group has sent emails with URLs pointing to malicious documents.(Citation: Talos Cobalt Group July 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|',
'Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|\n\nCobalt Group has bypassed UAC.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nCobalt Group has used HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nCobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nCobalt Group has sent malicious Word OLE compound documents to victims.(Citation: Talos Cobalt Group July 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|',
'Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018)(Citation: Crowdstrike Global Threat Report Feb 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nCobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.(Citation: Talos Cobalt Group July 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nCobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost.(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nCobalt Group has used powershell.exe to download and execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: RiskIQ Cobalt Jan 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|',
'Cobalt Group has used regsvr32.exe to execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nCobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nCobalt Group has injected code into trusted processes.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nCobalt Group has used exploits to increase their levels of rights and privileges.(Citation: Group IB Cobalt Aug 2017)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nCobalt Group has created new services to establish persistence.(Citation: Group IB Cobalt Aug 2017)|',
'Confucius - G0142\n\nCreated: 2021-12-26T23:11:39.442Z\n\nModified: 2022-06-30T20:15:32.697Z\n\nContributors:\n\nAliases\n\nConfucius,Confucius APT\n\nDescription\n\nConfucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)\n\nTechniques Used\n\nConfucius has used mshta.exe to execute malicious VBScript.(Citation: TrendMicro Confucius APT Feb 2018) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nConfucius has used VBScript to execute malicious code.(Citation: TrendMicro Confucius APT Feb 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nConfucius has exfiltrated victim data to cloud storage service accounts.(Citation: TrendMicro Confucius APT Feb 2018)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nConfucius has obtained cloud storage service accounts to host stolen data.(Citation: TrendMicro Confucius APT Feb 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nConfucius has crafted and sent victims malicious attachments to gain initial access.(Citation: Uptycs Confucius APT Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|',
'Confucius has sent malicious links to victims through email campaigns.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nConfucius has lured victims into clicking on a malicious link sent through spearphishing.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nConfucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.(Citation: Uptycs Confucius APT Jan 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nConfucius has used PowerShell to execute malicious files and payloads.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nConfucius has used HTTP for C2 communications.(Citation: Uptycs Confucius APT Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nConfucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802.(Citation: Uptycs Confucius APT Jan 2021)(Citation: TrendMicro Confucius APT Feb 2018)|\n|mitre-attack|enterprise-attack|Windows|T1221|Template Injection|\n\nConfucius has used a weaponized Microsoft Word document with an embedded RTF exploit.(Citation: Uptycs Confucius APT Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'Confucius has downloaded additional files and payloads onto a compromised host following initial access.(Citation: Uptycs Confucius APT Jan 2021)(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nConfucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nConfucius has created scheduled tasks to maintain persistence on a compromised host.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nConfucius has exfiltrated stolen files to its C2 server.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nConfucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.(Citation: TrendMicro Confucius APT Aug 2021)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nConfucius has dropped malicious files into the startup folder\n\nConfucius has used a file stealer that can examine system drives, including those other than the C drive.(Citation: TrendMicro Confucius APT Aug 2021)|',
'CopyKittens - G0052\n\nCreated: 2018-01-16T16:13:52.465Z\n\nModified: 2022-08-08T21:29:36.462Z\n\nContributors:\n\nAliases\n\nCopyKittens\n\nDescription\n\nCopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)\n\nTechniques Used\n\nCopyKittens has used the AirVPN service for operational activity.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nCopyKittens has used Metasploit,\n\nEmpire, and AirVPN for post-exploitation activities.(Citation: ClearSky and Trend Micro Operation Wilted Tulip July 2017)(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nCopyKittens has used\n\nPowerShell windows. (Citation: ClearSky Wilted Tulip July 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.003|Archive via Custom Method|\n\nCopyKittens encrypts data with a substitute cipher prior to exfiltration.(Citation: CopyKittens Nov 2015)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nCopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.(Citation: ClearSky Wilted Tulip July 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|',
'CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.(Citation: ClearSky Wilted Tulip July 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nCopyKittens has used PowerShell Empire.(Citation: ClearSky Wilted Tulip July 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nCopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.(Citation: ClearSky Wilted Tulip July 2017)|',
'CURIUM - G1012\n\nCreated: 2023-01-13T20:51:13.494Z\n\nModified: 2023-04-12T13:21:41.276Z\n\nContributors:\n\nAliases\n\nCURIUM\n\nDescription\n\nCURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|CURIUM has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|CURIUM has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|CURIUM has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|',
"Darkhotel - G0012\n\nCreated: 2017-05-31T21:31:50.624Z\n\nModified: 2022-10-19T22:07:30.243Z\n\nContributors: Harry, CODEMIZE\n\nAliases\n\nDarkhotel,DUBNIUM\n\nDescription\n\nDarkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)\n\nTechniques Used\n\nDarkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)|\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|\n\nDarkhotel malware can obtain system time from a compromised host.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1497|Virtualization/Sandbox Evasion|\n\nDarkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nDarkhotel has used malware that is disguised as a Secure Shell (SSH) tool.(Citation: Microsoft DUBNIUM June 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1497.001|System Checks|\n\nDarkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with",
"Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with\n\nDarkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.(Citation: Microsoft DUBNIUM June 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nDarkhotel has used first-stage payloads that download additional malware from C2 servers.(Citation: Microsoft DUBNIUM June 2016)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|\n\nDarkhotel has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nDarkhotel has used malware that searched for files with specific patterns.(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nDarkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nDarkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nDarkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|",
'Darkhotel has decrypted strings and imports using RC4 during execution.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nDarkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.(Citation: Kaspersky Darkhotel)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nDarkhotel has collected the IP address and network adapter information from the victim’s machine.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nDarkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nDarkhotel has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM June 2016) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nDarkhotel malware can collect a list of running processes on a system.(Citation: Securelist Darkhotel Aug 2015)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nDarkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)|\n|mitre-attack|enterprise-attack|Windows,Office 365,SaaS,Linux,macOS|T1080|Taint Shared Content|',
"Darkhotel used a virus that propagates by infecting executables stored on shared drives.(Citation: Kaspersky Darkhotel)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nDarkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen.\n\nDarkhotel has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)|\n|mitre-attack|enterprise-attack|Windows|T1091|Replication Through Removable Media|\n\nDarkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.(Citation: Kaspersky Darkhotel)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nDarkhotel has used a keylogger.(Citation: Kaspersky Darkhotel)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nDarkhotel has been known to establish persistence by adding programs to the Run Registry key.(Citation: Kaspersky Darkhotel)|",
'DarkHydrus - G0079\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2021-10-12T19:52:22.454Z\n\nContributors: Oleg Skulkin, Group-IB\n\nAliases\n\nDarkHydrus\n\nDescription\n\nDarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)\n\nTechniques Used\n\nDarkHydrus has obtained and used tools such as\n\nMimikatz,\n\nEmpire, and\n\nCobalt Strike.(Citation: Unit 42 DarkHydrus July 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nDarkHydrus has used\n\nPowerShell windows. (Citation: Unit 42 DarkHydrus July 2018)|\n|mitre-attack|enterprise-attack|Windows|T1187|Forced Authentication|\n\nDarkHydrus used\n\nTemplate Injection to launch an authentication window for users to enter their credentials.(Citation: Unit 42 Phishery Aug 2018)|\n|mitre-attack|enterprise-attack|Windows|T1221|Template Injection|\n\nDarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable\n\nForced Authentication.(Citation: Unit 42 Phishery Aug 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nDarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit 42 Playbook Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|',
'DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit 42 Playbook Dec 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nDarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit 42 Phishery Aug 2018)(Citation: Unit 42 Playbook Dec 2017)|',
'DarkVishnya - G0105\n\nCreated: 2020-05-15T13:07:26.651Z\n\nModified: 2021-10-12T22:10:04.107Z\n\nContributors:\n\nAliases\n\nDarkVishnya\n\nDescription\n\nDarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)\n\nTechniques Used\n\nDarkVishnya has obtained and used tools such as\n\nImpacket,\n\nWinexe, and\n\nPsExec.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nDarkVishnya performed port scanning to obtain the list of active services.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nDarkVishnya used brute-force attack to obtain login data.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,IaaS|T1040|Network Sniffing|\n\nDarkVishnya used network sniffing to obtain login data. (Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nDarkVishnya used DameWare Mini Remote Control for lateral movement.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nDarkVishnya used PowerShell to create shellcode loaders.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|',
'DarkVishnya used PowerShell to create shellcode loaders.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nDarkVishnya created new services for shellcode loaders distribution.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nDarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nDarkVishnya scanned the network for public shared folders.(Citation: Securelist DarkVishnya Dec 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1200|Hardware Additions|\n\nDarkVishnya used Bash Bunny, Raspberry Pi, netbooks or inexpensive laptops to connect to the company’s local network.(Citation: Securelist DarkVishnya Dec 2018)|',
"Dark Caracal - G0070\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2021-10-11T19:08:18.503Z\n\nContributors:\n\nAliases\n\nDark Caracal\n\nDescription\n\nDark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)\n\nTechniques Used\n\nDark Caracal's version of\n\nBandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nDark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nDark Caracal has obfuscated strings in\n\nBandook by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nDark Caracal has used UPX to pack\n\nBandook.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nDark Caracal leveraged a watering hole to serve up malicious code.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1113|Screen Capture|",
"Dark Caracal took screenshots using their Windows malware.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nDark Caracal spearphished victims via Facebook and Whatsapp.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nDark Caracal collected file listings of all default Windows directories.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nDark Caracal's version of\n\nBandook adds a registry key to\n\nDark Caracal has used macros in Word documents that would download a second stage if executed.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nDark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1218.001|Compiled HTML File|\n\nDark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.(Citation: Lookout Dark Caracal Jan 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1437.001|Web Protocols|\n\nDark Caracal controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) |",
"Deep Panda - G0009\n\nCreated: 2017-05-31T21:31:49.412Z\n\nModified: 2022-07-20T20:10:29.593Z\n\nContributors: Andrew Smith, @jakx_\n\nAliases\n\nDeep Panda,Shell Crew,WebMasters,KungFu Kittens,PinkPanther,Black Vine\n\nDescription\n\nDeep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)\n\nTechniques Used\n\nDeep Panda has used\n\nPowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Alperovitch 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nDeep Panda has used ping to identify other machines of interest.(Citation: Alperovitch 2014)|\n|mitre-attack|enterprise-attack|Windows|T1546.008|Accessibility Features|\n\nDeep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.(Citation: RSA Shell Crew)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nDeep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.(Citation: Alperovitch 2014)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|",
'Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.(Citation: CrowdStrike Deep Panda Web Shells)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nDeep Panda uses net.exe to connect to network shares using\n\nDeep Panda has used regsvr32.exe to execute a server variant of\n\nDerusbi in victim networks.(Citation: RSA Shell Crew)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|\n\nDeep Panda has updated and modified its malware, resulting in different hash values that evade detection.(Citation: Symantec Black Vine)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nDeep Panda uses the Microsoft\n\nTasklist utility to list processes running on systems.(Citation: Alperovitch 2014)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|The\n\nDeep Panda group is known to utilize WMI for lateral movement.(Citation: Alperovitch 2014)|',
"Dragonfly - G0035\n\nCreated: 2017-05-31T21:32:05.217Z\n\nModified: 2023-03-08T22:03:28.170Z\n\nContributors: Dragos Threat Intelligence\n\nAliases\n\nDragonfly,TEMP.Isotope,DYMALLOY,Berserk Bear,TG-4192,Crouching Yeti,IRON LIBERTY,Energetic Bear\n\nDescription\n\nDragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)\n\nTechniques Used\n\nDragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|\n\nDragonfly has registered domains for targeting intended victims.(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1595.002|Vulnerability Scanning|",
'Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nDragonfly has attempted to brute force credentials to gain access.(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nDragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.003|Virtual Private Server|\n\nDragonfly has acquired VPS infrastructure for use in malicious campaigns.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1584.004|Server|\n\nDragonfly has compromised legitimate websites to host C2 and malware modules.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1591.002|Business Relationships|\n\nDragonfly has collected open source information to identify relationships between organizations for targeting purposes.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nDragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1608.004|Drive-by Target|',
'Dragonfly has compromised websites to redirect traffic and to host exploit kits.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nDragonfly has sent emails with malicious attachments to gain initial access.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nDragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nDragonfly has compromised user credentials and used valid accounts for operations.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nDragonfly used the command\n\nDragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate\n\nForced Authentication.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nDragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|',
"Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nDragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nDragonfly has likely obtained a list of hosts in the victim environment.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nDragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1012|Query Registry|\n\nDragonfly has queried the Registry to identify victim information.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1069.002|Domain Groups|\n\nDragonfly has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1598.003|Spearphishing Link|\n\nDragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1598.002|Spearphishing Attachment|\n\nDragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|",
'Dragonfly has moved laterally via RDP.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nDragonfly has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.002|Security Account Manager|\n\nDragonfly has dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|\n\nDragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.(Citation: US-CERT TA18-074A)(Citation: Core Security Impacket)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.004|LSA Secrets|\n\nDragonfly has dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: Core Security Impacket)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nDragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nDragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'Dragonfly has copied and installed tools for operations once in the victim environment.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nDragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1112|Modify Registry|\n\nDragonfly has modified the Registry to perform multiple techniques through the use of\n\nReg.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1564.002|Hidden Users|\n\nDragonfly has modified the Registry to hide created user accounts.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|\n\nDragonfly has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nDragonfly has used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1187|Forced Authentication|\n\nDragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|',
'Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nDragonfly has collected data from local victim systems.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nDragonfly has created a directory named "out" in the user\'s %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nDragonfly has accessed email accounts using Outlook Web Access.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nDragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.(Citation: US-CERT TA18-074A)(Citation: CISA AA20-296A Berserk Bear December 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|\n\nDragonfly has used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1059.006|Python|\n\nDragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|',
'Dragonfly has used PowerShell scripts for execution.(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nDragonfly has used the command line for execution.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,Azure AD,Network|T1110.002|Password Cracking|\n\nDragonfly has dropped and executed tools used for password cracking, including Hydra and\n\nCrackMapExec.(Citation: US-CERT TA18-074A)(Citation: Kali Hydra)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071|Application Layer Protocol|\n\nDragonfly has used SMB for C2.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nDragonfly has compressed data into .zip files prior to exfiltration.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nDragonfly has added the registry value ntdll to the Registry Run key to establish persistence.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,IaaS,Linux,macOS,Google Workspace,SaaS,Network|T1098|Account Manipulation|\n\nDragonfly has added newly created accounts to the administrators group to maintain elevated access.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1087.002|Domain Account|',
'Dragonfly has used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|\n\nDragonfly has obtained and used tools such as\n\nMimikatz,\n\nCrackMapExec, and\n\nPsExec.(Citation: Secureworks IRON LIBERTY July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|\n\nDragonfly has placed trojanized installers for control system software on legitimate vendor app stores.(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nDragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.(Citation: Secureworks IRON LIBERTY July 2019)(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|None|T0817|Drive-by Compromise|\n\nDragonfly utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver\n\nBackdoor.Oldrea or\n\nTrojan.Karagany. (Citation: Symantec Security Response July 2014)|\n|mitre-attack|enterprise-attack,ics-attack|Control Server,Data Historian,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server,Safety Instrumented System/Protection Relay|T0862|Supply Chain Compromise|\n\nDragonfly trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)|',
"Earth Lusca - G1006\n\nCreated: 2022-07-01T20:12:30.184Z\n\nModified: 2022-10-17T19:51:56.531Z\n\nContributors:\n\nAliases\n\nEarth Lusca,TAG-22\n\nDescription\n\nEarth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\nEarth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)\n\nTechniques Used\n\nEarth Lusca adopted Cloudflare as a proxy for compromised servers.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nEarth Lusca used VBA scripts.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nEarth Lusca required users to click on a malicious file for the loader to activate.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|",
'Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nEarth Lusca has used\n\nMimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1547.012|Print Processors|\n\nEarth Lusca has added the Registry key\n\nEarth Lusca has used PowerShell to execute commands.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nEarth Lusca has used\n\nTasklist to obtain information from a compromised host.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nEarth Lusca has used\n\nTasklist to obtain information from a compromised host.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1482|Domain Trust Discovery|\n\nEarth Lusca has used\n\nNltest to obtain information about domain controllers.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,IaaS,Network|T1098.004|SSH Authorized Keys|\n\nEarth Lusca has dropped an SSH-authorized key in the\n\nEarth Lusca has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1588.001|Malware|\n\nEarth Lusca has acquired and used a variety of malware, including',
'Earth Lusca has acquired and used a variety of malware, including\n\nCobalt Strike.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1583.006|Web Services|\n\nEarth Lusca has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1584.006|Web Services|\n\nEarth Lusca has compromised Google Drive repositories.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1608.001|Upload Malware|\n\nEarth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1583.001|Domains|\n\nEarth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.(Citation: TrendMicro EarthLusca 2022) |\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1584.004|Server|\n\nEarth Lusca has used compromised web servers as part of their operational infrastructure.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1583.004|Server|\n\nEarth Lusca has acquired multiple servers for some of their operations, using each server for a different role.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nEarth Lusca has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.001|Malicious Link|',
'Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1047|Windows Management Instrumentation|\n\nEarth Lusca used a VBA script to execute WMI.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,Windows,macOS|T1059.006|Python|\n\nEarth Lusca used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nEarth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1003.001|LSASS Memory|\n\nEarth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1003.006|DCSync|\n\nEarth Lusca has used a\n\nMimikatz to retrieve credentials from an exploited controller.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1548.002|Bypass User Account Control|\n\nEarth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nEarth Lusca used the command\n\nEarth Lusca used the command',
'Earth Lusca used the command\n\nEarth Lusca used the command\n\nEarth Lusca has also used multiple scanning tools to discover other machines within the same compromised network.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nEarth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log “Microsoft-Windows-TerminalServices-RDPClient/Operational”\n(Event ID 1024) to obtain network information from RDP connections.\n\nEarth Lusca has also used\n\nnetstat from a compromised system to obtain network connection information.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1574.002|DLL Side-Loading|\n\nEarth Lusca has placed a malicious payload in\n\nEarth Lusca modified the registry using the command\n\nEarth Lusca used the command\n\nEarth Lusca created a service using the command\n\nEarth Lusca used the command\n\nEarth Lusca collected information on user accounts via the\n\nEarth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nEarth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nEarth Lusca has sent spearphishing emails to potential targets that contained a malicious link.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|',
'Earth Lusca used Base64 to encode strings.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|PRE|T1595.002|Vulnerability Scanning|\n\nEarth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1218.005|Mshta|\n\nEarth Lusca has used\n\nEarth Lusca has used\n\ncertutil to decode a string into a cabinet file.(Citation: TrendMicro EarthLusca 2022)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nEarth Lusca has performed watering hole attacks.(Citation: TrendMicro EarthLusca 2022)|',
'Elderwood - G0066\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2021-03-02T22:40:11.097Z\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.\n\nAliases\n\nElderwood,Elderwood Gang,Beijing Group,Sneaky Panda\n\nDescription\n\nElderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)\n\nTechniques Used\n\nElderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nElderwood has packed malware payloads before delivery to victims.(Citation: Symantec Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nElderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)(Citation: Security Affairs Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nElderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.(Citation: Symantec Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|',
'Elderwood has encrypted documents and malicious executables.(Citation: Symantec Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|The Ritsol backdoor trojan used by\n\nElderwood can download files onto a compromised host from a remote location.(Citation: Symantec Ristol May 2012)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nElderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nElderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nElderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)|',
'Ember Bear - G1003\n\nCreated: 2022-06-09T14:49:57.704Z\n\nModified: 2023-03-22T03:40:53.311Z\n\nContributors: Hannah Simes, BT Security\n\nAliases\n\nEmber Bear,Saint Bear,UNC2589,UAC-0056,Lorec53,Lorec Bear,Bleeding Bear\n\nDescription\n\nEmber Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )\n\nTechniques Used\n\nEmber Bear has obfuscated malicious scripts to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|PRE|T1588.003|Code Signing Certificates|\n\nEmber Bear has stolen legitimate certificates to sign malicious payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Windows|T1218.002|Control Panel|\n\nEmber Bear has used control panel files (CPL), delivered via e-mail, for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nEmber Bear has used tools to download malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nEmber Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|',
"Ember Bear has used an open source batch script to modify Windows Defender registry keys.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nEmber Bear has added extra spaces between JavaScript code characters to increase the overall file size.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nEmber Bear has obtained and used open source scripts from GitHub.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nEmber Bear has executed a batch script designed to disable Windows Defender on a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nEmber Bear has obfuscated malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nEmber Bear has packed malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nEmber Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nEmber Bear had used\n\nEmber Bear has used PowerShell to download and execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|",
"Ember Bear has exploited Microsoft Office vulnerability CVE-2017-11882.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nEmber Bear has used JavaScript to execute malicious code on a victim's machine.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nEmber Bear has sent spearphishing emails containing malicious links.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nEmber Bear has attempted to lure users to click on a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nEmber Bear has attempted to lure victims into executing malicious files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nEmber Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |",
'Equation - G0020\n\nCreated: 2017-05-31T21:31:54.697Z\n\nModified: 2020-06-29T01:39:22.044Z\n\nContributors:\n\nAliases\n\nEquation\n\nDescription\n\nEquation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1564.005|Hidden File System|Equation has used an encrypted virtual file system stored in the Windows Registry.(Citation: Kaspersky Equation QA)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1542.002|Component Firmware|Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.(Citation: Kaspersky Equation QA) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1480.001|Environmental Keying|Equation has been observed utilizing environmental keying in payload delivery.(Citation: Kaspersky Gauss Whitepaper)(Citation: Kaspersky Equation QA)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1120|Peripheral Device Discovery|Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.(Citation: Kaspersky Equation QA)|',
'Evilnum - G0120\n\nCreated: 2021-01-22T16:46:17.790Z\n\nModified: 2021-04-27T19:55:58.323Z\n\nContributors:\n\nAliases\n\nEvilnum\n\nDescription\n\nEvilnum is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)\n\nTechniques Used\n\nEvilnum can deploy additional components or tools as needed.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nEVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromised machines.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nEvilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.(Citation: ESET EvilNum July 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1497.001|System Checks|\n\nEvilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. (Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|\n\nEvilnum has used PowerShell to bypass UAC.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nEvilnum has deleted files used during infection.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|',
"Evilnum has deleted files used during infection.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nEvilnum has used malicious JavaScript files on the victim's machine.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nEvilnum can collect email credentials from victims.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nEvilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nEvilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.(Citation: ESET EvilNum July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1539|Steal Web Session Cookie|\n\nEvilnum can steal cookies and session information from browsers.(Citation: ESET EvilNum July 2020)|",
'EXOTIC LILY - G1011\n\nCreated: 2022-08-18T15:25:59.689Z\n\nModified: 2022-10-24T18:48:18.917Z\n\nContributors: Phill Taylor, BT Security\n\nAliases\n\nEXOTIC LILY\n\nDescription\n\nEXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)\n\nTechniques Used\n\nEXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nEXOTIC LILY has used malicious links to lure users into executing malicious payloads.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nEXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1597|Search Closed Sources|\n\nEXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1593.001|Social Media|\n\nEXOTIC LILY has copied data from social media sites to impersonate targeted individuals.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|',
"EXOTIC LILY has established social media profiles to mimic employees of targeted companies.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nEXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1594|Search Victim-Owned Websites|\n\nEXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nEXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|\n\nEXOTIC LILY has created e-mail accounts to spoof targeted organizations.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nEXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nEXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|",
'EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.(Citation: Google EXOTIC LILY March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nEXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nEXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.(Citation: Google EXOTIC LILY March 2022)|',
'Ferocious Kitten - G0137\n\nCreated: 2021-09-28T17:41:12.950Z\n\nModified: 2021-10-25T14:28:10.337Z\n\nContributors: Pooja Natarajan, NEC Corporation India,Manikantan Srinivasan, NEC Corporation India,Hiroki Nagahama, NEC Corporation\n\nAliases\n\nFerocious Kitten\n\nDescription\n\nFerocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)\n\nTechniques Used\n\nFerocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.(Citation: Kaspersky Ferocious Kitten Jun 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nFerocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.(Citation: Kaspersky Ferocious Kitten Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nFerocious Kitten has named malicious files\n\nFerocious Kitten has used right-to-left override to reverse executables’ names to make them appear to have different file extensions, rather than their real ones.(Citation: Kaspersky Ferocious Kitten Jun 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nFerocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.(Citation: Kaspersky Ferocious Kitten Jun 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nFerocious Kitten has acquired domains imitating legitimate sites.(Citation: Kaspersky Ferocious Kitten Jun 2021)|',
'FIN10 - G0051\n\nCreated: 2017-12-14T16:46:06.044Z\n\nModified: 2021-05-26T12:35:39.400Z\n\nContributors:\n\nAliases\n\nFIN10\n\nDescription\n\nFIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)\n\nTechniques Used\n\nFIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nFIN10 has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nFIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nFIN10 has used batch scripts and scheduled tasks to delete critical system files.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nFIN10 has used RDP to move laterally to systems in the victim environment.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nFIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|',
'FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nFIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nFIN10 has used Meterpreter to enumerate users on remote systems.(Citation: FireEye FIN10 June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nFIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nFIN10 has executed malicious .bat files containing PowerShell commands.(Citation: FireEye FIN10 June 2017)|',
'FIN4 - G0085\n\nCreated: 2019-01-31T02:01:45.129Z\n\nModified: 2023-02-01T21:27:44.778Z\n\nContributors:\n\nAliases\n\nFIN4\n\nDescription\n\nFIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)\n\nTechniques Used\n\nFIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Linux,macOS,Google Workspace|T1564.008|Email Hiding Rules|\n\nFIN4 has created rules in victims\' Microsoft Outlook accounts to automatically delete emails containing words such as “hacked," "phish," and “malware" in a likely attempt to prevent organizations from communicating about their activities.(Citation: FireEye Hacking FIN4 Dec 2014)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nFIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nFIN4 has used VBA macros to display a dialog box and collect victim credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nFIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1056.002|GUI Input Capture|\n\nFIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nFIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nFIN4 has accessed and hijacked online email communications using stolen credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090.003|Multi-hop Proxy|',
"FIN4 has used Tor to log in to victims' email accounts.(Citation: FireEye Hacking FIN4 Dec 2014)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nFIN4 has used legitimate credentials to hijack email communications.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nFIN4 has used HTTP POST requests to transmit data.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|",
'FIN5 - G0053\n\nCreated: 2018-01-16T16:13:52.465Z\n\nModified: 2021-10-16T19:48:37.809Z\n\nContributors: Walker Johnson\n\nAliases\n\nFIN5\n\nDescription\n\nFIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nTechniques Used\n\nFIN5 has obtained and used a customized version of\n\nPsExec, as well as use other tools such as\n\npwdump,\n\nSDelete, and\n\nWindows Credential Editor.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nFIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nFIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.(Citation: FireEye Respond Webinar July 2017)(Citation: DarkReading FireEye FIN5 Oct 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nFIN5 has cleared event logs from victims.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nFIN5 maintains access to victim environments by using',
'FIN5 maintains access to victim environments by using\n\nFLIPSIDE to create a proxy for a backup RDP tunnel.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nFIN5 uses\n\nSDelete to clean up the environment and attempt to prevent detection.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nFIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.(Citation: FireEye Respond Webinar July 2017)(Citation: DarkReading FireEye FIN5 Oct 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nFIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nFIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.(Citation: DarkReading FireEye FIN5 Oct 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nFIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.(Citation: Mandiant FIN5 GrrCON Oct 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|',
'FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.(Citation: Mandiant FIN5 GrrCON Oct 2016)|',
'FIN6 - G0037\n\nCreated: 2017-05-31T21:32:06.015Z\n\nModified: 2023-03-22T03:50:17.471Z\n\nContributors: Center for Threat-Informed Defense (CTID),Drew Church, Splunk\n\nAliases\n\nFIN6,Magecart Group 6,ITG08,Skeleton Spider\n\nDescription\n\nFIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)\n\nTechniques Used\n\nFIN6 has obtained and used tools such as\n\nMimikatz,\n\nCobalt Strike, and\n\nAdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|\n\nFIN6 has used\n\nFIN6 has used Metasploit Bind and Reverse TCP stagers.(Citation: Trend Micro FIN6 October 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS,SaaS,Office 365,Google Workspace,IaaS|T1213|Data from Information Repositories|\n\nFIN6 has collected schemas and user accounts from systems running SQL Server.(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|\n\nFIN6 has sent stolen payment card data to remote servers via HTTP POSTs.(Citation: Trend Micro FIN6 October 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nFIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FIN6 October 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.004|File Deletion|',
'FIN6 has removed files from victim machines.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nFIN6 has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nFIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nFIN6 has used the Stealer One credential stealer to target web browsers.(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nFIN6 has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nFIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nFIN6 has collected and exfiltrated payment card data from compromised systems.(Citation: Trend Micro FIN6 October 2019)(Citation: RiskIQ British Airways September 2018)(Citation: RiskIQ Newegg September 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nFIN6 has deployed a utility script named',
"FIN6 has deployed a utility script named\n\nFIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges.(Citation: FireEye FIN6 Apr 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,Azure AD,Network|T1110.002|Password Cracking|\n\nFIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|\n\nFIN6 has used Metasploit’s\n\nPsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nFIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nFIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligence More Eggs Aug 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|\n\nFIN6 has used WMI to automate the remote execution of PowerShell scripts.(Citation: Security Intelligence More Eggs Aug 2019) |\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|\n\nFIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1569.002|Service Execution|",
'FIN6 has created Windows services to execute encoded PowerShell commands.(Citation: FireEye FIN6 Apr 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1102|Web Service|\n\nFIN6 has used Pastebin and Google Storage to host content for their operations.(Citation: FireEye FIN6 Apr 2019)\n\nFIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.(Citation: FireEye FIN6 Apr 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|To move laterally on a victim network,\n\nFIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1572|Protocol Tunneling|\n\nFIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nFIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nFIN6 used RDP to move laterally in victim networks.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1560.003|Archive via Custom Method|',
"FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1560|Archive Collected Data|Following data collection,\n\nFIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1573.002|Asymmetric Cryptography|\n\nFIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nFIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nFIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and\n\nFrameworkPOS.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.001|LSASS Memory|\n\nFIN6 has used\n\nWindows Credential Editor for credential dumping.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)",
"FIN6 has used\n\nWindows Credential Editor for credential dumping.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)\n\nFIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nFIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nFIN6 has used Metasploit’s\n\nPsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nFIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nFIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|",
"FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019)|",
'FIN7 - G0046\n\nCreated: 2017-05-31T21:32:09.460Z\n\nModified: 2023-03-22T03:51:04.185Z\n\nContributors: Edward Millington\n\nAliases\n\nFIN7,GOLD NIAGARA,ITG14,Carbon Spider\n\nDescription\n\nFIN7 is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of\n\nFIN7 was run out of a front company called Combi Security. Since 2020\n\nFIN7 shifted operations to a big game hunting (BGH) approach including use of\n\nREvil ransomware and their own Ransomware as a Service (RaaS), Darkside.\n\nFIN7 may be linked to the\n\nCarbanak Group, but there appears to be several groups using\n\nCarbanak malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)\n\nTechniques Used\n\nFIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.(Citation: FBI Flash FIN7 USB)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nFIN7 has collected files and other sensitive information from a compromised network.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nFIN7 has exfiltrated stolen data to the MEGA file sharing site.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1021.005|VNC|',
'FIN7 has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,IaaS|T1486|Data Encrypted for Impact|\n\nFIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nFIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nFIN7 has used RDP to move laterally in victim environments.(Citation: CrowdStrike Carbon Spider August 2021)\n|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS|T1021.004|SSH|\n\nFIN7 has used SSH to move laterally through victim environments.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nFIN7 has harvested valid administrative credentials for lateral movement.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1558.003|Kerberoasting|\n\nFIN7 has used Kerberoasting for credential access and to enable lateral movement.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|',
"FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nFIN7 has conducted broad phishing campaigns using malicious links.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nFIN7 has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|\n\nFIN7 has used WMI to install malware on targeted systems.(Citation: eSentire FIN7 July 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|\n\nFIN7 has registered look-alike domains for use in phishing campaigns.(Citation: eSentire FIN7 July 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1008|Fallback Channels|\n\nFIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1587.001|Malware|\n\nFIN7 has developed malware for use in operations, including the creation of infected removable media.(Citation: FBI Flash FIN7 USB)(Citation: FireEye FIN7 Oct 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.007|JavaScript|",
"FIN7 used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nFIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nFIN7 used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|\n\nFIN7 used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1497.002|User Activity Based Checks|\n\nFIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.(Citation: FireEye FIN7 April 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nFIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.(Citation: FireEye FIN7 April 2017)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|\n\nFIN7 has signed\n\nCarbanak payloads with legally purchased code signing certificates.",
"FIN7 has signed\n\nCarbanak payloads with legally purchased code signing certificates.\n\nFIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nFIN7 used SQL scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1543.003|Windows Service|\n\nFIN7 created new Windows services and added them to the startup directories for persistence.(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nFIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nFIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1125|Video Capture|",
"FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.(Citation: FireEye FIN7 Aug 2018)(Citation: DOJ FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nFIN7 has performed C2 using DNS via A, OPT, and TXT records.(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nFIN7 captured screenshots and desktop video recordings.(Citation: DOJ FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nFIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.005|Mshta|\n\nFIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.(Citation: FireEye FIN7 April 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nFIN7 spear phishing campaigns have included malicious Word documents with DDE execution.(Citation: CyberScoop FIN7 Oct 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nFIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|",
'FIN7 malware has created scheduled tasks to establish persistence.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1546.011|Application Shimming|\n\nFIN7 has used application shim databases for persistence.(Citation: FireEye FIN7 Shim Databases)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nFIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.(Citation: FireEye FIN7 April 2017)(Citation: FireEye FIN7 Aug 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|\n\nFIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FBI Flash FIN7 USB)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nFIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 June 2017)|',
'FIN8 - G0061\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2023-03-22T03:52:13.089Z\n\nContributors: Daniyal Naeem, BT Security\n\nAliases\n\nFIN8\n\nDescription\n\nFIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)\n\nTechniques Used\n\nFIN8 has injected malicious code into a new svchost.exe process.(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nFIN8 has used HTTPS for command and control.(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nFIN8 has used WMI event subscriptions for persistence.(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1134.001|Token Impersonation/Theft|\n\nFIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nFIN8 has used\n\nFIN8 has retrieved a list of trusted domains by using\n\nNltest.exe /domain_trusts\n\nFIN8 has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nFIN8 has used RDP for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|',
"FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nFIN8 has cleared logs during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nFIN8 has deleted Registry keys during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1573.002|Asymmetric Cryptography|\n\nFIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|\n\nFIN8 has used FTP to exfiltrate collected data.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nFIN8 has used scheduled tasks to maintain RDP backdoors.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nFIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution.\n\nFIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|",
"FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nFIN8 has distributed targeted emails containing Word documents with embedded malicious macros.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nFIN8 has used RAR to compress collected data before exfiltration.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nFIN8 has used remote code execution to download subsequent payloads.(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nFIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments.\n\nFIN8 also obfuscates malicious macros delivered as payloads.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nFIN8's malicious spearphishing payloads are executed as\n\nPowerShell.\n\nFIN8 has also used\n\nPowerShell for lateral movement and credential access.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|",
'FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nFIN8 has used malicious e-mail attachments to lure victims into executing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nFIN8 has used\n\ndsquery and other Active Directory utilities to enumerate hosts; they have also used\n\nFIN8 aggregates staged data from a network into a single location.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nFIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nFIN8 has exploited the CVE-2016-0167 local vulnerability.(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nFIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)\n\nFIN8 has also executed commands remotely via\n\ncmd.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|',
'FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nFIN8 has used valid accounts for persistence and lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)|',
'Fox Kitten - G0117\n\nCreated: 2020-12-21T21:49:47.307Z\n\nModified: 2023-03-22T03:53:37.888Z\n\nContributors:\n\nAliases\n\nFox Kitten,UNC757,Parisite,Pioneer Kitten\n\nDescription\n\nFox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)\n\nTechniques Used\n\nFox Kitten has base64 encoded scripts to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nFox Kitten has used Amazon Web Services to host C2.(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|\n\nFox Kitten has used a Twitter account to communicate with ransomware victims.(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|PRE|T1585|Establish Accounts|\n\nFox Kitten has created KeyBase accounts to communicate with ransomware victims.(Citation: ClearSky Pay2Kitten December 2020)(Citation: Check Point Pay2Key November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|',
"Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)(Citation: Check Point Pay2Key November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nFox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nFox Kitten has brute forced RDP credentials.(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nFox Kitten has used a Perl reverse shell to communicate with C2.(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nFox Kitten has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nFox Kitten has downloaded additional tools including\n\nPsExec directly to endpoints.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|IaaS,SaaS|T1530|Data from Cloud Storage|\n\nFox Kitten has obtained files from the victim's cloud storage instances.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|",
'Fox Kitten has searched local system resources to access sensitive documents.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nFox Kitten has searched network shares to access sensitive documents.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,SaaS,Office 365,Google Workspace,IaaS|T1213|Data from Information Repositories|\n\nFox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1021.005|VNC|\n\nFox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nFox Kitten has used the PuTTY and Plink tools for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nFox Kitten has used valid accounts to access SMB shares.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1217|Browser Information Discovery|\n\nFox Kitten has used Google Chrome bookmarks to identify internal resources and assets.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|',
'Fox Kitten has used RDP to log in and move laterally in the target environment.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nFox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nFox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|\n\nFox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nFox Kitten has used Angry IP Scanner to detect remote systems.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nFox Kitten has used WizTree to obtain network files and directory listings.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1003.003|NTDS|\n\nFox Kitten has used Volume Shadow Copy to access credential information from NTDS.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|',
'Fox Kitten has accessed files to gain valid credentials.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.005|Password Managers|\n\nFox Kitten has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nFox Kitten has used procdump to dump credentials from LSASS.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nFox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nFox Kitten has base64 encoded payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nFox Kitten has used PowerShell scripts to access credential data.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nFox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1546.008|Accessibility Features|\n\nFox Kitten has used sticky keys to launch a command prompt.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|',
'Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nFox Kitten has used cmd.exe likely as a password changing mechanism.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nFox Kitten has installed web shells on compromised hosts to maintain access.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nFox Kitten has used valid credentials with various services during lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nFox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1572|Protocol Tunneling|\n\nFox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such as\n\nNgrok and custom tool SSHMinion.(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|',
'Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Dragos PARISITE )(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nFox Kitten has exploited known vulnerabilities in remote services including RDP.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: ClearSky Pay2Kitten December 2020)|',
'GALLIUM - G0093\n\nCreated: 2019-07-18T20:47:50.050Z\n\nModified: 2022-08-12T21:26:22.303Z\n\nContributors: Daniyal Naeem, BT Security,Cybereason Nocturnus, @nocturnus\n\nAliases\n\nGALLIUM,Operation Soft Cell\n\nDescription\n\nGALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)\n\nTechniques Used\n\nGALLIUM has used Taiwan-based servers that appear to be exclusive to\n\nGALLIUM.(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|\n\nGALLIUM has used\n\nPsExec to move laterally between hosts in the target network.(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nGALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nGALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nGALLIUM used Web shells and',
"GALLIUM used Web shells and\n\nHTRAN for C2 and to exfiltrate data.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|\n\nGALLIUM ensured each payload had a unique hash, including by using different types of packers.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1550.002|Pass the Hash|\n\nGALLIUM used dumped hashes to authenticate to other machines via pass the hash.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nGALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nGALLIUM used a modified version of\n\nNBTscan to identify available NetBIOS name servers over the network as well as\n\nGALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nGALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nGALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|",
'GALLIUM used a modified version of\n\nHTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nGALLIUM used a modified version of\n\nHTRAN to redirect connections between networks.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nGALLIUM packed some payloads using different types of packers, both known and custom.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nGALLIUM established persistence for\n\nPoisonIvy by creating a scheduled task.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.003|Rename System Utilities|\n\nGALLIUM used a renamed cmd.exe file to evade detection.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nGALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and\n\nHTRAN.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nGALLIUM used\n\nGALLIUM used\n\nGALLIUM used\n\nNBTscan to identify available NetBIOS name servers.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nGALLIUM used a modified version of\n\nMimikatz along with a PowerShell-based',
'GALLIUM used a modified version of\n\nMimikatz along with a PowerShell-based\n\nMimikatz to dump credentials on the victim machines.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Windows|T1003.002|Security Account Manager|\n\nGALLIUM used\n\nGALLIUM used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nGALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nGALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nGALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1136.002|Domain Account|\n\nGALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nGALLIUM leveraged valid accounts to maintain access to a victim network.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nGALLIUM used DLL side-loading to covertly load',
'GALLIUM used DLL side-loading to covertly load\n\nPoisonIvy into memory on the victim machine.(Citation: Cybereason Soft Cell June 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nGALLIUM exploited publicly-facing servers including Wildfly/JBoss servers to gain access to the network.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)|',
'Gallmaker - G0084\n\nCreated: 2019-01-30T14:26:42.897Z\n\nModified: 2020-03-30T19:04:47.798Z\n\nContributors:\n\nAliases\n\nGallmaker\n\nDescription\n\nGallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)\n\nTechniques Used\n\nGallmaker has used WinZip, likely to archive data prior to exfiltration.(Citation: Symantec Gallmaker Oct 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nGallmaker sent emails with malicious Microsoft Office documents attached.(Citation: Symantec Gallmaker Oct 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nGallmaker sent victims a lure document with a warning that asked victims to “enable content” for execution.(Citation: Symantec Gallmaker Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nGallmaker used PowerShell to download additional payloads and for execution.(Citation: Symantec Gallmaker Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nGallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution.(Citation: Symantec Gallmaker Oct 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nGallmaker obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018)|',
'Gamaredon Group - G0047\n\nCreated: 2017-05-31T21:32:09.849Z\n\nModified: 2023-03-22T04:29:39.915Z\n\nContributors: ESET,Trend Micro Incorporated\n\nAliases\n\nGamaredon Group,IRON TILDEN,Primitive Bear,ACTINIUM,Armageddon,Shuckworm,DEV-0157\n\nDescription\n\nGamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary\'s early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)\n\nIn November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia\'s Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)\n\nTechniques Used\n\nGamaredon Group has used obfuscated or encrypted scripts.(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1016.001|Internet Connection Discovery|\n\nGamaredon Group has tested connectivity between a compromised machine and a C2 server using\n\nPing with commands such as\n\nGamaredon Group has used\n\nGamaredon Group has used legitimate process names to hide malware including\n\nGamaredon Group has used\n\nGamaredon Group has incorporated dynamic DNS domains in its infrastructure.(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|',
"Gamaredon Group has registered domains to stage payloads.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nGamaredon Group has registered multiple domains to facilitate payload staging and C2.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nGamaredon Group has used obfuscated PowerShell scripts for staging.(Citation: Microsoft Actinium February 2022)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1485|Data Destruction|\n\nGamaredon Group has used tools to delete files and folders from victims' desktops and profiles.(Citation: CERT-EE Gamaredon January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1491.001|Internal Defacement|\n\nGamaredon Group has left taunting images and messages on the victims' desktops as proof of system access.(Citation: CERT-EE Gamaredon January 2021)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nGamaredon Group has used WMI to execute scripts used for discovery.(Citation: CERT-EE Gamaredon January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nGamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1021.005|VNC|",
"Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nGamaredon Group malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Windows,Office 365,SaaS,Linux,macOS|T1080|Taint Shared Content|\n\nGamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nGamaredon Group malware has collected Microsoft Office documents from mapped network drives.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nGamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1020|Automated Exfiltration|\n\nGamaredon Group has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nGamaredon Group malware has used\n\nGamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened.\n\nGamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the\n\nGamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|",
"Gamaredon Group has removed security settings for VBA macro execution by changing registry values\n\nGamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nGamaredon Group has delivered macros which can tamper with Microsoft Office security settings.(Citation: ESET Gamaredon June 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nGamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros.\n\nGamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)(Citation: Unit 42 Gamaredon February 2022) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nGamaredon Group has obfuscated .NET executables by inserting junk code.(Citation: ESET Gamaredon June 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.004|Compile After Delivery|\n\nGamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in\n\nGamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nGamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.(Citation: ESET Gamaredon June 2020) |\n|mitre-attack|enterprise-attack|Windows|T1559.001|Component Object Model|",
"Gamaredon Group malware can insert malicious macros into documents using a\n\nGamaredon Group has collected files from infected systems and uploaded them to a C2 server.(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nGamaredon Group's malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020) |\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nGamaredon Group has delivered spearphishing emails with malicious attachments to targets.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nGamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)|\n|mitre-attack|enterprise-attack|Windows|T1221|Template Injection|\n\nGamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.(Citation: Proofpoint RTF Injection)",
'Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.(Citation: Proofpoint RTF Injection)\n\nGamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nGamaredon Group has embedded malicious macros in document templates, which executed VBScript.\n\nGamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Secureworks IRON TILDEN Profile)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nGamaredon Group tools decrypted additional payloads from the C2.\n\nGamaredon Group has also decoded base64-encoded source code of a downloader.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nGamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|',
"Gamaredon Group tools can delete files used during an operation.(Citation: TrendMicro Gamaredon April 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nGamaredon Group has used HTTP and HTTPS for C2 communications.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nGamaredon Group has used various batch scripts to establish C2 and download additional files.\n\nGamaredon Group's backdoor malware has also been written to a batch file.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nGamaredon Group has downloaded additional malware and tools onto a compromised host.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1120|Peripheral Device Discovery|\n\nGamaredon Group tools have contained an application to check performance of USB flash drives.",
"Gamaredon Group tools have contained an application to check performance of USB flash drives.\n\nGamaredon Group has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|A\n\nGamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: CERT-EE Gamaredon January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|A\n\nGamaredon Group file stealer can gather the victim's username to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|A\n\nGamaredon Group file stealer can transfer collected files to a hardcoded C2 server.(Citation: Palo Alto Gamaredon Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1025|Data from Removable Media|A\n\nGamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)|",
'GCMAN - G0036\n\nCreated: 2017-05-31T21:32:05.611Z\n\nModified: 2020-03-30T19:03:44.853Z\n\nContributors:\n\nAliases\n\nGCMAN\n\nDescription\n\nGCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1021.005|VNC|GCMAN uses VNC for lateral movement.(Citation: Securelist GCMAN)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|GCMAN uses Putty for lateral movement.(Citation: Securelist GCMAN)|',
'GOLD SOUTHFIELD - G0115\n\nCreated: 2020-09-22T19:41:27.845Z\n\nModified: 2023-03-28T20:49:53.223Z\n\nContributors: Thijn Bukkems, Amazon\n\nAliases\n\nGOLD SOUTHFIELD,Pinchy Spider\n\nDescription\n\nGOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)\n\nTechniques Used\n\nGOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nGOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nGOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim\'s machines.(Citation: Tetra Defense Sodinokibi March 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nGOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy\n\nREvil.(Citation: Tetra Defense Sodinokibi March 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|',
"GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nGOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.(Citation: Secureworks REvil September 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,SaaS,Office 365,Google Workspace|T1566|Phishing|\n\nGOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.(Citation: Secureworks REvil September 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|\n\nGOLD SOUTHFIELD has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.(Citation: Secureworks REvil September 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nGOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.(Citation: Secureworks REvil September 2019) |",
'Gorgon Group - G0078\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2021-10-12T21:57:25.847Z\n\nContributors:\n\nAliases\n\nGorgon Group\n\nDescription\n\nGorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)\n\nTechniques Used\n\nGorgon Group has obtained and used tools such as\n\nQuasarRAT and\n\nRemcos.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nGorgon Group has used\n\nPowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nGorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nGorgon Group has used macros in\n\nSpearphishing Attachments as well as executed VBScripts on victim machines.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nGorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|',
'Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nGorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the\n\nGorgon Group malware can use process hollowing to inject one of its trojans into another process.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nGorgon Group malware can download additional files from C2 servers.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nGorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nGorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under\n\nGorgon Group malware can download a remote access tool,\n\nShiftyBug, and inject into another process.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nGorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nGorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.(Citation: Unit 42 Gorgon Group Aug 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.009|Shortcut Modification|\n\nGorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Unit 42 Gorgon Group Aug 2018)|',
"Group5 - G0043\n\nCreated: 2017-05-31T21:32:08.304Z\n\nModified: 2020-03-30T19:07:39.812Z\n\nContributors:\n\nAliases\n\nGroup5\n\nDescription\n\nGroup5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|Malware used by Group5 is capable of watching the victim's screen.(Citation: Citizen Lab Group5)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|Malware used by Group5 is capable of capturing keystrokes.(Citation: Citizen Lab Group5)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|Malware used by Group5 is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)|",
'HAFNIUM - G0125\n\nCreated: 2021-03-03T19:40:47.280Z\n\nModified: 2023-04-10T21:54:46.756Z\n\nContributors: Daniyal Naeem, BT Security,Matt Brenton, Zurich Insurance Group,Mayuresh Dani, Qualys,Harshal Tupsamudre, Qualys,Vinayak Wadhwa, SAFE Security\n\nAliases\n\nHAFNIUM,Operation Exchange Marauder\n\nDescription\n\nHAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)\n\nTechniques Used\n\nHAFNIUM has collected data and files from a compromised machine.(Citation: Rapid7 HAFNIUM Mar 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nHAFNIUM has hidden files on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nHAFNIUM has searched file contents on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nHAFNIUM has collected IP information via IPInfo.(Citation: Rapid7 HAFNIUM Mar 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1016.001|Internet Connection Discovery|\n\nHAFNIUM has checked for network connectivity from a compromised host using\n\nHAFNIUM has used\n\nHAFNIUM has used\n\nHAFNIUM has enumerated domain controllers using',
'HAFNIUM has checked for network connectivity from a compromised host using\n\nHAFNIUM has used\n\nHAFNIUM has used\n\nHAFNIUM has enumerated domain controllers using\n\nHAFNIUM has granted privileges to domain accounts.(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nHAFNIUM has used\n\nHAFNIUM has used\n\nHAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.(Citation: Microsoft HAFNIUM March 2020)(Citation: Rapid7 HAFNIUM Mar 2021) |\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|\n\nHAFNIUM has used TCP for C2.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nHAFNIUM has used ASCII encoding for C2 traffic.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nHAFNIUM has used the NT AUTHORITY\\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1590.005|IP Addresses|\n\nHAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1136.002|Domain Account|\n\nHAFNIUM has created domain accounts.(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1590|Gather Victim Network Information|',
"HAFNIUM has created domain accounts.(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1590|Gather Victim Network Information|\n\nHAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1003.003|NTDS|\n\nHAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nHAFNIUM has collected e-mail addresses for users they intended to target.(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nHAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nHAFNIUM has used the Exchange Power Shell module\n\nHAFNIUM has used web shells to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nHAFNIUM has used\n\nHAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL,\n\nChina Chopper, and",
"HAFNIUM has used\n\nHAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL,\n\nChina Chopper, and\n\nASPXSpy.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task)(Citation: Rapid7 HAFNIUM Mar 2021) |\n|mitre-attack|enterprise-attack|PRE|T1583.003|Virtual Private Server|\n\nHAFNIUM has operated from leased virtual private servers (VPS) in the United States.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|PRE|T1592.004|Client Configurations|\n\nHAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nHAFNIUM has exfiltrated data to file sharing sites, including MEGA.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nHAFNIUM has used open-source C2 frameworks, including Covenant.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nHAFNIUM has acquired web services for use in C2 and exfiltration.(Citation: Microsoft HAFNIUM March 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|",
'HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task) |',
"HEXANE - G1001\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2023-03-22T04:43:59.082Z\n\nContributors: Dragos Threat Intelligence,Mindaugas Gudzis, BT Security\n\nAliases\n\nHEXANE,Lyceum,Siamesekitten,Spirlin\n\nDescription\n\nHEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)\n\nTechniques Used\n\nHEXANE has acquired, and sometimes customized, open source tools such as\n\nMimikatz,\n\nEmpire, VNC remote access software, and DIG.net.(Citation: Kaspersky Lyceum October 2021)(Citation: SecureWorks August 2019)(Citation: Zscaler Lyceum DnsSystem June 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nHEXANE has enumerated programs installed on an infected machine.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nHEXANE has collected the hostname of a compromised machine.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|",
'HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nHEXANE has used cloud services, including OneDrive, for C2.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nHEXANE has used cloud services, including OneDrive, for data exfiltration.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.002|DNS Server|\n\nHEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.(Citation: Zscaler Lyceum DnsSystem June 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nHEXANE has used\n\nHEXANE has used\n\nPing and\n\nHEXANE has used\n\nnetstat to monitor connections to specific ports.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1016.001|Internet Connection Discovery|\n\nHEXANE has used tools including\n\nBITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nHEXANE has used a scheduled task to establish persistence for a keylogger.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nHEXANE has used a VisualBasic script named\n\nHEXANE has used a',
'HEXANE has used a VisualBasic script named\n\nHEXANE has used a\n\nMimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nHEXANE has enumerated processes on targeted systems.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1069.001|Local Groups|\n\nHEXANE has run\n\nHEXANE has run\n\nHEXANE has run\n\nHEXANE has established email accounts for use in domain registration including for ProtonMail addresses.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nHEXANE has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1608.001|Upload Malware|\n\nHEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.001|Social Media Accounts|\n\nHEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Office 365,SaaS,Google Workspace|T1534|Internal Spearphishing|\n\nHEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1589|Gather Victim Identity Information|',
'HEXANE has identified specific potential victims at targeted organizations.(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1591.004|Identify Roles|\n\nHEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|\n\nHEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|\n\nHEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)\n|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nHEXANE has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1010|Application Window Discovery|\n\nHEXANE has used a PowerShell-based keylogging tool to capture the window title.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nHEXANE has used a PowerShell-based keylogger named\n\nHEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.(Citation: SecureWorks August 2019)(Citation: Kaspersky APT Trends Q1 April 2021)(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
"HEXANE has relied on victim's executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)(Citation: Zscaler Lyceum DnsSystem June 2022)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1586.002|Email Accounts|\n\nHEXANE has used compromised accounts to send spearphishing emails.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|\n\nHEXANE has used brute force attacks to compromise valid credentials.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nHEXANE has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019)|",
"Higaisa - G0126\n\nCreated: 2021-03-05T18:54:56.267Z\n\nModified: 2021-04-22T02:12:43.892Z\n\nContributors: Daniyal Naeem, BT Security\n\nAliases\n\nHigaisa\n\nDescription\n\nHigaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)\n\nTechniques Used\n\nHigaisa has used VBScript code on the victim's machine.(Citation: PTSecurity Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nHigaisa has called various native OS APIs.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nHigaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the\n\nHigaisa used a payload that creates a hidden window.(Citation: PTSecurity Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nHigaisa’s shellcode attempted to find the process ID of the current process.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1029|Scheduled Transfer|\n\nHigaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.(Citation: PTSecurity Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|",
'Higaisa collected the system volume serial number, GUID, and computer name.(Citation: PTSecurity Higaisa 2020)(Citation: Malwarebytes Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nHigaisa has exploited CVE-2018-0798 for execution.(Citation: PTSecurity Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nHigaisa used malicious e-mail attachments to lure victims into executing LNK files.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nHigaisa dropped and added\n\nHigaisa has sent spearphishing emails containing malicious attachments.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020) |\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|\n\nHigaisa used a function to gather the current time.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nHigaisa added a spoofed binary to the start-up folder for persistence.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nHigaisa used\n\nHigaisa used JavaScript to execute additional files.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nHigaisa named a shellcode loader binary',
'Higaisa named a shellcode loader binary\n\nHigaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Windows|T1220|XSL Script Processing|\n\nHigaisa used an XSL file to run VBScript code.(Citation: PTSecurity Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nHigaisa used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.001|Internal Proxy|\n\nHigaisa discovered system proxy settings and used them if available.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nHigaisa used HTTP and HTTPS to send data back to its C2 server.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1001.003|Protocol Impersonation|\n\nHigaisa used a FakeTLS session for C2 communications.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|\n\nHigaisa used AES-128 to encrypt C2 traffic.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nHigaisa used',
'Higaisa used\n\nHigaisa exfiltrated data over its C2 channel.(Citation: Zscaler Higaisa 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nHigaisa performed padding with null bytes before calculating its hash.(Citation: Zscaler Higaisa 2020)|',
'Inception - G0100\n\nCreated: 2020-05-08T17:01:04.058Z\n\nModified: 2021-10-12T23:21:06.480Z\n\nContributors: Oleg Skulkin, Group-IB\n\nAliases\n\nInception,Inception Framework,Cloud Atlas\n\nDescription\n\nInception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)\n\nTechniques Used\n\nInception has obtained and used open-source tools such as\n\nLaZagne.(Citation: Kaspersky Cloud Atlas August 2019)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nInception has enumerated installed software on compromised systems.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nInception has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nInception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.(Citation: Kaspersky Cloud Atlas August 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nInception has used PowerShell to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|',
'Inception has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)|\n|mitre-attack|enterprise-attack|Windows|T1221|Template Injection|\n\nInception has used decoy documents to load malicious remote payloads via HTTP.(Citation: Unit 42 Inception November 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nInception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nInception used a file listing plugin to collect information about file and directories both on local and remote drives.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nInception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nInception has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|',
'Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nInception lured victims into clicking malicious files for machine reconnaissance and to execute malware.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090.003|Multi-hop Proxy|\n\nInception used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nInception has maintained persistence by modifying Registry run key value\n\nInception has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1069.002|Domain Groups|\n\nInception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|\n\nInception has ensured persistence at system boot by setting the value\n\nInception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nInception has used a reconnaissance module to identify active processes and other associated loaded modules.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information 
Discovery|',
'Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.(Citation: Symantec Inception Framework March 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nInception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)|',
'IndigoZebra - G0136\n\nCreated: 2021-09-24T21:41:34.797Z\n\nModified: 2021-10-16T02:06:06.404Z\n\nContributors: Pooja Natarajan, NEC Corporation India,Yoshihiro Kori, NEC Corporation,Manikantan Srinivasan, NEC Corporation India\n\nAliases\n\nIndigoZebra\n\nDescription\n\nIndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)\n\nTechniques Used\n\nIndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.(Citation: Checkpoint IndigoZebra July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nIndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.(Citation: Checkpoint IndigoZebra July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nIndigoZebra has downloaded additional files and tools from its C2 server.(Citation: Checkpoint IndigoZebra July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nIndigoZebra has acquired open source tools such as\n\nNBTscan and Meterpreter for their operations.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nIndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.(Citation: HackerNews IndigoZebra July 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|',
'IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nIndigoZebra created Dropbox accounts for their operations.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)|',
'Indrik Spider - G0119\n\nCreated: 2021-01-06T17:46:35.134Z\n\nModified: 2022-09-15T19:49:18.799Z\n\nContributors:\n\nAliases\n\nIndrik Spider,Evil Corp\n\nDescription\n\nIndrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)\n\nTechniques Used\n\nIndrik Spider has stored collected date in a .tmp file.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nIndrik Spider has attempted to get users to click on a malicious zipped file.(Citation: Symantec WastedLocker June 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nIndrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1070.001|Clear Windows Event Logs|\n\nIndrik Spider has used\n\nCobalt Strike to empty log files.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1489|Service Stop|\n\nIndrik Spider has used\n\nPsExec to stop services prior to the execution of ransomware.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|',
"Indrik Spider has used malicious JavaScript files for several components of their attack.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nIndrik Spider used\n\nCobalt Strike to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,IaaS,Linux,macOS,Google Workspace,Network|T1136|Create Account|\n\nIndrik Spider used\n\nIndrik Spider used\n\nPsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nIndrik Spider has used WMIC to execute commands on remote computers.(Citation: Symantec WastedLocker June 2020) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nIndrik Spider has used the win32_service WMI class to retrieve a list of services from the system.(Citation: Symantec WastedLocker June 2020) |\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nIndrik Spider has used batch scripts on victim's machines.(Citation: Crowdstrike Indrik November 2018) |\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nIndrik Spider has used PowerShell\n\nEmpire for execution of malware.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|\n\nIndrik Spider has collected credentials from infected systems, including domain accounts.(Citation: Crowdstrike Indrik November 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|",
'Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nIndrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.(Citation: Crowdstrike Indrik November 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS|T1486|Data Encrypted for Impact|\n\nIndrik Spider has encrypted domain-controlled systems using\n\nBitPaymer.(Citation: Crowdstrike Indrik November 2018)|\n|mitre-attack|enterprise-attack|Windows|T1484.001|Group Policy Modification|\n\nIndrik Spider has used Group Policy Objects to deploy batch scripts.(Citation: Crowdstrike Indrik November 2018)|\n|mitre-attack|enterprise-attack|PRE|T1584.004|Server|\n\nIndrik Spider has served fake updates via legitimate websites that have been compromised.(Citation: Crowdstrike Indrik November 2018) |',
'Ke3chang - G0004\n\nCreated: 2017-05-31T21:31:47.177Z\n\nModified: 2022-07-22T18:52:32.762Z\n\nContributors: Pooja Natarajan, NEC Corporation India,Manikantan Srinivasan, NEC Corporation India,Hiroki Nagahama, NEC Corporation\n\nAliases\n\nKe3chang,APT15,Mirage,Vixen Panda,GREF,Playful Dragon,RoyalAPT,NICKEL\n\nDescription\n\nKe3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)\n\nTechniques Used\n\nKe3chang has used implants to collect the system language ID of a compromised machine.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Azure AD,Office 365,SaaS,IaaS,Google Workspace|T1078.004|Cloud Accounts|\n\nKe3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nKe3chang has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1020|Automated Exfiltration|\n\nKe3chang has performed frequent and scheduled data exfiltration from compromised networks.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|',
'Ke3chang has performed frequent and scheduled data collection from victim networks.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows|T1003.003|NTDS|\n\nKe3chang has used NTDSDump and other password dumping tools to gather credentials.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nKe3chang has used implants capable of collecting the signed-in username.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nKe3chang has dropped their malware into legitimate installed software paths including:\n\nKe3chang has used Base64-encoded shellcode strings.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nKe3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nKe3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nKe3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nKe3chang has developed custom malware that allowed them to maintain persistence on victim networks.(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|',
'Ke3chang has obtained and used tools such as\n\nMimikatz.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Windows|T1003.004|LSA Secrets|\n\nKe3chang has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Windows|T1003.002|Security Account Manager|\n\nKe3chang has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nKe3chang performs account discovery using commands such as\n\nKe3chang malware RoyalDNS has used DNS for C2.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.002|Right-to-Left Override|\n\nKe3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.(Citation: Mandiant Operation Ke3chang November 2014)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nKe3chang has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Windows,Office 365|T1213.002|Sharepoint|\n\nKe3chang used a SharePoint enumeration and data dumping tool known as spwebmember.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|',
'Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nKe3chang has used network scanning and enumeration tools, including\n\nPing.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nKe3chang backdoor RoyalDNS established persistence through adding a service called\n\nKe3chang has used a tool known as RemoteExec (similar to\n\nPsExec) to remotely execute batch scripts and binaries.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Windows|T1558.001|Golden Ticket|\n\nKe3chang has used\n\nMimikatz to generate Kerberos golden tickets.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nKe3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nKe3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nKe3chang has used keyloggers.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|Several',
'Ke3chang backdoors achieved persistence by adding a Run key.(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nKe3chang gathered information and files from local directories for exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nKe3chang performs account discovery using commands such as\n\nKe3chang actors have been known to copy files to the network shares of other computers to move laterally.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1069.002|Domain Groups|\n\nKe3chang performs discovery of permission groups\n\nKe3chang performs operating system information discovery using\n\nKe3chang group has been known to compress data before exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nKe3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nKe3chang performs service discovery using\n\nKe3chang has performed local network configuration discovery using\n\nKe3chang has dumped credentials, including by using\n\nMimikatz.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|',
'Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.(Citation: Mandiant Operation Ke3chang November 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nKe3chang performs process discovery using\n\nKe3chang performs local network connection discovery using\n\nKe3chang uses command-line interaction to search files and directories.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|Malware used by\n\nKe3chang can run commands on the command-line interface.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)|',
'Kimsuky - G0094\n\nCreated: 2019-08-26T15:03:02.577Z\n\nModified: 2022-11-30T22:53:00.875Z\n\nContributors: Taewoo Lee, KISA,Dongwook Kim, KISA\n\nAliases\n\nKimsuky,STOLEN PENCIL,Thallium,Black Banshee,Velvet Chollima\n\nDescription\n\nKimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)\n\nKimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.\n\nTechniques Used\n\nKimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|',
'Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nKimsuky has used Blogspot pages for C2.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|\n\nKimsuky has obtained specific Registry keys and values on a compromised host.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nKimsuky has created accounts with\n\nKimsuky has added accounts to specific groups with\n\nKimsuky has run\n\nKimsuky has checked for the presence of antivirus software with\n\nKimsuky has executed malware with\n\nKimsuky has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1111|Multi-Factor Authentication Interception|\n\nKimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nKimsuky has renamed malware to legitimate names such as\n\nKimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1589.003|Employee Names|\n\nKimsuky has collected victim employee name information.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1593.002|Search Engines|\n\nKimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1591|Gather Victim Org Information|',
"Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1594|Search Victim-Owned Websites|\n\nKimsuky has searched for information on the target company's website.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|\n\nKimsuky has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1583.004|Server|\n\nKimsuky has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nKimsuky has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1584.001|Domains|\n\nKimsuky has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1588.005|Exploits|\n\nKimsuky has obtained exploit code for various CVEs.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nKimsuky has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|\n\nKimsuky has created social media accounts to monitor news and security trends as well as potential targets.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|",
"Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nKimsuky has executed Windows commands by using\n\nKimsuky has used\n\nKimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nKimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nKimsuky has used\n\nKimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nKimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nKimsuky has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nKimsuky has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|",
"Kimsuky has decoded malicious VBScripts using Base64.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nKimsuky has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nKimsuky has used an instrumentor script to gather the names of all services running on a victim's system.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nKimsuky can gather a list of all processes running on a victim's machine.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nKimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew,\n\nMimikatz, and\n\nPsExec.(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nKimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns.(Citation: Malwarebytes Kimsuky June 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nKimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nKimsuky has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|",
"Kimsuky has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nKimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)|\n|mitre-attack|enterprise-attack|PRE|T1593.001|Social Media|\n\nKimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nKimsuky has downloaded additional scripts, tools, and malware onto victim systems.(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nKimsuky has staged collected data files under\n\nKimsuky has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.006|Timestomp|\n\nKimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybereason Kimsuky November 2020)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace,macOS,Linux|T1114.003|Email Forwarding Rule|\n\nKimsuky has set auto-forward rules on victim's e-mail accounts.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.003|Mail Protocols|",
'Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nKimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,IaaS|T1040|Network Sniffing|\n\nKimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1557|Adversary-in-the-Middle|\n\nKimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nKimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nKimsuky has gathered credentials using\n\nMimikatz and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|',
'Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nKimsuky has used RDP to establish persistence.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nKimsuky has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nKimsuky has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.002|File Transfer Protocols|\n\nKimsuky has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019)|\n|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|\n\nKimsuky has used links in e-mail to steal account information.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|PRE|T1586.002|Email Accounts|\n\nKimsuky has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)|\n|mitre-attack|enterprise-attack|PRE|T1587|Develop Capabilities|',
'Kimsuky created and used a mailing toolkit to use in spearphishing attacks.(Citation: VirusBulletin Kimsuky October 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nKimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)\n\nKimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nKimsuky has used attempted to lure victims into opening malicious e-mail attachments.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nKimsuky has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)\n\nKimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|',
'Kimsuky has signed files with the name EGIS CO,. Ltd..(Citation: ThreatConnect Kimsuky September 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nKimsuky has registered domains to spoof targeted organizations and trusted third parties.(Citation: ThreatConnect Kimsuky September 2020)(Citation: Zdnet Kimsuky Group September 2020)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|\n\nKimsuky has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nKimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nKimsuky has exfiltrated data over its C2 channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nKimsuky has created new services for persistence.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|',
'Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nKimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nKimsuky has used Win7Elevate to inject malicious code into explorer.exe.(Citation: Securelist Kimsuky Sept 2013)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.003|Archive via Custom Method|\n\nKimsuky has used RC4 encryption before exfil.(Citation: Securelist Kimsuky Sept 2013)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nKimsuky has placed scripts in the startup folder for persistence and modified the\n\nKimsuky has deleted the exfiltrated data on disk after transmission.\n\nKimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nKimsuky has the ability to enumerate all files and directories on an infected system.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|',
"Kimsuky has executed a variety of PowerShell scripts.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nKimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers.\n\nKimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.(Citation: Zdnet Kimsuky Dec 2018)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nKimsuky has collected Office, PDF, and HWP documents from its victims.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1176|Browser Extensions|\n\nKimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Netscout Stolen Pencil Dec 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nKimsuky has used a modified TeamViewer client as a command and control channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|",
'Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nKimsuky has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows|T1546.001|Change Default File Association|\n\nKimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.(Citation: Securelist Kimsuky Sept 2013)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nKimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)|',
'LAPSUS$ - G1004\n\nCreated: 2022-06-09T19:14:31.327Z\n\nModified: 2023-04-11T00:01:29.232Z\n\nContributors: David Hughes, BT Security,Matt Brenton, Zurich Insurance Group,Flavio Costa, Cisco\n\nAliases\n\nLAPSUS$,DEV-0537\n\nDescription\n\nLAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)\n\nTechniques Used\n\nLAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1586.002|Email Accounts|\n\nLAPSUS$ has payed employees, suppliers, and business partners of target organizations for credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Linux,macOS,IaaS,SaaS,Azure AD,Google Workspace|T1621|Multi-Factor Authentication Request Generation|\n\nLAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nLAPSUS$ has leverage NordVPN for its egress points when targeting intended victims.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|',
"LAPSUS$ acquired and used the Redline password stealer in their operations.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nLAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1591.002|Business Relationships|\n\nLAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1591.004|Identify Roles|\n\nLAPSUS$ has gathered detailed knowledge of team structures within a target organization.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1485|Data Destruction|\n\nLAPSUS$ has deleted the target's systems and resources both on-premises and in the cloud.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace,macOS,Linux|T1114.003|Email Forwarding Rule|\n\nLAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS|T1531|Account Access Removal|\n\nLAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Office 365,IaaS,SaaS,Google Workspace,Azure AD|T1098.003|Additional Cloud Roles|",
"LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Azure AD,Office 365,IaaS,Google Workspace,SaaS|T1136.003|Cloud Account|\n\nLAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Azure AD,Office 365,SaaS,IaaS,Google Workspace|T1078.004|Cloud Accounts|\n\nLAPSUS$ has used compromised credentials to access cloud assets within a target organization.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|IaaS|T1578.003|Delete Cloud Instance|\n\nLAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|IaaS|T1578.002|Create Cloud Instance|\n\nLAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.(Citation: MSTIC DEV-0537 Mar 2022) |\n|mitre-attack|enterprise-attack|PRE|T1583.003|Virtual Private Server|\n\nLAPSUS$ has used VPS hosting providers for infrastructure.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1589|Gather Victim Identity Information|\n\nLAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,IaaS,Containers|T1204|User Execution|\n\nLAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing",
"LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing\n\nLAPSUS$ to take control of an authenticated system.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows|T1003.003|NTDS|\n\nLAPSUS$ has used Windows built-in tool\n\nLAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nLAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1069.002|Domain Groups|\n\nLAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nLAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,SaaS,Office 365,Google Workspace,IaaS|T1213|Data from Information Repositories|\n\nLAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|SaaS|T1213.003|Code Repositories|\n\nLAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows,Office 365|T1213.002|Sharepoint|",
"LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|SaaS|T1213.001|Confluence|\n\nLAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nLAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1111|Multi-Factor Authentication Interception|\n\nLAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nLAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nLAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. (Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1593.003|Code Repositories|",
"LAPSUS$ has searched public code repositories for exposed credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1597.002|Purchase Technical Data|\n\nLAPSUS$ has purchased credentials and session tokens from criminal underground forums.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nLAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|\n\nLAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1589.001|Credentials|\n\nLAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.(Citation: MSTIC DEV-0537 Mar 2022)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nLAPSUS$ has obtained tools such as AD Explorer inspection software for their operations.(Citation: MSTIC DEV-0537 Mar 2022)|",
'Lazarus Group - G0032\n\nCreated: 2017-05-31T21:32:03.807Z\n\nModified: 2023-03-30T19:01:41.451Z\n\nContributors: Kyaw Pyiyt Htet, @KyawPyiytHtet,Dragos Threat Intelligence\n\nAliases\n\nLazarus Group,Labyrinth Chollima,HIDDEN COBRA,Guardians of Peace,ZINC,NICKEL ACADEMY\n\nDescription\n\nLazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.\n\nTechniques Used\n\nLazarus Group has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nLazarus Group has used a scheduled task named\n\nLazarus Group has restored malicious\n\nKernelCallbackTable code to its original state after the process execution flow has been hijacked.(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Linux,Windows|T1620|Reflective Code Loading|\n\nLazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via\n\nKernelCallbackTable hijacking.',
'Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via\n\nKernelCallbackTable hijacking.\n\nLazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nLazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1104|Multi-Stage Channels|\n\nLazarus Group has used multi-stage malware components that inject later stages into separate processes.(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1218|System Binary Proxy Execution|\n\nLazarus Group lnk files used for persistence have abused the Windows Update Client (\n\nLazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.005|Mshta|\n\nLazarus Group has used\n\nLazarus Group persistence mechanisms have used\n\nLazarus Group has renamed system utilities such as\n\nLazarus Group has replaced\n\nLazarus Group has abused the\n\nLazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.(Citation: Kaspersky ThreatNeedle Feb 2021) |\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.001|Social Media Accounts|',
'Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nLazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1584.004|Server|\n\nLazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1591|Gather Victim Org Information|\n\nLazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.002|Email Accounts|\n\nLazarus Group has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|\n\nLazarus Group has obtained a variety of tools for their operations, including\n\nResponder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|\n\nLazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.011|Rundll32|\n\nLazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|',
"Lazarus Group has digitally signed malware and utilities to evade detection.(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1557.001|LLMNR/NBT-NS Poisoning and SMB Relay|\n\nLazarus Group executed\n\nResponder using the command\n\nLazarus Group has sent malicious links to victims via email.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nLazarus Group has used\n\nLazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nLazarus Group has used\n\nLazarus Group has used administrator credentials to gain access to restricted network segments.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nLazarus Group has used VBA and embedded macros in Word documents to execute malicious code.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|\n\nLazarus Group has used PowerShell to execute commands and malicious code.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1090.001|Internal Proxy|\n\nLazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1106|Native API|\n\nLazarus Group has used the Windows API",
"Lazarus Group has used the Windows API\n\nLazarus Group has also used various, often lesser known, functions to perform various types of Discovery and\n\nProcess Injection.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS|T1021.004|SSH|\n\nLazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nLazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.006|Web Services|\n\nLazarus Group has hosted malicious downloads on Github.(Citation: CISA AppleJeus Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.004|Digital Certificates|\n\nLazarus Group has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1587.001|Malware|\n\nLazarus Group has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|\n\nLazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1571|Non-Standard Port|Some",
'Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1560.003|Archive via Custom Method|A\n\nLazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1491.001|Internal Defacement|\n\nLazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a\n\nDisk Structure Wipe.(Citation: Novetta Blockbuster Destructive Malware)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|Various\n\nLazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using\n\nnetsh. (Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1001.003|Protocol Impersonation|\n\nLazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|',
'Lazarus Group malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by\n\nLazarus Group uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1529|System Shutdown/Reboot|\n\nLazarus Group has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: US-CERT SHARPKNOT June 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS|T1485|Data Destruction|\n\nLazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.(Citation: Novetta Blockbuster)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1561.001|Disk Content Wipe|\n\nLazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1561.002|Disk Structure Wipe|',
"Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.(Citation: US-CERT SHARPKNOT June 2018)(Citation: Novetta Blockbuster)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1489|Service Stop|\n\nLazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.(Citation: Novetta Blockbuster Destructive Malware)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nLazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.(Citation: McAfee Bankshot)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Network|T1124|System Time Discovery|A Destover-like implant used by\n\nLazarus Group can obtain the current system time and send it to the C2 server.(Citation: McAfee GhostSecret)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nLazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nLazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nLazarus Group delivered",
'Lazarus Group delivered\n\nRATANKBA and other malicious code to victims via a compromised legitimate website.(Citation: RATANKBA)(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nLazarus Group has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|A\n\nLazarus Group malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nLazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.009|Shortcut Modification|\n\nLazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.(Citation: McAfee Lazarus Resurfaces Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1055.001|Dynamic-link Library Injection|A',
'Lazarus Group malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nLazarus Group has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1134.002|Create Process with Token|\n\nLazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call\n\nLazarus Group malware SierraCharlie uses RDP for propagation.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nLazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nLazarus Group has collected data and files from compromised networks.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|Various',
'Lazarus Group malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows|T1542.003|Bootkit|\n\nLazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|\n\nLazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1008|Fallback Channels|\n\nLazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|\n\nLazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|',
'Lazarus Group malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nLazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nLazarus Group malware SierraAlfa accesses the\n\nLazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. (Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nLazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1010|Application Window Discovery|',
'Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|Several\n\nLazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by\n\nLazarus Group also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nLazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1560.002|Archive via Library|\n\nLazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Google TAG Lazarus Jan 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nLazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally,\n\nLazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018). |\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1012|Query Registry|\n\nLazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another\n\nLazarus Group malware sample checks for the presence of the following Registry key:\n\nLazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee GhostSecret)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|',
'Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|Several\n\nLazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another\n\nLazarus Group malware sample XORs C2 traffic. Other\n\nLazarus Group malware uses Caracachs encryption to encrypt C2 payloads.\n\nLazarus Group has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nLazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.\n\nLazarus Group also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1543.003|Windows Service|Several\n\nLazarus Group malware families install themselves as new services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,IaaS,Linux,macOS,Google Workspace,SaaS,Network|T1098|Account Manipulation|',
'Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|Several\n\nLazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by\n\nLazarus Group also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nLazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for\n\nNative API function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|\n|mitre-attack|enterprise-attack,ics-attack|Engineering Workstation,Human-Machine Interface,Control Server,Data Historian|T0865|Spearphishing Attachment|\n\nLazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)|',
'LazyScripter - G0140\n\nCreated: 2021-11-24T19:26:27.305Z\n\nModified: 2023-03-22T04:49:29.731Z\n\nContributors: Manikantan Srinivasan, NEC Corporation India,Pooja Natarajan, NEC Corporation India,Hiroki Nagahama, NEC Corporation\n\nAliases\n\nLazyScripter\n\nDescription\n\nLazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)\n\nTechniques Used\n\nLazyScripter has established GitHub accounts to host its toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nLazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nLazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nLazyScripter has used a variety of open-source remote access Trojans for its operations.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nLazyScripter had downloaded additional tools to a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nLazyScripter has relied upon users clicking on links to malicious files.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'LazyScripter has lured users to open malicious email attachments.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nLazyScripter has used JavaScript in its attacks.(Citation: MalwareBytes LazyScripter Feb 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nLazyScripter has used several different security software icons to disguise executables.(Citation: MalwareBytes LazyScripter Feb 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nLazyScripter has leveraged dynamic DNS providers for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021) |\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nLazyScripter has used\n\nKoadic stagers.(Citation: MalwareBytes LazyScripter Feb 2021) |\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nLazyScripter has used\n\nKoadic stagers.(Citation: MalwareBytes LazyScripter Feb 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nLazyScripter has used GitHub to host its payloads to operate spam campaigns.(Citation: MalwareBytes LazyScripter Feb 2021) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nLazyScripter has used VBScript to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nLazyScripter has used PowerShell scripts to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|',
'LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nLazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nLazyScripter has used batch files to deploy open-source and multi-stage RATs.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nLazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.(Citation: MalwareBytes LazyScripter Feb 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nLazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.(Citation: MalwareBytes LazyScripter Feb 2021)|',
'Leafminer - G0077\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2023-03-22T04:50:51.782Z\n\nContributors:\n\nAliases\n\nLeafminer,Raspite\n\nDescription\n\nLeafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)\n\nTechniques Used\n\nLeafminer has obtained and used tools such as\n\nLaZagne,\n\nMimikatz,\n\nPsExec, and\n\nMailSniper.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nLeafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nLeafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows|T1003.005|Cached Domain Credentials|\n\nLeafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows|T1003.004|LSA Secrets|\n\nLeafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nLeafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows|T1055.013|Process Doppelgänging|\n\nLeafminer has used',
'Leafminer has used\n\nProcess Doppelgänging to evade security software while deploying tools on compromised systems.(Citation: Symantec Leafminer July 2018) |\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nLeafminer has infected victims using watering holes.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nLeafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nLeafminer obfuscated scripts that were used on victim machines.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nLeafminer infected victims using JavaScript code.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nLeafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nLeafminer used a tool called Total SMB BruteForcer to perform internal password spraying.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nLeafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|',
'Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nLeafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.(Citation: Symantec Leafminer July 2018)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nLeafminer scanned network services to search for vulnerabilities in the victim system.(Citation: Symantec Leafminer July 2018)|',
"Leviathan - G0065\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2022-04-15T15:15:51.198Z\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.\n\nAliases\n\nLeviathan,MUDCARP,Kryptonite Panda,Gadolinium,BRONZE MOHAWK,TEMP.Jumper,APT40,TEMP.Periscope\n\nDescription\n\nLeviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)\n\nTechniques Used\n\nLeviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.(Citation: Accenture MUDCARP March 2019)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nLeviathan has utilized OLE as a method to insert malicious content inside various phishing documents. (Citation: Accenture MUDCARP March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nLeviathan has exfiltrated data over its C2 channel.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|",
"Leviathan has infected victims using watering holes.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1572|Protocol Tunneling|\n\nLeviathan has used protocol tunneling to further conceal C2 communications and infrastructure.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090.003|Multi-hop Proxy|\n\nLeviathan has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nLeviathan has archived victim's data prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nLeviathan has staged data remotely prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1586.001|Social Media Accounts|\n\nLeviathan has compromised social media accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nLeviathan has used external remote services such as virtual private networks (VPN) to gain initial access.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|",
"Leviathan has obtained valid accounts to gain initial access.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Office 365,SaaS,Google Workspace|T1534|Internal Spearphishing|\n\nLeviathan has conducted internal spearphishing within the victim's environment for lateral movement.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1586.002|Email Accounts|\n\nLeviathan has compromised email accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nLeviathan has used steganography to hide stolen data inside other files stored on Github.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nLeviathan has established domains that impersonate legitimate entities to use for targeting efforts. (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)|\n|mitre-attack|enterprise-attack|PRE|T1589.001|Credentials|\n\nLeviathan has collected compromised credentials to use for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|\n\nLeviathan has created new social media accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|\n\nLeviathan has created new email accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|",
"Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.(Citation: FireEye APT40 March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nLeviathan has sent spearphishing email links attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nLeviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nLeviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.(Citation: FireEye APT40 March 2019)(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nLeviathan has targeted RDP credentials and used it to move through the victim environment.(Citation: FireEye APT40 March 2019) |\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nLeviathan has used publicly available tools to dump password hashes, including\n\nHOMEFRY.(Citation: FireEye APT40 March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nLeviathan used ssh for internal reconnaissance.(Citation: FireEye APT40 March 2019)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|",
'Leviathan used ssh for internal reconnaissance.(Citation: FireEye APT40 March 2019)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|\n\nLeviathan has used regsvr32 for execution.(Citation: Proofpoint Leviathan Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1197|BITS Jobs|\n\nLeviathan has used\n\nBITSAdmin to download additional tools.(Citation: FireEye Periscope March 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.003|One-Way Communication|\n\nLeviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.(Citation: FireEye Periscope March 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nLeviathan has sent spearphishing attachments attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nLeviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nLeviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|',
'Leviathan has used stolen code signing certificates to sign malware.(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nLeviathan has used WMI for execution.(Citation: Proofpoint Leviathan Oct 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nLeviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nLeviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.(Citation: Proofpoint Leviathan Oct 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nLeviathan has used VBScript.(Citation: Proofpoint Leviathan Oct 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nLeviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nLeviathan has used PowerShell for execution.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'Leviathan has downloaded additional scripts and files from adversary-controlled servers.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nLeviathan has used C:\\Windows\\Debug and C:\\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nLeviathan has obfuscated code using base64 and gzip compression.(Citation: Proofpoint Leviathan Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1547.009|Shortcut Modification|\n\nLeviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nLeviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.(Citation: Proofpoint Leviathan Oct 2017)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nLeviathan has used WMI for persistence.(Citation: FireEye Periscope March 2018)|',
'LuminousMoth - G1014\n\nCreated: 2023-02-23T15:31:38.829Z\n\nModified: 2023-04-17T21:49:16.371Z\n\nContributors: Kyaw Pyiyt Htet, @KyawPyiytHtet,Zaw Min Htun, @Z3TAE\n\nAliases\n\nLuminousMoth\n\nDescription\n\nLuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)\n\nTechniques Used\n\nLuminousMoth has signed their malware with a valid digital signature.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nLuminousMoth has hosted malicious payloads on Dropbox.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1608.005|Link Target|\n\nLuminousMoth has created a link to a Dropbox file that has been used in their spear-phishing operations.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nLuminousMoth has used unique malware for information theft and exfiltration.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|',
'LuminousMoth has used malware that adds Registry keys for persistence.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nLuminousMoth has used malware that exfiltrates stolen data to its C2 server.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nLuminousMoth has created scheduled tasks to establish persistence for their tools.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1030|Data Transfer Size Limits|\n\nLuminousMoth has split archived files into multiple parts to bypass a 5MB limit.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nLuminousMoth has used a malicious DLL to collect the username from compromised hosts.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nLuminousMoth has collected files and data from compromised machines.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nLuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|',
'LuminousMoth has obtained an ARP spoofing tool from GitHub.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nLuminousMoth has manually archived stolen files from victim machines before exfiltration.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1608.004|Drive-by Target|\n\nLuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1557.002|ARP Cache Poisoning|\n\nLuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nLuminousMoth has exfiltrated data to Google Drive.(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nLuminousMoth has downloaded additional malware and tools onto a compromised host.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nLuminousMoth has used HTTP for C2.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|',
"LuminousMoth has used malware to store malicious binaries in hidden directories on victim's USB drives.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Windows|T1091|Replication Through Removable Media|\n\nLuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1539|Steal Web Session Cookie|\n\nLuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nLuminousMoth has disguised their exfiltration malware as\n\nLuminousMoth has used malicious DLLs that setup persistence in the Registry Key\n\nLuminousMoth has used legitimate executables such as\n\nLuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nLuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.(Citation: Kaspersky LuminousMoth July 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.004|Digital Certificates|\n\nLuminousMoth has used a valid digital certificate for some of their malware.(Citation: Kaspersky LuminousMoth July 2021) |\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nLuminousMoth has obtained and used malware such as",
'LuminousMoth has obtained and used malware such as\n\nCobalt Strike.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)|',
"Machete - G0095\n\nCreated: 2019-09-13T12:37:10.394Z\n\nModified: 2021-10-06T19:26:47.988Z\n\nContributors: Matias Nicolas Porolli, ESET\n\nAliases\n\nMachete,APT-C-43,El Machete\n\nDescription\n\nMachete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)\n\nTechniques Used\n\nMachete has distributed\n\nMachete through a fake blog website.(Citation: Securelist Machete Aug 2014)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nMachete has embedded malicious macros within spearphishing attachments to download additional files.(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nMachete has used batch files to initiate additional downloads of malicious files.(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.007|Msiexec|\n\nMachete has used msiexec to install the\n\nMachete malware.(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nMachete's\n\nMachete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nMachete has created scheduled tasks to maintain",
"Machete has created scheduled tasks to maintain\n\nMachete's persistence.(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nMachete has relied on users opening malicious links delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nMachete has relied on users opening malicious attachments delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nMachete used multiple compiled Python scripts on the victim’s system.\n\nMachete's main backdoor\n\nMachete is also written in Python.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nMachete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nMachete has delivered spearphishing emails that contain a zipped file with malicious contents.(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)|",
'Magic Hound - G0059\n\nCreated: 2018-01-16T16:13:52.465Z\n\nModified: 2023-01-13T21:18:18.077Z\n\nContributors: Anastasios Pingios,Bryan Lee,Daniyal Naeem, BT Security\n\nAliases\n\nMagic Hound,TA453,COBALT ILLUSION,Charming Kitten,ITG18,Phosphorus,Newscaster,APT35\n\nDescription\n\nMagic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)\n\nTechniques Used\n\nMagic Hound has used base64-encoded commands.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,IaaS,Linux,macOS,Google Workspace,SaaS,Network|T1098|Account Manipulation|\n\nMagic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|\n\nMagic Hound has copied tools within a compromised network using RDP.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1016.001|Internet Connection Discovery|',
'Magic Hound has conducted a network call out to a specific website as part of their initial discovery activity.(Citation: DFIR Phosphorus November 2021) |\n|mitre-attack|enterprise-attack|PRE|T1591.001|Determine Physical Locations|\n\nMagic Hound has collected location information from visitors to their phishing sites.(Citation: Google Iran Threats October 2021)|\n|mitre-attack|enterprise-attack|Windows|T1562.002|Disable Windows Event Logging|\n\nMagic Hound has executed scripts to disable the event log service.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows|T1482|Domain Trust Discovery|\n\nMagic Hound has used a web shell to execute\n\nMagic Hound has used an encrypted http proxy in C2 communications.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nMagic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS|T1486|Data Encrypted for Impact|\n\nMagic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations. (Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nMagic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|\n\nMagic Hound has used domain administrator accounts after dumping LSASS process memory.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|',
'Magic Hound has used Fast Reverse Proxy (FRP) for RDP traffic.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1572|Protocol Tunneling|\n\nMagic Hound has used Plink to tunnel RDP over SSH.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1078.001|Default Accounts|\n\nMagic Hound enabled and used the default system managed account, DefaultAccount, via\n\nMagic Hound has used\n\nPing for discovery on targeted networks.(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|PRE|T1592.002|Software|\n\nMagic Hound has captured the user-agent strings from visitors to their phishing sites.(Citation: Google Iran Threats October 2021)|\n|mitre-attack|enterprise-attack|PRE|T1590.005|IP Addresses|\n\nMagic Hound has captured the IP addresses of visitors to their phishing sites.(Citation: Google Iran Threats October 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567|Exfiltration Over Web Service|\n\nMagic Hound has used the Telegram API\n\nMagic Hound has used Remote Desktop Services to copy tools on targeted systems.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nMagic Hound has used quser.exe to identify existing RDP connections.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|',
"Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nMagic Hound has created local accounts named\n\nMagic Hound has used Powershell to discover email accounts.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nMagic Hound has used a tool to run\n\nMagic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic -\n\nMagic Hound has modified Registry settings for security tools.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1070.003|Clear Command History|\n\nMagic Hound has removed mailbox export requests from compromised Exchange servers.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace|T1114.002|Remote Email Collection|\n\nMagic Hound has exported emails from compromised Exchange servers including through use of the cmdlet\n\nMagic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,Office 365,IaaS,Linux,macOS,Containers,Network|T1562|Impair Defenses|\n\nMagic Hound has disabled LSA protection on compromised hosts using\n\nMagic Hound has used\n\nMagic Hound has used scheduled tasks to establish persistence and execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|",
'Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.(Citation: DFIR Report APT35 ProxyShell March 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nMagic Hound has used multiple web shells to gain execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nMagic Hound has conducted watering-hole attacks through media and magazine websites.(Citation: ClearSky Kittens Back 3 August 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nMagic Hound has acquired Amazon S3 buckets to use in C2.(Citation: Check Point APT35 CharmPower January 2022)|\n|mitre-attack|enterprise-attack|PRE|T1595.002|Vulnerability Scanning|\n\nMagic Hound has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j and ProxyShell vulnerabilities; CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in on-premises MS Exchange Servers; and CVE-2018-13379 in Fortinet FortiOS SSL VPNs.(Citation: Check Point APT35 CharmPower January 2022)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|',
'Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Fortios SSL VPNs (CVE-2018-13379).(Citation: Check Point APT35 CharmPower January 2022)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: Cybereason PowerLess February 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nMagic Hound has identified high-value email accounts in academia, journalism, NGO\'s, foreign policy, and national security for targeting.(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589|Gather Victim Identity Information|\n\nMagic Hound has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.(Citation: Proofpoint TA453 July2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nMagic Hound has obtained and used tools like\n\nHavij,\n\nsqlmap, Metasploit,\n\nMimikatz, and Plink.(Citation: Check Point Rocket Kitten)(Citation: FireEye APT35 2018)(Citation: Check Point APT35 CharmPower January 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nMagic Hound has attempted to lure victims into opening malicious links embedded in emails.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'Magic Hound has attempted to lure victims into opening malicious email attachments.(Citation: ClearSky Kittens Back 3 August 2020)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|\n\nMagic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.(Citation: ClearSky Kittens Back 3 August 2020)|\n|mitre-attack|enterprise-attack|PRE|T1584.001|Domains|\n\nMagic Hound has used compromised domains to host links targeted to specific phishing victims.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 July2021)(Citation: Certfa Charming Kitten January 2021)(Citation: Google Iran Threats October 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nMagic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.(Citation: Certfa Charming Kitten January 2021)|\n|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|\n\nMagic Hound has used SMS and email messages with links designed to steal credentials or track victims.(Citation: Certfa Charming Kitten January 2021)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Google Workspace,macOS,Linux|T1114|Email Collection|\n\nMagic Hound has compromised email credentials in order to steal sensitive data.(Citation: Certfa Charming Kitten January 2021)|\n|mitre-attack|enterprise-attack|PRE|T1586.002|Email Accounts|',
"Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.(Citation: IBM ITG18 2020)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|\n\nMagic Hound has established email accounts using fake personas for spearphishing operations.(Citation: IBM ITG18 2020)(Citation: Proofpoint TA453 March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.001|Credentials|\n\nMagic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites.\n\nMagic Hound has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel.(Citation: IBM ITG18 2020)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nMagic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.(Citation: SecureWorks Mia Ash July 2017)(Citation: Microsoft Phosphorus Mar 2019)(Citation: ClearSky Kittens Back 3 August 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nMagic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Google Workspace|T1098.002|Additional Email Delegate Permissions|\n\nMagic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.(Citation: FireEye APT35 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071|Application Layer Protocol|",
'Magic Hound malware has used IRC for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nMagic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.(Citation: Unit 42 Magic Hound Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nMagic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows|T1114.001|Local Email Collection|\n\nMagic Hound has collected .PST archives.(Citation: FireEye APT35 2018)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nMagic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using\n\nMimikatz.(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nMagic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download',
"Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download\n\nPupy.(Citation: Secureworks Cobalt Gypsy Feb 2017)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nMagic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nMagic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.(Citation: Unit 42 Magic Hound Feb 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nMagic Hound has used PowerShell for execution and privilege escalation.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nMagic Hound malware can use a SOAP Web service to communicate with its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|",
'Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nMagic Hound malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nMagic Hound malware can take a screenshot and upload the file to its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nMagic Hound has deleted and overwrote files to cover tracks.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nMagic Hound has downloaded additional code and files from servers onto victims.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nMagic Hound has used the command-line interface for code execution.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|',
"Magic Hound malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nMagic Hound malware has used VBS scripts for execution.(Citation: Unit 42 Magic Hound Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nMagic Hound malware has obtained the victim username and sent it to the C2 server.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nMagic Hound malware gathers the victim's local IP address, MAC address, and external IP address.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nMagic Hound has used HTTP for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nMagic Hound malware can list running processes.(Citation: Unit 42 Magic Hound Feb 2017)|",
"menuPass - G0045\n\nCreated: 2017-05-31T21:32:09.054Z\n\nModified: 2023-03-23T15:06:31.019Z\n\nContributors: Edward Millington,Michael Cox\n\nAliases\n\nmenuPass,Cicada,POTASSIUM,Stone Panda,APT10,Red Apollo,CVNX,HOGFISH\n\nDescription\n\nmenuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)\n\nmenuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)\n\nTechniques Used\n\nmenuPass has used\n\nWevtutil to remove PowerShell execution logs.(Citation: Securelist APT10 March 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nmenuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.(Citation: Securelist APT10 March 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|",
'menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.(Citation: Securelist APT10 March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nmenuPass has used and modified open-source tools like\n\nImpacket,\n\nMimikatz, and\n\npwdump.(Citation: PWC Cloud Hopper Technical Annex April 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1568.001|Fast Flux DNS|\n\nmenuPass has used dynamic DNS service providers to host malicious domains.(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nmenuPass has registered malicious domains for use in intrusion campaigns.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nmenuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nmenuPass has used native APIs including\n\nmenuPass has used Ntdsutil to dump credentials.(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nmenuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472).(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nmenuPass has used the Csvde tool to collect Active Directory files and data.(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.004|InstallUtil|\n\nmenuPass has used',
'menuPass has used\n\nmenuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.003|Rename System Utilities|\n\nmenuPass has renamed\n\ncertutil and moved it to a different location on the system to avoid detection based on use of the tool.(Citation: FireEye APT10 Sept 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nmenuPass has used\n\nesentutl to change file extensions to their true type that were masquerading as .txt files.(Citation: FireEye APT10 Sept 2018) |\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nmenuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.(Citation: PWC Cloud Hopper April 2017)(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nmenuPass has used key loggers to steal usernames and passwords.(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nmenuPass has collected various files from the compromised computers.(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020)\n|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560|Archive Collected Data|',
'menuPass has encrypted files and information before exfiltration.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nmenuPass has been seen changing malicious files to appear legitimate.(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nmenuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows|T1055.012|Process Hollowing|\n\nmenuPass has used process hollowing in iexplore.exe to load the\n\nRedLeaves implant.(Citation: Accenture Hogfish April 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|A\n\nmenuPass macro deletes files after it has decoded and decompressed them.(Citation: Accenture Hogfish April 2018)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nmenuPass has used\n\ncertutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used\n\nUPPERCUT.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|\n\nmenuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: Symantec Cicada November 2020)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nmenuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: FireEye APT10 Sept 2018)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nmenuPass has used Putty Secure Copy Client (PSCP) to transfer data.(Citation: PWC Cloud Hopper April 2017)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|',
'menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments.(Citation: PWC Cloud Hopper April 2017)(Citation: Symantec Cicada November 2020)(Citation: District Court of NY APT10 Indictment December 2018)(Citation: Securelist APT10 March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nmenuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.(Citation: PWC Cloud Hopper Technical Annex April 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nmenuPass uses\n\nPowerSploit to inject shellcode into PowerShell.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nmenuPass has used DLL search order hijacking.(Citation: PWC Cloud Hopper April 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nmenuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.(Citation: PWC Cloud Hopper Technical Annex April 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nmenuPass has compressed files before exfiltration using TAR and RAR.(Citation: PWC Cloud Hopper April 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nmenuPass has used tcping.exe, similar to',
'menuPass has used tcping.exe, similar to\n\nPing, to probe port status on systems of interest.(Citation: PWC Cloud Hopper Technical Annex April 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nmenuPass has installed updates and new malware on victims.(Citation: PWC Cloud Hopper April 2017)(Citation: District Court of NY APT10 Indictment December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nmenuPass has collected data from remote systems by mounting network shares with\n\nmenuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.(Citation: PWC Cloud Hopper April 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nmenuPass uses scripts to enumerate IP ranges on the victim network.\n\nmenuPass has also issued the command\n\nPlugX implant to gather information about remote systems on the network.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nmenuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.(Citation: PWC Cloud Hopper April 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)(Citation: FireEye APT10 Sept 2018)\n\nmenuPass has used malicious macros embedded inside Office documents to execute files.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|',
"menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nmenuPass has used\n\nmenuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as\n\nUPPERCUT.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 Sept 2018)(Citation: Symantec Cicada November 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nmenuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.(Citation: FireEye APT10 April 2017)(Citation: FireEye APT10 Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nmenuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.(Citation: PWC Cloud Hopper Technical Annex April 2017)|\n|mitre-attack|enterprise-attack|Windows|T1003.002|Security Account Manager|\n\nmenuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nmenuPass has used RDP connections to move across the victim network.(Citation: PWC Cloud Hopper April 2017)(Citation: District Court of NY APT10 Indictment December 2018)|",
'Metador - G1013\n\nCreated: 2023-01-25T23:57:51.818Z\n\nModified: 2023-04-14T12:25:35.434Z\n\nContributors: Massimiliano Romano, BT Security,Sittikorn Sangrattanapitak\n\nAliases\n\nMetador\n\nDescription\n\nMetador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group\'s malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)\n\nTechniques Used\n\nMetador has encrypted their payloads.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nMetador has quickly deleted\n\nMetador has used Microsoft\'s Console Debugger in some of their operations.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nMetador has downloaded tools and malware onto a compromised system.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nMetador has used the Windows command line to execute commands.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nMetador has established persistence through the use of a WMI event subscription combined with unusual living-off-the-land binaries such as\n\nMetador has used unique malware in their operations, including\n\nmetaMain and\n\nMafalda.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|',
'Mafalda.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|\n\nMetador has used TCP for C2.(Citation: SentinelLabs Metador Sept 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nMetador has used HTTP for C2.(Citation: SentinelLabs Metador Sept 2022)|',
'Moafee - G0002\n\nCreated: 2017-05-31T21:31:46.025Z\n\nModified: 2020-03-30T19:09:42.298Z\n\nContributors:\n\nAliases\n\nMoafee\n\nDescription\n\nMoafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|Moafee has been known to employ binary padding.(Citation: Haq 2014)|',
"Mofang - G0103\n\nCreated: 2020-05-12T21:23:59.021Z\n\nModified: 2020-05-29T03:30:39.739Z\n\nContributors:\n\nAliases\n\nMofang\n\nDescription\n\nMofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)\n\nTechniques Used\n\nMofang delivered spearphishing emails with malicious links included.(Citation: FOX-IT May 2016 Mofang)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nMofang's spearphishing emails required a user to click the link to connect to a compromised website.(Citation: FOX-IT May 2016 Mofang)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nMofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.(Citation: FOX-IT May 2016 Mofang)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nMofang's malicious spearphishing attachments required a user to open the file after receiving.(Citation: FOX-IT May 2016 Mofang)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nMofang has compressed the\n\nShimRat executable within malicious email attachments.\n\nMofang has also encrypted payloads before they are downloaded to victims.(Citation: FOX-IT May 2016 Mofang)|",
"Molerats - G0021\n\nCreated: 2017-05-31T21:31:55.093Z\n\nModified: 2021-04-27T20:16:16.057Z\n\nContributors:\n\nAliases\n\nMolerats,Operation Molerats,Gaza Cybergang\n\nDescription\n\nMolerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)\n\nTechniques Used\n\nMolerats has used msiexec.exe to execute an MSI payload.(Citation: Unit42 Molerat Mar 2020) |\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nMolerats has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nMolerats decompresses ZIP files once on the victim machine.(Citation: Kaspersky MoleRATs April 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nMolerats used PowerShell implants on target machines.(Citation: Kaspersky MoleRATs April 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nMolerats used various implants, including those built with JS, on target machines.(Citation: Kaspersky MoleRATs April 2019) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|",
'Molerats used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nMolerats has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nMolerats has sent phishing emails with malicious Microsoft Word and PDF attachments.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nMolerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)(Citation: Cybereason Molerats Dec 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nMolerats has sent malicious links via email trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nMolerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'Molerats used executables to download malicious files from different sources.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) |\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nMolerats saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nMolerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.(Citation: DustySky)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nMolerats has used forged Microsoft code-signing certificates on malware.(Citation: FireEye Operation Molerats)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nMolerats actors obtained a list of active processes on the victim and sent them to C2 servers.(Citation: DustySky)|',
"Moses Staff - G1009\n\nCreated: 2022-08-11T22:47:27.686Z\n\nModified: 2022-10-24T18:50:12.653Z\n\nContributors: Hiroki Nagahama, NEC Corporation,Pooja Natarajan, NEC Corporation India,Manikantan Srinivasan, NEC Corporation India\n\nAliases\n\nMoses Staff\n\nDescription\n\nMoses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021)\n\nSecurity researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)\n\nTechniques Used\n\nMoses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nMoses Staff has used batch scripts that can enable SMB on a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.001|Local Account|\n\nMoses Staff has collected the administrator username from a compromised host.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nMoses Staff has used signed drivers from an open source tool called DiskCryptor to evade detection.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nMoses Staff has downloaded and installed web shells to following path",
"Moses Staff has downloaded and installed web shells to following path\n\nMoses Staff collected information about the infected host, including the machine names and OS architecture.(Citation: Checkpoint MosesStaff Nov 2021)\n|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nMoses Staff has collected the domain name of a compromised network.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nMoses Staff has used obfuscated web shells in their operations.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nMoses Staff has built malware, such as\n\nDCSrv and\n\nPyDCrypt, for targeting victims' machines.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nMoses Staff has used the commercial tool DiskCryptor.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nMoses Staff has dropped a web shell onto a compromised system.(Citation: Checkpoint MosesStaff Nov 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nMoses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.(Citation: Checkpoint MosesStaff Nov 2021)|",
"MuddyWater - G0069\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2023-03-22T04:59:16.032Z\n\nContributors: Ozer Sarilar, @ozersarilar, STM,Daniyal Naeem, BT Security\n\nAliases\n\nMuddyWater,Earth Vetala,MERCURY,Static Kitten,Seedworm,TEMP.Zagros\n\nDescription\n\nMuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)\n\nTechniques Used\n\nMuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.(Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|\n\nMuddyWater has used AES to encrypt C2 responses.(Citation: Talos MuddyWater Jan 2022)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nMuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).(Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|",
"MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).(Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nMuddyWater has stored a decoy PDF file within a victim's\n\nMuddyWater has used JavaScript files to execute its\n\nPOWERSTATS payload.(Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)(Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nMuddyWater can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nMuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.(Citation: Trend Micro Muddy Water March 2021)(Citation: Anomali Static Kitten February 2021) |\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nMuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nMuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nMuddyWater has used developed tools in Python including\n\nOut1.(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|",
'Out1.(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nMuddyWater has used\n\nMuddyWater has sent targeted spearphishing e-mails with malicious links.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nMuddyWater has distributed URLs in phishing e-mails that link to lure documents.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nMuddyWater has specifically targeted government agency employees with spearphishing e-mails.(Citation: Anomali Static Kitten February 2021) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nMuddyWater has used web services including OneHub to distribute remote access tools.(Citation: Anomali Static Kitten February 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|MuddyWater has made use of legitimate tools ConnectWise and Remote Utilities to gain access to target environment.(Citation: Anomali Static Kitten February 2021)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nMuddyWater has used file sharing services including OneHub to distribute tools.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nMuddyWater has used C2 infrastructure to receive exfiltrated data.(Citation: Reaqta MuddyWater November 2017)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|',
'MuddyWater has used scheduled tasks to establish persistence.(Citation: Reaqta MuddyWater November 2017)|\n|mitre-attack|enterprise-attack|Windows,Office 365|T1137.001|Office Template Macros|\n\nMuddyWater has used a Word Template, Normal.dotm, for persistence.(Citation: Reaqta MuddyWater November 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nMuddyWater has used tools to encode C2 communications including Base64 encoding.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nMuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.(Citation: ClearSky MuddyWater June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nMuddyWater has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nMuddyWater has performed credential dumping with\n\nLaZagne and other tools, including by dumping passwords saved in victim email.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1003.005|Cached Domain Credentials|\n\nMuddyWater has performed credential dumping with\n\nLaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1003.004|LSA Secrets|\n\nMuddyWater has performed credential dumping with',
'MuddyWater has performed credential dumping with\n\nLaZagne.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nMuddyWater has used VBScript files to execute its\n\nPOWERSTATS payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nMuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.(Citation: ClearSky MuddyWater Nov 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nMuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1104|Multi-Stage Channels|\n\nMuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.(Citation: Talos MuddyWater May 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.004|Compile After Delivery|',
'MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.(Citation: ClearSky MuddyWater Nov 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nMuddyWater has used malware that can collect the victim’s username.(Citation: Securelist MuddyWater Oct 2018)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nMuddyWater has used malware to collect the victim’s IP address and domain name.(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nMuddyWater has used malware that can capture screenshots of the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nMuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nMuddyWater has used malware that can collect the victim’s OS version and machine name.(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nMuddyWater has used malware that can execute PowerShell scripts via DDE.(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|',
'MuddyWater has used malware to obtain a list of running processes on the system.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nMuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nMuddyWater has used malware that can upload additional files to the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nMuddyWater has used a custom tool for creating reverse shells.(Citation: Symantec MuddyWater Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1559.001|Component Object Model|\n\nMuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nMuddyWater has run a tool that steals passwords saved in victim email.(Citation: Symantec MuddyWater Dec 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|',
'MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.(Citation: Symantec MuddyWater Dec 2018)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nMuddyWater has used malware that leveraged WMI for execution and querying host information.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nMuddyWater has controlled\n\nPOWERSTATS from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018)\n\nMuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nMuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|\n\nMuddyWater uses various techniques to bypass UAC.(Citation: ClearSky MuddyWater Nov 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022) |\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nMuddyWater has used PowerShell for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nMuddyWater has used mshta.exe to execute its\n\nPOWERSTATS payload and to pass a PowerShell one-liner for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|',
'MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) (Citation: DHS CISA AA22-055A MuddyWater February 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nMuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.(Citation: FireEye MuddyWater Mar 2018)(Citation: Talos MuddyWater May 2019)(Citation: Anomali Static Kitten February 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nMuddyWater decoded base64-encoded PowerShell commands using a VBS file.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater Jan 2022)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nMuddyWater has performed credential dumping with\n\nMimikatz and procdump64.exe.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: Trend Micro Muddy Water March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.003|CMSTP|\n\nMuddyWater has used CMSTP.exe and a malicious INF to execute its\n\nPOWERSTATS payload.(Citation: FireEye MuddyWater Mar 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nMuddyWater has added Registry Run key',
'MuddyWater has added Registry Run key\n\nMuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)|',
'Mustang Panda - G0129\n\nCreated: 2021-04-12T15:56:28.861Z\n\nModified: 2023-03-22T22:01:13.781Z\n\nContributors: Kyaw Pyiyt Htet, @KyawPyiytHtet\n\nAliases\n\nMustang Panda,TA416,RedDelta,BRONZE PRESIDENT\n\nDescription\n\nMustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)\n\nTechniques Used\n\nMustang Panda has delivered web bugs to profile their intended targets.(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nMustang Panda has hosted malicious payloads on DropBox including\n\nPlugX.(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nMustang Panda has used DropBox URLs to deliver variants of\n\nPlugX.(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|\n\nMustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|PRE|T1608|Stage Capabilities|\n\nMustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|Windows|T1036.007|Double File Extension|',
'Mustang Panda has used an additional filename extension to hide the true file type.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.003|Archive via Custom Method|\n\nMustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.004|InstallUtil|\n\nMustang Panda has used\n\nMustang Panda has used a customized\n\nPlugX variant which could spread through USB connections.(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1052.001|Exfiltration over USB|\n\nMustang Panda has used a customized\n\nPlugX variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nMustang Panda has used\n\nMustang Panda has gathered system information using\n\nMustang Panda has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nMustang Panda has used names like\n\nPlugX, and a file named\n\nCobalt Strike payload.(Citation: Recorded Future REDDELTA July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nMustang Panda has used junk code within their DLL files to hinder analysis.(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nMustang Panda has used',
"Mustang Panda has used\n\nMustang Panda has encrypted C2 communications with RC4.(Citation: Recorded Future REDDELTA July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nMustang Panda has used\n\nMustang Panda has downloaded additional executables following the initial infection stage.(Citation: Recorded Future REDDELTA July 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nMustang Panda has created the registry key\n\nMustang Panda's\n\nPlugX variant has created a hidden folder on USB drives named\n\nMustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nMustang Panda has delivered malicious links to their intended targets.(Citation: McAfee Dianxun March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nMustang Panda used custom batch scripts to collect files automatically from a targeted system.(Citation: Secureworks BRONZE PRESIDENT December 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nMustang Panda has installed TeamViewer on targeted systems.(Citation: Secureworks BRONZE PRESIDENT December 2019)|\n|mitre-attack|enterprise-attack|Windows|T1003.003|NTDS|\n\nMustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file.\n\nMustang Panda has also used\n\nMustang Panda has stored collected credential files in",
"Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file.\n\nMustang Panda has also used\n\nMustang Panda has stored collected credential files in\n\nMustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nMustang Panda will delete their tools and files, and kill processes after their objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nMustang Panda have acquired C2 domains prior to operations.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nMustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nMustang Panda has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nMustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nMustang Panda has searched the victim system for the",
'Mustang Panda has searched the victim system for the\n\nMustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nMustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nMustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nMustang Panda has executed PowerShell scripts via WMI.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nMustang Panda has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|',
'Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nMustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.(Citation: Crowdstrike MUSTANG PANDA June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nMustang Panda has delivered initial payloads hidden using archives and encoding measures.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nMustang Panda has sent malicious files requiring direct victim interaction to execute.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)(Citation: Recorded Future REDDELTA July 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Proofpoint TA416 Europe March 2022)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nMustang Panda has used malicious PowerShell scripts to enable execution.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|',
'Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)|',
"Naikon - G0019\n\nCreated: 2017-05-31T21:31:54.232Z\n\nModified: 2021-08-19T18:23:23.507Z\n\nContributors: Kyaw Pyiyt Htet, @KyawPyiytHtet\n\nAliases\n\nNaikon\n\nDescription\n\nNaikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015)\n\nWhile Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)\n\nTechniques Used\n\nNaikon renamed a malicious service\n\nNaikon has modified a victim's Windows Run registry to establish persistence.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nNaikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nNaikon has used the LadonGo scanner to scan target networks.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nNaikon has used a netbios scanner for remote machine identification.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|",
"Naikon has used a netbios scanner for remote machine identification.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nNaikon has used WMIC.exe for lateral movement.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nNaikon has used schtasks.exe for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|\n\nNaikon has used administrator credentials for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nNaikon has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nNaikon has convinced victims to open malicious attachments to execute malware.(Citation: CheckPoint Naikon May 2020)|\n|mitre-attack|enterprise-attack|Windows,Office 365|T1137.006|Add-ins|\n\nNaikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.(Citation: CheckPoint Naikon May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nNaikon has used DLL side-loading to load malicious DLL's into legitimate executables.(Citation: CheckPoint Naikon May 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nNaikon uses commands such as\n\nNaikon uses commands such as",
"Nomadic Octopus - G0133\n\nCreated: 2021-08-24T17:04:27.002Z\n\nModified: 2022-09-02T18:03:55.294Z\n\nContributors:\n\nAliases\n\nNomadic Octopus,DustSquad\n\nDescription\n\nNomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)\n\nTechniques Used\n\nNomadic Octopus as attempted to lure victims into clicking on malicious attachments within spearphishing emails.(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1564.003|Hidden Window|\n\nNomadic Octopus executed PowerShell in a hidden window.(Citation: ESET Nomadic Octopus 2018) |\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nNomadic Octopus has used PowerShell for execution.(Citation: ESET Nomadic Octopus 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nNomadic Octopus has used malicious macros to download additional files to the victim's machine.(Citation: ESET Nomadic Octopus 2018) |\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nNomadic Octopus used\n\nNomadic Octopus attempted to make\n\nOctopus appear as a Telegram Messenger with a Russian interface.(Citation: Securelist Octopus Oct 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|",
'Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)|',
'OilRig - G0049\n\nCreated: 2017-12-14T16:46:06.044Z\n\nModified: 2023-02-06T20:58:52.317Z\n\nContributors: Robert Falcone,Bryan Lee,Dragos Threat Intelligence\n\nAliases\n\nOilRig,COBALT GYPSY,IRN2,APT34,Helix Kitten,Evasive Serpens\n\nDescription\n\nOilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)\n\nTechniques Used\n\nOilRig has used tools to identify if a mouse is connected to a targeted system.(Citation: Check Point APT34 April 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nOilRig has used VBSscipt macros for execution on compromised hosts.(Citation: Check Point APT34 April 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1497.001|System Checks|\n\nOilRig has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT34 April 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|',
'OilRig has used .doc file extensions to mask malicious executables.(Citation: Check Point APT34 April 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1555.004|Windows Credential Manager|\n\nOilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Office 365|T1137.004|Outlook Home Page|\n\nOilRig has abused the Outlook Home Page feature for persistence.\n\nOilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.(Citation: FireEye Outlook Dec 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|\n\nOilRig has used macros to deliver malware such as\n\nQUADAGENT and\n\nOopsIE.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)\n\nOilRig has used batch scripts.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nOilRig has used credential dumping tools such as\n\nLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)',
'OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nOilRig has used credential dumping tools such as\n\nLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.005|Cached Domain Credentials|\n\nOilRig has used credential dumping tools such as\n\nLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.004|LSA Secrets|\n\nOilRig has used credential dumping tools such as\n\nLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1069.002|Domain Groups|\n\nOilRig has used\n\nOilRig has run',
'OilRig has used\n\nOilRig has run\n\nOilRig has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.004|DNS|\n\nOilRig has used DNS for C2 including the publicly available\n\nOilRig has used the Plink utility and other tools to create tunnels to C2 servers.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nOilRig has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nOilRig has used credential dumping tools such as\n\nLaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS,IaaS,Network|T1201|Password Policy Discovery|\n\nOilRig has used net.exe in a script with\n\nOilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.(Citation: FireEye APT34 Webinar Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1113|Screen Capture|',
"OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.(Citation: FireEye APT34 Webinar Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nOilRig has sent spearphising emails with malicious links to potential victims.(Citation: Unit 42 OopsIE! Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nOilRig has used keylogging tools called KEYPUNCH and LONGWATCH.(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)\n\nOilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.(Citation: FireEye APT34 Webinar Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nOilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nOilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|",
'OilRig has used brute force techniques to obtain credentials.(Citation: FireEye APT34 Webinar Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1573.002|Asymmetric Cryptography|\n\nOilRig used the Plink utility and other tools to create tunnels to C2 servers.(Citation: FireEye APT34 Webinar Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nOilRig can download remote files onto victims.(Citation: FireEye APT34 Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.001|Compiled HTML File|\n\nOilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.(Citation: Palo Alto OilRig May 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nOilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Check Point APT34 April 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|\n\nOilRig has used WMI for execution.(Citation: FireEye APT34 Webinar Dec 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS|T1021.004|SSH|\n\nOilRig has used Putty to access compromised systems.(Citation: Unit42 OilRig Playbook 2023)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.001|LSASS Memory|\n\nOilRig has used credential dumping tools such as',
'OilRig has used credential dumping tools such as\n\nMimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT35 2018)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nOilRig has used various types of scripting for execution.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig ISMAgent July 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nOilRig has used\n\nOilRig has run\n\nOilRig has run\n\nOilRig has used\n\nOilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.(Citation: Palo Alto OilRig Oct 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|\n\nOilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Crowdstrike Helix Kitten Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|',
'OilRig has used compromised credentials to access other systems on a victim network.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nOilRig has used\n\nOilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.(Citation: OilRig ISMAgent July 2017)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nOilRig has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Playbook 2023)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nOilRig has run\n\nOilRig macro has run a PowerShell command to decode file contents.\n\nOilRig has also used\n\ncertutil to decode base64-encoded files on victims.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.001|Web Protocols|',
'OilRig has used HTTP for C2.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nOilRig has run\n\nOilRig has used automated collection.(Citation: Unit42 OilRig Playbook 2023)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nOilRig has deleted files associated with their payload after execution.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 OopsIE! Feb 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nOilRig has run\n\nOilRig has used web shells, often to maintain access to a victim network.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1012|Query Registry|\n\nOilRig has used\n\nOilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|',
'OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.(Citation: Palo Alto OilRig April 2017)(Citation: Unit42 OilRig Nov 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Engineering Workstation,Human-Machine Interface,Control Server,Data Historian|T0865|Spearphishing Attachment|\n\nOilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. (Citation: Robert Falcone, Bryan Lee May 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Engineering Workstation|T0853|Scripting|\n\nOilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Control Server,Data Historian,Engineering Workstation,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server,Safety Instrumented System/Protection Relay|T0859|Valid Accounts|\n\nOilRig utilized stolen credentials to gain access to victim machines.(Citation: Dragos)|\n|mitre-attack|enterprise-attack,ics-attack|None|T0817|Drive-by Compromise|\n\nOilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)|\n|mitre-attack|enterprise-attack,ics-attack|Human-Machine Interface,Control Server,Data Historian,Engineering Workstation|T0869|Standard Application Layer Protocol|\n\nOilRig communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)|',
'Orangeworm - G0071\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2021-10-26T22:29:09.327Z\n\nContributors: Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre\n\nAliases\n\nOrangeworm\n\nDescription\n\nOrangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.(Citation: Symantec Orangeworm April 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|Orangeworm has used HTTP for C2.(Citation: Symantec Orangeworm IOCs April 2018)|',
'Patchwork - G0040\n\nCreated: 2017-05-31T21:32:07.145Z\n\nModified: 2023-03-22T05:08:20.780Z\n\nContributors:\n\nAliases\n\nPatchwork,Hangover Group,Dropping Elephant,Chinastrats,MONSOON,Operation Hangover\n\nDescription\n\nPatchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)\n\nTechniques Used\n\nPatchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nPatchwork has obtained and used open-source tools such as\n\nQuasarRAT.(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|PRE|T1587.002|Code Signing Certificates|\n\nPatchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.(Citation: Unit 42 BackConfig May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|',
"Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1197|BITS Jobs|\n\nPatchwork has used BITS jobs to download malicious payloads.(Citation: Unit 42 BackConfig May 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nPatchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nPatchwork used Visual Basic Scripts (VBS) on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nPatchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560|Archive Collected Data|\n\nPatchwork encrypted the collected files' path with AES and then encoded them with base64.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|A\n\nPatchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|",
'Patchwork leveraged the DDE protocol to deliver their malware.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nPatchwork removed certain files and replaced them so they could not be retrieved.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|A\n\nPatchwork .dll that contains\n\nBADNEWS is loaded and executed using DLL side-loading.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|A\n\nPatchwork file stealer can run a TaskScheduler DLL to add persistence.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|\n\nPatchwork apparently altered\n\nNDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nPatchwork developed a file stealer to search C:\\ and collect files with certain extensions.\n\nPatchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nPatchwork has obfuscated a script with Crypto Obfuscator.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.001|Binary Padding|\n\nPatchwork apparently altered\n\nNDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|',
'Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nPatchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: Symantec Patchwork)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nPatchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nPatchwork has used spearphishing with links to deliver files with exploits to initial victims.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Unit 42 BackConfig May 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nPatchwork has used watering holes to deliver files with exploits to initial victims.(Citation: Symantec Patchwork)(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|A',
'Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1055.012|Process Hollowing|A\n\nPatchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.(Citation: Cymmetria Patchwork)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.001|Dead Drop Resolver|\n\nPatchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.(Citation: Securelist Dropping Elephant)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nPatchwork payloads download additional files from the C2 server.(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|A\n\nPatchwork payload was packed with UPX.(Citation: Securelist Dropping Elephant)|\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nPatchwork attempted to use RDP to move laterally.(Citation: Cymmetria Patchwork)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nPatchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nPatchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.',
'Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.\n\nPatchwork also enumerated all available drives on the victim\'s machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nPatchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as “Net Monitor."(Citation: Cymmetria Patchwork) They have also dropped\n\nQuasarRAT binaries as files named microsoft_network.exe and crome.exe.(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nPatchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).(Citation: Cymmetria Patchwork)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nPatchwork used Base64 to encode C2 traffic.(Citation: Cymmetria Patchwork)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nPatchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nPatchwork dumped the login data database from\n\nPatchwork used',
"Patchwork dumped the login data database from\n\nPatchwork used\n\nPowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nPatchwork ran a reverse shell with Meterpreter.(Citation: Cymmetria Patchwork)\n\nPatchwork used JavaScript code and .SCT files on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|\n\nPatchwork bypassed User Access Control (UAC).(Citation: Cymmetria Patchwork)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nPatchwork collected and exfiltrated files from the infected system.(Citation: Cymmetria Patchwork)|",
'PittyTiger - G0011\n\nCreated: 2017-05-31T21:31:50.198Z\n\nModified: 2021-10-12T23:11:41.368Z\n\nContributors:\n\nAliases\n\nPittyTiger\n\nDescription\n\nPittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|PittyTiger has obtained and used tools such as Mimikatz and gsecdump.(Citation: Bizeul 2014)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|PittyTiger attempts to obtain legitimate credentials during operations.(Citation: Bizeul 2014)|',
'PLATINUM - G0068\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2021-04-22T00:39:49.529Z\n\nContributors: Ryan Becwar\n\nAliases\n\nPLATINUM\n\nDescription\n\nPLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)\n\nTechniques Used\n\nPLATINUM has renamed rar.exe to avoid detection.(Citation: Twitter ItsReallyNick Platinum Masquerade)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nPLATINUM has used keyloggers that are also capable of dumping credentials.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Windows|T1056.004|Credential API Hooking|\n\nPLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nPLATINUM has used several different keyloggers.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nPLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nPLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.(Citation: Microsoft PLATINUM June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|',
'PLATINUM has leveraged a zero-day vulnerability to escalate privileges.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,Network|T1095|Non-Application Layer Protocol|\n\nPLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.(Citation: Microsoft PLATINUM June 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nPLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nPLATINUM has used various methods of process injection including hot patching.(Citation: Microsoft PLATINUM April 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nPLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.(Citation: Microsoft PLATINUM April 2016)|',
'POLONIUM - G1005\n\nCreated: 2022-07-01T19:07:04.253Z\n\nModified: 2022-08-10T12:31:10.192Z\n\nContributors:\n\nAliases\n\nPOLONIUM\n\nDescription\n\nPOLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)\n\nTechniques Used\n\nPOLONIUM has exfiltrated stolen data to\n\nPOLONIUM-owned OneDrive and Dropbox accounts.(Citation: Microsoft POLONIUM June 2022) |\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nPOLONIUM has obtained and used tools such as AirVPN and plink in their operations.(Citation: Microsoft POLONIUM June 2022) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nPOLONIUM has used OneDrive and DropBox for C2.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nPOLONIUM has used the AirVPN service for operational activity.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nPOLONIUM has used valid compromised credentials to gain access to victim environments.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|',
'POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company.(Citation: Microsoft POLONIUM June 2022)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nPOLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.(Citation: Microsoft POLONIUM June 2022)|',
"Poseidon Group - G0033\n\nCreated: 2017-05-31T21:32:04.179Z\n\nModified: 2020-03-18T20:25:54.945Z\n\nContributors:\n\nAliases\n\nPoseidon Group\n\nDescription\n\nPoseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)\n\nTechniques Used\n\nPoseidon Group searches for administrator accounts on both the local victim machine and the network.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nPoseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nPoseidon Group searches for administrator accounts on both the local victim machine and the network.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|The\n\nPoseidon Group's Information Gathering Tool (IGT) includes PowerShell components.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|After compromising a victim,\n\nPoseidon Group discovers all running services.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nPoseidon Group obtains and saves information about victim network interfaces and addresses.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|",
'Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.(Citation: Kaspersky Poseidon Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|After compromising a victim,\n\nPoseidon Group lists all running processes.(Citation: Kaspersky Poseidon Group)|',
'PROMETHIUM - G0056\n\nCreated: 2018-01-16T16:13:52.465Z\n\nModified: 2020-10-22T18:12:48.893Z\n\nContributors:\n\nAliases\n\nPROMETHIUM,StrongPity\n\nDescription\n\nPROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)\n\nTechniques Used\n\nPROMETHIUM has created self-signed certificates to sign malicious installers.(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|PRE|T1587.003|Digital Certificates|\n\nPROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.(Citation: Talos Promethium June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nPROMETHIUM has created new services and modified existing services for persistence.(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nPROMETHIUM has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nPROMETHIUM has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1205.001|Port Knocking|',
'PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nPROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nPROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nPROMETHIUM has signed code with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nPROMETHIUM has used Registry run keys to establish persistence.(Citation: Talos Promethium June 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nPROMETHIUM has used watering hole attacks to deliver malicious versions of legitimate installers.(Citation: Bitdefender StrongPity June 2020)|',
'Putter Panda - G0024\n\nCreated: 2017-05-31T21:31:56.785Z\n\nModified: 2020-03-30T19:15:04.771Z\n\nContributors:\n\nAliases\n\nPutter Panda,APT2,MSUpdater\n\nDescription\n\nPutter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).(Citation: CrowdStrike Putter Panda)|\n|mitre-attack|enterprise-attack|Windows|T1055.001|Dynamic-link Library Injection|An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).(Citation: CrowdStrike Putter Panda)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.(Citation: CrowdStrike Putter Panda)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with a value named McUpdate.(Citation: CrowdStrike Putter Panda)|',
'Rancor - G0075\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2020-03-30T19:15:49.217Z\n\nContributors:\n\nAliases\n\nRancor\n\nDescription\n\nRancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. (Citation: Rancor Unit42 June 2018)\n\nTechniques Used\n\nRancor has used VBS scripts as well as embedded macros for execution.(Citation: Rancor Unit42 June 2018)|\n|mitre-attack|enterprise-attack|Windows|T1218.007|Msiexec|\n\nRancor has used\n\nRancor has used cmd.exe to execute commands.(Citation: Rancor Unit42 June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nRancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.(Citation: Rancor Unit42 June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nRancor has downloaded additional malware, including by using\n\ncertutil.(Citation: Rancor Unit42 June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nRancor has used HTTP for C2.(Citation: Rancor Unit42 June 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nRancor has attached a malicious document to an email to gain initial access.(Citation: Rancor Unit42 June 2018)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nRancor launched a scheduled task to gain persistence using the',
'Rocke - G0106\n\nCreated: 2020-05-26T14:20:20.623Z\n\nModified: 2020-06-19T20:41:21.215Z\n\nContributors:\n\nAliases\n\nRocke\n\nDescription\n\nRocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)\n\nTechniques Used\n\nRocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071|Application Layer Protocol|\n\nRocke issued wget requests from infected systems to the C2.(Citation: Talos Rocke August 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|\n\nRocke has used Pastebin, Gitee, and GitLab for Command and Control.(Citation: Anomali Rocke March 2019)(Citation: Talos Rocke August 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nRocke has extracted tar.gz files after downloading them from a C2 server.(Citation: Talos Rocke August 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nRocke has used shell scripts which download mining executables and saves them with the filename "java".(Citation: Talos Rocke August 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1574.006|Dynamic Linker Hijacking|',
"Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nRocke has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nRocke has modified UPX headers after packing files to break unpackers.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.004|Compile After Delivery|\n\nRocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nRocke has spread its coinminer via SSH.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1552.004|Private Keys|\n\nRocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nRocke has used uname -m to collect the name and information about the infected system's kernel.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1070.002|Clear Linux or Mac System Logs|\n\nRocke has cleared log files within the /var/log/ folder.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1496|Resource Hijacking|",
'Rocke has distributed cryptomining malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nRocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nRocke used malware to download additional malicious files to the target system.(Citation: Talos Rocke August 2018) |\n|mitre-attack|enterprise-attack|macOS,Linux|T1059.004|Unix Shell|\n\nRocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.(Citation: Talos Rocke August 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS|T1053.003|Cron|\n\nRocke installed a cron job that downloaded and executed files from the C2.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nRocke has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|\n\nRocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.(Citation: Talos Rocke August 2018)(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|',
'Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.(Citation: Talos Rocke August 2018) |\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nRocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nRocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nRocke downloaded a file "libprocesshider", which could hide files on the target system.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nRocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.(Citation: Talos Rocke August 2018) |\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nRocke\'s miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018) |\n|mitre-attack|enterprise-attack|Windows|T1055.002|Portable Executable Injection|\n\nRocke\'s miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.(Citation: Talos Rocke August 2018) |\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|',
'Rocke\'s miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.001|Dead Drop Resolver|\n\nRocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.(Citation: Anomali Rocke March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nRocke has deleted files on infected machines.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nRocke can detect a running process\'s PID on the infected machine.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|macOS,Linux|T1222.002|Linux and Mac File and Directory Permissions Modification|\n\nRocke has changed file permissions of files so they could not be modified.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.006|Timestomp|\n\nRocke has changed the time stamp of certain files.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1037|Boot or Logon Initialization Scripts|\n\nRocke has installed an "init.d" startup script to maintain persistence.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux|T1543.002|Systemd Service|\n\nRocke has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|',
"Rocke's miner connects to a C2 server using port 51640.(Citation: Anomali Rocke March 2019) |",
'RTM - G0048\n\nCreated: 2017-05-31T21:32:10.206Z\n\nModified: 2020-05-12T22:16:44.650Z\n\nContributors: Oleg Skulkin, Group-IB\n\nAliases\n\nRTM\n\nDescription\n\nRTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)\n\nTechniques Used\n\nRTM has attempted to lure victims into opening e-mail attachments to execute malicious code.(Citation: Group IB RTM August 2019)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nRTM has used search order hijacking to force TeamViewer to load a malicious DLL.(Citation: Group IB RTM August 2019)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nRTM has used a modified version of TeamViewer and Remote Utilities for remote access.(Citation: Group IB RTM August 2019)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nRTM has used Registry run keys to establish persistence for the\n\nRTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.(Citation: ESET RTM Feb 2017)(Citation: Group IB RTM August 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nRTM has used spearphishing attachments to distribute its malware.(Citation: Group IB RTM August 2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nRTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network\n\nRTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.(Citation: ESET RTM Feb 2017)|',
"Sandworm Team - G0034\n\nCreated: 2017-05-31T21:32:04.588Z\n\nModified: 2023-03-08T22:12:31.238Z\n\nContributors: Dragos Threat Intelligence\n\nAliases\n\nSandworm Team,ELECTRUM,Telebots,IRON VIKING,BlackEnergy (Group),Quedagh,Voodoo Bear,IRIDIUM\n\nDescription\n\nSandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.(Citation: US District Court Indictment GRU Oct 2018)\n\nTechniques Used\n\nSandworm Team has used the commercially available tool RemoteExec for agentless remote code execution.(Citation: Microsoft Prestige ransomware October 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|",
'Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.(Citation: ESET Telebots Dec 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows|T1003.003|NTDS|\n\nSandworm Team has used\n\nSandworm Team has used\n\nPrestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.(Citation: Microsoft Prestige ransomware October 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1584.005|Botnet|\n\nSandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.(Citation: NCSC Cyclops Blink February 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows|T1047|Windows Management Instrumentation|\n\nSandworm Team has used\n\nImpacket’s WMIexec module for remote code execution and VBScript to run WMI queries.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nSandworm Team has copied payloads to the\n\nSandworm Team has used\n\nPrestige ransomware--to an Active Directory Domain Controller and distributed via the Default Domain Group Policy Object.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,macOS,Linux|T1136.002|Domain Account|\n\nSandworm Team has created new domain accounts on an ICS access server.(Citation: Dragos Crashoverride 2018)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nSandworm Team has used webshells including',
'Sandworm Team has used webshells including\n\nP.A.S. Webshell to maintain access to victim networks.(Citation: ANSSI Sandworm January 2021)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1589.002|Email Addresses|\n\nSandworm Team has obtained valid email addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1589.003|Employee Names|\n\nSandworm Team\'s research of potential victim organizations included the identification and collection of employee information.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1598.003|Spearphishing Link|\n\nSandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1592.002|Software|\n\nSandworm Team has researched software code to enable supply-chain operations, most notably for the 2017\n\nNotPetya attack.\n\nSandworm Team also collected a list of computers using specific software as part of its targeting efforts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1593|Search Open Websites/Domains|\n\nSandworm Team researched Ukraine\'s unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the\n\nNotPetya attack.',
'Sandworm Team researched Ukraine\'s unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the\n\nNotPetya attack.\n\nSandworm Team has also researched third-party websites to help it craft credible spearphishing emails.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nSandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nSandworm Team has collected the username from a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nSandworm Team has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1591.002|Business Relationships|In preparation for its attack against the 2018 Winter Olympics,\n\nSandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1595.002|Vulnerability Scanning|',
"Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1588.006|Vulnerabilities|In 2017,\n\nSandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1588.002|Tool|\n\nSandworm Team has acquired open-source tools for their operations, including\n\nInvoke-PSImage, which was used to establish an encrypted channel from a compromised host to\n\nSandworm Team's C2 server in preparation for the 2018 Winter Olympics attack, as well as\n\nImpacket and RemoteExec, which were used in their 2022\n\nPrestige operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows|T1059.001|PowerShell|\n\nSandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nSandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|",
"Sandworm Team has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1594|Search Victim-Owned Websites|\n\nSandworm Team has conducted research against potential victim websites as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS|T1491.002|External Defacement|\n\nSandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1590.001|Domain Properties|\n\nSandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1499|Endpoint Denial of Service|\n\nSandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1583.004|Server|\n\nSandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1583.001|Domains|",
'Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nSandworm Team has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nSandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|\n\nSandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1585.002|Email Accounts|\n\nSandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1585.001|Social Media Accounts|\n\nSandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1587.001|Malware|\n\nSandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as',
"Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as\n\nNotPetya and\n\nOlympic Destroyer.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nSandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.(Citation: ESET Telebots Dec 2016)(Citation: Dragos Crashoverride 2018) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,Office 365,Google Workspace|T1087.003|Email Account|\n\nSandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nSandworm Team used a backdoor to enumerate information about the infected system's operating system.(Citation: ESET Telebots July 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows|T1218.011|Rundll32|\n\nSandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots July 2017) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|\n\nSandworm Team has distributed",
"Sandworm Team has distributed\n\nNotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.(Citation: Secureworks NotPetya June 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nSandworm Team has used port 6789 to accept connections on the group's SSH server.(Citation: ESET BlackEnergy Jan 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nSandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers.(Citation: US-CERT Ukraine Feb 2016)(Citation: Microsoft Prestige ransomware October 2022)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nSandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network.\n\nSandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots June 2017)(Citation: ANSSI Sandworm January 2021)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,macOS,Linux|T1059.005|Visual Basic|",
"Sandworm Team has created VBScripts to run an SSH server.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Dragos Crashoverride 2018) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nSandworm Team have used previously acquired legitimate credentials prior to attacks.(Citation: US-CERT Ukraine Feb 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1561.002|Disk Structure Wipe|\n\nSandworm Team has used the\n\nBlackEnergy KillDisk component to corrupt the infected system's master boot record.(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS|T1485|Data Destruction|\n\nSandworm Team has used the\n\nBlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces. (Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nSandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|",
"Sandworm Team has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|\n\nSandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor.\n\nSandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nSandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nSandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.(Citation: ESET Telebots Dec 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows|T1003.001|LSASS Memory|\n\nSandworm Team has used its plainpwd tool, a modified version of\n\nMimikatz, and comsvcs.dll to dump Windows credentials from system memory.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Microsoft Prestige ransomware October 2022) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|",
"Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network,IaaS|T1040|Network Sniffing|\n\nSandworm Team has used intercepter-NG to sniff passwords in network traffic.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nSandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nSandworm Team has sent system information to its C2 server using HTTP.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nSandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nSandworm Team has used backdoors that can delete files used in an attack from an infected system.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1071.001|Web Protocols|",
"Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nSandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nSandworm Team's BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server.(Citation: ESET Telebots Dec 2016) |\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nSandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).(Citation: iSight Sandworm Oct 2014)(Citation: TrendMicro Sandworm October 2014)(Citation: McAfee Sandworm November 2013)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nSandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.(Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|",
'Sandworm Team has used Base64 encoding within malware variants.(Citation: iSight Sandworm Oct 2014)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Control Server,Data Historian,Engineering Workstation,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server,Safety Instrumented System/Protection Relay|T0859|Valid Accounts|In the Ukraine 2015 Incident,\n\nSandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)(Citation: Dragos)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|None|T0884|Connection Proxy|\n\nSandworm Team establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. June 2017)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Engineering Workstation,Human-Machine Interface,Control Server,Data Historian|T0865|Spearphishing Attachment|In the Ukraine 2015 incident,\n\nSandworm Team sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Safety Instrumented System/Protection Relay,Field Controller/RTU/PLC/IED,Input/Output Server|T0857|System Firmware|In the Ukraine 2015 Incident,\n\nSandworm Team developed and used malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Field Controller/RTU/PLC/IED,Device Configuration/Parameters|T0803|Block Command Message|In the Ukraine 2015 Incident,',
'Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Field Controller/RTU/PLC/IED|T0816|Device Restart/Shutdown|In the 2015 attack on the Ukrainian power grid, the\n\nSandworm Team scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Human-Machine Interface|T0823|Graphical User Interface|In the Ukraine 2015 Incident,\n\nSandworm Team utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Field Controller/RTU/PLC/IED|T0855|Unauthorized Command Message|In the Ukraine 2015 Incident,\n\nSandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Control Server,Input/Output Server|T0822|External Remote Services|In the Ukraine 2015 Incident,',
"Sandworm Team harvested VPN worker credentials and used them to remotely log into control system networks. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) (Citation: Zetter, Kim March 2016) (Citation: ICS-CERT February 2016) (Citation: John Hultquist January 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Field Controller/RTU/PLC/IED,Input/Output Server,Device Configuration/Parameters|T0804|Block Reporting Message|In the Ukraine 2015 Incident,\n\nSandworm Team blocked reporting messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Human-Machine Interface|T0819|Exploit Public-Facing Application|\n\nSandworm Team actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)|\n|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Control Server,Data Historian,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server|T0807|Command-Line Interface|\n\nSandworm Team uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)|",
"Scarlet Mimic - G0029\n\nCreated: 2017-05-31T21:32:00.677Z\n\nModified: 2020-03-30T19:16:53.144Z\n\nContributors:\n\nAliases\n\nScarlet Mimic\n\nDescription\n\nScarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.002|Right-to-Left Override|Scarlet Mimic has used the right-to-left override (RTLO) character in self-extracting RAR archive spearphishing attachment file names.(Citation: Scarlet Mimic Jan 2016)|",
"SideCopy - G1008\n\nCreated: 2022-08-07T13:52:07.791Z\n\nModified: 2022-10-24T18:51:09.213Z\n\nContributors: Pooja Natarajan, NEC Corporation India,Hiroki Nagahama, NEC Corporation,Manikantan Srinivasan, NEC Corporation India\n\nAliases\n\nSideCopy\n\nDescription\n\nSideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)\n\nTechniques Used\n\nSideCopy has used compromised domains to host its malicious payloads.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nSideCopy has collected browser information from a compromised host.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|PRE|T1598.002|Spearphishing Attachment|\n\nSideCopy has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|PRE|T1584.001|Domains|\n\nSideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nSideCopy has identified the OS version of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,IaaS|T1614|System Location Discovery|",
'SideCopy has identified the country location of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nSideCopy has identified the IP address of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nSideCopy has utilized\n\nSideCopy has executed malware by calling the API function\n\nSideCopy has used a legitimate DLL file name,\n\nSideCopy has used a malicious loader DLL file to execute the\n\nSideCopy uses a loader DLL file to collect AV product names from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nSideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file via calling\n\nSideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nSideCopy has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.(Citation: MalwareBytes SideCopy Dec 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nSideCopy has sent spearphishing emails with malicious hta file attachments.(Citation: MalwareBytes SideCopy Dec 2021)|',
'Sidewinder - G0121\n\nCreated: 2021-01-27T15:57:11.183Z\n\nModified: 2023-03-22T05:31:54.382Z\n\nContributors: Lacework Labs,Daniyal Naeem, BT Security\n\nAliases\n\nSidewinder,T-APT-04,Rattlesnake\n\nDescription\n\nSidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)\n\nTechniques Used\n\nSidewinder has used base64 encoding for scripts.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nSidewinder has named malicious files\n\nSidewinder has lured targets to click on malicious links to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nSidewinder has used the Windows service\n\nSidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.005|Mshta|\n\nSidewinder has used',
'Sidewinder has used\n\nSidewinder has lured targets to click on malicious files to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nSidewinder has added paths to executables in the Registry to establish persistence.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nSidewinder has used tools to automatically collect system and network configuration information.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1020|Automated Exfiltration|\n\nSidewinder has configured tools to automatically send collected files to attacker controlled servers.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nSidewinder has used HTTP in C2 communications.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nSidewinder has used tools to enumerate software installed on an infected host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|',
"Sidewinder has used malware to collect information on files and directories.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nSidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nSidewinder has used malware to collect information on network interfaces, including the MAC address.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|\n\nSidewinder has used tools to obtain the current system time.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nSidewinder has used tools to identify running processes on the victim's machine.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nSidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nSidewinder has used tools to identify the user of a compromised host.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|",
"Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nSidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nSidewinder has used JavaScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nSidewinder has used PowerShell to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nSidewinder has used VBScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nSidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nSidewinder has used LNK files to download remote files to the victim's network.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|",
'Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.(Citation: ATT Sidewinder January 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nSidewinder has sent e-mails with malicious links often crafted for specific targets.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|PRE|T1598.002|Spearphishing Attachment|\n\nSidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)|\n|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|\n\nSidewinder has sent e-mails with malicious links to credential harvesting websites.(Citation: ATT Sidewinder January 2021)|',
"Silence - G0091\n\nCreated: 2019-05-24T17:57:36.491Z\n\nModified: 2023-03-22T05:34:46.346Z\n\nContributors: Oleg Skulkin, Group-IB\n\nAliases\n\nSilence,Whisper Spider\n\nDescription\n\nSilence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)\n\nTechniques Used\n\nSilence has obtained and modified versions of publicly-available tools like\n\nEmpire and\n\nPsExec.(Citation: Group IB Silence Aug 2019) (Citation: SecureList Silence Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nSilence has used port 444 when sending data about the system from the client to the server.(Citation: Group IB Silence Sept 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.002|External Proxy|\n\nSilence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\\Socks5.(Citation: Group IB Silence Sept 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1072|Software Deployment Tools|\n\nSilence has used RAdmin, a remote software tool used to remotely control workstations and ATMs.(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nSilence has injected a DLL library containing a Trojan into the fwmain32.exe process.(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nSilence has used",
'Silence has used\n\nSilence has downloaded additional modules and malware to victim’s machines.(Citation: Group IB Silence Sept 2018) |\n|mitre-attack|enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nSilence has used RDP for lateral movement.(Citation: Group IB Silence Sept 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nSilence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.(Citation: Group IB Silence Sept 2018) |\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nSilence has used the Farse6.1 utility (based on\n\nMimikatz) to extract credentials from lsass.exe.(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nSilence can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nSilence has named its backdoor "WINWORD.exe".(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nSilence has used compromised credentials to log on to other systems and escalate privileges.(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nSilence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).(Citation: Group IB Silence Aug 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|',
'Silence has used PowerShell to download and execute payloads.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nSilence has used JS scripts.(Citation: Cyber Forensicator Silence Jan 2019)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nSilence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nSilence has used scheduled tasks to stage its operation.(Citation: Cyber Forensicator Silence Jan 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nSilence has used VBS scripts.(Citation: Cyber Forensicator Silence Jan 2019)|\n|mitre-attack|enterprise-attack|Windows|T1569.002|Service Execution|\n\nSilence has used\n\nWinexe to install a service on the remote system.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nSilence has used Windows command-line to run commands.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nSilence attempts to get users to launch malicious attachments delivered via spearphishing emails.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows|T1218.001|Compiled HTML File|',
'Silence has weaponized CHM files in their phishing campaigns.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Aug 2019)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nSilence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nSilence has used environment variable string substitution for obfuscation.(Citation: Cyber Forensicator Silence Jan 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nSilence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: Group IB Silence Sept 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|\n\nSilence can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1125|Video Capture|\n\nSilence has been observed making videos of victims to observe bank employees day to day activities.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)|',
"Silent Librarian - G0122\n\nCreated: 2021-02-03T16:36:38.145Z\n\nModified: 2021-04-21T12:02:00.278Z\n\nContributors:\n\nAliases\n\nSilent Librarian,TA407,COBALT DICKENS\n\nDescription\n\nSilent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)\n\nTechniques Used\n\nSilent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns.\n\nSilent Librarian has also made use of a variety of URL shorteners for these staged websites.(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nSilent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)|\n|mitre-attack|enterprise-attack|PRE|T1588.004|Digital Certificates|\n\nSilent Librarian has obtained free Let's Encrypt SSL certificates for use on their phishing pages.(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS September 2019)|\n|mitre-attack|enterprise-attack|PRE|T1585.002|Email Accounts|",
'Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|Windows,Office 365,Google Workspace,macOS,Linux|T1114|Email Collection|\n\nSilent Librarian has exfiltrated entire mailboxes from compromised accounts.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|Office 365,Windows,Google Workspace,macOS,Linux|T1114.003|Email Forwarding Rule|\n\nSilent Librarian has set up auto forwarding rules on compromised e-mail accounts.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|\n\nSilent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|PRE|T1589.003|Employee Names|\n\nSilent Librarian has collected lists of names for individuals from targeted organizations.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|\n\nSilent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nSilent Librarian has used compromised credentials to obtain unauthorized access to online accounts.(Citation: DOJ Iran Indictments March 2018)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|',
"Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020)|\n|mitre-attack|enterprise-attack|PRE|T1594|Search Victim-Owned Websites|\n\nSilent Librarian has searched victim's websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Proofpoint TA407 September 2019)|\n|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|\n\nSilent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page.(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Secureworks COBALT DICKENS August 2018)(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)(Citation: Malwarebytes Silent Librarian October 2020)|",
'SilverTerrier - G0083\n\nCreated: 2019-01-29T21:36:59.793Z\n\nModified: 2020-05-19T23:26:11.780Z\n\nContributors:\n\nAliases\n\nSilverTerrier\n\nDescription\n\nSilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.002|File Transfer Protocols|SilverTerrier uses FTP for C2 communications.(Citation: Unit42 SilverTerrier 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|SilverTerrier uses HTTP for C2 communications.(Citation: Unit42 SilverTerrier 2018) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.003|Mail Protocols|SilverTerrier uses SMTP for C2 communications.(Citation: Unit42 SilverTerrier 2018)|',
'Sowbug - G0054\n\nCreated: 2018-01-16T16:13:52.465Z\n\nModified: 2020-03-30T02:46:16.483Z\n\nContributors: Alan Neville, @abnev\n\nAliases\n\nSowbug\n\nDescription\n\nSowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nTechniques Used\n\nSowbug has used keylogging tools.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nSowbug has used command line during its intrusions.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1039|Data from Network Shared Drive|\n\nSowbug extracted Word documents from a file server on a victim network.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nSowbug extracted documents and bundled them into a RAR archive.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nSowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory\n\nSowbug obtained OS version and hardware configuration from a victim.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|',
'Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nSowbug listed remote shared drives that were accessible from a victim.(Citation: Symantec Sowbug Nov 2017)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nSowbug has used credential dumping tools.(Citation: Symantec Sowbug Nov 2017)|',
'Stealth Falcon - G0038\n\nCreated: 2017-05-31T21:32:06.390Z\n\nModified: 2020-11-23T18:57:19.208Z\n\nContributors:\n\nAliases\n\nStealth Falcon\n\nDescription\n\nStealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)\n\nTechniques Used\n\nStealth Falcon malware gathers passwords from the Windows Credential Vault.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nStealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nStealth Falcon malware gathers a list of running processes.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nStealth Falcon malware gathers data from the local victim system.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nStealth Falcon malware uses WMI to script data collection and command execution on the victim.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|\n\nStealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|After data is collected by',
'Stealth Falcon malware, it is exfiltrated over the existing C2 channel.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nStealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|\n\nStealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nStealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nStealth Falcon malware communicates with its C2 server via HTTPS.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nStealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1047|Windows Management Instrumentation|\n\nStealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nStealth Falcon malware gathers the registered user and primary owner name via WMI.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|',
'Stealth Falcon malware gathers the registered user and primary owner name via WMI.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|\n\nStealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.(Citation: Citizen Lab Stealth Falcon May 2016)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nStealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.(Citation: Citizen Lab Stealth Falcon May 2016)|',
'Strider - G0041\n\nCreated: 2017-05-31T21:32:07.541Z\n\nModified: 2020-06-29T01:43:19.374Z\n\nContributors:\n\nAliases\n\nStrider,ProjectSauron\n\nDescription\n\nStrider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1564.005|Hidden File System|Strider has used a hidden file system that is stored as a file on disk.(Citation: Kaspersky ProjectSauron Full Report)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.001|Internal Proxy|Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.(Citation: Kaspersky ProjectSauron Blog)|\n|mitre-attack|enterprise-attack|Windows|T1556.002|Password Filter DLL|Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.(Citation: Kaspersky ProjectSauron Full Report)|',
"Suckfly - G0039\n\nCreated: 2017-05-31T21:32:06.777Z\n\nModified: 2022-04-15T16:27:38.682Z\n\nContributors:\n\nAliases\n\nSuckfly\n\nDescription\n\nSuckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|Several tools used by Suckfly have been command-line driven.(Citation: Symantec Suckfly May 2016)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open.(Citation: Symantec Suckfly May 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|Suckfly used a signed credential-dumping tool to obtain victim account credentials.(Citation: Symantec Suckfly May 2016)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|Suckfly has used stolen certificates to sign its malware.(Citation: Symantec Suckfly March 2016)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.(Citation: Symantec Suckfly May 2016)|",
'TA459 - G0062\n\nCreated: 2018-04-18T17:59:24.739Z\n\nModified: 2020-03-30T19:22:32.962Z\n\nContributors: Valerii Marchuk, Cybersecurity Help s.r.o.\n\nAliases\n\nTA459\n\nDescription\n\nTA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|TA459 has used PowerShell for execution of a payload.(Citation: Proofpoint TA459 April 2017)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.(Citation: Proofpoint TA459 April 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.(Citation: Proofpoint TA459 April 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|TA459 has a VBScript for execution.(Citation: Proofpoint TA459 April 2017)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.(Citation: Proofpoint TA459 April 2017)|',
'TA505 - G0092\n\nCreated: 2019-05-28T15:54:17.213Z\n\nModified: 2023-03-22T05:38:20.381Z\n\nContributors:\n\nAliases\n\nTA505,Hive0065\n\nDescription\n\nTA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)\n\nTechniques Used\n\nTA505 has used base64 encoded PowerShell commands.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nTA505 has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nTA505 has staged malware on actor-controlled domains.(Citation: Korean FSI TA505 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nTA505 has deployed payloads that use Windows API calls on a compromised host.(Citation: Korean FSI TA505 2020)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nTA505 has used malware such as\n\nAzorult and\n\nCobalt Strike in their operations.(Citation: NCC Group TA505)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nTA505 has used a variety of tools in their operations, including\n\nAdFind,\n\nBloodHound,\n\nMimikatz, and',
'TA505 has used a variety of tools in their operations, including\n\nAdFind,\n\nBloodHound,\n\nMimikatz, and\n\nPowerSploit.(Citation: NCC Group TA505)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nTA505 has decrypted packed DLLs with an XOR key.(Citation: NCC Group TA505)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|\n\nTA505 has used malware to disable Windows Defender through modification of the Registry.(Citation: Korean FSI TA505 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nTA505 has registered domains to impersonate services such as Dropbox to distribute malware.(Citation: Korean FSI TA505 2020)|\n|mitre-attack|enterprise-attack|Windows|T1553.005|Mark-of-the-Web Bypass|\n\nTA505 has used .iso files to deploy malicious .lnk files.(Citation: TrendMicro TA505 Aug 2019)|\n|mitre-attack|enterprise-attack|Windows|T1055.001|Dynamic-link Library Injection|\n\nTA505 has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nTA505 has used HTTP to communicate with C2 nodes.(Citation: IBM TA505 April 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nTA505 has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|\n\nTA505 has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1069|Permission Groups Discovery|',
'TA505 has used TinyMet to enumerate members of privileged groups.(Citation: IBM TA505 April 2020)\n\nTA505 has also run\n\nTA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.(Citation: Trend Micro TA505 June 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1568.001|Fast Flux DNS|\n\nTA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.(Citation: Trend Micro TA505 June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nTA505 has executed commands using\n\nTA505 has used JavaScript for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nTA505 has used lures to get users to click links in emails and attachments. For example,\n\nTA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nTA505 has used malware to gather credentials from Internet Explorer.(Citation: Proofpoint TA505 Sep 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'TA505 has downloaded additional malware to execute on victim systems.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: ProofPoint SettingContent-ms July 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nTA505 has signed payloads with code signing certificates from Thawte and Sectigo.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: Trend Micro TA505 June 2019)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nTA505 has leveraged\n\nTA505 has used\n\nTA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example,\n\nTA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nTA505 has password-protected malicious Word documents.(Citation: Proofpoint TA505 Sep 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nTA505 has used malware to gather credentials from FTP clients and Outlook.(Citation: Proofpoint TA505 Sep 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS|T1486|Data Encrypted for Impact|\n\nTA505 has used a wide variety of ransomware, such as',
'TA505 has used a wide variety of ransomware, such as\n\nClop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.(Citation: Proofpoint TA505 Sep 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nTA505 has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Trend Micro TA505 June 2019)(Citation: IBM TA505 April 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nTA505 has used PowerShell to download and execute malware and reconnaissance scripts.(Citation: Proofpoint TA505 Sep 2017)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nTA505 has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)|\n|mitre-attack|enterprise-attack|Windows|T1559.002|Dynamic Data Exchange|\n\nTA505 has leveraged malicious Word documents that abused DDE.(Citation: Proofpoint TA505 June 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|',
'TA505 has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)|',
'TA551 - G0127\n\nCreated: 2021-03-19T21:04:00.692Z\n\nModified: 2023-03-22T05:40:21.255Z\n\nContributors: Shuhei Sasada, Cyber Defense Institute, Inc,Ryo Tamura, SecureBrain Corporation,Shotaro Hamamoto, NEC Solution Innovators, Ltd,Yusuke Niwa, ITOCHU Corporation,Takuma Matsumoto, LAC Co., Ltd\n\nAliases\n\nTA551,GOLD CABIN,Shathak\n\nDescription\n\nTA551 is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)\n\nTechniques Used\n\nTA551 has used mshta.exe to execute malicious payloads.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nTA551 has prompted users to enable macros within spearphishing attachments to install malware.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nTA551 has sent spearphishing attachments with password protected ZIP files.(Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nTA551 has used\n\nTA551 has used a DGA to generate URLs from executed macros.(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)|\n|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|',
'TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nTA551 has retrieved DLLs and installer binaries for malware execution from C2.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|\n\nTA551 has hidden encoded data for malware DLLs in a PNG.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nTA551 has used HTTP for C2 communications.(Citation: Unit 42 Valak July 2020)|\n|mitre-attack|enterprise-attack|Windows|T1218.011|Rundll32|\n\nTA551 has used rundll32.exe to load malicious DLLs.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|\n\nTA551 has used regsvr32.exe to load malicious DLLs.(Citation: Unit 42 Valak July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nTA551 has used encoded ASCII text for initial C2 communications.(Citation: Unit 42 Valak July 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nTA551 has masked malware DLLs as dat and jpg files.(Citation: Unit 42 TA551 Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nTA551 has used obfuscated variable names in a JavaScript configuration file.(Citation: Unit 42 Valak July 2020)|',
'TeamTNT - G0139\n\nCreated: 2021-10-01T01:57:31.229Z\n\nModified: 2022-10-19T21:35:03.147Z\n\nContributors: Will Thomas, Cyjax,Darin Smith, Cisco\n\nAliases\n\nTeamTNT\n\nDescription\n\nTeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)\n\nTechniques Used\n\nTeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1569|System Services|\n\nTeamTNT has created system services to execute cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nTeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nTeamTNT has used a script that checks\n\nTeamTNT has sent locally staged files with collected credentials to C2 servers using cURL.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|',
"TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nTeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1120|Peripheral Device Discovery|\n\nTeamTNT has searched for attached VGA devices using lspci.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nTeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nTeamTNT has disguised their scripts with docker-related file names.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1552.004|Private Keys|\n\nTeamTNT has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nTeamTNT has the\n\nTeamTNT has developed custom malware such as\n\nHildegard.(Citation: Unit 42 Hildegard Malware)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers|T1611|Escape to Host|\n\nTeamTNT has deployed privileged containers that mount the filesystem of victim machine.(Citation: Intezer TeamTNT September 2020)(Citation: Aqua TeamTNT August 2020)|\n|mitre-attack|enterprise-attack|Containers|T1609|Container Administration Command|\n\nTeamTNT executed",
'TeamTNT executed\n\nHildegard through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nTeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.(Citation: Intezer TeamTNT September 2020)(Citation: Cisco Talos Intelligence Group)\n\nTeamTNT has also targeted exposed kubelets for Kubernetes environments.(Citation: Unit 42 Hildegard Malware)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nTeamTNT has used SSH to connect back to victim machines.(Citation: Intezer TeamTNT September 2020)\n\nTeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1496|Resource Hijacking|\n\nTeamTNT has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citation: Cado Security TeamTNT Worm August 2020)\n\nTeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nTeamTNT has uploaded backdoored Docker images to Docker Hub.(Citation: Lacework TeamTNT May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1136.001|Local Account|\n\nTeamTNT has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|',
'TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Cisco Talos Intelligence Group)\n\nTeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.(Citation: Palo Alto Black-T October 2020)|\n|mitre-attack|enterprise-attack|IaaS,Containers|T1204.003|Malicious Image|\n\nTeamTNT has relied on users to download and execute malicious Docker images.(Citation: Lacework TeamTNT May 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers|T1552.001|Credentials In Files|\n\nTeamTNT has searched for unsecured AWS credentials and Docker API credentials.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nTeamTNT has established tmate sessions for C2 communications.(Citation: Unit 42 Hildegard Malware)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nTeamTNT has obtained domains to host their payloads.(Citation: Palo Alto Black-T October 2020)|\n|mitre-attack|enterprise-attack|Containers|T1610|Deploy Container|\n\nTeamTNT has deployed different types of containers into victim environments to facilitate execution.(Citation: Intezer TeamTNT September 2020)(Citation: Trend Micro TeamTNT)\n\nTeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nTeamTNT has the',
'TeamTNT has the\n\nTeamTNT has also used a custom user agent HTTP header in shell scripts.(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1070.003|Clear Command History|\n\nTeamTNT has cleared command history with\n\nTeamTNT has run\n\nTeamTNT has also used\n\nTeamTNT has checked for running containers with\n\nTeamTNT has also searched for Kubernetes pods running in a local network.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|PRE|T1595.001|Scanning IP Blocks|\n\nTeamTNT has scanned specific lists of target IP addresses.(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|IaaS|T1552.005|Cloud Instance Metadata API|\n\nTeamTNT has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux|T1543.002|Systemd Service|\n\nTeamTNT has established persistence through the creation of a cryptocurrency mining system service using\n\nTeamTNT has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nTeamTNT has searched for rival malware and removes it if found.(Citation: Trend Micro TeamTNT)\n\nTeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|PRE|T1595.002|Vulnerability Scanning|\n\nTeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|macOS,Linux|T1222.002|Linux and Mac File and Directory Permissions Modification|\n\nTeamTNT has modified the permissions on binaries with',
'TeamTNT has modified the permissions on binaries with\n\nTeamTNT has enumerated the host machine’s IP address.(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1014|Rootkit|\n\nTeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.(Citation: Trend Micro TeamTNT) (Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nTeamTNT has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|macOS,Linux|T1059.004|Unix Shell|\n\nTeamTNT has used shell scripts for execution.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nTeamTNT has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071|Application Layer Protocol|\n\nTeamTNT has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nTeamTNT has used batch scripts to download tools and executing cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nTeamTNT has executed PowerShell commands in batch scripts.(Citation: ATT TeamTNT Chimaera September 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|',
'TeamTNT has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nTeamTNT has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nTeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nTeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nTeamTNT has used a payload that removes itself after running.\n\nTeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS,IaaS,Network|T1098.004|SSH Authorized Keys|\n\nTeamTNT has added RSA keys in\n\nTeamTNT has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)|\n|mitre-attack|enterprise-attack|Linux,macOS|T1070.002|Clear Linux or Mac System Logs|\n\nTeamTNT has removed system logs from\n\nTeamTNT has disabled',
'TEMP.Veles - G0088\n\nCreated: 2019-04-16T15:14:38.533Z\n\nModified: 2022-11-30T22:46:40.135Z\n\nContributors: Dragos Threat Intelligence\n\nAliases\n\nTEMP.Veles,XENOTIME\n\nDescription\n\nTEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)\n\nTechniques Used\n\nTEMP.Veles has obtained and used tools such as\n\nMimikatz and\n\nPsExec.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|PRE|T1583.003|Virtual Private Server|\n\nTEMP.Veles has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS,Windows|T1571|Non-Standard Port|\n\nTEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|\n\nTEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.(Citation: FireEye TEMP.Veles 2018)|\n|mitre-attack|ics-attack,enterprise-attack|Windows|T1059.001|PowerShell|\n\nTEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018) The group has also used PowerShell to perform',
'TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018) The group has also used PowerShell to perform\n\nTimestomping.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nTEMP.Veles has planted Web shells on Outlook Exchange servers.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nTEMP.Veles has used a VPN to persist in the victim environment.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nTEMP.Veles utilized RDP throughout an operation.(Citation: FireEye TRITON 2019) |\n|mitre-attack|ics-attack,enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nTEMP.Veles has used compromised VPN accounts.(Citation: FireEye TRITON 2019) |\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS|T1021.004|SSH|\n\nTEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nTEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|',
'TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS,Windows|T1070.006|Timestomp|\n\nTEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Windows|T1053.005|Scheduled Task|\n\nTEMP.Veles has used scheduled task XML triggers.(Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Windows|T1546.012|Image File Execution Options Injection|\n\nTEMP.Veles has modified and added entries within\n\nTEMP.Veles has used\n\nMimikatz and a custom tool, SecHack, to harvest credentials. (Citation: FireEye TRITON 2019)|\n|mitre-attack|ics-attack,enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nTEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.(Citation: FireEye TRITON 2019)\n|\n|mitre-attack|ics-attack,enterprise-attack|Engineering Workstation,Human-Machine Interface,Control Server|T0886|Remote Services|\n\nTEMP.Veles utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. (Citation: Dragos December 2017)|\n|mitre-attack|ics-attack,enterprise-attack|Control Server,Data Historian,Engineering Workstation,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server,Safety Instrumented System/Protection Relay|T0859|Valid Accounts|',
'TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment. (Citation: Dragos December 2017)|\n|mitre-attack|ics-attack,enterprise-attack|Control Server,Data Historian,Field Controller/RTU/PLC/IED,Human-Machine Interface,Input/Output Server,Safety Instrumented System/Protection Relay|T0862|Supply Chain Compromise|\n\nTEMP.Veles targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)|\n|mitre-attack|ics-attack,enterprise-attack|None|T0817|Drive-by Compromise|\n\nTEMP.Veles utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)|',
'The White Company - G0089\n\nCreated: 2019-05-02T00:08:18.314Z\n\nModified: 2020-03-30T19:24:52.290Z\n\nContributors:\n\nAliases\n\nThe White Company\n\nDescription\n\nThe White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)\n\nTechniques Used\n\nThe White Company has sent phishing emails with malicious Microsoft Word attachments to victims.(Citation: Cylance Shaheen Nov 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nThe White Company has used phishing lure documents that trick users into opening them and infecting their computers.(Citation: Cylance Shaheen Nov 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nThe White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code.(Citation: Cylance Shaheen Nov 2018)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|\n\nThe White Company has obfuscated their payloads through packing.(Citation: Cylance Shaheen Nov 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nThe White Company has the ability to delete its malware entirely from the target system.(Citation: Cylance Shaheen Nov 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|',
'The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.(Citation: Cylance Shaheen Nov 2018)|\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|\n\nThe White Company has checked the current date on the victim system.(Citation: Cylance Shaheen Nov 2018)|',
"Threat Group-1314 - G0028\n\nCreated: 2017-05-31T21:31:59.120Z\n\nModified: 2020-03-19T21:58:20.831Z\n\nContributors:\n\nAliases\n\nThreat Group-1314,TG-1314\n\nDescription\n\nThreat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.(Citation: Dell TG-1314)|\n|mitre-attack|enterprise-attack|Windows|T1021.002|SMB/Windows Admin Shares|Threat Group-1314 actors mapped network drives using net use.(Citation: Dell TG-1314)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.(Citation: Dell TG-1314)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1072|Software Deployment Tools|Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.(Citation: Dell TG-1314)|",
'Threat Group-3390 - G0027\n\nCreated: 2017-05-31T21:31:58.518Z\n\nModified: 2023-03-29T16:53:17.235Z\n\nContributors: Daniyal Naeem, BT Security,Kyaw Pyiyt Htet, @KyawPyiytHtet\n\nAliases\n\nThreat Group-3390,Earth Smilodon,TG-3390,Emissary Panda,BRONZE UNION,APT27,Iron Tiger,LuckyMouse\n\nDescription\n\nThreat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)\n\nTechniques Used\n\nThreat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.(Citation: Lunghi Iron Tiger Linux)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nThreat Group-3390 has registered domains for C2.(Citation: Lunghi Iron Tiger Linux)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|\n\nThreat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server.(Citation: Trend Micro Iron Tiger April 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.005|Password Managers|\n\nThreat Group-3390 obtained a KeePass database from a compromised host.(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|',
"Threat Group-3390 has used\n\nThreat Group-3390 has packed malware and tools, including using VMProtect.(Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021)|\n|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|\n\nThreat Group-3390 has hosted malicious payloads on Dropbox.(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nThreat Group-3390 has exfiltrated stolen data to Dropbox.(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|\n\nThreat Group-3390 has compromised the Able Desktop installer to gain access to victim's environments.(Citation: Trend Micro Iron Tiger April 2021)|\n|mitre-attack|enterprise-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|\n\nThreat Group-3390 has compromised third party service providers to gain access to victim's environments.(Citation: Profero APT27 December 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nThreat Group-3390 has used e-mail to deliver malicious attachments to victims.(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nThreat Group-3390 has lured victims into opening malicious files containing malware.(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nThreat Group-3390 has obtained and used tools such as\n\nImpacket,\n\npwdump,\n\nMimikatz,\n\ngsecdump,\n\nNBTscan, and",
"Threat Group-3390 has obtained and used tools such as\n\nImpacket,\n\npwdump,\n\nMimikatz,\n\ngsecdump,\n\nNBTscan, and\n\nWindows Credential Editor.(Citation: Unit42 Emissary Panda May 2019)(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|PRE|T1608.002|Upload Tool|\n\nThreat Group-3390 has staged tools, including\n\ngsecdump and WCE, on previously compromised websites.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|PRE|T1608.004|Drive-by Target|\n\nThreat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.(Citation: Gallagher 2015)|\n|mitre-attack|enterprise-attack|Windows|T1003.002|Security Account Manager|\n\nThreat Group-3390 actors have used\n\ngsecdump to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nThreat Group-3390 actors have used a modified version of\n\nMimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nThreat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with\n\nChina Chopper prior to exfiltration.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|",
"Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor.(Citation: Trend Micro Iron Tiger April 2021)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nThreat Group-3390 has exploited MS17-010 to move laterally to other systems on the network.(Citation: Unit42 Emissary Panda May 2019) |\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nThreat Group-3390 has used a variety of Web shells.(Citation: Unit42 Emissary Panda May 2019)|\n|mitre-attack|enterprise-attack|Windows|T1548.002|Bypass User Account Control|A\n\nThreat Group-3390 tool can use a public UAC bypass method to elevate privileges.(Citation: Nccgroup Emissary Panda May 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|A\n\nThreat Group-3390 tool can encrypt payloads using XOR.\n\nThreat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)|\n|mitre-attack|enterprise-attack|Windows|T1055.012|Process Hollowing|A\n\nThreat Group-3390 tool can spawn\n\nThreat Group-3390 tool has created new Registry keys under\n\nThreat Group-3390 tool can read and decrypt stored Registry values.(Citation: Nccgroup Emissary Panda May 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nThreat Group-3390's malware can add a Registry key to",
"Threat Group-3390's malware can add a Registry key to\n\nThreat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Lunghi Iron Tiger Linux)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nThreat Group-3390 has used the\n\nThreat Group-3390 tool can use WMI to execute a binary.(Citation: Nccgroup Emissary Panda May 2018)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nThreat Group-3390 has performed DLL search order hijacking to execute their payload.(Citation: Nccgroup Emissary Panda May 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|During execution,\n\nThreat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Securelist LuckyMouse June 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nThreat Group-3390 has extensively used strategic web compromises to target victims.(Citation: Dell TG-3390)(Citation: Securelist LuckyMouse June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nThreat Group-3390 malware has used HTTP for C2.(Citation: Securelist LuckyMouse June 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|",
"Threat Group-3390 malware has used HTTP for C2.(Citation: Securelist LuckyMouse June 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nThreat Group-3390 has used command-line interfaces for execution.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Unit42 Emissary Panda May 2019)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nThreat Group-3390 has used\n\nThreat Group-3390 has used\n\nThreat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Profero APT27 December 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|\n\nThreat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nThreat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|Windows|T1070.005|Network Share Connection Removal|\n\nThreat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nThreat Group-3390 actors use\n\nNBTscan to discover vulnerable systems.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|",
"Threat Group-3390 actors use\n\nNBTscan to discover vulnerable systems.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nThreat Group-3390 has used PowerShell for execution.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020)|\n|mitre-attack|enterprise-attack|Windows|T1021.006|Windows Remote Management|\n\nThreat Group-3390 has used WinRM to enable remote execution.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1562.002|Disable Windows Event Logging|\n\nThreat Group-3390 has used appcmd.exe to disable logging on a victim server.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nThreat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.002|Archive via Library|\n\nThreat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1030|Data Transfer Size Limits|\n\nThreat Group-3390 actors have split RAR files for exfiltration into parts.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nThreat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.(Citation: Dell TG-3390)",
'Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.(Citation: Dell TG-3390)\n\nThreat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|\n\nThreat Group-3390 has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nThreat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nThreat Group-3390 has downloaded additional malware and tools, including through the use of\n\nThreat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.(Citation: Dell TG-3390)(Citation: Unit42 Emissary Panda May 2019)|\n|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|\n\nThreat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as\n\nThreat Group-3390 actors use\n\nat to schedule tasks to run self-extracting RAR archives, which install\n\nHTTPBrowser or\n\nPlugX on other victims on a network.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|Windows|T1003.004|LSA Secrets|\n\nThreat Group-3390 actors have used',
'Threat Group-3390 actors have used\n\ngsecdump to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nThreat Group-3390 actors installed a credential logger on Microsoft Exchange servers.\n\nThreat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.(Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018)(Citation: Securelist LuckyMouse June 2018)|',
'Thrip - G0076\n\nCreated: 2018-10-17T00:14:20.652Z\n\nModified: 2021-10-12T20:13:42.274Z\n\nContributors:\n\nAliases\n\nThrip\n\nDescription\n\nThrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. (Citation: Symantec Thrip June 2018)\n\nTechniques Used\n\nThrip has obtained and used tools such as\n\nMimikatz and\n\nPsExec.(Citation: Symantec Thrip June 2018)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1219|Remote Access Software|\n\nThrip used a cloud-based remote access software called LogMeIn for their attacks.(Citation: Symantec Thrip June 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|\n\nThrip has used WinSCP to exfiltrate data from a targeted organization over FTP.(Citation: Symantec Thrip June 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nThrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.(Citation: Symantec Thrip June 2018)|',
'Tonto Team - G0131\n\nCreated: 2021-05-05T17:18:25.987Z\n\nModified: 2022-01-27T17:51:41.433Z\n\nContributors:\n\nAliases\n\nTonto Team,Earth Akhlut,BRONZE HUNTLEY,CactusPete,Karma Panda\n\nDescription\n\nTonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)\n\nTechniques Used\n\nTonto Team has routed their traffic through an external server in order to obfuscate their location.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nTonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1135|Network Share Discovery|\n\nTonto Team has used tools such as\n\nNBTscan to enumerate network shares.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|',
'NBTscan to enumerate network shares.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1003|OS Credential Dumping|\n\nTonto Team has used a variety of credential dumping tools.(Citation: TrendMicro Tonto Team October 2020) |\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nTonto Team has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020) |\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nTonto Team has used keylogging tools in their operations.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nTonto Team has used EternalBlue exploits for lateral movement.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1069.001|Local Groups|\n\nTonto Team has used the\n\nTonto Team has used a first stage web shell after compromising a vulnerable Exchange server.(Citation: ESET Exchange Mar 2021)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nTonto Team has used PowerShell to download additional payloads.(Citation: ESET Exchange Mar 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nTonto Team has downloaded malicious DLLs which served as a\n\nShadowPad loader.(Citation: ESET Exchange Mar 2021)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nTonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exchange Mar 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|',
'Tonto Team has delivered payloads via spearphishing attachments.(Citation: TrendMicro Tonto Team October 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nTonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads.(Citation: Kaspersky CactusPete Aug 2020)(Citation: TrendMicro Tonto Team October 2020)(Citation: Talos Bisonal Mar 2020)(Citation: Talos Bisonal 10 Years March 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nTonto Team has relied on user interaction to open their malicious RTF documents.(Citation: TrendMicro Tonto Team October 2020)(Citation: Talos Bisonal Mar 2020) |',
'Transparent Tribe - G0134\n\nCreated: 2021-09-02T15:14:33.738Z\n\nModified: 2022-09-22T20:27:21.053Z\n\nContributors: Manikantan Srinivasan, NEC Corporation India,Pooja Natarajan, NEC Corporation India,Hiroki Nagahama, NEC Corporation\n\nAliases\n\nTransparent Tribe,COPPER FIELDSTONE,APT36,Mythic Leopard,ProjectM\n\nDescription\n\nTransparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)\n\nTechniques Used\n\nTransparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with\n\nCrimson,\n\nnjRAT, and other malicious tools.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nTransparent Tribe has embedded links to malicious downloads in e-mails.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nTransparent Tribe has directed users to open URLs hosting malicious content.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nTransparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.(Citation: Kaspersky Transparent Tribe August 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|',
'Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.(Citation: Kaspersky Transparent Tribe August 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1568|Dynamic Resolution|\n\nTransparent Tribe has used dynamic DNS services to set up C2.(Citation: Proofpoint Operation Transparent Tribe March 2016)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nTransparent Tribe has crafted VBS-based malicious documents.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nTransparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Talos Transparent Tribe May 2021)|\n|mitre-attack|enterprise-attack|PRE|T1584.001|Domains|\n\nTransparent Tribe has compromised domains for use in targeted malicious campaigns.(Citation: Proofpoint Operation Transparent Tribe March 2016)|\n|mitre-attack|enterprise-attack|PRE|T1608.004|Drive-by Target|\n\nTransparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with\n\nCrimson,\n\nnjRAT, and other malicious tools.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nTransparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|\n\nTransparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.(Citation: Proofpoint Operation Transparent Tribe March 2016)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nTransparent Tribe has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)|',
"Tropic Trooper - G0081\n\nCreated: 2019-01-29T20:17:48.717Z\n\nModified: 2021-04-26T14:15:15.610Z\n\nContributors: Edward Millington,Bart Parys\n\nAliases\n\nTropic Trooper,Pirate Panda,KeyBoy\n\nDescription\n\nTropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)\n\nTechniques Used\n\nTropic Trooper has deleted dropper files on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1049|System Network Connections Discovery|\n\nTropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nTropic Trooper has used Windows command scripts.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nTropic Trooper has used scripts to collect the host's network topology.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nTropic Trooper has detected a target system’s OS version and system volume information.(Citation: TrendMicro TropicTrooper 2015)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,IaaS,SaaS|T1119|Automated Collection|",
"Tropic Trooper has collected information automatically using the adversary's\n\nUSBferry attack.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nTropic Trooper has monitored files' modified time.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1052.001|Exfiltration over USB|\n\nTropic Trooper has exfiltrated data using USB storage devices.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1020|Automated Exfiltration|\n\nTropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nTropic Trooper has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nTropic Trooper has hidden payloads in Flash directories and fake installer files.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nTropic Trooper's backdoor could list the infected system's installed software.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.004|DNS|",
"Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1573|Encrypted Channel|\n\nTropic Trooper has encrypted traffic with the C2 to prevent network detection.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nTropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nTropic Trooper has started a web service in the target host and wait for the adversary to connect, acting as a web shell.(Citation: TrendMicro Tropic Trooper May 2020) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1132.001|Standard Encoding|\n\nTropic Trooper has used base64 encoding to hide command strings delivered from the C2.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1091|Replication Through Removable Media|\n\nTropic Trooper has attempted to transfer\n\nUSBferry from an infected USB device by copying an Autorun function to the target machine.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nTropic Trooper has used a delivered trojan to download additional files.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.003|Steganography|",
'Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nTropic Trooper has created shortcuts in the Startup folder to establish persistence.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nTropic Trooper has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nTropic Trooper has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali Pirate Panda April 2020)|\n|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|\n\nTropic Trooper has installed a service pointing to a malicious DLL dropped to disk.(Citation: PWC KeyBoys Feb 2017)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nTropic Trooper used\n\nTropic Trooper used\n\nTropic Trooper used\n\nTropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: Anomali Pirate Panda April 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|',
'Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)|\n|mitre-attack|enterprise-attack|Windows|T1055.001|Dynamic-link Library Injection|\n\nTropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nTropic Trooper has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1573.002|Asymmetric Cryptography|\n\nTropic Trooper has used SSL to connect to C2 servers.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nTropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro TropicTrooper 2015)(Citation: CitizenLab Tropic Trooper Aug 2018)(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1564.001|Hidden Files and Directories|\n\nTropic Trooper has created a hidden directory under',
'Tropic Trooper has created a hidden directory under\n\nTropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.(Citation: Unit 42 Tropic Trooper Nov 2016)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nTropic Trooper used shellcode with an XOR algorithm to decrypt a payload.\n\nTropic Trooper also decrypted image files which contained a payload.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.004|Winlogon Helper DLL|\n\nTropic Trooper has created the Registry key\n\nTropic Trooper is capable of enumerating the running processes on the system using\n\nTropic Trooper can search for anti-virus software running on the system.(Citation: Unit 42 Tropic Trooper Nov 2016)|',
'Turla - G0010\n\nCreated: 2017-05-31T21:31:49.816Z\n\nModified: 2023-03-22T05:41:28.428Z\n\nContributors: Matthieu Faou, ESET,Edward Millington\n\nAliases\n\nTurla,IRON HUNTER,Group 88,Belugasturgeon,Waterbug,WhiteBear,Snake,Krypton,Venomous Bear\n\nDescription\n\nTurla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)\n\nTechniques Used\n\nTurla has modify Registry values to store payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1090.001|Internal Proxy|\n\nTurla has compromised internal network systems to act as a proxy to forward traffic to C2.(Citation: Talos TinyTurla September 2021)|\n|mitre-attack|enterprise-attack|Windows|T1615|Group Policy Discovery|\n\nTurla surveys a system upon check-in to discover Group Policy details using the\n\nTurla has obtained and customized publicly-available tools like\n\nMimikatz.(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|',
'Mimikatz.(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|\n\nTurla has used various JavaScript-based backdoors.(Citation: ESET Turla Mosquito Jan 2018) |\n|mitre-attack|enterprise-attack|Windows,macOS|T1553.006|Code Signing Policy Modification|\n\nTurla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1016.001|Internet Connection Discovery|\n\nTurla has used\n\nTurla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.(Citation: Unit42 AcidBox June 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nTurla has used IronPython scripts as part of the\n\nIronNetInjector toolchain to drop payloads.(Citation: Unit 42 IronNetInjector February 2021 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.003|Mail Protocols|\n\nTurla has used multiple backdoors which communicate with a C2 server via email attachments.(Citation: Crowdstrike GTR2020 Mar 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1078.003|Local Accounts|\n\nTurla has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nTurla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.(Citation: ESET Crutch December 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102|Web Service|',
'Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.(Citation: Accenture HyperStack October 2020)(Citation: ESET Crutch December 2020)|\n|mitre-attack|enterprise-attack|PRE|T1587.001|Malware|\n\nTurla has developed its own unique malware for use in operations.(Citation: Recorded Future Turla Infra 2020)|\n|mitre-attack|enterprise-attack|PRE|T1584.004|Server|\n\nTurla has used compromised servers as infrastructure.(Citation: Recorded Future Turla Infra 2020)(Citation: Accenture HyperStack October 2020)(Citation: Talos TinyTurla September 2021)|\n|mitre-attack|enterprise-attack|PRE|T1584.006|Web Services|\n\nTurla has frequently used compromised WordPress sites for C2 infrastructure.(Citation: Recorded Future Turla Infra 2020)|\n|mitre-attack|enterprise-attack|PRE|T1584.003|Virtual Private Server|\n\nTurla has used the VPS infrastructure of compromised Iranian threat actors.(Citation: NSA NCSC Turla OilRig)|\n|mitre-attack|enterprise-attack|PRE|T1588.001|Malware|\n\nTurla has used malware obtained after compromising other threat actors, such as\n\nOilRig.(Citation: NSA NCSC Turla OilRig)(Citation: Recorded Future Turla Infra 2020)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nTurla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.(Citation: ESET ComRAT May 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|',
"Turla has infected victims using watering holes.(Citation: ESET ComRAT May 2020)(Citation: Secureworks IRON HUNTER Profile)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,SaaS,Office 365,Google Workspace,IaaS|T1213|Data from Information Repositories|\n\nTurla has used a custom .NET tool to collect documents from an organization's internal central database.(Citation: ESET ComRAT May 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1120|Peripheral Device Discovery|\n\nTurla has used\n\nTurla has used\n\nTurla has used\n\nTurla has used\n\nTurla has used\n\nTurla has used\n\nTurla RPC backdoors can be used to transfer files to/from victim machines on the local network.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Windows|T1055.001|Dynamic-link Library Injection|\n\nTurla has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET Turla Mosquito May 2018)(Citation: Github Rapid7 Meterpreter Elevate)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1560.001|Archive via Utility|\n\nTurla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nTurla has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019)\n\nTurla has also exfiltrated stolen files to OneDrive and 4shared.(Citation: ESET ComRAT May 2020)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|",
'Turla has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019) |\n|mitre-attack|enterprise-attack|Windows|T1555.004|Windows Credential Manager|\n\nTurla has gathered credentials from the Windows Credential Manager tool.(Citation: Symantec Waterbug Jun 2019) |\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nTurla RPC backdoors have used cmd.exe to execute commands.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nTurla RPC backdoors can upload files from victim machines.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Windows|T1134.002|Create Process with Token|\n\nTurla RPC backdoors can impersonate or steal process tokens before executing commands.(Citation: ESET Turla PowerShell May 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1025|Data from Removable Media|\n\nTurla RPC backdoors can collect files from USB thumb drives.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nTurla RPC backdoors have included local UPnP RPC proxies.(Citation: ESET Turla PowerShell May 2019) |\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nTurla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or\n\nPowerShell Profile, to decode encrypted PowerShell payloads.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|',
"Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1106|Native API|\n\nTurla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Windows|T1546.003|Windows Management Instrumentation Event Subscription|\n\nTurla has used WMI event filters and consumers to establish persistence.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.010|Command Obfuscation|\n\nTurla has used encryption (including salted 3DES via\n\nPowerSploit's\n\nTurla has used the Registry to store encrypted and encoded payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)|\n|mitre-attack|enterprise-attack|Windows|T1546.013|PowerShell Profile|\n\nTurla has used PowerShell profiles to maintain persistence on an infected machine.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nTurla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.(Citation: ESET Turla Mosquito Jan 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|A\n\nTurla Javascript backdoor added a local_update_check value under the Registry key",
"Turla Javascript backdoor added a local_update_check value under the Registry key\n\nTurla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nTurla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from\n\nEmpire's PSInject.(Citation: ESET Turla Mosquito May 2018)(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)\n\nTurla has also used PowerShell scripts to load and execute malware in memory.|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nTurla has used HTTP and HTTPS for C2 communications.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)|\n|mitre-attack|enterprise-attack|Windows|T1547.004|Winlogon Helper DLL|\n\nTurla established persistence by adding a Shell value under the Registry key\n\nTurla has used shellcode to download Meterpreter after compromising a victim.(Citation: ESET Turla Mosquito May 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|A\n\nTurla JavaScript backdoor has used Google Apps Script as its C2 server.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|\n\nTurla has also used\n\nPowerSploit's",
"Turla has also used\n\nPowerSploit's\n\nTurla has used spearphishing via a link to get users to download and run their malware.(Citation: ESET Turla Mosquito Jan 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027.005|Indicator Removal from Tools|Based on comparison of\n\nGazer versions,\n\nTurla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.(Citation: ESET Gazer Aug 2017)|\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|\n\nTurla surveys a system upon check-in to discover the system time by using the\n\nTurla used\n\nTurla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020)\n\nTurla RPC backdoors have also searched for files matching the\n\nTurla surveys a system upon check-in to discover operating system configuration details using the\n\nTurla may attempt to connect to systems within a victim's network using\n\nTurla surveys a system upon check-in to discover active local network connections using the\n\nTurla RPC backdoors have also enumerated the IPv4 TCP connection table via the\n\nTurla surveys a system upon check-in to discover information in the Windows Registry with the\n\nTurla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nTurla surveys a system upon check-in to discover remote systems on a local network using the\n\nTurla has also used\n\nTurla surveys a system upon check-in to discover network configuration details using the\n\nNBTscan.(Citation: Kaspersky Turla)(Citation: Symantec Waterbug Jun 2019)(Citation: ESET ComRAT May 2020)",
'NBTscan.(Citation: Kaspersky Turla)(Citation: Symantec Waterbug Jun 2019)(Citation: ESET ComRAT May 2020)\n\nTurla RPC backdoors have also retrieved registered RPC interface information from process memory.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nTurla surveys a system upon check-in to discover running processes using the\n\nTurla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.(Citation: ESET Turla PowerShell May 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1007|System Service Discovery|\n\nTurla surveys a system upon check-in to discover running services and associated processes using the',
'Volatile Cedar - G0123\n\nCreated: 2021-02-08T20:30:30.578Z\n\nModified: 2022-04-20T20:08:15.870Z\n\nContributors:\n\nAliases\n\nVolatile Cedar,Lebanese Cedar\n\nDescription\n\nVolatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|PRE|T1595.003|Wordlist Scanning|Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains.(Citation: ClearSky Lebanese Cedar Jan 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|Volatile Cedar can deploy additional tools.(Citation: ClearSky Lebanese Cedar Jan 2021)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery.(Citation: CheckPoint Volatile Cedar March 2015) (Citation: ClearSky Lebanese Cedar Jan 2021) |\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|Volatile Cedar can inject web shell code into a server.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) |\n|mitre-attack|enterprise-attack|PRE|T1595.002|Vulnerability Scanning|Volatile Cedar has performed vulnerability scans of the target server.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)|',
'Whitefly - G0107\n\nCreated: 2020-05-26T16:55:09.674Z\n\nModified: 2021-10-12T21:43:24.133Z\n\nContributors:\n\nAliases\n\nWhitefly\n\nDescription\n\nWhitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)\n\nTechniques Used\n\nWhitefly has obtained and used tools such as\n\nMimikatz.(Citation: Symantec Whitefly March 2019)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nWhitefly has used\n\nMimikatz to obtain credentials.(Citation: Symantec Whitefly March 2019)|\n|mitre-attack|enterprise-attack|Windows|T1574.001|DLL Search Order Hijacking|\n\nWhitefly has used search order hijacking to run the loader Vcrodat.(Citation: Symantec Whitefly March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nWhitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.(Citation: Symantec Whitefly March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nWhitefly has encrypted the payload used for C2.(Citation: Symantec Whitefly March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nWhitefly has the ability to download additional tools from the C2.(Citation: Symantec Whitefly March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|',
'Whitefly has used malicious .exe or .dll files disguised as documents or images.(Citation: Symantec Whitefly March 2019)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nWhitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.(Citation: Symantec Whitefly March 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nWhitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.(Citation: Symantec Whitefly March 2019)|',
'Windigo - G0124\n\nCreated: 2021-02-10T19:57:38.042Z\n\nModified: 2021-04-26T22:32:57.046Z\n\nContributors:\n\nAliases\n\nWindigo\n\nDescription\n\nThe Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)\n\nTechniques Used\n\nWindigo has used a script to detect which Linux distribution and version is currently installed on the system.(Citation: ESET ForSSHe December 2018)|\n|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nWindigo has used a script to detect installed software on targeted systems.(Citation: ESET ForSSHe December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,Office 365,Azure AD,IaaS,Google Workspace|T1059|Command and Scripting Interpreter|\n\nWindigo has used a Perl script for information gathering.(Citation: ESET ForSSHe December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nWindigo has used a script to check for the presence of files created by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|\n\nWindigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|',
'Windigo has distributed Windows malware via drive-by downloads.(Citation: ESET Windigo Mar 2014)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1090|Proxy|\n\nWindigo has delivered a generic Windows proxy Win32/Glubteta.M.\n\nWindigo has also used multiple reverse proxy chains as part of their C2 infrastructure.(Citation: ESET Windigo Mar 2014)|',
'Windshift - G0112\n\nCreated: 2020-06-25T17:16:39.168Z\n\nModified: 2021-04-26T14:37:33.234Z\n\nContributors:\n\nAliases\n\nWindshift,Bahamut\n\nDescription\n\nWindshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)\n\nTechniques Used\n\nWindshift has created LNK files in the Startup folder to establish persistence.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows|T1047|Windows Management Instrumentation|\n\nWindshift has used WMI to collect information about target machines.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nWindshift has used malware to identify the computer name of a compromised host.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nWindshift has used malware to identify the username on a compromised host.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|\n\nWindshift has used malware to enumerate active processes.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518|Software Discovery|\n\nWindshift has used malware to identify installed software.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|',
'Windshift has used malware to identify installed software.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nWindshift has used tools to deploy additional payloads to compromised hosts.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nWindshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nWindshift has used Visual Basic 6 (VB6) payloads.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nWindshift has used tools that communicate with C2 over HTTP.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|\n\nWindshift has used string encoding with floating point calculations.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nWindshift has used fake personas on social media to engage and target victims.(Citation: SANS Windshift August 2018) |\n|mitre-attack|enterprise-attack,mobile-attack|Windows,Linux,macOS,SaaS|T1189|Drive-by Compromise|\n\nWindshift has used compromised websites to register custom URL schemes on a remote system.(Citation: objective-see windtail1 dec 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|macOS,Windows|T1036.001|Invalid Code Signature|',
'Windshift has used revoked certificates to sign malware.(Citation: objective-see windtail1 dec 2018)(Citation: SANS Windshift August 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nWindshift has sent spearphishing emails with attachment to harvest credentials and deliver malware.(Citation: SANS Windshift August 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nWindshift has sent spearphishing emails with links to harvest credentials and deliver malware.(Citation: SANS Windshift August 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nWindshift has used icons mimicking MS Office files to mask malicious executables.(Citation: objective-see windtail1 dec 2018)\n\nWindshift has also attempted to hide executables by changing the file extension to ".scr" to mimic Windows screensavers.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nWindshift has used links embedded in e-mails to lure victims into executing malicious code.(Citation: SANS Windshift August 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nWindshift has used e-mail attachments to lure victims into executing malicious code.(Citation: SANS Windshift August 2018)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1533|Data from Local System|\n\nWindshift has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1512|Video Capture|',
'Windshift has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1407|Download New Code at Runtime|\n\nWindshift has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1417.001|Keylogging|\n\nWindshift has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|iOS,Android|T1636.003|Contact List|\n\nWindshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1406|Obfuscated Files or Information|\n\nWindshift has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1636.004|SMS Messages|\n\nWindshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1521.001|Symmetric Cryptography|\n\nWindshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1632.001|Code Signing Policy Modification|\n\nWindshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1420|File and Directory Discovery|',
'Windshift has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1430|Location Tracking|\n\nWindshift has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1426|System Information Discovery|\n\nWindshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1429|Audio Capture|\n\nWindshift has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1627.001|Geofencing|\n\nWindshift has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)|\n|mitre-attack|enterprise-attack,mobile-attack|Android,iOS|T1633.001|System Checks|\n\nWindshift has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)|',
'Winnti Group - G0044\n\nCreated: 2017-05-31T21:32:08.682Z\n\nModified: 2023-03-20T22:02:53.982Z\n\nContributors: Edward Millington\n\nAliases\n\nWinnti Group,Blackfly\n\nDescription\n\nWinnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)\n\nTechniques Used\n\nWinnti Group has downloaded an auxiliary program named ff.exe to infected machines.(Citation: Kaspersky Winnti April 2013)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|\n\nWinnti Group has used a program named ff.exe to search for specific documents on compromised hosts.(Citation: Kaspersky Winnti April 2013)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nWinnti Group has registered domains for C2 that mimicked sites of their intended targets.(Citation: Kaspersky Winnti April 2013)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1014|Rootkit|\n\nWinnti Group used a rootkit to modify typical server functionality.(Citation: Kaspersky Winnti April 2013)|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nWinnti Group used stolen certificates to sign its malware.(Citation: Kaspersky Winnti April 2013)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|',
'Winnti Group looked for a specific process running on infected servers.(Citation: Kaspersky Winnti April 2013)|',
'WIRTE - G0090\n\nCreated: 2019-05-24T17:02:44.226Z\n\nModified: 2022-04-15T19:50:19.478Z\n\nContributors: Lab52 by S2 Grupo\n\nAliases\n\nWIRTE\n\nDescription\n\nWIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)\n\nTechniques Used\n\nWIRTE has used HTTPS over ports 2083 and 2087 for C2.(Citation: Kaspersky WIRTE November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|\n\nWIRTE has named a first stage dropper\n\nWIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.(Citation: Kaspersky WIRTE November 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|\n\nWIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.(Citation: Kaspersky WIRTE November 2021)|\n|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|\n\nWIRTE has obtained and used\n\nEmpire for post-exploitation activities.(Citation: Lab52 WIRTE Apr 2019)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|\n\nWIRTE has used Base64 to decode malicious VBS script.(Citation: Lab52 WIRTE Apr 2019)|\n|mitre-attack|enterprise-attack|Windows|T1218.010|Regsvr32|\n\nWIRTE has used',
'WIRTE has used\n\nWIRTE has downloaded PowerShell code from the C2 server to be executed.(Citation: Lab52 WIRTE Apr 2019)|\n|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|\n\nWIRTE has used PowerShell for script execution.(Citation: Lab52 WIRTE Apr 2019)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|\n\nWIRTE has used VBScript in its operations.(Citation: Lab52 WIRTE Apr 2019) |\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nWIRTE has used HTTP for network communication.(Citation: Lab52 WIRTE Apr 2019) |',
'Wizard Spider - G0102\n\nCreated: 2020-05-12T18:15:29.396Z\n\nModified: 2023-03-22T05:44:27.289Z\n\nContributors: Edward Millington,Oleksiy Gayda\n\nAliases\n\nWizard Spider,UNC1878,TEMP.MixMaster,Grim Spider\n\nDescription\n\nWizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\n\nTechniques Used\n\nWizard Spider has obtained and used publicly-available post-exploitation frameworks and tools like Metasploit,\n\nEmpire,\n\nMimikatz.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1087.002|Domain Account|\n\nWizard Spider has identified domain admins through the use of “net group ‘Domain admins’” commands.(Citation: DFIR Ryuk\'s Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nWizard Spider has used "ipconfig" to identify the network configuration of a victim machine.(Citation: Sophos New Ryuk Attack October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1222.001|Windows File and Directory Permissions Modification|\n\nWizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.(Citation: Sophos New Ryuk Attack October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.003|Code Signing Certificates|',
"Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|\n\nWizard Spider has used Digicert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.002|Security Account Manager|\n\nWizard Spider has acquired credentials from the SAM/SECURITY registry hives.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.004|Winlogon Helper DLL|\n\nWizard Spider has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|\n\nWizard Spider has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,Windows,macOS|T1210|Exploitation of Remote Services|\n\nWizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1557.001|LLMNR/NBT-NS Poisoning and SMB Relay|",
"Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1569.002|Service Execution|\n\nWizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.002|SMB/Windows Admin Shares|\n\nWizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk's Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nWizard Spider has used “systeminfo” and similar commands to acquire detailed configuration information of a victim machine.(Citation: DFIR Ryuk's Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|\n\nWizard Spider has used cmd.exe to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1048.003|Exfiltration Over Unencrypted Non-C2 Protocol|\n\nWizard Spider has exfiltrated victim information using FTP.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1489|Service Stop|",
'Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.(Citation: DFIR Ryuk\'s Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,Containers,macOS|T1133|External Remote Services|\n\nWizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1078.002|Domain Accounts|\n\nWizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nWizard Spider has used "whoami" to identify the local user and their privileges.(Citation: Sophos New Ryuk Attack October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nWizard Spider has established persistence via the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and a shortcut within the startup folder.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|\n\nWizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk\'s Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1135|Network Share Discovery|',
"Wizard Spider has used the “net view” command to locate mapped network shares.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.006|Windows Remote Management|\n\nWizard Spider has used Window Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1558.003|Kerberoasting|\n\nWizard Spider has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.(Citation: DFIR Ryuk's Return October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nWizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nWizard Spider has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|\n\nWizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1055.001|Dynamic-link Library Injection|",
"Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|\n\nWizard Spider has used WMI and LDAP queries for network discovery and to move laterally.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1078|Valid Accounts|\n\nWizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Network|T1018|Remote System Discovery|\n\nWizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators.\n\nWizard Spider has also used\n\nAdFind and\n\nWizard Spider used Base64 encoding to obfuscate an\n\nEmpire service and PowerShell commands.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS|T1074|Data Staged|\n\nWizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin\n\nTrickBot modules.(Citation: CrowdStrike Grim Spider May 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.001|Web Protocols|",
'TrickBot modules.(Citation: CrowdStrike Grim Spider May 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1071.001|Web Protocols|\n\nWizard Spider has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nWizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nWizard Spider has used RDP for lateral movement.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|\n\nWizard Spider has used stolen credentials to copy tools into the\n\nWizard Spider has installed\n\nTrickBot as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.004|File Deletion|\n\nWizard Spider has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.001|PowerShell|',
"Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.(Citation: CrowdStrike Grim Spider May 2019) It has also used PowerShell to execute commands and move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1053.005|Scheduled Task|\n\nWizard Spider has used scheduled tasks establish persistence for\n\nTrickBot and other malware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nWizard Spider has used scheduled tasks to install\n\nTrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|\n\nWizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either\n\nEmotet, Bokbot,\n\nTrickBot, or\n\nBazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: CrowdStrike Wizard Spider October 2020)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1112|Modify Registry|\n\nWizard Spider has modified the Registry key\n\nWizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either\n\nEmotet, Bokbot,\n\nTrickBot, or",
'Wizard Spider has modified the Registry key\n\nWizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either\n\nEmotet, Bokbot,\n\nTrickBot, or\n\nBazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)|',
"ZIRCONIUM - G0128\n\nCreated: 2021-03-24T15:48:17.731Z\n\nModified: 2023-03-22T22:10:43.732Z\n\nContributors:\n\nAliases\n\nZIRCONIUM,APT31\n\nDescription\n\nZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)\n\nTechniques Used\n\nZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URL's.(Citation: Microsoft Targeting Elections September 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1016|System Network Configuration Discovery|\n\nZIRCONIUM has used a tool to enumerate proxy settings in the target environment.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|\n\nZIRCONIUM has exfiltrated stolen data to Dropbox.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|\n\nZIRCONIUM has created a run key named\n\nZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.(Citation: Check Point APT31 February 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|\n\nZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.(Citation: Check Point APT31 February 2021)|\n|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|",
'ZIRCONIUM has used multi-stage packers for exploit code.(Citation: Check Point APT31 February 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nZIRCONIUM has used tools to download malicious files to compromised hosts.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|\n\nZIRCONIUM has exfiltrated files via the Dropbox API C2.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|\n\nZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1033|System Owner/User Discovery|\n\nZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1573.001|Symmetric Cryptography|\n\nZIRCONIUM has used AES encrypted communications in C2.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|\n\nZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Windows,Network|T1124|System Time Discovery|',
'ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Windows|T1012|Query Registry|\n\nZIRCONIUM has used a tool to query the Registry for proxy settings.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555.003|Credentials from Web Browsers|\n\nZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|\n\nZIRCONIUM has created a Registry Run key named\n\nZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|\n\nZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1036|Masquerading|\n\nZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1102.002|Bidirectional Communication|',
'ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|PRE|T1598|Phishing for Information|\n\nZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.(Citation: Google Election Threats October 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.006|Web Services|\n\nZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nZIRCONIUM has used Python-based implants to interact with compromised hosts.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|\n\nZIRCONIUM has used malicious links in e-mails to deliver malware.(Citation: Microsoft Targeting Elections September 2020)(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)|\n|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|\n\nZIRCONIUM has purchased domains for use in targeted campaigns.(Citation: Microsoft Targeting Elections September 2020)|']}
Query ATT&CK Groups Knowledge Base#
Get OAI Key#
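# Get your key: https://platform.openai.com/account/api-keys
# The key is read from the environment (optionally populated from a local
# .env file by load_dotenv) rather than pasted into the notebook, so it is
# neither committed with the source nor echoed in cell output.
load_dotenv()
openai.api_key = os.getenv("OPENAI_API_KEY")
if not openai.api_key:
    # Fail here with a clear message instead of leaving api_key = None and
    # letting the first API call fail later with an opaque auth error.
    raise RuntimeError(
        "OPENAI_API_KEY is not set; export it or add it to a .env file."
    )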
Define Vector Store Retriever#
The retriever interface is a generic interface that makes it easy to combine documents with language models. This interface exposes a get_relevant_documents method which takes in a query (a string) and returns a list of documents.
retriever = db.as_retriever(search_kwargs={"k":5})
Get Relevant Documents#
Threat Actors Texting#
# Natural-language question; the retriever embeds it with the same model
# used at indexing time and returns the closest group documents.
query = (
    "\n"
    "What threat actors sent text messages to their targets?\n"
)
print("[+] Getting relevant documents for query..")
relevant_docs = retriever.get_relevant_documents(query)
# Bare expression so the notebook renders the retrieved Document objects
# and the retrieval can be sanity-checked before anything is sent to the LLM.
relevant_docs
[+] Getting relevant documents for query..
[Document(page_content='Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nLazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1584.004|Server|\n\nLazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1591|Gather Victim Org Information|\n\nLazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.002|Email Accounts|\n\nLazarus Group has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|\n\nLazarus Group has obtained a variety of tools for their operations, including\n\nResponder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|\n\nLazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.011|Rundll32|\n\nLazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|', metadata={'source': 'documents\\Lazarus_Group.md'}),
Document(page_content='CURIUM - G1012\n\nCreated: 2023-01-13T20:51:13.494Z\n\nModified: 2023-04-12T13:21:41.276Z\n\nContributors:\n\nAliases\n\nCURIUM\n\nDescription\n\nCURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|CURIUM has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|CURIUM has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|CURIUM has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|\n|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|', metadata={'source': 'documents\\CURIUM.md'}),
Document(page_content="Group5 - G0043\n\nCreated: 2017-05-31T21:32:08.304Z\n\nModified: 2020-03-30T19:07:39.812Z\n\nContributors:\n\nAliases\n\nGroup5\n\nDescription\n\nGroup5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)\n\nTechniques Used\n\n|Matrix|Domain|Platform|Technique ID|Technique Name|Use|\n| :---| :---| :---| :---| :---| :---|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1027|Obfuscated Files or Information|Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|Malware used by Group5 is capable of watching the victim's screen.(Citation: Citizen Lab Group5)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|Malware used by Group5 is capable of capturing keystrokes.(Citation: Citizen Lab Group5)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|Malware used by Group5 is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)|", metadata={'source': 'documents\\Group5.md'}),
Document(page_content='Ember Bear - G1003\n\nCreated: 2022-06-09T14:49:57.704Z\n\nModified: 2023-03-22T03:40:53.311Z\n\nContributors: Hannah Simes, BT Security\n\nAliases\n\nEmber Bear,Saint Bear,UNC2589,UAC-0056,Lorec53,Lorec Bear,Bleeding Bear\n\nDescription\n\nEmber Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )\n\nTechniques Used\n\nEmber Bear has obfuscated malicious scripts to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|PRE|T1588.003|Code Signing Certificates|\n\nEmber Bear has stolen legitimate certificates to sign malicious payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Windows|T1218.002|Control Panel|\n\nEmber Bear has used control panel files (CPL), delivered via e-mail, for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|\n\nEmber Bear has used tools to download malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|\n\nEmber Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|', metadata={'source': 
'documents\\Ember_Bear.md'}),
Document(page_content='Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1059.006|Python|\n\nKimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network,IaaS|T1040|Network Sniffing|\n\nKimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)|\n|mitre-attack|enterprise-attack|Windows,macOS,Linux,Network|T1557|Adversary-in-the-Middle|\n\nKimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS,Network|T1505.003|Web Shell|\n\nKimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.(Citation: CISA AA20-301A Kimsuky)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nKimsuky has gathered credentials using\n\nMimikatz and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)|\n|mitre-attack|enterprise-attack|Windows|T1112|Modify Registry|', metadata={'source': 'documents\\Kimsuky.md'})]
Question Answering#
from langchain.chains.question_answering import load_qa_chain
from langchain.llms import OpenAI
# temperature=0 keeps answers deterministic, which matters when comparing
# prompt wordings against each other in the cells below. The "stuff" chain
# concatenates every retrieved document verbatim into one prompt, so the
# answer depends on all five chunks fitting the context window and on the
# indexed corpus being trusted (document text reaches the model unfiltered).
llm = OpenAI(temperature=0)
chain = load_qa_chain(llm, chain_type="stuff")
chain.run(question=query, input_documents=relevant_docs)
'\nNone of the threat actors mentioned in the context sent text messages to their targets.'
Prompt Engineering#
# Same question, narrowed to the delivery channel; compare the answer with
# the previous cell to see how much wording alone changes retrieval.
query = (
    "\n"
    "What threat actors sent text messages to their targets\n"
    "over social media accounts?\n"
)
print("[+] Getting relevant documents for query..")
relevant_docs = retriever.get_relevant_documents(query)
print("[+] Asking LLM..")
chain.run(question=query, input_documents=relevant_docs)
[+] Getting relevant documents for query..
[+] Asking LLM..
' Lazarus Group and CURIUM have both used social media accounts to send malicious files to their targets.'
Phishing Techniques used by Threat Actors#
# Open-ended question: the top-5 hits are displayed below before the LLM
# sees them, so retrieval quality can be judged separately from the answer.
query = "What are some phishing techniques " "used by threat actors?"
print("[+] Getting relevant documents for query..")
relevant_docs = retriever.get_relevant_documents(query)
# Bare expression so the notebook renders the retrieved Document objects.
relevant_docs
[+] Getting relevant documents for query..
[Document(page_content='Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nLazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1584.004|Server|\n\nLazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1591|Gather Victim Org Information|\n\nLazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.002|Email Accounts|\n\nLazarus Group has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|\n\nLazarus Group has obtained a variety of tools for their operations, including\n\nResponder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|\n\nLazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.011|Rundll32|\n\nLazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|', metadata={'source': 'documents\\Lazarus_Group.md'}),
Document(page_content="Threat Group-3390 has obtained and used tools such as\n\nImpacket,\n\npwdump,\n\nMimikatz,\n\ngsecdump,\n\nNBTscan, and\n\nWindows Credential Editor.(Citation: Unit42 Emissary Panda May 2019)(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|PRE|T1608.002|Upload Tool|\n\nThreat Group-3390 has staged tools, including\n\ngsecdump and WCE, on previously compromised websites.(Citation: Dell TG-3390)|\n|mitre-attack|enterprise-attack|PRE|T1608.004|Drive-by Target|\n\nThreat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.(Citation: Gallagher 2015)|\n|mitre-attack|enterprise-attack|Windows|T1003.002|Security Account Manager|\n\nThreat Group-3390 actors have used\n\ngsecdump to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|\n\nThreat Group-3390 actors have used a modified version of\n\nMimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nThreat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with\n\nChina Chopper prior to exfiltration.(Citation: SecureWorks BRONZE UNION June 2017)|\n|mitre-attack|enterprise-attack|Linux,Windows,macOS|T1203|Exploitation for Client Execution|", metadata={'source': 'documents\\Threat_Group-3390.md'}),
Document(page_content='HEXANE has identified specific potential victims at targeted organizations.(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1591.004|Identify Roles|\n\nHEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|\n\nHEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)|\n|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|\n\nHEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)\n|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|\n\nHEXANE has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1010|Application Window Discovery|\n\nHEXANE has used a PowerShell-based keylogging tool to capture the window title.(Citation: SecureWorks August 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|\n\nHEXANE has used a PowerShell-based keylogger named\n\nHEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.(Citation: SecureWorks August 2019)(Citation: Kaspersky APT Trends Q1 April 2021)(Citation: Kaspersky Lyceum October 2021)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|', metadata={'source': 'documents\\HEXANE.md'}),
Document(page_content='TA505 has used spearphishing emails with malicious attachments to initially compromise victims.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)|', metadata={'source': 'documents\\TA505.md'}),
Document(page_content="FIN6 has deployed a utility script named\n\nFIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges.(Citation: FireEye FIN6 Apr 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,Azure AD,Network|T1110.002|Password Cracking|\n\nFIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|\n\nFIN6 has used Metasploit’s\n\nPsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|\n\nFIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.(Citation: FireEye FIN6 April 2016)|\n|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|\n\nFIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligence More Eggs Aug 2019)|\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|\n\nFIN6 has used WMI to automate the remote execution of PowerShell scripts.(Citation: Security Intelligence More Eggs Aug 2019) |\n|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|\n\nFIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019) |\n|mitre-attack|enterprise-attack,ics-attack|Windows|T1569.002|Service Execution|", metadata={'source': 'documents\\FIN6.md'})]
Question Answering#
chain.run(input_documents=relevant_docs, question=query)
' Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages. HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing. TA505 has used spearphishing emails with malicious attachments to initially compromise victims. FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.'