| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data. |
| Enterprise | T1059 | Command-Line Interface | menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands. |
| Enterprise | T1090 | Connection Proxy | menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim. |
| Enterprise | T1003 | Credential Dumping | menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials. |
| Enterprise | T1002 | Data Compressed | menuPass has compressed files before exfiltration using TAR and RAR. |
| Enterprise | T1022 | Data Encrypted | menuPass has encrypted files and information before exfiltration. |
| Enterprise | T1005 | Data from Local System | menuPass has collected various files from the compromised computers. |
| Enterprise | T1039 | Data from Network Shared Drive | menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data. |
| Enterprise | T1074 | Data Staged | menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used certutil -decode to decode files on the victim's machine when dropping UPPERCUT. |
| Enterprise | T1038 | DLL Search Order Hijacking | menuPass has used DLL search order hijacking. |
| Enterprise | T1073 | DLL Side-Loading | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT. |
| Enterprise | T1107 | File Deletion | A menuPass macro deletes files after it has decoded and decompressed them. |
| Enterprise | T1056 | Input Capture | menuPass has used keyloggers to steal usernames and passwords. |
| Enterprise | T1036 | Masquerading | menuPass has been seen changing malicious files to appear legitimate. They have also renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool. |
| Enterprise | T1046 | Network Service Scanning | menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest. |
| Enterprise | T1027 | Obfuscated Files or Information | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40. |
| Enterprise | T1086 | PowerShell | menuPass uses PowerSploit to inject shellcode into PowerShell. |
| Enterprise | T1093 | Process Hollowing | menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant. |
| Enterprise | T1076 | Remote Desktop Protocol | menuPass has used RDP connections to move across the victim network. |
| Enterprise | T1105 | Remote File Copy | menuPass has installed updates and new malware on victims. |
| Enterprise | T1021 | Remote Services | menuPass has used the PuTTY Secure Copy Client (PSCP) to transfer data. |
| Enterprise | T1018 | Remote System Discovery | menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network. |
| Enterprise | T1053 | Scheduled Task | menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler. |
| Enterprise | T1064 | Scripting | menuPass has used malicious macros embedded inside Office documents to execute files. |
| Enterprise | T1193 | Spearphishing Attachment | menuPass has sent malicious Office documents via email as part of spearphishing campaigns, as well as executables disguised as documents. |
| Enterprise | T1016 | System Network Configuration Discovery | menuPass has used several tools to scan for open NetBIOS name servers and enumerate NetBIOS sessions. |
| Enterprise | T1049 | System Network Connections Discovery | menuPass has used net use to conduct connectivity checks to machines. |
| Enterprise | T1199 | Trusted Relationship | menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest. |
| Enterprise | T1204 | User Execution | menuPass has attempted to get victims to open malicious files sent via email as part of spearphishing campaigns. |
| Enterprise | T1078 | Valid Accounts | menuPass has used valid accounts shared between Managed Service Providers and clients to move between the two environments. |
| Enterprise | T1047 | Windows Management Instrumentation | menuPass uses a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI. |