Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

ID: G0102
Associated Groups: UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193
Contributors: Edward Millington; Oleksiy Gayda
Version: 4.0
Created: 12 May 2020
Last Modified: 03 April 2024

Associated Group Descriptions

Name Description
UNC1878

[4]

TEMP.MixMaster

[5]

Grim Spider

[1][6]

FIN12

[7]

GOLD BLACKBURN

[8]

ITG23

[9]

Periwinkle Tempest

[10]

DEV-0193

[10]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN. Wizard Spider has also leveraged the PowerShell cmdlet Get-ADComputer to collect account names from Active Directory data.[11][7]

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.[6]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Wizard Spider has archived data into ZIP files on compromised machines.[7]

Enterprise T1197 BITS Jobs

Wizard Spider has used batch scripts that utilizes WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine.[7]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[2][4]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.[6] It has also used PowerShell to execute commands and move laterally through a victim network.[2][4][12][7]

.003 Command and Scripting Interpreter: Windows Command Shell

Wizard Spider has used cmd.exe to execute commands on a victim's machine.[11][7]

Enterprise T1136 .001 Create Account: Local Account

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.[7]

.002 Create Account: Domain Account

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.[7]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[6][7]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Wizard Spider has used PowerShell cmdlet Invoke-WCMDump to enumerate Windows credentials in the Credential Manager in a compromised network.[7]

Enterprise T1005 Data from Local System

Wizard Spider has collected data from a compromised host prior to exfiltration.[7]

Enterprise T1074 Data Staged

Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[6]

.001 Local Data Staging

Wizard Spider has staged ZIP files in local directories such as, C:\PerfLogs\1\ and C:\User\1\ prior to exfiltration.[7]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.[7]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Wizard Spider has exfiltrated victim information using FTP.[11][13]

Enterprise T1041 Exfiltration Over C2 Channel

Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[6][7]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.[7]

Enterprise T1210 Exploitation of Remote Services

Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.[4][11][14]

Enterprise T1133 External Remote Services

Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.[4]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.[15]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[2][4][11][7]

Enterprise T1070 .004 Indicator Removal: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[6]

Enterprise T1105 Ingress Tool Transfer

Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.[7]

Enterprise T1490 Inhibit System Recovery

Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin.[7]

Enterprise T1570 Lateral Tool Transfer

Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.[6]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.[6] It has also used common document file names for other malware binaries.[4]

Enterprise T1112 Modify Registry

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory. Wizard Spider has also modified the WDigest registry key to allow plaintext credentials to be cached in memory.[6][7]

Enterprise T1135 Network Share Discovery

Wizard Spider has used the "net view" command to locate mapped network shares.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.[5][11]

Enterprise T1588 .002 Obtain Capabilities: Tool

Wizard Spider has utilized tools such as Empire, Cobalt Strike, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.[4][7]

.003 Obtain Capabilities: Code Signing Certificates

Wizard Spider has obtained code signing certificates signed by DigiCert, GlobalSign, and COMOOD for malware payloads.[13][7]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Wizard Spider has dumped the lsass.exe memory to harvest credentials with the use of open-source tool LaZagne.[7]

.002 OS Credential Dumping: Security Account Manager

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.[4]

.003 OS Credential Dumping: NTDS

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect NTDS.dit with the use of the Windows utility, ntdsutil.[4][7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.[6][12][7]

.002 Phishing: Spearphishing Link

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[2][13]

Enterprise T1055 Process Injection

Wizard Spider has used process injection to execute payloads to escalate privileges.[7]

.001 Dynamic-link Library Injection

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[2][13]

Enterprise T1021 Remote Services

Wizard Spider has used the WebDAV protocol to execute Ryuk payloads hosted on network file shares.[7]

.001 Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.[6][2][13][7]

.002 SMB/Windows Admin Shares

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[13][11]

.006 Windows Remote Management

Wizard Spider has used Window Remote Management to move laterally through a victim network.[2]

Enterprise T1018 Remote System Discovery

Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind, nltest/dclist, and PowerShell script Get-DataInfo.ps1 to enumerate domain computers, including the domain controller.[5][6][4][12][11][7]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.[6][2][4][13][7]

Enterprise T1489 Service Stop

Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.[11]

Enterprise T1518 Software Discovery

Wizard Spider has utilized the PowerShell script Get-DataInfo.ps1 to collect installed backup software information from a compromised machine.[7]

.001 Security Software Discovery

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[11]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Wizard Spider has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.[11][4][2][13][7]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Wizard Spider has used Digicert code-signing certificates for some of its malware.[13]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Wizard Spider has utilized rundll32.exe to deploy ransomware commands with the use of WebDAV.[7]

Enterprise T1082 System Information Discovery

Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet Get-ADComputer to collect DNS hostnames, last logon dates, and operating system information from Active Directory.[11][7]

Enterprise T1016 System Network Configuration Discovery

Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet Get-ADComputer to collect IP address data from Active Directory.[15][7]

Enterprise T1033 System Owner/User Discovery

Wizard Spider has used "whoami" to identify the local user and their privileges.[15]

Enterprise T1569 .002 System Services: Service Execution

Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim's network. Wizard Spider has also used batch scripts that leverage PsExec to execute a previously transferred ransomware payload on a victim's network.[11][14][7]

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

Wizard Spider has used PowerShell cmdlets Get-GPPPassword and Find-GPOPassword to find unsecured credentials in a compromised network group policy.[7]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Wizard Spider has used the Invoke-SMBExec PowerShell cmdlet to execute the pass-the-hash technique and utilized stolen password hashes to move laterally.[7]

Enterprise T1204 .001 User Execution: Malicious Link

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[2]

.002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.[6][3][7]

Enterprise T1078 Valid Accounts

Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[6][7]

.002 Domain Accounts

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[4]

Enterprise T1047 Windows Management Instrumentation

Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware.[6][2][4][12][7]

Software

ID Name References Techniques
S0552 AdFind [5][11][13][12][7] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0504 Anchor [16] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Windows Service, Execution Guardrails, Fallback Channels, Hide Artifacts: NTFS File Attributes, Indicator Removal: File Deletion, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job: Cron, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Services: Service Execution
S0534 Bazar [3][16] Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, BITS Jobs, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Masquerading: Double File Extension, Multi-Stage Channels, Native API, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Link, Process Discovery, Process Injection, Process Injection: Process Doppelgänging, Process Injection: Process Hollowing, Query Registry, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious Link, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Evasion, Web Service, Windows Management Instrumentation
S0190 BITSAdmin [7] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0521 BloodHound [2][4][15][7] Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Group Policy Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0154 Cobalt Strike [4][2][11][13][14][15][3][7] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0575 Conti [3][7][16] Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, Inhibit System Recovery, Native API, Network Share Discovery, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Service Stop, System Network Configuration Discovery, System Network Connections Discovery, Taint Shared Content
S0659 Diavol [16] Application Layer Protocol: Web Protocols, Data Destruction, Data Encrypted for Impact, Defacement: Internal Defacement, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Inhibit System Recovery, Native API, Network Share Discovery, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Process Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Service Stop, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0024 Dyre [17][18][19] Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer, Obfuscated Files or Information: Software Packing, Process Injection: Dynamic-link Library Injection, Process Injection, Scheduled Task/Job: Scheduled Task, Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Virtualization/Sandbox Evasion: System Checks
S0367 Emotet [6][15] Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Email Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute Force: Password Guessing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Email Collection, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Lateral Tool Transfer, Masquerading: Masquerade Task or Service, Native API, Network Share Discovery, Network Sniffing, Non-Standard Port, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Software Packing, OS Credential Dumping: LSASS Memory, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Dynamic-link Library Injection, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, System Network Configuration Discovery: Wi-Fi Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials In Files, User Execution: Malicious File, User Execution: Malicious Link, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0363 Empire [6][2][4][7] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0632 GrimAgent [20] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Junk Data, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Location Discovery: System Language Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: Time Based Evasion
S0349 LaZagne [7] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [4][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [1][12][4][11][13][14][15][7] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest [4][11][13][14][15][12][7] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097 Ping [11][2][14] Remote System Discovery
S0029 PsExec [6][4][7] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1071 Rubeus [7] Domain Trust Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: AS-REP Roasting, Steal or Forge Kerberos Tickets: Golden Ticket
S0446 Ryuk [1][12][2][4][11][13][14][15][3][7][16] Access Token Manipulation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Native API, Obfuscated Files or Information, Process Discovery, Process Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Service Stop, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, Traffic Signaling, Valid Accounts: Domain Accounts
S0266 TrickBot [6][2][15][3][7][16] Account Discovery: Local Account, Account Discovery: Email Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Brute Force: Credential Stuffing, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Password Managers, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Domain Trust Discovery, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Exploitation of Remote Services, Fallback Channels, File and Directory Discovery, Firmware Corruption, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Credential API Hooking, Inter-Process Communication: Component Object Model, Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Pre-OS Boot: Bootkit, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy: External Proxy, Remote Access Software, Remote Services: VNC, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion

References