Name | Description |
---|---|
Hive0065 |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .003 | Account Discovery: Email Account |
TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.[5] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][6][7][8] |
.003 | Command and Scripting Interpreter: Windows Command Shell | |||
.005 | Command and Scripting Interpreter: Visual Basic | |||
.007 | Command and Scripting Interpreter: JavaScript | |||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
TA505 has used malware to gather credentials from Internet Explorer.[1] |
Enterprise | T1486 | Data Encrypted for Impact |
TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1] |
|
Enterprise | T1568 | .001 | Dynamic Resolution: Fast Flux DNS |
TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[5] |
Enterprise | T1105 | Ingress Tool Transfer |
TA505 has downloaded additional malware to execute on victim systems.[7][8][6] |
|
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
TA505 has leveraged malicious Word documents that abused DDE.[2] |
Enterprise | T1027 | Obfuscated Files or Information |
TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.[1][7][8] |
|
.002 | Software Packing | |||
Enterprise | T1069 | Permission Groups Discovery |
TA505 has used TinyMet to enumerate members of privileged groups.[4] TA505 has also run |
|
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][7][6][9][5][10][4] |
.002 | Phishing: Spearphishing Link |
TA505 has sent spearphishing emails containing malicious links.[1][3][5][10] |
||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection | |
Enterprise | T1218 | .007 | Signed Binary Proxy Execution: Msiexec |
TA505 has used |
.011 | Signed Binary Proxy Execution: Rundll32 |
TA505 has leveraged |
||
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[7][8][5] |
.005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
TA505 has used .iso files to deploy malicious .lnk files.[11] |
||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
TA505 has used malware to gather credentials from FTP clients and Outlook.[1] |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][7][6][9][5][10] |
.002 | User Execution: Malicious File |
TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][7][6][9][5][10][4] |
||
Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
TA505 has used stolen domain admin accounts to compromise additional hosts.[4] |