
G0102 Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.317

Item Value
ID G0102
Associated Names UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193
Version 4.0
Created 12 May 2020
Last Modified 12 March 2025

Associated Group Descriptions

Name Description
UNC1878 5
TEMP.MixMaster 2
Grim Spider 34
FIN12 9
GOLD BLACKBURN 8
ITG23 10
Periwinkle Tempest 6
DEV-0193 6

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN. Wizard Spider has also leveraged the PowerShell cmdlet Get-ADComputer to collect computer account names from Active Directory.129
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.5
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Wizard Spider has used HTTP for network communications.4
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Wizard Spider has archived data into ZIP files on compromised machines.9
enterprise T1197 BITS Jobs Wizard Spider has used batch scripts that utilize WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine.9
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.15
enterprise T1547.004 Winlogon Helper DLL Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.5
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Wizard Spider has used macros to execute PowerShell scripts that download malware onto victims' machines.4 It has also used PowerShell to execute commands and move laterally through a victim network.15149
enterprise T1059.003 Windows Command Shell Wizard Spider has used cmd.exe to execute commands on a victim’s machine.129
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.9
enterprise T1136.002 Domain Account Wizard Spider has created and used new accounts within a victim’s Active Directory environment to maintain persistence.9
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.49
enterprise T1555 Credentials from Password Stores -
enterprise T1555.004 Windows Credential Manager Wizard Spider has used PowerShell cmdlet Invoke-WCMDump to enumerate Windows credentials in the Credential Manager in a compromised network.9
enterprise T1005 Data from Local System Wizard Spider has collected data from a compromised host prior to exfiltration.9
enterprise T1074 Data Staged Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.4
enterprise T1074.001 Local Data Staging Wizard Spider has staged ZIP files in local directories such as C:\PerfLogs\1\ and C:\User\1\ prior to exfiltration.9
enterprise T1585 Establish Accounts -
enterprise T1585.002 Email Accounts Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.9
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Wizard Spider has exfiltrated victim information using FTP.1211
enterprise T1041 Exfiltration Over C2 Channel Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.49
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.9
enterprise T1210 Exploitation of Remote Services Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.51213
enterprise T1133 External Remote Services Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.5
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.001 Windows File and Directory Permissions Modification Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.15
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.15129
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.4
enterprise T1105 Ingress Tool Transfer Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.9
enterprise T1490 Inhibit System Recovery Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin.9
enterprise T1570 Lateral Tool Transfer Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.4
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.4 It has also used common document file names for other malware binaries.5
enterprise T1112 Modify Registry Wizard Spider has set the UseLogonCredential value under HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest to 1 so that WDigest caches plaintext credentials in memory, where they can later be harvested.49
enterprise T1135 Network Share Discovery Wizard Spider has used the “net view” command to locate mapped network shares.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.212
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.59
enterprise T1588.003 Code Signing Certificates Wizard Spider has obtained code signing certificates issued by DigiCert, GlobalSign, and COMODO for malware payloads.119
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Wizard Spider has dumped the lsass.exe memory to harvest credentials with the use of open-source tool LaZagne.9
enterprise T1003.002 Security Account Manager Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.5
enterprise T1003.003 NTDS Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script to collect NTDS.dit with the Windows utility ntdsutil.59
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.4149
enterprise T1566.002 Spearphishing Link Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.111
enterprise T1055 Process Injection Wizard Spider has used process injection to execute payloads to escalate privileges.9
enterprise T1055.001 Dynamic-link Library Injection Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.111
enterprise T1021 Remote Services Wizard Spider has used the WebDAV protocol to execute Ryuk payloads hosted on network file shares.9
enterprise T1021.001 Remote Desktop Protocol Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.41119
enterprise T1021.002 SMB/Windows Admin Shares Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.1112
enterprise T1021.006 Windows Remote Management Wizard Spider has used Windows Remote Management to move laterally through a victim network.1
enterprise T1018 Remote System Discovery Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind, nltest/dclist, and PowerShell script Get-DataInfo.ps1 to enumerate domain computers, including the domain controller.24514129
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.415119
enterprise T1489 Service Stop Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.12
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Wizard Spider has used WMI to identify anti-virus products installed on a victim’s machine.12
enterprise T1518.002 Backup Software Discovery Wizard Spider has utilized the PowerShell script Get-DataInfo.ps1 to collect installed backup software information from a compromised machine.9
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to request service tickets and extract their hashes, including AES-encrypted ones, for offline cracking.1251119
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Wizard Spider has used Digicert code-signing certificates for some of its malware.11
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Wizard Spider has utilized rundll32.exe to deploy ransomware commands with the use of WebDAV.9
enterprise T1082 System Information Discovery Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim’s machine. Wizard Spider has also utilized the PowerShell cmdlet Get-ADComputer to collect DNS hostnames, last logon dates, and operating system information from Active Directory.129
enterprise T1016 System Network Configuration Discovery Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet Get-ADComputer to collect IP address data from Active Directory.159
enterprise T1033 System Owner/User Discovery Wizard Spider has used “whoami” to identify the local user and their privileges.15
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim’s network. Wizard Spider has also used batch scripts that leverage PsExec to execute a previously transferred ransomware payload on a victim’s network.12139
enterprise T1552 Unsecured Credentials -
enterprise T1552.006 Group Policy Preferences Wizard Spider has used PowerShell cmdlets Get-GPPPassword and Find-GPOPassword to find unsecured credentials in a compromised network group policy.9
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Wizard Spider has used the Invoke-SMBExec PowerShell cmdlet to execute the pass-the-hash technique and utilized stolen password hashes to move laterally.9
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.1
enterprise T1204.002 Malicious File Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.479
enterprise T1078 Valid Accounts Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.49
enterprise T1078.002 Domain Accounts Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.5
enterprise T1047 Windows Management Instrumentation Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware.415149
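Several of the "Use" entries above are concrete command-line and registry artifacts (net group "Domain admins" /DOMAIN, vssadmin and WMIC shadow copy deletion, icacls on backup servers, net stop / taskkill before encryption, the WinDotNet / GoogleTask / Sysnetsf task names, ntdsutil against NTDS.dit, WDigest UseLogonCredential, Run key and Winlogon Userinit persistence). The detection logic below is an added example, not MITRE content and not code from any cited report. The event dicts imitate Sysmon EventID 1 (process creation) and EventID 13 (registry value set) fields and are constructed; the exact argument shapes for icacls, ntdsutil and BITSAdmin-via-WMIC, and the placeholder backup service name, are assumptions about how these tools are typically invoked rather than facts stated on this page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique ID from the table above
    name: str
    pattern: re.Pattern  # applied to the command line (EID 1) or registry path (EID 13)


# Process-creation rules. Each mirrors a "Use" entry above; the precise argument
# shapes (icacls /grant Everyone:F, ntdsutil ifm create full, ...) are assumptions.
PROCESS_RULES = [
    Rule("T1087.002", "Domain Admins enumeration via net group",
         re.compile(r'\bnet(?:1)?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain\b', re.I)),
    Rule("T1490", "shadow copy deletion via vssadmin",
         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("T1490", "shadow copy deletion via WMIC",
         re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("T1197", "BITSAdmin transfer launched through WMIC",
         re.compile(r"\bwmic(?:\.exe)?\b.*\bbitsadmin\b.*/transfer\b", re.I)),
    Rule("T1222.001", "icacls granting Everyone full control",
         re.compile(r"\bicacls(?:\.exe)?\b.*/grant\s+everyone:F\b", re.I)),
    Rule("T1489", "service stop via net stop or taskkill /F",
         re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\b.*/f\b", re.I)),
    Rule("T1036.004", "scheduled task name used for TrickBot installs",
         re.compile(r'\bschtasks(?:\.exe)?\b.*/tn\s+"?(?:WinDotNet|GoogleTask|Sysnetsf)"?', re.I)),
    Rule("T1003.003", "NTDS.dit export via ntdsutil",
         re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I)),
]

# Registry value-set rules, matched against the full value path.
REGISTRY_RULES = [
    Rule("T1112", "WDigest UseLogonCredential set to 1",
         re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I)),
    Rule("T1547.001", "Run key persistence",
         re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    Rule("T1547.004", "Winlogon Userinit changed from its default",
         re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Userinit$", re.I)),
]


def _dword_is(details, value):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; compare the numeric part."""
    m = re.match(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return bool(m) and int(m.group(1), 16) == value


def _userinit_is_default(details):
    """The stock Userinit value is 'C:\\Windows\\system32\\userinit.exe,'; any extra entry is suspect."""
    entries = [e.strip().lower() for e in details.split(",") if e.strip()]
    return entries == [r"c:\windows\system32\userinit.exe"]


def detect(events):
    """Return (event_index, technique_id, rule_name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            hits.extend((i, r.technique, r.name) for r in PROCESS_RULES if r.pattern.search(cmd))
        elif ev.get("EventID") == 13:
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            for r in REGISTRY_RULES:
                if not r.pattern.search(target):
                    continue
                if r.technique == "T1112" and not _dword_is(details, 1):
                    continue          # value set back to 0 is remediation, not an attack
                if r.technique == "T1547.004" and _userinit_is_default(details):
                    continue          # default value rewritten by policy or setup: ignore
                hits.append((i, r.technique, r.name))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "CommandLine": 'net group "Domain Admins" /DOMAIN'},
    {"EventID": 1, "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"EventID": 1, "CommandLine": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    {"EventID": 1, "CommandLine": r'schtasks /Create /TN "GoogleTask" /TR "C:\Users\Public\svc.exe" /SC ONLOGON'},
    {"EventID": 1, "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\PerfLogs\1" q q'},
    {"EventID": 1, "CommandLine": "net stop ExampleBackupService /y"},   # placeholder service name
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},                    # default value, must not alert
    {"EventID": 1, "CommandLine": r"net use \\fileserver\share"},           # benign, must not alert
]

if __name__ == "__main__":
    for idx, technique, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} {name}")
```

The registry rules deliberately suppress two common false positives: a WDigest value written as 0 (hardening, not attack) and a Userinit value rewritten to its default. Everything else here is string matching on process command lines, so it catches the tooling as the cited reports describe it; renamed binaries or obfuscated arguments need telemetry keyed on original file names or API behaviour instead.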
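The Kerberoasting entry (T1558.003) above notes that the group targeted AES-encrypted service tickets as well, so detection rules that only key on RC4 (TicketEncryptionType 0x17) requests in Windows Security event 4769 would miss part of this activity. The detector below is an added example, not MITRE content and not from any cited report: it keys on the burst pattern that Rubeus, Mimikatz and Invoke-Kerberoast produce (one account requesting tickets for many distinct service accounts in a short window) and reports the encryption types as context. The 4769 field names follow the event schema; the records, the 10.0.0.x addresses and the thresholds are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption types as they appear in the 4769 TicketEncryptionType field.
ETYPE_NAMES = {"0x17": "RC4-HMAC", "0x12": "AES256-CTS-HMAC-SHA1-96", "0x11": "AES128-CTS-HMAC-SHA1-96"}


def find_kerberoast_bursts(events, min_services=5, window=timedelta(minutes=5)):
    """Flag accounts that obtained service tickets for at least `min_services` distinct
    service accounts inside `window`. Machine accounts (name ends in $) and krbtgt are
    routine ticket targets and are excluded; thresholds are assumed defaults."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("Status", "0x0") != "0x0":
            continue                      # failed request: no ticket material to crack
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[ev["TargetUserName"]].append(
            (ev["TimeCreated"], svc, ev["TicketEncryptionType"], ev.get("IpAddress")))

    findings = []
    for user, reqs in by_user.items():
        reqs.sort(key=lambda r: r[0])
        for start, (t0, _, _, ip) in enumerate(reqs):      # sliding window over requests
            in_window = [r for r in reqs[start:] if r[0] - t0 <= window]
            services = {r[1] for r in in_window}
            if len(services) >= min_services:
                findings.append({
                    "account": user,
                    "source_ip": ip,
                    "window_start": t0,
                    "services": sorted(services),
                    "encryption_types": sorted({ETYPE_NAMES.get(r[2], r[2]) for r in in_window}),
                })
                break                     # one finding per account is enough for triage
    return findings


T0 = datetime(2020, 10, 18, 9, 0, 0)     # constructed timestamp base


def _req(user, svc, etype, seconds, ip="10.0.0.23"):
    """Build a minimal constructed 4769 record."""
    return {"TargetUserName": user, "ServiceName": svc, "TicketEncryptionType": etype,
            "Status": "0x0", "IpAddress": ip, "TimeCreated": T0 + timedelta(seconds=seconds)}


SAMPLE_4769 = [  # constructed records, not real telemetry
    # One account pulling tickets for five service accounts in 90 seconds, mixing RC4
    # and AES; an RC4-only rule would see only three of these.
    _req("jdoe", "svc_sql", "0x17", 0),
    _req("jdoe", "svc_web", "0x17", 11),
    _req("jdoe", "svc_backup", "0x12", 25),
    _req("jdoe", "svc_vpn", "0x17", 40),
    _req("jdoe", "svc_mssql", "0x12", 88),
    # Normal activity: a user reaching two services over a long gap, and a
    # workstation requesting host tickets for other machines.
    _req("asmith", "svc_web", "0x12", 300, ip="10.0.0.41"),
    _req("asmith", "svc_sql", "0x12", 2000, ip="10.0.0.41"),
    _req("WS01$", "DC01$", "0x12", 15, ip="10.0.0.50"),
    _req("WS01$", "FS01$", "0x12", 30, ip="10.0.0.50"),
]

if __name__ == "__main__":
    for f in find_kerberoast_bursts(SAMPLE_4769):
        print(f["account"], f["source_ip"], f["services"], f["encryption_types"])
```

The volume threshold, not the encryption type, is what separates this from normal authentication; a legitimately broad service account can still trip it, so the source IP and the list of service names are returned to make that triage quick.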

Software

ID Name References Techniques
S0552 AdFind 21211149 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S0504 Anchor 16 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Execution Guardrails Fallback Channels NTFS File Attributes:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Non-Application Layer Protocol Obfuscated Files or Information Software Packing:Obfuscated Files or Information SMB/Windows Admin Shares:Remote Services Scheduled Task:Scheduled Task/Job Cron:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery Service Execution:System Services
S0534 Bazar 716 Domain Account:Account Discovery Local Account:Account Discovery Web Protocols:Application Layer Protocol BITS Jobs Winlogon Helper DLL:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Domain Trust Discovery Domain Generation Algorithms:Dynamic Resolution Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery Disable or Modify Tools:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Resource Name or Location:Masquerading Masquerade Task or Service:Masquerading Double File Extension:Masquerading Multi-Stage Channels Native API Network Share Discovery Encrypted/Encoded File:Obfuscated Files or Information Dynamic API Resolution:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Spearphishing Link:Phishing Process Discovery Process Injection Process Doppelgänging:Process Injection Process Hollowing:Process Injection Query Registry Remote System Discovery Scheduled Task:Scheduled Task/Job Security Software Discovery:Software Discovery Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Language Discovery:System Location Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery Malicious Link:User Execution Virtualization/Sandbox Evasion Time Based Checks:Virtualization/Sandbox Evasion Web Service Windows Management Instrumentation
S0190 BITSAdmin 9 BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0521 BloodHound 15159 Domain Account:Account Discovery Local Account:Account Discovery Archive Collected Data PowerShell:Command and Scripting Interpreter Domain Trust Discovery Group Policy Discovery Native API Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Remote System Discovery System Owner/User Discovery
S0154 Cobalt Strike 511211131579 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0575 Conti 7916 Windows Command Shell:Command and Scripting Interpreter Data Encrypted for Impact Deobfuscate/Decode Files or Information File and Directory Discovery Inhibit System Recovery Native API Network Share Discovery Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection SMB/Windows Admin Shares:Remote Services Remote System Discovery Service Stop System Network Configuration Discovery System Network Connections Discovery Taint Shared Content
S0659 Diavol 16 Web Protocols:Application Layer Protocol Data Destruction Data Encrypted for Impact Internal Defacement:Defacement File and Directory Discovery Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Inhibit System Recovery Native API Network Share Discovery Steganography:Obfuscated Files or Information Obfuscated Files or Information Process Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery Service Stop System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0024 Dyre 181920 Web Protocols:Application Layer Protocol Windows Service:Create or Modify System Process Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel Ingress Tool Transfer Software Packing:Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Process Injection Scheduled Task:Scheduled Task/Job Software Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery System Checks:Virtualization/Sandbox Evasion
S0367 Emotet 415 Token Impersonation/Theft:Access Token Manipulation Email Account:Account Discovery Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Password Guessing:Brute Force PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Email Collection Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel Encrypted Channel Exfiltration Over C2 Channel Exploitation of Remote Services Ingress Tool Transfer Lateral Tool Transfer Masquerade Task or Service:Masquerading Native API Network Share Discovery Network Sniffing Non-Standard Port Binary Padding:Obfuscated Files or Information Embedded Payloads:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information Encrypted/Encoded File:Obfuscated Files or Information Software Packing:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Spearphishing Link:Phishing Spearphishing Attachment:Phishing Process Discovery Process Hollowing:Process Injection Dynamic-link Library Injection:Process Injection Reflective Code Loading SMB/Windows Admin Shares:Remote Services Scheduled Task:Scheduled Task/Job Regsvr32:System Binary Proxy Execution Wi-Fi Discovery:System Network Configuration Discovery System Owner/User Discovery Credentials In Files:Unsecured Credentials Malicious File:User Execution Malicious Link:User Execution Local Accounts:Valid Accounts Windows Management Instrumentation
S0363 Empire 4159 Bypass User Account Control:Abuse Elevation Control Mechanism SID-History Injection:Access Token Manipulation Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Local Account:Create Account Domain Account:Create Account Windows Service:Create or Modify System Process Keychain:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain or Tenant Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow DLL:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0632 GrimAgent 17 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Junk Data:Data Obfuscation Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Mutual Exclusion:Execution Guardrails Exfiltration Over C2 Channel File and Directory Discovery Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Native API Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job System Information Discovery System Language Discovery:System Location Discovery System Location Discovery System Network Configuration Discovery System Owner/User Discovery Time Based Checks:Virtualization/Sandbox Evasion
S0349 LaZagne 9 Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Keychain:Credentials from Password Stores LSA Secrets:OS Credential Dumping /etc/passwd and /etc/shadow:OS Credential Dumping LSASS Memory:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Proc Filesystem:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0002 Mimikatz 51 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0039 Net 3145121113159 Domain Account:Account Discovery Local Account:Account Discovery Additional Local or Domain Groups:Account Manipulation Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0359 Nltest 512111315149 Domain Trust Discovery Remote System Discovery System Network Configuration Discovery
S0097 Ping 12113 Remote System Discovery
S0029 PsExec 459 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S1071 Rubeus 9 Domain Trust Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets AS-REP Roasting:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets
S0446 Ryuk 31415121113157916 Access Token Manipulation Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data Encrypted for Impact File and Directory Discovery Windows File and Directory Permissions Modification:File and Directory Permissions Modification Disable or Modify Tools:Impair Defenses Inhibit System Recovery Local Storage Discovery Loss of Productivity and Revenue Match Legitimate Resource Name or Location:Masquerading Masquerading Native API Obfuscated Files or Information Process Discovery Process Injection SMB/Windows Admin Shares:Remote Services Scheduled Task:Scheduled Task/Job Service Stop System Language Discovery:System Location Discovery System Network Configuration Discovery Traffic Signaling Domain Accounts:Valid Accounts
S0266 TrickBot 41157916 Local Account:Account Discovery Email Account:Account Discovery Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Credential Stuffing:Brute Force PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Password Managers:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Domain Trust Discovery Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel Exploitation of Remote Services Fallback Channels File and Directory Discovery Firmware Corruption Hidden Window:Hide Artifacts Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Credential API Hooking:Input Capture Component Object Model:Inter-Process Communication Masquerading Modify Registry Native API Network Share Discovery Non-Standard Port Obfuscated Files or Information Software Packing:Obfuscated Files or Information Encrypted/Encoded File:Obfuscated Files or Information Permission Groups Discovery Spearphishing Link:Phishing Spearphishing Attachment:Phishing Bootkit:Pre-OS Boot Process Discovery Process Injection Process Hollowing:Process Injection External Proxy:Proxy Remote Access Tools VNC:Remote Services Remote System Discovery Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery Credentials In Files:Unsecured Credentials Credentials in Registry:Unsecured Credentials Malicious File:User Execution Time Based Checks:Virtualization/Sandbox Evasion

References


  1. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  2. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. 

  3. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 

  4. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  5. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  6. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  7. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  8. Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023. 

  9. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  10. Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023. 

  11. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  12. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  13. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. 

  14. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. 

  15. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. 

  16. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 

  17. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  18. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020. 

  19. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020. 

  20. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.