Skip to content

T1047 Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).3 Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.31

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. 2 1

Item Value
ID T1047
Sub-techniques
Tactics TA0002
Platforms Windows
Version 1.3
Created 31 May 2017
Last Modified 07 April 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, WMI in scripts were used for remote execution and system surveys. 102
S1028 Action RAT Action RAT can use WMI to gather AV products installed on an infected host.46
S0331 Agent Tesla Agent Tesla has used wmi queries to gather information from the system.63
G0016 APT29 APT29 used WMI to steal credentials and execute backdoors at a future time.105
G0050 APT32 APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.99
G0096 APT41 APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.124125
S0373 Astaroth Astaroth uses WMIC to execute payloads. 47
S0640 Avaddon Avaddon uses wmic.exe to delete shadow copies.53
S0534 Bazar Bazar can execute a WMI query to gather information about the installed antivirus engine.7475
S1070 Black Basta Black Basta has used WMI to execute files over the network.35
S1068 BlackCat BlackCat can use wmic.exe to delete shadow copies on compromised networks.15
S0089 BlackEnergy A BlackEnergy 2 plug-in uses WMI to gather victim host details.33
G0108 Blue Mockingbird Blue Mockingbird has used wmic.exe to set environment variables.128
S1063 Brute Ratel C4 Brute Ratel C4 can use WMI to move laterally.8
S1039 Bumblebee Bumblebee can use WMI to gather system information and to spawn processes for code injection.616059
C0015 C0015 During C0015, the threat actors used wmic and rundll32 to load Cobalt Strike onto a target host.79
C0018 C0018 During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (wmiprvse.exe) to execute a variety of encoded PowerShell scripts using the DownloadString method.137136
S0674 CharmPower CharmPower can use wmic to gather information from a system.39
G0114 Chimera Chimera has used WMIC to execute remote commands.100101
S0154 Cobalt Strike Cobalt Strike can use WMI to deliver a payload to a remote host.808179
S0488 CrackMapExec CrackMapExec can execute remote commands using Windows Management Instrumentation.7
S1066 DarkTortilla DarkTortilla can use WMI queries to obtain system information.90
S0673 DarkWatchman DarkWatchman can use WMI to execute commands.37
S0616 DEATHRANSOM DEATHRANSOM has the ability to use WMI to delete volume shadow copies.16
G0009 Deep Panda The Deep Panda group is known to utilize WMI for lateral movement.127
S0062 DustySky The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.24
G1006 Earth Lusca Earth Lusca used a VBA script to execute WMI.117
S0605 EKANS EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.27
S0367 Emotet Emotet has used WMI to execute powershell.exe.65
S0363 Empire Empire can use WMI to deliver a payload to a remote host.14
S0396 EvilBunny EvilBunny has used WMI to gather information about the system.67
S0568 EVILNUM EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.55
S0267 FELIXROOT FELIXROOT uses WMI to query the Windows Registry.38
G0037 FIN6 FIN6 has used WMI to automate the remote execution of PowerShell scripts.118
G0046 FIN7 FIN7 has used WMI to install malware on targeted systems.110
G0061 FIN8 FIN8‘s malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities.114116115
S0618 FIVEHANDS FIVEHANDS can use WMI to delete files on a target machine.1617
S0381 FlawedAmmyy FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.54
C0001 Frankenstein During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.138
S1044 FunnyDream FunnyDream can use WMI to open a Windows command shell on a remote machine.25
C0007 FunnyDream During FunnyDream, the threat actors used wmiexec.vbs to run remote commands.25
G0093 GALLIUM GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.91
G0047 Gamaredon Group Gamaredon Group has used WMI to execute scripts used for discovery.92
S0237 GravityRAT GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).82
S0151 HALFBAKED HALFBAKED can use WMI queries to gather system information.23
S0617 HELLOKITTY HELLOKITTY can use WMI to delete volume shadow copies.16
S0698 HermeticWizard HermeticWizard can use WMI to create a new process on a remote machine via C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll.88
S0376 HOPLIGHT HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.41
S0483 IcedID IcedID has used WMI to execute binaries.34
S0357 Impacket Impacket‘s wmiexec module can be used to execute commands through WMI.9
G0119 Indrik Spider Indrik Spider has used WMIC to execute commands on remote computers.123
S0283 jRAT jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.58
S0265 Kazuar Kazuar obtains a list of running processes through WMI querying.48
S0250 Koadic Koadic can use WMI to execute commands.13
S0156 KOMPROGO KOMPROGO is capable of running WMI queries.31
G0032 Lazarus Group Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.130129132131
G0065 Leviathan Leviathan has used WMI for execution.106
S0532 Lucifer Lucifer can use WMI to log into remote machines for propagation.66
G0059 Magic Hound Magic Hound has used a tool to run cmd /c wmic computersystem get domain for discovery.104
S0449 Maze Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization’s network.5657
G0045 menuPass menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.107109108
S0688 Meteor Meteor can use wmic.exe as part of its effort to delete shadow copies.89
S0339 Micropsia Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.7778
S0553 MoleNet MoleNet can perform WMI commands on the system.28
S0256 Mosquito Mosquito‘s installer uses WMI to search for antivirus display names.36
G0069 MuddyWater MuddyWater has used malware that leveraged WMI for execution and querying host information.95739394
G0129 Mustang Panda Mustang Panda has executed PowerShell scripts via WMI.9697
G0019 Naikon Naikon has used WMIC.exe for lateral movement.98
S0457 Netwalker Netwalker can use WMI to delete Shadow Volumes.32
S0368 NotPetya NotPetya can use wmic to help propagate itself across a network.1920
S0340 Octopus Octopus has used wmic.exe for local discovery information.40
G0049 OilRig OilRig has used WMI for execution.126
S0365 Olympic Destroyer Olympic Destroyer uses WMI to help propagate itself across a network.43
S0264 OopsIE OopsIE uses WMI to perform discovery techniques.71
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used WMIC to executed a remote XSL script.139
C0014 Operation Wocao During Operation Wocao, threat actors has used WMI to execute commands.133
S0378 PoshC2 PoshC2 has a number of modules that use WMI to execute tasks.12
S0194 PowerSploit PowerSploit‘s Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.1011
S0223 POWERSTATS POWERSTATS can use WMI queries to retrieve data from compromised hosts.7273
S0184 POWRUNER POWRUNER may use WMI when collecting information about a victim.70
S0654 ProLock ProLock can use WMIC to execute scripts on targeted hosts.62
S1032 PyDCrypt PyDCrypt has attempted to execute with WMIC.42
S0650 QakBot QakBot can execute WMI queries to gather information.83
S0241 RATANKBA RATANKBA uses WMI to perform process monitoring.8586
S0375 Remexi Remexi executes received commands with wmic.exe (for WMI commands). 26
S0496 REvil REvil can use WMI to monitor for and kill specific processes listed in its configuration file.6869
S0270 RogueRobin RogueRobin uses various WMI queries to check if the sample is running in a sandbox.2122
G0034 Sandworm Team Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries.102103
S0546 SharpStage SharpStage can use WMI for execution.2829
S0589 Sibot Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.87
S0692 SILENTTRINITY SILENTTRINITY can use WMI for lateral movement.6
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement.134135
G0038 Stealth Falcon Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).113
S0380 StoneDrill StoneDrill has used the WMI command-line (WMIC) utility to run tasks.49
S0603 Stuxnet Stuxnet used WMI with an explorer.exe token to execute on a remote share.64
S0559 SUNBURST SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.30
S1064 SVCReady SVCReady can use WMI queries to detect the presence of a virtual machine environment.84
S0663 SysUpdate SysUpdate can use WMI for execution on a compromised host.45
G0027 Threat Group-3390 A Threat Group-3390 tool can use WMI to execute a binary.111
S0386 Ursnif Ursnif droppers have used WMI classes to execute PowerShell commands.18
S0476 Valak Valak can use wmic process call create in a scheduled task to launch plugins and for execution.44
S0366 WannaCry WannaCry utilizes wmic to delete shadow copies.505152
G0112 Windshift Windshift has used WMI to collect information about target machines.112
G0102 Wizard Spider Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.121120122119
S0251 Zebrocy One variant of Zebrocy uses WMI queries to gather information.76

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. 5
M1038 Execution Prevention Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.4
M1026 Privileged Account Management Prevent credential overlap across systems of administrator and privileged accounts. 1
M1018 User Account Management By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation

References

  1. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. 

  2. Devon Kerr. (2015). There’s Something About WMI. Retrieved May 4, 2020. 

  3. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. 

  4. Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021. 

  5. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  6. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  7. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  8. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  9. SecureAuth. (n.d.). Retrieved January 15, 2019. 

  10. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  11. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  12. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  13. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. 

  14. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  15. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 

  16. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 

  17. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. 

  18. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 

  19. Chiu, A. (2016, June 27). New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Retrieved March 26, 2019. 

  20. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. 

  21. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  22. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. 

  23. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  24. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 

  25. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  26. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  27. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. 

  28. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  29. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  30. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  31. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  32. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. 

  33. Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016. 

  34. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  35. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. 

  36. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  37. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  38. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  39. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  40. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  41. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  42. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  43. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. 

  44. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 

  45. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  46. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  47. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 

  48. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  49. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  50. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. 

  51. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. 

  52. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. 

  53. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021. 

  54. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  55. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 

  56. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  57. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  58. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. 

  59. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. 

  60. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  61. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  62. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  63. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. 

  64. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  

  65. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019. 

  66. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  67. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 

  68. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. 

  69. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 

  70. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  71. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. 

  72. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  73. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  74. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  75. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  76. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  77. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. 

  78. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  79. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  80. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  81. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  82. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  83. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  84. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  85. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 

  86. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. 

  87. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  88. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. 

  89. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  90. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  91. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  92. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  93. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  94. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  95. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  96. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  97. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  98. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  99. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  100. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  101. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  102. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  103. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  104. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  105. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. 

  106. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  107. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  108. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  109. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017. 

  110. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021. 

  111. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. 

  112. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. 

  113. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. 

  114. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  115. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  116. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  117. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  118. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  119. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. 

  120. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  121. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  122. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  123. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  124. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  125. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  126. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  127. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. 

  128. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  129. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  130. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  131. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. 

  132. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  133. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  134. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. 

  135. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  136. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  137. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. 

  138. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  139. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.