Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual) In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.(Citation: cobaltstrike manual)
ID: S0154
Type: MALWARE
Platforms: Windows
Version: 1.13
Created: 14 Dec 2017
Last Modified: 25 Sep 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Cobalt Strike can use a number of known techniques to bypass Windows UAC.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Cobalt Strike can use sudo to run a command.(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Cobalt Strike can steal access tokens from existing processes.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

.003 Access Token Manipulation: Make and Impersonate Token

Cobalt Strike can make tokens from known credentials.(Citation: cobaltstrike manual)

.004 Access Token Manipulation: Parent PID Spoofing

Cobalt Strike can spawn processes with alternate PPIDs.(Citation: CobaltStrike Daddy May 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1087 .002 Account Discovery: Domain Account

Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.(Citation: Cyberreason Anchor December 2019)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: Securelist APT10 March 2021)(Citation: Kaspersky ToddyCat Check Logs October 2023)

.001 Application Layer Protocol: Web Protocols

Cobalt Strike uses a custom command and control protocol that can be encapsulated in HTTP or HTTPS, or DNS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)

.002 Application Layer Protocol: File Transfer Protocols

Cobalt Strike can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)

.004 Application Layer Protocol: DNS

Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

.004 Application Layer Protocol: DNS

Cobalt Strike uses a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.(Citation: cobaltstrike manual)(Citation: Cyberreason Anchor December 2019) Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Cobalt Strike uses a command-line interface to interact with systems.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: Trend Micro Black Basta October 2022)

.005 Command and Scripting Interpreter: Visual Basic

Cobalt Strike can use VBA to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)

.006 Command and Scripting Interpreter: Python

Cobalt Strike can use Python to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

.007 Command and Scripting Interpreter: JavaScript

The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.(Citation: Talos Cobalt Strike September 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cobalt Strike can install a new service.(Citation: Cobalt Strike TTPs Dec 2017)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Cobalt Strike can use Base64, URL-safe Base64, or NetBIOS encoding in its C2 traffic.(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Cobalt Strike can leverage the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI.(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.(Citation: Talos Cobalt Strike September 2020)

.002 Encrypted Channel: Asymmetric Cryptography

Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.(Citation: Talos Cobalt Strike September 2020)

Enterprise T1564 .010 Hide Artifacts: Process Argument Spoofing

Cobalt Strike can spoof arguments in spawned processes that execute beacon commands.(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1070 .006 Indicator Removal: Timestomp

Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1056 .001 Input Capture: Keylogging

Cobalt Strike can track key presses with a keylogger module.(Citation: cobaltstrike manual)(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes.(Citation: Cobalt Strike Manual 4.3 November 2020)

.002 OS Credential Dumping: Security Account Manager

Cobalt Strike can recover hashed passwords.(Citation: cobaltstrike manual)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1137 .001 Office Application Startup: Office Template Macros

Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission.(Citation: Talos Cobalt Strike September 2020)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Cobalt Strike can use net localgroup to list local groups on a system.(Citation: Cobalt Strike Manual 4.3 November 2020)

.002 Permission Groups Discovery: Domain Groups

Cobalt Strike can identify targets by querying account groups on a domain controller.(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Cobalt Strike has the ability to load DLLs via reflective injection.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

.012 Process Injection: Process Hollowing

Cobalt Strike can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1090 .001 Proxy: Internal Proxy

Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

.004 Proxy: Domain Fronting

Cobalt Strike has the ability to accept a value for HTTP Host Header to enable domain fronting.(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.(Citation: cobaltstrike manual)(Citation: Cybereason Bumblebee August 2022)

.002 Remote Services: SMB/Windows Admin Shares

Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Trend Micro Black Basta October 2022)

.003 Remote Services: Distributed Component Object Model

Cobalt Strike can deliver Beacon payloads for lateral movement by leveraging remote COM execution.(Citation: Cobalt Strike DCOM Jan 2017)

.004 Remote Services: SSH

Cobalt Strike can SSH to a remote service.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

.006 Remote Services: Windows Remote Management

Cobalt Strike can use WinRM to execute a payload on a remote host.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Cobalt Strike can use self-signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Cobalt Strike can use `rundll32.exe` to load a DLL from the command line.(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)(Citation: Trend Micro Black Basta October 2022)

Enterprise T1569 .002 System Services: Service Execution

Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services.(Citation: cobaltstrike manual)(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Cobalt Strike can perform pass the hash.(Citation: Cobalt Strike TTPs Dec 2017)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

.003 Valid Accounts: Local Accounts

Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)

Groups That Use This Software

ID Name References
G0079 DarkHydrus

(Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 DarkHydrus July 2018)

(Citation: DFIR Conti Bazar Nov 2021)

G0016 APT29

(Citation: FireEye APT29 Nov 2018)

G0118 UNC2452

(Citation: FireEye SUNBURST Backdoor December 2020)

G0129 Mustang Panda

(Citation: McAfee Dianxun March 2021) (Citation: Recorded Future REDDELTA July 2020) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Anomali MUSTANG PANDA October 2019) (Citation: Crowdstrike MUSTANG PANDA June 2018)

G0027 Threat Group-3390

(Citation: Trend Micro DRBControl February 2020)

G0050 APT32

(Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017) (Citation: Cybereason Oceanlotus May 2017) (Citation: Cybereason Cobalt Kitty 2017) (Citation: Volexity Ocean Lotus November 2020) (Citation: Amnesty Intl. Ocean Lotus February 2021) (Citation: Unit 42 KerrDown February 2019)

G0080 Cobalt Group

(Citation: RiskIQ Cobalt Nov 2017) (Citation: TrendMicro Cobalt Group Nov 2017) (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: RiskIQ Cobalt Jan 2018) (Citation: Proofpoint Cobalt June 2017) (Citation: Group IB Cobalt Aug 2017) (Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Talos Cobalt Group July 2018)

(Citation: Google Cloud APT41 2024)

G1022 ToddyCat

(Citation: Kaspersky ToddyCat Check Logs October 2023)

(Citation: Mandiant APT41)

G0073 APT19

(Citation: FireEye APT19)

G0037 FIN6

(Citation: FireEye FIN6 Apr 2019)

G0052 CopyKittens

(Citation: ClearSky Wilted Tulip July 2017)

G0092 TA505

(Citation: NCC Group TA505)

G1040 Play

(Citation: Trend Micro Ransomware Spotlight Play July 2023)

G1006 Earth Lusca

(Citation: TrendMicro EarthLusca 2022)

G0046 FIN7

(Citation: Mandiant FIN7 Apr 2022) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB)

G1020 Mustard Tempest

(Citation: Microsoft Ransomware as a Service)

(Citation: FireEye APT29 Nov 2018) (Citation: Microsoft Unidentified Dec 2018)

(Citation: Cisco Talos Avos Jun 2022)

(Citation: FireEye SUNBURST Backdoor December 2020) (Citation: Cybersecurity Advisory SVR TTP May 2021)

G0096 APT41

(Citation: FireEye APT41 March 2020) (Citation: Group IB APT 41 June 2021)

G0045 menuPass

(Citation: Securelist APT10 March 2021)

G0143 Aquatic Panda

(Citation: CrowdStrike AQUATIC PANDA December 2021)

G0034 Sandworm Team

(Citation: mandiant_apt44_unearthing_sandworm)

G0065 Leviathan

(Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018) (Citation: CISA AA21-200A APT40 July 2021)

G0016 APT29

(Citation: Secureworks IRON RITUAL Profile) (Citation: Secureworks IRON RITUAL USAID Phish May 2021) (Citation: Cybersecurity Advisory SVR TTP May 2021) (Citation: MSTIC NOBELIUM May 2021) (Citation: SentinelOne NobleBaron June 2021) (Citation: FireEye SUNBURST Backdoor December 2020) (Citation: ESET T3 Threat Report 2021) (Citation: MSTIC Nobelium Toolset May 2021)

G1021 Cinnamon Tempest

(Citation: Microsoft Ransomware as a Service) (Citation: Dell SecureWorks BRONZE STARLIGHT Profile)

G0067 APT37

(Citation: Volexity InkySquid BLUELIGHT August 2021)

G1014 LuminousMoth

(Citation: Bitdefender LuminousMoth July 2021) (Citation: Kaspersky LuminousMoth July 2021)

G0114 Chimera

(Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021)

G0119 Indrik Spider

(Citation: Mandiant_UNC2165) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Microsoft Ransomware as a Service)

G0102 Wizard Spider

(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Sophos New Ryuk Attack October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020)

References

  1. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  2. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  3. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  4. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  5. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  6. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  7. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  8. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy? Retrieved June 4, 2019.
  9. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  10. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  11. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  12. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  13. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  14. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  15. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  16. Mesa, M, et al. (2017, June 1). Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions. Retrieved October 10, 2018.
  17. Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
  18. Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  19. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
  20. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  21. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  22. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  23. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  24. Mudge, R. (2017, January 24). Scripting Matt Nelson’s MMC20.Application Lateral Movement Technique. Retrieved November 21, 2017.
  25. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  26. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  27. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  28. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  29. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  30. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  31. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  32. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  33. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  34. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  35. Strategic Cyber, LLC. (n.d.). Scripted Web Delivery. Retrieved January 23, 2018.
  36. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  37. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  38. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  39. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  40. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
  41. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  42. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  43. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  44. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  45. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  46. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  47. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  48. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  49. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  50. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  51. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  52. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
  53. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  54. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  55. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  56. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  57. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  58. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  59. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  60. Klijnsma, Y. (2017, November 28). Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions. Retrieved October 10, 2018.
  61. Klijnsma, Y. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  62. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
  63. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  64. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  65. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  66. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  67. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  68. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.
  69. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  70. SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.
  71. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  72. Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  73. Lechtik, M. et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  74. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  75. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  76. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  77. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
  78. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  79. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  80. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  81. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  82. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  83. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  84. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  85. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
