AdFind
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
AdFind can enumerate domain users.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Cybereason Bumblebee August 2022)(Citation: Symantec Bumblebee June 2022) |
Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
AdFind can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0092 | TA505 |
(Citation: NCC Group TA505) |
G0102 | Wizard Spider |
(Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Mandiant FIN12 Oct 2021) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) |
G0046 | FIN7 |
(Citation: CrowdStrike Carbon Spider August 2021) |
(Citation: DFIR Conti Bazar Nov 2021) |
||
G1040 | Play |
(Citation: CISA Play Ransomware Advisory December 2023) (Citation: Trend Micro Ransomware Spotlight Play July 2023) |
G0037 | FIN6 |
(Citation: FireEye FIN6 Apr 2019) |
G0118 | UNC2452 |
(Citation: Microsoft Analyzing Solorigate Dec 2020) |
G1024 | Akira |
(Citation: Arctic Wolf Akira 2023) |
G1032 | INC Ransom |
(Citation: Secureworks GOLD IONIC April 2024) |
(Citation: CrowdStrike StellarParticle January 2022) (Citation: Microsoft Analyzing Solorigate Dec 2020) |
||
G0016 | APT29 |
(Citation: Microsoft Analyzing Solorigate Dec 2020) (Citation: CrowdStrike StellarParticle January 2022) (Citation: ESET T3 Threat Report 2021) |
G0045 | menuPass |
(Citation: Symantec Cicada November 2020) |
References
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
- Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
- Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
- Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.