AdFind
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .002 | Account Discovery: Domain Account |
AdFind can enumerate domain users.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Cybereason Bumblebee August 2022)(Citation: Symantec Bumblebee June 2022) |
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
AdFind can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0092 | TA505 |
(Citation: NCC Group TA505) |
| G0102 | Wizard Spider |
(Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) |
| G0046 | FIN7 |
(Citation: CrowdStrike Carbon Spider August 2021) |
|
(Citation: DFIR Conti Bazar Nov 2021) |
||
| G0037 | FIN6 |
(Citation: FireEye FIN6 Apr 2019) |
| G0118 | UNC2452 |
(Citation: Microsoft Analyzing Solorigate Dec 2020) |
| G0016 | APT29 |
(Citation: Microsoft Analyzing Solorigate Dec 2020) (Citation: CrowdStrike StellarParticle January 2022) (Citation: ESET T3 Threat Report 2021) |
| G0045 | menuPass |
(Citation: Symantec Cicada November 2020) |
References
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
- The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.