
Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.

The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management.(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3)(Citation: Mandiant WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., Inhibit System Recovery).(Citation: WMI 6)

**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)

ID: T1047
Tactic(s): Execution
Platforms: Windows
Data Sources: Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Version: 1.5
Created: 31 May 2017
Last Modified: 15 Oct 2024

Procedure Examples

Name Description
Sardonic

Sardonic can use WMI to execute PowerShell commands on a compromised machine.(Citation: Bitdefender Sardonic Aug 2021)

Meteor

Meteor can use `wmic.exe` as part of its effort to delete shadow copies.(Citation: Check Point Meteor Aug 2021)

Cinnamon Tempest

Cinnamon Tempest has used Impacket for lateral movement via WMI.(Citation: Microsoft Ransomware as a Service)(Citation: Sygnia Emperor Dragonfly October 2022)

RogueRobin

RogueRobin uses various WMI queries to check if the sample is running in a sandbox.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

menuPass

menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)(Citation: Symantec Cicada November 2020)

SUNBURST

SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.(Citation: FireEye SUNBURST Backdoor December 2020)

During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host.(Citation: DFIR Conti Bazar Nov 2021)

INC Ransom

INC Ransom has used WMIC to deploy ransomware.(Citation: Cybereason INC Ransomware November 2023)(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)

BlackEnergy

A BlackEnergy 2 plug-in uses WMI to gather victim host details.(Citation: Securelist BlackEnergy Feb 2015)

FunnyDream

FunnyDream can use WMI to open a Windows command shell on a remote machine.(Citation: Bitdefender FunnyDream Campaign November 2020)

jRAT

jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.(Citation: jRAT Symantec Aug 2018)

Emotet

Emotet has used WMI to execute powershell.exe.(Citation: Carbon Black Emotet Apr 2019)

Gamaredon Group

Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address.(Citation: CERT-EE Gamaredon January 2021)(Citation: unit42_gamaredon_dec2022)

FIVEHANDS

FIVEHANDS can use WMI to delete files on a target machine.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)

Zebrocy

One variant of Zebrocy uses WMI queries to gather information.(Citation: Unit42 Sofacy Dec 2018)

APT32

APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.(Citation: Cybereason Cobalt Kitty 2017)

Mosquito

Mosquito's installer uses WMI to search for antivirus display names.(Citation: ESET Turla Mosquito Jan 2018)

Mustang Panda

Mustang Panda has executed PowerShell scripts via WMI.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

MuddyWater

MuddyWater has used malware that leveraged WMI for execution and querying host information.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Agent Tesla

Agent Tesla has used WMI queries to gather information from the system.(Citation: Bitdefender Agent Tesla April 2020)

PoshC2

PoshC2 has a number of modules that use WMI to execute tasks.(Citation: GitHub PoshC2)

Frankenstein

Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version.(Citation: Talos Frankenstein June 2019)

Bumblebee

Bumblebee can use WMI to gather system information and to spawn processes for code injection.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)

Wizard Spider

Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: Mandiant FIN12 Oct 2021)

Leviathan

Leviathan has used WMI for execution.(Citation: Proofpoint Leviathan Oct 2017)

Action RAT

Action RAT can use WMI to gather AV products installed on an infected host.(Citation: MalwareBytes SideCopy Dec 2021)

Covenant

Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners.(Citation: Github Covenant)

EvilBunny

EvilBunny has used WMI to gather information about the system.(Citation: Cyphort EvilBunny Dec 2014)

Stuxnet

Stuxnet used WMI with an explorer.exe token to execute on a remote share.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

PowerSploit

PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

IMAPLoader

IMAPLoader uses WMI queries to query system information on victim hosts.(Citation: PWC Yellow Liderc 2023)

POWRUNER

POWRUNER may use WMI when collecting information about a victim.(Citation: FireEye APT34 Dec 2017)

SocGholish

SocGholish has used WMI calls for script execution and system profiling.(Citation: SocGholish-update)

FlawedAmmyy

FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.(Citation: Proofpoint TA505 Mar 2018)

FIN7

FIN7 has used WMI to install malware on targeted systems.(Citation: eSentire FIN7 July 2021)

GALLIUM

GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.(Citation: Cybereason Soft Cell June 2019)

Volt Typhoon

Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

ProLock

ProLock can use WMIC to execute scripts on targeted hosts.(Citation: Group IB Ransomware September 2020)

POWERSTATS

POWERSTATS can use WMI queries to retrieve data from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018)

Akira

Akira will leverage COM objects accessed through WMI during execution to evade detection.(Citation: Kersten Akira 2023)

Blue Mockingbird

Blue Mockingbird has used wmic.exe to set environment variables.(Citation: RedCanary Mockingbird May 2020)

SILENTTRINITY

SILENTTRINITY can use WMI for lateral movement.(Citation: GitHub SILENTTRINITY Modules July 2019)

OopsIE

OopsIE uses WMI to perform discovery techniques.(Citation: Unit 42 OilRig Sept 2018)

Naikon

Naikon has used WMIC.exe for lateral movement.(Citation: Bitdefender Naikon April 2021)

Brute Ratel C4

Brute Ratel C4 can use WMI to move laterally.(Citation: Palo Alto Brute Ratel July 2022)

Koadic

Koadic can use WMI to execute commands.(Citation: Github Koadic)

INC Ransomware

INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024)

Lazarus Group

Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Qualys LolZarus)

Sibot

Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.(Citation: MSTIC NOBELIUM Mar 2021)

DustySky

The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.(Citation: DustySky)

WannaCry

WannaCry utilizes wmic to delete shadow copies.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)

EKANS

EKANS can use Windows Management Instrumentation (WMI) calls to execute operations.(Citation: Dragos EKANS)

RATANKBA

RATANKBA uses WMI to perform process monitoring.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)

MoleNet

MoleNet can perform WMI commands on the system.(Citation: Cybereason Molerats Dec 2020)

BlackCat

BlackCat can use `wmic.exe` to delete shadow copies on compromised networks.(Citation: Microsoft BlackCat Jun 2022)

NotPetya

NotPetya can use wmic to help propagate itself across a network.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)

HALFBAKED

HALFBAKED can use WMI queries to gather system information.(Citation: FireEye FIN7 April 2017)

Sandworm Team

Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022)

StoneDrill

StoneDrill has used the WMI command-line (WMIC) utility to run tasks.(Citation: Kaspersky StoneDrill 2017)

Remexi

Remexi executes received commands with wmic.exe (for WMI commands). (Citation: Securelist Remexi Jan 2019)

Earth Lusca

Earth Lusca used a VBA script to execute WMI.(Citation: TrendMicro EarthLusca 2022)

Empire

Empire can use WMI to deliver a payload to a remote host.(Citation: Github PowerShell Empire)

CrackMapExec

CrackMapExec can execute remote commands using Windows Management Instrumentation.(Citation: CME Github September 2018)

Impacket

Impacket's wmiexec module can be used to execute commands through WMI.(Citation: Impacket Tools)

Indrik Spider

Indrik Spider has used WMIC to execute commands on remote computers.(Citation: Symantec WastedLocker June 2020)

Snip3

Snip3 can query the WMI class `Win32_ComputerSystem` to gather information.(Citation: Morphisec Snip3 May 2021)

FELIXROOT

FELIXROOT uses WMI to query the Windows Registry.(Citation: ESET GreyEnergy Oct 2018)

Olympic Destroyer

Olympic Destroyer uses WMI to help propagate itself across a network.(Citation: Talos Olympic Destroyer 2018)

TA2541

TA2541 has used WMI to query targeted systems for security products.(Citation: Proofpoint TA2541 February 2022)

Raspberry Robin

Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.(Citation: TrendMicro RaspberryRobin 2022)

HermeticWizard

HermeticWizard can use WMI to create a new process on a remote machine via `C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\.dll`.(Citation: ESET Hermetic Wizard March 2022)

HELLOKITTY

HELLOKITTY can use WMI to delete volume shadow copies.(Citation: FireEye FiveHands April 2021)

Operation Wocao

Operation Wocao has used WMI to execute commands.(Citation: FoxIT Wocao December 2019)

Stealth Falcon

Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).(Citation: Citizen Lab Stealth Falcon May 2016)

IcedID

IcedID has used WMI to execute binaries.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Sodinokibi_Ransomware)

Aquatic Panda

Aquatic Panda used WMI for lateral movement in victim environments.(Citation: Crowdstrike HuntReport 2022)

REvil

REvil can use WMI to monitor for and kill specific processes listed in its configuration file.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Group IB Ransomware May 2020)

During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.(Citation: Talos Frankenstein June 2019)

LunarWeb

LunarWeb can use WMI queries for discovery on the victim host.(Citation: ESET Turla Lunar toolset May 2024)

Astaroth

Astaroth uses WMIC to execute payloads. (Citation: Cofense Astaroth Sept 2018)

DarkTortilla

DarkTortilla can use WMI queries to obtain system information.(Citation: Secureworks DarkTortilla Aug 2022)

SVCReady

SVCReady can use `WMI` queries to detect the presence of a virtual machine environment.(Citation: HP SVCReady Jun 2022)

DarkWatchman

DarkWatchman can use WMI to execute commands.(Citation: Prevailion DarkWatchman 2021)

During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.(Citation: Crowdstrike TELCO BPO Campaign December 2022)

APT29

APT29 used WMI to steal credentials and execute backdoors at a future time.(Citation: Mandiant No Easy Breach)

Black Basta

Black Basta has used WMI to execute files over the network.(Citation: NCC Group Black Basta June 2022)

During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script.(Citation: ESET Lazarus Jun 2020)

Avaddon

Avaddon uses wmic.exe to delete shadow copies.(Citation: Hornet Security Avaddon June 2020)

Octopus

Octopus has used wmic.exe for local discovery information.(Citation: Securelist Octopus Oct 2018)

HOPLIGHT

HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.(Citation: US-CERT HOPLIGHT Apr 2019)

During the 2016 Ukraine Electric Power Attack, WMI in scripts was used for remote execution and system surveys.(Citation: Dragos Crashoverride 2018)

PyDCrypt

PyDCrypt has attempted to execute with WMIC.(Citation: Checkpoint MosesStaff Nov 2021)

Maze

Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)

Cobalt Strike

Cobalt Strike can use WMI to deliver a payload to a remote host.(Citation: cobaltstrike manual)

OilRig

OilRig has used WMI for execution.(Citation: FireEye APT34 Webinar Dec 2017)

During Operation Wocao, threat actors used WMI to execute commands.(Citation: FoxIT Wocao December 2019)

Windshift

Windshift has used WMI to collect information about target machines.(Citation: BlackBerry Bahamut)

During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.(Citation: Microsoft Albanian Government Attacks September 2022)

FIN6

FIN6 has used WMI to automate the remote execution of PowerShell scripts.(Citation: Security Intelligence More Eggs Aug 2019)

DEATHRANSOM

DEATHRANSOM has the ability to use WMI to delete volume shadow copies.(Citation: FireEye FiveHands April 2021)

UNC2452

UNC2452 used WMI for the remote execution of files for lateral movement.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)

ToddyCat

ToddyCat has used WMI to execute scripts for post exploit document collection.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Deep Panda

The Deep Panda group is known to utilize WMI for lateral movement.(Citation: Alperovitch 2014)

BADHATCH

BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Threat Group-3390

A Threat Group-3390 tool can use WMI to execute a binary.(Citation: Nccgroup Emissary Panda May 2018)

Ursnif

Ursnif droppers have used WMI classes to execute PowerShell commands.(Citation: Bromium Ursnif Mar 2017)

During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)

Cobalt Strike

Cobalt Strike can use WMI to deliver a payload to a remote host.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)

SharpStage

SharpStage can use WMI for execution.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

QakBot

QakBot can execute WMI queries to gather information.(Citation: Kaspersky QakBot September 2021)

Micropsia

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

Ember Bear

Ember Bear has used WMI execution with password hashes for command execution and lateral movement.(Citation: CISA GRU29155 2024)

Bazar

Bazar can execute a WMI query to gather information about the installed antivirus engine.(Citation: Cybereason Bazar July 2020)(Citation: DFIR Ryuk's Return October 2020)

Chimera

Chimera has used WMIC to execute remote commands.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Netwalker

Netwalker can use WMI to delete Shadow Volumes.(Citation: TrendMicro Netwalker May 2020)

During FunnyDream, the threat actors used `wmiexec.vbs` to run remote commands.(Citation: Bitdefender FunnyDream Campaign November 2020)

FIN13

FIN13 has utilized `WMI` to execute commands and move laterally on compromised Windows machines.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Latrodectus

Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

KOMPROGO

KOMPROGO is capable of running WMI queries.(Citation: FireEye APT32 May 2017)

Valak

Valak can use wmic process call create in a scheduled task to launch plugins and for execution.(Citation: SentinelOne Valak June 2020)

EVILNUM

EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.(Citation: Prevailion EvilNum May 2020)

Magic Hound

Magic Hound has used a tool to run `cmd /c wmic computersystem get domain` for discovery.(Citation: DFIR Report APT35 ProxyShell March 2022)

SysUpdate

SysUpdate can use WMI for execution on a compromised host.(Citation: Trend Micro Iron Tiger April 2021)

CharmPower

CharmPower can use `wmic` to gather information from a system.(Citation: Check Point APT35 CharmPower January 2022)

Kazuar

Kazuar obtains a list of running processes through WMI querying.(Citation: Unit 42 Kazuar May 2017)

APT41

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) APT41 has executed files through Windows Management Instrumentation (WMI).(Citation: apt41_dcsocytec_dec2022)

During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (`wmiprvse.exe`) to execute a variety of encoded PowerShell scripts using the `DownloadString` method.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)

Lucifer

Lucifer can use WMI to log into remote machines for propagation.(Citation: Unit 42 Lucifer June 2020)

FIN8

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn `cmd.exe` execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and post compromise cleanup activities.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Symantec FIN8 Jul 2023)

GravityRAT

GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).(Citation: Talos GravityRAT)

Mitigations

Mitigation Description
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Detection

Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)
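
An added example (not part of the ATT&CK page or of any product's rule set) of the process monitoring described above: it tags process-creation events for the `wmic` patterns this page names (`Shadowcopy Delete`, `process call create`, remote use, plain queries) and for script hosts spawned by `wmiprvse.exe`. The event field names, host names, sample events and severity tiers are constructed assumptions; `/node:` is the `wmic` switch that targets a remote machine.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# Constructed process-creation events; the field names are assumptions that
# loosely mirror what an EDR or Sysmon process-creation record carries.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": WMIC, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic.exe Shadowcopy Delete"},
    {"host": "WS-014", "image": WMIC, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:"SRV-FILE01" process call create "cmd.exe /c whoami"'},
    {"host": "WS-022", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c wmic computersystem get domain"},
    {"host": "SRV-FILE01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <constructed-placeholder>"},
    {"host": "WS-031", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# wmic may be the process image itself or be wrapped by cmd.exe or a script.
WMIC_TOKEN = re.compile(r"\bwmic(?:\.exe)?\b", re.I)

# Command-line patterns, evaluated in this order.
WMIC_RULES = [
    ("remote-node", re.compile(r'/node:\s*"?[^\s"]+', re.I)),
    ("process-create", re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("shadowcopy-delete", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Interpreters and loaders that rarely have a reason to be started by the
# WMI provider host; such a child usually means a WMI process-creation call.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe",
                "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


class Finding(NamedTuple):
    host: str
    severity: str
    tags: tuple
    cmdline: str


def severity(tags) -> str:
    """Map tags to a triage tier (the tiers are this example's assumption)."""
    t = set(tags)
    if "shadowcopy-delete" in t or {"remote-node", "process-create"} <= t:
        return "high"
    if t & {"remote-node", "process-create", "wmiprvse-child"}:
        return "medium"
    return "low"


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for WMI-related process activity, else None."""
    # ntpath parses Windows paths correctly even when run on Linux or macOS.
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event.get("parent", "")).lower()
    cmd = event["cmdline"]
    tags = []
    if image == "wmic.exe" or WMIC_TOKEN.search(cmd):
        tags = [name for name, rx in WMIC_RULES if rx.search(cmd)]
        if not tags:
            tags = ["wmic-query"]  # plain query, typically discovery
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        tags.append("wmiprvse-child")
    if not tags:
        return None
    return Finding(event["host"], severity(tags), tuple(tags), cmd)


def triage(events) -> list:
    """Classify every event and return the findings, most severe first."""
    findings = [f for f in map(classify, events) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:<6} {f.host:<10} {','.join(f.tags):<28} {f.cmdline}")
```

The `wmiprvse-child` tag fires on the host where the WMI call lands, so it still applies where `wmic.exe` is absent and the caller used PowerShell or a COM API instead.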

References

  1. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  2. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  3. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  4. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  5. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  6. Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024.
  7. Microsoft. (2023, March 7). Retrieved February 13, 2024.
  8. Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024.
  9. Mandiant. (n.d.). Retrieved February 13, 2024.
  10. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  11. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  12. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  13. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  14. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  15. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  16. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  17. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  18. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  19. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  20. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  21. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  22. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  23. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  24. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  25. Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
  26. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  27. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  28. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  29. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  30. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  31. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  32. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  33. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  34. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  35. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  36. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  37. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  38. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  39. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  40. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  41. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  42. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  43. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  44. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  45. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  46. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  47. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  48. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  49. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  50. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  51. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  52. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  53. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  54. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  55. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  56. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  57. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  58. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  59. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  60. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  61. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  62. Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
  63. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  64. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. Retrieved September 20, 2021.
  65. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  66. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  67. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  68. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  69. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  70. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  71. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  72. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  73. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  74. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  75. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  76. Coulter, D. et al. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.
  77. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  78. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  79. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  80. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  81. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  82. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  83. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  84. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  85. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  86. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  87. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  88. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  89. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  90. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  91. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  92. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  93. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  94. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  95. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  96. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  97. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  98. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  99. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  100. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  101. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  102. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  103. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  104. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  105. SecureAuth. (n.d.). Retrieved January 15, 2019.
  106. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  107. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  108. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  109. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  110. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  111. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  112. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  113. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  114. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  115. DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
  116. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  117. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  118. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  119. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  120. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  121. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  122. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  123. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  124. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  125. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  126. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  127. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  128. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
  129. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  130. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  131. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  132. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  133. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  134. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  135. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  136. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  137. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  138. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  139. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  140. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  141. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  142. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  143. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  144. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  145. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  146. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  147. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  148. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  149. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  150. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  151. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  152. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  153. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  154. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  155. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  156. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  157. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  158. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  159. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  160. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  161. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  162. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  163. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  164. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  165. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  166. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  167. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  168. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  169. Fraser, N., et al. (2019, August 7). Double Dragon APT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  170. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  171. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  172. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  173. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  174. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  175. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  176. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  177. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  178. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
