Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

ID: G0102
Associated Groups: UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193
Contributors: Edward Millington; Oleksiy Gayda
Version: 4.0
Created: 12 May 2020
Last Modified: 12 March 2025

Associated Group Descriptions

Name Description
UNC1878 [4]
TEMP.MixMaster [5]
Grim Spider [1][6]
FIN12 [7]
GOLD BLACKBURN [8]
ITG23 [9]
Periwinkle Tempest [10]
DEV-0193 [10]

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

Wizard Spider has used batch scripts that utilize WMIC to execute a BITSAdmin transfer of a ransomware payload to each compromised machine.[7]

Enterprise T1047 Windows Management Instrumentation

Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware.[6][2][4][11][7]

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.[4]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Wizard Spider has used the PowerShell cmdlet Invoke-WCMDump to enumerate Windows credentials in the Credential Manager in a compromised network.[7]

Enterprise T1005 Data from Local System

Wizard Spider has collected data from a compromised host prior to exfiltration.[7]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, using task names such as WinDotNet, GoogleTask, or Sysnetsf to appear legitimate.[6] It has also used common document file names for other malware binaries.[4]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Wizard Spider has used the Invoke-SMBExec PowerShell cmdlet to execute the pass-the-hash technique and utilized stolen password hashes to move laterally.[7]

Enterprise T1112 Modify Registry

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory. Wizard Spider has also modified the WDigest registry key to allow plaintext credentials to be cached in memory.[6][7]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.[6][7]

Enterprise T1136 .001 Create Account: Local Account

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.[7]

Enterprise T1136 .002 Create Account: Domain Account

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.[7]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[2][4]

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts to download malware on victims' machines.[6] It has also used PowerShell to execute commands and move laterally through a victim network.[2][4][11][7]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Wizard Spider has used cmd.exe to execute commands on a victim's machine.[12][7]

Enterprise T1133 External Remote Services

Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.[4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[2][4][12][7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.[6]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.[7]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Wizard Spider has archived data into ZIP files on compromised machines.[7]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Wizard Spider has dumped lsass.exe memory to harvest credentials with the open-source tool LaZagne.[7]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.[4]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect NTDS.dit with the Windows utility ntdsutil.[4][7]

Enterprise T1074 Data Staged

Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.[6]

Enterprise T1074 .001 Data Staged: Local Data Staging

Wizard Spider has staged ZIP files in local directories such as C:\PerfLogs\1\ and C:\User\1\ prior to exfiltration.[7]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.[13]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Wizard Spider has exfiltrated victim information using FTP.[12][14]

Enterprise T1078 Valid Accounts

Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.[6][7]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[4]

Enterprise T1489 Service Stop

Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.[12]

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

Wizard Spider has used the PowerShell cmdlets Get-GPPPassword and Find-GPOPassword to find unsecured credentials in a compromised network's group policy.[7]

Enterprise T1570 Lateral Tool Transfer

Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.[6]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Wizard Spider has used Base64 encoding to obfuscate an Empire service and PowerShell commands.[5][12]

Enterprise T1204 .001 User Execution: Malicious Link

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[2]

Enterprise T1204 .002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.[6][3][7]

Enterprise T1070 .004 Indicator Removal: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.[6]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.[12][4][2][14][7]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Wizard Spider has utilized rundll32.exe to deploy ransomware commands via WebDAV.[7]

Enterprise T1082 System Information Discovery

Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet Get-ADComputer to collect DNS hostnames, last logon dates, and operating system information from Active Directory.[12][7]

Enterprise T1490 Inhibit System Recovery

Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with vssadmin.[7]

Enterprise T1033 System Owner/User Discovery

Wizard Spider has used "whoami" to identify the local user and their privileges.[13]

Enterprise T1569 .002 System Services: Service Execution

Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim's network. Wizard Spider has also used batch scripts that leverage PsExec to execute a previously transferred ransomware payload on a victim's network.[12][15][7]

Enterprise T1016 System Network Configuration Discovery

Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet Get-ADComputer to collect IP address data from Active Directory.[13][7]

Enterprise T1135 Network Share Discovery

Wizard Spider has used the "net view" command to locate mapped network shares.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.[4][7]

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

Wizard Spider has obtained code signing certificates signed by DigiCert, GlobalSign, and COMODO for malware payloads.[14][7]

Enterprise T1087 .002 Account Discovery: Domain Account

Wizard Spider has identified domain admins through the use of net group "Domain admins" /DOMAIN. Wizard Spider has also leveraged the PowerShell cmdlet Get-ADComputer to collect account names from Active Directory data.[12][7]

Enterprise T1518 Software Discovery

Wizard Spider has utilized the PowerShell script Get-DataInfo.ps1 to collect installed backup software information from a compromised machine.[7]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[12]

Enterprise T1105 Ingress Tool Transfer

Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.[7]

Enterprise T1055 Process Injection

Wizard Spider has used process injection to execute payloads to escalate privileges.[7]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[2][14]

Enterprise T1021 Remote Services

Wizard Spider has used the WebDAV protocol to execute Ryuk payloads hosted on network file shares.[7]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.[6][2][14][7]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[14][12]

Enterprise T1021 .006 Remote Services: Windows Remote Management

Wizard Spider has used Windows Remote Management to move laterally through a victim network.[2]

Enterprise T1210 Exploitation of Remote Services

Wizard Spider has exploited or attempted to exploit the Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.[4][12][15]

Enterprise T1018 Remote System Discovery

Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind, nltest/dclist, and the PowerShell script Get-DataInfo.ps1 to enumerate domain computers, including the domain controller.[5][6][4][11][12][7]

Enterprise T1041 Exfiltration Over C2 Channel

Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[6][7]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.[6][11][7]

Enterprise T1566 .002 Phishing: Spearphishing Link

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[2][14]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.[6][2][4][14][7]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Wizard Spider has used DigiCert code-signing certificates for some of its malware.[14]

Software

ID Name References Techniques
S0552 AdFind [5][12][14][11][7] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S0504 Anchor [16] Create or Modify System Process: Windows Service, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Unix Shell, Fallback Channels, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Execution Guardrails, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Indicator Removal: File Deletion, System Information Discovery, System Services: Service Execution, System Network Configuration Discovery, Ingress Tool Transfer, Remote Services: SMB/Windows Admin Shares, Hide Artifacts: NTFS File Attributes, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job: Cron, Subvert Trust Controls: Code Signing
S0534 Bazar [3][16] BITS Jobs, Windows Management Instrumentation, Data from Local System, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Masquerading: Double File Extension, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Fallback Channels, Domain Trust Discovery, Multi-Stage Channels, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information: Software Packing, User Execution: Malicious Link, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, System Location Discovery: System Language Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Network Share Discovery, Web Service, Virtualization/Sandbox Evasion, Virtualization/Sandbox Evasion: Time Based Evasion, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Process Doppelgänging, Process Injection: Process Hollowing, Remote System Discovery, Phishing: Spearphishing Link, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0190 BITSAdmin [7] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0521 BloodHound [2][4][13][7] Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Password Policy Discovery, Archive Collected Data, Native API, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, System Owner/User Discovery, Group Policy Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Remote System Discovery
S0154 Cobalt Strike [4][2][12][14][15][13][3][7] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0575 Conti [3][7][16] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, Service Stop, Native API, Taint Shared Content, Obfuscated Files or Information, Inhibit System Recovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0659 Diavol [16] Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Data Encrypted for Impact, Data Destruction, File and Directory Discovery, Service Stop, Native API, Obfuscated Files or Information: Steganography, Obfuscated Files or Information, Defacement: Internal Defacement, System Information Discovery, Inhibit System Recovery, System Owner/User Discovery, System Network Configuration Discovery, Network Share Discovery, Ingress Tool Transfer, Process Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0024 Dyre [17][18][19] Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, Obfuscated Files or Information: Software Packing, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks, Software Discovery, Ingress Tool Transfer, Process Injection: Dynamic-link Library Injection, Process Injection, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task
S0367 Emotet [6][13] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Reflective Code Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, OS Credential Dumping: LSASS Memory, Data Encoding: Standard Encoding, Brute Force: Password Guessing, Valid Accounts: Local Accounts, Unsecured Credentials: Credentials In Files, Native API, Lateral Tool Transfer, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, User Execution: Malicious File, User Execution: Malicious Link, Email Collection, Email Collection: Local Email Collection, System Binary Proxy Execution: Regsvr32, System Owner/User Discovery, System Network Configuration Discovery: Wi-Fi Discovery, Network Share Discovery, Network Sniffing, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Email Account, Process Discovery, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Exploitation of Remote Services, Exfiltration Over C2 Channel, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Non-Standard Port, Scheduled Task/Job: Scheduled Task
S0363 Empire [6][2][4][7] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0632 GrimAgent [20] Data from Local System, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Execution Guardrails: Mutual Exclusion, Data Obfuscation: Junk Data, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, System Location Discovery: System Language Discovery, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task
S0349 LaZagne [7] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [4][2] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [1][11][4][12][14][15][13][7] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0359 Nltest [4][12][14][15][13][11][7] Domain Trust Discovery, System Network Configuration Discovery, Remote System Discovery
S0097 Ping [12][2][15] Remote System Discovery
S0029 PsExec [6][4][7] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S1071 Rubeus [7] Domain Trust Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: AS-REP Roasting, Steal or Forge Kerberos Tickets: Golden Ticket
S0446 Ryuk [1][11][2][4][12][14][15][13][3][7][16] Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Valid Accounts: Domain Accounts, Service Stop, Native API, Traffic Signaling, Obfuscated Files or Information, System Location Discovery: System Language Discovery, System Information Discovery, Inhibit System Recovery, System Network Configuration Discovery, Access Token Manipulation, Process Discovery, Process Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task
S0266 TrickBot [6][2][13][3][7][16] Credentials from Password Stores: Password Managers, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Proxy: External Proxy, Masquerading, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Firmware Corruption, Domain Trust Discovery, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Brute Force: Credential Stuffing, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, Native API, Permission Groups Discovery, Browser Session Hijacking, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Configuration Discovery, Network Share Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Account Discovery: Local Account, Account Discovery: Email Account, Ingress Tool Transfer, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Process Injection: Process Hollowing, Inter-Process Communication: Component Object Model, Remote Services: VNC, Exploitation of Remote Services, Remote System Discovery, Remote Access Software, Exfiltration Over C2 Channel, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Window, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Pre-OS Boot: Bootkit, Subvert Trust Controls: Code Signing

References