Query Registry

Query Registry is a common technique by which adversaries access the Windows Registry database to obtain system configuration, software information and security policy. The Registry holds the key parameters of system operation; adversaries typically query keys and values with the reg.exe command-line tool or through API interfaces, producing intelligence that supports later privilege escalation, defense evasion and other activity. Defenders can detect this by monitoring access to sensitive Registry paths, analyzing the API call sequences of anomalous processes, and auditing the usage logs of administrative tools.

To keep traditional detection methods from capturing the behavioral signature of Registry operations, adversaries have developed highly covert Registry query techniques. Through memory residency, tool hijacking, data sharding and similar methods they blend query activity into the normal operational flow of the system and break the correlating features of the data exfiltration process, forming a "traceless" information-collection capability.

The core logic of existing Registry-query trace-concealment techniques is to decouple the operation chain and abuse the system's trust mechanisms. By parasitizing legitimate processes or administrative tools, adversaries remove the stand-alone signature of Registry access: memory-residency techniques borrow the trust extended to system processes, so that malicious queries run in the same execution context as legitimate operations; administrative-tool hijacking reuses system management interfaces to build query patterns that look like routine operations work; and sharded data storage breaks data integrity to evade content-based detection. What the three classes share is that they escape the single-dimension detection of traditional Registry monitoring by disguising the activity at three levels, the operating subject (process), the execution tool (management interface) and the data form (storage structure), so that the Registry query appears legitimate at every stage.

The evolution of trace-concealment techniques exposes traditional defenses built on command-line monitoring or sensitive-path alerting to the risk of failure. Defenders need to build context-correlation analysis for Registry operations, combining process behavior-chain integrity checks with anomaly-pattern recognition for administrative tools, and introduce data-flow lineage tracking, in order to detect covert Registry queries in depth.

ID: T1012
Sub-techniques: No sub-techniques
Tactic: Environment Mapping
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 03 April 2023

Trace-concealment effects

Effect type                      Present
Signature disguise
Behavioral transparency
Data obscuring
Spatio-temporal trace dilution

Signature disguise

Adversaries execute Registry queries entirely through the legitimate interfaces of system management tools (such as PowerShell and WMI), so that the operation is identical to normal administrative activity in its command syntax and tool characteristics. At the same time, process injection binds the query activity to a trusted system process, disguising the identity of the operating subject.

Data obscuring

Registry query results are processed with a chunked encryption scheme, using XOR encryption and Base64 encoding to strip the semantic features of the original data. During transmission the data is wrapped in HTTPS, and random padding bytes break the regularity of the network payload, so that defenders cannot identify the leak of sensitive information through content inspection.

Spatio-temporal trace dilution

The Registry query is split into many micro-operations spread over a period of hours or even days, each executed at a frequency below the detection threshold. Query results are stored in shards across multiple physical locations, and the system's automatic cleanup of temporary files is used to control how long the data persists, breaking the temporal correlation of the behavior.

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL can enumerate registry keys.[1][2]

G0050 APT32

APT32's backdoor can query the Windows Registry to gather system information. [3]

G0087 APT39

APT39 has used various strains of malware to query the Registry.[4]

G0096 APT41

APT41 queried registry values to determine items such as configured RDP ports and network configurations.[5]

S0438 Attor

Attor has opened the registry and performed query searches.[6]

S0344 Azorult

Azorult can check for installed software on the system under the Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall.[7]

S0414 BabyShark

BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.[8]

S0031 BACKSPACE

BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.[9]

S0239 Bankshot

Bankshot searches for certain Registry keys to be configured before executing the payload.[10]

S0534 Bazar

Bazar can query Windows\CurrentVersion\Uninstall for installed applications.[11][12]

S0574 BendyBear

BendyBear can query the host's Registry key at HKEY_CURRENT_USER\Console\QuickEdit to retrieve data.[13]

S0268 Bisonal

Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.[14]

S0570 BitPaymer

BitPaymer can use the RegEnumKeyW to iterate through Registry keys.[15]

S0252 Brave Prince

Brave Prince gathers information about the Registry.[16]

S1039 Bumblebee

Bumblebee can check the Registry for specific keys.[17]

S0030 Carbanak

Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information.[18]

S0484 Carberp

Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[19]

S0335 Carbon

Carbon enumerates values in the Registry.[20]

S0348 Cardinal RAT

Cardinal RAT contains watchdog functionality that periodically ensures HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load is set to point to its executable.[21]

S0674 CharmPower

CharmPower has the ability to enumerate Uninstall registry values.[22]

G0114 Chimera

Chimera has queried Registry keys using reg query \\HKU\\SOFTWARE\Microsoft\Terminal Server Client\Servers and reg query \\HKU\\Software\Microsoft\Windows\CurrentVersion\Internet Settings.[23]

S0023 CHOPSTICK

CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[24]

S0660 Clambling

Clambling has the ability to enumerate Registry keys, including KEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir to search for a bitcoin wallet.[25][26]

S0154 Cobalt Strike

Cobalt Strike can query HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security\AccessVBOM\ to determine if the security setting for restricting default programmatic access is enabled.[27][28]

S0126 ComRAT

ComRAT can check the default browser by querying HKCR\http\shell\open\command.[29]

S0115 Crimson

Crimson can check the Registry for the presence of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate to determine how long it has been installed on a host.[30]

G1034 Daggerfly

Daggerfly used Reg to dump the Security Account Manager (SAM), System, and Security Windows registry hives from victim machines.[31]

S0673 DarkWatchman

DarkWatchman can query the Registry to determine if it has already been installed on the system.[32]

S0354 Denis

Denis queries the Registry for keys and values.[33]

S0021 Derusbi

Derusbi is capable of enumerating Registry keys and values.[34]

S0186 DownPaper

DownPaper searches and reads the value of the Windows Update Registry Run key.[35]

G0035 Dragonfly

Dragonfly has queried the Registry to identify victim information.[36]

S0567 Dtrack

Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[37]

S1159 DUSTTRAP

DUSTTRAP can enumerate Registry items.[38]

S0091 Epic

Epic uses the rem reg query command to obtain values from Registry keys.[39]

S0512 FatDuke

FatDuke can get user agent strings for the default browser from HKCU\Software\Classes\http\shell\open\command.[40]

S0267 FELIXROOT

FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[41][42]

S0182 FinFisher

FinFisher queries Registry values as part of its anti-sandbox checks.[43][44]

G0117 Fox Kitten

Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.[45]

S1044 FunnyDream

FunnyDream can check Software\Microsoft\Windows\CurrentVersion\Internet Settings to extract the ProxyServer string.[46]

S0666 Gelsemium

Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[47]

S0032 gh0st RAT

gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[48]

S0249 Gold Dragon

Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[16]

S0376 HOPLIGHT

A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name.[49]

S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[50][51]

G0119 Indrik Spider

Indrik Spider has used a service account to extract copies of the Security Registry hive.[52]

S0604 Industroyer

Industroyer has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.[53]

S0260 InvisiMole

InvisiMole can enumerate Registry values, keys, and data.[54]

S0201 JPIN

JPIN can enumerate Registry keys.[55]

G0094 Kimsuky

Kimsuky has obtained specific Registry keys and values on a compromised host.[56]

G0032 Lazarus Group

Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt.[57][58][59]

S0513 LiteDuke

LiteDuke can query the Registry to check for the presence of HKCU\Software\KasperskyLab.[40]

S0680 LitePower

LitePower can query the Registry for keys added to execute COM hijacking.[60]

S0532 Lucifer

Lucifer can check for existing stratum cryptomining information in HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%.[61]

S1060 Mafalda

Mafalda can enumerate Registry keys with all subkeys and values.[62]

S1015 Milan

Milan can query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid to retrieve the machine GUID.[63]

S1047 Mori

Mori can read data from the Registry including from HKLM\Software\NFC\IPA and HKLM\Software\NFC\.[64]

S0385 njRAT

njRAT can read specific registry values.[65]

G0049 OilRig

OilRig has used reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" on a victim to query the Registry.[66]

C0014 Operation Wocao

During Operation Wocao, the threat actors executed /c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\<username>\PuTTY\Sessions\ to detect recent PuTTY sessions, likely to further lateral movement.[67]

S0165 OSInfo

OSInfo queries the registry to look for information about Terminal Services.[68]

S1050 PcShare

PcShare can search the registry files of a compromised host.[46]

S0517 Pillowmint

Pillowmint has used shellcode which reads code stored in the registry keys \REGISTRY\SOFTWARE\Microsoft\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces as part of its C2.[69]

S0013 PlugX

PlugX can enumerate and query for information contained within the Windows Registry.[70][71]

S0145 POWERSOURCE

POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.[72]

S0194 PowerSploit

PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[73][74]

S0184 POWRUNER

POWRUNER may query the Registry by running reg query on a victim.[75]

S0238 Proxysvc

Proxysvc gathers product names from the Registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName and the processor description from the Registry key HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString.[76]

S0269 QUADAGENT

QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.[77]

S1076 QUIETCANARY

QUIETCANARY has the ability to retrieve information from the Registry.[78]

S1148 Raccoon Stealer

Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the HKLM:\SOFTWARE\Microsoft\Cryptography\MachineGuid key.[79][80]

S0241 RATANKBA

RATANKBA uses the command reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings".[81]

S0172 Reaver

Reaver queries the Registry to determine the correct Startup path to use for persistence.[82]

S0075 Reg

Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[83]

S0496 REvil

REvil can query the Registry to get random file extensions to append to encrypted files.[84]

S0448 Rising Sun

Rising Sun has identified the OS product name from a compromised host by searching the registry for SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName.[85]

S0240 ROKRAT

ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[86]

S1018 Saint Bot

Saint Bot has used check_registry_keys as part of its environmental checks.[87]

S1099 Samurai

Samurai can query SOFTWARE\Microsoft\.NETFramework\policy\v2.0 for discovery.[88]

S0140 Shamoon

Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[89]

S1019 Shark

Shark can query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid to retrieve the machine GUID.[63]

S0589 Sibot

Sibot has queried the registry for proxy server information.[90]

S0692 SILENTTRINITY

SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.[91]

S0627 SodaMaster

SodaMaster has the ability to query the Registry to detect a key specific to VMware.[92]

G0038 Stealth Falcon

Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[93]

S0380 StoneDrill

StoneDrill has looked in the registry to find the default browser path.[94]

S0603 Stuxnet

Stuxnet searches the Registry for indicators of security programs.[95]

S0559 SUNBURST

SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.[96]

S1064 SVCReady

SVCReady can search for the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Registry key to gather system information.[97]

S0242 SynAck

SynAck enumerates Registry keys associated with event logs.[98]

S0011 Taidoor

Taidoor can query the Registry on compromised hosts using RegQueryValueExA.[99]

S0560 TEARDROP

TEARDROP checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.[96][100]

G0027 Threat Group-3390

A Threat Group-3390 tool can read and decrypt stored Registry values.[101]

S0668 TinyTurla

TinyTurla can query the Registry for its configuration information.[102]

G0010 Turla

Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[39] Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes.[103]

S0022 Uroburos

Uroburos can query the Registry, typically HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, to find the key and path to decrypt and load its kernel driver and kernel driver loader.[104]

S0386 Ursnif

Ursnif has used Reg to query the Registry for installed programs.[105][106]

S0476 Valak

Valak can use the Registry for code updates and to collect credentials.[107]

S0180 Volgmer

Volgmer checks the system for certain Registry keys.[108]

G1017 Volt Typhoon

Volt Typhoon has queried the Registry on compromised systems, reg query hklm\software\, for information on installed software including PuTTY.[109][110]

S0612 WastedLocker

WastedLocker checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces.[111]

S0579 Waterbear

Waterbear can query the Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI" to see if the value OracleOcilib exists.[112]

S0155 WINDSHIELD

WINDSHIELD can gather Registry values.[113]

S1065 Woody RAT

Woody RAT can search registry keys to identify antivirus programs on a compromised host.[114]

S0251 Zebrocy

Zebrocy executes the reg query command to obtain information in the Registry.[115]

S0330 Zeus Panda

Zeus Panda checks for the existence of a Registry key and if it contains certain values.[116]

G0128 ZIRCONIUM

ZIRCONIUM has used a tool to query the Registry for proxy settings.[117]

S0412 ZxShell

ZxShell can query the netsvc group value data located in the svchost group Registry key.[118]

S1013 ZxxZ

ZxxZ can search the registry of a compromised host.[119]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: For PowerShell Module logging event ID 4103, enable logging for the module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Analytic 1 - Suspicious Commands

(sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") | WHERE CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")

DS0009 Process OS API Execution

Monitor for API calls (such as RegOpenKeyExA) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx, RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log event IDs such as 4663 (Microsoft Security Auditing). Also monitor for the RegOpenUserClassesRoot API, which retrieves a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.

Process Creation

Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with the LOLBAS process names used in your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a number of standard deviations is recommended for data values that are symmetrically distributed. If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR).

Analytic 1 - Suspicious Processes with Registry keys

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%"))

Analytic 2 - reg.exe spawned from suspicious cmd.exe

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) | WHERE (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%") | rename ProcessParentGuid as guid | join type=inner guid [ | search ((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%") | rename ProcessGuid as guid ]

Analytic 3 - Rare LolBAS command lines

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5 | select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound | WHERE ProcessCount < LowerBound
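The three process-creation analytics and the PowerShell 4103 New-PSDrive analytic above, rewritten as plain Python over constructed Sysmon Event ID 1 / Security 4688 style records so the logic can be run and tuned offline. This is an added example, not code from ATT&CK or from the original page; the ProcEvent fields, GUIDs, file paths, image names and per-image counts are constructed placeholders, and the reg-query regex is deliberately tighter than the "%reg%" AND "%query%" pattern of Analytic 1.

```python
"""Process-creation and PowerShell module-logging analytics for T1012,
run over constructed sample events (not real telemetry)."""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 record used by the analytics."""
    guid: str          # ProcessGuid
    parent_guid: str   # ParentProcessGuid
    image: str         # Image: full path of the new process
    parent_image: str  # ParentImage
    command_line: str  # CommandLine


# Tighter than the page's "%reg%" AND "%query%": reg or reg.exe followed by the query verb.
REG_QUERY = re.compile(r"(?:^|[\s\"'])reg(?:\.exe)?[\"']?\s+query\b", re.IGNORECASE)
REGISTRY_WORD = re.compile(r"registry", re.IGNORECASE)
HKCR_PATH = re.compile(r"HKEY_CLASSES_ROOT|\bHKCR\b", re.IGNORECASE)
NEW_PSDRIVE = re.compile(r"New-PSDrive", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so Image/ParentImage compare by file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_registry_query_cmdline(cmd: str) -> bool:
    """Analytic 1 (Suspicious Processes with Registry keys) on one command line."""
    if REG_QUERY.search(cmd):
        return True
    return bool(REGISTRY_WORD.search(cmd) and HKCR_PATH.search(cmd))


def is_psdrive_registry_mapping(script_text: str) -> bool:
    """PowerShell 4103 analytic: New-PSDrive mapping the Registry provider or HKCR."""
    if not NEW_PSDRIVE.search(script_text):
        return False
    return bool(REGISTRY_WORD.search(script_text) or HKCR_PATH.search(script_text))


def registry_query_processes(events):
    """Analytic 1 over a batch; returns the ProcessGuids whose command line matches."""
    return [e.guid for e in events if is_registry_query_cmdline(e.command_line)]


def reg_from_suspicious_cmd(events):
    """Analytic 2: reg.exe spawned by a cmd.exe that explorer.exe did not start.
    The join of the original query becomes a lookup of the parent record by GUID."""
    by_guid = {e.guid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "reg.exe" or basename(e.parent_image) != "cmd.exe":
            continue
        parent = by_guid.get(e.parent_guid)
        # A cmd.exe with no creation record cannot be cleared by the explorer.exe
        # exclusion, so it is surfaced as well.
        if parent is None or basename(parent.parent_image) != "explorer.exe":
            hits.append(e.guid)
    return hits


def rare_lolbas_images(process_counts, number_standard_deviations=1.5):
    """Analytic 3: images whose count is below mean - k * stdev over all images.
    STDEV is assumed to be the sample standard deviation; as the page notes, this
    only suits symmetrically distributed counts."""
    counts = list(process_counts.values())
    if len(counts) < 2:
        return []
    lower = statistics.mean(counts) - statistics.stdev(counts) * number_standard_deviations
    return [img for img, n in process_counts.items() if n < lower]


# Constructed sample events; GUIDs and paths are placeholders.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # Interactive admin: explorer.exe -> cmd.exe -> reg query (Analytic 1 only)
    ProcEvent("c1", "x1", CMD, r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcEvent("r1", "c1", r"C:\Windows\System32\reg.exe", CMD,
              r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'),
    # Office-spawned shell: WINWORD.EXE -> cmd.exe -> reg query (Analytics 1 and 2)
    ProcEvent("c2", "w1", CMD, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"cmd.exe /c cd /d c:\windows\temp"),
    ProcEvent("r2", "c2", r"C:\Windows\System32\reg.exe", CMD,
              r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'),
    # Benign installer with no Registry reference in its command line
    ProcEvent("m1", "s1", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\svchost.exe",
              "msiexec.exe /V"),
    # PowerShell mapping HKCR as a drive (second clause of Analytic 1)
    ProcEvent("p1", "x1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell.exe -Command New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT"),
]
# Constructed per-image process counts for Analytic 3 (placeholder image names).
SAMPLE_COUNTS = {"lolbas01.exe": 40, "lolbas02.exe": 42, "lolbas03.exe": 38,
                 "lolbas04.exe": 41, "lolbas05.exe": 3}
```

Against the sample data, Analytic 1 flags r1, r2 and p1, Analytic 2 flags only r2 (the cmd.exe under WINWORD.EXE), and Analytic 3 flags lolbas05.exe.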

DS0024 Windows Registry Windows Registry Key Access

Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.

Note: For Security Auditing event IDs 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, a new SACL might have to be implemented. Depending on the Registry key the SACL is placed on, the generation of event IDs 4656 and 4663 might be noisy.

Analytic 1 - Suspicious Registry

(sourcetype="WinEventLog:Security" EventCode IN (4663, 4656)) AND ObjectType="Key" | WHERE ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')
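The "Suspicious Registry" analytic above as an added Python example (not the page's own code) over constructed Security 4656/4663 records: it keeps only ObjectType Key, the Uninstall path, the %%4432 / %%4435 query rights (or their resolved names, depending on how the SIEM logs the access list) and processes outside an expected-process allowlist. The KeyAccessEvent fields, the ExampleInventory allowlist entry and all sample paths are constructed placeholders.

```python
"""Windows Registry Key Access analytic for T1012 over constructed Security
4656/4663 events (not real telemetry)."""
from dataclasses import dataclass

# Access-right codes as logged in the AccessList / UserAccessList field, with the
# names the analytic above searches for.
QUERY_RIGHTS = {"%%4432": "Query key value", "%%4435": "Enumerate sub-keys"}
# Key path fragment watched by the analytic (installed-software inventory).
WATCHED_FRAGMENT = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


@dataclass(frozen=True)
class KeyAccessEvent:
    """Fields of a Security 4656 (handle requested) / 4663 (access attempted) record."""
    event_id: int
    object_type: str   # "Key" for Registry objects
    object_name: str   # kernel path, e.g. \REGISTRY\MACHINE\SOFTWARE\...
    access_list: str   # space-separated %%NNNN codes or resolved names
    process_name: str  # full path of the accessing process


def requested_query_rights(access_list: str):
    """Return the query-type rights present, whether logged as codes or as names."""
    found = []
    for code, name in QUERY_RIGHTS.items():
        if code in access_list or name.lower() in access_list.lower():
            found.append(name)
    return found


def suspicious_key_access(events, expected_processes):
    """The 'Suspicious Registry' analytic: Uninstall-key reads that request a
    query right from a process outside the expected-process allowlist."""
    allow = {p.lower() for p in expected_processes}
    hits = []
    for e in events:
        if e.event_id not in (4656, 4663) or e.object_type != "Key":
            continue
        if WATCHED_FRAGMENT.lower() not in e.object_name.lower():
            continue
        rights = requested_query_rights(e.access_list)
        if not rights or e.process_name.lower() in allow:
            continue
        hits.append((e.process_name, e.object_name, rights))
    return hits


UNINSTALL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
# Constructed allowlist; replace with the processes expected to inventory software.
EXPECTED_PROCESSES = [r"C:\Program Files\ExampleInventory\agent.exe"]
# Constructed events covering each branch of the filter.
SAMPLE_EVENTS = [
    # reg.exe enumerating the Uninstall key: hit
    KeyAccessEvent(4663, "Key", UNINSTALL, "%%4435", r"C:\Windows\System32\reg.exe"),
    # expected inventory agent doing the same: allowlisted
    KeyAccessEvent(4656, "Key", UNINSTALL, "%%4432 %%4435",
                   r"C:\Program Files\ExampleInventory\agent.exe"),
    # query of a different key: outside the watched path
    KeyAccessEvent(4663, "Key",
                   r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
                   "%%4432", r"C:\Windows\System32\svchost.exe"),
    # write to the Uninstall key (Set key value, %%4433): not a query right
    KeyAccessEvent(4663, "Key", UNINSTALL + r"\ExampleApp", "%%4433",
                   r"C:\Windows\System32\msiexec.exe"),
    # file object, not a key: filtered by ObjectType
    KeyAccessEvent(4663, "File", r"C:\Windows\Temp\out.txt", "ReadData",
                   r"C:\Windows\System32\reg.exe"),
    # unknown binary in a temp directory, rights already resolved to names by the SIEM: hit
    KeyAccessEvent(4663, "Key", UNINSTALL + r"\ExampleApp", "Query key value",
                   r"C:\Users\user\AppData\Local\Temp\update.exe"),
]
```

Only the reg.exe enumeration and the temp-directory binary survive the filter; the allowlisted agent, the Run-key read, the write and the file access are dropped.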

References

  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  4. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  5. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  6. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  7. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  8. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  9. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  10. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  11. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  12. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  13. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  14. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  15. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  16. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  17. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  18. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  19. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  20. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  21. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  22. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  23. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  24. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  25. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  26. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  27. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  28. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  29. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  30. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  31. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  32. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  33. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  34. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  35. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  36. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  37. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  38. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  39. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  40. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  41. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  42. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  43. FinFisher. (n.d.). Retrieved September 12, 2024.
  44. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  45. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  46. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  47. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  48. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  49. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  50. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  51. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  52. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  53. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  54. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  55. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  56. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  57. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  58. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  59. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  60. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  1. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  2. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  3. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  4. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  5. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  6. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  7. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  8. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  9. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  10. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  11. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  12. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  13. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  14. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  15. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  16. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  17. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  18. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  19. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  20. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  21. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  22. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  23. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  24. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  25. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  26. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  27. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  28. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  29. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  30. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  31. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  32. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  33. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  34. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  35. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  36. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  37. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  38. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  39. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  40. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  41. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  42. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  43. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  44. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  45. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  46. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  47. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  48. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  49. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  50. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  51. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  52. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  53. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  54. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  55. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  56. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  57. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  58. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  59. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.