Wizard Spider | APT Profile

Description

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Techniques Used (TTPs)

T1136.001 — Local Account (persistence)
T1588.003 — Code Signing Certificates (resource-development)
T1210 — Exploitation of Remote Services (lateral-movement)
T1560.001 — Archive via Utility (collection)
T1059.003 — Windows Command Shell (execution)
T1047 — Windows Management Instrumentation (execution)
T1588.002 — Tool (resource-development)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1074 — Data Staged (collection)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1021 — Remote Services (lateral-movement)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1222.001 — Windows File and Directory Permissions Modification (defense-evasion)
T1570 — Lateral Tool Transfer (lateral-movement)
T1204.002 — Malicious File (execution)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1027.010 — Command Obfuscation (defense-evasion)
T1070.004 — File Deletion (defense-evasion)
T1552.006 — Group Policy Preferences (credential-access)
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
T1518.001 — Security Software Discovery (discovery)
T1218.011 — Rundll32 (defense-evasion)
T1558.003 — Kerberoasting (credential-access)
T1059.001 — PowerShell (execution)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1112 — Modify Registry (defense-evasion, persistence)
T1490 — Inhibit System Recovery (impact)
T1133 — External Remote Services (persistence, initial-access)
T1547.004 — Winlogon Helper DLL (persistence, privilege-escalation)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1087.002 — Domain Account (discovery)
T1518 — Software Discovery (discovery)
T1071.001 — Web Protocols (command-and-control)
T1553.002 — Code Signing (defense-evasion)
T1136.002 — Domain Account (persistence)
T1074.001 — Local Data Staging (collection)
T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay (credential-access, collection)
T1105 — Ingress Tool Transfer (command-and-control)
T1003.003 — NTDS (credential-access)
T1016 — System Network Configuration Discovery (discovery)
T1585.002 — Email Accounts (resource-development)
T1033 — System Owner/User Discovery (discovery)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1204.001 — Malicious Link (execution)
T1003.001 — LSASS Memory (credential-access)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1566.001 — Spearphishing Attachment (initial-access)
T1003.002 — Security Account Manager (credential-access)
T1489 — Service Stop (impact)
T1566.002 — Spearphishing Link (initial-access)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1018 — Remote System Discovery (discovery)
T1005 — Data from Local System (collection)
T1082 — System Information Discovery (discovery)
T1555.004 — Windows Credential Manager (credential-access)
T1135 — Network Share Discovery (discovery)
T1569.002 — Service Execution (execution)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1021.006 — Windows Remote Management (lateral-movement)
T1055.001 — Dynamic-link Library Injection (defense-evasion, privilege-escalation)
T1197 — BITS Jobs (defense-evasion, persistence)

Total TTPs: 64

Malware & Tools

Malware: Anchor, Bazar, Cobalt Strike, Conti, Diavol, Dyre, Emotet, GrimAgent, Ryuk, TrickBot

Tools: AdFind, BITSAdmin, BloodHound, Empire, LaZagne, Mimikatz, Net, Nltest, Ping, PsExec, Rubeus

← Return to Home ← Back to APT Search