Understanding Threat Actors
Knowing your enemies to understand their behaviors and better protect your company.
Threat actors are individuals or groups that conduct malicious activities to exploit vulnerabilities and compromise the security of systems, networks, or data. Understanding the nature, motivations, and methods of threat actors is crucial for SOC analysts to effectively defend against cyber threats.
Threat Actors
Techniques
List of Threat Actors
Who is targeting you?
Ransomware Groups
Ransomware groups are organized cybercriminal entities that specialize in ransomware attacks. While these groups typically employ many similar sophisticated tactics, techniques, and procedures to compromise systems, encrypt data, and extort victims for financial gain, they also have their own specific methods and strategies.
Advanced Persistent Threats (APTs)
Advanced Persistent Threats (APTs) are organized cybercriminal entities or state-sponsored groups that specialize in prolonged and covert cyberattacks.
While these groups commonly employ sophisticated tactics, techniques, and procedures to infiltrate and maintain unauthorized access to target systems, exfiltrating sensitive data over extended periods, they also possess unique methods and strategies tailored to their specific objectives and targets.
Hacktivists
Hacktivist groups are organized entities that use hacking techniques to promote political agendas or social causes. While these groups often employ similar sophisticated tactics, techniques, and procedures to compromise systems, deface websites, and disrupt services, they also have their own specific methods and strategies tailored to their particular objectives and messages.
Hacktivists profiles will be available shortly.
Attack Techniques
Techniques used by Cybercriminals
MITRE ATT&CK TTPs
Threat Actors' most used TTPs
Ransomware Groups
While hacker groups typically employ many similar sophisticated tactics, techniques, and procedures to compromise systems, encrypt data, and extort victims for financial gain, they also have their own specific methods and strategies. Here are the most popular techniques and procedures used by cybercriminals:
TA0002: Execution
T1059: Command and Scripting Interpreter
TA0003: Persistence
T1136: Create Account
T1078: Valid Accounts
TA0004: Privilege Escalation
T1484: Domain Policy Modification
TA0007: Discovery
T1018: Remote System Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
TA0008: Lateral Movement
T1021: Remote Services
TA0009: Collection
T1560: Archive Collected Data
TA0010: Exfiltration
T1048: Exfiltration Over Alternative Protocol
TA0040: Impact
T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
T1657: Network Denial of Service
Tools
Tools used by Threat Actors
Threat emulation
Cobalt Strike
Cloud synchronization
MEGA Ltd MegaSync
Credential extraction
Mimikatz
Local server tunneling
Ngrok
Automation and scripting
PowerShell
Remote command execution
PsExec
Cloud storage management
Rclone
Network management
SoftPerfect
Remote desktop access
Splashtop
SFTP and FTP client
WinSCP
Active Directory information gathering
AdFind
Network scanning
Advanced IP Scanner
Active Directory analysis
Bloodhound
Network testing
Microsoft Nltest
System monitoring
PCHunter64
Process monitoring
Process Hacker
Remote desktop application
AnyDesk
Remote management
Fleetdeck.io
Project management
Level.io
Remote monitoring and management
Pulseway
Remote support
Screenconnect
Remote desktop access
Splashtop
Remote monitoring and management
Tactical.RMM
Remote control and support
Teamviewer
BITS transfer management
BITSAdmin
FTP client
FileZilla
Cloud synchronization
MEGA Ltd MegaSync
Cloud storage management
Rclone
File compression
WinRAR
SFTP and FTP client
WinSCP
Password retrieval
LaZagne
Credential extraction
Mimikatz
Web vulnerability scanning
Nekto / PriviCMD
Privilege escalation auditing
WinPEAS
Threat emulation
Cobalt Strike
Network protocol manipulation
Impacket
Local server tunneling
Ngrok
Automation and scripting
PowerShell
Remote command execution
PsExec
Command-line interface to PuTTY
PuTTY Link (Plink)
Proxy tool
Stowaway
VPN solution
Tailscale
Package management
Chocolatey
Rootkit detection
GMER
System optimization
IOBit
Rootkit removal
PowerTool
Process dump creation
ProcDump
Active Directory reconnaissance
Sharphound
Network management