Techniques Used

Account Discovery: Domain Account - Chimera has used net user /dom and net user Administrator to enumerate domain accounts, including administrator accounts.
Account Discovery: Local Account - Chimera has used net user for account discovery.
Application Layer Protocol: DNS - Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.
Application Layer Protocol: Web Protocols - Chimera has used HTTPS for C2 communications.
Archive Collected Data: Archive via Utility - Chimera has used gzip on Linux hosts and a modified RAR utility on Windows hosts to archive collected data.
Browser Bookmark Discovery - Chimera has used type \\<hostname>\c$\Users<username>\Favorites\Links\Bookmarks bar\Imported From IE\*citrix* for bookmark discovery, reading a user's Favorites folder over the administrative share rather than logging on to the workstation.
Brute Force: Credential Stuffing - Chimera has used credential stuffing against victims' remote services to obtain valid accounts.
Brute Force: Password Spraying - Chimera has used multiple password spraying attacks against victims' remote services to obtain valid user and administrator accounts.
Command and Scripting Interpreter: PowerShell - Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to interact with Active Directory.
Command and Scripting Interpreter: Windows Command Shell - Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.
Data from Information Repositories: Sharepoint - Chimera has collected documents from the victim's SharePoint.
Data from Network Shared Drive - Chimera has collected data of interest from network shares.
Chimera has used custom DLLs for continuous retrieval of data from memory.
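The password spraying and credential stuffing entries above describe breadth-first guessing against remote services: one or two guesses per account across many accounts, which stays under per-account lockout thresholds. The Python below is an added example, not content from the ATT&CK page or from any Chimera tooling. It runs a spray detector and a brute-force detector over a constructed failed-logon log (fields modelled on Windows Security event 4625; the IPs, account names and timestamps are invented) to show which aggregation catches a spray that a per-account counter misses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on Windows event 4625 (failed logon)
# flattened to "timestamp source_ip target_account ntstatus".
#   0xC000006A = wrong password, 0xC0000064 = account does not exist.
# Not real data: 10.0.0.7 tries one password across many accounts (spray),
# 10.0.0.9 hammers a single account (brute force), 10.0.0.22 is a lone typo.
SAMPLE_LOG = """\
2021-01-05T09:00:01 10.0.0.7 alice 0xC000006A
2021-01-05T09:00:12 10.0.0.7 bob 0xC000006A
2021-01-05T09:00:25 10.0.0.7 carol 0xC000006A
2021-01-05T09:00:38 10.0.0.7 dave 0xC000006A
2021-01-05T09:00:51 10.0.0.7 erin 0xC000006A
2021-01-05T09:01:04 10.0.0.7 frank 0xC0000064
2021-01-05T09:01:17 10.0.0.7 grace 0xC000006A
2021-01-05T09:01:30 10.0.0.7 heidi 0xC000006A
2021-01-05T09:01:43 10.0.0.7 ivan 0xC000006A
2021-01-05T09:01:56 10.0.0.7 judy 0xC000006A
2021-01-05T09:02:09 10.0.0.7 Administrator 0xC000006A
""" + "".join(
    f"2021-01-05T09:05:{s:02d} 10.0.0.9 alice 0xC000006A\n" for s in range(12)
) + "2021-01-05T09:10:00 10.0.0.22 mallory 0xC000006A\n"


def parse_log(text):
    """Parse the flat log into sorted (timestamp, source_ip, account, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, status = line.split()
        # Account names are case-insensitive on Windows; normalise before counting.
        events.append((datetime.fromisoformat(ts), ip, account.lower(), status))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=2):
    """Password spraying / credential stuffing: one source, many distinct accounts,
    each tried only a few times inside the window. Per-account lockout counters
    never trip, so the signal is breadth per source, not depth per account."""
    by_source = defaultdict(list)
    for ts, ip, account, status in events:
        by_source[ip].append((ts, account, status))
    alerts = []
    for ip, attempts in by_source.items():
        for i, (start, _, _) in enumerate(attempts):  # window anchored at each attempt
            counts = defaultdict(int)
            unknown = 0
            for ts, account, status in attempts[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
                if status == "0xC0000064":  # guessed name does not exist: list-driven
                    unknown += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts.append({
                    "source": ip,
                    "start": start,
                    "distinct_accounts": len(counts),
                    "unknown_accounts": unknown,
                    "targets_admin": "administrator" in counts,
                })
                break  # one alert per source is enough
    return alerts


def detect_brute_force(events, window=timedelta(minutes=30), min_attempts=10):
    """Classic brute force: one source, one account, many attempts in the window.
    This is what per-account lockout already handles; kept for contrast."""
    by_pair = defaultdict(list)
    for ts, ip, account, _ in events:
        by_pair[(ip, account)].append(ts)
    alerts = []
    for (ip, account), stamps in by_pair.items():
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= min_attempts:
                alerts.append({"source": ip, "account": account, "attempts": n})
                break
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect_spray(evts):
        print("SPRAY", a)
    for a in detect_brute_force(evts):
        print("BRUTE", a)
```

The thresholds are assumptions to tune per environment: a legitimate helpdesk host or an SSO proxy can front many accounts from one address, so the source field should be the client behind any reverse proxy, and a non-zero count of non-existent accounts from a single source is the cheapest indicator that the guesses come from a leaked list rather than from a user who forgot a password.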
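The account discovery and bookmark discovery entries above are plain command lines, so they land in process-creation telemetry. The Python below is an added example, not from the ATT&CK page or from Chimera's tooling. It runs a few regex rules over constructed process-creation records (fields modelled on Windows event 4688 / Sysmon event 1; the hosts, users and paths are invented) and escalates only when one principal trips several discovery rules on the same host, because a single net user is routine administration while enumeration plus an Administrator lookup plus reading another user's Favorites over c$ is the pattern described on this page.

```python
import re
from collections import defaultdict

# Constructed process-creation records, modelled on the fields of Windows
# event 4688 / Sysmon event 1. Hosts, users and paths are invented.
SAMPLE_PROCS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "net user /dom"},
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "net1 user Administrator"},  # net.exe hands off to net1.exe
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": r"type \\FS01\c$\Users\bob\Favorites\Links\Bookmarks bar\Imported From IE\*citrix*"},
    {"host": "WS02", "user": "CORP\\svc_backup", "parent": "backup.exe",
     "cmdline": r"net use Z: \\FS01\backups /persistent:no"},
    {"host": "WS03", "user": "CORP\\helpdesk", "parent": "explorer.exe",
     "cmdline": "net user carol /domain"},  # single-account lookup, not enumeration
    {"host": "WS03", "user": "CORP\\helpdesk", "parent": "explorer.exe",
     "cmdline": r"type C:\Users\helpdesk\notes.txt"},  # local file, not a remote c$ read
]

# Rule names are assumptions for this example. net.exe spawns net1.exe with the
# same arguments, so both image names are accepted.
RULES = {
    # whole-domain enumeration: "net user /dom" or "net user /domain" with no account
    "domain_account_enum": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+/dom(?:ain)?\s*$", re.I),
    # targeted lookup of the built-in Administrator account
    "admin_account_lookup": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+administrator\b", re.I),
    # reading another user's Favorites over the administrative share
    "remote_bookmark_read": re.compile(
        r"\btype\s+\\\\[^\\\s]+\\c\$\\users\\[^\\]+\\favorites", re.I),
}


def hunt(records):
    """Return one hit per (record, rule) match."""
    hits = []
    for rec in records:
        for name, pattern in RULES.items():
            if pattern.search(rec["cmdline"]):
                hits.append({"host": rec["host"], "user": rec["user"],
                             "rule": name, "cmdline": rec["cmdline"]})
    return hits


def cluster(hits, min_rules=2):
    """Escalate when one principal on one host trips several distinct rules.
    Returns {(host, user): [rule names]} for principals at or above min_rules."""
    seen = defaultdict(set)
    for h in hits:
        seen[(h["host"], h["user"])].add(h["rule"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_rules}


if __name__ == "__main__":
    found = hunt(SAMPLE_PROCS)
    for h in found:
        print(h["host"], h["user"], h["rule"], h["cmdline"])
    print("escalate:", cluster(found))
```

Command-line auditing must be enabled for 4688 to carry the arguments at all (the default event only records the image path); Sysmon event 1 includes them by default. The bookmark rule keys on the c$ share plus a Favorites path because that combination is what distinguishes the collection described here from a user reading their own profile.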