Chimera tool cracked 2018


Command and Scripting Interpreter: PowerShell
Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.

Chimera has used credential stuffing against victims' remote services to obtain valid accounts.

Chimera has used multiple password spraying attacks against victims' remote services to obtain valid user and administrator accounts.

Chimera has used type \ \c$\Users\ \Favorites\Links\Bookmarks bar\Imported From IE*citrix* for bookmark discovery.

Chimera has used custom DLLs for continuous retrieval of data from memory.

Archive Collected Data: Archive via Utility
Chimera has used gzip on Linux hosts and a modified RAR utility on Windows hosts to archive data.

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.

Application Layer Protocol: Web Protocols
Chimera has used HTTPS for C2 communications.

Chimera has used net user /dom and net user Administrator to enumerate domain accounts, including administrator accounts. Chimera has used net user for account discovery.