Kimsuky
Also known as: Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427, Springtail
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused collection on foreign policy and national security issues tied to the Korean Peni...
Techniques: 109
Covered: 91
Gaps: 18
Coverage: 83% (91/109)
GAPS (18): techniques used by this group with no detection content
T1027.012 LNK Icon Smuggling
T1027.016 Junk Code Insertion
T1560.003 Archive via Custom Method
T1583.004 Server
T1585 Establish Accounts
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1586.002 Email Accounts
T1588.003 Code Signing Certificates
T1588.005 Exploits
T1589.003 Employee Names
T1591 Gather Victim Org Information
T1593 Search Open Websites/Domains
T1593.001 Social Media
T1593.002 Search Engines
T1594 Search Victim-Owned Websites
T1596 Search Open Technical Databases
T1680 Local Storage Discovery
COVERED (91): technique and number of detections (det.)
T1003.001 LSASS Memory (105 det.)
T1005 Data from Local System (46 det.)
T1007 System Service Discovery (11 det.)
T1012 Query Registry (22 det.)
T1016 System Network Configuration Discovery (35 det.)
T1021.001 Remote Desktop Protocol (51 det.)
T1027 Obfuscated Files or Information (525 det.)
T1027.001 Binary Padding (3 det.)
T1027.002 Software Packing (1 det.)
T1027.010 Command Obfuscation (31 det.)
T1036.004 Masquerade Task or Service (7 det.)
T1036.005 Match Legitimate Resource Name or Location (44 det.)
T1036.007 Double File Extension (4 det.)
T1040 Network Sniffing (15 det.)
T1041 Exfiltration Over C2 Channel (30 det.)
T1053.005 Scheduled Task (82 det.)
T1055 Process Injection (76 det.)
T1055.012 Process Hollowing (8 det.)
T1056.001 Keylogging (4 det.)
T1057 Process Discovery (18 det.)
T1059.001 PowerShell (338 det.)
T1059.003 Windows Command Shell (79 det.)
T1059.005 Visual Basic (66 det.)
T1059.006 Python (43 det.)
T1059.007 JavaScript (58 det.)
T1070.004 File Deletion (40 det.)
T1070.006 Timestomp (9 det.)
T1071.001 Web Protocols (74 det.)
T1071.002 File Transfer Protocols (1 det.)
T1071.003 Mail Protocols (4 det.)
T1074.001 Local Data Staging (10 det.)
T1078.003 Local Accounts (23 det.)
T1082 System Information Discovery (80 det.)
T1083 File and Directory Discovery (48 det.)
T1098.007 Additional Local or Domain Groups (9 det.)
T1102.001 Dead Drop Resolver (7 det.)
T1102.002 Bidirectional Communication (14 det.)
T1105 Ingress Tool Transfer (170 det.)
T1111 Multi-Factor Authentication Interception (1 det.)
T1112 Modify Registry (197 det.)
T1113 Screen Capture (17 det.)
T1114.002 Remote Email Collection (18 det.)
T1114.003 Email Forwarding Rule (10 det.)
T1133 External Remote Services (72 det.)
T1136.001 Local Account (42 det.)
T1140 Deobfuscate/Decode Files or Information (55 det.)
T1176.001 Browser Extensions (5 det.)
T1185 Browser Session Hijacking (13 det.)
T1190 Exploit Public-Facing Application (208 det.)
T1204.001 Malicious Link (9 det.)
T1204.002 Malicious File (397 det.)
T1205 Traffic Signaling (1 det.)
T1218.005 Mshta (46 det.)
T1218.010 Regsvr32 (41 det.)
T1218.011 Rundll32 (73 det.)
T1219.002 Remote Desktop Software (48 det.)
T1505.003 Web Shell (57 det.)
T1518.001 Security Software Discovery (8 det.)
T1534 Internal Spearphishing (181 det.)
T1539 Steal Web Session Cookie (12 det.)
T1543.003 Windows Service (79 det.)
T1546.001 Change Default File Association (7 det.)
T1547.001 Registry Run Keys / Startup Folder (50 det.)
T1550.002 Pass the Hash (9 det.)
T1552.001 Credentials In Files (53 det.)
T1553.002 Code Signing (3 det.)
T1555.003 Credentials from Web Browsers (15 det.)
T1557 Adversary-in-the-Middle (27 det.)
T1560.001 Archive via Utility (24 det.)
T1562.001 Disable or Modify Tools (300 det.)
T1562.004 Disable or Modify System Firewall (45 det.)
T1564.002 Hidden Users (8 det.)
T1564.003 Hidden Window (11 det.)
T1566 Phishing (920 det.)
T1566.001 Spearphishing Attachment (850 det.)
T1566.002 Spearphishing Link (837 det.)
T1567.002 Exfiltration to Cloud Storage (27 det.)
T1583 Acquire Infrastructure (1 det.)
T1583.001 Domains (61 det.)
T1583.006 Web Services (1 det.)
T1584.001 Domains (3 det.)
T1587 Develop Capabilities (4 det.)
T1587.001 Malware (9 det.)
T1588.002 Tool (13 det.)
T1589.002 Email Addresses (2 det.)
T1598 Phishing for Information (843 det.)
T1598.003 Spearphishing Link (271 det.)
T1608.001 Upload Malware (2 det.)
T1620 Reflective Code Loading (12 det.)
T1656 Impersonation (172 det.)
T1657 Financial Theft (12 det.)