Lazarus Group

Aliases: Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) corre...
Detection coverage: 86 of 95 techniques mapped to this group have at least one detection (91%); 9 techniques are gaps.

Covered techniques (86), with the number of detections tagged to each:
| Technique ID | Technique | Detections |
|---|---|---|
| T1001.003 | Protocol or Service Impersonation | 2 |
| T1005 | Data from Local System | 47 |
| T1008 | Fallback Channels | 5 |
| T1010 | Application Window Discovery | 1 |
| T1012 | Query Registry | 24 |
| T1016 | System Network Configuration Discovery | 39 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1021.004 | SSH | 34 |
| T1027.009 | Embedded Payloads | 2 |
| T1027.013 | Encrypted/Encoded File | 8 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.003 | Rename Legitimate Utilities | 47 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 21 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1055.001 | Dynamic-link Library Injection | 13 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1070 | Indicator Removal | 62 |
| T1070.003 | Clear Command History | 15 |
| T1070.004 | File Deletion | 42 |
| T1070.006 | Timestomp | 10 |
| T1071.001 | Web Protocols | 80 |
| T1074.001 | Local Data Staging | 10 |
| T1078 | Valid Accounts | 280 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1090.001 | Internal Proxy | 10 |
| T1090.002 | External Proxy | 6 |
| T1098 | Account Manipulation | 213 |
| T1102.002 | Bidirectional Communication | 15 |
| T1105 | Ingress Tool Transfer | 183 |
| T1106 | Native API | 29 |
| T1110.003 | Password Spraying | 66 |
| T1124 | System Time Discovery | 4 |
| T1132.001 | Standard Encoding | 5 |
| T1134.002 | Create Process with Token | 16 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1189 | Drive-by Compromise | 10 |
| T1202 | Indirect Command Execution | 58 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.002 | Malicious File | 425 |
| T1218 | System Binary Proxy Execution | 245 |
| T1218.005 | Mshta | 49 |
| T1218.011 | Rundll32 | 75 |
| T1485 | Data Destruction | 91 |
| T1489 | Service Stop | 57 |
| T1491.001 | Internal Defacement | 4 |
| T1529 | System Shutdown/Reboot | 18 |
| T1542.003 | Bootkit | 4 |
| T1543.003 | Windows Service | 79 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1547.009 | Shortcut Modification | 6 |
| T1553.002 | Code Signing | 3 |
| T1557.001 | Name Resolution Poisoning and SMB Relay | 23 |
| T1560 | Archive Collected Data | 12 |
| T1560.002 | Archive via Library | 1 |
| T1561.001 | Disk Content Wipe | 2 |
| T1561.002 | Disk Structure Wipe | 3 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1562.004 | Disable or Modify System Firewall | 48 |
| T1564.001 | Hidden Files and Directories | 25 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1566.003 | Spearphishing via Service | 88 |
| T1571 | Non-Standard Port | 16 |
| T1574.001 | DLL | 109 |
| T1574.013 | KernelCallbackTable | 2 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1587.001 | Malware | 10 |
| T1588.002 | Tool | 13 |
| T1588.004 | Digital Certificates | 1 |
| T1589.002 | Email Addresses | 2 |
| T1620 | Reflective Code Loading | 14 |
| T1685 | Disable or Modify Tools | 278 |
| T1686.003 | Windows Host Firewall | 20 |
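The covered/gap/percentage figures above are the output of a simple set comparison between the techniques ATT&CK maps to the group and the techniques your detection inventory is tagged with. The example below, added here and not code from the page or from whatever tool produced it, computes those figures from constructed sample data. It also exposes the one decision the numbers hide: whether a detection tagged only with a parent technique (for instance T1218) should count as coverage for its sub-techniques (T1218.011). It does not by default, because a rule written for the parent does not necessarily fire on every sub-technique. The `roll_up_parent` flag, the `Coverage` type and the sample data are all assumptions of this example.

```python
"""Detection coverage of a threat group's ATT&CK technique set.

Added example; not the page's or the dashboard's own code.
Sample technique IDs and detection counts below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Coverage:
    techniques: int
    covered: int
    gaps: int
    pct: int            # whole-percent figure, rounded half up
    gap_ids: tuple      # sorted technique IDs with no detection


def parent_of(tid: str) -> str:
    """'T1218.011' -> 'T1218'; a parent ID maps to itself."""
    return tid.split(".", 1)[0]


def pct(covered: int, total: int) -> int:
    """Round-half-up percentage as an int; 0 when there is nothing to cover."""
    if total == 0:
        return 0
    return (200 * covered + total) // (2 * total)


def coverage(group_techniques, detections, roll_up_parent=False) -> Coverage:
    """Compare an actor's technique set against a detection inventory.

    group_techniques: iterable of ATT&CK IDs the actor is mapped to.
    detections: mapping ID -> number of detection rules tagged with it.
    roll_up_parent: when True, a detection tagged only with the parent
    technique also counts for each of its sub-techniques. Off by default:
    a rule for T1218 does not imply coverage of T1218.011.
    """
    techs = sorted(set(group_techniques))

    def has_detection(tid: str) -> bool:
        if detections.get(tid, 0) > 0:
            return True
        return roll_up_parent and detections.get(parent_of(tid), 0) > 0

    covered = [t for t in techs if has_detection(t)]
    gaps = [t for t in techs if not has_detection(t)]
    return Coverage(
        techniques=len(techs),
        covered=len(covered),
        gaps=len(gaps),
        pct=pct(len(covered), len(techs)),
        gap_ids=tuple(gaps),
    )


# Constructed sample: a small technique set and inventory, not the page's data.
SAMPLE_GROUP = ["T1059.001", "T1218", "T1218.011", "T1566.001", "T1485", "T1561.002"]
SAMPLE_DETECTIONS = {"T1059.001": 368, "T1218": 245, "T1566.001": 905, "T1485": 91}

if __name__ == "__main__":
    for roll_up in (False, True):
        c = coverage(SAMPLE_GROUP, SAMPLE_DETECTIONS, roll_up_parent=roll_up)
        print(f"roll_up_parent={roll_up}: {c.covered}/{c.techniques} "
              f"({c.pct}%), gaps={c.gap_ids}")
```

Run it and the same inventory reports two different coverage numbers depending on the roll-up choice, so state which convention a dashboard uses before comparing its percentage with another tool's.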