Lazarus Group
Aliases: Lazarus Group, Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) corre...
Techniques: 93 | Covered: 84 | Gaps: 9 | Coverage: 90% (84/93)
GAPS (9)

COVERED (84)

| Technique ID | Name | Detections |
|---|---|---|
| T1001.003 | Protocol or Service Impersonation | 2 |
| T1005 | Data from Local System | 46 |
| T1008 | Fallback Channels | 5 |
| T1010 | Application Window Discovery | 1 |
| T1012 | Query Registry | 22 |
| T1016 | System Network Configuration Discovery | 35 |
| T1021.001 | Remote Desktop Protocol | 51 |
| T1021.002 | SMB/Windows Admin Shares | 67 |
| T1021.004 | SSH | 31 |
| T1027.009 | Embedded Payloads | 1 |
| T1027.013 | Encrypted/Encoded File | 7 |
| T1033 | System Owner/User Discovery | 59 |
| T1036.003 | Rename Legitimate Utilities | 47 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1041 | Exfiltration Over C2 Channel | 30 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 20 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.005 | Scheduled Task | 82 |
| T1055.001 | Dynamic-link Library Injection | 11 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1070 | Indicator Removal | 56 |
| T1070.003 | Clear Command History | 14 |
| T1070.004 | File Deletion | 40 |
| T1070.006 | Timestomp | 9 |
| T1071.001 | Web Protocols | 74 |
| T1074.001 | Local Data Staging | 10 |
| T1078 | Valid Accounts | 252 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1090.001 | Internal Proxy | 10 |
| T1090.002 | External Proxy | 6 |
| T1098 | Account Manipulation | 186 |
| T1102.002 | Bidirectional Communication | 14 |
| T1105 | Ingress Tool Transfer | 170 |
| T1106 | Native API | 27 |
| T1110.003 | Password Spraying | 65 |
| T1124 | System Time Discovery | 4 |
| T1132.001 | Standard Encoding | 5 |
| T1134.002 | Create Process with Token | 13 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1189 | Drive-by Compromise | 10 |
| T1202 | Indirect Command Execution | 56 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.002 | Malicious File | 397 |
| T1218 | System Binary Proxy Execution | 227 |
| T1218.005 | Mshta | 46 |
| T1218.011 | Rundll32 | 73 |
| T1485 | Data Destruction | 90 |
| T1489 | Service Stop | 54 |
| T1491.001 | Internal Defacement | 4 |
| T1529 | System Shutdown/Reboot | 18 |
| T1542.003 | Bootkit | 3 |
| T1543.003 | Windows Service | 79 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1547.009 | Shortcut Modification | 6 |
| T1553.002 | Code Signing | 3 |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | 22 |
| T1560 | Archive Collected Data | 11 |
| T1560.002 | Archive via Library | 1 |
| T1561.001 | Disk Content Wipe | 1 |
| T1561.002 | Disk Structure Wipe | 3 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1562.004 | Disable or Modify System Firewall | 45 |
| T1564.001 | Hidden Files and Directories | 23 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.002 | Spearphishing Link | 837 |
| T1566.003 | Spearphishing via Service | 85 |
| T1571 | Non-Standard Port | 16 |
| T1574.001 | DLL | 106 |
| T1574.013 | KernelCallbackTable | 2 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1587.001 | Malware | 9 |
| T1588.002 | Tool | 13 |
| T1588.004 | Digital Certificates | 1 |
| T1589.002 | Email Addresses | 2 |
| T1620 | Reflective Code Loading | 12 |