Wizard Spider
Also known as: Wizard Spider, UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020...
Techniques: 64
Covered: 61
Gaps: 3
Coverage: 95% (61/64)
COVERED (61)
Technique ID, technique name, and number of mapped detections:

T1003.001 LSASS Memory (105 det.)
T1003.002 Security Account Manager (45 det.)
T1003.003 NTDS (34 det.)
T1005 Data from Local System (46 det.)
T1016 System Network Configuration Discovery (35 det.)
T1018 Remote System Discovery (46 det.)
T1021 Remote Services (94 det.)
T1021.001 Remote Desktop Protocol (51 det.)
T1021.002 SMB/Windows Admin Shares (67 det.)
T1021.006 Windows Remote Management (22 det.)
T1027.010 Command Obfuscation (31 det.)
T1033 System Owner/User Discovery (59 det.)
T1036.004 Masquerade Task or Service (7 det.)
T1041 Exfiltration Over C2 Channel (30 det.)
T1047 Windows Management Instrumentation (85 det.)
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (20 det.)
T1053.005 Scheduled Task (82 det.)
T1055 Process Injection (76 det.)
T1055.001 Dynamic-link Library Injection (11 det.)
T1059.001 PowerShell (338 det.)
T1059.003 Windows Command Shell (79 det.)
T1070.004 File Deletion (40 det.)
T1071.001 Web Protocols (74 det.)
T1074 Data Staged (12 det.)
T1074.001 Local Data Staging (10 det.)
T1078 Valid Accounts (252 det.)
T1078.002 Domain Accounts (26 det.)
T1082 System Information Discovery (80 det.)
T1087.002 Domain Account (55 det.)
T1105 Ingress Tool Transfer (170 det.)
T1112 Modify Registry (197 det.)
T1133 External Remote Services (72 det.)
T1135 Network Share Discovery (16 det.)
T1136.001 Local Account (42 det.)
T1136.002 Domain Account (9 det.)
T1197 BITS Jobs (23 det.)
T1204.001 Malicious Link (9 det.)
T1204.002 Malicious File (397 det.)
T1210 Exploitation of Remote Services (33 det.)
T1218.011 Rundll32 (73 det.)
T1222.001 Windows File and Directory Permissions Modification (22 det.)
T1489 Service Stop (54 det.)
T1490 Inhibit System Recovery (56 det.)
T1518.001 Security Software Discovery (8 det.)
T1543.003 Windows Service (79 det.)
T1547.001 Registry Run Keys / Startup Folder (50 det.)
T1547.004 Winlogon Helper DLL (4 det.)
T1550.002 Pass the Hash (9 det.)
T1552.006 Group Policy Preferences (8 det.)
T1553.002 Code Signing (3 det.)
T1555.004 Windows Credential Manager (8 det.)
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay (22 det.)
T1558.003 Kerberoasting (31 det.)
T1560.001 Archive via Utility (24 det.)
T1562.001 Disable or Modify Tools (300 det.)
T1566.001 Spearphishing Attachment (850 det.)
T1566.002 Spearphishing Link (837 det.)
T1567.002 Exfiltration to Cloud Storage (27 det.)
T1569.002 Service Execution (63 det.)
T1570 Lateral Tool Transfer (20 det.)
T1588.002 Tool (13 det.)