Wizard Spider
Wizard Spider, UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193, Pistachio Tempest, DEV-0237
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020...
Techniques: 65 | Covered: 62 | Gaps: 3 | Coverage: 95% (62/65)
COVERED (62)
| Technique | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.002 | Security Account Manager | 49 |
| T1003.003 | NTDS | 36 |
| T1005 | Data from Local System | 47 |
| T1016 | System Network Configuration Discovery | 39 |
| T1018 | Remote System Discovery | 50 |
| T1021 | Remote Services | 101 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1021.006 | Windows Remote Management | 22 |
| T1027.010 | Command Obfuscation | 38 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1047 | Windows Management Instrumentation | 87 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 21 |
| T1053.005 | Scheduled Task | 99 |
| T1055 | Process Injection | 79 |
| T1055.001 | Dynamic-link Library Injection | 13 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1070.004 | File Deletion | 42 |
| T1071.001 | Web Protocols | 80 |
| T1074 | Data Staged | 12 |
| T1074.001 | Local Data Staging | 10 |
| T1078 | Valid Accounts | 280 |
| T1078.002 | Domain Accounts | 28 |
| T1082 | System Information Discovery | 86 |
| T1087.002 | Domain Account | 57 |
| T1105 | Ingress Tool Transfer | 183 |
| T1112 | Modify Registry | 203 |
| T1133 | External Remote Services | 72 |
| T1135 | Network Share Discovery | 20 |
| T1136.001 | Local Account | 43 |
| T1136.002 | Domain Account | 11 |
| T1197 | BITS Jobs | 25 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1210 | Exploitation of Remote Services | 35 |
| T1218.011 | Rundll32 | 75 |
| T1222.001 | Windows Permissions | 23 |
| T1489 | Service Stop | 57 |
| T1490 | Inhibit System Recovery | 59 |
| T1518.001 | Security Software Discovery | 10 |
| T1543.003 | Windows Service | 79 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1547.004 | Winlogon Helper DLL | 4 |
| T1550.002 | Pass the Hash | 10 |
| T1552.006 | Group Policy Preferences | 9 |
| T1553.002 | Code Signing | 3 |
| T1555.004 | Windows Credential Manager | 9 |
| T1557.001 | Name Resolution Poisoning and SMB Relay | 23 |
| T1558.003 | Kerberoasting | 34 |
| T1560.001 | Archive via Utility | 26 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1569.002 | Service Execution | 64 |
| T1570 | Lateral Tool Transfer | 22 |
| T1588.002 | Tool | 13 |
| T1685 | Disable or Modify Tools | 278 |