MITRE ATT&CK® Group

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

Domain: Enterprise | ID: G0102 | Type: Group | Object version: 4.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Wizard Spider matters because ATT&CK describes it as a financially motivated group associated with TrickBot and ransomware campaigns affecting major corporations and hospitals. For leaders, the practical issue is not a single malware name; it is whether the organization can detect and contain a Windows/Active Directory-centered intrusion path before credential theft, lateral movement tooling, and ransomware deployment create business disruption.

Executive priority

Prioritize this as an operational resilience and incident-readiness concern. The ATT&CK relationships connect Wizard Spider to credential dumping, Active Directory reconnaissance, remote execution/admin utilities, backdoors, downloaders, and ransomware families such as Ryuk, Conti, and Diavol. Executives should ask whether identity controls, endpoint visibility, backup recovery, ransomware playbooks, and healthcare or critical operations continuity evidence are tested together rather than managed as separate control areas.

Technical view

ATT&CK provides no group-level detection text or platforms, so teams should validate coverage through the related software and technique relationships. Emphasis should be on Windows and Active Directory telemetry where supported by related objects: LSASS access, Mimikatz/LaZagne/Rubeus-style credential activity, BloodHound/AdFind/Nltest/Net domain discovery, PsExec-style remote execution, BITSAdmin transfer activity, Cobalt Strike/Empire/SystemBC/Anchor/Bazar/TrickBot/Emotet-related execution or C2 indicators, and ransomware precursors associated with Ryuk, Conti, Diavol, and GrimAgent. Treat legitimate admin tools such as PsExec, Net, Ping, BITSAdmin, Nltest, and AdFind as high-context detections requiring baselines, user/process lineage, and change-window awareness.

Likely telemetry

  • Endpoint process creation and command-line logs on Windows systems
  • LSASS access and credential dumping alerts or EDR events
  • Windows authentication, Kerberos, and privileged logon events
  • Active Directory query and domain trust enumeration evidence
  • Remote service creation, admin share, and PsExec-like execution logs

Detection direction

  • Map detections to the related ATT&CK objects rather than relying on the Wizard Spider group object, because no official detection guidance is supplied.
  • Validate whether credential-access coverage includes LSASS memory access and known credential tools such as Mimikatz, LaZagne, and Rubeus.
  • Tune detections for living-off-the-land and dual-use utilities by correlating command line, parent process, user role, host criticality, and lateral movement context.
  • Baseline legitimate Active Directory administration so BloodHound, AdFind, Nltest, and Net-style enumeration stands out when performed by unusual users or hosts.
  • Correlate downloader/backdoor activity with follow-on lateral movement and ransomware staging instead of treating each alert as isolated.
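
The correlation the last two bullets call for, as an added example (this is not Glexia or MITRE code): a small Python analytic over constructed, Sysmon-style process-creation and registry-set records. It classifies command lines into the discovery, credential-access and recovery-inhibition behaviours the relationship table attributes to the group, suppresses Active Directory enumeration from an assumed baseline of approved admins on admin hosts, and only raises a finding when one host accumulates two or more categories inside a time window. The field names, hosts, users, rule names and the approved-admin baseline are assumptions for illustration.

```python
"""Correlate Wizard Spider-style dual-use tool activity on Windows hosts.

Added example for this page, not Glexia or MITRE code. The records below are
constructed, simplified Sysmon-style events (eid 1 = process creation,
eid 13 = registry value set); field names, hosts, users and the baseline of
approved admin accounts/hosts are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": "2024-03-01T09:00:10", "host": "WS-104", "user": "corp\\jdoe", "eid": 1,
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2024-03-01T09:00:42", "host": "WS-104", "user": "corp\\jdoe", "eid": 1,
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest /dclist:corp"},
    {"ts": "2024-03-01T09:03:15", "host": "WS-104", "user": "corp\\jdoe", "eid": 1,
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer -csv name operatingSystem"},
    {"ts": "2024-03-01T09:05:00", "host": "WS-104", "user": "corp\\jdoe", "eid": 13,
     "target": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"ts": "2024-03-01T09:12:30", "host": "WS-104", "user": "corp\\jdoe", "eid": 1,
     "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign: an approved admin enumerating DCs from the admin jump host.
    {"ts": "2024-03-01T10:00:00", "host": "JUMP-01", "user": "corp\\adm-alice", "eid": 1,
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dclist:corp"},
]

# Baseline (assumption): who may run AD tooling, and from which hosts.
APPROVED_ADMINS = {"corp\\adm-alice"}
ADMIN_HOSTS = {"JUMP-01"}

# (category, regex) pairs over the command line; categories follow the
# page's technique entries, the names are ours.
PROCESS_RULES = [
    ("ad_discovery", re.compile(r'net1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ("ad_discovery", re.compile(r"nltest(\.exe)?\s+/dclist", re.I)),
    ("ad_discovery", re.compile(r"adfind(\.exe)?\s", re.I)),
    ("cred_access", re.compile(r"get-gpppassword|invoke-kerberoast|invoke-wcmdump", re.I)),
    ("cred_access", re.compile(r"ntdsutil.*\bifm\b.*create\s+full", re.I)),
    ("inhibit_recovery", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
]
WDIGEST_VALUE = r"SecurityProviders\WDigest\UseLogonCredential"


def classify(event):
    """Return the set of behaviour categories an event matches (empty if none)."""
    if event["eid"] == 13:
        # WDigest UseLogonCredential=1 forces plaintext credentials into memory.
        if event["target"].endswith(WDIGEST_VALUE) and "0x00000001" in event["details"]:
            return {"cred_access"}
        return set()
    cats = {c for c, rx in PROCESS_RULES if rx.search(event["cmdline"])}
    # Discovery alone from an approved admin on an admin host is baseline noise.
    if cats == {"ad_discovery"} and event["user"] in APPROVED_ADMINS and event["host"] in ADMIN_HOSTS:
        return set()
    return cats


def correlate(events, window_minutes=30):
    """Per host, look for a window whose matched events span two or more
    categories; that chain, not any single alert, is the finding."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = classify(ev)
        if cats:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats, ev))
    window, findings = timedelta(minutes=window_minutes), []
    for host, hits in per_host.items():
        for i, (t0, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = set().union(*(c for _, c, _ in in_win))
            if len(cats) >= 2:
                findings.append({"host": host, "user": in_win[0][2]["user"],
                                 "categories": sorted(cats), "events": len(in_win)})
                break
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Run against the constructed records, the approved admin's nltest on JUMP-01 produces nothing, while WS-104 yields one finding spanning all three categories. The baseline check is deliberately narrow: it only suppresses pure discovery, so credential-access or shadow-copy deletion by an approved admin still surfaces, which is the change-window review the text asks for.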

Mitigation priorities

  • Harden identity first: reduce standing privilege, protect domain controllers, monitor privileged sessions, and restrict credential exposure on Windows endpoints.
  • Limit and monitor administrative remote execution paths, including PsExec-like behavior and administrative shares.
  • Control use of dual-use tools through allowlisting, least privilege, and logging rather than assuming all instances are malicious.
  • Strengthen endpoint prevention and response coverage on systems that can materially affect business continuity.
  • Segment critical services and validate that ransomware cannot easily propagate from user workstations into core operations.

Analyst notes and limits

This take is based on the ATT&CK Wizard Spider intrusion-set object and its supplied relationships. The group has many aliases, including UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193, Pistachio Tempest, and DEV-0237. The relationship set strongly emphasizes Windows, Active Directory, credential access, remote execution, downloaders/backdoors, and ransomware operations. Healthcare relevance is supported by the official description and DHS/CISA ransomware targeting healthcare reference, but local sector exposure must be assessed by the organization.

ATT&CK does not provide official detection text, group-level tactics, or group-level platforms for this object. Related software platforms indicate where defensive validation is likely relevant, but they do not prove activity in any specific environment. This summary does not assert current exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
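
One way to act on that advice, as an added example rather than Glexia or MITRE code: walk the `uses` relationships in an ATT&CK STIX bundle from the intrusion-set to its techniques, both those attributed directly and those inherited through the software it uses, then diff that list against a local detection inventory. The bundle here is a constructed, trimmed subset shaped like ATT&CK's STIX 2.1 objects (object IDs are made up, and only four techniques from this page's table are included); the detection inventory and its rule names are assumptions.

```python
"""Derive a detection-coverage checklist from ATT&CK 'uses' relationships.

Added example for this page, not Glexia or MITRE code. BUNDLE is a
constructed, trimmed STIX-2.1-shaped subset: real ATT&CK bundles use the same
object and relationship types with many more fields. IDs are invented and the
DETECTIONS inventory is an assumption.
"""
from collections import defaultdict

BUNDLE = {"objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g0102", "name": "Wizard Spider",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0102"}]},
    {"type": "malware", "id": "malware--trickbot", "name": "TrickBot"},
    {"type": "tool", "id": "tool--nltest", "name": "Nltest"},
    {"type": "attack-pattern", "id": "attack-pattern--t1003-001", "name": "LSASS Memory",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1018", "name": "Remote System Discovery",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1018"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1543-003", "name": "Windows Service",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1543.003"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1490", "name": "Inhibit System Recovery",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1490"}]},
    # group -> software, group -> technique, software -> technique
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0102", "target_ref": "malware--trickbot"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0102", "target_ref": "tool--nltest"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0102", "target_ref": "attack-pattern--t1490"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0102", "target_ref": "attack-pattern--t1003-001"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "malware--trickbot", "target_ref": "attack-pattern--t1543-003"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "tool--nltest", "target_ref": "attack-pattern--t1018"},
]}

# Assumed local detection inventory: technique ID -> rule names.
DETECTIONS = {"T1003.001": ["edr_lsass_read"], "T1543.003": ["svc_install_unsigned_binary"]}


def attack_id(obj):
    """Pull the ATT&CK external ID (G0102, T1003.001, ...) from a STIX object."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def techniques_for_group(bundle, group_ext_id):
    """Return {technique_id: {"name", "via"}} for techniques the group uses
    directly plus those inherited from the software it uses."""
    by_id = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    uses = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "uses":
            uses[o["source_ref"]].add(o["target_ref"])
    group = next(o for o in by_id.values()
                 if o["type"] == "intrusion-set" and attack_id(o) == group_ext_id)
    result = {}

    def add(target_id, via):
        target = by_id[target_id]
        if target["type"] == "attack-pattern":
            entry = result.setdefault(attack_id(target), {"name": target["name"], "via": set()})
            entry["via"].add(via)

    for tgt in uses[group["id"]]:
        add(tgt, group["name"])
        if by_id[tgt]["type"] in ("malware", "tool"):  # one hop through software
            for sub in uses[tgt]:
                add(sub, by_id[tgt]["name"])
    return result


def coverage_gaps(techniques, detections):
    """Technique IDs with no mapped detection, sorted for a checklist."""
    return sorted(t for t in techniques if not detections.get(t))


if __name__ == "__main__":
    techs = techniques_for_group(BUNDLE, "G0102")
    for tid, info in sorted(techs.items()):
        status = "covered" if DETECTIONS.get(tid) else "GAP"
        print(f"{tid:10} {info['name']:26} via {', '.join(sorted(info['via'])):14} {status}")
```

The `via` field matters in practice: a gap inherited through TrickBot or Nltest tells you which software's own ATT&CK page to read next, and a real bundle also carries `x_mitre_platforms` on each technique and software object, which is how the "related software platforms" caveat in the analyst notes can be computed rather than eyeballed.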

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

60 rows
Domain ID Name Relationship / procedure
Enterprise T1136.001 Local Account Sub-technique

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.CitationMandiant FIN12 Oct 2021

Enterprise T1588.003 Code Signing Certificates Sub-technique

Wizard Spider has obtained code signing certificates signed by DigiCert, GlobalSign, and COMODO for malware payloads.CitationDFIR Ryuk 2 Hour Speed Run November 2020CitationMandiant FIN12 Oct 2021

Enterprise T1210 Exploitation of Remote Services

Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.CitationFireEye KEGTAP SINGLEMALT October 2020CitationDFIR Ryuk's Return October 2020CitationDFIR Ryuk in 5 Hours October 2020

Enterprise T1560.001 Archive via Utility Sub-technique

Wizard Spider has archived data into ZIP files on compromised machines.CitationMandiant FIN12 Oct 2021

Enterprise T1059.003 Windows Command Shell Sub-technique

Wizard Spider has used `cmd.exe` to execute commands on a victim's machine.CitationDFIR Ryuk's Return October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1047 Windows Management Instrumentation

Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware.CitationCrowdStrike Grim Spider May 2019CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationFireEye KEGTAP SINGLEMALT October 2020CitationRed Canary Hospital Thwarted Ryuk October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1588.002 Tool Sub-technique

Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.CitationFireEye KEGTAP SINGLEMALT October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1543.003 Windows Service Sub-technique

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.CitationCrowdStrike Grim Spider May 2019CitationMandiant FIN12 Oct 2021

Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.CitationDFIR Ryuk 2 Hour Speed Run November 2020CitationDFIR Ryuk's Return October 2020

Enterprise T1074 Data Staged

Wizard Spider has collected and staged credentials and network enumeration information, using the networkdll and psfin TrickBot modules.CitationCrowdStrike Grim Spider May 2019

Enterprise T1078.002 Domain Accounts Sub-technique

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.CitationFireEye KEGTAP SINGLEMALT October 2020

Enterprise T1055 Process Injection

Wizard Spider has used process injection to execute payloads to escalate privileges.CitationMandiant FIN12 Oct 2021

Enterprise T1021 Remote Services

Wizard Spider has used the WebDAV protocol to execute Ryuk payloads hosted on network file shares.CitationMandiant FIN12 Oct 2021

Enterprise T1021.001 Remote Desktop Protocol Sub-technique

Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.CitationCrowdStrike Grim Spider May 2019CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationDFIR Ryuk 2 Hour Speed Run November 2020CitationMandiant FIN12 Oct 2021

Enterprise T1550.002 Pass the Hash Sub-technique

Wizard Spider has used the `Invoke-SMBExec` PowerShell cmdlet to execute the pass-the-hash technique and utilized stolen password hashes to move laterally.CitationMandiant FIN12 Oct 2021

Enterprise T1222.001 Windows Permissions Sub-technique

Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.CitationSophos New Ryuk Attack October 2020

Enterprise T1570 Lateral Tool Transfer

Wizard Spider has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.CitationCrowdStrike Grim Spider May 2019

Enterprise T1204.002 Malicious File Sub-technique

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.CitationCrowdStrike Grim Spider May 2019CitationCrowdStrike Wizard Spider October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1053.005 Scheduled Task Sub-technique

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.CitationCrowdStrike Grim Spider May 2019CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationFireEye KEGTAP SINGLEMALT October 2020CitationDFIR Ryuk 2 Hour Speed Run November 2020CitationMandiant FIN12 Oct 2021

Enterprise T1027.010 Command Obfuscation Sub-technique

Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.CitationFireEye Ryuk and Trickbot January 2019CitationDFIR Ryuk's Return October 2020

Enterprise T1070.004 File Deletion Sub-technique

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.CitationCrowdStrike Grim Spider May 2019

Enterprise T1552.006 Group Policy Preferences Sub-technique

Wizard Spider has used PowerShell cmdlets `Get-GPPPassword` and `Find-GPOPassword` to find unsecured credentials in a compromised network group policy.CitationMandiant FIN12 Oct 2021

Enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique

Wizard Spider has exfiltrated victim information using FTP.CitationDFIR Ryuk's Return October 2020CitationDFIR Ryuk 2 Hour Speed Run November 2020

Enterprise T1685 Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationFireEye KEGTAP SINGLEMALT October 2020CitationDFIR Ryuk's Return October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1518.001 Security Software Discovery Sub-technique

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.CitationDFIR Ryuk's Return October 2020

Enterprise T1218.011 Rundll32 Sub-technique

Wizard Spider has utilized `rundll32.exe` to deploy ransomware commands with the use of WebDAV.CitationMandiant FIN12 Oct 2021

Enterprise T1558.003 Kerberoasting Sub-technique

Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.CitationDFIR Ryuk's Return October 2020CitationFireEye KEGTAP SINGLEMALT October 2020CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationDFIR Ryuk 2 Hour Speed Run November 2020CitationMandiant FIN12 Oct 2021

Enterprise T1059.001 PowerShell Sub-technique

Wizard Spider has used macros to execute PowerShell scripts to download malware onto victims' machines.CitationCrowdStrike Grim Spider May 2019 It has also used PowerShell to execute commands and move laterally through a victim network.CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationFireEye KEGTAP SINGLEMALT October 2020CitationRed Canary Hospital Thwarted Ryuk October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.CitationMandiant FIN12 Oct 2021

Enterprise T1112 Modify Registry

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential value to 1, which forces WDigest to keep plaintext credentials cached in memory where they can later be dumped from LSASS.CitationCrowdStrike Grim Spider May 2019CitationMandiant FIN12 Oct 2021

Enterprise T1490 Inhibit System Recovery

Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies. Wizard Spider has also used Conti ransomware to delete volume shadow copies automatically with the use of vssadmin.CitationMandiant FIN12 Oct 2021

Enterprise T1133 External Remote Services

Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.CitationFireEye KEGTAP SINGLEMALT October 2020

Enterprise T1547.004 Winlogon Helper DLL Sub-technique

Wizard Spider has established persistence through the Userinit value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so that its binary is launched at user logon.CitationFireEye KEGTAP SINGLEMALT October 2020

Enterprise T1036.004 Masquerade Task or Service Sub-technique

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.CitationCrowdStrike Grim Spider May 2019 It has also used common document file names for other malware binaries.CitationFireEye KEGTAP SINGLEMALT October 2020

Enterprise T1087.002 Domain Account Sub-technique

Wizard Spider has identified domain admins through the use of `net group "Domain admins" /DOMAIN`. Wizard Spider has also leveraged the PowerShell cmdlet `Get-ADComputer` to collect account names from Active Directory data.CitationDFIR Ryuk's Return October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1518.002 Backup Software Discovery Sub-technique

Wizard Spider has utilized the PowerShell script `Get-DataInfo.ps1` to collect installed backup software information from a compromised machine.CitationMandiant FIN12 Oct 2021

Enterprise T1071.001 Web Protocols Sub-technique

Wizard Spider has used HTTP for network communications.CitationCrowdStrike Grim Spider May 2019

Enterprise T1553.002 Code Signing Sub-technique

Wizard Spider has used Digicert code-signing certificates for some of its malware.CitationDFIR Ryuk 2 Hour Speed Run November 2020

Enterprise T1136.002 Domain Account Sub-technique

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.CitationMandiant FIN12 Oct 2021

Enterprise T1074.001 Local Data Staging Sub-technique

Wizard Spider has staged ZIP files in local directories such as `C:\PerfLogs\1\` and `C:\User\1\` prior to exfiltration.CitationMandiant FIN12 Oct 2021

Enterprise T1557.001 Name Resolution Poisoning and SMB Relay Sub-technique

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.CitationFireEye KEGTAP SINGLEMALT October 2020

Enterprise T1105 Ingress Tool Transfer

Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.CitationMandiant FIN12 Oct 2021

Enterprise T1003.003 NTDS Sub-technique

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect NTDS.dit with the use of the Windows utility, ntdsutil.CitationFireEye KEGTAP SINGLEMALT October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1016 System Network Configuration Discovery

Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet `Get-ADComputer` to collect IP address data from Active Directory.CitationSophos New Ryuk Attack October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1585.002 Email Accounts Sub-technique

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.CitationMandiant FIN12 Oct 2021

Enterprise T1033 System Owner/User Discovery

Wizard Spider has used "whoami" to identify the local user and their privileges.CitationSophos New Ryuk Attack October 2020

Enterprise T1078 Valid Accounts

Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.CitationCrowdStrike Grim Spider May 2019CitationMandiant FIN12 Oct 2021

Enterprise T1204.001 Malicious Link Sub-technique

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.CitationDHS/CISA Ransomware Targeting Healthcare October 2020

Enterprise T1003.001 LSASS Memory Sub-technique

Wizard Spider has dumped the lsass.exe memory to harvest credentials with the use of open-source tool LaZagne.CitationMandiant FIN12 Oct 2021

Enterprise T1041 Exfiltration Over C2 Channel

Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.CitationCrowdStrike Grim Spider May 2019CitationMandiant FIN12 Oct 2021

Enterprise T1566.001 Spearphishing Attachment Sub-technique

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.CitationCrowdStrike Grim Spider May 2019CitationRed Canary Hospital Thwarted Ryuk October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1003.002 Security Account Manager Sub-technique

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.CitationFireEye KEGTAP SINGLEMALT October 2020

Enterprise T1489 Service Stop

Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.CitationDFIR Ryuk's Return October 2020

Enterprise T1566.002 Spearphishing Link Sub-technique

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.CitationDHS/CISA Ransomware Targeting Healthcare October 2020CitationDFIR Ryuk 2 Hour Speed Run November 2020

Enterprise T1018 Remote System Discovery

Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind, nltest/dclist, and PowerShell script Get-DataInfo.ps1 to enumerate domain computers, including the domain controller.CitationFireEye Ryuk and Trickbot January 2019CitationCrowdStrike Grim Spider May 2019CitationFireEye KEGTAP SINGLEMALT October 2020CitationRed Canary Hospital Thwarted Ryuk October 2020CitationDFIR Ryuk's Return October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1005 Data from Local System

Wizard Spider has collected data from a compromised host prior to exfiltration.CitationMandiant FIN12 Oct 2021

Enterprise T1082 System Information Discovery

Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet `Get-ADComputer` to collect DNS hostnames, last logon dates, and operating system information from Active Directory.CitationDFIR Ryuk's Return October 2020CitationMandiant FIN12 Oct 2021

Enterprise T1555.004 Windows Credential Manager Sub-technique

Wizard Spider has used PowerShell cmdlet `Invoke-WCMDump` to enumerate Windows credentials in the Credential Manager in a compromised network.CitationMandiant FIN12 Oct 2021

Enterprise T1135 Network Share Discovery

Wizard Spider has used the `net view` command to locate mapped network shares.CitationDHS/CISA Ransomware Targeting Healthcare October 2020

Enterprise T1569.002 Service Execution Sub-technique

Wizard Spider has used `services.exe` to execute scripts and executables during lateral movement within a victim's network. Wizard Spider has also used batch scripts that leverage PsExec to execute a previously transferred ransomware payload on a victim's network.CitationDFIR Ryuk's Return October 2020CitationDFIR Ryuk in 5 Hours October 2020CitationMandiant FIN12 Oct 2021

Associated objects

Groups, software, and campaigns

Malware Enterprise

S0266: TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

Windows
Malware Enterprise

S9001: SystemBC

SystemBC is a malware family offered as malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. SystemBC executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handling C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020, and by FIN7 since at least 2022.[1][2][3][4][5]

Linux, Windows
Tool Enterprise

S0097: Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

Malware Enterprise

S0534: Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]

Windows
Tool Enterprise

S0349: LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

Linux, macOS, Windows
Tool Enterprise

S0359: Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]

Windows
Malware Enterprise

S0446: Ryuk

Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[1][2][3]

Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 4.1
Raw hash: b5b0e2978bc05f29...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 4.1 | | Current bundle | b5b0e2978bc0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CrowdStrike Ryuk January 2019
     Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  2. [2] DHS/CISA Ransomware Targeting Healthcare October 2020
     DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  3. [3] CrowdStrike Wizard Spider October 2020
     Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  4. [4] CrowdStrike Grim Spider May 2019
     John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  5. [5] DEV-0193 (alias)
     Citation: Microsoft Threat Actor Naming July 2023.
  6. [6] DEV-0237 (alias)
     Citation: Microsoft_PistachioTempest_Jan2024.
  7. [7] FIN12 (alias)
     Citation: Mandiant FIN12 Oct 2021.
  8. [8] FireEye KEGTAP SINGLEMALT October 2020
     Goody, K., Kennelly, J., Shilko, J., Elovitz, S., Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  9. [9] FireEye Ryuk and Trickbot January 2019
     Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  10. [10] GOLD BLACKBURN (alias)
     Citation: Secureworks Gold Blackburn Mar 2022.
  11. [11] Grim Spider (alias)
     Citations: CrowdStrike Ryuk January 2019; CrowdStrike Grim Spider May 2019.
  12. [12] IBM X-Force ITG23 Oct 2021
     Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.
  13. [13] ITG23 (alias)
     Citation: IBM X-Force ITG23 Oct 2021.
  14. [14] Mandiant FIN12 Oct 2021
     Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  15. [15] Microsoft Threat Actor Naming July 2023
     Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  16. [16] Microsoft_PistachioTempest_Jan2024
     Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.
  17. [17] Periwinkle Tempest (alias)
     Citation: Microsoft Threat Actor Naming July 2023.
  18. [18] Pistachio Tempest (alias)
     Citation: Microsoft_PistachioTempest_Jan2024.
  19. [19] Secureworks Gold Blackburn Mar 2022
     Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.
  20. [20] TEMP.MixMaster (alias)
     Citation: FireEye Ryuk and Trickbot January 2019.
  21. [21] UNC1878 (alias)
     Citation: FireEye KEGTAP SINGLEMALT October 2020.
  22. [22] mitre-attack G0102
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.