^[5][2]

^[3][1][2]

^[2][5]

^[6]

^[6]

Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.^[5]

Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.^[5]

Fox Kitten has used 7-Zip to archive data.^[5]

Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets.^[5]

Fox Kitten has brute forced RDP credentials.^[4]

Fox Kitten has used a Perl reverse shell to communicate with C2.^[4]

Fox Kitten has used PowerShell scripts to access credential data.^[5]

Fox Kitten has used cmd.exe likely as a password changing mechanism.^[5]

Fox Kitten has created a local user account with administrator privileges.^[4]

Fox Kitten has used scripts to access credential information from the KeePass database.^[5]

Fox Kitten has obtained files from the victim's cloud storage instances.^[5]

Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.^[5]

Fox Kitten has searched local system resources to access sensitive documents.^[5]

Fox Kitten has searched network shares to access sensitive documents.^[5]

Fox Kitten has created KeyBase accounts to communicate with ransomware victims.^[4][7]

Fox Kitten has used a Twitter account to communicate with ransomware victims.^[4]

Fox Kitten has used sticky keys to launch a command prompt.^[5]

Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.^{[1][3][2][5][4]}

Fox Kitten has exploited known vulnerabilities in remote services including RDP.^[1][2][4]

Fox Kitten has used WizTree to obtain network files and directory listings.^[5]

Fox Kitten has downloaded additional tools includingPsExec directly to endpoints.^[5]

Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.^[5]

Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.^[5]

Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.^[5][4]

Fox Kitten has base64 encoded scripts to avoid detection.^[5]

Fox Kitten has base64 encoded payloads to avoid detection.^[5]

Fox Kitten has used prodump to dump credentials from LSASS.^[5]

Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.^[5]

Fox Kitten has used protocol tunneling for communication and RDP activity on compromised hosts through the use of open source tools such asngrok and custom tool SSHMinion.^[2][5][4]

Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.^[5][4][7]

Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.^[5]

Fox Kitten has used RDP to log in and move laterally in the target environment.^[5][4]

Fox Kitten has used valid accounts to access SMB shares.^[5]

Fox Kitten has used the PuTTY and Plink tools for lateral movement.^[5]

Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.^[5]

Fox Kitten has used Angry IP Scanner to detect remote systems.^[5]

Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.^[5][4]

Fox Kitten has installed web shells on compromised hosts to maintain access.^[5][4]

Fox Kitten has accessed files to gain valid credentials.^[5]

Fox Kitten has used valid credentials with various services during lateral movement.^[5]

Fox Kitten has used Amazon Web Services to host C2.^[4]