Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)
ID: G0001
Associated Groups: Group 72
Version: 2.0
Created: 31 May 2017
Last Modified: 20 Mar 2023

Associated Group Descriptions

Name Description
Group 72 (Citation: Cisco Group 72)

Techniques Used

Domain ID Name Use
Enterprise T1583 .002 Acquire Infrastructure: DNS Server

Axiom has acquired dynamic DNS services for use in the targeting of intended victims.(Citation: Novetta-Axiom)

.003 Acquire Infrastructure: Virtual Private Server

Axiom has used VPS hosting providers in targeting of intended victims.(Citation: Novetta-Axiom)

Enterprise T1584 .005 Compromise Infrastructure: Botnet

Axiom has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)

Enterprise T1001 .002 Data Obfuscation: Steganography

Axiom has used steganography to hide its C2 communications.(Citation: Novetta-Axiom)

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.(Citation: Novetta-Axiom)

Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

Axiom has targeted victims with remote administration tools including RDP.(Citation: Novetta-Axiom)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Axiom has used RDP during operations.(Citation: Novetta-Axiom)

Software

ID Name References Techniques
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Cisco Group 72) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S0203 Hydraq (Citation: 9002 RAT) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: Aurora) (Citation: Cisco Group 72) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: FireEye Sunshop Campaign May 2013) (Citation: HidraQ) (Citation: HomeUnix) (Citation: Homux) (Citation: HydraQ) (Citation: McRat) (Citation: MdmBot) (Citation: MicroFocus 9002 Aug 2016) (Citation: Novetta-Axiom) (Citation: PaloAlto 3102 Sept 2015) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: Roarur) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) Query Registry, Shared Modules, Service Execution, System Network Configuration Discovery, System Information Discovery, Data from Local System, Modify Registry, Ingress Tool Transfer, Obfuscated Files or Information, Windows Service, Symmetric Cryptography, System Service Discovery, File Deletion, Process Discovery, Screen Capture, Clear Windows Event Logs, Exfiltration Over Alternative Protocol, File and Directory Discovery, Access Token Manipulation
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: Cisco Group 72) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel
S0021 Derusbi (Citation: Cisco Group 72) (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem) Keylogging, Unix Shell, Regsvr32, System Information Discovery, Timestomp, Dynamic-link Library Injection, Custom Command and Control Protocol, File Deletion, Non-Standard Port, Symmetric Cryptography, System Owner/User Discovery, Audio Capture, File and Directory Discovery, Commonly Used Port, Fallback Channels, Non-Application Layer Protocol, Screen Capture, Video Capture, Process Discovery, Query Registry
S0009 Hikit (Citation: Cisco Group 72) (Citation: FireEye Hikit Rootkit) (Citation: Novetta-Axiom) Phishing, DLL Search Order Hijacking, Symmetric Cryptography, Code Signing Policy Modification, Windows Command Shell, Web Protocols, Install Root Certificate, Rootkit, Internal Proxy, Data from Local System, Ingress Tool Transfer
S0012 PoisonIvy (Citation: Breut) (Citation: Cisco Group 72) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Mutual Exclusion, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0412 ZxShell (Citation: Cisco Group 72) (Citation: FireEye APT41 Aug 2019) (Citation: Sensocode) (Citation: Talos ZxShell Oct 2014) VNC, System Information Discovery, Commonly Used Port, Proxy, Web Protocols, Non-Standard Port, Uncommonly Used Port, Credential API Hooking, File and Directory Discovery, Screen Capture, Query Registry, Data from Local System, System Owner/User Discovery, Exploit Public-Facing Application, Process Discovery, Network Service Discovery, Modify Registry, Clear Windows Event Logs, File Deletion, Disable or Modify System Firewall, Windows Service, File Transfer Protocols, Dynamic-link Library Injection, Windows Command Shell, Remote Desktop Protocol, Create Process with Token, Video Capture, Rundll32, Disable or Modify Tools, Local Account, Endpoint Denial of Service, Native API, Service Execution, Keylogging, System Service Discovery, Ingress Tool Transfer
S0672 Zox (Citation: Gresim) (Citation: Novetta-Axiom) (Citation: ZoxPNG) (Citation: ZoxRPC) Encrypted/Encoded File, Steganography, Ingress Tool Transfer, File and Directory Discovery, SMB/Windows Admin Shares, Data from Local System, Process Discovery, Exploitation for Privilege Escalation, System Information Discovery

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.