
Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)
ID: G0001
Associated Groups: Group 72
Version: 2.0
Created: 31 May 2017
Last Modified: 15 Apr 2022

Associated Group Descriptions

Name | Description
Group 72 | (Citation: Cisco Group 72)

Techniques Used

Domain | ID | Name | Use
Enterprise | T1583.002 | Acquire Infrastructure: DNS Server | Axiom has acquired dynamic DNS services for use in the targeting of intended victims. (Citation: Novetta-Axiom)
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | Axiom has used VPS hosting providers in targeting of intended victims. (Citation: Novetta-Axiom)
Enterprise | T1584.005 | Compromise Infrastructure: Botnet | Axiom has used large groups of compromised machines for use as proxy nodes. (Citation: Novetta-Axiom)
Enterprise | T1001.002 | Data Obfuscation: Steganography | Axiom has used steganography to hide its C2 communications. (Citation: Novetta-Axiom)
Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence. (Citation: Novetta-Axiom)
Enterprise | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | Axiom has targeted victims with remote administration tools including RDP. (Citation: Novetta-Axiom)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Axiom has used RDP during operations. (Citation: Novetta-Axiom)
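The T1001.002 row above only states that C2 traffic was hidden with steganography. The page does not describe the scheme Axiom used, so the following is a generic added example (not code from the page, from Axiom's tooling, or from any vendor report) of the simplest form of the technique: a length-prefixed command written into the least-significant bit of each channel byte of an RGB image, and recovered on the other side. The cover image is constructed in code as a gradient so no image library is needed; the command string and the `cmd:`/`sleep:` format are invented for the demo.

```python
# Added illustrative example: LSB steganography for a C2 message. Generic method;
# the page does not say which scheme Axiom used, so no claim is made that this matches it.
import struct


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte big-endian length prefix plus the message into the LSB of each cover byte."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(payload) * 8, len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit      # touch only bit 0: each channel moves by at most 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Reverse of embed(): read the length prefix, then that many message bytes."""
    def read_bytes(bit_offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change between cover and stego image (expected: 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed 64x64 RGB gradient (12288 channel bytes), standing in for a real PNG's pixel data."""
    return bytes((x * 4 + y * 2 + c * 7) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))


COMMAND = b"cmd:whoami;sleep:300"   # invented C2 instruction for the demo


def demo():
    """Return (recovered message, max per-byte change, size unchanged?)."""
    cover = make_cover()
    stego = embed(cover, COMMAND)
    return extract(stego), max_channel_delta(cover, stego), len(stego) == len(cover)


if __name__ == "__main__":
    recovered, delta, same_size = demo()
    print(recovered, delta, same_size)
```

The point for defenders: the image stays byte-for-byte the same size and every pixel moves by at most one unit, so a proxy that checks content type, file size or even renders the image sees a valid picture. Detection has to come from the surrounding behaviour (a host repeatedly fetching images from the same low-reputation host on a fixed interval, image downloads by processes that have no business rendering images) rather than from inspecting the image itself.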
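The T1546.008 row records that Axiom replaced Sticky Keys within RDP sessions for persistence. The trick relies on winlogon.exe launching an accessibility binary (sethc.exe for Sticky Keys, utilman.exe for Ease of Access) from the logon screen, before any credentials are entered: if that binary has been swapped for cmd.exe, or an Image File Execution Options "Debugger" value redirects it, the attacker gets a SYSTEM shell over RDP with nothing but the Shift key. The following added example (not from the page, from Axiom, or from any product) evaluates a host snapshot for the three traces this leaves. The snapshot layout, field names, placeholder hashes and the list of children winlogon.exe is expected to start are this example's own assumptions; the registry path and binary names are the standard Windows ones.

```python
# Added example: checks for the traces of T1546.008 (Accessibility Features) abuse.
#  1. an IFEO "Debugger" value on an accessibility binary,
#  2. an accessibility binary whose hash matches cmd.exe (file swapped),
#  3. winlogon.exe spawning something other than its normal children.
# Snapshot format, field names and hashes below are constructed for the demo.

ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SYSTEM32 = r"C:\Windows\System32"
# Assumed baseline of what winlogon.exe normally starts; tune per Windows version.
WINLOGON_EXPECTED_CHILDREN = {"logonui.exe", "userinit.exe", "dwm.exe", "fontdrvhost.exe"}


def check_ifeo(registry: dict) -> list:
    """registry: {full_key_path: {value_name: value_data}} exported from the host."""
    findings = []
    for binary in ACCESSIBILITY_BINARIES:
        debugger = registry.get(f"{IFEO_KEY}\\{binary}", {}).get("Debugger")
        if debugger:   # there is no legitimate reason to debug sethc.exe on a production host
            findings.append(("ifeo_debugger", binary, debugger))
    return findings


def check_replaced_binaries(file_hashes: dict) -> list:
    """file_hashes: {path: sha256}. An accessibility binary hashing like cmd.exe was swapped."""
    findings = []
    cmd_hash = file_hashes.get(f"{SYSTEM32}\\cmd.exe")
    for binary in ACCESSIBILITY_BINARIES:
        digest = file_hashes.get(f"{SYSTEM32}\\{binary}")
        if digest is not None and digest == cmd_hash:
            findings.append(("replaced_binary", binary, "hash matches cmd.exe"))
    return findings


def check_process_events(events: list) -> list:
    """events: process-creation records with 'parent_image', 'image', 'command_line'."""
    findings = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "winlogon.exe" and child not in WINLOGON_EXPECTED_CHILDREN:
            findings.append(("winlogon_child", child, ev["command_line"]))
    return findings


def evaluate(snapshot: dict) -> list:
    """Run all three checks and return (check, subject, detail) tuples."""
    return (check_ifeo(snapshot["registry"])
            + check_replaced_binaries(snapshot["file_hashes"])
            + check_process_events(snapshot["process_events"]))


# Constructed snapshot for the demo (hashes are placeholders, not real digests).
SAMPLE_SNAPSHOT = {
    "registry": {
        f"{IFEO_KEY}\\sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},   # hijacked
        f"{IFEO_KEY}\\notepad.exe": {"Debugger": r"C:\Tools\windbg.exe"},         # unrelated, ignored
    },
    "file_hashes": {
        f"{SYSTEM32}\\cmd.exe": "aaaa1111",
        f"{SYSTEM32}\\utilman.exe": "aaaa1111",   # swapped for a copy of cmd.exe
        f"{SYSTEM32}\\osk.exe": "bbbb2222",       # untouched
    },
    "process_events": [
        {"parent_image": r"C:\Windows\System32\winlogon.exe",
         "image": r"C:\Windows\System32\LogonUI.exe", "command_line": "LogonUI.exe /flags:0x0"},
        {"parent_image": r"C:\Windows\System32\winlogon.exe",
         "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},   # pre-logon shell
    ],
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_SNAPSHOT):
        print(finding)
```

The first two checks are suitable for periodic baselining (compare against a known-good image of System32 rather than only against cmd.exe, since an attacker can drop any binary). The third is the one worth alerting on in real time: a cmd.exe or powershell.exe child of winlogon.exe, especially on a host that is listening on 3389, is the logon-screen shell in action. Requiring Network Level Authentication on RDP removes the pre-authentication logon screen and with it the opportunity to trigger the replaced binary remotely.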

Software

S0013 PlugX
References: (Citation: CIRCL PlugX March 2013) (Citation: Cisco Group 72) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT)
Techniques: Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information

S0203 Hydraq
References: (Citation: 9002 RAT) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: Aurora) (Citation: Cisco Group 72) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: FireEye Sunshop Campaign May 2013) (Citation: HidraQ) (Citation: HomeUnix) (Citation: Homux) (Citation: HydraQ) (Citation: McRat) (Citation: MdmBot) (Citation: MicroFocus 9002 Aug 2016) (Citation: Novetta-Axiom) (Citation: PaloAlto 3102 Sept 2015) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: Roarur) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010)
Techniques: Query Registry, Shared Modules, Service Execution, System Network Configuration Discovery, System Information Discovery, Data from Local System, Modify Registry, Ingress Tool Transfer, Obfuscated Files or Information, Windows Service, Symmetric Cryptography, System Service Discovery, File Deletion, Process Discovery, Screen Capture, Clear Windows Event Logs, Exfiltration Over Alternative Protocol, File and Directory Discovery, Access Token Manipulation

S0032 gh0st RAT
References: (Citation: Arbor Musical Chairs Feb 2018) (Citation: Cisco Group 72) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom)
Techniques: Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel

S0021 Derusbi
References: (Citation: Cisco Group 72) (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem)
Techniques: Keylogging, Unix Shell, Regsvr32, System Information Discovery, Timestomp, Dynamic-link Library Injection, Custom Command and Control Protocol, File Deletion, Non-Standard Port, Symmetric Cryptography, System Owner/User Discovery, Audio Capture, File and Directory Discovery, Commonly Used Port, Fallback Channels, Non-Application Layer Protocol, Screen Capture, Video Capture, Process Discovery, Query Registry

S0009 Hikit
References: (Citation: Cisco Group 72) (Citation: FireEye Hikit Rootkit) (Citation: Novetta-Axiom)
Techniques: Phishing, DLL Search Order Hijacking, Symmetric Cryptography, Code Signing Policy Modification, Windows Command Shell, Web Protocols, Install Root Certificate, Rootkit, Internal Proxy, Data from Local System, Ingress Tool Transfer

S0012 PoisonIvy
References: (Citation: Breut) (Citation: Cisco Group 72) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)
Techniques: Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit

S0412 ZxShell
References: (Citation: Cisco Group 72) (Citation: FireEye APT41 Aug 2019) (Citation: Sensocode) (Citation: Talos ZxShell Oct 2014)
Techniques: VNC, System Information Discovery, Commonly Used Port, Proxy, Web Protocols, Non-Standard Port, Uncommonly Used Port, Credential API Hooking, File and Directory Discovery, Screen Capture, Query Registry, Data from Local System, System Owner/User Discovery, Exploit Public-Facing Application, Process Discovery, Network Service Discovery, Modify Registry, Clear Windows Event Logs, File Deletion, Disable or Modify System Firewall, Windows Service, File Transfer Protocols, Dynamic-link Library Injection, Windows Command Shell, Remote Desktop Protocol, Create Process with Token, Video Capture, Rundll32, Disable or Modify Tools, Local Account, Endpoint Denial of Service, Native API, Service Execution, Keylogging, System Service Discovery, Ingress Tool Transfer

S0672 Zox
References: (Citation: Gresim) (Citation: Novetta-Axiom) (Citation: ZoxPNG) (Citation: ZoxRPC)
Techniques: Obfuscated Files or Information, Steganography, Ingress Tool Transfer, File and Directory Discovery, SMB/Windows Admin Shares, Data from Local System, Process Discovery, Exploitation for Privilege Escalation, System Information Discovery
