
Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group, but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)
ID: G0001
Associated Groups: Group 72
Version: 2.0
Created: 31 May 2017
Last Modified: 16 Apr 2025

Associated Group Descriptions

Name: Group 72
Description: (Citation: Cisco Group 72)

Techniques Used

Domain: Enterprise

T1583.002 Acquire Infrastructure: DNS Server
Axiom has acquired dynamic DNS services for use in the targeting of intended victims.(Citation: Novetta-Axiom)

T1583.003 Acquire Infrastructure: Virtual Private Server
Axiom has used VPS hosting providers in targeting of intended victims.(Citation: Novetta-Axiom)

T1584.005 Compromise Infrastructure: Botnet
Axiom has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)

T1001.002 Data Obfuscation: Steganography
Axiom has used steganography to hide its C2 communications.(Citation: Novetta-Axiom)

T1546.008 Event Triggered Execution: Accessibility Features
Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.(Citation: Novetta-Axiom)

T1563.002 Remote Service Session Hijacking: RDP Hijacking
Axiom has targeted victims with remote administration tools including RDP.(Citation: Novetta-Axiom)

T1021.001 Remote Services: Remote Desktop Protocol
Axiom has used RDP during operations.(Citation: Novetta-Axiom)
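The Sticky Keys persistence above (T1546.008) has two common forms: the accessibility binary in System32 (sethc.exe, utilman.exe, etc.) is overwritten with a copy of cmd.exe, or an Image File Execution Options "Debugger" value redirects it to cmd.exe. Either way, pressing Shift five times at the RDP logon screen gives a SYSTEM shell before any credentials are entered. The detection logic below is an added example written for this page; it is not code from the Axiom reporting or from MITRE. The event records are constructed and simplified, with field names modelled on Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set); the rule names and the list of accessibility binaries are this example's own choices.

```python
"""Detect Accessibility Features abuse (ATT&CK T1546.008) in process and
registry telemetry. Added example; events below are constructed, not real."""

from dataclasses import dataclass

# Binaries winlogon.exe may legitimately launch from the secure (logon) desktop.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Interactive tooling that should never run as a child of winlogon.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "taskmgr.exe"}
# Lower-cased IFEO key prefix; a Debugger value under <binary> hijacks that binary.
IFEO = "hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for a process-creation record (Sysmon Event ID 1 style fields)."""
    alerts = []
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    # R1: a real shell started by winlogon.exe. This is what the IFEO Debugger
    # variant looks like: winlogon asks for sethc.exe and gets cmd.exe instead.
    if parent == "winlogon.exe" and image in SHELLS:
        alerts.append(Alert("winlogon_spawns_shell",
                            f"{ev['Image']} {ev.get('CommandLine', '')}".strip()))
    # R2: accessibility binary whose PE OriginalFileName differs from its
    # on-disk name, i.e. the file in System32 was replaced (renamed cmd.exe).
    orig = ev.get("OriginalFileName", "").lower()
    if image in ACCESSIBILITY_BINARIES and orig and orig != image:
        alerts.append(Alert("accessibility_binary_replaced",
                            f"{ev['Image']} has OriginalFileName={ev['OriginalFileName']}"))
    return alerts


def check_registry(ev: dict) -> list:
    """Rule for a registry value-set record (Sysmon Event ID 13 style fields)."""
    target = ev["TargetObject"].lower()
    # R3: Debugger value written under IFEO\<accessibility binary>.
    if target.startswith(IFEO) and target.endswith("\\debugger"):
        binary = target[len(IFEO):].split("\\", 1)[0]
        if binary in ACCESSIBILITY_BINARIES:
            return [Alert("ifeo_debugger_on_accessibility_binary",
                          f"{binary} Debugger={ev.get('Details')} set by {ev.get('Image')}")]
    return []


def scan(events: list) -> list:
    """Run every rule over a list of event dicts and return all alerts in order."""
    out = []
    for ev in events:
        if ev["EventID"] == 1:
            out.extend(check_process(ev))
        elif ev["EventID"] == 13:
            out.extend(check_registry(ev))
    return out


WINLOGON = "C:\\Windows\\System32\\winlogon.exe"
# Constructed sample telemetry: two benign records, then both backdoor variants.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\userinit.exe", "ParentImage": WINLOGON,
     "OriginalFileName": "USERINIT.EXE", "User": "CORP\\alice"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sethc.exe", "ParentImage": WINLOGON,
     "OriginalFileName": "sethc.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Variant A: sethc.exe overwritten with cmd.exe (name kept, PE metadata not).
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sethc.exe", "ParentImage": WINLOGON,
     "OriginalFileName": "Cmd.Exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "sethc.exe 211"},
    # Variant B: IFEO Debugger set, then triggered from the RDP logon screen.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Image File Execution Options\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": WINLOGON,
     "OriginalFileName": "Cmd.Exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\sethc.exe 211"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Because Axiom used this within RDP sessions, the alerts are worth correlating with Security event 4624 LogonType 10 (RemoteInteractive) on the same host, and a periodic hash comparison of the accessibility binaries in System32 against a known-good build catches the replaced-file variant even when process telemetry is missing.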

Software

S0013 PlugX
References: (Citation: CIRCL PlugX March 2013) (Citation: Cisco Group 72) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: TVT) (Citation: Thoper)
Techniques: Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port

S0203 Hydraq
References: (Citation: 9002 RAT) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: Aurora) (Citation: Cisco Group 72) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: FireEye Sunshop Campaign May 2013) (Citation: HidraQ) (Citation: HomeUnix) (Citation: Homux) (Citation: HydraQ) (Citation: McRat) (Citation: MdmBot) (Citation: MicroFocus 9002 Aug 2016) (Citation: Novetta-Axiom) (Citation: PaloAlto 3102 Sept 2015) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: Roarur) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010)
Techniques: Screen Capture, Shared Modules, Symmetric Cryptography, Windows Service, System Service Discovery, System Information Discovery, Data from Local System, Modify Registry, Clear Windows Event Logs, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Exfiltration Over Alternative Protocol, Obfuscated Files or Information, Query Registry, File Deletion, Access Token Manipulation, Ingress Tool Transfer, Service Execution

S0032 gh0st RAT
References: (Citation: Arbor Musical Chairs Feb 2018) (Citation: Cisco Group 72) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom)
Techniques: Screen Capture, Rundll32, Standard Encoding, Keylogging, Shared Modules, Symmetric Cryptography, Windows Service, Fast Flux DNS, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Clear Windows Event Logs, Command and Scripting Interpreter, Process Discovery, Registry Run Keys / Startup Folder, Encrypted Channel, Non-Application Layer Protocol, Query Registry, File Deletion, Ingress Tool Transfer, Service Execution

S0021 Derusbi
References: (Citation: Cisco Group 72) (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem)
Techniques: Screen Capture, System Owner/User Discovery, Keylogging, Audio Capture, Symmetric Cryptography, System Information Discovery, Timestomp, Video Capture, File and Directory Discovery, Process Discovery, Unix Shell, Non-Standard Port, Regsvr32, Non-Application Layer Protocol, Query Registry, File Deletion, Fallback Channels, Dynamic-link Library Injection, Custom Command and Control Protocol, Commonly Used Port

S0009 Hikit
References: (Citation: Cisco Group 72) (Citation: FireEye Hikit Rootkit) (Citation: Novetta-Axiom)
Techniques: Rootkit, Symmetric Cryptography, DLL, Data from Local System, Code Signing Policy Modification, Phishing, Install Root Certificate, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Internal Proxy

S0012 PoisonIvy
References: (Citation: Breut) (Citation: Cisco Group 72) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)
Techniques: Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection

S0412 ZxShell
References: (Citation: Cisco Group 72) (Citation: FireEye APT41 Aug 2019) (Citation: Sensocode) (Citation: Talos ZxShell Oct 2014)
Techniques: VNC, Screen Capture, System Owner/User Discovery, Rundll32, Keylogging, Windows Service, System Service Discovery, System Information Discovery, Native API, Data from Local System, Exploit Public-Facing Application, Disable or Modify System Firewall, Modify Registry, Local Account, Clear Windows Event Logs, Create Process with Token, Video Capture, Proxy, File and Directory Discovery, Process Discovery, File Transfer Protocols, Disable or Modify Tools, Non-Standard Port, Query Registry, Endpoint Denial of Service, Uncommonly Used Port, Windows Command Shell, File Deletion, Web Protocols, Network Service Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Credential API Hooking, Commonly Used Port

S0672 Zox
References: (Citation: Gresim) (Citation: Novetta-Axiom) (Citation: ZoxPNG) (Citation: ZoxRPC)
Techniques: Encrypted/Encoded File, System Information Discovery, Data from Local System, SMB/Windows Admin Shares, File and Directory Discovery, Process Discovery, Exploitation for Privilege Escalation, Ingress Tool Transfer, Steganography
