Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)
ID: G0004
Associated Groups: RoyalAPT, NICKEL, APT15, Mirage, GREF, Vixen Panda, Playful Dragon
Version: 2.0
Created: 31 May 2017
Last Modified: 22 Jul 2022

Associated Group Descriptions

Name Description
RoyalAPT (Citation: APT15 Intezer June 2018)
NICKEL (Citation: Microsoft NICKEL December 2021)
APT15 (Citation: NCC Group APT15 Alive and Strong)
Mirage (Citation: NCC Group APT15 Alive and Strong)
GREF (Citation: NCC Group APT15 Alive and Strong)
Vixen Panda (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)
Playful Dragon (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.(Citation: Mandiant Operation Ke3chang November 2014)

.002 Account Discovery: Domain Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.(Citation: Mandiant Operation Ke3chang November 2014)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)

.004 Application Layer Protocol: DNS

Ke3chang malware RoyalDNS has used DNS for C2.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Several Ke3chang backdoors achieved persistence by adding a Run key.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Ke3chang has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1587 .001 Develop Capabilities: Malware

Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.(Citation: Microsoft NICKEL December 2021)

Enterprise T1114 .002 Email Collection: Remote Email Collection

Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)

Enterprise T1056 .001 Input Capture: Keylogging

Ke3chang has used keyloggers.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)

Enterprise T1036 .002 Masquerading: Right-to-Left Override

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.(Citation: Mandiant Operation Ke3chang November 2014)

.005 Masquerading: Match Legitimate Name or Location

Ke3chang has dropped their malware into legitimate installed software paths including: `C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe`, `C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe`, `C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe`, and `C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe`.(Citation: Microsoft NICKEL December 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Ke3chang has dumped credentials, including by using Mimikatz.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)

.002 OS Credential Dumping: Security Account Manager

Ke3chang has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)

.003 OS Credential Dumping: NTDS

Ke3chang has used NTDSDump and other password dumping tools to gather credentials.(Citation: Microsoft NICKEL December 2021)

.004 OS Credential Dumping: LSA Secrets

Ke3chang has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1588 .002 Obtain Capabilities: Tool

Ke3chang has obtained and used tools such as Mimikatz.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Ke3chang performs discovery of permission groups using net group /domain.(Citation: Mandiant Operation Ke3chang November 2014)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Ke3chang has used Mimikatz to generate Kerberos golden tickets.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Ke3chang has used implants to collect the system language ID of a compromised machine.(Citation: Microsoft NICKEL December 2021)

Enterprise T1569 .002 System Services: Service Execution

Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.(Citation: NCC Group APT15 Alive and Strong)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.(Citation: Microsoft NICKEL December 2021)
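The right-to-left override masquerading in the T1036.002 row above, as an added defensive example (Python; not code from this page, from MITRE, or from any Ke3chang tooling): it approximates how a file name containing U+202E is rendered and flags names whose real extension is executable. The sample attachment names are constructed.

```python
"""Detect right-to-left override (RTLO) masquerading in attachment names.

Added defensive example, not code from the ATT&CK page. It approximates how a
file manager renders a name containing U+202E and flags names whose real
extension is executable, the pattern used to disguise .scr/.exe attachments.
"""
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Bidi control characters that have no business in a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def displayed_name(name: str) -> str:
    """Approximate the rendered form: everything after U+202E appears reversed."""
    idx = name.find(RLO)
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def analyze_attachment_name(name: str) -> dict:
    """Classify one file name; returns the facts an analyst wants in an alert."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    actual_ext = os.path.splitext(name)[1].lower()
    if controls and actual_ext in EXECUTABLE_EXT:
        verdict = "rtlo-executable"   # shown as a document, runs as a program
    elif controls:
        verdict = "bidi-control"      # unusual; review, but extension is benign
    else:
        verdict = "clean"
    return {"name": name, "displayed": displayed_name(name),
            "actual_extension": actual_ext, "bidi_controls": controls,
            "verdict": verdict}


def flag_attachments(names):
    """Return (displayed name, real extension, verdict) for each non-clean name."""
    return [(r["displayed"], r["actual_extension"], r["verdict"])
            for r in map(analyze_attachment_name, names) if r["verdict"] != "clean"]


# Constructed sample names; the second and third mimic the RTLO pattern.
SAMPLE_NAMES = ["agenda.pdf", "invoice_\u202efdp.scr", "photo_\u202egnp.exe",
                "notes\u202aQ3.docx"]

if __name__ == "__main__":
    for shown, ext, verdict in flag_attachments(SAMPLE_NAMES):
        print(f"{verdict:16} shown as {shown!r}, really {ext}")
```

The same check applied to mail-gateway attachment metadata or to file-creation events in user download directories gives a high-signal detection, since legitimate file names almost never contain bidi control characters.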

Software

ID Name References Techniques
S0039 Net (Citation: Mandiant Operation Ke3chang November 2014) (Citation: Microsoft Net Utility) (Citation: NCC Group APT15 Alive and Strong) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0100 ipconfig (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S0057 Tasklist (Citation: Microsoft Tasklist) (Citation: NCC Group APT15 Alive and Strong) Process Discovery, System Service Discovery, Security Software Discovery
S0227 spwebmember (Citation: NCC Group APT15 Alive and Strong) Sharepoint
S0104 netstat (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: TechNet Netstat) System Network Connections Discovery
S0439 Okrum (Citation: ESET Okrum July 2019) Cached Domain Credentials, Shortcut Modification, Archive via Utility, System Checks, User Activity Based Checks, Ingress Tool Transfer, Windows Command Shell, Time Based Evasion, Windows Service, System Network Configuration Discovery, Web Protocols, Scheduled Task, Steganography, Masquerade Task or Service, System Owner/User Discovery, System Information Discovery, Exfiltration Over C2 Channel, Standard Encoding, Service Execution, Token Impersonation/Theft, File and Directory Discovery, Hidden Files and Directories, External Proxy, Symmetric Cryptography, Deobfuscate/Decode Files or Information, File Deletion, Registry Run Keys / Startup Folder, System Network Connections Discovery, Archive via Custom Method, Keylogging, System Time Discovery, LSASS Memory, Protocol Impersonation
S0691 Neoichor (Citation: Microsoft NICKEL December 2021) Internet Connection Discovery, Ingress Tool Transfer, System Language Discovery, System Owner/User Discovery, Modify Registry, Data from Local System, System Network Configuration Discovery, System Information Discovery, Component Object Model, Web Protocols, Indicator Removal
S0096 Systeminfo (Citation: Mandiant Operation Ke3chang November 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: TechNet Systeminfo) System Information Discovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Microsoft NICKEL December 2021) (Citation: NCC Group APT15 Alive and Strong) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0097 Ping (Citation: NCC Group APT15 Alive and Strong) (Citation: TechNet Ping) Remote System Discovery
S0280 MirageFox (Citation: APT15 Intezer June 2018) System Information Discovery, DLL Search Order Hijacking, Commonly Used Port, Windows Command Shell, System Owner/User Discovery, Deobfuscate/Decode Files or Information