Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)

ID: G0006

Associated Groups: Comment Crew, Comment Group, Comment Panda

Version: 1.4

Created: 31 May 2017

Last Modified: 26 May 2021

Name	Description
Associated Group Descriptions
Comment Crew	(Citation: Mandiant APT1)
Comment Group	(Citation: Mandiant APT1)
Comment Panda	(Citation: CrowdStrike Putter Panda)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1087	.001	Account Discovery: Local Account	APT1 used the commands `net localgroup`,`net user`, and `net group` to find accounts on the system.(Citation: Mandiant APT1)
Enterprise	T1583	.001	Acquire Infrastructure: Domains	APT1 has registered hundreds of domains for use in operations.(Citation: Mandiant APT1)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	APT1 has used RAR to compress files before moving them outside of the victim network.(Citation: Mandiant APT1)
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.(Citation: Mandiant APT1)
Enterprise	T1584	.001	Compromise Infrastructure: Domains	APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1)
Enterprise	T1114	.001	Email Collection: Local Email Collection	APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.(Citation: Mandiant APT1)
		.002	Email Collection: Remote Email Collection	APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.(Citation: Mandiant APT1)
Enterprise	T1585	.002	Establish Accounts: Email Accounts	APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.(Citation: Mandiant APT1)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.(Citation: Mandiant APT1)(Citation: Mandiant APT1 Appendix)
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	APT1 has been known to use credential dumping using Mimikatz.(Citation: Mandiant APT1)
Enterprise	T1588	.001	Obtain Capabilities: Malware	APT1 used publicly available malware for privilege escalation.(Citation: Mandiant APT1)
		.002	Obtain Capabilities: Tool	APT1 has used various open-source tools for privilege escalation purposes.(Citation: Mandiant APT1)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	APT1 has sent spearphishing emails containing malicious attachments.(Citation: Mandiant APT1)
		.002	Phishing: Spearphishing Link	APT1 has sent spearphishing emails containing hyperlinks to malicious files.(Citation: Mandiant APT1)
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	The APT1 group is known to have used RDP during operations.(Citation: FireEye PLA)
Enterprise	T1550	.002	Use Alternate Authentication Material: Pass the Hash	The APT1 group is known to have used pass the hash.(Citation: Mandiant APT1)

ID	Name	References	Techniques
Software
S0039	Net	(Citation: Mandiant APT1) (Citation: Microsoft Net Utility) (Citation: Savill 1999)	Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0109	WEBC2	(Citation: Mandiant APT1 Appendix) (Citation: Mandiant APT1)	DLL Search Order Hijacking, Ingress Tool Transfer, Windows Command Shell
S0100	ipconfig	(Citation: Mandiant APT1) (Citation: TechNet Ipconfig)	System Network Configuration Discovery
S0057	Tasklist	(Citation: Mandiant APT1) (Citation: Microsoft Tasklist)	Process Discovery, System Service Discovery, Security Software Discovery
S0121	Lslsass	(Citation: Mandiant APT1)	LSASS Memory
S0123	xCmd	(Citation: Mandiant APT1 Appendix) (Citation: xCmd)	Service Execution
S0025	CALENDAR	(Citation: Mandiant APT1)	Windows Command Shell, Bidirectional Communication
S0006	pwdump	(Citation: Mandiant APT1) (Citation: Wikipedia pwdump)	Security Account Manager
S0122	Pass-The-Hash Toolkit	(Citation: Mandiant APT1)	Pass the Hash
S0002	Mimikatz	(Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Mandiant APT1)	DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0008	gsecdump	(Citation: Mandiant APT1) (Citation: TrueSec Gsecdump)	Security Account Manager, LSA Secrets
S0012	PoisonIvy	(Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Mandiant APT1) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)	Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0345	Seasalt	(Citation: Mandiant APT1 Appendix) (Citation: McAfee Oceansalt Oct 2018)	Windows Command Shell, File and Directory Discovery, Web Protocols, Process Discovery, Masquerade Task or Service, Custom Command and Control Protocol, Ingress Tool Transfer, Obfuscated Files or Information, Windows Service, File Deletion, Registry Run Keys / Startup Folder
S0017	BISCUIT	(Citation: Mandiant APT1 Appendix) (Citation: Mandiant APT1)	Screen Capture, Fallback Channels, System Information Discovery, Process Discovery, Ingress Tool Transfer, Custom Command and Control Protocol, Keylogging, Asymmetric Cryptography, System Owner/User Discovery, Windows Command Shell
S0119	Cachedump	(Citation: Mandiant APT1)	Cached Domain Credentials
S0026	GLOOXMAIL	(Citation: Mandiant APT1)	Bidirectional Communication
S0029	PsExec	(Citation: Mandiant APT1) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)	SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

APT1

Associated Group Descriptions

Techniques Used

Software

References