
Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)
ID: G0009
Associated Groups: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Version: 1.2
Created: 31 May 2017
Last Modified: 20 Jul 2022

Associated Group Descriptions

Name Description
Shell Crew (Citation: RSA Shell Crew)
WebMasters (Citation: RSA Shell Crew)
KungFu Kittens (Citation: RSA Shell Crew)
PinkPanther (Citation: RSA Shell Crew)
Black Vine (Citation: Symantec Black Vine)

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. (Citation: Alperovitch 2014)

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. (Citation: RSA Shell Crew)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Alperovitch 2014)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. (Citation: Symantec Black Vine)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials. (Citation: Alperovitch 2014)

Enterprise T1505 .003 Server Software Component: Web Shell

Deep Panda uses Web shells on publicly accessible Web servers to access victim networks. (Citation: CrowdStrike Deep Panda Web Shells)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. (Citation: RSA Shell Crew)
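Detection logic for the host-level techniques in the table above, as an added example that is not code from the ATT&CK entry or from SECURITM: it classifies Sysmon-style process-creation events against the PowerShell hidden-window, admin-share, regsvr32 and sticky-keys rows. Field names follow Sysmon Event ID 1; the sample events, hostnames and paths are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed process-creation events shaped like Sysmon Event ID 1 fields;
# not real telemetry from any Deep Panda incident. Hosts and paths are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -NoProfile -File C:\Users\Public\u.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FILESRV01\C$ /user:CORP\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\cache\wpc.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
]

# -w hidden / -WindowStyle Hidden on a PowerShell command line (T1059.001 + T1564.003)
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:in(?:dowstyle)?)?\s+hidden\b")
# net use against an administrative share such as C$, ADMIN$ or IPC$ (T1021.002)
ADMIN_SHARE = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+use\s+\\\\[^\s\\]+\\(?:admin|ipc|[a-z])\$")
# regsvr32 loading a DLL/OCX from outside the Windows directory (T1218.010)
REGSVR_DLL = re.compile(r"(?i)\bregsvr32(?:\.exe)?\b.*?\s([A-Z]:\\\S+\.(?:dll|ocx))")
SYSTEM_DIR = "c:\\windows\\"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the ATT&CK technique IDs from the Deep Panda profile this event matches."""
    image, parent, cmd = _basename(ev["Image"]), _basename(ev["ParentImage"]), ev["CommandLine"]
    hits: List[str] = []
    if image == "powershell.exe" and HIDDEN_WINDOW.search(cmd):
        hits += ["T1059.001", "T1564.003"]
    if image in ("net.exe", "net1.exe") and ADMIN_SHARE.search(cmd):
        hits.append("T1021.002")
    m = REGSVR_DLL.search(cmd)
    if image == "regsvr32.exe" and m and not m.group(1).lower().startswith(SYSTEM_DIR):
        hits.append("T1218.010")
    # A shell spawned by winlogon.exe is the classic footprint of sticky-keys abuse
    if parent == "winlogon.exe" and image in ("cmd.exe", "powershell.exe"):
        hits.append("T1546.008")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

The regsvr32 rule will also fire on installers that register DLLs under Program Files, so tune the path allow-list to the environment before alerting on it.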

Software

ID Name References Techniques
S0039 Net (Citation: Alperovitch 2014) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0057 Tasklist (Citation: Alperovitch 2014) (Citation: Microsoft Tasklist) Process Discovery, System Service Discovery, Security Software Discovery
S0142 StreamEx (Citation: Cylance Shell Crew Feb 2017) Process Discovery, Rundll32, Windows Service, Modify Registry, System Information Discovery, File and Directory Discovery, Security Software Discovery, Obfuscated Files or Information, Windows Command Shell
S0021 Derusbi (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem) Keylogging, Unix Shell, Regsvr32, System Information Discovery, Timestomp, Dynamic-link Library Injection, Custom Command and Control Protocol, File Deletion, Non-Standard Port, Symmetric Cryptography, System Owner/User Discovery, Audio Capture, File and Directory Discovery, Commonly Used Port, Fallback Channels, Non-Application Layer Protocol, Screen Capture, Video Capture, Process Discovery, Query Registry
S0074 Sakula (Citation: Dell Sakula) (Citation: ThreatConnect Anthem) Encrypted/Encoded File, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Web Protocols, Bypass User Account Control, Symmetric Cryptography, DLL Side-Loading, Windows Command Shell, Rundll32, Windows Service, File Deletion
S0097 Ping (Citation: Alperovitch 2014) (Citation: TechNet Ping) Remote System Discovery
S0080 Mivast (Citation: Symantec Backdoor.Mivast) (Citation: Symantec Black Vine) Registry Run Keys / Startup Folder, Commonly Used Port, Security Account Manager, Ingress Tool Transfer, Windows Command Shell
