
Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)
ID: G0019
Associated Groups: 
Version: 2.0
Created: 31 May 2017
Last Modified: 25 Apr 2025


Techniques Used

Domain ID Name Use

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Naikon has modified a victim's Windows Run registry to establish persistence.(Citation: Bitdefender Naikon April 2021)

Enterprise T1574.001 Hijack Execution Flow: DLL

Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.(Citation: CheckPoint Naikon May 2020)

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.(Citation: Bitdefender Naikon April 2021)

Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location

Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.(Citation: Bitdefender Naikon April 2021)

Enterprise T1137.006 Office Application Startup: Add-ins

Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.(Citation: CheckPoint Naikon May 2020)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Naikon has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Naikon has used schtasks.exe for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

Enterprise T1518.001 Software Discovery: Security Software Discovery

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.(Citation: Baumgartner Naikon 2015)

Enterprise T1204.002 User Execution: Malicious File

Naikon has convinced victims to open malicious attachments to execute malware.(Citation: CheckPoint Naikon May 2020)

Enterprise T1078.002 Valid Accounts: Domain Accounts

Naikon has used administrator credentials for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

Software

ID Name References Techniques
S0061 HDoor (Citation: Baumgartner Naikon 2015) Disable or Modify Tools, Network Service Discovery
S0039 Net (Citation: Baumgartner Naikon 2015) (Citation: Bitdefender Naikon April 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0059 WinMM (Citation: Baumgartner Naikon 2015) (Citation: CameraShy) System Owner/User Discovery, System Information Discovery, File and Directory Discovery, Process Discovery, Web Protocols, Fallback Channels
S0630 Nebulae (Citation: Bitdefender Naikon April 2021) Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, DLL, System Information Discovery, Native API, Data from Local System, File and Directory Discovery, Masquerade Task or Service, Process Discovery, Registry Run Keys / Startup Folder, Non-Application Layer Protocol, Windows Command Shell, File Deletion, Ingress Tool Transfer
S0629 RainyDay (Citation: Bitdefender Naikon April 2021) Scheduled Task, Screen Capture, Encrypted/Encoded File, Local Data Staging, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, DLL, System Service Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Credentials from Web Browsers, Proxy, File and Directory Discovery, Masquerade Task or Service, Process Discovery, Exfiltration to Cloud Storage, Non-Application Layer Protocol, Windows Command Shell, Windows Credential Manager, File Deletion, Web Protocols, Ingress Tool Transfer, Fallback Channels
S0057 Tasklist (Citation: Baumgartner Naikon 2015) (Citation: Microsoft Tasklist) System Service Discovery, Process Discovery, Security Software Discovery
S0058 SslMM (Citation: Baumgartner Naikon 2015) (Citation: CameraShy) System Owner/User Discovery, Keylogging, Match Legitimate Resource Name or Location, System Information Discovery, Shortcut Modification, Registry Run Keys / Startup Folder, Disable or Modify Tools, Access Token Manipulation, Fallback Channels
S0456 Aria-body (Citation: Bitdefender Naikon April 2021) (Citation: CheckPoint Naikon May 2020) Screen Capture, System Owner/User Discovery, Encrypted/Encoded File, Domain Generation Algorithms, Data from Removable Media, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Application Window Discovery, Archive Collected Data, Create Process with Token, System Network Configuration Discovery, Proxy, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Process Discovery, Registry Run Keys / Startup Folder, Non-Application Layer Protocol, File Deletion, Web Protocols, Ingress Tool Transfer, Dynamic-link Library Injection
S0108 netsh (Citation: Baumgartner Naikon 2015) (Citation: TechNet Netsh) Disable or Modify System Firewall, Proxy, Security Software Discovery, Netsh Helper DLL
S0060 Sys10 (Citation: Baumgartner Naikon 2015) System Owner/User Discovery, Symmetric Cryptography, System Information Discovery, System Network Configuration Discovery, Local Groups, Web Protocols
S0096 Systeminfo (Citation: Baumgartner Naikon 2015) (Citation: TechNet Systeminfo) System Information Discovery
S0055 RARSTONE (Citation: Aquino RARSTONE) (Citation: Baumgartner Naikon 2015) (Citation: CameraShy) File and Directory Discovery, Non-Application Layer Protocol, Ingress Tool Transfer, Dynamic-link Library Injection
S0097 Ping (Citation: Baumgartner Naikon 2015) (Citation: Bitdefender Naikon April 2021) (Citation: TechNet Ping) Remote System Discovery
S0095 ftp (Citation: Baumgartner Naikon 2015) (Citation: Linux FTP) (Citation: Microsoft FTP) Lateral Tool Transfer, Ingress Tool Transfer, Commonly Used Port, Exfiltration Over Unencrypted Non-C2 Protocol
S0029 PsExec (Citation: Baumgartner Naikon 2015) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
