Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)
ID: G0019
Associated Groups: 
Version: 2.0
Created: 31 May 2017
Last Modified: 19 Aug 2021

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Naikon has modified a victim's Windows Run registry to establish persistence.(Citation: Bitdefender Naikon April 2021)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.(Citation: CheckPoint Naikon May 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.(Citation: Bitdefender Naikon April 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.(Citation: Bitdefender Naikon April 2021)
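The two masquerading entries above (T1036.004 and T1036.005) both come down to a name that does not match its origin: a service called "taskmgr", or a binary named like Chrome, Adobe or VMware that runs from somewhere those products never install. The following triage script is an added example, not code from the ATT&CK page or from the Bitdefender report it cites. The expected-directory table is an assumption to be tuned per fleet, and the process and service records at the bottom are constructed for illustration.

```python
"""Masquerading triage (ATT&CK T1036.004 / T1036.005): flag processes that carry a
well-known image name but run from an unexpected directory, and services that
borrow the name of a program that is never installed as a service.

Added example; not code from the ATT&CK page or from any Naikon report. The
expected-directory table is an assumption to be tuned per fleet, and the
process/service records at the bottom are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass

# Assumption: default install locations of the binaries Naikon is reported to imitate.
EXPECTED_DIRS = {
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
    "acrord32.exe": {r"c:\program files (x86)\adobe\acrobat reader dc\reader"},
    "vmtoolsd.exe": {r"c:\program files\vmware\vmware tools"},
}

# Task Manager is an interactive program, never a Windows service; a service
# registered under that name or display name has no legitimate origin.
IMPERSONATED_SERVICE_LABELS = {"taskmgr", "task manager"}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    image_path: str  # full path the image was loaded from


@dataclass(frozen=True)
class ServiceRecord:
    name: str
    display_name: str
    binary_path: str


def _split(path):
    """Return (lower-case file name, lower-case directory without trailing slash)."""
    return ntpath.basename(path).lower(), ntpath.dirname(path).lower().rstrip("\\")


def process_masquerade(rec):
    """Return a finding string, or None when the process looks legitimate."""
    name, directory = _split(rec.image_path)
    if name not in EXPECTED_DIRS or directory in EXPECTED_DIRS[name]:
        return None
    return f"T1036.005 pid {rec.pid}: {name} running from unexpected path {rec.image_path}"


def service_masquerade(rec):
    """Return a finding string, or None when the service looks legitimate."""
    if {rec.name.lower(), rec.display_name.lower()} & IMPERSONATED_SERVICE_LABELS:
        return f"T1036.004 service {rec.name!r}: Task Manager is not a Windows service"
    name, directory = _split(rec.binary_path)
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return f"T1036.005 service {rec.name!r}: {name} served from {rec.binary_path}"
    return None


def scan(processes, services):
    """Run both checks and return every finding as a list of strings."""
    findings = [process_masquerade(p) for p in processes]
    findings += [service_masquerade(s) for s in services]
    return [f for f in findings if f]


# Constructed sample data: two legitimate processes, two impostors, one bad service.
SAMPLE_PROCESSES = [
    ProcessRecord(1204, r"C:\Windows\System32\taskmgr.exe"),
    ProcessRecord(3380, r"C:\Users\alice\AppData\Roaming\Intel\taskmgr.exe"),
    ProcessRecord(4412, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessRecord(5100, r"C:\ProgramData\chrome.exe"),
]
SAMPLE_SERVICES = [
    ServiceRecord("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceRecord("taskmgr", "Task Manager", r"C:\ProgramData\taskmgr.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES, SAMPLE_SERVICES):
        print(finding)
```

On a real fleet the records would come from an EDR process inventory and `sc query` / `Get-Service` output; the path comparison deliberately ignores the file name casing and trailing separators so that a lower-cased export from one tool can be compared with a mixed-case one from another.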

Enterprise T1137 .006 Office Application Startup: Add-ins

Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.(Citation: CheckPoint Naikon May 2020)
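The Run key entry (T1547.001, earlier in this table) and the Word Startup folder entry (T1137.006, just above) are both footholds that a defender can enumerate from a host snapshot. The script below is an added example, not code from the ATT&CK page or from the Check Point or Bitdefender reports it cites: it parses constructed `reg query` output for the per-user Run key and a constructed listing of `%APPDATA%\Microsoft\Word\STARTUP`, and flags what does not belong. The trusted-prefix list, the allow-list and the sample entries are assumptions made for the example.

```python
"""Persistence triage for two footholds on this page: Windows Run keys
(T1547.001) and the Word STARTUP folder (T1137.006).

Added example; not code from the ATT&CK page or from the reports it cites. It
parses constructed `reg query` output and a constructed directory listing, so
it runs offline; the trusted-prefix and allow-list entries are assumptions.
"""
import ntpath
import re

# Assumption: directories where autostart binaries are normally expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: per-user autostarts that are known-good on this fleet.
ALLOWLIST = {r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe"}
# Launchers that host a payload given as a later argument (the payload is what matters).
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# File types Word loads from STARTUP as global add-ins/templates.
ADDIN_EXTENSIONS = {".wll", ".dotm", ".dot"}

# One value line of `reg query` output: "    Name    REG_SZ    data".
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
# A quoted path, or an unquoted path without spaces (an unquoted path containing
# spaces is truncated to its last segment, which still fails the trusted check).
TARGET = re.compile(
    r'"(?P<q>[^"]+?\.(?:exe|dll|cmd|bat|vbs|js|wll))"'
    r'|(?P<u>\S+?\.(?:exe|dll|cmd|bat|vbs|js|wll))(?=[\s,"]|$)',
    re.I,
)


def target_of(command):
    """Return the path that actually gets executed by an autostart command."""
    paths = [(m.group("q") or m.group("u")).strip() for m in TARGET.finditer(command)]
    for path in paths:
        if ntpath.basename(path).lower() not in HOST_BINARIES:
            return path
    return paths[0] if paths else command.strip()


def is_trusted(path):
    low = path.lower()
    return low in ALLOWLIST or low.startswith(TRUSTED_PREFIXES)


def triage_run_keys(reg_output):
    """Return one finding per Run value whose target is outside trusted locations."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if not match:
            continue
        target = target_of(match.group("data"))
        if not is_trusted(target):
            findings.append(f"T1547.001 {key}\\{match.group('name')} -> {target}")
    return findings


def triage_word_startup(listing):
    """STARTUP is empty on a default install, so every file is reported; add-ins are labelled."""
    findings = []
    for name in listing:
        if ntpath.splitext(name)[1].lower() in ADDIN_EXTENSIONS:
            findings.append(f"T1137.006 Word add-in/template in STARTUP: {name}")
        else:
            findings.append(f"review: unexpected file in Word STARTUP: {name}")
    return findings


# Constructed `reg query HKCU\...\Run` output: one allow-listed entry, two suspects.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\Intel\taskmgr.exe
    Cache       REG_SZ    rundll32.exe C:\ProgramData\Intel\cache.dll,Start
"""
# Constructed listing of %APPDATA%\Microsoft\Word\STARTUP (intel.wll is the name from the page).
SAMPLE_WORD_STARTUP = ["intel.wll", "notes.txt"]

if __name__ == "__main__":
    for finding in triage_run_keys(SAMPLE_REG_QUERY) + triage_word_startup(SAMPLE_WORD_STARTUP):
        print(finding)
```

The allow-list is an exact-path match rather than a prefix on purpose: a user-profile directory is writable by the user, so the only safe way to accept an autostart there is to name the specific binary (and, in production, to verify its signature as well).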

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Naikon has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Naikon has used schtasks.exe for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.(Citation: Baumgartner Naikon 2015)
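Both the schtasks.exe entry (T1053.005, above) and the netsh advfirewall entry (T1518.001, just above) are visible in process-creation telemetry as command lines of built-in Windows tools. The detection logic below is an added example, not code from the ATT&CK page or from the Bitdefender or Kaspersky reports it cites. It runs over constructed process-creation events (the shape a Sysmon Event ID 1 or Security 4688 feed would provide); the host names, paths and PIDs are placeholders. The firewall-modification label uses the technique name as it appears in this page's software table.

```python
"""Command-line detection for two tool uses on this page: schtasks.exe aimed at a
remote host (T1053.005) and netsh advfirewall firewall enumeration (T1518.001)
or modification (Disable or Modify System Firewall).

Added example; not code from the ATT&CK page or the reports it cites. The
process-creation events below are constructed; hostnames, PIDs and paths are
placeholders.
"""
import ntpath
import re

# Windows command lines: keep quoted arguments together, then drop the quotes.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def detect(event):
    """Return a finding string for one process-creation event, or None."""
    image = ntpath.basename(event["image"]).lower()
    toks = tokens(event["cmdline"])
    low = [t.lower() for t in toks]

    if image == "schtasks.exe":
        # /S <host> makes the task operation act on a remote machine.
        for i, tok in enumerate(low):
            if tok == "/s" and i + 1 < len(toks):
                verb = next((t for t in low if t.startswith("/") and t != "/s"), "?")
                return (f"T1053.005 pid {event['pid']}: schtasks {verb} "
                        f"against remote host {toks[i + 1]}")
        return None

    if image == "netsh.exe" and low[1:3] == ["advfirewall", "firewall"]:
        verb = low[3] if len(low) > 3 else "?"
        if verb == "show":
            return f"T1518.001 pid {event['pid']}: firewall rule enumeration via netsh"
        if verb in {"add", "set", "delete"}:
            return (f"Disable or Modify System Firewall pid {event['pid']}: "
                    f"netsh advfirewall firewall {verb}")
    return None


def scan(events):
    """Apply detect() to every event and keep the hits, in input order."""
    return [f for f in map(detect, events) if f]


# Constructed events: three that should fire, two benign admin commands.
SAMPLE_EVENTS = [
    {"pid": 2104, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /s FILESRV01 /u CORP\svc_admin /p [redacted] "
                r"/tn Updater /tr C:\ProgramData\Intel\svc.exe /sc once /st 23:30"},
    {"pid": 2210, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"pid": 2377, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"pid": 2390, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Updater" dir=in '
                r'action=allow program="C:\ProgramData\Intel\svc.exe"'},
    {"pid": 2455, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Local `schtasks /query` and `ipconfig` are deliberately left silent: the signal in the page's entries is the remote target and the `advfirewall firewall` subcommand, not the tool names themselves, and matching on the tool alone would drown the alert in routine administration.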

Enterprise T1204 .002 User Execution: Malicious File

Naikon has convinced victims to open malicious attachments to execute malware.(Citation: CheckPoint Naikon May 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Naikon has used administrator credentials for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

Software

ID Name References Techniques
S0061 HDoor (Citation: Baumgartner Naikon 2015) Disable or Modify Tools, Network Service Discovery
S0039 Net (Citation: Baumgartner Naikon 2015) (Citation: Bitdefender Naikon April 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0059 WinMM (Citation: Baumgartner Naikon 2015) (Citation: CameraShy) Process Discovery, File and Directory Discovery, System Information Discovery, Fallback Channels, Web Protocols, System Owner/User Discovery
S0630 Nebulae (Citation: Bitdefender Naikon April 2021) Ingress Tool Transfer, System Information Discovery, Data from Local System, Non-Application Layer Protocol, Registry Run Keys / Startup Folder, Process Discovery, Native API, Masquerade Task or Service, File Deletion, Windows Service, Match Legitimate Name or Location, DLL Side-Loading, Windows Command Shell, File and Directory Discovery, Symmetric Cryptography
S0629 RainyDay (Citation: Bitdefender Naikon April 2021) Match Legitimate Name or Location, Native API, File Deletion, Exfiltration to Cloud Storage, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Web Protocols, Masquerade Task or Service, System Service Discovery, Process Discovery, Local Data Staging, Credentials from Web Browsers, Encrypted/Encoded File, Fallback Channels, Windows Service, Windows Command Shell, Proxy, Screen Capture, File and Directory Discovery, Windows Credential Manager, Scheduled Task, Non-Application Layer Protocol, Symmetric Cryptography, DLL Side-Loading, Data from Local System
S0057 Tasklist (Citation: Baumgartner Naikon 2015) (Citation: Microsoft Tasklist) Process Discovery, System Service Discovery, Security Software Discovery
S0058 SslMM (Citation: Baumgartner Naikon 2015) (Citation: CameraShy) System Owner/User Discovery, Fallback Channels, Shortcut Modification, Registry Run Keys / Startup Folder, Keylogging, Access Token Manipulation, Disable or Modify Tools, Match Legitimate Name or Location, System Information Discovery
S0456 Aria-body (Citation: Bitdefender Naikon April 2021) (Citation: CheckPoint Naikon May 2020) Non-Application Layer Protocol, Process Discovery, Native API, Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Data from Removable Media, System Network Configuration Discovery, Create Process with Token, Web Protocols, Screen Capture, System Owner/User Discovery, Application Window Discovery, System Information Discovery, File Deletion, Registry Run Keys / Startup Folder, Encrypted/Encoded File, Token Impersonation/Theft, Proxy, Ingress Tool Transfer, File and Directory Discovery, Dynamic-link Library Injection, Archive Collected Data, System Network Connections Discovery
S0108 netsh (Citation: Baumgartner Naikon 2015) (Citation: TechNet Netsh) Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery
S0060 Sys10 (Citation: Baumgartner Naikon 2015) Symmetric Cryptography, Local Groups, System Information Discovery, System Network Configuration Discovery, Web Protocols, System Owner/User Discovery
S0096 Systeminfo (Citation: Baumgartner Naikon 2015) (Citation: TechNet Systeminfo) System Information Discovery
S0055 RARSTONE (Citation: Aquino RARSTONE) (Citation: Baumgartner Naikon 2015) (Citation: CameraShy) Dynamic-link Library Injection, Non-Application Layer Protocol, File and Directory Discovery, Ingress Tool Transfer
S0097 Ping (Citation: Baumgartner Naikon 2015) (Citation: Bitdefender Naikon April 2021) (Citation: TechNet Ping) Remote System Discovery
S0095 ftp (Citation: Baumgartner Naikon 2015) (Citation: Linux FTP) (Citation: Microsoft FTP) Commonly Used Port, Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer
S0029 PsExec (Citation: Baumgartner Naikon 2015) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account