MITRE ATT&CK - Преступная группа Naikon

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)

ID: G0019

Associated Groups:

Version: 2.0

Created: 31 May 2017

Last Modified: 19 Aug 2021

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Naikon has modified a victim's Windows Run registry to establish persistence.(Citation: Bitdefender Naikon April 2021)
Enterprise	T1574	.002	Hijack Execution Flow: DLL Side-Loading	Naikon has used DLL side-loading to load malicious DLL's into legitimate executables.(Citation: CheckPoint Naikon May 2020)
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	Naikon renamed a malicious service `taskmgr` to appear to be a legitimate version of Task Manager.(Citation: Bitdefender Naikon April 2021)
		.005	Masquerading: Match Legitimate Name or Location	Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.(Citation: Bitdefender Naikon April 2021)
Enterprise	T1137	.006	Office Application Startup: Add-ins	Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.(Citation: CheckPoint Naikon May 2020)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Naikon has used malicious e-mail attachments to deliver malware.(Citation: CheckPoint Naikon May 2020)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Naikon has used schtasks.exe for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Naikon uses commands such as `netsh advfirewall firewall` to discover local firewall settings.(Citation: Baumgartner Naikon 2015)
Enterprise	T1204	.002	User Execution: Malicious File	Naikon has convinced victims to open malicious attachments to execute malware.(Citation: CheckPoint Naikon May 2020)
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	Naikon has used administrator credentials for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

ID	Name	References	Techniques
Software
S0061	HDoor	(Citation: Baumgartner Naikon 2015)	Disable or Modify Tools, Network Service Discovery
S0039	Net	(Citation: Baumgartner Naikon 2015) (Citation: Bitdefender Naikon April 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999)	Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0059	WinMM	(Citation: Baumgartner Naikon 2015) (Citation: CameraShy)	Process Discovery, File and Directory Discovery, System Information Discovery, Fallback Channels, Web Protocols, System Owner/User Discovery
S0630	Nebulae	(Citation: Bitdefender Naikon April 2021)	Ingress Tool Transfer, System Information Discovery, Data from Local System, Non-Application Layer Protocol, Registry Run Keys / Startup Folder, Process Discovery, Native API, Masquerade Task or Service, File Deletion, Windows Service, Match Legitimate Name or Location, DLL Side-Loading, Windows Command Shell, File and Directory Discovery, Symmetric Cryptography
S0629	RainyDay	(Citation: Bitdefender Naikon April 2021)	Match Legitimate Name or Location, Native API, File Deletion, Exfiltration to Cloud Storage, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Web Protocols, Masquerade Task or Service, System Service Discovery, Process Discovery, Local Data Staging, Credentials from Web Browsers, Obfuscated Files or Information, Fallback Channels, Windows Service, Windows Command Shell, Proxy, Screen Capture, File and Directory Discovery, Windows Credential Manager, Scheduled Task, Non-Application Layer Protocol, Symmetric Cryptography, DLL Side-Loading, Data from Local System
S0057	Tasklist	(Citation: Baumgartner Naikon 2015) (Citation: Microsoft Tasklist)	Process Discovery, System Service Discovery, Security Software Discovery
S0058	SslMM	(Citation: Baumgartner Naikon 2015) (Citation: CameraShy)	System Owner/User Discovery, Fallback Channels, Shortcut Modification, Registry Run Keys / Startup Folder, Keylogging, Access Token Manipulation, Disable or Modify Tools, Match Legitimate Name or Location, System Information Discovery
S0456	Aria-body	(Citation: Bitdefender Naikon April 2021) (Citation: CheckPoint Naikon May 2020)	Non-Application Layer Protocol, Process Discovery, Native API, Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Data from Removable Media, System Network Configuration Discovery, Create Process with Token, Web Protocols, Screen Capture, System Owner/User Discovery, Application Window Discovery, System Information Discovery, File Deletion, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Token Impersonation/Theft, Proxy, Ingress Tool Transfer, File and Directory Discovery, Dynamic-link Library Injection, Archive Collected Data, System Network Connections Discovery
S0108	netsh	(Citation: Baumgartner Naikon 2015) (Citation: TechNet Netsh)	Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery
S0060	Sys10	(Citation: Baumgartner Naikon 2015)	Symmetric Cryptography, Local Groups, System Information Discovery, System Network Configuration Discovery, Web Protocols, System Owner/User Discovery
S0096	Systeminfo	(Citation: Baumgartner Naikon 2015) (Citation: TechNet Systeminfo)	System Information Discovery
S0055	RARSTONE	(Citation: Aquino RARSTONE) (Citation: Baumgartner Naikon 2015) (Citation: CameraShy)	Dynamic-link Library Injection, Non-Application Layer Protocol, File and Directory Discovery, Ingress Tool Transfer
S0097	Ping	(Citation: Baumgartner Naikon 2015) (Citation: Bitdefender Naikon April 2021) (Citation: TechNet Ping)	Remote System Discovery
S0095	ftp	(Citation: Baumgartner Naikon 2015) (Citation: Linux FTP) (Citation: Microsoft FTP)	Commonly Used Port, Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer
S0029	PsExec	(Citation: Baumgartner Naikon 2015) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)	SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Naikon

Associated Group Descriptions

Techniques Used

Software

References