Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)
ID: G0022
Associated Groups: UPS Team, Pirpi, Gothic Panda, Threat Group-0110, TG-0110, Buckeye
Version: 1.4
Created: 31 May 2017
Last Modified: 16 Sep 2024

Associated Group Descriptions

Name Description
UPS Team (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
Pirpi (Citation: PWC Pirpi Scanbox)
Gothic Panda (Citation: PWC Pirpi Scanbox) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
Threat Group-0110 (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
TG-0110 (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)
Buckeye (Citation: Symantec Buckeye)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.(Citation: Symantec Buckeye)

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT3 has been known to add created accounts to local admin groups to maintain elevated access.(Citation: aptsim)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT3 has used tools to compress data before exfilling it.(Citation: aptsim)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT3 places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap)

Enterprise T1110 .002 Brute Force: Password Cracking

APT3 has been known to brute force password hashes to be able to leverage plain text credentials.(Citation: APT3 Adversary Emulation Plan)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT3 has used PowerShell on victim systems to download and run payloads after exploitation.(Citation: FireEye Operation Double Tap)

.003 Command and Scripting Interpreter: Windows Command Shell

An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers.(Citation: FireEye Operation Double Tap)(Citation: Symantec Buckeye)

Enterprise T1136 .001 Create Account: Local Account

APT3 has been known to create or enable accounts, such as support_388945a0.(Citation: aptsim)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT3 has a tool that creates a new service for persistence.(Citation: FireEye Operation Double Tap)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT3 has used tools to dump passwords from browsers.(Citation: Symantec Buckeye)

Enterprise T1074 .001 Data Staged: Local Data Staging

APT3 has been known to stage files for exfiltration in a single location.(Citation: aptsim)

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.(Citation: aptsim)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.(Citation: FireEye Operation Double Tap)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.(Citation: FireEye Clandestine Fox)(Citation: FireEye Clandestine Fox Part 2)

Enterprise T1070 .004 Indicator Removal: File Deletion

APT3 has a tool that can delete files.(Citation: FireEye Clandestine Fox)

Enterprise T1056 .001 Input Capture: Keylogging

APT3 has used a keylogging tool that records keystrokes in encrypted files.(Citation: Symantec Buckeye)

Enterprise T1036 .010 Masquerading: Masquerade Account Name

APT3 has been known to create or enable accounts, such as support_388945a0.(Citation: aptsim)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."(Citation: Symantec Buckeye)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT3 has been known to pack their tools.(Citation: APT3 Adversary Emulation Plan)(Citation: FireEye Clandestine Wolf)

.005 Obfuscated Files or Information: Indicator Removal from Tools

APT3 has been known to remove indicators of compromise from tools.(Citation: APT3 Adversary Emulation Plan)

Enterprise T1566 .002 Phishing: Spearphishing Link

APT3 has sent spearphishing emails containing malicious links.(Citation: FireEye Clandestine Wolf)

Enterprise T1090 .002 Proxy: External Proxy

An APT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT3 enables the Remote Desktop Protocol for persistence.(Citation: aptsim) APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.(Citation: Twitter Cglyer Status Update APT3 eml)

.002 Remote Services: SMB/Windows Admin Shares

APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.(Citation: Symantec Buckeye)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".(Citation: FireEye Operation Double Tap)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

APT3 has a tool that can run DLLs.(Citation: FireEye Clandestine Fox)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.(Citation: Symantec Buckeye)

Enterprise T1204 .001 User Execution: Malicious Link

APT3 has lured victims into clicking malicious links delivered through spearphishing.(Citation: FireEye Clandestine Wolf)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT3 leverages valid accounts after gaining credentials for use within the victim domain.(Citation: Symantec Buckeye)

Software

ID Name References Techniques
S0166 RemoteCMD (Citation: Symantec Buckeye) Service Execution, Scheduled Task, Ingress Tool Transfer
S0063 SHOTPUT (Citation: Backdoor.APT.CookieCutter) (Citation: FireEye Clandestine Fox Part 2) (Citation: FireEye Clandestine Wolf) (Citation: Pirpi) Obfuscated Files or Information, File and Directory Discovery, Local Account, Remote System Discovery, System Network Connections Discovery, Process Discovery
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Symantec Buckeye) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0111 schtasks (Citation: FireEye Operation Double Tap) (Citation: TechNet Schtasks) Scheduled Task
S0165 OSInfo (Citation: Symantec Buckeye) Local Account, Query Registry, System Information Discovery, System Network Connections Discovery, Remote System Discovery, Domain Groups, Domain Account, Local Groups, Network Share Discovery, System Network Configuration Discovery

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.