APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)
ID: G0026
Associated Groups: TG-0416, Dynamite Panda, Threat Group-0416
Version: 2.1
Created: 31 May 2017
Last Modified: 30 Mar 2020

Associated Group Descriptions

Name | Description
TG-0416 | (Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)
Dynamite Panda | (Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)
Threat Group-0416 | (Citation: ThreatStream Evasion Analysis)

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT18 uses HTTP for C2 communications. (Citation: PaloAlto DNS Requests May 2016)
Enterprise | T1071.004 | Application Layer Protocol: DNS | APT18 uses DNS for C2 communications. (Citation: PaloAlto DNS Requests May 2016)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. (Citation: Anomali Evasive Maneuvers July 2015)(Citation: PaloAlto DNS Requests May 2016)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | APT18 uses cmd.exe to execute commands on the victim's machine. (Citation: PaloAlto DNS Requests May 2016)(Citation: Anomali Evasive Maneuvers July 2015)
Enterprise | T1070.004 | Indicator Removal: File Deletion | APT18 actors deleted tools and batch files from victim systems. (Citation: Dell Lateral Movement)
Enterprise | T1053.002 | Scheduled Task/Job: At | APT18 actors used the native Windows at task scheduler tool to create scheduled tasks for execution on a victim network. (Citation: Dell Lateral Movement)

Software

ID | Name | References | Techniques
S0032 | gh0st RAT | (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) (Citation: RSA2017 Detect and Respond Adair) | Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel
S0071 | hcdLoader | (Citation: Dell Lateral Movement) (Citation: ThreatStream Evasion Analysis) | Windows Command Shell, Windows Service
S0124 | Pisloader | (Citation: Palo Alto DNS Requests) | Registry Run Keys / Startup Folder, Windows Command Shell, Standard Encoding, System Network Configuration Discovery, DNS, Obfuscated Files or Information, Ingress Tool Transfer, System Information Discovery, File and Directory Discovery
S0106 | cmd | (Citation: Dell Lateral Movement) (Citation: TechNet Cmd) (Citation: TechNet Copy) (Citation: TechNet Del) (Citation: TechNet Dir) | File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, File Deletion, Windows Command Shell, Lateral Tool Transfer
S0070 | HTTPBrowser | (Citation: Dell TG-3390) (Citation: HttpDump) (Citation: RSA2017 Detect and Respond Adair) (Citation: ThreatConnect Anthem) (Citation: ThreatStream Evasion Analysis) | Commonly Used Port, Ingress Tool Transfer, DLL Search Order Hijacking, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Windows Command Shell, Match Legitimate Name or Location, DLL Side-Loading, DNS, File and Directory Discovery, Keylogging, Web Protocols, File Deletion
