Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
ID: G0060
Associated Groups: REDBALDKNIGHT, Tick
Version: 1.3
Created: 16 Jan 2018
Last Modified: 12 Oct 2021

Associated Group Descriptions

Name Description
REDBALDKNIGHT (Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019)
Tick (Citation: Trend Micro Daserf Nov 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Enterprise T1087 .002 Account Discovery: Domain Account

BRONZE BUTLER has used net user /domain to identify account information.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BRONZE BUTLER malware has used HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BRONZE BUTLER has used PowerShell for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)

.003 Command and Scripting Interpreter: Windows Command Shell

BRONZE BUTLER has used batch scripts and the command-line interface for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)

.005 Command and Scripting Interpreter: Visual Basic

BRONZE BUTLER has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

.006 Command and Scripting Interpreter: Python

BRONZE BUTLER has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.(Citation: Trend Micro Tick November 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.(Citation: Trend Micro Tick November 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

The BRONZE BUTLER uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.(Citation: Trend Micro Tick November 2019)

.005 Masquerading: Match Legitimate Name or Location

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

.003 Obfuscated Files or Information: Steganography

BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.(Citation: Trend Micro Tick November 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.(Citation: Symantec Tick Apr 2016)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)

Enterprise T1053 .002 Scheduled Task/Job: At

BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017)

.005 Scheduled Task/Job: Scheduled Task

BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1550 .003 Use Alternate Authentication Material: Pass the Ticket

BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Enterprise T1204 .002 User Execution: Malicious File

BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019)

Enterprise T1102 .001 Web Service: Dead Drop Resolver

BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: Secureworks BRONZE BUTLER Oct 2017) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0110 at (Citation: Linux at) (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: TechNet At) At
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: Symantec Tick Apr 2016) LSASS Memory
S0473 Avenger (Citation: Trend Micro Tick November 2019) Process Discovery, Security Software Discovery, Web Protocols, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, File and Directory Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Injection, Steganography, System Information Discovery
S0472 down_new (Citation: Trend Micro Tick November 2019) Ingress Tool Transfer, System Information Discovery, Standard Encoding, File and Directory Discovery, Process Discovery, Security Software Discovery, Web Protocols, Software Discovery, System Network Configuration Discovery, Symmetric Cryptography
S0469 ABK (Citation: Trend Micro Tick November 2019) Security Software Discovery, Deobfuscate/Decode Files or Information, Web Protocols, Process Injection, Ingress Tool Transfer, Steganography, Windows Command Shell
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: Symantec Tick Apr 2016) (Citation: Trend Micro Tick November 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0008 gsecdump (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: Symantec Tick Apr 2016) (Citation: TrueSec Gsecdump) Security Account Manager, LSA Secrets
S0187 Daserf (Citation: Muirim) (Citation: Nioupale) (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: Symantec Tick Apr 2016) (Citation: Trend Micro Daserf Nov 2017) Windows Command Shell, Code Signing, Ingress Tool Transfer, Software Packing, Standard Encoding, Archive via Utility, Screen Capture, Obfuscated Files or Information, Steganography, Symmetric Cryptography, Match Legitimate Name or Location, Keylogging, Web Protocols, LSASS Memory, Archive Collected Data, Indicator Removal from Tools
S0106 cmd (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: TechNet Cmd) (Citation: TechNet Copy) (Citation: TechNet Del) (Citation: TechNet Dir) File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, File Deletion, Windows Command Shell, Lateral Tool Transfer
S0111 schtasks (Citation: Secureworks BRONZE BUTLER Oct 2017) (Citation: TechNet Schtasks) Scheduled Task
S0471 build_downer (Citation: Trend Micro Tick November 2019) Native API, Masquerade Task or Service, Registry Run Keys / Startup Folder, Steganography, System Time Discovery, Security Software Discovery, System Information Discovery, Ingress Tool Transfer
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) System Owner/User Discovery, Modify Registry, System Time Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Fileless Storage, Indicator Removal, System Network Configuration Discovery, Scheduled Transfer, Process Discovery, DNS, Non-Standard Encoding, File Transfer Protocols, Non-Application Layer Protocol, Obfuscated Files or Information, Web Protocols, Process Injection, System Information Discovery, Domain Generation Algorithms, Ingress Tool Transfer, Dynamic-link Library Injection
S0470 BBK (Citation: Trend Micro Tick November 2019) Process Injection, Steganography, Ingress Tool Transfer, Web Protocols, Deobfuscate/Decode Files or Information, Windows Command Shell, Native API

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.