
Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)
ID: G0066
Associated Groups: Sneaky Panda, Elderwood Gang, Beijing Group
Version: 1.3
Created: 18 Apr 2018
Last Modified: 17 Nov 2024

Associated Group Descriptions

Name            Description
Sneaky Panda    (Citation: CSM Elderwood Sept 2012)
Elderwood Gang  (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)
Beijing Group   (Citation: CSM Elderwood Sept 2012)

Techniques Used

Domain      ID         Name
            Use

Enterprise  T1027.002  Obfuscated Files or Information: Software Packing
            Elderwood has packed malware payloads before delivery to victims. (Citation: Symantec Elderwood Sept 2012)

Enterprise  T1027.013  Obfuscated Files or Information: Encrypted/Encoded File
            Elderwood has encrypted documents and malicious executables. (Citation: Symantec Elderwood Sept 2012)

Enterprise  T1566.001  Phishing: Spearphishing Attachment
            Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise  T1566.002  Phishing: Spearphishing Link
            Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise  T1204.001  User Execution: Malicious Link
            Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise  T1204.002  User Execution: Malicious File
            Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Software

ID     Name
       References
       Techniques

S0206  Wiarp
       References: (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)
       Techniques: Windows Service, Process Injection, Windows Command Shell, Ingress Tool Transfer, Commonly Used Port

S0205  Naid
       References: (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)
       Techniques: Windows Service, System Information Discovery, Modify Registry, System Network Configuration Discovery, Custom Command and Control Protocol, Commonly Used Port

S0203  Hydraq
       References: (Citation: 9002 RAT) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: Aurora) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: FireEye Sunshop Campaign May 2013) (Citation: HidraQ) (Citation: HomeUnix) (Citation: Homux) (Citation: HydraQ) (Citation: McRat) (Citation: MdmBot) (Citation: MicroFocus 9002 Aug 2016) (Citation: Novetta-Axiom) (Citation: PaloAlto 3102 Sept 2015) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: Roarur) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010)
       Techniques: Screen Capture, Shared Modules, Symmetric Cryptography, Windows Service, System Service Discovery, System Information Discovery, Data from Local System, Modify Registry, Clear Windows Event Logs, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Exfiltration Over Alternative Protocol, Obfuscated Files or Information, Query Registry, File Deletion, Access Token Manipulation, Ingress Tool Transfer, Service Execution

S0204  Briba
       References: (Citation: Symantec Briba May 2012) (Citation: Symantec Elderwood Sept 2012)
       Techniques: Rundll32, Windows Service, Registry Run Keys / Startup Folder, Ingress Tool Transfer, Commonly Used Port

S0012  PoisonIvy
       References: (Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)
       Techniques: Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection

S0210  Nerex
       References: (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)
       Techniques: Windows Service, Code Signing, Modify Registry, Ingress Tool Transfer

S0208  Pasam
       References: (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)
       Techniques: System Information Discovery, Data from Local System, File and Directory Discovery, Process Discovery, File Deletion, Ingress Tool Transfer, LSASS Driver, Commonly Used Port

S0211  Linfo
       References: (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)
       Techniques: System Information Discovery, Data from Local System, Scheduled Transfer, File and Directory Discovery, Process Discovery, Windows Command Shell, File Deletion, Ingress Tool Transfer, Fallback Channels

S0207  Vasport
       References: (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)
       Techniques: Proxy, Registry Run Keys / Startup Folder, Web Protocols, Ingress Tool Transfer
