MITRE ATT&CK - Преступная группа Elderwood

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

ID: G0066

Associated Groups: Elderwood Gang, Beijing Group, Sneaky Panda

Version: 1.2

Created: 18 Apr 2018

Last Modified: 02 Mar 2021

Name	Description
Associated Group Descriptions
Elderwood Gang	(Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)
Beijing Group	(Citation: CSM Elderwood Sept 2012)
Sneaky Panda	(Citation: CSM Elderwood Sept 2012)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	Elderwood has packed malware payloads before delivery to victims.(Citation: Symantec Elderwood Sept 2012)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)
		.002	Phishing: Spearphishing Link	Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)
Enterprise	T1204	.001	User Execution: Malicious Link	Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)
		.002	User Execution: Malicious File	Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)

ID	Name	References	Techniques
Software
S0206	Wiarp	(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)	Ingress Tool Transfer, Windows Command Shell, Process Injection, Windows Service, Commonly Used Port
S0205	Naid	(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)	System Network Configuration Discovery, Commonly Used Port, System Information Discovery, Modify Registry, Windows Service, Custom Command and Control Protocol
S0203	Hydraq	(Citation: 9002 RAT) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: Aurora) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: FireEye Sunshop Campaign May 2013) (Citation: HidraQ) (Citation: HomeUnix) (Citation: Homux) (Citation: HydraQ) (Citation: McRat) (Citation: MdmBot) (Citation: MicroFocus 9002 Aug 2016) (Citation: Novetta-Axiom) (Citation: PaloAlto 3102 Sept 2015) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: Roarur) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010)	Query Registry, Shared Modules, Service Execution, System Network Configuration Discovery, System Information Discovery, Data from Local System, Modify Registry, Ingress Tool Transfer, Obfuscated Files or Information, Windows Service, Symmetric Cryptography, System Service Discovery, File Deletion, Process Discovery, Screen Capture, Clear Windows Event Logs, Exfiltration Over Alternative Protocol, File and Directory Discovery, Access Token Manipulation
S0204	Briba	(Citation: Symantec Briba May 2012) (Citation: Symantec Elderwood Sept 2012)	Commonly Used Port, Windows Service, Rundll32, Ingress Tool Transfer, Registry Run Keys / Startup Folder
S0012	PoisonIvy	(Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)	Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0210	Nerex	(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)	Ingress Tool Transfer, Code Signing, Windows Service, Modify Registry
S0208	Pasam	(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)	Commonly Used Port, Process Discovery, Ingress Tool Transfer, File and Directory Discovery, LSASS Driver, System Information Discovery, File Deletion, Data from Local System
S0211	Linfo	(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)	System Information Discovery, Fallback Channels, Ingress Tool Transfer, File and Directory Discovery, File Deletion, Scheduled Transfer, Windows Command Shell, Process Discovery, Data from Local System
S0207	Vasport	(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)	Web Protocols, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Proxy

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Elderwood

Associated Group Descriptions

Techniques Used

Software

References