Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Stolen Pencil
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Stolen Pencil
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)
ID: G0086
Associated Groups: 
Version: 1.1
Created: 05 Feb 2019
Last Modified: 25 Apr 2025

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1056 .001 Input Capture: Keylogging

Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}. (Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Stolen Pencil gathers credentials using Mimikatz and Procdump. (Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1566 .002 Phishing: Spearphishing Link

Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Stolen Pencil utilized RDP for direct remote point-and-click access. (Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1078 .003 Valid Accounts: Local Accounts

Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP. (Citation: Netscout Stolen Pencil Dec 2018)

Software
ID Name References Techniques
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Netscout Stolen Pencil Dec 2018) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0029 PsExec (Citation: Netscout Stolen Pencil Dec 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.