MITRE ATT&CK - Преступная группа Stolen Pencil

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)

ID: G0086

Associated Groups:

Version: 1.1

Created: 05 Feb 2019

Last Modified: 07 Oct 2021

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise	T1056	.001	Input Capture: Keylogging	Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}. (Citation: Netscout Stolen Pencil Dec 2018)
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	Stolen Pencil gathers credentials using Mimikatz and Procdump. (Citation: Netscout Stolen Pencil Dec 2018)
Enterprise	T1566	.002	Phishing: Spearphishing Link	Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	Stolen Pencil utilized RDP for direct remote point-and-click access. (Citation: Netscout Stolen Pencil Dec 2018)
Enterprise	T1552	.001	Unsecured Credentials: Credentials In Files	Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise	T1078	.003	Valid Accounts: Local Accounts	Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP. (Citation: Netscout Stolen Pencil Dec 2018)

ID	Name	References	Techniques
Software
S0002	Mimikatz	(Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Netscout Stolen Pencil Dec 2018)	DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0029	PsExec	(Citation: Netscout Stolen Pencil Dec 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)	SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Stolen Pencil

Associated Group Descriptions

Techniques Used

Software

References