
TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)
ID: G0088
Associated Groups: XENOTIME
Version: 1.4
Created: 16 Apr 2019
Last Modified: 17 Apr 2024

Associated Group Descriptions

Name: XENOTIME
Description: The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)

Techniques Used

Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

TEMP.Veles has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018) The group has also used PowerShell to perform Timestomping.(Citation: FireEye TRITON 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)

Enterprise T1546 .012 Event Triggered Execution: Image File Execution Options Injection

TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.(Citation: FireEye TRITON 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.(Citation: FireEye TRITON 2019)

Enterprise T1070 .006 Indicator Removal: Timestomp

TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.(Citation: FireEye TRITON 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.(Citation: FireEye TRITON 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.(Citation: FireEye TRITON 2019)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.(Citation: FireEye TEMP.Veles 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.(Citation: FireEye TRITON 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

TEMP.Veles utilized RDP throughout an operation.(Citation: FireEye TRITON 2019)

Enterprise T1021 .004 Remote Services: SSH

TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.(Citation: FireEye TRITON 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TEMP.Veles has used scheduled task XML triggers.(Citation: FireEye TRITON 2019)

Enterprise T1505 .003 Server Software Component: Web Shell

TEMP.Veles has planted Web shells on Outlook Exchange servers.(Citation: FireEye TRITON 2019)

Software

S0609 TRITON
References: (Citation: CISA HatMan) (Citation: Dragos TRISIS) (Citation: FireEye TEMP.Veles 2018) (Citation: FireEye TRITON 2017) (Citation: FireEye TRITON 2018)
Techniques: Remote System Discovery, Masquerading, Python, Match Legitimate Name or Location, Obfuscated Files or Information

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye TRITON 2019)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

S0029 PsExec
References: (Citation: Dragos Xenotime 2018) (Citation: FireEye TRITON 2019) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)
Techniques: SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
