TEMP.Veles
Associated Group Descriptions

Name | Description
---|---
XENOTIME | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | TEMP.Veles has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018) The group has also used PowerShell to perform Timestomping.(Citation: FireEye TRITON 2019)
Enterprise | T1074.001 | Data Staged: Local Data Staging | TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)
Enterprise | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | TEMP.Veles has modified and added entries within
Enterprise | T1070.004 | Indicator Removal: File Deletion | TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.(Citation: FireEye TRITON 2019)
Enterprise | T1070.006 | Indicator Removal: Timestomp | TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.(Citation: FireEye TRITON 2019)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.(Citation: FireEye TRITON 2019)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.(Citation: FireEye TRITON 2019)
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.(Citation: FireEye TEMP.Veles 2018)
Enterprise | T1588.002 | Obtain Capabilities: Tool | TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.(Citation: FireEye TRITON 2019)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | TEMP.Veles utilized RDP throughout an operation.(Citation: FireEye TRITON 2019)
Enterprise | T1021.004 | Remote Services: SSH | TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.(Citation: FireEye TRITON 2019)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | TEMP.Veles has used scheduled task XML triggers.(Citation: FireEye TRITON 2019)
Enterprise | T1505.003 | Server Software Component: Web Shell | TEMP.Veles has planted Web shells on Outlook Exchange servers.(Citation: FireEye TRITON 2019)
References
- Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
- Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019.
- Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.
- Slowik, J. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.