
WIRTE

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)
ID: G0090
Associated Groups: 
Version: 2.0
Created: 24 May 2019
Last Modified: 16 Apr 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WIRTE has used HTTP for network communication.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WIRTE has used PowerShell for script execution.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

WIRTE has used VBScript in its operations.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

WIRTE has named a first stage dropper `Kaspersky Update Agent` in order to appear legitimate.(Citation: Kaspersky WIRTE November 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

WIRTE has obtained and used Empire for post-exploitation activities.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

WIRTE has sent emails to intended victims with malicious MS Word and Excel attachments.(Citation: Kaspersky WIRTE November 2021)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script.(Citation: Lab52 WIRTE Apr 2019)

Enterprise T1204 .002 User Execution: Malicious File

WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.(Citation: Kaspersky WIRTE November 2021)

Software

ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: Lab52 WIRTE Apr 2019) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0679 Ferocious (Citation: Kaspersky WIRTE November 2021) System Checks, Peripheral Device Discovery, System Information Discovery, Modify Registry, PowerShell, Component Object Model Hijacking, Security Software Discovery, File Deletion, Visual Basic
S0680 LitePower (Citation: Kaspersky WIRTE November 2021) Scheduled Task, Screen Capture, System Owner/User Discovery, System Information Discovery, Native API, Exfiltration Over C2 Channel, PowerShell, Query Registry, Security Software Discovery, Web Protocols, Ingress Tool Transfer
