Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)

ID: G0100

Associated Groups: Inception Framework, Cloud Atlas

Version: 1.1

Created: 08 May 2020

Last Modified: 12 Oct 2021

Name	Description
Associated Group Descriptions
Inception Framework	(Citation: Symantec Inception Framework March 2018)
Cloud Atlas	(Citation: Kaspersky Cloud Atlas December 2014)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Inception has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Inception has maintained persistence by modifying Registry run key value `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\`.(Citation: Kaspersky Cloud Atlas December 2014)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Inception has used PowerShell to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)
		.005	Command and Scripting Interpreter: Visual Basic	Inception has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.(Citation: Symantec Inception Framework March 2018)
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Inception has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)
Enterprise	T1588	.002	Obtain Capabilities: Tool	Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019)
Enterprise	T1069	.002	Permission Groups Discovery: Domain Groups	Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)
Enterprise	T1090	.003	Proxy: Multi-hop Proxy	Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)
Enterprise	T1218	.005	System Binary Proxy Execution: Mshta	Inception has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019)
		.010	System Binary Proxy Execution: Regsvr32	Inception has ensured persistence at system boot by setting the value `regsvr32 %path%\ctfmonrn.dll /s`.(Citation: Kaspersky Cloud Atlas December 2014)
Enterprise	T1204	.002	User Execution: Malicious File	Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)

ID	Name	References	Techniques
Software
S0441	PowerShower	(Citation: Kaspersky Cloud Atlas August 2019) (Citation: Unit 42 Inception November 2018)	System Information Discovery, File Deletion, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Exfiltration Over C2 Channel, Standard Encoding, Web Protocols, Modify Registry, System Network Configuration Discovery, System Owner/User Discovery, Hidden Window, Archive via Utility, Visual Basic
S0442	VBShower	(Citation: Kaspersky Cloud Atlas August 2019)	Visual Basic, File Deletion, Registry Run Keys / Startup Folder, Web Protocols, Ingress Tool Transfer
S0349	LaZagne	(Citation: GitHub LaZagne Dec 2018) (Citation: Kaspersky Cloud Atlas August 2019)	Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Inception

Associated Group Descriptions

Techniques Used

Software

References