Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)
ID: G0100
Associated Groups: Cloud Atlas, Inception Framework
Version: 1.2
Created: 08 May 2020
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description
Cloud Atlas (Citation: Kaspersky Cloud Atlas December 2014)
Inception Framework (Citation: Symantec Inception Framework March 2018)

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Inception has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018)

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Inception has maintained persistence by modifying Registry run key value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Inception has used PowerShell to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Inception has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.(Citation: Symantec Inception Framework March 2018)

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Inception has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014)

Enterprise T1588.002 Obtain Capabilities: Tool

Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019)

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)

Enterprise T1090.003 Proxy: Multi-hop Proxy

Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)

Enterprise T1218.005 System Binary Proxy Execution: Mshta

Inception has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019)

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.(Citation: Kaspersky Cloud Atlas December 2014)
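
The two persistence entries above (the HKCU Run key and the `regsvr32 %path%\ctfmonrn.dll /s` value) suggest a simple hunting check. The following is an added example, not code from the page or from any of the cited reports: it inspects Run-key values and flags those that launch regsvr32 on a DLL outside the Windows system directories or through an unexpanded `%...%` variable. The Run-key contents, the allowlist of trusted DLL directories and the `ctfmonrn.dll` paths are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist: DLLs a logon-time regsvr32 would normally register live here.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

@dataclass(frozen=True)
class Finding:
    key: str
    value_name: str
    dll: str
    reason: str

def tokenize(cmdline: str) -> List[str]:
    """Split a Run-key command line into tokens, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def inspect_run_value(key: str, name: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when the value runs regsvr32 against a suspicious DLL path."""
    tokens = tokenize(cmdline)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("regsvr32", "regsvr32.exe"):
        return None
    dlls = [t for t in tokens[1:] if t.lower().endswith(".dll")]
    silent = any(t.lower() == "/s" for t in tokens[1:])
    if not dlls:
        return Finding(key, name, "", "regsvr32 at logon without a DLL argument")
    dll = dlls[0]
    if "%" in dll:                      # e.g. the %path% form quoted above
        reason = "unexpanded environment variable in DLL path"
    elif not dll.lower().startswith(TRUSTED_DLL_DIRS):
        reason = "DLL outside Windows system directories"
    else:
        return None
    return Finding(key, name, dll, reason + (" (silent /s)" if silent else ""))

# Constructed sample of Run-key contents; the ctfmonrn.dll entries mimic the reported persistence.
SAMPLE_RUN_KEYS: Dict[str, Dict[str, str]] = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
        "ctfmon": "regsvr32 %APPDATA%\\ctfmonrn.dll /s",
        "Loader": "regsvr32 C:\\Users\\alice\\AppData\\Roaming\\ctfmonrn.dll /s",
        "Printer": "C:\\Windows\\System32\\regsvr32.exe /s C:\\Windows\\System32\\vendorprint.dll",
    },
}

def scan(run_keys: Dict[str, Dict[str, str]] = SAMPLE_RUN_KEYS) -> List[Finding]:
    """Inspect every value under every Run key and collect the findings."""
    return [f for key, values in run_keys.items()
            for name, cmd in values.items()
            if (f := inspect_run_value(key, name, cmd)) is not None]

if __name__ == "__main__":
    for f in scan():
        print(f"{f.key}\\{f.value_name}: {f.dll or '-'} -> {f.reason}")
```

On a live host the sample dict would be replaced by values read from HKCU and HKLM Run keys (for example via `reg query` or `Get-ItemProperty`); the check itself is unchanged.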

Enterprise T1204.002 User Execution: Malicious File

Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Kaspersky Cloud Atlas August 2019)(Citation: Symantec Inception Framework March 2018)(Citation: Unit 42 Inception November 2018)
