Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
ID: G0114
Associated Groups: 
Version: 2.2
Created: 24 Aug 2020
Last Modified: 12 Sep 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Chimera has used net user for account discovery.(Citation: NCC Group Chimera January 2021)

.002 Account Discovery: Domain Account

Chimera has has used net user /dom and net user Administrator to enumerate domain accounts including administrator accounts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Chimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021)

.004 Application Layer Protocol: DNS

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1110 .003 Brute Force: Password Spraying

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021)

.004 Brute Force: Credential Stuffing

Chimera has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC Group Chimera January 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)

.002 Data Staged: Remote Data Staging

Chimera has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera January 2021)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Chimera has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021)

Enterprise T1114 .001 Email Collection: Local Email Collection

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy.(Citation: NCC Group Chimera January 2021)

.002 Email Collection: Remote Email Collection

Chimera has harvested data from remote mailboxes including through execution of \\\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.(Citation: NCC Group Chimera January 2021)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Chimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021)

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.(Citation: NCC Group Chimera January 2021)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Chimera has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)

.004 Indicator Removal: File Deletion

Chimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020)

.006 Indicator Removal: Timestomp

Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.(Citation: NCC Group Chimera January 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020)

Enterprise T1556 .001 Modify Authentication Process: Domain Controller Authentication

Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.(Citation: Cycraft Chimera April 2020)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020) Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.(Citation: NCC Group Chimera January 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Chimera has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020)

Enterprise T1588 .002 Obtain Capabilities: Tool

Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Chimera has used net localgroup administrators to identify accounts with local administrative rights.(Citation: NCC Group Chimera January 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Chimera has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020)

.002 Remote Services: SMB/Windows Admin Shares

Chimera has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

.006 Remote Services: Windows Remote Management

Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st and to maintain persistence.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1569 .002 System Services: Service Execution

Chimera has used PsExec to deploy beacons on compromised systems.(Citation: NCC Group Chimera January 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Chimera has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chimera January 2021)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Chimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: NCC Group Chimera January 2021) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: Cycraft Chimera April 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Cycraft Chimera April 2020) (Citation: Deply Mimikatz) (Citation: NCC Group Chimera January 2021) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0404 esentutl (Citation: Microsoft Esentutl) (Citation: NCC Group Chimera January 2021) Direct Volume Access, Lateral Tool Transfer, NTDS, NTFS File Attributes, Ingress Tool Transfer, Data from Local System
S0029 PsExec (Citation: NCC Group Chimera January 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.