MITRE ATT&CK - Преступная группа Chimera

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

ID: G0114

Associated Groups:

Version: 2.1

Created: 24 Aug 2020

Last Modified: 25 Mar 2022

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1087	.001	Account Discovery: Local Account	Chimera has used `net user` for account discovery.(Citation: NCC Group Chimera January 2021)
		.002	Account Discovery: Domain Account	Chimera has has used `net user /dom` and `net user Administrator` to enumerate domain accounts including administrator accounts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Chimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021)
		.004	Application Layer Protocol: DNS	Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1110	.003	Brute Force: Password Spraying	Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021)
		.004	Brute Force: Credential Stuffing	Chimera has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC Group Chimera January 2021)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
		.003	Command and Scripting Interpreter: Windows Command Shell	Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)
Enterprise	T1074	.001	Data Staged: Local Data Staging	Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)
		.002	Data Staged: Remote Data Staging	Chimera has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera January 2021)
Enterprise	T1213	.002	Data from Information Repositories: Sharepoint	Chimera has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021)
Enterprise	T1114	.001	Email Collection: Local Email Collection	Chimera has harvested data from victim's e-mail including through execution of `wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy`.(Citation: NCC Group Chimera January 2021)
		.002	Email Collection: Remote Email Collection	Chimera has harvested data from remote mailboxes including through execution of `\\\c$\Users\\AppData\Local\Microsoft\Outlook*.ost`.(Citation: NCC Group Chimera January 2021)
Enterprise	T1567	.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Chimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021)
Enterprise	T1589	.001	Gather Victim Identity Information: Credentials	Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.(Citation: NCC Group Chimera January 2021)
Enterprise	T1574	.002	Hijack Execution Flow: DLL Side-Loading	Chimera has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)
Enterprise	T1070	.001	Indicator Removal: Clear Windows Event Logs	Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)
		.004	Indicator Removal: File Deletion	Chimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020)
		.006	Indicator Removal: Timestomp	Chimera has used a Windows version of the Linux `touch` command to modify the date and time stamp on DLLs.(Citation: NCC Group Chimera January 2021)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020)
Enterprise	T1556	.001	Modify Authentication Process: Domain Controller Authentication	Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.(Citation: Cycraft Chimera April 2020)
Enterprise	T1003	.003	OS Credential Dumping: NTDS	Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020) Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via `msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv` and used ntdsutil to copy the Active Directory database.(Citation: NCC Group Chimera January 2021)
Enterprise	T1588	.002	Obtain Capabilities: Tool	Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1069	.001	Permission Groups Discovery: Local Groups	Chimera has used `net localgroup administrators` to identify accounts with local administrative rights.(Citation: NCC Group Chimera January 2021)
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	Chimera has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020)
		.002	Remote Services: SMB/Windows Admin Shares	Chimera has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
		.006	Remote Services: Windows Remote Management	Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script `schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st` and to maintain persistence.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1569	.002	System Services: Service Execution	Chimera has used PsExec to deploy beacons on compromised systems.(Citation: NCC Group Chimera January 2021)
Enterprise	T1550	.002	Use Alternate Authentication Material: Pass the Hash	Chimera has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chimera January 2021)
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	Chimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)

ID	Name	References	Techniques
Software
S0039	Net	(Citation: Microsoft Net Utility) (Citation: NCC Group Chimera January 2021) (Citation: Savill 1999)	Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0521	BloodHound	(Citation: CrowdStrike BloodHound April 2018) (Citation: Cycraft Chimera April 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound)	Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0154	Cobalt Strike	(Citation: cobaltstrike manual) (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021)	Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002	Mimikatz	(Citation: Adsecurity Mimikatz Guide) (Citation: Cycraft Chimera April 2020) (Citation: Deply Mimikatz) (Citation: NCC Group Chimera January 2021)	DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0404	esentutl	(Citation: Microsoft Esentutl) (Citation: NCC Group Chimera January 2021)	Lateral Tool Transfer, NTDS, NTFS File Attributes, Ingress Tool Transfer, Data from Local System
S0029	PsExec	(Citation: NCC Group Chimera January 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)	SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Chimera

Associated Group Descriptions

Techniques Used

Software

References