Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
ID: G0114
Associated Groups: 
Version: 2.2
Created: 24 Aug 2020
Last Modified: 12 Sep 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Chimera has used net user for account discovery.(Citation: NCC Group Chimera January 2021)

.002 Account Discovery: Domain Account

Chimera has has used net user /dom and net user Administrator to enumerate domain accounts including administrator accounts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Chimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021)

.004 Application Layer Protocol: DNS

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1110 .003 Brute Force: Password Spraying

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021)

.004 Brute Force: Credential Stuffing

Chimera has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC Group Chimera January 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)

.002 Data Staged: Remote Data Staging

Chimera has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera January 2021)

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Chimera has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021)

Enterprise T1114 .001 Email Collection: Local Email Collection

Chimera has harvested data from victim's e-mail including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy.(Citation: NCC Group Chimera January 2021)

.002 Email Collection: Remote Email Collection

Chimera has harvested data from remote mailboxes including through execution of \\\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.(Citation: NCC Group Chimera January 2021)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Chimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021)

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.(Citation: NCC Group Chimera January 2021)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Chimera has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)

.004 Indicator Removal: File Deletion

Chimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020)

.006 Indicator Removal: Timestomp

Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.(Citation: NCC Group Chimera January 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020)

Enterprise T1556 .001 Modify Authentication Process: Domain Controller Authentication

Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.(Citation: Cycraft Chimera April 2020)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020) Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.(Citation: NCC Group Chimera January 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Chimera has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020)

Enterprise T1588 .002 Obtain Capabilities: Tool

Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Chimera has used net localgroup administrators to identify accounts with local administrative rights.(Citation: NCC Group Chimera January 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Chimera has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020)

.002 Remote Services: SMB/Windows Admin Shares

Chimera has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

.006 Remote Services: Windows Remote Management

Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st and to maintain persistence.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Enterprise T1569 .002 System Services: Service Execution

Chimera has used PsExec to deploy beacons on compromised systems.(Citation: NCC Group Chimera January 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Chimera has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chimera January 2021)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Chimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: NCC Group Chimera January 2021) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: Cycraft Chimera April 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) System Owner/User Discovery, Group Policy Discovery, Domain Account, Local Account, Domain Groups, Native API, Archive Collected Data, Domain Trust Discovery, PowerShell, Local Groups, Password Policy Discovery, Remote System Discovery
S0154 Cobalt Strike (Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0154 Cobalt Strike (Citation: Cycraft Chimera April 2020) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Cycraft Chimera April 2020) (Citation: Deply Mimikatz) (Citation: NCC Group Chimera January 2021) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0404 esentutl (Citation: Microsoft Esentutl) (Citation: NCC Group Chimera January 2021) Direct Volume Access, Data from Local System, Lateral Tool Transfer, Ingress Tool Transfer, NTDS, NTFS File Attributes
S0029 PsExec (Citation: NCC Group Chimera January 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.