Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

ID: G0114

Associated Groups:

Version: 2.2

Created: 24 Aug 2020

Last Modified: 12 Sep 2024

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1087	.001	Account Discovery: Local Account	Chimera has used `net user` for account discovery.(Citation: NCC Group Chimera January 2021)
		.002	Account Discovery: Domain Account	Chimera has has used `net user /dom` and `net user Administrator` to enumerate domain accounts including administrator accounts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Chimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021)
		.004	Application Layer Protocol: DNS	Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1110	.003	Brute Force: Password Spraying	Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021)
		.004	Brute Force: Credential Stuffing	Chimera has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC Group Chimera January 2021)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
		.003	Command and Scripting Interpreter: Windows Command Shell	Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021)
Enterprise	T1074	.001	Data Staged: Local Data Staging	Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)
		.002	Data Staged: Remote Data Staging	Chimera has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera January 2021)
Enterprise	T1213	.002	Data from Information Repositories: Sharepoint	Chimera has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021)
Enterprise	T1114	.001	Email Collection: Local Email Collection	Chimera has harvested data from victim's e-mail including through execution of `wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy`.(Citation: NCC Group Chimera January 2021)
		.002	Email Collection: Remote Email Collection	Chimera has harvested data from remote mailboxes including through execution of `\\\c$\Users\\AppData\Local\Microsoft\Outlook*.ost`.(Citation: NCC Group Chimera January 2021)
Enterprise	T1567	.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Chimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021)
Enterprise	T1589	.001	Gather Victim Identity Information: Credentials	Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.(Citation: NCC Group Chimera January 2021)
Enterprise	T1574	.001	Hijack Execution Flow: DLL	Chimera has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021)
Enterprise	T1070	.001	Indicator Removal: Clear Windows Event Logs	Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021)
		.004	Indicator Removal: File Deletion	Chimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020)
		.006	Indicator Removal: Timestomp	Chimera has used a Windows version of the Linux `touch` command to modify the date and time stamp on DLLs.(Citation: NCC Group Chimera January 2021)
Enterprise	T1036	.005	Masquerading: Match Legitimate Resource Name or Location	Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020)
Enterprise	T1556	.001	Modify Authentication Process: Domain Controller Authentication	Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.(Citation: Cycraft Chimera April 2020)
Enterprise	T1003	.003	OS Credential Dumping: NTDS	Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020) Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via `msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv` and used ntdsutil to copy the Active Directory database.(Citation: NCC Group Chimera January 2021)
Enterprise	T1027	.010	Obfuscated Files or Information: Command Obfuscation	Chimera has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020)
Enterprise	T1588	.002	Obtain Capabilities: Tool	Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1069	.001	Permission Groups Discovery: Local Groups	Chimera has used `net localgroup administrators` to identify accounts with local administrative rights.(Citation: NCC Group Chimera January 2021)
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	Chimera has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020)
		.002	Remote Services: SMB/Windows Admin Shares	Chimera has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
		.006	Remote Services: Windows Remote Management	Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script `schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st` and to maintain persistence.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Enterprise	T1569	.002	System Services: Service Execution	Chimera has used PsExec to deploy beacons on compromised systems.(Citation: NCC Group Chimera January 2021)
Enterprise	T1550	.002	Use Alternate Authentication Material: Pass the Hash	Chimera has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chimera January 2021)
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	Chimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)

ID	Name	References	Techniques
Software
S0039	Net	(Citation: Microsoft Net Utility) (Citation: NCC Group Chimera January 2021) (Citation: Savill 1999)	Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0521	BloodHound	(Citation: CrowdStrike BloodHound April 2018) (Citation: Cycraft Chimera April 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound)	System Owner/User Discovery, Group Policy Discovery, Domain Account, Local Account, Domain Groups, Native API, Archive Collected Data, Domain Trust Discovery, PowerShell, Local Groups, Password Policy Discovery, Remote System Discovery
S0154	Cobalt Strike	(Citation: Cycraft Chimera April 2020) (Citation: NCC Group Chimera January 2021) (Citation: cobaltstrike manual)	Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0154	Cobalt Strike	(Citation: Cycraft Chimera April 2020) (Citation: cobaltstrike manual)	Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002	Mimikatz	(Citation: Adsecurity Mimikatz Guide) (Citation: Cycraft Chimera April 2020) (Citation: Deply Mimikatz) (Citation: NCC Group Chimera January 2021)	Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0404	esentutl	(Citation: Microsoft Esentutl) (Citation: NCC Group Chimera January 2021)	Direct Volume Access, Data from Local System, Lateral Tool Transfer, Ingress Tool Transfer, NTDS, NTFS File Attributes
S0029	PsExec	(Citation: NCC Group Chimera January 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)	Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Chimera

Associated Group Descriptions

Techniques Used

Software

References