
Fox Kitten

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industry verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)
ID: G0117
Associated Groups: UNC757, Pioneer Kitten, Parisite, RUBIDIUM, Lemon Sandstorm
Version: 2.0
Created: 21 Dec 2020
Last Modified: 08 Jan 2024

Associated Group Descriptions

Name (References)
UNC757 (Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)
Pioneer Kitten (Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)
Parisite (Citation: Dragos PARISITE )(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)
RUBIDIUM (Citation: Microsoft Threat Actor Naming July 2023)
Lemon Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain | ID | Name (followed by how Fox Kitten has used it)

Enterprise T1087.001 Account Discovery: Local Account

Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1087.002 Account Discovery: Domain Account

Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Fox Kitten has used 7-Zip to archive data.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Fox Kitten has used PowerShell scripts to access credential data.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Fox Kitten has used cmd.exe, likely as a password-changing mechanism.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1136.001 Create Account: Local Account

Fox Kitten has created a local user account with administrator privileges.(Citation: ClearSky Pay2Kitten December 2020)

Enterprise T1555.005 Credentials from Password Stores: Password Managers

Fox Kitten has used scripts to access credential information from the KeePass database.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1213.005 Data from Information Repositories: Messaging Applications

Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1585.001 Establish Accounts: Social Media Accounts

Fox Kitten has used a Twitter account to communicate with ransomware victims.(Citation: ClearSky Pay2Kitten December 2020)

Enterprise T1546.008 Event Triggered Execution: Accessibility Features

Fox Kitten has used Sticky Keys to launch a command prompt.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Fox Kitten has named the scheduled task for a reverse proxy "lpupdate" to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Fox Kitten has named binaries and configuration files "svhost" and "dllhost" respectively to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Fox Kitten has used procdump to dump credentials from LSASS.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1003.003 OS Credential Dumping: NTDS

Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Fox Kitten has base64-encoded scripts to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Fox Kitten has base64-encoded payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Fox Kitten has used RDP to log in and move laterally in the target environment.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Fox Kitten has used valid accounts to access SMB shares.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1021.004 Remote Services: SSH

Fox Kitten has used the PuTTY and Plink tools for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1021.005 Remote Services: VNC

Fox Kitten has installed the TightVNC server and client on compromised servers and endpoints for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)

Enterprise T1505.003 Server Software Component: Web Shell

Fox Kitten has installed web shells on compromised hosts to maintain access.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)

Enterprise T1552.001 Unsecured Credentials: Credentials In Files

Fox Kitten has accessed files to gain valid credentials.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Software

ID | Name | References | Techniques

S0508 ngrok
References: (Citation: CrowdStrike PIONEER KITTEN August 2020) (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Zdnet Ngrok September 2018)
Techniques: Proxy, Exfiltration Over Web Service, Domain Generation Algorithms, Web Service, Protocol Tunneling

S0020 China Chopper
References: (Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021)
Techniques: Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery

S0556 Pay2Key
References: (Citation: Check Point Pay2Key November 2020) (Citation: ClearkSky Fox Kitten February 2020)
Techniques: Internal Proxy, Asymmetric Cryptography, Service Stop, File Deletion, Non-Application Layer Protocol, System Information Discovery, Data Encrypted for Impact, System Network Configuration Discovery

S9000 Ngrok
References: (Citation: CrowdStrike PIONEER KITTEN August 2020)
Techniques: Protocol Tunneling, Domain Generation Algorithms, Exfiltration Over Web Service, Proxy, Web Service

S0029 PsExec
References: (Citation: Check Point Pay2Key November 2020) (Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)
Techniques: SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
