
Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)
ID: G0121
Associated Groups: T-APT-04, Rattlesnake
Version: 1.2
Created: 27 Jan 2021
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description
T-APT-04 (Citation: Cyble Sidewinder September 2020)
Rattlesnake (Citation: Cyble Sidewinder September 2020)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sidewinder has used HTTP in C2 communications.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Sidewinder has added paths to executables in the Registry to establish persistence.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sidewinder has used PowerShell to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sidewinder has used VBScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Sidewinder has used JavaScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.(Citation: ATT Sidewinder January 2021)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.(Citation: Rewterz Sidewinder COVID-19 June 2020)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Sidewinder has used base64 encoding for scripts.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.(Citation: ATT Sidewinder January 2021)

Enterprise T1566 .002 Phishing: Spearphishing Link

Sidewinder has sent e-mails with malicious links often crafted for specific targets.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)

Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sidewinder has sent e-mails with malicious links to credential harvesting websites.(Citation: ATT Sidewinder January 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Sidewinder has used the Windows service winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.(Citation: Rewterz Sidewinder APT April 2020)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Sidewinder has used mshta.exe to execute malicious payloads.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Sidewinder has lured targets to click on malicious links to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)

Enterprise T1204 .002 User Execution: Malicious File

Sidewinder has lured targets to click on malicious files to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020)
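Several of the technique rows above map directly onto endpoint telemetry a defender already collects: Run key writes (T1547.001), a file carrying the rekeywiz.exe name outside System32 (T1036.005), mshta.exe execution (T1218.005), base64-encoded PowerShell command lines (T1027.010) and WMI queries against root\SecurityCenter2 (T1518.001). The Python below is an added example, not part of the ATT&CK entry or of SECURITM's material; it runs simple checks for those five behaviours over a handful of constructed events. The Event schema, the field names, and every sample event are assumptions made for the illustration and are not drawn from any real incident.

```python
"""Triage constructed endpoint events against five Sidewinder techniques listed above.

Added example; the Event schema and all sample events are constructed, not real telemetry.
"""
import base64
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# T1547.001: writes under the per-user or machine Run / RunOnce keys
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# T1518.001: WMI query against the Security Center namespace (antivirus inventory)
SECURITY_CENTER_RE = re.compile(r"root\\SecurityCenter2", re.IGNORECASE)
# T1027.010: PowerShell -EncodedCommand (and its accepted abbreviations) followed by base64
ENCODED_CMD_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# T1036.005: the legitimate Windows binary name the page says was mimicked, and its expected directory
LEGIT_NAMES = {"rekeywiz.exe": r"c:\windows\system32"}

Finding = Tuple[str, str]  # (ATT&CK technique id, human-readable detail)


@dataclass
class Event:
    kind: str         # "process" or "registry"  (assumed schema)
    image: str = ""   # process image path
    text: str = ""    # command line or script body
    key: str = ""     # registry key path
    data: str = ""    # registry value data


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries UTF-16LE text; report bad input instead of raising."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<invalid base64>"
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def check_masquerade(path: str) -> Optional[Finding]:
    """Flag a file that borrows a known Windows binary name but lives outside its expected directory."""
    name = ntpath.basename(path).lower()
    expected_dir = LEGIT_NAMES.get(name)
    if expected_dir is None or ntpath.dirname(path).lower() == expected_dir:
        return None
    return ("T1036.005", f"{name} located at unexpected path {path}")


def check_registry(ev: Event) -> List[Finding]:
    """Run key persistence, plus a masquerade check on the executable the key points to."""
    findings: List[Finding] = []
    if ev.kind != "registry" or not RUN_KEY_RE.search(ev.key):
        return findings
    findings.append(("T1547.001", f"Run key write {ev.key} -> {ev.data}"))
    masq = check_masquerade(ev.data)
    if masq:
        findings.append(masq)
    return findings


def check_process(ev: Event) -> List[Finding]:
    """mshta execution, SecurityCenter2 queries, encoded PowerShell, masqueraded image name."""
    findings: List[Finding] = []
    if ev.kind != "process":
        return findings
    image_name = ntpath.basename(ev.image).lower()
    if image_name == "mshta.exe":
        findings.append(("T1218.005", f"mshta.exe invoked: {ev.text}"))
    if SECURITY_CENTER_RE.search(ev.text):
        findings.append(("T1518.001", "WMI SecurityCenter2 query (antivirus inventory)"))
    m = ENCODED_CMD_RE.search(ev.text)
    if m and image_name in ("powershell.exe", "pwsh.exe"):
        findings.append(("T1027.010", f"encoded PowerShell: {decode_encoded_command(m.group(1))}"))
    masq = check_masquerade(ev.image)
    if masq:
        findings.append(masq)
    return findings


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_registry(ev))
        findings.extend(check_process(ev))
    return findings


# Constructed sample telemetry (not real data); the encoded command is generated here so it decodes cleanly.
SAMPLE_ENC = base64.b64encode("Write-Host hello".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Users\Public\rekeywiz.exe"),
    Event("process", image=r"C:\Windows\System32\mshta.exe", text=r"mshta.exe C:\Users\Public\update.hta"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          text=f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"),
    Event("process", image=r"C:\Windows\System32\wscript.exe",
          text=r'GetObject("winmgmts:\\.\root\SecurityCenter2").ExecQuery("SELECT * FROM AntiVirusProduct")'),
    Event("process", image=r"C:\Windows\explorer.exe", text="explorer.exe"),  # benign control
]

if __name__ == "__main__":
    for tid, detail in triage(SAMPLE_EVENTS):
        print(f"{tid}  {detail}")
```

Run key writes are common for legitimate software, so the T1547.001 finding is a candidate for baselining rather than an alert on its own; the value of the combined view is that the same host producing a Run key write, a rekeywiz.exe outside System32 and a SecurityCenter2 query matches several rows of the table above at once.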
