
HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)
ID: G0125
Associated Groups: Operation Exchange Marauder
Version: 1.2
Created: 03 Mar 2021
Last Modified: 06 Jul 2022

Associated Group Descriptions

Name: Operation Exchange Marauder
Description: (Citation: Volexity Exchange Marauder March 2021)

Techniques Used

Domain ID Name Use
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

HAFNIUM has acquired web services for use in C2 and exfiltration.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

HAFNIUM has used open-source C2 frameworks, including Covenant.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HAFNIUM has used the Exchange PowerShell module Set-OabVirtualDirectoryPowerShell to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1136 .002 Create Account: Domain Account

HAFNIUM has created and granted privileges to domain accounts.(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1132 .001 Data Encoding: Standard Encoding

HAFNIUM has used ASCII encoding for C2 traffic.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1114 .002 Email Collection: Remote Email Collection

HAFNIUM has used web shells to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1592 .004 Gather Victim Host Information: Client Configurations

HAFNIUM has interacted with Office 365 tenants to gather details about targets' environments.(Citation: Microsoft HAFNIUM March 2020)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HAFNIUM has collected e-mail addresses for users they intended to target.(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1590 .005 Gather Victim Network Information: IP Addresses

HAFNIUM has obtained IP addresses for publicly accessible Exchange servers.(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

HAFNIUM has used procdump to dump the LSASS process memory.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1003 .003 OS Credential Dumping: NTDS

HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1505 .003 Server Software Component: Web Shell

HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

HAFNIUM has used rundll32 to load malicious DLLs.(Citation: Volexity Exchange Marauder March 2021)

Enterprise T1078 .003 Valid Accounts: Local Accounts

HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021)

Software

ID: S0357
Name: Impacket
References: (Citation: Impacket Tools) (Citation: Tarrask scheduled task)
Techniques: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets

ID: S0073
Name: ASPXSpy
References: (Citation: Dell TG-3390) (Citation: Volexity Exchange Marauder March 2021)
Techniques: Web Shell

ID: S0020
Name: China Chopper
References: (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Exchange Zero Days March 2021) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Volexity Exchange Marauder March 2021)
Techniques: Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery

ID: S1011
Name: Tarrask
References: (Citation: Tarrask scheduled task)
Techniques: Match Legitimate Name or Location, Windows Command Shell, Token Impersonation/Theft, Masquerade Task or Service, Scheduled Task, Modify Registry, Hide Artifacts

ID: S0029
Name: PsExec
References: (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Volexity Exchange Marauder March 2021)
Techniques: SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account