Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)
ID: G0143
Associated Groups: 
Version: 2.0
Created: 18 Jan 2022
Last Modified: 10 Oct 2024

Techniques Used

Domain ID Name Use
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE-2021-44228).(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Aquatic Panda has used several publicly available tools, including WinRAR and 7zip, to compress collected files and memory dumps prior to exfiltration.(Citation: CrowdStrike AQUATIC PANDA December 2021)(Citation: Crowdstrike HuntReport 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Aquatic Panda used malicious shell scripts in Linux environments following access via SSH to install Linux versions of Winnti malware.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Aquatic Panda has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory.(Citation: CrowdStrike AQUATIC PANDA December 2021) Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable (SecurityHealthService.exe) to execute malicious code on victim systems.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

Aquatic Panda modified the ld.so preload file in Linux environments to enable persistence for Winnti malware.(Citation: Crowdstrike HuntReport 2022)
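A defender-side audit of the file this entry refers to, added here as an example (not code from the page or from CrowdStrike): it parses an ld.so.preload body the way glibc reads it and flags entries that sit outside the system library directories or are not on a site allowlist. The trusted directories, the allowlist and the sample file body are assumptions constructed for the example.

```python
import os
import re
from typing import Dict, List

# Directories a legitimate preload library is expected to live in (assumption for this example).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_ld_preload(content: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload file body.
    glibc reads the file as a whitespace- or colon-separated list; '#' starts a comment."""
    entries = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def audit_ld_preload(content: str, allowlist: set) -> List[Dict[str, object]]:
    """Flag preload entries a defender should review: relative paths, paths outside
    the trusted library directories, or libraries not on the site's allowlist."""
    findings = []
    for path in parse_ld_preload(content):
        reasons = []
        if not path.startswith("/"):
            reasons.append("relative_path")
        elif not path.startswith(TRUSTED_DIRS):
            reasons.append("outside_trusted_dirs")
        if path not in allowlist:
            reasons.append("not_allowlisted")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings

def audit_host(preload_file: str = "/etc/ld.so.preload", allowlist: set = frozenset()):
    """Audit the live file; an absent or empty file is the expected, clean state."""
    if not os.path.exists(preload_file):
        return []
    with open(preload_file, encoding="utf-8", errors="replace") as fh:
        return audit_ld_preload(fh.read(), allowlist)

# Constructed sample file body (not from a real host); the allowlist holds the one
# library the site deliberately preloads.
SAMPLE_PRELOAD = """# site-managed preload
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-0.so
/tmp/.cache/libexample.so
"""
SAMPLE_ALLOWLIST = {"/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-0.so"}

if __name__ == "__main__":
    for finding in audit_ld_preload(SAMPLE_PRELOAD, SAMPLE_ALLOWLIST):
        print(finding["path"], ", ".join(finding["reasons"]))
```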

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Aquatic Panda clears Windows Event Logs following activity to evade defenses.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1070 .003 Indicator Removal: Clear Command History

Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

Aquatic Panda has deleted malicious executables from compromised machines.(Citation: CrowdStrike AQUATIC PANDA December 2021)(Citation: Crowdstrike HuntReport 2022)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Aquatic Panda created new, malicious services using names such as Windows User Service to attempt to blend in with legitimate items on victim systems.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Aquatic Panda has encoded PowerShell commands in Base64.(Citation: CrowdStrike AQUATIC PANDA December 2021)
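The Base64-encoded PowerShell commands noted under T1059.001 and T1027.010 can be recovered from process-creation telemetry; this added example (not code from the page or from CrowdStrike) extracts and decodes the -EncodedCommand argument, including nested encodings, so an analyst sees the script rather than the blob. The record format and the sample events are constructed for the example.

```python
import base64
import re
from typing import List, Optional
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# building the alternation from those prefixes keeps -ExecutionPolicy (-ep) from matching.
_PREFIXES = sorted(("encodedcommand"[:i] for i in range(1, 15)), key=len, reverse=True)
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)

def decode_encoded_command(cmdline: str, max_depth: int = 3) -> Optional[str]:
    """Return the script behind an -EncodedCommand argument, or None.
    The argument is Base64 of the UTF-16LE script text; decoding repeats while
    the result itself carries another encoded command (nesting), up to max_depth."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command; leave it to other rules
    if max_depth > 0 and ENC_FLAG.search(script):
        inner = decode_encoded_command(script, max_depth - 1)
        return inner if inner is not None else script
    return script

def scan_process_events(lines: List[str]) -> List[dict]:
    """Flag process-creation records whose command line carries an encoded script.
    Record format (constructed for this example): 'pid|image|command line'."""
    hits = []
    for line in lines:
        pid, image, cmdline = line.split("|", 2)
        script = decode_encoded_command(cmdline)
        if script is not None:
            hits.append({"pid": int(pid), "image": image, "decoded": script})
    return hits

def encode_for_sample(script: str) -> str:
    """Build a Base64 UTF-16LE argument so the sample needs no opaque blob."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "4312|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "5120|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -ep RemoteSigned -enc " + encode_for_sample("Get-Process | Select-Object -First 3"),
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(hit["pid"], hit["decoded"])
```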

Enterprise T1588 .001 Obtain Capabilities: Malware

Aquatic Panda has acquired and used njRAT in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

Aquatic Panda has acquired and used Cobalt Strike in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Aquatic Panda used remote shares to enable lateral movement in victim environments.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1021 .004 Remote Services: SSH

Aquatic Panda used SSH with captured user credentials to move laterally in victim environments.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Aquatic Panda has attempted to discover third-party endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.(Citation: Crowdstrike HuntReport 2022)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Aquatic Panda used a registry edit to enable a Windows feature called RestrictedAdmin in victim environments. This change allowed Aquatic Panda to leverage "pass the hash" mechanisms, because with RestrictedAdmin enabled an RDP connection can be established with a valid account name and hash alone, without possessing a cleartext password value.(Citation: Crowdstrike HuntReport 2022)
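Detection logic for the registry change described above, added as an example (not code from the page or from CrowdStrike): it flags a Sysmon value-set event that writes DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is the value that switches Restricted Admin mode on, and it can read the live value on a Windows host. The record layout and the sample events are constructed for the example.

```python
import platform
import re
from typing import Dict, List, Optional

# Writing DWORD 0 to this value turns Restricted Admin mode on; 1 or absent means off.
LSA_VALUE_SUFFIX = r"\control\lsa\disablerestrictedadmin"
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon's Details format for DWORDs

def parse_sysmon_record(line: str) -> Dict[str, str]:
    """Parse a constructed 'Field: value; Field: value' Sysmon-style record."""
    pairs = (part.split(":", 1) for part in line.split(";") if ":" in part)
    return {key.strip(): value.strip() for key, value in pairs}

def restricted_admin_enabled(record: Dict[str, str]) -> bool:
    """True for a Sysmon value-set event (ID 13) that writes DisableRestrictedAdmin = 0."""
    if record.get("EventID") != "13":
        return False
    if not record.get("TargetObject", "").lower().endswith(LSA_VALUE_SUFFIX):
        return False
    m = DWORD_RE.search(record.get("Details", ""))
    return m is not None and int(m.group(1), 16) == 0

def find_restricted_admin_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records in which Restricted Admin mode was switched on."""
    records = (parse_sysmon_record(line) for line in lines)
    return [r for r in records if restricted_admin_enabled(r)]

def live_restricted_admin_state() -> Optional[bool]:
    """On a Windows host, read the current value with the standard-library winreg module;
    None means the value is absent (mode off) or this is not a Windows host."""
    if platform.system() != "Windows":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
            value, _ = winreg.QueryValueEx(key, "DisableRestrictedAdmin")
    except FileNotFoundError:
        return None
    return value == 0

# Constructed Sysmon-style records (not real telemetry); the second is a benign Lsa write.
SAMPLE_LOG = [
    "EventID: 13; Image: C:\\Windows\\regedit.exe; TargetObject: HKLM\\System\\CurrentControlSet"
    "\\Control\\Lsa\\DisableRestrictedAdmin; Details: DWORD (0x00000000)",
    "EventID: 13; Image: C:\\Windows\\System32\\svchost.exe; TargetObject: HKLM\\System\\CurrentControlSet"
    "\\Control\\Lsa\\LimitBlankPasswordUse; Details: DWORD (0x00000001)",
]
```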

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.(Citation: Crowdstrike HuntReport 2022)

Software

ID Name References Techniques
S0430 Winnti for Linux (Citation: Chronicle Winnti for Linux May 2019) (Citation: Crowdstrike HuntReport 2022) Encrypted/Encoded File, Rootkit, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Traffic Signaling, Non-Application Layer Protocol, Web Protocols, Ingress Tool Transfer
S0154 Cobalt Strike (Citation: CrowdStrike AQUATIC PANDA December 2021) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0141 Winnti for Windows (Citation: 401 TRG Winnti Umbrella May 2018) (Citation: Chronicle Winnti for Linux May 2019) (Citation: Crowdstrike HuntReport 2022) (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) Rundll32, Encrypted/Encoded File, Bypass User Account Control, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Timestomp, External Proxy, File and Directory Discovery, Process Discovery, Registry Run Keys / Startup Folder, Non-Application Layer Protocol, File Deletion, Web Protocols, Ingress Tool Transfer, Service Execution, Environmental Keying, Internal Proxy, Compression
S0385 njRAT (Citation: Bladabindi) (Citation: CrowdStrike AQUATIC PANDA December 2021) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018) Screen Capture, System Owner/User Discovery, Standard Encoding, Keylogging, Encrypted/Encoded File, Fast Flux DNS, Peripheral Device Discovery, System Information Discovery, Native API, Replication Through Removable Media, Data from Local System, Application Window Discovery, Disable or Modify System Firewall, Modify Registry, Credentials from Web Browsers, Video Capture, Indicator Removal, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Non-Standard Port, Query Registry, Compile After Delivery, Uncommonly Used Port, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Custom Command and Control Protocol
S0596 ShadowPad (Citation: Crowdstrike HuntReport 2022) (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) Fileless Storage, System Owner/User Discovery, Domain Generation Algorithms, DNS, System Information Discovery, Deobfuscate/Decode Files or Information, Process Injection, Scheduled Transfer, Modify Registry, System Network Configuration Discovery, Indicator Removal, Process Discovery, File Transfer Protocols, Obfuscated Files or Information, Non-Application Layer Protocol, Non-Standard Encoding, Web Protocols, Ingress Tool Transfer, System Time Discovery, Dynamic-link Library Injection
S0645 Wevtutil (Citation: Crowdstrike HuntReport 2022) (Citation: Wevtutil Microsoft Documentation) Data from Local System, Disable Windows Event Logging, Clear Windows Event Logs
