
Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)
ID: G0143
Associated Groups: 
Version: 1.0
Created: 18 Jan 2022
Last Modified: 29 Jun 2022

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE-2021-44228).(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Aquatic Panda has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Aquatic Panda has deleted malicious executables from compromised machines.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1588 .001 Obtain Capabilities: Malware

Aquatic Panda has acquired and used njRAT in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

Aquatic Panda has acquired and used Cobalt Strike in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Aquatic Panda has attempted to discover third-party endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Software

ID Name References Techniques

S0154 Cobalt Strike
References: (Citation: cobaltstrike manual) (Citation: CrowdStrike AQUATIC PANDA December 2021)
Techniques: Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information

S0385 njRAT
References: (Citation: Bladabindi) (Citation: CrowdStrike AQUATIC PANDA December 2021) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018)
Techniques: System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Obfuscated Files or Information, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System
