HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
ID: G1001
Associated Groups: Spirlin, Siamesekitten, Lyceum
Version: 2.3
Created: 17 Oct 2018
Last Modified: 14 Aug 2024

Associated Group Descriptions

Name Description
Spirlin (Citation: Accenture Lyceum Targets November 2021)
Siamesekitten (Citation: ClearSky Siamesekitten August 2021)
Lyceum (Citation: SecureWorks August 2019)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1583 .002 Acquire Infrastructure: DNS Server

HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.(Citation: Zscaler Lyceum DnsSystem June 2022)

Enterprise T1110 .003 Brute Force: Password Spraying

HEXANE has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.(Citation: SecureWorks August 2019)(Citation: Kaspersky APT Trends Q1 April 2021)(Citation: Kaspersky Lyceum October 2021)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

HEXANE has used a Visual Basic script named `MicrosoftUpdator.vbs` to execute a PowerShell keylogger.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

HEXANE has used compromised accounts to send spearphishing emails.(Citation: SecureWorks August 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1585 .002 Establish Accounts: Email Accounts

HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

HEXANE has used WMI event subscriptions for persistence.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HEXANE has used cloud services, including OneDrive, for data exfiltration.(Citation: Microsoft POLONIUM June 2022)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1591 .004 Gather Victim Org Information: Identify Roles

HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1056 .001 Input Capture: Keylogging

HEXANE has used a PowerShell-based keylogger named `kl.ps1`.(Citation: SecureWorks August 2019)(Citation: Kaspersky Lyceum October 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

HEXANE has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.(Citation: Kaspersky Lyceum October 2021)(Citation: SecureWorks August 2019)(Citation: Zscaler Lyceum DnsSystem June 2022)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

HEXANE has run `net localgroup` to enumerate local groups.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

HEXANE has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

HEXANE has used a scheduled task to establish persistence for a keylogger.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1204 .002 User Execution: Malicious File

HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)(Citation: Zscaler Lyceum DnsSystem June 2022)

Enterprise T1102 .002 Web Service: Bidirectional Communication

HEXANE has used cloud services, including OneDrive, for C2.(Citation: Microsoft POLONIUM June 2022)

Software

ID Name References Techniques
S0100 ipconfig (Citation: ClearSky Siamesekitten August 2021) (Citation: TechNet Ipconfig) (Citation: Zscaler Lyceum DnsSystem June 2022) System Network Configuration Discovery
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: SecureWorks August 2019) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0104 netstat (Citation: Kaspersky Lyceum October 2021) (Citation: TechNet Netstat) System Network Connections Discovery
S0378 PoshC2 (Citation: GitHub PoshC2) (Citation: SecureWorks August 2019) System Network Configuration Discovery, Credentials In Files, LLMNR/NBT-NS Poisoning and SMB Relay, Web Protocols, Windows Management Instrumentation, System Network Connections Discovery, Exploitation for Privilege Escalation, System Service Discovery, Create Process with Token, Bypass User Account Control, Service Execution, Local Account, Automated Collection, System Information Discovery, Keylogging, Domain Account, Archive via Utility, Pass the Hash, Local Groups, File and Directory Discovery, Proxy, Brute Force, LSASS Memory, Process Injection, Exploitation of Remote Services, Domain Trust Discovery, Access Token Manipulation, Network Service Discovery, Credentials from Password Stores, Network Sniffing, Windows Management Instrumentation Event Subscription, Password Policy Discovery
S0190 BITSAdmin (Citation: Kaspersky Lyceum October 2021) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S1021 DnsSystem (Citation: Zscaler Lyceum DnsSystem June 2022) Standard Encoding, Exfiltration Over C2 Channel, Ingress Tool Transfer, DNS, Windows Command Shell, Registry Run Keys / Startup Folder, System Owner/User Discovery, Data from Local System, Malicious File
S1019 Shark (Citation: Accenture Lyceum Targets November 2021) (Citation: ClearSky Siamesekitten August 2021) (Citation: Kaspersky Lyceum October 2021) Ingress Tool Transfer, Exfiltration Over C2 Channel, Encrypted/Encoded File, Scheduled Transfer, Query Registry, System Information Discovery, Windows Command Shell, Fallback Channels, Data from Local System, System Checks, Match Legitimate Name or Location, File Deletion, Deobfuscate/Decode Files or Information, Web Protocols, DNS, Data Staged, Domain Generation Algorithms
S1015 Milan (Citation: Accenture Lyceum Targets November 2021) (Citation: ClearSky Siamesekitten August 2021) (Citation: James) (Citation: Kaspersky Lyceum October 2021) Scheduled Task, Local Data Staging, DNS, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Encrypted/Encoded File, Ingress Tool Transfer, Component Object Model, Web Protocols, Query Registry, Masquerading, Protocol Tunneling, Windows Command Shell, Native API, Data from Local System, Local Account, Domain Generation Algorithms, File Deletion, Double File Extension
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky Lyceum October 2021) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0097 Ping (Citation: ClearSky Siamesekitten August 2021) (Citation: TechNet Ping) Remote System Discovery
S1014 DanBot (Citation: SecureWorks August 2019) Scheduled Task, Match Legitimate Name or Location, VNC, Encrypted/Encoded File, File Deletion, Malicious File, DNS, Data from Local System, Ingress Tool Transfer, Spearphishing Attachment, Web Protocols, Visual Basic, Windows Command Shell, Deobfuscate/Decode Files or Information
S1020 Kevin (Citation: Kaspersky Lyceum October 2021) DNS, Hidden Window, System Network Configuration Discovery, Standard Encoding, System Information Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel, Protocol Tunneling, Data Transfer Size Limits, File Deletion, Web Protocols, Native API, Data from Local System, Windows Command Shell, Junk Data, Encrypted/Encoded File, Data Staged, Windows Management Instrumentation Event Subscription, Fallback Channels, Virtualization/Sandbox Evasion, Rename System Utilities