HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
ID: G1001
Associated Groups: Siamesekitten, Lyceum, Spirlin
Version: 2.3
Created: 17 Oct 2018
Last Modified: 14 Aug 2024

Associated Group Descriptions

Name Description
Siamesekitten (Citation: ClearSky Siamesekitten August 2021)
Lyceum (Citation: SecureWorks August 2019)
Spirlin (Citation: Accenture Lyceum Targets November 2021)

Techniques Used

Domain ID Name Use
Enterprise T1583.001 Acquire Infrastructure: Domains

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1583.002 Acquire Infrastructure: DNS Server

HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.(Citation: Zscaler Lyceum DnsSystem June 2022)

Enterprise T1110.003 Brute Force: Password Spraying

HEXANE has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.(Citation: SecureWorks August 2019)(Citation: Kaspersky APT Trends Q1 April 2021)(Citation: Kaspersky Lyceum October 2021)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

HEXANE has used a Visual Basic script named `MicrosoftUpdator.vbs` to execute a PowerShell keylogger.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1586.002 Compromise Accounts: Email Accounts

HEXANE has used compromised accounts to send spearphishing emails.(Citation: SecureWorks August 2019)

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1585.001 Establish Accounts: Social Media Accounts

HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1585.002 Establish Accounts: Email Accounts

HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

HEXANE has used WMI event subscriptions for persistence.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HEXANE has used cloud services, including OneDrive, for data exfiltration.(Citation: Microsoft POLONIUM June 2022)

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses

HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1591.004 Gather Victim Org Information: Identify Roles

HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1056.001 Input Capture: Keylogging

HEXANE has used a PowerShell-based keylogger named `kl.ps1`.(Citation: SecureWorks August 2019)(Citation: Kaspersky Lyceum October 2021)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

HEXANE has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1588.002 Obtain Capabilities: Tool

HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.(Citation: Kaspersky Lyceum October 2021)(Citation: SecureWorks August 2019)(Citation: Zscaler Lyceum DnsSystem June 2022)

Enterprise T1069.001 Permission Groups Discovery: Local Groups

HEXANE has run `net localgroup` to enumerate local groups.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

HEXANE has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

HEXANE has used a scheduled task to establish persistence for a keylogger.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1608.001 Stage Capabilities: Upload Malware

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.(Citation: ClearSky Siamesekitten August 2021)

Enterprise T1016.001 System Network Configuration Discovery: Internet Connection Discovery

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021)

Enterprise T1204.002 User Execution: Malicious File

HEXANE has relied on victims executing malicious file attachments, delivered via email or embedded in actor-controlled websites, to deliver malware.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)(Citation: Zscaler Lyceum DnsSystem June 2022)

Enterprise T1102.002 Web Service: Bidirectional Communication

HEXANE has used cloud services, including OneDrive, for C2.(Citation: Microsoft POLONIUM June 2022)

Software

ID Name References Techniques
S0100 ipconfig (Citation: ClearSky Siamesekitten August 2021) (Citation: TechNet Ipconfig) (Citation: Zscaler Lyceum DnsSystem June 2022) System Network Configuration Discovery
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: SecureWorks August 2019) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0104 netstat (Citation: Kaspersky Lyceum October 2021) (Citation: TechNet Netstat) System Network Connections Discovery
S0378 PoshC2 (Citation: GitHub PoshC2) (Citation: SecureWorks August 2019) Archive via Utility, Windows Management Instrumentation, Keylogging, Bypass User Account Control, Domain Account, Local Account, Automated Collection, System Service Discovery, Network Sniffing, System Information Discovery, Credentials from Password Stores, Process Injection, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, System Network Configuration Discovery, Proxy, Domain Trust Discovery, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Windows Management Instrumentation Event Subscription, Exploitation of Remote Services, Local Groups, Brute Force, Exploitation for Privilege Escalation, Password Policy Discovery, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Service Execution
S0190 BITSAdmin (Citation: Kaspersky Lyceum October 2021) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, BITS Jobs, Ingress Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol
S1021 DnsSystem (Citation: Zscaler Lyceum DnsSystem June 2022) System Owner/User Discovery, Standard Encoding, DNS, Malicious File, Data from Local System, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Windows Command Shell, Ingress Tool Transfer
S1019 Shark (Citation: Accenture Lyceum Targets November 2021) (Citation: ClearSky Siamesekitten August 2021) (Citation: Kaspersky Lyceum October 2021) Encrypted/Encoded File, Domain Generation Algorithms, DNS, Match Legitimate Resource Name or Location, System Checks, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Scheduled Transfer, Data Staged, Exfiltration Over C2 Channel, Query Registry, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Fallback Channels
S1015 Milan (Citation: Accenture Lyceum Targets November 2021) (Citation: ClearSky Siamesekitten August 2021) (Citation: James) (Citation: Kaspersky Lyceum October 2021) Scheduled Task, System Owner/User Discovery, Encrypted/Encoded File, Domain Generation Algorithms, Double File Extension, DNS, Local Data Staging, Local Account, Component Object Model, System Information Discovery, Native API, Data from Local System, Masquerading, Protocol Tunneling, System Network Configuration Discovery, Query Registry, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky Lyceum October 2021) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0097 Ping (Citation: ClearSky Siamesekitten August 2021) (Citation: TechNet Ping) Remote System Discovery
S1014 DanBot (Citation: SecureWorks August 2019) Scheduled Task, VNC, Encrypted/Encoded File, DNS, Match Legitimate Resource Name or Location, Malicious File, Spearphishing Attachment, Data from Local System, Deobfuscate/Decode Files or Information, Windows Command Shell, File Deletion, Web Protocols, Visual Basic, Ingress Tool Transfer
S1020 Kevin (Citation: Kaspersky Lyceum October 2021) Standard Encoding, Encrypted/Encoded File, DNS, System Information Discovery, Native API, Data from Local System, Protocol Tunneling, System Network Configuration Discovery, Data Staged, Virtualization/Sandbox Evasion, Windows Management Instrumentation Event Subscription, Exfiltration Over C2 Channel, Rename Legitimate Utilities, Data Transfer Size Limits, Hidden Window, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Fallback Channels, Junk Data