Cinnamon Tempest

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)
ID: G1021
Associated Groups: DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT
Version: 1.0
Created: 06 Dec 2023
Last Modified: 04 Apr 2024

Associated Group Descriptions

Name Description
DEV-0401 (Citation: Microsoft Threat Actor Naming July 2023)
Emperor Dragonfly (Citation: Sygnia Emperor Dragonfly October 2022)
BRONZE STARLIGHT (Citation: Dell SecureWorks BRONZE STARLIGHT Profile)

Techniques Used

Domain ID Name Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands.(Citation: Sygnia Emperor Dragonfly October 2022)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.(Citation: Microsoft Ransomware as a Service)

Enterprise T1059.006 Command and Scripting Interpreter: Python

Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files.(Citation: Microsoft Ransomware as a Service)

Enterprise T1543.003 Create or Modify System Process: Windows Service

Cinnamon Tempest has created system services to establish persistence for deployed tooling.(Citation: Sygnia Emperor Dragonfly October 2022)

Enterprise T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Cinnamon Tempest has used Group Policy to deploy batch scripts for ransomware deployment.(Citation: Microsoft Ransomware as a Service)

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS.(Citation: Sygnia Emperor Dragonfly October 2022)

Enterprise T1574.001 Hijack Execution Flow: DLL

Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons.(Citation: Microsoft Ransomware as a Service)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) Cinnamon Tempest has also abused legitimate executables to side-load weaponized DLLs.(Citation: Sygnia Emperor Dragonfly October 2022)

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

Cinnamon Tempest has abused legitimate executables to side-load weaponized DLLs.(Citation: Sygnia Emperor Dragonfly October 2022)

Enterprise T1588.002 Obtain Capabilities: Tool

Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage.(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Cinnamon Tempest has used SMBexec for lateral movement.(Citation: Sygnia Emperor Dragonfly October 2022)

Enterprise T1078.002 Valid Accounts: Domain Accounts

Cinnamon Tempest has obtained highly privileged credentials such as domain administrator in order to deploy malware.(Citation: Microsoft Ransomware as a Service)

Software

ID Name References Techniques
S0633 Sliver (Citation: Bishop Fox Sliver Framework August 2019) (Citation: Cybereason Sliver Undated) (Citation: Microsoft Ransomware as a Service) Screen Capture, Standard Encoding, Encrypted/Encoded File, Bypass User Account Control, DNS, Symmetric Cryptography, Application Layer Protocol, Process Injection, LSASS Memory, System Network Configuration Discovery, Golden Ticket, File and Directory Discovery, System Network Connections Discovery, Exfiltration Over C2 Channel, PowerShell, Obfuscated Files or Information, Asymmetric Cryptography, Compile After Delivery, Access Token Manipulation, Web Protocols, Ingress Tool Transfer, Steganography, Internal Proxy
S0357 Impacket (Citation: Impacket Tools) (Citation: Microsoft Ransomware as a Service) (Citation: Sygnia Emperor Dragonfly October 2022) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S1097 HUI Loader (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) DLL, Deobfuscate/Decode Files or Information, Indicator Blocking
S1040 Rclone (Citation: DFIR Conti Bazar Nov 2021) (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: Rclone Wars) (Citation: Rclone) (Citation: Sygnia Emperor Dragonfly October 2022) Archive via Utility, File and Directory Discovery, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration to Cloud Storage, Data Transfer Size Limits, Exfiltration Over Unencrypted Non-C2 Protocol
S1096 Cheerscrypt (Citation: Sygnia Emperor Dragonfly October 2022) (Citation: Trend Micro Cheerscrypt May 2022) Service Stop, Virtual Machine Discovery, File and Directory Discovery, Data Encrypted for Impact, Hypervisor CLI
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: TVT) (Citation: Thoper) Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S0664 Pandora (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: Microsoft Ransomware as a Service) (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022) (Citation: Sygnia Emperor Dragonfly October 2022) (Citation: Trend Micro Iron Tiger April 2021) Symmetric Cryptography, Windows Service, DLL, Process Injection, Traffic Signaling, Code Signing Policy Modification, Modify Registry, Process Discovery, Exploitation for Privilege Escalation, Web Protocols, Ingress Tool Transfer, Service Execution, Compression
S0154 Cobalt Strike (Citation: Dell SecureWorks BRONZE STARLIGHT Profile) (Citation: Microsoft Ransomware as a Service) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing