
APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)
ID: G1023
Associated Groups: BRONZE FLEETWOOD, Keyhole Panda, MANGANESE, Mulberry Typhoon, UNC2630
Version: 1.1
Created: 05 Feb 2024
Last Modified: 04 Apr 2025

Associated Group Descriptions

Name Description
BRONZE FLEETWOOD (Citation: Secureworks BRONZE FLEETWOOD Profile)
Keyhole Panda (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks BRONZE FLEETWOOD Profile)
MANGANESE (Citation: Microsoft Threat Actor Naming July 2023)(Citation: NSA APT5 Citrix Threat Hunting December 2022)
Mulberry Typhoon (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft East Asia Threats September 2023)
UNC2630 (Citation: NSA APT5 Citrix Threat Hunting December 2022)

Techniques Used

Domain ID Name Use
Enterprise T1098.007 Account Manipulation: Additional Local or Domain Groups

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1583.005 Acquire Infrastructure: Botnet

APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow-on activities.(Citation: ORB Mandiant)

Enterprise T1560.001 Archive Collected Data: Archive via Utility

APT5 has used the JAR/ZIP file format for exfiltrated files.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

APT5 has used PowerShell to accomplish tasks within targeted environments.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

APT5 has used cmd.exe for execution on compromised systems.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1136.001 Create Account: Local Account

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1074.001 Data Staged: Local Data Staging

APT5 has staged data on compromised systems prior to exfiltration often in `C:\Users\Public`.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1562.006 Impair Defenses: Indicator Blocking

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1070.003 Indicator Removal: Clear Command History

APT5 has cleared the command history on targeted ESXi servers.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1070.004 Indicator Removal: File Deletion

APT5 has deleted scripts and web shells to evade detection.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1070.006 Indicator Removal: Timestomp

APT5 has modified file timestamps.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1056.001 Input Capture: Keylogging

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)

Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a `KB.zip` pattern.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

APT5 has moved laterally throughout victim environments using RDP.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1021.004 Remote Services: SSH

APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1053.003 Scheduled Task/Job: Cron

APT5 has made modifications to the crontab file including in `/var/cron/tabs/`.(Citation: NSA APT5 Citrix Threat Hunting December 2022)

Enterprise T1505.003 Server Software Component: Web Shell

APT5 has installed multiple web shells on compromised servers including on Pulse Secure VPN appliances.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1078.002 Valid Accounts: Domain Accounts

APT5 has used legitimate account credentials to move laterally through compromised environments.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Enterprise T1078.004 Valid Accounts: Cloud Accounts

APT5 has accessed Microsoft M365 cloud environments using stolen credentials.(Citation: Mandiant Pulse Secure Update May 2021)
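Added example, not part of this page or of the ATT&CK entry it mirrors: a small hunt in Python over constructed telemetry for three of the behaviours listed above: a newly created account being added to the local Administrators group (T1136.001 / T1098.007), update-lookalike archives written to `C:\Users\Public` (T1074.001 / T1036.005), and edits under `/var/cron/tabs/` (T1053.003). Windows Security event IDs 4720 (user account created) and 4732 (member added to a local group) are real identifiers; the record layout, hostnames, file names and the exact `KB` archive regex are assumptions made for the example.

```python
"""Hunt for several APT5 behaviours described above over constructed telemetry.

Added example; the event records below are constructed for illustration and
the field names are an assumed, simplified schema rather than a real SIEM's.
"""
import re

# Constructed sample telemetry (not real logs). Windows event IDs 4720 and
# 4732 are real Security-log IDs; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "win_event", "id": 4720, "target": "svc_backup"},
    {"host": "WS01", "type": "win_event", "id": 4732, "target": "svc_backup",
     "group": "Administrators"},
    {"host": "WS02", "type": "win_event", "id": 4720, "target": "intern01"},
    {"host": "WS02", "type": "win_event", "id": 4732, "target": "intern01",
     "group": "Remote Desktop Users"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\Public\KB1234567.zip"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\Public\report.docx"},
    {"host": "WS03", "type": "file_create", "path": r"C:\Temp\KB123.zip"},
    {"host": "vpn-gw", "type": "file_modify", "path": "/var/cron/tabs/root"},
    {"host": "vpn-gw", "type": "file_modify", "path": "/etc/hostname"},
]

STAGING_DIR = r"c:\users\public"          # staging directory named on the page
# The page only says archives follow a "KB.zip" pattern; treating that as
# "KB", optional digits, then .zip or .jar (both formats are mentioned) is an
# assumption of this example.
KB_ARCHIVE = re.compile(r"^kb\d*\.(zip|jar)$", re.IGNORECASE)
CRON_DIR = "/var/cron/tabs/"              # crontab location named on the page


def find_new_local_admins(events):
    """Accounts created (4720) and later added to local Administrators (4732) on the same host."""
    created = {(e["host"], e["target"])
               for e in events if e.get("type") == "win_event" and e.get("id") == 4720}
    hits = []
    for e in events:
        if (e.get("type") == "win_event" and e.get("id") == 4732
                and e.get("group") == "Administrators"):
            key = (e["host"], e["target"])
            if key in created:
                hits.append(key)
    return hits


def find_staged_kb_archives(events):
    """Update-lookalike archives written directly into the public staging directory."""
    hits = []
    for e in events:
        if e.get("type") != "file_create":
            continue
        directory, _, name = e["path"].rpartition("\\")
        if directory.lower() == STAGING_DIR and KB_ARCHIVE.match(name):
            hits.append((e["host"], e["path"]))
    return hits


def find_cron_tab_changes(events):
    """File modifications under the cron tabs directory (cron-based persistence)."""
    return [(e["host"], e["path"])
            for e in events if e.get("type") == "file_modify" and e["path"].startswith(CRON_DIR)]


def hunt(events):
    """Run all three checks and return findings keyed by check name."""
    return {
        "new_local_admins": find_new_local_admins(events),
        "staged_kb_archives": find_staged_kb_archives(events),
        "cron_tab_changes": find_cron_tab_changes(events),
    }


if __name__ == "__main__":
    for check, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{check}: {hits}")
```

Each check is deliberately narrow so that it matches what the page states and nothing more: the admin check requires both the creation and the group-add event on the same host, the staging check requires both the directory and the naming pattern, and a KB-named archive in another directory or an edit outside the cron tabs directory is left alone. In a real environment the same logic would be expressed as a SIEM correlation rule over the corresponding Windows Security, file-integrity and auditd sources.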

Software

ID Name References Techniques
S0039 Net (Citation: Mandiant Pulse Secure Update May 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0057 Tasklist (Citation: Mandiant Pulse Secure Update May 2021) (Citation: Microsoft Tasklist) System Service Discovery, Process Discovery, Security Software Discovery
S1050 PcShare (Citation: Bitdefender FunnyDream Campaign November 2020) (Citation: GitHub PcShare 2014) (Citation: Secureworks BRONZE FLEETWOOD Profile) Screen Capture, Rundll32, Keylogging, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Video Capture, System Network Configuration Discovery, Process Discovery, Exfiltration Over C2 Channel, Invalid Code Signature, Component Object Model Hijacking, Query Registry, Windows Command Shell, File Deletion, Web Protocols, Compression
S0104 netstat (Citation: Mandiant Pulse Secure Update May 2021) (Citation: TechNet Netstat) System Network Connections Discovery
S1109 PACEMAKER (Citation: Mandiant Pulse Secure Zero-Day April 2021) Local Data Staging, Automated Collection, Proc Filesystem, File and Directory Discovery, Unix Shell, Ptrace System Calls
S1113 RAPIDPULSE (Citation: Mandiant Pulse Secure Update May 2021) Encrypted/Encoded File, Data from Local System, Deobfuscate/Decode Files or Information, Web Shell
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) (Citation: Secureworks BRONZE FLEETWOOD Profile) Screen Capture, Rundll32, Standard Encoding, Keylogging, Shared Modules, Symmetric Cryptography, Windows Service, Fast Flux DNS, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Clear Windows Event Logs, Command and Scripting Interpreter, Process Discovery, Registry Run Keys / Startup Folder, Encrypted Channel, Non-Application Layer Protocol, Query Registry, File Deletion, Ingress Tool Transfer, Service Execution
S0007 Skeleton Key (Citation: Dell Skeleton) (Citation: Secureworks BRONZE FLEETWOOD Profile) Domain Controller Authentication
S1108 PULSECHECK (Citation: Mandiant Pulse Secure Zero-Day April 2021) Standard Encoding, Web Shell, Unix Shell, Web Protocols
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Mandiant Pulse Secure Update May 2021) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Mandiant Advanced Persistent Threats) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection
S1110 SLIGHTPULSE (Citation: Mandiant Pulse Secure Update May 2021) (Citation: Mandiant Pulse Secure Zero-Day April 2021) Standard Encoding, Local Data Staging, Symmetric Cryptography, Data from Local System, Deobfuscate/Decode Files or Information, Web Shell, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer
S1104 SLOWPULSE (Citation: Mandiant Pulse Secure Zero-Day April 2021) Local Data Staging, Compromise Host Software Binary, Obfuscated Files or Information, Multi-Factor Authentication, Multi-Factor Authentication Interception, Network Device Authentication
