
Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation: SentinelOne Agrius 2021)(Citation: CheckPoint Agrius 2023) Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).(Citation: Microsoft Iran Cyber 2023)
ID: G1030
Associated Groups: BlackShadow, Pink Sandstorm, AMERICIUM, Agonizing Serpens
Created: 21 May 2024
Last Modified: 29 Aug 2024

Associated Group Descriptions

Name Description
BlackShadow (Citation: CheckPoint Agrius 2023)
Pink Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
AMERICIUM (Citation: Microsoft Threat Actor Naming July 2023)
Agonizing Serpens (Citation: Unit42 Agrius 2023)

Techniques Used

Domain ID Name Use
Enterprise T1560.001 Archive Collected Data: Archive via Utility

Agrius used 7zip to archive extracted data in preparation for exfiltration.(Citation: Unit42 Agrius 2023)

Enterprise T1110.003 Brute Force: Password Spraying

Agrius engaged in password spraying via SMB in victim environments.(Citation: Unit42 Agrius 2023)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Agrius uses ASPXSpy web shells to enable follow-on command execution via cmd.exe.(Citation: SentinelOne Agrius 2021)

Enterprise T1543.003 Create or Modify System Process: Windows Service

Agrius has deployed IPsec Helper malware post-exploitation and registered it as a service for persistence.(Citation: SentinelOne Agrius 2021)

Enterprise T1074.001 Data Staged: Local Data Staging

Agrius has used the folder C:\windows\temp\s\ to stage data for exfiltration.(Citation: Unit42 Agrius 2023)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Agrius used several mechanisms to try to disable security tools: it attempted to modify EDR-related services so that they would not auto-start on system reboot, and it used a publicly available driver, GMER64.sys, normally used for anti-rootkit functionality, to selectively stop and remove security software processes.(Citation: Unit42 Agrius 2023)

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.(Citation: Unit42 Agrius 2023)

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

Agrius dumped the SAM file on victim machines to capture credentials.(Citation: Unit42 Agrius 2023)

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Agrius tunnels RDP traffic through deployed web shells to access victim environments via compromised accounts.(Citation: SentinelOne Agrius 2021) Agrius used the Plink tool to tunnel RDP connections for remote access and lateral movement in victim environments.(Citation: Unit42 Agrius 2023)

Enterprise T1505.003 Server Software Component: Web Shell

Agrius typically deploys a variant of the ASPXSpy web shell following initial access via exploitation.(Citation: SentinelOne Agrius 2021)

Enterprise T1078.002 Valid Accounts: Domain Accounts

Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.(Citation: Unit42 Agrius 2023)
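As an added illustration that is not part of the ATT&CK entry, the Python below hunts over constructed Sysmon/System-log style records for three observables named in the techniques above: EDR-related services switched off auto-start, a load of the GMER64.sys driver, and files written to the staging folder. The records and the service name AcmeEDR are constructed placeholders; the event IDs (System 7040, Sysmon 6 and 11) are the standard Windows/Sysmon ones.

```python
"""Hunt over Windows/Sysmon-style event records for three observables named on
this page: EDR services switched off auto-start (System log 7040), a load of the
GMER64.sys driver (Sysmon 6), and writes to C:\\windows\\temp\\s\\ (Sysmon 11).
All records below are constructed; 'AcmeEDR' is a placeholder service name."""
import re
from typing import Optional

# Observables from the technique descriptions above.  The trailing separator on
# STAGING_DIR matters: without it C:\Windows\Temp\setup.log would match too.
STAGING_DIR = "c:\\windows\\temp\\s\\"
ROOTKIT_DRIVER = "gmer64.sys"
# Service Control Manager 7040 text: "The start type of the X service was
# changed from auto start to disabled."
START_TYPE_RE = re.compile(
    r"start type of the (?P<svc>.+?) service was changed from "
    r"(?P<old>.+?) to (?P<new>.+?)\.?$", re.IGNORECASE)

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    src, eid = event.get("Source"), event.get("EventID")
    if src == "System" and eid == 7040:
        m = START_TYPE_RE.search(event.get("Message", ""))
        if m and "auto" in m["old"].lower() and m["new"].lower() == "disabled":
            return f"T1562.001 service {m['svc']} auto-start disabled"
    if src == "Sysmon" and eid == 6:  # DriverLoad
        if event.get("ImageLoaded", "").lower().endswith(ROOTKIT_DRIVER):
            return "T1562.001 GMER64.sys driver loaded"
    if src == "Sysmon" and eid == 11:  # FileCreate
        if event.get("TargetFilename", "").lower().startswith(STAGING_DIR):
            return "T1074.001 file written to staging folder"
    return None

def hunt(events) -> list:
    """Return (RecordId, label) for every event that matched a rule."""
    return [(e["RecordId"], label) for e in events if (label := classify(e))]

SAMPLE_EVENTS = [  # constructed sample records
    {"RecordId": 1, "Source": "System", "EventID": 7040, "Message":
     "The start type of the AcmeEDR service was changed from auto start to disabled."},
    {"RecordId": 2, "Source": "System", "EventID": 7040, "Message":
     "The start type of the Spooler service was changed from auto start to demand start."},
    {"RecordId": 3, "Source": "Sysmon", "EventID": 6, "ImageLoaded": "C:\\Users\\Public\\GMER64.sys"},
    {"RecordId": 4, "Source": "Sysmon", "EventID": 11, "TargetFilename": "C:\\Windows\\Temp\\s\\export.7z"},
    {"RecordId": 5, "Source": "Sysmon", "EventID": 11, "TargetFilename": "C:\\Windows\\Temp\\setup.log"},
]

if __name__ == "__main__":
    for rid, label in hunt(SAMPLE_EVENTS):
        print(rid, label)  # prints records 1, 3 and 4
```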

Software

ID Name References Techniques
S1137 Moneybird (Citation: CheckPoint Agrius 2023) Embedded Payloads, Data Encrypted for Impact
S1133 Apostle (Citation: SentinelOne Agrius 2021) Process Discovery, System Shutdown/Reboot, Execution Guardrails, Clear Windows Event Logs, Scheduled Task, Disk Content Wipe, Data Encrypted for Impact, Data Destruction, File Deletion, Deobfuscate/Decode Files or Information
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: SentinelOne Agrius 2021) Web Shell
S1135 MultiLayer Wiper (Citation: Unit42 Agrius 2023) System Shutdown/Reboot, Indicator Removal, Stored Data Manipulation, Disable or Modify Tools, File Deletion, Data Destruction, Embedded Payloads, Windows Command Shell, Clear Windows Event Logs, Inhibit System Recovery, Scheduled Task, Timestomp, Disk Structure Wipe, File and Directory Discovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Unit42 Agrius 2023) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S1132 IPsec Helper (Citation: SentinelOne Agrius 2021) Indicator Removal, Lateral Tool Transfer, Process Discovery, Clear Persistence, Modify Registry, Encrypted/Encoded File, PowerShell, Visual Basic, Data from Local System, Windows Command Shell, Time Based Evasion, Web Protocols, Exfiltration Over C2 Channel, Service Execution, File Deletion
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: Unit42 Agrius 2023) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S1136 BFG Agonizer (Citation: Unit42 Agrius 2023) System Shutdown/Reboot, Compromise Host Software Binary, Disk Structure Wipe, Inhibit System Recovery
S1134 DEADWOOD (Citation: SentinelOne Agrius 2021) Disk Content Wipe, Embedded Payloads, Data Destruction, Masquerade Task or Service, Encrypted/Encoded File, Service Execution, Deobfuscate/Decode Files or Information, System Time Discovery, Account Access Removal, Disk Structure Wipe
