
Play

Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
ID: G1040
Associated Groups: 
Created: 24 Sep 2024
Last Modified: 02 Oct 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Play has used WinRAR to compress files prior to exfiltration.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

.003 Command and Scripting Interpreter: Windows Command Shell

Play has used a batch script to remove indicators of its presence on compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1587 .001 Develop Capabilities: Malware

Play developed and employs Playcrypt ransomware.(Citation: Trend Micro Ransomware Spotlight Play July 2023)(Citation: CISA Play Ransomware Advisory December 2023)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Play has used tools to remove log files on targeted systems.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

.004 Indicator Removal: File Deletion

Play has used tools including Wevtutil to remove malicious files from compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1588 .002 Obtain Capabilities: Tool

Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.(Citation: CISA Play Ransomware Advisory December 2023)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Play has used Cobalt Strike to move laterally via SMB.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Play has used the information-stealing tool Grixba to scan for anti-virus software.(Citation: CISA Play Ransomware Advisory December 2023)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Play has used valid domain accounts for access.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

.003 Valid Accounts: Local Accounts

Play has used valid local accounts to gain initial access.(Citation: Trend Micro Ransomware Spotlight Play July 2023)
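A small detection routine, added here as an example and not part of the ATT&CK entry or of SECURITM, that scans constructed process-creation log lines for three of the behaviours listed above: Base64-encoded PowerShell (T1027.010), its use to turn off Microsoft Defender (T1562.001), and Wevtutil event log clearing (T1070.001). The simplified "host user command line" log format, the sample lines and the tampering patterns are assumptions for illustration.

```python
import base64
import re

# Constructed sample process-creation records (not from any real incident),
# in an assumed simplified form: "<host> <user> <command line>".
SAMPLE_LOGS = [
    "ws01 CORP\\alice powershell.exe -NoProfile -EncodedCommand "
    + base64.b64encode("Set-MpPreference -DisableRealtimeMonitoring $true"
                       .encode("utf-16le")).decode(),
    "ws01 CORP\\alice powershell.exe -Command Get-Date",
    "srv02 CORP\\svc_backup wevtutil.exe cl Security",
    "srv02 CORP\\svc_backup cmd.exe /c dir",
]

# PowerShell accepts abbreviated forms of -EncodedCommand; longest first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumed indicators of Defender tampering once the payload is decoded.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference.*-Disable|Add-MpPreference.*-Exclusion", re.I)
# wevtutil cl / clear-log wipes a Windows event log channel.
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: not a valid encoded command


def classify(line):
    """Map one log line to (host, user, list of ATT&CK-labelled findings)."""
    host, user, cmdline = line.split(" ", 2)
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("T1027.010 encoded PowerShell")
        if DEFENDER_TAMPER.search(decoded):
            findings.append("T1562.001 Defender tampering")
    if LOG_CLEAR.search(cmdline):
        findings.append("T1070.001 event log cleared")
    return host, user, findings


def scan(lines):
    """Return only the records that produced at least one finding."""
    return [(h, u, f) for h, u, f in map(classify, lines) if f]


if __name__ == "__main__":
    for host, user, findings in scan(SAMPLE_LOGS):
        print(host, user, "; ".join(findings))
```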

Software

ID Name References Techniques
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: Trend Micro Ransomware Spotlight Play July 2023) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S1162 Playcrypt (Citation: CISA Play Ransomware Advisory December 2023) (Citation: Microsoft PlayCrypt August 2022) (Citation: Play) (Citation: Trend Micro Ransomware Spotlight Play July 2023) Data Encrypted for Impact, Inhibit System Recovery, File and Directory Discovery
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Trend Micro Ransomware Spotlight Play July 2023) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0359 Nltest (Citation: Nltest Manual) (Citation: Trend Micro Ransomware Spotlight Play July 2023) Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: Trend Micro Ransomware Spotlight Play July 2023) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Trend Micro Ransomware Spotlight Play July 2023) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0552 AdFind (Citation: CISA Play Ransomware Advisory December 2023) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Trend Micro Ransomware Spotlight Play July 2023) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0645 Wevtutil (Citation: Trend Micro Ransomware Spotlight Play July 2023) (Citation: Wevtutil Microsoft Documentation) Clear Windows Event Logs, Disable Windows Event Logging, Data from Local System
S0029 PsExec (Citation: CISA Play Ransomware Advisory December 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
