Play

Play is a ransomware group, active since at least 2022, that deploys Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, exfiltrating data before encrypting systems, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
ID: G1040
Associated Groups: 
Version: 1.0
Created: 24 Sep 2024
Last Modified: 02 Oct 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Play has used WinRAR to compress files prior to exfiltration.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Play has used a batch script to remove indicators of its presence on compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1587.001 Develop Capabilities: Malware

Play developed and employed Playcrypt ransomware.(Citation: Trend Micro Ransomware Spotlight Play July 2023)(Citation: CISA Play Ransomware Advisory December 2023)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

Play has used tools to remove log files on targeted systems.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1070.004 Indicator Removal: File Deletion

Play has used tools including Wevtutil to remove malicious files from compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1588.002 Obtain Capabilities: Tool

Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.(Citation: CISA Play Ransomware Advisory December 2023)

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Play has used Cobalt Strike to move laterally via SMB.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1518.001 Software Discovery: Security Software Discovery

Play has used the information-stealing tool Grixba to scan for antivirus software.(Citation: CISA Play Ransomware Advisory December 2023)

Enterprise T1078.002 Valid Accounts: Domain Accounts

Play has used valid domain accounts for access.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Enterprise T1078.003 Valid Accounts: Local Accounts

Play has used valid local accounts to gain initial access.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Software

ID Name References Techniques

S0521 BloodHound
References: (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: Trend Micro Ransomware Spotlight Play July 2023)
Techniques: System Owner/User Discovery, Group Policy Discovery, Domain Account, Local Account, Domain Groups, Native API, Archive Collected Data, Domain Trust Discovery, PowerShell, Local Groups, Password Policy Discovery, Remote System Discovery

S1162 Playcrypt
References: (Citation: CISA Play Ransomware Advisory December 2023) (Citation: Microsoft PlayCrypt August 2022) (Citation: Play) (Citation: Trend Micro Ransomware Spotlight Play July 2023)
Techniques: File and Directory Discovery, Data Encrypted for Impact, Inhibit System Recovery

S0363 Empire
References: (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Trend Micro Ransomware Spotlight Play July 2023)
Techniques: Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking

S0359 Nltest
References: (Citation: Nltest Manual) (Citation: Trend Micro Ransomware Spotlight Play July 2023)
Techniques: System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery

S0154 Cobalt Strike
References: (Citation: Trend Micro Ransomware Spotlight Play July 2023) (Citation: cobaltstrike manual)
Techniques: Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Trend Micro Ransomware Spotlight Play July 2023)
Techniques: Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync

S0552 AdFind
References: (Citation: CISA Play Ransomware Advisory December 2023) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Trend Micro Ransomware Spotlight Play July 2023)
Techniques: Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery

S0645 Wevtutil
References: (Citation: Trend Micro Ransomware Spotlight Play July 2023) (Citation: Wevtutil Microsoft Documentation)
Techniques: Data from Local System, Disable Windows Event Logging, Clear Windows Event Logs

S0029 PsExec
References: (Citation: CISA Play Ransomware Advisory December 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)
Techniques: Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
