
PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)
ID: S0029
Type: TOOL
Platforms: Windows
Version: 1.7
Created: 31 May 2017
Last Modified: 25 Sep 2024

Techniques Used

Domain      ID          Name                                              Use

Enterprise  T1136.002   Create Account: Domain Account

PsExec has the ability to remotely create accounts on target systems.(Citation: NCC Group Fivehands June 2021)

Enterprise  T1543.003   Create or Modify System Process: Windows Service

PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the -s argument.(Citation: Russinovich Sysinternals)

Enterprise  T1021.002   Remote Services: SMB/Windows Admin Shares

PsExec, a tool that has been used by adversaries, writes programs to the ADMIN$ network share to execute commands on remote systems.(Citation: PsExec Russinovich)

Enterprise  T1569.002   System Services: Service Execution

Microsoft Sysinternals PsExec is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.(Citation: Russinovich Sysinternals)
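The two behaviours listed above (a binary written to the ADMIN$ share, then a temporary service installed to run it) are what a defender can key on. The following detector is an added example written for this page; it is not MITRE's or Sysinternals' code. It correlates two real Windows event types, Security 5145 (network share object access, fields ShareName, RelativeTargetName, AccessMask, IpAddress) and System 7045 (new service installed, fields ServiceName, ImagePath), and fires either when the service carries the default PsExec service name or when a service's executable was written to ADMIN$ on the same host shortly before the install. The event records, hostnames and IP addresses are constructed for the example.

```python
"""Detect PsExec-style remote service execution from Windows event records.

Added example for the ATT&CK S0029 entry; not MITRE or Sysinternals code.
Real events used: Security 5145 (share object access) and System 7045
(service installed). All sample records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    fields: dict = field(default_factory=dict)

# Default service/binary name PsExec installs on the target (PSEXESVC).
PSEXEC_DEFAULT = re.compile(r"psexesvc", re.IGNORECASE)
WRITE_DATA = 0x2  # FILE_WRITE_DATA bit in the 5145 AccessMask

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path such as %SystemRoot%\\x.exe."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def admin_share_exe_writes(events):
    """Return (event, exe basename) for executables written to ADMIN$ (T1021.002)."""
    out = []
    for e in events:
        if e.event_id != 5145:
            continue
        share = e.fields.get("ShareName", "")
        target = e.fields.get("RelativeTargetName", "")
        mask = int(e.fields.get("AccessMask", "0x0"), 16)
        if share.upper().endswith("ADMIN$") and target.lower().endswith(".exe") and mask & WRITE_DATA:
            out.append((e, _basename(target)))
    return out

def detect_psexec(events, window=timedelta(minutes=2)):
    """Return a list of alert dicts, one per matching rule and service install.

    Rule 1 'psexec-default-service': a 7045 whose service name or image path
            contains the default PSEXESVC name (T1569.002).
    Rule 2 'admin-share-write-then-service': a 7045 whose image basename was
            written to ADMIN$ on the same host within `window` before the
            install, so it does not depend on the default name.
    """
    alerts = []
    writes = admin_share_exe_writes(events)
    for svc in events:
        if svc.event_id != 7045:
            continue
        name = svc.fields.get("ServiceName", "")
        image = svc.fields.get("ImagePath", "")
        if PSEXEC_DEFAULT.search(name) or PSEXEC_DEFAULT.search(image):
            alerts.append({"rule": "psexec-default-service", "host": svc.host,
                           "service": name, "image": image})
        for w, wbase in writes:
            if (w.host == svc.host and wbase == _basename(image)
                    and timedelta(0) <= svc.ts - w.ts <= window):
                alerts.append({"rule": "admin-share-write-then-service", "host": svc.host,
                               "service": name, "image": image,
                               "source_ip": w.fields.get("IpAddress", "?")})
                break
    return alerts

# Constructed sample events: one PsExec-style sequence on ws01, benign noise on ws02.
T0 = datetime(2024, 9, 25, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", 5145, {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe",
                             "AccessMask": "0x2", "IpAddress": "10.0.0.5"}),
    Event(T0 + timedelta(seconds=3), "ws01", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(T0 + timedelta(minutes=5), "ws02", 7045,
          {"ServiceName": "VendorUpdater", "ImagePath": r"C:\Program Files\Vendor\updater.exe"}),
    Event(T0 + timedelta(minutes=6), "ws02", 5145,
          {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"debug\trace.log",
           "AccessMask": "0x1", "IpAddress": "10.0.0.9"}),
]

if __name__ == "__main__":
    for a in detect_psexec(SAMPLE_EVENTS):
        print(a)
```

Rule 2 is the one worth keeping in production: 5145 events are only logged when "Audit Detailed File Share" is enabled, and the share write plus service install on the same host within a short window is the PsExec pattern regardless of what the service is called. Treat the IpAddress from the 5145 record as the likely source of the lateral movement and pivot the investigation there.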

Groups That Use This Software

ID Name References
G1017 Volt Typhoon

(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

G0010 Turla

(Citation: Symantec Waterbug Jun 2019)

G0114 Chimera

(Citation: NCC Group Chimera January 2021)

G0006 APT1

(Citation: Mandiant APT1)

G0076 Thrip

(Citation: Symantec Thrip June 2018)

G1009 Moses Staff

(Citation: Checkpoint MosesStaff Nov 2021)

G0098 BlackTech

(Citation: Symantec Palmerworm Sep 2020)

G0003 Cleaver

(Citation: Cylance Cleaver)

G0105 DarkVishnya

(Citation: Securelist DarkVishnya Dec 2018)

G1032 INC Ransom

(Citation: Secureworks GOLD IONIC April 2024) (Citation: Cybereason INC Ransomware November 2023) (Citation: SOCRadar INC Ransom January 2024) (Citation: Huntress INC Ransom Group August 2023)

G0034 Sandworm Team

(Citation: Dragos Crashoverride 2018)

G0125 HAFNIUM

(Citation: Volexity Exchange Marauder March 2021)

G1024 Akira

(Citation: Arctic Wolf Akira 2023)

G0087 APT39

(Citation: FireEye APT39 Jan 2019) (Citation: Symantec Chafer February 2018) (Citation: BitDefender Chafer May 2020)

G1040 Play

(Citation: CISA Play Ransomware Advisory December 2023)

G0053 FIN5

(Citation: Mandiant FIN5 GrrCON Oct 2016)

(Citation: BlackBerry CostaRicto November 2020)

G0037 FIN6

(Citation: FireEye FIN6 April 2016) (Citation: FireEye FIN6 Apr 2019)

G0119 Indrik Spider

(Citation: Symantec WastedLocker June 2020)

G0088 TEMP.Veles

(Citation: FireEye TRITON 2019) (Citation: Dragos Xenotime 2018)

G0014 Night Dragon

(Citation: McAfee Night Dragon)

G0094 Kimsuky

(Citation: Netscout Stolen Pencil Dec 2018)

G0093 GALLIUM

(Citation: Microsoft GALLIUM December 2019) (Citation: Cybereason Soft Cell June 2019)

(Citation: McAfee Night Dragon)

G0074 Dragonfly 2.0

(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017)

(Citation: FoxIT Wocao December 2019)

G0016 APT29

(Citation: F-Secure The Dukes) (Citation: ESET Dukes October 2019)

G1003 Ember Bear

(Citation: CISA GRU29155 2024)

G0008 Carbanak

(Citation: Kaspersky Carbanak)

G0077 Leafminer

(Citation: Symantec Leafminer July 2018)

G0061 FIN8

(Citation: Symantec FIN8 Jul 2023)

G0117 Fox Kitten

(Citation: CISA AA20-259A Iran-Based Actor September 2020) (Citation: Check Point Pay2Key November 2020)

G0035 Dragonfly

(Citation: Symantec Dragonfly Sept 2017) (Citation: Gigamon Berserk Bear October 2021) (Citation: US-CERT TA18-074A) (Citation: Secureworks IRON LIBERTY July 2019)

G0059 Magic Hound

(Citation: FireEye APT35 2018)

G0049 OilRig

(Citation: FireEye APT34 Webinar Dec 2017)

G0086 Stolen Pencil

(Citation: Netscout Stolen Pencil Dec 2018)

G0080 Cobalt Group

(Citation: PTSecurity Cobalt Group Aug 2017) (Citation: Group IB Cobalt Aug 2017)

(Citation: ESET Dukes October 2019)

G0019 Naikon

(Citation: Baumgartner Naikon 2015)

G0028 Threat Group-1314

(Citation: Dell TG-1314)

G0045 menuPass

(Citation: FireEye APT10 April 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)

G0102 Wizard Spider

(Citation: CrowdStrike Grim Spider May 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021)

References

  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  3. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  4. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  5. Pilkington, M. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.
  6. Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
  7. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  8. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  9. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  10. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
  11. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  12. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
  13. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  14. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  15. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  16. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  17. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  18. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  19. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  20. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  21. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  22. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  23. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
  24. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  25. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  26. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  27. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  28. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  29. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  30. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  31. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  32. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  33. Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  34. Dragos, Inc. (n.d.). Xenotime. Retrieved April 16, 2019.
  35. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  36. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  37. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  38. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  39. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  40. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  41. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  42. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  43. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  44. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  45. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  46. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  47. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
  48. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
  49. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  50. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  51. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  52. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  53. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  54. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  55. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  56. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  57. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  58. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  59. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  60. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  61. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
