Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Crimson

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)
ID: S0115
Associated Software: MSIL/Crimson
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 26 Mar 2023

Associated Software Descriptions

Name Description
MSIL/Crimson (Citation: Proofpoint Operation Transparent Tribe March 2016)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Crimson can use a HTTP GET request to download its final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Crimson can add Registry run keys for persistence.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Crimson has the ability to execute commands with the COMSPEC environment variable.(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Crimson contains a module to steal credentials from Web browsers on the victim machine.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1114 .001 Email Collection: Local Email Collection

Crimson contains a command to collect and exfiltrate emails from Outlook.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Enterprise T1070 .004 Indicator Removal: File Deletion

Crimson has the ability to delete files from a compromised host.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

Enterprise T1056 .001 Input Capture: Keylogging

Crimson can use a module to perform keylogging on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Crimson contains a command to collect information about anti-virus software on the victim.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Groups That Use This Software

ID Name References
G0134 Transparent Tribe

(Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.