
AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)
ID: S0552
Type: TOOL
Platforms: Windows
Version: 1.5
Created: 28 Dec 2020
Last Modified: 25 Sep 2024

Techniques Used

Domain ID Name Use
Enterprise T1087.002 Account Discovery: Domain Account

AdFind can enumerate domain users.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Cybereason Bumblebee August 2022)(Citation: Symantec Bumblebee June 2022)

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

AdFind can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022)

Groups That Use This Software

ID Name References
G0092 TA505

(Citation: NCC Group TA505)

G0102 Wizard Spider

(Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Mandiant FIN12 Oct 2021) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020)

G0046 FIN7

(Citation: CrowdStrike Carbon Spider August 2021)

(Citation: DFIR Conti Bazar Nov 2021)

G1040 Play

(Citation: CISA Play Ransomware Advisory December 2023) (Citation: Trend Micro Ransomware Spotlight Play July 2023)

G0037 FIN6

(Citation: FireEye FIN6 Apr 2019)

G0118 UNC2452

(Citation: Microsoft Analyzing Solorigate Dec 2020)

G1024 Akira

(Citation: Arctic Wolf Akira 2023)

G1032 INC Ransom

(Citation: Secureworks GOLD IONIC April 2024)

(Citation: CrowdStrike StellarParticle January 2022) (Citation: Microsoft Analyzing Solorigate Dec 2020)

G0016 APT29

(Citation: Microsoft Analyzing Solorigate Dec 2020) (Citation: CrowdStrike StellarParticle January 2022) (Citation: ESET T3 Threat Report 2021)

G0045 menuPass

(Citation: Symantec Cicada November 2020)

References

  1. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  2. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  3. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  4. McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  5. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  6. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  7. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  8. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  9. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  10. The DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  11. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  12. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  13. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  14. Steven Campbell, Akshay Suthar, and Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
  15. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  16. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  17. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  18. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  19. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
