Milan
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| James | (Citation: Accenture Lyceum Targets November 2021) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Milan has run `C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1` to discover local accounts.(Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Milan can use HTTPS for communication with C2.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021) |
| .004 | Application Layer Protocol: DNS |
Milan has the ability to use DNS for C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021) |
||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Milan can use `cmd.exe` for discovery actions on a targeted system.(Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
Milan can use hardcoded domains as an input for domain generation algorithms.(Citation: Accenture Lyceum Targets November 2021) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Milan can delete files via `C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`.(Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1559 | .001 | Inter-Process Communication: Component Object Model |
Milan can use a COM component to generate scheduled tasks.(Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1036 | .007 | Masquerading: Double File Extension |
Milan has used an executable named `companycatalog.exe.config` to appear benign.(Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Milan can establish persistence on a targeted host with scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G1001 | HEXANE |
(Citation: Accenture Lyceum Targets November 2021) (Citation: Kaspersky Lyceum October 2021) |
References
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.