Deep Panda_G0009.json
{"description": "Enterprise techniques used by Deep Panda, ATT&CK group G0009 v1.0", "name": "Deep Panda (G0009)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1143", "techniqueName": "Hidden Window", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has used <code>-w hidden</code> to conceal [PowerShell](https://attack.mitre.org/techniques/T1086) windows by setting the WindowStyle parameter to hidden."}, {"score": 1, "techniqueID": "T1018", "techniqueName": "Remote System Discovery", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has used ping to identify other machines of interest."}, {"score": 1, "techniqueID": "T1015", "techniqueName": "Accessibility Features", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions."}, {"score": 1, "techniqueID": "T1117", "techniqueName": "Regsvr32", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has used regsvr32.exe to execute a server variant of [Derusbi](https://attack.mitre.org/software/S0021) in victim networks."}, {"score": 1, "techniqueID": "T1047", "techniqueName": "Windows Management Instrumentation", "comment": "The [Deep Panda](https://attack.mitre.org/groups/G0009) group is known to utilize WMI for lateral movement."}, {"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has used PowerShell scripts to download and execute programs in memory, without writing to disk."}, {"score": 1, "techniqueID": "T1077", "techniqueName": "Windows Admin Shares", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) uses net.exe to connect to network shares using <code>net use</code> commands with compromised credentials."}, {"score": 1, "techniqueID": "T1066", "techniqueName": "Indicator Removal from Tools", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has updated and modified its malware, resulting in different hash values that evade detection."}, {"score": 1, "techniqueID": "T1086", "techniqueName": "PowerShell", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) has used PowerShell scripts to download and execute programs in memory, without writing to disk."}, {"score": 1, "techniqueID": "T1100", "techniqueName": "Web Shell", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) uses Web shells on publicly accessible Web servers to access victim networks."}, {"score": 1, "techniqueID": "T1057", "techniqueName": "Process Discovery", "comment": "[Deep Panda](https://attack.mitre.org/groups/G0009) uses the Microsoft [Tasklist](https://attack.mitre.org/software/S0057) utility to list processes running on systems."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Deep Panda", "color": "#ff6666"}]}