{"description": "Enterprise techniques used by Ke3chang, ATT&CK group G0004 v1.0", "name": "Ke3chang (G0004)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1036", "techniqueName": "Masquerading", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files."}, {"score": 1, "techniqueID": "T1097", "techniqueName": "Pass the Ticket", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used [Mimikatz](https://attack.mitre.org/software/S0002) to generate Kerberos golden tickets."}, {"score": 1, "techniqueID": "T1133", "techniqueName": "External Remote Services", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host."}, {"score": 1, "techniqueID": "T1060", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "Several [Ke3chang](https://attack.mitre.org/groups/G0004) backdoors achieved persistence by adding a Run key."}, {"score": 1, "techniqueID": "T1114", "techniqueName": "Email Collection", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) used a .NET tool to dump data from Microsoft Exchange mailboxes."}, {"score": 1, "techniqueID": "T1213", "techniqueName": "Data from Information Repositories", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) used a SharePoint enumeration and data dumping tool known as spwebmember."}, {"score": 1, "techniqueID": "T1018", "techniqueName": "Remote System Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used network scanning and enumeration tools, including [Ping](https://attack.mitre.org/software/S0097)."}, {"score": 1, "techniqueID": "T1071", "techniqueName": "Standard Application Layer Protocol", "comment": 
"[Ke3chang](https://attack.mitre.org/groups/G0004) malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, [Ke3chang](https://attack.mitre.org/groups/G0004) malware RoyalDNS has used DNS for C2."}, {"score": 1, "techniqueID": "T1050", "techniqueName": "New Service", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) backdoor RoyalDNS established persistence through adding a service called <code>Nwsapagent</code>."}, {"score": 1, "techniqueID": "T1056", "techniqueName": "Input Capture", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used keyloggers."}, {"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used batch scripts in its malware to install persistence mechanisms."}, {"score": 1, "techniqueID": "T1035", "techniqueName": "Service Execution", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used a tool known as RemoteExec (similar to [PsExec](https://attack.mitre.org/software/S0029)) to remotely execute batch scripts and binaries."}, {"score": 1, "techniqueID": "T1005", "techniqueName": "Data from Local System", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) gathered information and files from local directories for exfiltration."}, {"score": 1, "techniqueID": "T1087", "techniqueName": "Account Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <code>net group \"REDACTED\" /domain</code> on specific permissions groups."}, {"score": 1, "techniqueID": "T1077", "techniqueName": "Windows Admin Shares", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) actors have been known to copy files to the network shares of other computers to move laterally."}, {"score": 1, "techniqueID": "T1082", 
"techniqueName": "System Information Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs operating system information discovery using <code>systeminfo</code>."}, {"score": 1, "techniqueID": "T1007", "techniqueName": "System Service Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs service discovery using <code>net start</code> commands."}, {"score": 1, "techniqueID": "T1022", "techniqueName": "Data Encrypted", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) is known to use RAR with passwords to encrypt data prior to exfiltration."}, {"score": 1, "techniqueID": "T1069", "techniqueName": "Permission Groups Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs discovery of permission groups using <code>net group /domain</code>."}, {"score": 1, "techniqueID": "T1016", "techniqueName": "System Network Configuration Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs local network configuration discovery using <code>ipconfig</code>."}, {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) uses command-line interaction to search files and directories."}, {"score": 1, "techniqueID": "T1003", "techniqueName": "Credential Dumping", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using [Mimikatz](https://attack.mitre.org/software/S0002)."}, {"score": 1, "techniqueID": "T1057", "techniqueName": "Process Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs process discovery using <code>tasklist</code> commands."}, {"score": 1, "techniqueID": "T1041", "techniqueName": "Exfiltration Over Command and Control Channel", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations."}, {"score": 1, "techniqueID": "T1002", "techniqueName": "Data Compressed", "comment": "The [Ke3chang](https://attack.mitre.org/groups/G0004) group has been known to compress data before exfiltration."}, {"score": 1, "techniqueID": "T1049", "techniqueName": "System Network Connections Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs local network connection discovery using <code>netstat</code>."}, {"score": 1, "techniqueID": "T1059", "techniqueName": "Command-Line Interface", "comment": "Malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) can run commands on the command-line interface."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Ke3chang", "color": "#ff6666"}]}