APT3_G0022.json
{
  "description": "Enterprise techniques used by APT3, ATT&CK group G0022 v1.0",
  "name": "APT3 (G0022)",
  "domain": "mitre-enterprise",
  "version": "3.0",
  "techniques": [
    {"score": 1, "techniqueID": "T1555.003", "techniqueName": "Credentials from Web Browsers", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has used tools to dump passwords from browsers.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1564.003", "techniqueName": "Hidden Window", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to use <code>-WindowStyle Hidden</code> to conceal [PowerShell](https://attack.mitre.org/techniques/T1086) windows.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1090.002", "techniqueName": "External Proxy", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1098", "techniqueName": "Account Manipulation", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to add created accounts to local admin groups to maintain elevated access.(Citation: aptsim)"},
    {"score": 1, "techniqueID": "T1027.002", "techniqueName": "Software Packing", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to pack their tools.(Citation: APT3 Adversary Emulation Plan)"},
    {"score": 1, "techniqueID": "T1110.002", "techniqueName": "Password Cracking", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to brute force password hashes to be able to leverage plain text credentials.(Citation: APT3 Adversary Emulation Plan)"},
    {"score": 1, "techniqueID": "T1027.005", "techniqueName": "Indicator Removal from Tools", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to remove indicators of compromise from tools.(Citation: APT3 Adversary Emulation Plan)"},
    {"score": 1, "techniqueID": "T1021.001", "techniqueName": "Remote Desktop Protocol", "comment": "[APT3](https://attack.mitre.org/groups/G0022) enables the Remote Desktop Protocol for persistence.(Citation: aptsim) [APT3](https://attack.mitre.org/groups/G0022) has also interacted with compromised systems to browse and copy files through RDP sessions.(Citation: Twitter Cglyer Status Update APT3 eml)"},
    {"score": 1, "techniqueID": "T1005", "techniqueName": "Data from Local System", "comment": "[APT3](https://attack.mitre.org/groups/G0022) will identify Microsoft Office documents on the victim's computer.(Citation: aptsim)"},
    {"score": 1, "techniqueID": "T1546.008", "techniqueName": "Accessibility Features", "comment": "[APT3](https://attack.mitre.org/groups/G0022) replaces the Sticky Keys binary <code>C:\\Windows\\System32\\sethc.exe</code> for persistence.(Citation: aptsim)"},
    {"score": 1, "techniqueID": "T1074.001", "techniqueName": "Local Data Staging", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to stage files for exfiltration in a single location.(Citation: aptsim)"},
    {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that looks for files and directories on the local file system.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)"},
    {"score": 1, "techniqueID": "T1078.002", "techniqueName": "Domain Accounts", "comment": "[APT3](https://attack.mitre.org/groups/G0022) leverages valid accounts after gaining credentials for use within the victim domain.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1105", "techniqueName": "Ingress Tool Transfer", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox)"},
    {"score": 1, "techniqueID": "T1057", "techniqueName": "Process Discovery", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can list out currently running processes.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)"},
    {"score": 1, "techniqueID": "T1018", "techniqueName": "Remote System Discovery", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can detect the existence of remote systems.(Citation: Symantec Buckeye)(Citation: FireEye Clandestine Fox)"},
    {"score": 1, "techniqueID": "T1069", "techniqueName": "Permission Groups Discovery", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can enumerate the permissions associated with Windows groups.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1543.003", "techniqueName": "Windows Service", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that creates a new service for persistence.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1049", "techniqueName": "System Network Connections Discovery", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can enumerate current network connections.(Citation: Symantec Buckeye)(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)"},
    {"score": 1, "techniqueID": "T1218.011", "techniqueName": "Rundll32", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can run DLLs.(Citation: FireEye Clandestine Fox)"},
    {"score": 1, "techniqueID": "T1041", "techniqueName": "Exfiltration Over C2 Channel", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that exfiltrates data over the C2 channel.(Citation: FireEye Clandestine Fox)"},
    {"score": 1, "techniqueID": "T1136.001", "techniqueName": "Local Account", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to create or enable accounts, such as <code>support_388945a0</code>.(Citation: aptsim)"},
    {"score": 1, "techniqueID": "T1070.004", "techniqueName": "File Deletion", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can delete files.(Citation: FireEye Clandestine Fox)"},
    {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[APT3](https://attack.mitre.org/groups/G0022) obfuscates files or information to help evade defensive measures.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1560.001", "techniqueName": "Archive via Utility", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has used tools to compress data before exfilling it.(Citation: aptsim)"},
    {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[APT3](https://attack.mitre.org/groups/G0022) uses commonly used ports (like HTTPS/443) for command and control.(Citation: evolution of pirpi)"},
    {"score": 1, "techniqueID": "T1547.001", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[APT3](https://attack.mitre.org/groups/G0022) places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1552.001", "techniqueName": "Credentials In Files", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1021.002", "techniqueName": "SMB/Windows Admin Shares", "comment": "[APT3](https://attack.mitre.org/groups/G0022) will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1082", "techniqueName": "System Information Discovery", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has a tool that can obtain information about the local system.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)"},
    {"score": 1, "techniqueID": "T1574.002", "techniqueName": "DLL Side-Loading", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has been known to side load DLLs with a valid version of Chrome with one of their tools.(Citation: FireEye Clandestine Fox)(Citation: FireEye Clandestine Fox Part 2)"},
    {"score": 1, "techniqueID": "T1087.001", "techniqueName": "Local Account", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has used a tool that can obtain info about local and global group users, power users, and administrators.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1056.001", "techniqueName": "Keylogging", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has used a keylogging tool that records keystrokes in encrypted files.(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1016", "techniqueName": "System Network Configuration Discovery", "comment": "A keylogging tool used by [APT3](https://attack.mitre.org/groups/G0022) gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)"},
    {"score": 1, "techniqueID": "T1003.001", "techniqueName": "LSASS Memory", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument \"dig.\"(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1053.005", "techniqueName": "Scheduled Task", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader creates persistence by creating the following scheduled task: <code>schtasks /create /tn \"mysc\" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru \"System\"</code>.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1065", "techniqueName": "Uncommonly Used Port", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1059.003", "techniqueName": "Windows Command Shell", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader uses the Windows command <code>\"cmd.exe\" /C whoami</code>. The group also uses a tool to execute commands on remote computers.(Citation: FireEye Operation Double Tap)(Citation: Symantec Buckeye)"},
    {"score": 1, "techniqueID": "T1104", "techniqueName": "Multi-Stage Channels", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1033", "techniqueName": "System Owner/User Discovery", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader uses the Windows command <code>\"cmd.exe\" /C whoami</code> to verify that it is running with the elevated privileges of \u201cSystem.\u201d(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1059.001", "techniqueName": "PowerShell", "comment": "[APT3](https://attack.mitre.org/groups/G0022) has used PowerShell on victim systems to download and run payloads after exploitation.(Citation: FireEye Operation Double Tap)"},
    {"score": 1, "techniqueID": "T1095", "techniqueName": "Non-Application Layer Protocol", "comment": "An [APT3](https://attack.mitre.org/groups/G0022) downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)"}
  ],
  "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by APT3", "color": "#ff6666"}]
}