Ke3chang_G0004.json
{
  "description": "Enterprise techniques used by Ke3chang, ATT&CK group G0004 v1.0",
  "name": "Ke3chang (G0004)",
  "domain": "mitre-enterprise",
  "version": "3.0",
  "techniques": [
    {"score": 1, "techniqueID": "T1003.004", "techniqueName": "LSA Secrets", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using gsecdump.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1003.002", "techniqueName": "Security Account Manager", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using gsecdump.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1087.001", "techniqueName": "Local Account", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <code>net group \"REDACTED\" /domain</code> on specific permissions groups.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1071.004", "techniqueName": "DNS", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) malware RoyalDNS has used DNS for C2.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1036.002", "techniqueName": "Right-to-Left Override", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1114.002", "techniqueName": "Remote Email Collection", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) used a .NET tool to dump data from Microsoft Exchange mailboxes.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1018", "techniqueName": "Remote System Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used network scanning and enumeration tools, including [Ping](https://attack.mitre.org/software/S0097).(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1558.001", "techniqueName": "Golden Ticket", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used [Mimikatz](https://attack.mitre.org/software/S0002) to generate Kerberos golden tickets.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1133", "techniqueName": "External Remote Services", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1543.003", "techniqueName": "Windows Service", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) backdoor RoyalDNS established persistence through adding a service called <code>Nwsapagent</code>.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1213.002", "techniqueName": "Sharepoint", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) used a SharePoint enumeration and data dumping tool known as spwebmember.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1569.002", "techniqueName": "Service Execution", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used a tool known as RemoteExec (similar to [PsExec](https://attack.mitre.org/software/S0029)) to remotely execute batch scripts and binaries.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1547.001", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "Several [Ke3chang](https://attack.mitre.org/groups/G0004) backdoors achieved persistence by adding a Run key.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1059.003", "techniqueName": "Windows Command Shell", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1071.001", "techniqueName": "Web Protocols", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1056.001", "techniqueName": "Keylogging", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has used keyloggers.(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1005", "techniqueName": "Data from Local System", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) gathered information and files from local directories for exfiltration.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1021.002", "techniqueName": "SMB/Windows Admin Shares", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) actors have been known to copy files to the network shares of other computers to move laterally.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1087.002", "techniqueName": "Domain Account", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs account discovery using commands such as <code>net localgroup administrators</code> and <code>net group \"REDACTED\" /domain</code> on specific permissions groups.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1007", "techniqueName": "System Service Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs service discovery using <code>net start</code> commands.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1560.001", "techniqueName": "Archive via Utility", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) is known to use RAR with passwords to encrypt data prior to exfiltration.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1069.002", "techniqueName": "Domain Groups", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs discovery of permission groups <code>net group /domain</code>.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1016", "techniqueName": "System Network Configuration Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs local network configuration discovery using <code>ipconfig</code>.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1083", "techniqueName": "File and Directory Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) uses command-line interaction to search files and directories.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1003.001", "techniqueName": "LSASS Memory", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1082", "techniqueName": "System Information Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs operating system information discovery using <code>systeminfo</code>.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1057", "techniqueName": "Process Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs process discovery using <code>tasklist</code> commands.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1041", "techniqueName": "Exfiltration Over C2 Channel", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1049", "techniqueName": "System Network Connections Discovery", "comment": "[Ke3chang](https://attack.mitre.org/groups/G0004) performs local network connection discovery using <code>netstat</code>.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"},
    {"score": 1, "techniqueID": "T1560", "techniqueName": "Archive Collected Data", "comment": "The [Ke3chang](https://attack.mitre.org/groups/G0004) group has been known to compress data before exfiltration.(Citation: Villeneuve et al 2014)"},
    {"score": 1, "techniqueID": "T1059", "techniqueName": "Command and Scripting Interpreter", "comment": "Malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) can run commands on the command-line interface.(Citation: Villeneuve et al 2014)(Citation: NCC Group APT15 Alive and Strong)"}
  ],
  "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Ke3chang", "color": "#ff6666"}]
}