TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Windows, macOS, Linux | initial-access | Spearphishing Attachment | TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
Linux, Windows, macOS | execution | Exploitation for Client Execution | TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution. | Anti-virus, System calls, Process monitoring |
Linux, Windows, macOS | execution | User Execution | TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing. | Anti-virus, Process command-line parameters, Process monitoring |
Linux, macOS, Windows | defense-evasion, execution | Scripting | TA459 has used a VBScript for execution. | Process monitoring, File monitoring, Process command-line parameters |
Windows | execution | PowerShell | TA459 has used PowerShell for execution of a payload. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |