RAG - AutoGen and ATT&CK Groups#


Import Modules#

import autogen
from dotenv import load_dotenv
import os

Define Initial Variables#

# A notebook has no __file__, so resolve the Chroma store relative to the working directory
current_directory = os.getcwd()
chroma_db = os.path.join(current_directory, "../source-knowledge/chroma_db")

Set Up API Endpoint#

# Get your key: https://platform.openai.com/account/api-keys
# Keep it in a .env file (OPENAI_API_KEY=...) that stays out of version control, not in the notebook
load_dotenv()

# Set up AutoGen config list
config_list = autogen.config_list_from_models(
    model_list=["gpt-4", "gpt-3.5-turbo"]
)

# Set up LLM Config
llm_config = {
    "request_timeout" : 600,          # seconds; long retrieved contexts make for slow completions
    "seed" : 42,                      # cache seed: identical requests are served from AutoGen's local cache
    "config_list" : config_list,
    "temperature" : 0                 # deterministic answers, easier to compare across runs
}

Construct agents for RetrieveChat#

from autogen.agentchat.contrib.retrieve_assistant_agent import RetrieveAssistantAgent
from autogen.agentchat.contrib.retrieve_user_proxy_agent import RetrieveUserProxyAgent
import chromadb

autogen.ChatCompletion.start_logging()

Create the RetrieveAssistantAgent#

assistant = RetrieveAssistantAgent(
    name="assistant", 
    system_message="You are a helpful assistant.",
    llm_config=llm_config,
)

Create the RetrieveUserProxyAgent#

ragproxyagent = RetrieveUserProxyAgent(
    name="ragproxyagent",
    human_input_mode="NEVER",           # no human in the loop; the agent retries on `UPDATE CONTEXT` by itself
    max_consecutive_auto_reply=5,       # bounds those retries so a question with no good context cannot loop forever
    retrieve_config={
        "task": "qa",
        "collection_name": "groups_collection",
        "model": config_list[0]["model"],    # used to size the token budget for retrieved chunks
        "client": chromadb.PersistentClient(path=chroma_db),
        "embedding_model": "all-mpnet-base-v2",  # Sentence-transformers model; must match the one used to build the collection
    },
)

Query ATT&CK Groups Knowledge Base#

qa_problem = "Describe the ATT&CK Group CURIUM"
ragproxyagent.initiate_chat(assistant, problem=qa_problem)
doc_ids:  [['50b52dc3-6c5f-11ee-a92e-6479f0659de9', '50b5070b-6c5f-11ee-95d5-6479f0659de9', '50b50711-6c5f-11ee-8573-6479f0659de9', '50b507a0-6c5f-11ee-a94c-6479f0659de9', '50b5075b-6c5f-11ee-8a2d-6479f0659de9', '50b52df5-6c5f-11ee-b1f9-6479f0659de9', '50b507a2-6c5f-11ee-80fb-6479f0659de9', '50b50705-6c5f-11ee-8831-6479f0659de9', '50b52dbe-6c5f-11ee-bce4-6479f0659de9', '50b507a1-6c5f-11ee-a264-6479f0659de9', '50b52dc4-6c5f-11ee-bbb2-6479f0659de9', '50b507a4-6c5f-11ee-b040-6479f0659de9', '50b52d89-6c5f-11ee-a906-6479f0659de9', '50b506cb-6c5f-11ee-a5d7-6479f0659de9', '50b50761-6c5f-11ee-9e87-6479f0659de9', '50b50762-6c5f-11ee-9ac7-6479f0659de9', '50b50707-6c5f-11ee-a422-6479f0659de9', '50b52dc2-6c5f-11ee-b170-6479f0659de9', '50b5075c-6c5f-11ee-bc89-6479f0659de9', '50b50708-6c5f-11ee-baaa-6479f0659de9']]
Adding doc_id 50b52dc3-6c5f-11ee-a92e-6479f0659de9 to context.
Adding doc_id 50b5070b-6c5f-11ee-95d5-6479f0659de9 to context.
Adding doc_id 50b50711-6c5f-11ee-8573-6479f0659de9 to context.
Adding doc_id 50b507a0-6c5f-11ee-a94c-6479f0659de9 to context.
Adding doc_id 50b5075b-6c5f-11ee-8a2d-6479f0659de9 to context.
Adding doc_id 50b52df5-6c5f-11ee-b1f9-6479f0659de9 to context.
Adding doc_id 50b507a2-6c5f-11ee-80fb-6479f0659de9 to context.
Adding doc_id 50b50705-6c5f-11ee-8831-6479f0659de9 to context.
Adding doc_id 50b52dbe-6c5f-11ee-bce4-6479f0659de9 to context.
Adding doc_id 50b507a1-6c5f-11ee-a264-6479f0659de9 to context.
Adding doc_id 50b52dc4-6c5f-11ee-bbb2-6479f0659de9 to context.
Adding doc_id 50b507a4-6c5f-11ee-b040-6479f0659de9 to context.
Adding doc_id 50b52d89-6c5f-11ee-a906-6479f0659de9 to context.
Adding doc_id 50b506cb-6c5f-11ee-a5d7-6479f0659de9 to context.
ragproxyagent (to assistant):

You're a retrieve augmented chatbot. You answer user's questions based on your own knowledge and the
context provided by the user.
If you can't answer the question with or without the current context, you should reply exactly `UPDATE CONTEXT`.
You must give as short an answer as possible.

User's question is: Describe the ATT&CK Group CURIUM

Context is: TeamTNT has modified the permissions on binaries with

TeamTNT has enumerated the host machine’s IP address.(Citation: Trend Micro TeamTNT)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1014|Rootkit|

TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.(Citation: Trend Micro TeamTNT) (Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1027.002|Software Packing|

TeamTNT has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT)|
|mitre-attack|enterprise-attack|macOS,Linux|T1059.004|Unix Shell|

TeamTNT has used shell scripts for execution.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|

TeamTNT has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071|Application Layer Protocol|

TeamTNT has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT)|
|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|

TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020)|
|mitre-attack|enterprise-attack|Windows|T1059.001|PowerShell|

TeamTNT has executed PowerShell commands in batch scripts.(Citation: ATT TeamTNT Chimaera September 2020)|
|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|
Cobalt Group has used regsvr32.exe to execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|
|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.005|Visual Basic|

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1055|Process Injection|

Cobalt Group has injected code into trusted processes.(Citation: Group IB Cobalt Aug 2017)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Containers|T1068|Exploitation for Privilege Escalation|

Cobalt Group has used exploits to increase their levels of rights and privileges.(Citation: Group IB Cobalt Aug 2017)|
|mitre-attack|enterprise-attack|Windows|T1543.003|Windows Service|

Cobalt Group has created new services to establish persistence.(Citation: Group IB Cobalt Aug 2017)|
CURIUM - G1012

Created: 2023-01-13T20:51:13.494Z

Modified: 2023-04-12T13:21:41.276Z

Contributors:

Aliases

CURIUM

Description

CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Techniques Used

|Matrix|Domain|Platform|Technique ID|Technique Name|Use|
| :---| :---| :---| :---| :---| :---|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|CURIUM has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|CURIUM has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|CURIUM has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|
|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|CURIUM has established a network of fictitious social media accounts, including on Facebook and LinkedIn, to establish relationships with victims, often posing as an attractive woman.(Citation: Microsoft Iranian Threat Actor Trends November 2021)|
Lazarus Group - G0032

Created: 2017-05-31T21:32:03.807Z

Modified: 2023-03-30T19:01:41.451Z

Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet,Dragos  Threat  Intelligence

Aliases

Lazarus Group,Labyrinth Chollima,HIDDEN COBRA,Guardians of Peace,ZINC,NICKEL ACADEMY

Description

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.

Techniques Used

Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT January 2022)|
|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1036.004|Masquerade Task or Service|

Lazarus Group has used a scheduled task named

Lazarus Group has restored malicious

KernelCallbackTable code to its original state after the process execution flow has been hijacked.(Citation: Lazarus APT January 2022)|
|mitre-attack|enterprise-attack,ics-attack|macOS,Linux,Windows|T1620|Reflective Code Loading|

Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via

KernelCallbackTable hijacking.
GALLIUM - G0093

Created: 2019-07-18T20:47:50.050Z

Modified: 2022-08-12T21:26:22.303Z

Contributors: Daniyal Naeem, BT Security,Cybereason Nocturnus, @nocturnus

Aliases

GALLIUM,Operation Soft Cell

Description

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

Techniques Used

GALLIUM has used Taiwan-based servers that appear to be exclusive to

GALLIUM.(Citation: Microsoft GALLIUM December 2019)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1570|Lateral Tool Transfer|

GALLIUM has used

PsExec to move laterally between hosts in the target network.(Citation: Microsoft GALLIUM December 2019)|
|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.(Citation: Microsoft GALLIUM December 2019)|
|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.(Citation: Microsoft GALLIUM December 2019)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1041|Exfiltration Over C2 Channel|

GALLIUM used Web shells and
Winnti Group - G0044

Created: 2017-05-31T21:32:08.682Z

Modified: 2023-03-20T22:02:53.982Z

Contributors: Edward Millington

Aliases

Winnti Group,Blackfly

Description

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)

Techniques Used

Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.(Citation: Kaspersky Winnti April 2013)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.(Citation: Kaspersky Winnti April 2013)|
|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|

Winnti Group has registered domains for C2 that mimicked sites of their intended targets.(Citation: Kaspersky Winnti April 2013)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1014|Rootkit|

Winnti Group used a rootkit to modify typical server functionality.(Citation: Kaspersky Winnti April 2013)|
|mitre-attack|enterprise-attack|macOS,Windows|T1553.002|Code Signing|

Winnti Group used stolen certificates to sign its malware.(Citation: Kaspersky Winnti April 2013)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1057|Process Discovery|
Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|

Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1584.004|Server|

Lazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1591|Gather Victim Org Information|

Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.002|Email Accounts|

Lazarus Group has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|

Lazarus Group has obtained a variety of tools for their operations, including

Responder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|

Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.011|Rundll32|

Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021)|
|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|
Cobalt Group - G0080

Created: 2018-10-17T00:14:20.652Z

Modified: 2023-03-22T03:28:29.415Z

Contributors:

Aliases

Cobalt Group,GOLD KINGSWOOD,Cobalt Gang,Cobalt Spider

Description

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.(Citation: Europol Cobalt Mar 2018)

Techniques Used

Cobalt Group has obtained and used a variety of tools including

Mimikatz,

PsExec,

Cobalt Strike, and

SDelete.(Citation: PTSecurity Cobalt Dec 2016)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|

Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. (Citation: Crowdstrike GTR2020 Mar 2020)|
|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|
TeamTNT - G0139

Created: 2021-10-01T01:57:31.229Z

Modified: 2022-10-19T21:35:03.147Z

Contributors: Will Thomas, Cyjax,Darin Smith, Cisco

Aliases

TeamTNT

Description

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

Techniques Used

TeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT)|
|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1569|System Services|

TeamTNT has created system services to execute cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|

TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1083|File and Directory Discovery|

TeamTNT has used a script that checks

TeamTNT has sent locally staged files with collected credentials to C2 servers using cURL.(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1074.001|Local Data Staging|
Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via

KernelCallbackTable hijacking.

Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|
|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1140|Deobfuscate/Decode Files or Information|

Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1104|Multi-Stage Channels|

Lazarus Group has used multi-stage malware components that inject later stages into separate processes.(Citation: Lazarus APT January 2022)|
|mitre-attack|enterprise-attack,ics-attack|Windows,Linux,macOS|T1218|System Binary Proxy Execution|

Lazarus Group lnk files used for persistence have abused the Windows Update Client (

Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.005|Mshta|

Lazarus Group has used

Lazarus Group persistence mechanisms have used

Lazarus Group has renamed system utilities such as

Lazarus Group has replaced

Lazarus Group has abused the

Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.(Citation: Kaspersky ThreatNeedle Feb 2021) |
|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.001|Social Media Accounts|
TeamTNT has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020)|
|mitre-attack|enterprise-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace|T1518.001|Security Software Discovery|

TeamTNT has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Network|T1082|System Information Discovery|

TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Windows,macOS,Linux,Containers,IaaS|T1562.001|Disable or Modify Tools|

TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1070.004|File Deletion|

TeamTNT has used a payload that removes itself after running.

TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Linux,macOS,IaaS,Network|T1098.004|SSH Authorized Keys|

TeamTNT has added RSA keys in

TeamTNT has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)|
|mitre-attack|enterprise-attack|Linux,macOS|T1070.002|Clear Linux or Mac System Logs|

TeamTNT has removed system logs from

TeamTNT has disabled
Lazarus Group has used the Windows API

Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and

Process Injection.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS|T1021.004|SSH|

Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Containers|T1036.005|Match Legitimate Name or Location|

Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)(Citation: Qualys LolZarus)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.006|Web Services|

Lazarus Group has hosted malicious downloads on Github.(Citation: CISA AppleJeus Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.004|Digital Certificates|

Lazarus Group has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1587.001|Malware|

Lazarus Group has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|

Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1571|Non-Standard Port|Some
Rocke has distributed cryptomining malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|
|mitre-attack|enterprise-attack|Windows,IaaS,Network,Linux,macOS,Containers|T1190|Exploit Public-Facing Application|

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|

Rocke used malware to download additional malicious files to the target system.(Citation: Talos Rocke August 2018) |
|mitre-attack|enterprise-attack|macOS,Linux|T1059.004|Unix Shell|

Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.(Citation: Talos Rocke August 2018) |
|mitre-attack|enterprise-attack|Linux,macOS|T1053.003|Cron|

Rocke installed a cron job that downloaded and executed files from the C2.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1071.001|Web Protocols|

Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019)|
|mitre-attack|enterprise-attack|Windows,IaaS,Linux,macOS,Containers,Network|T1046|Network Service Discovery|

Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.(Citation: Talos Rocke August 2018)(Citation: Anomali Rocke March 2019)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1562.004|Disable or Modify System Firewall|
APT38 - G0082

Created: 2019-01-29T21:27:24.793Z

Modified: 2022-01-18T17:13:14.610Z

Contributors:

Aliases

APT38,NICKEL GLADSTONE,BeagleBoyz,Bluenoroff,Stardust Chollima

Description

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Techniques Used

APT38 has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|

APT38 has obtained and used open-source tools such as

Mimikatz.(Citation: ESET Lazarus KillDisk April 2018)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1070.006|Timestomp|
--------------------------------------------------------------------------------
assistant (to ragproxyagent):

CURIUM is an Iranian threat group first reported in November 2021. They build relationships with potential targets via social media over months to establish trust before sending malware. They have demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to lower their security consciousness. They have used techniques such as exfiltrating data from a compromised machine, using social media to deliver malicious files to victims, and luring users into opening malicious files delivered via social media.

--------------------------------------------------------------------------------
# Reset the assistant before each new question: reset() clears its chat history,
# so the CURIUM context above does not leak into the next answer.
assistant.reset()

qa_problem = "List the most used Phishing techniques across all threat actors"
ragproxyagent.initiate_chat(assistant, problem=qa_problem)
doc_ids:  [['50b507ca-6c5f-11ee-9f30-6479f0659de9', '50b50778-6c5f-11ee-b752-6479f0659de9', '50b506f1-6c5f-11ee-909b-6479f0659de9', '50b5073b-6c5f-11ee-a971-6479f0659de9', '50b50779-6c5f-11ee-a428-6479f0659de9', '50b507a2-6c5f-11ee-80fb-6479f0659de9', '50b52dbc-6c5f-11ee-ab0e-6479f0659de9', '50b52d94-6c5f-11ee-a52f-6479f0659de9', '50b50743-6c5f-11ee-aaa3-6479f0659de9', '50b5074b-6c5f-11ee-b4b7-6479f0659de9', '50b52dcd-6c5f-11ee-84e2-6479f0659de9', '50b52dfd-6c5f-11ee-a5d4-6479f0659de9', '50b506fb-6c5f-11ee-9003-6479f0659de9', '50b50734-6c5f-11ee-bfff-6479f0659de9', '50b507cb-6c5f-11ee-a84c-6479f0659de9', '50b50738-6c5f-11ee-81b0-6479f0659de9', '50b50736-6c5f-11ee-8d9b-6479f0659de9', '50b50742-6c5f-11ee-bf76-6479f0659de9', '50b507e3-6c5f-11ee-bba3-6479f0659de9', '50b52d90-6c5f-11ee-8013-6479f0659de9']]
Adding doc_id 50b507ca-6c5f-11ee-9f30-6479f0659de9 to context.
Adding doc_id 50b50778-6c5f-11ee-b752-6479f0659de9 to context.
Adding doc_id 50b506f1-6c5f-11ee-909b-6479f0659de9 to context.
Adding doc_id 50b5073b-6c5f-11ee-a971-6479f0659de9 to context.
Adding doc_id 50b50779-6c5f-11ee-a428-6479f0659de9 to context.
Adding doc_id 50b507a2-6c5f-11ee-80fb-6479f0659de9 to context.
Adding doc_id 50b52dbc-6c5f-11ee-ab0e-6479f0659de9 to context.
Adding doc_id 50b52d94-6c5f-11ee-a52f-6479f0659de9 to context.
Adding doc_id 50b50743-6c5f-11ee-aaa3-6479f0659de9 to context.
Adding doc_id 50b5074b-6c5f-11ee-b4b7-6479f0659de9 to context.
Adding doc_id 50b52dcd-6c5f-11ee-84e2-6479f0659de9 to context.
Adding doc_id 50b52dfd-6c5f-11ee-a5d4-6479f0659de9 to context.
Adding doc_id 50b506fb-6c5f-11ee-9003-6479f0659de9 to context.
Adding doc_id 50b50734-6c5f-11ee-bfff-6479f0659de9 to context.
ragproxyagent (to assistant):

You're a retrieve augmented chatbot. You answer user's questions based on your own knowledge and the
context provided by the user.
If you can't answer the question with or without the current context, you should reply exactly `UPDATE CONTEXT`.
You must give as short an answer as possible.

User's question is: List the most used Phishing techniques across all threat actors

Context is: Magic Hound has attempted to lure victims into opening malicious email attachments.(Citation: ClearSky Kittens Back 3 August 2020)|
|mitre-attack|enterprise-attack|PRE|T1585.001|Social Media Accounts|

Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.(Citation: ClearSky Kittens Back 3 August 2020)|
|mitre-attack|enterprise-attack|PRE|T1584.001|Domains|

Magic Hound has used compromised domains to host links targeted to specific phishing victims.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 July2021)(Citation: Certfa Charming Kitten January 2021)(Citation: Google Iran Threats October 2021)|
|mitre-attack|enterprise-attack|PRE|T1583.001|Domains|

Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.(Citation: Certfa Charming Kitten January 2021)|
|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|

Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.(Citation: Certfa Charming Kitten January 2021)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Google Iran Threats October 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)|
|mitre-attack|enterprise-attack|Windows,Office 365,Google Workspace,macOS,Linux|T1114|Email Collection|

Magic Hound has compromised email credentials in order to steal sensitive data.(Citation: Certfa Charming Kitten January 2021)|
|mitre-attack|enterprise-attack|PRE|T1586.002|Email Accounts|
HEXANE has identified specific potential victims at targeted organizations.(Citation: ClearSky Siamesekitten August 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1591.004|Identify Roles|

HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1583.001|Domains|

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|

HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021)
|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.001|Remote Desktop Protocol|

HEXANE has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019)|
|mitre-attack|enterprise-attack,ics-attack|macOS,Windows,Linux|T1010|Application Window Discovery|

HEXANE has used a PowerShell-based keylogging tool to capture the window title.(Citation: SecureWorks August 2019)|
|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux,Network|T1056.001|Keylogging|

HEXANE has used a PowerShell-based keylogger named

HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.(Citation: SecureWorks August 2019)(Citation: Kaspersky APT Trends Q1 April 2021)(Citation: Kaspersky Lyceum October 2021)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|
BlackTech has used built-in API functions.(Citation: IronNet BlackTech Oct 2021)|
|mitre-attack|enterprise-attack|Linux,macOS|T1021.004|SSH|

BlackTech has used Putty for remote access.(Citation: Symantec Palmerworm Sep 2020)|
|mitre-attack|enterprise-attack|Windows|T1574.002|DLL Side-Loading|

BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.(Citation: Trend Micro Waterbear December 2019) |
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|

BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|

BlackTech has used e-mails with malicious documents to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)   |
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|

BlackTech has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)     |
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1036.002|Right-to-Left Override|
FIN4 - G0085

Created: 2019-01-31T02:01:45.129Z

Modified: 2023-02-01T21:27:44.778Z

Contributors:

Aliases

FIN4

Description

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)

Techniques Used

FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|
|mitre-attack|enterprise-attack|Windows,Office 365,Linux,macOS,Google Workspace|T1564.008|Email Hiding Rules|

FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as “hacked," "phish," and “malware" in a likely attempt to prevent organizations from communicating about their activities.(Citation: FireEye Hacking FIN4 Dec 2014)|
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|

FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|
HEXANE has relied on victim's executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)(Citation: Zscaler Lyceum DnsSystem June 2022)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1586.002|Email Accounts|

HEXANE has used compromised accounts to send spearphishing emails.(Citation: SecureWorks August 2019)|
|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers,Network|T1110|Brute Force|

HEXANE has used brute force attacks to compromise valid credentials.(Citation: SecureWorks August 2019)|
|mitre-attack|enterprise-attack,ics-attack|Windows,Azure AD,Office 365,SaaS,IaaS,Linux,macOS,Google Workspace,Containers|T1110.003|Password Spraying|

HEXANE has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019)|
Lazarus Group has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|

Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1584.004|Server|

Lazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1591|Gather Victim Org Information|

Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1585.002|Email Accounts|

Lazarus Group has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1588.002|Tool|

Lazarus Group has obtained a variety of tools for their operations, including

Responder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|PRE|T1589.002|Email Addresses|

Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1218.011|Rundll32|

Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021)|
|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|
TA551 - G0127

Created: 2021-03-19T21:04:00.692Z

Modified: 2023-03-22T05:40:21.255Z

Contributors: Shuhei Sasada, Cyber Defense Institute, Inc,Ryo Tamura, SecureBrain Corporation,Shotaro Hamamoto, NEC Solution Innovators, Ltd,Yusuke Niwa, ITOCHU Corporation,Takuma Matsumoto, LAC Co., Ltd

Aliases

TA551,GOLD CABIN,Shathak

Description

TA551 is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)

Techniques Used

TA551 has used mshta.exe to execute malicious payloads.(Citation: Unit 42 TA551 Jan 2021)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|

TA551 has prompted users to enable macros within spearphishing attachments to install malware.(Citation: Unit 42 TA551 Jan 2021)|
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|

TA551 has sent spearphishing attachments with password protected ZIP files.(Citation: Unit 42 Valak July 2020)(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)|
|mitre-attack|enterprise-attack|Windows|T1059.003|Windows Command Shell|

TA551 has used

TA551 has used a DGA to generate URLs from executed macros.(Citation: Unit 42 TA551 Jan 2021)(Citation: Secureworks GOLD CABIN)|
|mitre-attack|enterprise-attack|PRE|T1589.002|Email Addresses|
Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|
|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|

Sandworm Team has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|
|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Linux,macOS,Windows|T1204.001|Malicious Link|

Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|
|mitre-attack|ics-attack,enterprise-attack,mobile-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|

Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|
|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1585.002|Email Accounts|

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|
|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1585.001|Social Media Accounts|

Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)|
|mitre-attack|ics-attack,enterprise-attack,mobile-attack|PRE|T1587.001|Malware|

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as
FIN6 has deployed a utility script named

FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges.(Citation: FireEye FIN6 Apr 2019)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,Azure AD,Network|T1110.002|Password Cracking|

FIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|

FIN6 has used Metasploit’s

PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |
|mitre-attack|enterprise-attack,ics-attack|Windows,IaaS,Linux,macOS|T1074.002|Remote Data Staging|

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.(Citation: FireEye FIN6 April 2016)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligence More Eggs Aug 2019)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1047|Windows Management Instrumentation|

FIN6 has used WMI to automate the remote execution of PowerShell scripts.(Citation: Security Intelligence More Eggs Aug 2019)  |
|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|

FIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019)    |
|mitre-attack|enterprise-attack,ics-attack|Windows|T1569.002|Service Execution|
FIN7 used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1571|Non-Standard Port|

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.(Citation: FireEye FIN7 Aug 2018)|
|mitre-attack|enterprise-attack,ics-attack|Windows,macOS,Linux|T1059.005|Visual Basic|

FIN7 used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: CrowdStrike Carbon Spider August 2021)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1059.003|Windows Command Shell|

FIN7 used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019) |
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1497.002|User Activity Based Checks|

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.(Citation: FireEye FIN7 April 2017)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.002|Malicious File|

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.(Citation: FireEye FIN7 April 2017)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)|
|mitre-attack|enterprise-attack,ics-attack|macOS,Windows|T1553.002|Code Signing|

FIN7 has signed

Carbanak payloads with legally purchased code signing certificates.
Threat Group-3390 has used

Threat Group-3390 has packed malware and tools, including using VMProtect.(Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021)|
|mitre-attack|enterprise-attack|PRE|T1608.001|Upload Malware|

Threat Group-3390 has hosted malicious payloads on Dropbox.(Citation: Trend Micro DRBControl February 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1567.002|Exfiltration to Cloud Storage|

Threat Group-3390 has exfiltrated stolen data to Dropbox.(Citation: Trend Micro DRBControl February 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1195.002|Compromise Software Supply Chain|

Threat Group-3390 has compromised the Able Desktop installer to gain access to victim's environments.(Citation: Trend Micro Iron Tiger April 2021)|
|mitre-attack|enterprise-attack|Windows,SaaS,IaaS,Linux,macOS,Office 365|T1199|Trusted Relationship|

Threat Group-3390 has compromised third party service providers to gain access to victim's environments.(Citation: Profero APT27 December 2020)|
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|

Threat Group-3390 has used e-mail to deliver malicious attachments to victims.(Citation: Trend Micro DRBControl February 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.002|Malicious File|

Threat Group-3390 has lured victims into opening malicious files containing malware.(Citation: Trend Micro DRBControl February 2020)|
|mitre-attack|enterprise-attack|PRE|T1588.002|Tool|

Threat Group-3390 has obtained and used tools such as

Impacket,

pwdump,

Mimikatz,

gsecdump,

NBTscan, and
Wizard Spider has used the “net view” command to locate mapped network shares.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1021.006|Windows Remote Management|

Wizard Spider has used Window Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1558.003|Kerberoasting|

Wizard Spider has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.(Citation: DFIR Ryuk's Return October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1204.001|Malicious Link|

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.(Citation: FireEye KEGTAP SINGLEMALT October 2020)|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1055.001|Dynamic-link Library Injection|
BRONZE BUTLER has used PowerShell for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Network|T1005|Data from Local System|

BRONZE BUTLER has exfiltrated files stolen from local systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1105|Ingress Tool Transfer|

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).(Citation: Secureworks BRONZE BUTLER Oct 2017)|
|mitre-attack|enterprise-attack|Windows|T1003.001|LSASS Memory|

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.(Citation: Secureworks BRONZE BUTLER Oct 2017)|
|mitre-attack|enterprise-attack|Windows|T1547.001|Registry Run Keys / Startup Folder|

BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.(Citation: Secureworks BRONZE BUTLER Oct 2017)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1113|Screen Capture|

BRONZE BUTLER has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)|
Evilnum has deleted files used during infection.(Citation: ESET EvilNum July 2020)|
|mitre-attack|enterprise-attack|Windows,macOS,Linux|T1059.007|JavaScript|

Evilnum has used malicious JavaScript files on the victim's machine.(Citation: ESET EvilNum July 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1555|Credentials from Password Stores|

Evilnum can collect email credentials from victims.(Citation: ESET EvilNum July 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows|T1204.001|Malicious Link|

Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.(Citation: ESET EvilNum July 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|

Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.(Citation: ESET EvilNum July 2020)|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1539|Steal Web Session Cookie|

Evilnum can steal cookies and session information from browsers.(Citation: ESET EvilNum July 2020)|
--------------------------------------------------------------------------------
assistant (to ragproxyagent):

The most used phishing techniques across all threat actors include:

1. Luring victims into opening malicious email attachments.
2. Creating fake social media accounts to contact targets and convince them to open malicious links.
3. Using compromised domains to host phishing links.
4. Registering fraudulent domains to target specific victims.
5. Using SMS and email messages with links designed to steal credentials or track victims.
6. Compromising email credentials to steal sensitive data.
7. Identifying specific potential victims at targeted organizations.
8. Using spearphishing emails with malicious attachments or links.
9. Using social engineering via social media platforms for spearphishing.
10. Compromising servers to stage malicious tools.
11. Using malicious payloads hosted on cloud storage.
12. Compromising software supply chain to gain access to victim's environments.
13. Using malicious links delivered through spearphishing.
14. Stealing credentials from password stores.
15. Stealing web session cookies from browsers.

--------------------------------------------------------------------------------
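The assistant's ranking above is the model's own summary of the retrieved chunks rather than a count, and it mixes in non-phishing techniques. As an added example (not part of the original notebook), the script below parses the flattened-row format of those chunks and tallies the Phishing (T1566.*) and Phishing for Information (T1598.*) technique IDs deterministically, so the answer can be checked against the context; the group-name heuristic (`GROUP_RE`) and the embedded sample, copied from the context above with shortened descriptions, are my assumptions.

```python
"""Deterministic tally of phishing technique IDs in retrieved ATT&CK context chunks.

Each record is a flattened table row: a metadata line
    |mitre-attack|<domains>|<platforms>|<technique id>|<technique name>|
followed, after a blank line, by the procedure description, terminated by '|'.
A description before the first metadata line belongs to a record whose metadata
fell into an earlier chunk, so it is skipped rather than mis-attributed.
"""
import re
from collections import Counter, defaultdict

META_RE = re.compile(
    r"^\|mitre-attack\|([^|]*)\|([^|]*)\|(T\d{4}(?:\.\d{3})?)\|([^|]*)\|\s*$"
)
# Phishing (T1566.*) and Phishing for Information (T1598.*) technique families.
PHISHING_PREFIXES = ("T1566", "T1598")
# Heuristic (assumption): the group name is the sentence subject up to its first verb.
GROUP_RE = re.compile(r"^(.+?)\s+(?:has|have|can|used|lured|collected|actors)\b")

# Constructed sample: records copied from the context above, descriptions shortened.
SAMPLE_CONTEXT = """\
Magic Hound has attempted to lure victims into opening malicious email attachments.|
|mitre-attack|enterprise-attack|PRE|T1598.003|Spearphishing Link|

Magic Hound has used SMS and email messages with links designed to steal credentials.|
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|

BlackTech has used spearphishing e-mails with malicious password-protected archives.|
|mitre-attack|enterprise-attack|Linux,macOS,Windows,Office 365,SaaS,Google Workspace|T1566.002|Spearphishing Link|

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.|
|mitre-attack|enterprise-attack|macOS,Windows,Linux|T1566.001|Spearphishing Attachment|

FIN4 has used spearphishing emails containing attachments with embedded malicious macros.|
|mitre-attack|enterprise-attack,ics-attack|Linux,macOS,Windows|T1566.003|Spearphishing via Service|

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.|
|mitre-attack|enterprise-attack,ics-attack|Windows|T1003.003|NTDS|

Wizard Spider has gained access to credentials via exported copies of ntds.dit.|
"""

def parse_records(text):
    """Pair each metadata line with the description lines that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            current = {"domains": m.group(1), "platforms": m.group(2),
                       "id": m.group(3), "name": m.group(4), "description": ""}
            records.append(current)
        elif current is not None and line.strip():
            # Descriptions may span lines (cut-off chunks included); join them
            # and drop the '|' row terminator.
            current["description"] = (current["description"] + " "
                                      + line.strip().rstrip("|")).strip()
    return records

def group_of(description):
    m = GROUP_RE.match(description)
    return m.group(1) if m else None

def most_used(text):
    """Rank phishing technique IDs by record count; also list the groups seen."""
    counts, names, groups = Counter(), {}, defaultdict(set)
    for r in parse_records(text):
        if not r["id"].startswith(PHISHING_PREFIXES):
            continue  # e.g. T1003.003 NTDS is credential access, not phishing
        counts[r["id"]] += 1
        names[r["id"]] = r["name"]
        g = group_of(r["description"])
        if g:
            groups[r["id"]].add(g)
    ranked = sorted(counts, key=lambda tid: (-counts[tid], tid))
    return [(tid, names[tid], counts[tid], sorted(groups[tid])) for tid in ranked]
```

Running `most_used` over the full context printed above (instead of the sample) gives the count-based answer to the user's question, which can then be compared with the model's list.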