| Name | Description |
|---|---|
| APT15 | |
| Mirage | |
| Vixen Panda | |
| GREF | |
| Playful Dragon | |
| RoyalAPT | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | Ke3chang performs account discovery using commands such as |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Ke3chang performs account discovery using commands such as |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[2] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1560 | Archive Collected Data | The Ke3chang group has been known to compress data before exfiltration.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Several Ke3chang backdoors achieved persistence by adding a Run key.[2] |
| Enterprise | T1059 | Command and Scripting Interpreter | Malware used by Ke3chang can run commands on the command-line interface.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Ke3chang backdoor RoyalDNS established persistence through adding a service called |
| Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2] |
| Enterprise | T1005 | Data from Local System | Ke3chang gathered information and files from local directories for exfiltration.[1] |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Ke3chang transferred compressed and encrypted RAR files containing exfiltrated data through the established backdoor command and control channel during operations.[1] |
| Enterprise | T1133 | External Remote Services | Ke3chang regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.[2] |
| Enterprise | T1083 | File and Directory Discovery | Ke3chang uses command-line interaction to search files and directories.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1036.002 | Masquerading: Right-to-Left Override | Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Ke3chang has dumped credentials, including by using Mimikatz.[1][2] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Ke3chang has dumped credentials, including by using gsecdump.[1][2] |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Ke3chang has dumped credentials, including by using gsecdump.[1][2] |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Ke3chang performs discovery of permission groups |
| Enterprise | T1057 | Process Discovery | Ke3chang performs process discovery using |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2] |
| Enterprise | T1018 | Remote System Discovery | Ke3chang has used network scanning and enumeration tools, including Ping.[2] |
| Enterprise | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2] |
| Enterprise | T1082 | System Information Discovery | Ke3chang performs operating system information discovery using |
| Enterprise | T1016 | System Network Configuration Discovery | Ke3chang performs local network configuration discovery using |
| Enterprise | T1049 | System Network Connections Discovery | Ke3chang performs local network connection discovery using |
| Enterprise | T1007 | System Service Discovery | Ke3chang performs service discovery using |
| Enterprise | T1569.002 | System Services: Service Execution | Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2] |