Chimera | APT Profile

Description

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Techniques Used (TTPs)

T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1074.002 — Remote Data Staging (collection)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1569.002 — Service Execution (execution)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1071.001 — Web Protocols (command-and-control)
T1106 — Native API (execution)
T1556.001 — Domain Controller Authentication (credential-access, defense-evasion, persistence)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1071.004 — DNS (command-and-control)
T1482 — Domain Trust Discovery (discovery)
T1560.001 — Archive via Utility (collection)
T1021.006 — Windows Remote Management (lateral-movement)
T1083 — File and Directory Discovery (discovery)
T1087.002 — Domain Account (discovery)
T1057 — Process Discovery (discovery)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1059.001 — PowerShell (execution)
T1003.003 — NTDS (credential-access)
T1074.001 — Local Data Staging (collection)
T1213.002 — Sharepoint (collection)
T1135 — Network Share Discovery (discovery)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1570 — Lateral Tool Transfer (lateral-movement)
T1007 — System Service Discovery (discovery)
T1027.010 — Command Obfuscation (defense-evasion)
T1016 — System Network Configuration Discovery (discovery)
T1046 — Network Service Discovery (discovery)
T1033 — System Owner/User Discovery (discovery)
T1087.001 — Local Account (discovery)
T1572 — Protocol Tunneling (command-and-control)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1069.001 — Local Groups (discovery)
T1124 — System Time Discovery (discovery)
T1201 — Password Policy Discovery (discovery)
T1049 — System Network Connections Discovery (discovery)
T1059.003 — Windows Command Shell (execution)
T1070.004 — File Deletion (defense-evasion)
T1110.003 — Password Spraying (credential-access)
T1114.001 — Local Email Collection (collection)
T1039 — Data from Network Shared Drive (collection)
T1119 — Automated Collection (collection)
T1133 — External Remote Services (persistence, initial-access)
T1110.004 — Credential Stuffing (credential-access)
T1082 — System Information Discovery (discovery)
T1114.002 — Remote Email Collection (collection)
T1012 — Query Registry (discovery)
T1588.002 — Tool (resource-development)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1070.006 — Timestomp (defense-evasion)
T1018 — Remote System Discovery (discovery)
T1589.001 — Credentials (reconnaissance)
T1047 — Windows Management Instrumentation (execution)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1111 — Multi-Factor Authentication Interception (credential-access)
T1217 — Browser Information Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)

Total TTPs: 59

Malware & Tools

Malware: Cobalt Strike

Tools: BloodHound, Mimikatz, Net, PsExec, esentutl

← Return to Home ← Back to APT Search