Ke3chang | APT Profile

Description

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)

Techniques Used (TTPs)

T1114.002 — Remote Email Collection (collection)
T1105 — Ingress Tool Transfer (command-and-control)
T1087.001 — Local Account (discovery)
T1033 — System Owner/User Discovery (discovery)
T1614.001 — System Language Discovery (discovery)
T1087.002 — Domain Account (discovery)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1558.001 — Golden Ticket (credential-access)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1119 — Automated Collection (collection)
T1083 — File and Directory Discovery (discovery)
T1133 — External Remote Services (persistence, initial-access)
T1018 — Remote System Discovery (discovery)
T1003.002 — Security Account Manager (credential-access)
T1016 — System Network Configuration Discovery (discovery)
T1588.002 — Tool (resource-development)
T1020 — Automated Exfiltration (exfiltration)
T1007 — System Service Discovery (discovery)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1190 — Exploit Public-Facing Application (initial-access)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1569.002 — Service Execution (execution)
T1005 — Data from Local System (collection)
T1071.004 — DNS (command-and-control)
T1213.002 — Sharepoint (collection)
T1027 — Obfuscated Files or Information (defense-evasion)
T1059 — Command and Scripting Interpreter (execution)
T1036.002 — Right-to-Left Override (defense-evasion)
T1560 — Archive Collected Data (collection)
T1069.002 — Domain Groups (discovery)
T1560.001 — Archive via Utility (collection)
T1003.003 — NTDS (credential-access)
T1057 — Process Discovery (discovery)
T1003.001 — LSASS Memory (credential-access)
T1587.001 — Malware (resource-development)
T1071.001 — Web Protocols (command-and-control)
T1059.003 — Windows Command Shell (execution)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1583.005 — Botnet (resource-development)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1049 — System Network Connections Discovery (discovery)
T1056.001 — Keylogging (collection, credential-access)
T1003.004 — LSA Secrets (credential-access)
T1078.004 — Cloud Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1082 — System Information Discovery (discovery)

Total TTPs: 46

Malware & Tools

Malware: MirageFox, Neoichor, Okrum

Tools: Mimikatz, Net, Ping, Systeminfo, Tasklist, ipconfig, netstat, spwebmember

← Return to Home ← Back to APT Search