1. Home
  2. Groups
  3. PittyTiger

PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[1][2]

ID: G0011
Version: 1.2
Created: 31 May 2017
Last Modified: 12 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1078 有效账户

PittyTiger attempts to obtain legitimate credentials during operations.[1]
Enterprise T1588 .002 获取能力: Tool

PittyTiger has obtained and used tools such as Mimikatz and gsecdump.[1]

Software

ID Name References Techniques
S0032 gh0st RAT [1][2] 修改注册表, 共享模块, 创建或修改系统进程: Windows Service, 加密通道: Symmetric Cryptography, 加密通道, 动态解析: Fast Flux DNS, 劫持执行流: DLL Side-Loading, 反混淆/解码文件或信息, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器, 屏幕捕获, 数据编码: Standard Encoding, 本机API, 查询注册表, 移除指标: Clear Windows Event Logs, 移除指标: File Deletion, 系统二进制代理执行: Rundll32, 系统信息发现, 系统服务: Service Execution, 输入工具传输, 输入捕获: Keylogging, 进程发现, 进程注入, 非应用层协议
S0008 gsecdump [1] 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: LSA Secrets
S0010 Lurid [2] 加密通道: Symmetric Cryptography, 归档收集数据
S0002 Mimikatz [1] 从密码存储中获取凭证, 从密码存储中获取凭证: Credentials from Web Browsers, 从密码存储中获取凭证: Windows Credential Manager, 伪造域控制器, 使用备用认证材料: Pass the Hash, 使用备用认证材料: Pass the Ticket, 启动或登录自动启动执行: Security Support Provider, 操作系统凭证转储: DCSync, 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: LSA Secrets, 未加密凭证: Private Keys, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 窃取或伪造身份认证证书, 访问令牌操控: SID-History Injection, 账号操控
S0012 PoisonIvy [2] Rootkit, 从本地系统获取数据, 修改注册表, 创建或修改系统进程: Windows Service, 加密通道: Symmetric Cryptography, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 启动或登录自动启动执行: Active Setup, 命令与脚本解释器: Windows Command Shell, 应用窗口发现, 执行保护: Mutual Exclusion, 数据分段: Local Data Staging, 混淆文件或信息, 输入工具传输, 输入捕获: Keylogging, 进程注入: Dynamic-link Library Injection

References

  1. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  1. Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.