| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.[2] |
| Enterprise | T1005 | Data from Local System | Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.[4] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Inception has maintained persistence by modifying a Registry Run key value. |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Inception has used PowerShell to execute malicious commands and payloads.[1][3] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Inception has used VBScript to execute malicious commands and payloads.[1][3] |
| Enterprise | T1203 | Exploitation for Client Execution | Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.[4][3][2][1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Inception has used HTTP, HTTPS, and WebDAV in network communications.[3][1] |
| Enterprise | T1083 | File and Directory Discovery | Inception used a file listing plugin to collect information about files and directories on both local and remote drives.[2] |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Inception has used specific malware modules to gather domain membership.[2] |
| Enterprise | T1221 | Template Injection | Inception has used decoy documents to load malicious remote payloads via HTTP.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.[3] |
| Enterprise | T1204.002 | User Execution: Malicious File | Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.[3][4][2][1] |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Inception has used malicious HTA files to drop and execute malware.[4] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Inception has ensured persistence at system boot by setting a Registry Run key value that invokes regsvr32. |
| Enterprise | T1082 | System Information Discovery | Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.[2] |
| Enterprise | T1102 | Web Service | Inception has incorporated at least five different cloud service providers into their C2 infrastructure, including CloudMe.[3][2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Inception has obtained and used open-source tools such as LaZagne.[4] |
| Enterprise | T1518 | Software Discovery | Inception has enumerated installed software on compromised systems.[2] |
| Enterprise | T1057 | Process Discovery | Inception has used a reconnaissance module to identify active processes and other associated loaded modules.[2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.[3][2][1][4] |