Axiom

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. ^[1] Though both this group and Winnti Group use the malware Winnti for Windows, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. ^[2] ^[3] ^[4]

ID: G0001

Associated Groups: Group 72

Version: 1.2

Created: 31 May 2017

Last Modified: 30 March 2020

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
Group 72	^[5]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1001		Data Obfuscation	The Axiom group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate.
		.002	Steganography	Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.^[1]
Enterprise	T1546	.008	Event Triggered Execution: Accessibility Features	Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.^[1]
Enterprise	T1190		Exploit Public-Facing Application	Axiom has been observed using SQL injection to gain access to systems.^[1]^[5]
Enterprise	T1003		OS Credential Dumping	Axiom has been known to dump credentials.^[1]
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	The Axiom group is known to have used RDP during operations.^[1]

Software

ID	Name	References	Techniques
S0021	Derusbi	^[1]	Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0009	Hikit	^[1]	Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Proxy: Internal Proxy, Rootkit, Subvert Trust Controls: Install Root Certificate
S0203	Hydraq	^[1]	Access Token Manipulation, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Service Discovery, System Services: Service Execution
S0412	ZxShell	^[6]	Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Endpoint Denial of Service, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Network Service Scanning, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, Video Capture

Axiom

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References