JUST RELEASED: ATT&CK for Industrial Control Systems


Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more. [1] [2] [3]

ID: G0004
Associated Groups: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT
Version: 1.1
Created: 31 May 2017
Last Modified: 22 April 2019

Associated Group Descriptions

Name Description
APT15 [2]
Mirage [2]
Vixen Panda [2] [3]
GREF [2]
Playful Dragon [2] [3]
RoyalAPT [3]

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]

Enterprise T1059 Command-Line Interface

Malware used by Ke3chang can run commands on the command-line interface.[1][2]

Enterprise T1003 Credential Dumping

Ke3chang has dumped credentials, including by using Mimikatz.[1][2]

Enterprise T1002 Data Compressed

The Ke3chang group has been known to compress data before exfiltration.[1]

Enterprise T1022 Data Encrypted

Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[1]

Enterprise T1213 Data from Information Repositories

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2]

Enterprise T1005 Data from Local System

Ke3chang gathered information and files from local directories for exfiltration.[1]

Enterprise T1114 Email Collection

Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[2]

Enterprise T1041 Exfiltration Over Command and Control Channel

Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[1]

Enterprise T1133 External Remote Services

Ke3chang regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.[2]

Enterprise T1083 File and Directory Discovery

Ke3chang uses command-line interaction to search files and directories.[1]

Enterprise T1056 Input Capture

Ke3chang has used keyloggers.[2]

Enterprise T1036 Masquerading

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1]

Enterprise T1050 New Service

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.[2]

Enterprise T1097 Pass the Ticket

Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2]

Enterprise T1069 Permission Groups Discovery

Ke3chang performs discovery of permission groups net group /domain.[1]

Enterprise T1057 Process Discovery

Ke3chang performs process discovery using tasklist commands.[1][2]

Enterprise T1060 Registry Run Keys / Startup Folder

Several Ke3chang backdoors achieved persistence by adding a Run key.[2]

Enterprise T1018 Remote System Discovery

Ke3chang has used network scanning and enumeration tools, including Ping.[2]

Enterprise T1064 Scripting

Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2]

Enterprise T1035 Service Execution

Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2]

Enterprise T1071 Standard Application Layer Protocol

Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, Ke3chang malware RoyalDNS has used DNS for C2.[2]

Enterprise T1082 System Information Discovery

Ke3chang performs operating system information discovery using systeminfo.[1][2]

Enterprise T1016 System Network Configuration Discovery

Ke3chang performs local network configuration discovery using ipconfig.[1][2]

Enterprise T1049 System Network Connections Discovery

Ke3chang performs local network connection discovery using netstat.[1][2]

Enterprise T1007 System Service Discovery

Ke3chang performs service discovery using net start commands.[1]

Enterprise T1077 Windows Admin Shares

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2]


ID Name References Techniques
S0100 ipconfig [1] [2] System Network Configuration Discovery
S0002 Mimikatz [2] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0280 MirageFox [3] Command-Line Interface, Commonly Used Port, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking, System Information Discovery, System Owner/User Discovery
S0039 Net [1] [2] Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104 netstat [1] [2] System Network Connections Discovery
S0097 Ping [2] Remote System Discovery
S0227 spwebmember [2] Data from Information Repositories
S0096 Systeminfo [1] [2] System Information Discovery
S0057 Tasklist [2] Process Discovery, Security Software Discovery, System Service Discovery