Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more. [1][2][3]

ID: G0004
Version: 1.1

Associated Group Descriptions

Vixen Panda [2][3]
Playful Dragon [2][3]

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1087 | Account Discovery | Ke3chang performs account discovery using commands such as `net localgroup administrators` and `net group "REDACTED" /domain` on specific permissions groups. [1] |
| Enterprise | T1059 | Command-Line Interface | Malware used by Ke3chang can run commands on the command-line interface. [1][2] |
| Enterprise | T1003 | Credential Dumping | Ke3chang has dumped credentials, including by using Mimikatz. [1][2] |
| Enterprise | T1002 | Data Compressed | The Ke3chang group has been known to compress data before exfiltration. [1] |
| Enterprise | T1022 | Data Encrypted | Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration. [1] |
| Enterprise | T1213 | Data from Information Repositories | Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember. [2] |
| Enterprise | T1005 | Data from Local System | Ke3chang gathered information and files from local directories for exfiltration. [1] |
| Enterprise | T1114 | Email Collection | Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes. [2] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Ke3chang transferred compressed and encrypted RAR files containing data for exfiltration through the established backdoor command and control channel during operations. [1] |
| Enterprise | T1133 | External Remote Services | Ke3chang regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host. [2] |
| Enterprise | T1083 | File and Directory Discovery | Ke3chang uses command-line interaction to search files and directories. [1] |
| Enterprise | T1056 | Input Capture | Ke3chang has used keyloggers. [2] |
| Enterprise | T1036 | Masquerading | Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files. [1] |
| Enterprise | T1050 | New Service | The Ke3chang backdoor RoyalDNS established persistence by adding a service called Nwsapagent. [2] |
| Enterprise | T1097 | Pass the Ticket | Ke3chang has used Mimikatz to generate Kerberos golden tickets. [2] |
| Enterprise | T1069 | Permission Groups Discovery | Ke3chang performs discovery of permission groups using `net group /domain`. [1] |
| Enterprise | T1057 | Process Discovery | Ke3chang performs process discovery using `tasklist` commands. [1][2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Several Ke3chang backdoors achieved persistence by adding a Run key. [2] |
| Enterprise | T1018 | Remote System Discovery | Ke3chang has used network scanning and enumeration tools, including Ping. [2] |
| Enterprise | T1064 | Scripting | Ke3chang has used batch scripts in its malware to install persistence mechanisms. [2] |
| Enterprise | T1035 | Service Execution | Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | The Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, the Ke3chang malware RoyalDNS has used DNS for C2. [2] |
| Enterprise | T1082 | System Information Discovery | Ke3chang performs operating system information discovery using `systeminfo`. [1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Ke3chang performs local network configuration discovery using `ipconfig`. [1][2] |
| Enterprise | T1049 | System Network Connections Discovery | Ke3chang performs local network connection discovery using `netstat`. [1][2] |
| Enterprise | T1007 | System Service Discovery | Ke3chang performs service discovery using `net start` commands. [1] |
| Enterprise | T1077 | Windows Admin Shares | Ke3chang actors have been known to copy files to the network shares of other computers to move laterally. [1][2] |
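The T1036 row above describes attachment names that use the Unicode right-to-left override (U+202E) so that a .scr or .exe renders as if it had a document extension. The following Python is an added example, not code from the ATT&CK page, showing how a mail-gateway or triage script can flag such names by comparing the extension the OS acts on with the one a user sees; the executable-extension list and the sample names are assumptions constructed for this example.

```python
"""Flag right-to-left-override (RTLO) filename spoofing: U+202E makes the
trailing 'cod.scr' render as 'rcs.doc', so a screensaver executable looks
like a Word document. Added example; not code from the ATT&CK page."""

RTLO = "\u202e"
# Unicode bidirectional controls that can reorder how a name is displayed
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Extensions Windows will execute; this list is an assumption for the example
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd"})


def displayed_name(name: str) -> str:
    """Approximate what a viewer renders: text after U+202E appears reversed."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def _extension(text: str) -> str:
    dot = text.rfind(".")
    return text[dot:].lower() if dot != -1 else ""


def real_extension(name: str) -> str:
    """Extension the operating system acts on, with bidi controls removed."""
    return _extension("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def analyse(name: str) -> dict:
    """Return a verdict for one attachment name."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    real = real_extension(name)
    shown = _extension(displayed_name(name))
    return {
        "name": name,
        "displayed": displayed_name(name),
        "real_ext": real,
        "shown_ext": shown,
        # Alert only when a bidi control hides an executable behind another extension
        "suspicious": has_bidi and real in EXECUTABLE_EXTS and shown != real,
    }


# Constructed sample attachment names (not real indicators)
SAMPLES = [
    "Annual_Report" + RTLO + "cod.scr",  # renders as Annual_Reportrcs.doc
    "invoice.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse(sample))
```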


Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0100 | ipconfig | [1][2] | System Network Configuration Discovery |
| S0002 | Mimikatz | [2] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0280 | MirageFox | [3] | Command-Line Interface, Commonly Used Port, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking, System Information Discovery, System Owner/User Discovery |
| S0039 | Net | [1][2] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares |
| S0104 | netstat | [1][2] | System Network Connections Discovery |
| S0097 | Ping | [2] | Remote System Discovery |
| S0227 | spwebmember | [2] | Data from Information Repositories |
| S0096 | Systeminfo | [1][2] | System Information Discovery |
| S0057 | Tasklist | [2] | Process Discovery, Security Software Discovery, System Service Discovery |