ATT&CKcon 4.0 will be held on Oct 24-25 in McLean, VA. Click here for more details and to register.

PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.^[1]^[2]

ID: G0011

Version: 1.2

Created: 31 May 2017

Last Modified: 12 October 2021

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1588	.002	Obtain Capabilities: Tool	PittyTiger has obtained and used tools such as Mimikatz and gsecdump.^[1]
Enterprise	T1078		Valid Accounts	PittyTiger attempts to obtain legitimate credentials during operations.^[1]

Software

ID	Name	References	Techniques
S0032	gh0st RAT	^[1]^[2]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0008	gsecdump	^[1]	OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager
S0010	Lurid	^[2]	Archive Collected Data, Encrypted Channel: Symmetric Cryptography
S0002	Mimikatz	^[1]	Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Ticket, Use Alternate Authentication Material: Pass the Hash
S0012	PoisonIvy	^[2]	Application Window Discovery, Boot or Logon Autostart Execution: Active Setup, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

References

Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.

Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.