PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple types of malware to maintain command and control.[1][2]

ID: G0011
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain | ID | Name | Use
Enterprise | T1078 | Valid Accounts | PittyTiger attempts to obtain legitimate credentials during operations.[1]

Software

ID | Name | References | Techniques
S0032 | gh0st RAT | [1][2] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Commonly Used Port, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Screen Capture, Signed Binary Proxy Execution: Rundll32
S0008 | gsecdump | [1] | OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0010 | Lurid | [2] | Archive Collected Data, Encrypted Channel: Symmetric Cryptography
S0002 | Mimikatz | [1] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0012 | PoisonIvy | [2] | Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

References