Naikon

Naikon is a threat group that has focused on targets around the South China Sea. [1] The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). [2] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [3]

ID: G0019
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1063 | Security Software Discovery | Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings. [1]
Enterprise | T1016 | System Network Configuration Discovery | Naikon uses commands such as netsh interface show to discover network interface settings. [1]
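The two netsh discovery behaviours in the table above are easy to hunt for in process-creation telemetry, because both leave the full command line in the event. The following is an added example, not part of the ATT&CK page and not code from any cited report: it parses a handful of constructed process-creation events written in a simplified Sysmon-style key=value form, isolates the arguments passed to netsh.exe, and maps them to the two technique IDs listed on this page. The field names (UtcTime, Image, CommandLine, User), the helper names and the sample events are assumptions made for the example; a third sample event shows netsh used for port proxying, which the Software table also attributes to netsh but which the discovery rules here deliberately do not match.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample events (simplified Sysmon EID 1 style, one event per line,
# quoted values may contain spaces). These are illustrative input only.
SAMPLE_EVENTS = [
    'UtcTime="2024-01-10 08:01:12" Image=C:\\Windows\\System32\\netsh.exe '
    'CommandLine="netsh advfirewall firewall show rule name=all" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\jdoe',
    'UtcTime="2024-01-10 08:01:20" Image=C:\\Windows\\System32\\netsh.exe '
    'CommandLine="netsh interface show interface" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\jdoe',
    'UtcTime="2024-01-10 08:02:05" Image=C:\\Windows\\System32\\netsh.exe '
    'CommandLine="netsh interface portproxy add v4tov4 listenport=8080 '
    'connectaddress=10.0.0.5 connectport=443" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\jdoe',
    'UtcTime="2024-01-10 08:03:44" Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\Users\\jdoe\\notes.txt" '
    'ParentImage=C:\\Windows\\explorer.exe User=CORP\\jdoe',
]

# key=value pairs; the value is either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of field -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def netsh_args(cmdline: str) -> Optional[list]:
    """Return the lower-cased arguments after netsh/netsh.exe, or None if the
    command line does not invoke netsh (the first token may be a full path)."""
    tokens = cmdline.strip().split()
    if not tokens:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("netsh", "netsh.exe"):
        return None
    return [t.lower() for t in tokens[1:]]


# (technique ID as listed on this page, technique name, predicate over netsh arguments)
DISCOVERY_RULES: list = [
    ("T1063", "Security Software Discovery",
     lambda a: a[:1] == ["advfirewall"] and "show" in a),
    ("T1016", "System Network Configuration Discovery",
     lambda a: a[:1] == ["interface"] and "show" in a),
]


@dataclass
class Finding:
    time: str
    user: str
    command: str
    technique_id: Optional[str]   # None when netsh is used outside the discovery rules
    technique_name: str


def classify(event: dict) -> Optional[Finding]:
    """Map a parsed event to a Finding; None means the event is not a netsh execution."""
    args = netsh_args(event.get("CommandLine", ""))
    if args is None:
        return None
    base = (event.get("UtcTime", ""), event.get("User", ""), event.get("CommandLine", ""))
    for tid, name, matches in DISCOVERY_RULES:
        if matches(args):
            return Finding(*base, tid, name)
    # netsh ran, but not one of the two discovery patterns (e.g. portproxy configuration):
    # still worth surfacing, but without a technique ID from this page.
    return Finding(*base, None, "netsh use outside the discovery rules")


def scan(lines) -> list:
    """Run every line through parse_event/classify and keep the netsh findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        tag = f.technique_id or "----- "
        print(f"{f.time}  {f.user:<10} {tag:<6} {f.technique_name}: {f.command}")
```

The predicates key on the netsh context ("advfirewall", "interface") plus a "show" verb rather than on exact strings, so `netsh advfirewall show allprofiles` and `netsh interface ipv4 show config` are caught as well as the two forms quoted on the page; the unclassified third finding is how a hunter would notice the same binary being used for something other than discovery.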

Software

ID | Name | References | Techniques
S0095 | FTP | [1] | Commonly Used Port, Exfiltration Over Alternative Protocol
S0061 | HDoor | [1] | Disabling Security Tools, Network Service Scanning
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0108 | netsh | [1] | Connection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery
S0097 | Ping | [1] | Remote System Discovery
S0029 | PsExec | [1] | Service Execution, Windows Admin Shares
S0055 | RARSTONE | [1] [2] | File and Directory Discovery, Process Injection, Remote File Copy, Standard Application Layer Protocol
S0058 | SslMM | [1] [2] | Access Token Manipulation, Disabling Security Tools, Fallback Channels, Input Capture, Masquerading, Registry Run Keys / Startup Folder, Shortcut Modification, System Information Discovery, System Owner/User Discovery
S0060 | Sys10 | [1] | Custom Cryptographic Protocol, Permission Groups Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0096 | Systeminfo | [1] | System Information Discovery
S0057 | Tasklist | [1] | Process Discovery, Security Software Discovery, System Service Discovery
S0059 | WinMM | [1] [2] | Fallback Channels, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery

References