Group: Ke3chang

Ke3chang (Group)
ID: G0004
Aliases: Ke3chang

Ke3chang is a threat group attributed to actors operating out of China.[1]

Techniques Used

  • Data Compressed - The Ke3chang group has been known to compress data before exfiltration.[1]
  • Data Encrypted - Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[1]
  • Windows Admin Shares - Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1]
  • Account Discovery - Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]
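For defenders, the Account Discovery and Data Encrypted entries above translate into a process command-line check. The following is an added example, not part of the original page or of the ATT&CK knowledge base: the event tuple layout, the finding labels and the sample records are constructed, and it assumes the RAR command-line tool is invoked with its -p or -hp password switches.

```python
import shlex

# Constructed process-creation records (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", "CORP\\jdoe", 'net localgroup administrators'),
    ("WS-014", "CORP\\jdoe", 'NET.EXE group "Example Admins" /domain'),
    ("WS-014", "CORP\\jdoe", 'rar.exe a -hpPLACEHOLDER C:\\Temp\\out.rar C:\\Temp\\docs'),
    ("WS-022", "CORP\\asmith", 'net use'),
    ("WS-022", "CORP\\asmith", 'rar a backup.rar reports'),
]

def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to whitespace split
        return cmdline.split()

def image_name(token):
    """Reduce 'C:\\Windows\\System32\\NET.EXE' to 'net'."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(cmdline):
    """Return a finding label (hypothetical naming) or None."""
    toks = tokens(cmdline)
    if not toks:
        return None
    exe, args = image_name(toks[0]), [t.lower() for t in toks[1:]]
    if exe in ("net", "net1"):
        if args[:2] == ["localgroup", "administrators"]:
            return "account-discovery:local-admins"
        # 'net group <name> /domain' queries one specific domain group
        if args[:1] == ["group"] and "/domain" in args and len(args) >= 3:
            return "account-discovery:domain-group"
    if exe in ("rar", "winrar") and args[:1] == ["a"]:
        # -p / -hp set an archive password; '-p-' explicitly disables it
        if any(a.startswith(("-p", "-hp")) and a != "-p-" for a in args):
            return "archive:password-protected-rar"
    return None

def scan(events):
    """Return (host, user, label, cmdline) for every matching event."""
    return [(h, u, label, c) for h, u, c in events
            if (label := classify(c)) is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Any one of these commands is common in routine administration, so findings are more useful when grouped by host and user and reviewed together.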

Software