Gamaredon Group
Also known as: Gamaredon Group, IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard, NastyShrew
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) derives from a misspelling of the word "Armageddon," found in early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022) In November...
| Techniques | Covered | Gaps | Coverage |
|---|---|---|---|
| 71 | 68 | 3 | 96% (68/71) |
COVERED (68)

| Technique | Name | Detections |
|---|---|---|
| T1001 | Data Obfuscation | 2 |
| T1005 | Data from Local System | 47 |
| T1012 | Query Registry | 24 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1020 | Automated Exfiltration | 20 |
| T1021.005 | VNC | 2 |
| T1025 | Data from Removable Media | 3 |
| T1027 | Obfuscated Files or Information | 561 |
| T1027.004 | Compile After Delivery | 10 |
| T1027.010 | Command Obfuscation | 38 |
| T1027.012 | LNK Icon Smuggling | 1 |
| T1027.015 | Compression | 2 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1039 | Data from Network Shared Drive | 6 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1047 | Windows Management Instrumentation | 87 |
| T1053.005 | Scheduled Task | 99 |
| T1055 | Process Injection | 79 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1070.004 | File Deletion | 42 |
| T1071.001 | Web Protocols | 80 |
| T1080 | Taint Shared Content | 2 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1090 | Proxy | 46 |
| T1090.003 | Multi-hop Proxy | 9 |
| T1091 | Replication Through Removable Media | 8 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1102 | Web Service | 34 |
| T1102.002 | Bidirectional Communication | 15 |
| T1102.003 | One-Way Communication | 4 |
| T1105 | Ingress Tool Transfer | 183 |
| T1106 | Native API | 29 |
| T1112 | Modify Registry | 203 |
| T1113 | Screen Capture | 18 |
| T1119 | Automated Collection | 12 |
| T1120 | Peripheral Device Discovery | 4 |
| T1137 | Office Application Startup | 18 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1218.005 | Mshta | 49 |
| T1218.011 | Rundll32 | 75 |
| T1221 | Template Injection | 1 |
| T1480 | Execution Guardrails | 1 |
| T1491.001 | Internal Defacement | 4 |
| T1497.001 | System Checks | 6 |
| T1518.001 | Security Software Discovery | 10 |
| T1534 | Internal Spearphishing | 193 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1559.001 | Component Object Model | 17 |
| T1561.001 | Disk Content Wipe | 2 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1564.003 | Hidden Window | 11 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1568 | Dynamic Resolution | 10 |
| T1571 | Non-Standard Port | 16 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1587.003 | Digital Certificates | 1 |
| T1588.002 | Tool | 13 |
| T1608.001 | Upload Malware | 3 |
| T1620 | Reflective Code Loading | 14 |
| T1685 | Disable or Modify Tools | 278 |