Russia/Ukraine Update - November 2022
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Active Scanning, Application Layer Protocol, Boot Or Logon Autostart Execution, Command And Scripting Interpreter, Compromise Accounts, Compromise Infrastructure, Develop Capabilities, Endpoint Denial Of Service, Masquerading, Network Denial Of Service, Obfuscated Files Or Information, Obtain Capabilities, Process Injection, Scheduled Task/Job, Supply Chain Compromise, Trusted Relationship
country: Brazil, China, Cuba, France, Georgia, India, Lithuania, Philippines, Russia, Ukraine, United States Of America
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Direct /Etc/Passwd And /Etc/Shadow - T1003.008, Account Access Removal - T1640, Account Access Removal - T1531, Acquire Infrastructure - T1583, Active Scanning - T1595, Additional Cloud Credentials - T1098.001, Application Access Token - T1550.001, Application Access Token - T1527, Software Discovery - T1418, Application Layer Protocol - T1437, Archive Collected Data - T1560, Archive Collected Data - T1532, Archive Via Utility - T1560.001, Bash History - T1552.003, Boot Or Logon Autostart Execution - T1547, Botnet - T1583.005, Botnet - T1584.005, Clear Windows Event Logs - T1070.001, Cloud Service Discovery - T1526, Code Repositories - T1213.003, Code Repositories - T1593.003, Code Signing Certificates - T1587.002, Code Signing Certificates - T1588.003, Command And Scripting Interpreter - T1623, Compromise Accounts - T1586, Compromise Infrastructure - T1584, Compromise Software Supply Chain - T1195.002, Compromise Software Supply Chain - T1474.003, Credentials - T1589.001, Credentials From Password Stores - T1555, Credentials In Files - T1552.001, Data Destruction - T1662, Data Destruction - T1485, Data Encrypted For Impact - T1471, Data Encrypted For Impact - T1486, Data From Local System - T1533, Dcsync - T1003.006, Default Accounts - T1078.001, Develop Capabilities - T1587, Digital Certificates - T1596.003, Digital Certificates - T1587.003, Digital Certificates - T1588.004, Direct Network Flood - T1498.001, Disable Or Modify Tools - T1562.001, Disable Or Modify Tools - T1629.003, Disable Windows Event Logging - T1562.002, Disk Content Wipe - T1561.001, Disk Content Wipe - T1488, Disk Structure Wipe - T1561.002, Disk Structure Wipe - T1487, Disk Wipe - T1561, Distributed Component Object Model - T1021.003, Dns - T1071.004, Dns - T1590.002, Domain Accounts - T1078.002, Domain Generation Algorithms - T1637.001, Domain Generation Algorithms - T1568.002, Domain Generation Algorithms - T1520, Domain Generation Algorithms - T1483, Domains - T1583.001, Domains - T1584.001, Dynamic Resolution - T1637,
Dynamic Resolution - T1568, Dynamic-Link Library Injection - T1055.001, Encrypted Channel - T1521, Encrypted Channel - T1573, Endpoint Denial Of Service - T1642, Endpoint Denial Of Service - T1499, Escape To Host - T1611, Execution Guardrails - T1480, Execution Guardrails - T1627, Exfiltration Over C2 Channel - T1646, Exfiltration Over Web Service - T1567, Exfiltration To Code Repository - T1567.001, Exploitation For Client Execution - T1658, Exploits - T1587.004, Exploits - T1588.005, File And Directory Discovery - T1420, Forge Web Credentials - T1606, Group Policy Preferences - T1552.006, Hijack Execution Flow - T1625, Hijack Execution Flow - T1574, Impair Defenses - T1562, Impair Defenses - T1629, Indicator Removal From Tools - T1027.005, Internet Connection Discovery - T1016.001, Internet Connection Discovery - T1422.001, Ip Addresses - T1590.005, Network Denial Of Service - T1464, Javascript - T1059.007, Kerberoasting - T1558.003, Keylogging - T1056.001, Keylogging - T1417.001, Lateral Tool Transfer - T1570, System Network Configuration Discovery - T1422, Malicious File - T1204.002, Malicious Link - T1204.001, Malware - T1587.001, Malware - T1588.001, Masquerading - T1655, Match Legitimate Name Or Location - T1036.005, Match Legitimate Name Or Location - T1655.001, Obfuscated Files Or Information - T1406, Mshta - T1218.005, Multi-Hop Proxy - T1090.003, Native Api - T1575, Network Denial Of Service - T1498, Non-Standard Port - T1509, Non-Standard Port - T1571, Ntds - T1003.003, Obtain Capabilities - T1588, Password Managers - T1555.005, Password Spraying - T1110.003, Path Interception By Search Order Hijacking - T1574.008, Phishing - T1660, Phishing - T1566, Portable Executable Injection - T1055.002, Powershell - T1059.001, Private Keys - T1552.004, Process Injection - T1631, Remote Desktop Protocol - T1021.001, Remote Email Collection - T1114.002, Rundll32 - T1218.011, Saml Tokens - T1606.002, Scheduled Task/Job - T1603, Search Open Websites/Domains - T1593, Server - T1583.004, Server - T1584.004, Service Execution - T1569.002,
Service Exhaustion Flood - T1499.002, Service Stop - T1489, Sharepoint - T1213.002, Shortcut Modification - T1547.009, Smb/Windows Admin Shares - T1021.002, Software - T1592.002, Software Discovery - T1518, Spearphishing Attachment - T1566.001, Spearphishing Attachment - T1598.002, Spearphishing Link - T1566.002, Spearphishing Link - T1598.003, Ssh - T1021.004, Steal Or Forge Kerberos Tickets - T1558, Steganography - T1001.002, Steganography - T1406.001, Steganography - T1027.003, Supply Chain Compromise - T1474, Symmetric Cryptography - T1521.001, Symmetric Cryptography - T1573.001, System Services - T1569, Windows Command Shell - T1059.003, Timestomp - T1070.006, Trusted Developer Utilities Proxy Execution - T1127, Token Impersonation/Theft - T1134.001, Trust Modification - T1484.002, Virtualization/Sandbox Evasion - T1497, Time Based Evasion - T1497.003, Windows Service - T1543.003, Use Alternate Authentication Material - T1550, Unsecured Credentials - T1552, Virtual Private Server - T1583.003, Virtual Private Server - T1584.003, Tool - T1588.002, Vulnerabilities - T1588.006, Vulnerability Scanning - T1595.002, Web Cookies - T1606.001, Virtualization/Sandbox Evasion - T1633, Access Token Manipulation - T1134, Account Manipulation - T1098, Standard Application Layer Protocol - T1071, Bash History - T1139, Brute Force - T1110, Command-Line Interface - T1059, Distributed Component Object Model - T1175, Connection Proxy - T1090, Credential Dumping - T1003, Credentials In Files - T1081, Data From Information Repositories - T1213, Data From Local System - T1005, Data From Network Shared Drive - T1039, Data Staged - T1074, Data Transfer Size Limits - T1030, Email Collection - T1114, Execution Through Api - T1106, Exfiltration Over Command And Control Channel - T1041, Exploit Public-Facing Application - T1190, Exploitation For Client Execution - T1203, Exploitation For Credential Access - T1212, External Remote Services - T1133, File And Directory Discovery - T1083, Indicator Removal On Host - T1070,
Indicator Removal From Tools - T1066, Kerberoasting - T1208, Masquerading - T1036, Mshta - T1170, Two-Factor Authentication Interception - T1111, Multi-Hop Proxy - T1188, Network Service Scanning - T1046, Network Share Discovery - T1135, Obfuscated Files Or Information - T1027, Peripheral Device Discovery - T1120, Powershell - T1086, Private Keys - T1145, Process Injection - T1055, Remote Desktop Protocol - T1076, Remote Services - T1021, Remote System Discovery - T1018, Rundll32 - T1085, Scheduled Task - T1053, Service Execution - T1035, Shortcut Modification - T1023, Signed Binary Proxy Execution - T1218, Third-Party Software - T1072, Spearphishing Attachment - T1193, Spearphishing Link - T1192, Supply Chain Compromise - T1195, System Network Configuration Discovery - T1016, Windows Management Instrumentation - T1047, Valid Accounts - T1078, Timestomp - T1099, Trusted Relationship - T1199, User Execution - T1204, Data Destruction, Data From Information Repositories, Denial Of Service, External Remote Services, Masquerading, Remote System Discovery, Service Stop, Spearphishing Attachment, Supply Chain Compromise, Valid Accounts, User Execution
Common Information
Type Value
UUID 9565f84c-d506-41d7-b118-8f17d4c26bda
Fingerprint 87102d594f298ea1
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 29, 2022, midnight
Added to db Nov. 9, 2023, 12:46 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Russia/Ukraine Update - November 2022
Title Russia/Ukraine Update - November 2022
Detected Hints/Tags/Attributes 485/4/132
RSS Feed
Id | Enabled | Feed title | Url | Added to db
346 | ✔ | Optiv Blog | https://www.optiv.com/resources/blog/feed | 2024-08-30 22:08
Attributes
Type | #Events | Value
CERT Ukraine | 21 | UAC-0082
CERT Ukraine | 19 | UAC-0028
CERT Ukraine | 49 | UAC-0056
CERT Ukraine | 23 | UAC-0098
CERT Ukraine | 3 | UAC-0118
CVE | 172 | cve-2022-30190
Domain | 182 | www.mandiant.com
Domain | 262 | www.welivesecurity.com
Domain | 133 | www.infosecurity-magazine.com
Domain | 83 | cert.gov.ua
Domain | 255 | www.optiv.com
File | 3 | empntdrv.sys
File | 384 | www.inf
File | 263 | www.opt
Mandiant Uncategorized Groups | 37 | UNC2589
Mandiant Uncategorized Groups | 97 | UNC2452
MITRE ATT&CK Techniques | 17 | T1593
MITRE ATT&CK Techniques | 56 | T1595.002
MITRE ATT&CK Techniques | 62 | T1583.003
MITRE ATT&CK Techniques | 17 | T1584.005
MITRE ATT&CK Techniques | 36 | T1586
MITRE ATT&CK Techniques | 26 | T1587.003
MITRE ATT&CK Techniques | 59 | T1588.002
MITRE ATT&CK Techniques | 33 | T1588.003
MITRE ATT&CK Techniques | 306 | T1078
MITRE ATT&CK Techniques | 71 | T1078.002
MITRE ATT&CK Techniques | 191 | T1133
MITRE ATT&CK Techniques | 542 | T1190
MITRE ATT&CK Techniques | 36 | T1195.002
MITRE ATT&CK Techniques | 52 | T1199
MITRE ATT&CK Techniques | 409 | T1566
MITRE ATT&CK Techniques | 310 | T1566.001
MITRE ATT&CK Techniques | 183 | T1566.002
MITRE ATT&CK Techniques | 50 | T1072
MITRE ATT&CK Techniques | 695 | T1059
MITRE ATT&CK Techniques | 460 | T1059.001
MITRE ATT&CK Techniques | 333 | T1059.003
MITRE ATT&CK Techniques | 93 | T1059.007
MITRE ATT&CK Techniques | 239 | T1106
MITRE ATT&CK Techniques | 245 | T1203
MITRE ATT&CK Techniques | 420 | T1204
MITRE ATT&CK Techniques | 106 | T1204.001
MITRE ATT&CK Techniques | 365 | T1204.002
MITRE ATT&CK Techniques | 174 | T1569.002
MITRE ATT&CK Techniques | 480 | T1053
MITRE ATT&CK Techniques | 112 | T1098
MITRE ATT&CK Techniques | 15 | T1098.001
MITRE ATT&CK Techniques | 30 | T1547.009
MITRE ATT&CK Techniques | 6 | T1574.008
MITRE ATT&CK Techniques | 40 | T1055.002
MITRE ATT&CK Techniques | 41 | T1078.001
MITRE ATT&CK Techniques | 44 | T1134.001
MITRE ATT&CK Techniques | 13 | T1484.002
MITRE ATT&CK Techniques | 12 | T1611
MITRE ATT&CK Techniques | 26 | T1027.003
MITRE ATT&CK Techniques | 42 | T1027.005
MITRE ATT&CK Techniques | 183 | T1036.005
MITRE ATT&CK Techniques | 59 | T1055.001
MITRE ATT&CK Techniques | 247 | T1070
MITRE ATT&CK Techniques | 92 | T1070.001
MITRE ATT&CK Techniques | 93 | T1070.006
MITRE ATT&CK Techniques | 23 | T1127
MITRE ATT&CK Techniques | 59 | T1218.005
MITRE ATT&CK Techniques | 119 | T1218.011
MITRE ATT&CK Techniques | 48 | T1480
MITRE ATT&CK Techniques | 238 | T1497
MITRE ATT&CK Techniques | 57 | T1497.003
MITRE ATT&CK Techniques | 10 | T1550.001
MITRE ATT&CK Techniques | 298 | T1562.001
MITRE ATT&CK Techniques | 20 | T1562.002
MITRE ATT&CK Techniques | 289 | T1003
MITRE ATT&CK Techniques | 67 | T1003.003
MITRE ATT&CK Techniques | 27 | T1003.006
MITRE ATT&CK Techniques | 15 | T1003.008
MITRE ATT&CK Techniques | 125 | T1110
MITRE ATT&CK Techniques | 49 | T1110.003
MITRE ATT&CK Techniques | 25 | T1111
MITRE ATT&CK Techniques | 44 | T1212
MITRE ATT&CK Techniques | 89 | T1552.001
MITRE ATT&CK Techniques | 26 | T1552.004
MITRE ATT&CK Techniques | 8 | T1552.006
MITRE ATT&CK Techniques | 8 | T1555.005
MITRE ATT&CK Techniques | 27 | T1558
MITRE ATT&CK Techniques | 36 | T1558.003
MITRE ATT&CK Techniques | 14 | T1606.001
MITRE ATT&CK Techniques | 11 | T1606.002
MITRE ATT&CK Techniques | 42 | T1016.001
MITRE ATT&CK Techniques | 243 | T1018
MITRE ATT&CK Techniques | 168 | T1046
MITRE ATT&CK Techniques | 585 | T1083
MITRE ATT&CK Techniques | 188 | T1120
MITRE ATT&CK Techniques | 176 | T1135
MITRE ATT&CK Techniques | 185 | T1518
MITRE ATT&CK Techniques | 12 | T1526
MITRE ATT&CK Techniques | 139 | T1021.002
MITRE ATT&CK Techniques | 10 | T1021.003
MITRE ATT&CK Techniques | 118 | T1570
MITRE ATT&CK Techniques | 534 | T1005
MITRE ATT&CK Techniques | 67 | T1039
MITRE ATT&CK Techniques | 67 | T1074
MITRE ATT&CK Techniques | 89 | T1114
MITRE ATT&CK Techniques | 56 | T1213
MITRE ATT&CK Techniques | 16 | T1213.002
MITRE ATT&CK Techniques | 9 | T1213.003
MITRE ATT&CK Techniques | 116 | T1560.001
MITRE ATT&CK Techniques | 444 | T1071
MITRE ATT&CK Techniques | 52 | T1071.004
MITRE ATT&CK Techniques | 48 | T1090.003
MITRE ATT&CK Techniques | 25 | T1568.002
MITRE ATT&CK Techniques | 115 | T1571
MITRE ATT&CK Techniques | 130 | T1573.001
MITRE ATT&CK Techniques | 36 | T1030
MITRE ATT&CK Techniques | 422 | T1041
MITRE ATT&CK Techniques | 126 | T1567
MITRE ATT&CK Techniques | 7 | T1567.001
MITRE ATT&CK Techniques | 93 | T1485
MITRE ATT&CK Techniques | 472 | T1486
MITRE ATT&CK Techniques | 58 | T1498
MITRE ATT&CK Techniques | 9 | T1498.001
MITRE ATT&CK Techniques | 9 | T1499.002
MITRE ATT&CK Techniques | 26 | T1531
MITRE ATT&CK Techniques | 8 | T1561.001
MITRE ATT&CK Techniques | 15 | T1561.002
Threat Actor Identifier - APT | 783 | APT28
Threat Actor Identifier - APT | 665 | APT29
Url | 1 | https://www.malwarebytes.com/blog/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine
Url | 2 | https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29
Url | 1 | https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew
Url | 1 | https://www.malwarebytes.com/blog/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room
Url | 1 | https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine
Url | 1 | https://www.infosecurity-magazine.com/news/ukraine-warns-of-cuba-ransomware
Url | 1 | https://cert.gov.ua/article/2724253