
G0011 PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. [1][2]

ID: G0011
Associated Names: -
Version: 1.2
Created: 31 May 2017
Last Modified: 12 October 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | PittyTiger has obtained and used tools such as Mimikatz and gsecdump. [1]
enterprise | T1078 | Valid Accounts | PittyTiger attempts to obtain legitimate credentials during operations. [1]

Software

ID | Name | References | Techniques (listed as sub-technique: technique where a sub-technique applies; entries separated by semicolons)

S0032 | gh0st RAT | [1][2] | Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS: Dynamic Resolution; Symmetric Cryptography: Encrypted Channel; Encrypted Channel; DLL Side-Loading: Hijack Execution Flow; Clear Windows Event Logs: Indicator Removal on Host; File Deletion: Indicator Removal on Host; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32: System Binary Proxy Execution; System Information Discovery; Service Execution: System Services

S0008 | gsecdump | - | LSA Secrets: OS Credential Dumping; Security Account Manager: OS Credential Dumping

S0010 | Lurid | - | Archive Collected Data; Symmetric Cryptography: Encrypted Channel

S0002 | Mimikatz | - | SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; LSA Secrets: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Rogue Domain Controller; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Hash: Use Alternate Authentication Material; Pass the Ticket: Use Alternate Authentication Material

S0012 | PoisonIvy | - | Application Window Discovery; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Active Setup: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Data from Local System; Local Data Staging: Data Staged; Symmetric Cryptography: Encrypted Channel; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Obfuscated Files or Information; Dynamic-link Library Injection: Process Injection; Rootkit

References
