G0052 CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]

Item              Value
ID                G0052
Associated Names  (none listed)
Version           1.5
Created           16 January 2018
Last Modified     26 May 2021

Techniques Used

Domain      ID         Name                            Use
enterprise  T1560      Archive Collected Data          -
enterprise  T1560.001  Archive via Utility             CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[2]
enterprise  T1560.003  Archive via Custom Method       CopyKittens encrypts data with a substitution cipher prior to exfiltration.[3]
enterprise  T1059      Command and Scripting Interpreter  -
enterprise  T1059.001  PowerShell                      CopyKittens has used PowerShell Empire.[2]
enterprise  T1564      Hide Artifacts                  -
enterprise  T1564.003  Hidden Window                   CopyKittens has used "-w hidden" and "-windowstyle hidden" to conceal PowerShell windows.[2]
enterprise  T1588      Obtain Capabilities             -
enterprise  T1588.002  Tool                            CopyKittens has used Metasploit and Empire for post-exploitation activities.[4]
enterprise  T1553      Subvert Trust Controls          -
enterprise  T1553.002  Code Signing                    CopyKittens digitally signed an executable with a certificate stolen from the legitimate company AI Squared.[2]
enterprise  T1218      System Binary Proxy Execution   -
enterprise  T1218.011  Rundll32                        CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[2]

Software

ID     Name           References
S0154  Cobalt Strike  -
       Techniques: Bypass User Account Control:Abuse Elevation Control Mechanism; Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Token Impersonation/Theft:Access Token Manipulation; Domain Account:Account Discovery; Application Layer Protocol; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Python:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Commonly Used Port; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Asymmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection:Process Injection; Process Hollowing:Process Injection; Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; Remote Desktop Protocol:Remote Services; SMB/Windows Admin Shares:Remote Services; Distributed Component Object Model:Remote Services; SSH:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation

S0363  Empire         -
       Techniques: Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Shortcut Modification:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Browser Bookmark Discovery; Clipboard Data; Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Commonly Used Port; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exfiltration to Code Repository:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Timestomp:Indicator Removal on Host; Ingress Tool Transfer; Credential API Hooking:Input Capture; Keylogging:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Golden Ticket:Steal or Forge Kerberos Tickets; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Private Keys:Unsecured Credentials; Credentials In Files:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation

S0167  Matryoshka     -
       Techniques: DNS:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Command and Scripting Interpreter; Credentials from Password Stores; Keylogging:Input Capture; Obfuscated Files or Information; Dynamic-link Library Injection:Process Injection; Scheduled Task:Scheduled Task/Job; Screen Capture; Rundll32:System Binary Proxy Execution

S0164  TDTESS         -
       Techniques: Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Timestomp:Indicator Removal on Host; File Deletion:Indicator Removal on Host; Ingress Tool Transfer

References