
G0088 TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[3][2][4]

| Item | Value |
|---|---|
| ID | G0088 |
| Associated Names | XENOTIME |
| Version | 1.3 |
| Created | 16 April 2019 |
| Last Modified | 30 November 2022 |

Associated Group Descriptions

| Name | Description |
|---|---|
| XENOTIME | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.[1][5][3][2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | TEMP.Veles has used Virtual Private Server (VPS) infrastructure.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | TEMP.Veles has used a publicly available PowerShell-based tool, WMImplant.[2] The group has also used PowerShell to perform timestomping.[3] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.[3] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.012 | Image File Execution Options Injection | TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.[3] |
| enterprise | T1133 | External Remote Services | TEMP.Veles has used a VPN to persist in the victim environment.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[3] |
| enterprise | T1070.006 | Timestomp | TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.[3] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[3] |
| enterprise | T1571 | Non-Standard Port | TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.005 | Indicator Removal from Tools | TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.[2] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.[3] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.[3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | TEMP.Veles utilized RDP throughout an operation.[3] |
| enterprise | T1021.004 | SSH | TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[3] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | TEMP.Veles has used scheduled task XML triggers.[3] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | TEMP.Veles has planted web shells on Outlook Exchange servers.[3] |
| enterprise | T1078 | Valid Accounts | TEMP.Veles has used compromised VPN accounts.[3] |
| ics | T0817 | Drive-by Compromise | TEMP.Veles utilizes watering hole websites to target industrial employees.[7] |
| ics | T0886 | Remote Services | TEMP.Veles utilized Remote Desktop Protocol (RDP) jump boxes to move into the ICS environment.[6] |
| ics | T0862 | Supply Chain Compromise | TEMP.Veles targeted several ICS vendors and manufacturers.[8] |
| ics | T0859 | Valid Accounts | TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.[6] |
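Several rows above describe behaviours that leave host and network artefacts a defender can hunt for: Debugger values written under the Image File Execution Options key (T1546.012), port-protocol mismatches on the listed ports (T1571), and $STANDARD_INFORMATION timestamps altered while the $FILE_NAME attribute was not (T1070.006). The script below is an added example, not code from ATT&CK or from any of the cited reports; it runs three small detection rules over constructed sample events. The event shapes (Sysmon-style registry events, Zeek-style connection records with a `service` label, MFT records with `si_created`/`fn_created`), the hypothetical `ProgramData\staging` path and the 203.0.113.0/24 addresses are all assumptions made for the demo.

```python
"""Added detection example modelling reported TEMP.Veles behaviours.
All event formats and sample values below are constructed for this demo."""
from dataclasses import dataclass
from datetime import datetime

IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Service a sensor is expected to label on a given well-known port (assumed Zeek-style names).
EXPECTED_SERVICE = {443: "ssl", 22: "ssh", 80: "http"}
# Non-standard ports the ATT&CK page reports the group using, besides 443.
WATCHLIST_PORTS = {4444, 8531, 50501}


@dataclass
class Finding:
    technique: str
    detail: str


def check_registry(events):
    """T1546.012: flag 'Debugger' values written anywhere under the IFEO key
    (Sysmon event ID 13, RegistryEvent Value Set, is assumed as the source)."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        target = ev.get("target_object", "")
        low = target.lower()
        if low.startswith(IFEO_KEY.lower()) and low.endswith("\\debugger"):
            findings.append(Finding("T1546.012", f"{ev['image']} set {target} = {ev['details']}"))
    return findings


def check_network(conns):
    """T1571: flag (a) a well-known port carrying a service other than the expected one
    and (b) any connection to a port on the group's reported non-standard port list."""
    findings = []
    for c in conns:
        port, svc = c["dst_port"], c.get("service")
        if port in EXPECTED_SERVICE and svc != EXPECTED_SERVICE[port]:
            findings.append(Finding(
                "T1571", f"{c['dst_ip']}:{port} carried {svc!r}, expected {EXPECTED_SERVICE[port]!r}"))
        elif port in WATCHLIST_PORTS:
            findings.append(Finding(
                "T1571", f"{c['dst_ip']}:{port} is on the reported non-standard port list ({svc!r})"))
    return findings


def check_timestomp(mft_records):
    """T1070.006: $STANDARD_INFORMATION timestamps can be set through ordinary file APIs,
    while $FILE_NAME timestamps are maintained by the file system. An $SI creation time
    earlier than the $FN creation time, or an $SI value with a zeroed sub-second field
    next to an $FN value with full precision, is a classic timestomping indicator."""
    findings = []
    for r in mft_records:
        si, fn = r["si_created"], r["fn_created"]
        if si < fn:
            findings.append(Finding("T1070.006", f"{r['path']}: $SI created {si} precedes $FN created {fn}"))
        elif si.microsecond == 0 and fn.microsecond != 0:
            findings.append(Finding("T1070.006", f"{r['path']}: $SI creation time has zeroed sub-second precision"))
    return findings


# --- constructed sample input ---------------------------------------------------------
SAMPLE_REGISTRY = [
    {"event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": IFEO_KEY + r"\example.exe\Debugger",          # hypothetical image name
     "details": r"C:\ProgramData\staging\tool.exe"},                 # hypothetical path
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "details": r"C:\Program Files\Example\example.exe"},            # different key: benign here
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe"},         # not a registry event
]
SAMPLE_CONNS = [
    {"dst_ip": "203.0.113.10", "dst_port": 443, "service": "ssh"},    # SSH tunnelled over 443
    {"dst_ip": "203.0.113.11", "dst_port": 443, "service": "ssl"},    # TLS on 443: expected
    {"dst_ip": "203.0.113.12", "dst_port": 50501, "service": None},   # reported non-standard port
]
SAMPLE_MFT = [
    {"path": r"C:\ProgramData\staging\tool.exe",
     "si_created": datetime(2018, 6, 1, 10, 0, 0),                   # backdated $SI
     "fn_created": datetime(2018, 12, 3, 8, 12, 5, 123456)},
    {"path": r"C:\Windows\System32\notepad.exe",
     "si_created": datetime(2018, 12, 3, 8, 12, 5, 123456),          # consistent: benign
     "fn_created": datetime(2018, 12, 3, 8, 12, 5, 123456)},
    {"path": r"C:\ProgramData\staging\update.exe",
     "si_created": datetime(2018, 12, 3, 8, 12, 6, 0),               # whole-second $SI
     "fn_created": datetime(2018, 12, 3, 8, 12, 5, 654321)},
]


def run_all():
    """Apply every rule to the constructed samples and return the combined findings."""
    return check_registry(SAMPLE_REGISTRY) + check_network(SAMPLE_CONNS) + check_timestomp(SAMPLE_MFT)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.technique}] {f.detail}")
```

On real data the MFT rule should be run on files under the staging directories and renamed "update"-style binaries the page mentions, and the registry rule is most useful when joined with the writing process, since legitimate software rarely sets a Debugger value under IFEO.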

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0002 | Mimikatz | [3] | SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; LSASS Memory: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Ticket: Use Alternate Authentication Material; Pass the Hash: Use Alternate Authentication Material |
| S0029 | PsExec | [3][1] | Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services |
| S1009 | Triton | [1] | Change Operating Mode; Commonly Used Port; Detect Operating Mode; Execution through API; Exploitation for Evasion; Exploitation for Privilege Escalation; Hooking; Indicator Removal on Host; Loss of Safety; Masquerading; Modify Controller Tasking; Native API; Program Download; Program Upload; Remote System Discovery; Scripting; Standard Application Layer Protocol; System Firmware |

References