
G0141 Gelsemium

Gelsemium is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in Eastern Asia and the Middle East. [1]

ID:                G0141
Associated Names:  
Version:           1.0
Created:           30 November 2021
Last Modified:     02 December 2021

Techniques Used

Domain      ID         Name                                Use
enterprise  T1583      Acquire Infrastructure              -
enterprise  T1583.004  Server                              Gelsemium has established infrastructure through renting servers at multiple providers worldwide. [1]
enterprise  T1568      Dynamic Resolution                  Gelsemium has used dynamic DNS in its C2 infrastructure. [1]
enterprise  T1195      Supply Chain Compromise             -
enterprise  T1195.002  Compromise Software Supply Chain    Gelsemium has compromised software supply chains to gain access to victims. [1]

Software

S0666 Gelsemium (References: -)
Techniques:
  - Abuse Elevation Control Mechanism: Bypass User Account Control
  - Application Layer Protocol: Web Protocols
  - Archive Collected Data: Archive via Library
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  - Boot or Logon Autostart Execution: Print Processors
  - Deobfuscate/Decode Files or Information
  - File and Directory Discovery
  - Indicator Removal on Host: Timestomp
  - Indicator Removal on Host: File Deletion
  - Ingress Tool Transfer
  - Masquerading: Match Legitimate Name or Location
  - Modify Registry
  - Non-Application Layer Protocol
  - Obfuscated Files or Information
  - Obfuscated Files or Information: Binary Padding
  - Process Discovery
  - Process Injection: Dynamic-link Library Injection
  - Software Discovery: Security Software Discovery
  - System Information Discovery
  - System Owner/User Discovery

S0002 Mimikatz (References: -)
Techniques:
  - Access Token Manipulation: SID-History Injection
  - Account Manipulation
  - Boot or Logon Autostart Execution: Security Support Provider
  - Credentials from Password Stores
  - Credentials from Password Stores: Credentials from Web Browsers
  - Credentials from Password Stores: Windows Credential Manager
  - OS Credential Dumping: LSA Secrets
  - OS Credential Dumping: DCSync
  - OS Credential Dumping: Security Account Manager
  - OS Credential Dumping: LSASS Memory
  - Rogue Domain Controller
  - Steal or Forge Kerberos Tickets: Silver Ticket
  - Steal or Forge Kerberos Tickets: Golden Ticket
  - Unsecured Credentials: Private Keys
  - Use Alternate Authentication Material: Pass the Hash
  - Use Alternate Authentication Material: Pass the Ticket

References
