PLATINUM, Group G0068 | MITRE ATT&CK®

PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar
Version: 1.3
Created: 18 April 2018
Last Modified: 25 April 2025

Techniques Used

Domain      ID          Name                                    Use
Enterprise  T1189       Drive-by Compromise                     PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins. [1]
Enterprise  T1068       Exploitation for Privilege Escalation   PLATINUM has leveraged a zero-day vulnerability to escalate privileges. [1]
Enterprise  T1105       Ingress Tool Transfer                   PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel. [2]
Enterprise  T1056.001   Input Capture: Keylogging               PLATINUM has used several different keyloggers. [1]
Enterprise  T1056.004   Input Capture: Credential API Hooking   PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access. [1]
Enterprise  T1036       Masquerading                            PLATINUM has renamed rar.exe to avoid detection. [3]
Enterprise  T1095       Non-Application Layer Protocol          PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control. [2]
Enterprise  T1003.001   OS Credential Dumping: LSASS Memory     PLATINUM has used keyloggers that are also capable of dumping credentials. [1]
Enterprise  T1566.001   Phishing: Spearphishing Attachment      PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector. [1]
Enterprise  T1055       Process Injection                       PLATINUM has used various methods of process injection including hot patching. [1]
Enterprise  T1204.002   User Execution: Malicious File          PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims. [1]

Software

ID     Name     References  Techniques
S0202  adbupd   [1]         Command and Scripting Interpreter: Windows Command Shell; Encrypted Channel: Asymmetric Cryptography; Event Triggered Execution: Windows Management Instrumentation Event Subscription
S0200  Dipsind  [1]         Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Winlogon Helper DLL; Command and Scripting Interpreter: Windows Command Shell; Data Encoding: Standard Encoding; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Scheduled Transfer
S0201  JPIN     [1]         Application Layer Protocol: Mail Protocols; Application Layer Protocol: File Transfer Protocols; BITS Jobs; Command and Scripting Interpreter: Windows Command Shell; File and Directory Discovery; File and Directory Permissions Modification: Windows File and Directory Permissions Modification; Impair Defenses: Disable or Modify Tools; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Obfuscated Files or Information; Permission Groups Discovery: Local Groups; Process Discovery; Process Injection; Query Registry; Software Discovery: Security Software Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery

References

[1] Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
[2] Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
[3] Carr, N. (2018, October 25). Nick Carr Status Update. Retrieved September 12, 2024.