Honeybee
Associated Group Descriptions

Name | Description
---|---
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.(Citation: McAfee Honeybee)
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Honeybee uses FTP for command and control.(Citation: McAfee Honeybee)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.(Citation: McAfee Honeybee)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Honeybee's implant supports several commands via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.(Citation: McAfee Honeybee) Honeybee used batch scripting.(Citation: McAfee Honeybee)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.(Citation: McAfee Honeybee)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.(Citation: McAfee Honeybee)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.(Citation: McAfee Honeybee)
Enterprise | T1546.009 | Event Triggered Execution: AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using
Enterprise | T1070.004 | Indicator Removal: File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and also deletes the CAB file that gets encoded upon infection.(Citation: McAfee Honeybee)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.(Citation: McAfee Honeybee)
Enterprise | T1569.002 | System Services: Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.(Citation: McAfee Honeybee)
Software

ID | Name | References | Techniques
---|---|---|---
S0057 | Tasklist | (Citation: McAfee Honeybee) (Citation: Microsoft Tasklist) | Process Discovery, System Service Discovery, Security Software Discovery
S0096 | Systeminfo | (Citation: McAfee Honeybee) (Citation: TechNet Systeminfo) | System Information Discovery
S0106 | cmd | (Citation: McAfee Honeybee) (Citation: TechNet Cmd) (Citation: TechNet Copy) (Citation: TechNet Del) (Citation: TechNet Dir) | File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, File Deletion, Windows Command Shell, Lateral Tool Transfer
S0075 | Reg | (Citation: McAfee Honeybee) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) | Credentials in Registry, Query Registry, Modify Registry