
Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)
ID: G0108
Associated Groups: 
Version: 1.3
Created: 26 May 2020
Last Modified: 10 Jul 2024

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Blue Mockingbird has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1543.003 Create or Modify System Process: Windows Service

Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1574.012 Hijack Execution Flow: COR_PROFILER

Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Blue Mockingbird has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1588.002 Obtain Capabilities: Tool

Blue Mockingbird has obtained and used tools such as Mimikatz.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1496.001 Resource Hijacking: Compute Hijacking

Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1218.010 System Binary Proxy Execution: Regsvr32

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1569.002 System Services: Service Execution

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.(Citation: RedCanary Mockingbird May 2020)
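As an added example (not part of the ATT&CK entry or the cited Red Canary report), the following Python triage rules match constructed Sysmon-style command lines against the tradecraft listed above: COR_PROFILER changes via wmic, mofcomp compiling a .mof file, regsvr32/rundll32 loading DLLs, scheduled-task creation, and DLL names that are one edit away from wercplsupport.dll. The sample command lines, the CLSID placeholder and the one-edit masquerade threshold are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process command lines (not real telemetry);
# the CLSID value is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    r'wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="{CLSID-PLACEHOLDER}"',
    r"mofcomp.exe C:\Windows\Temp\persist.mof",
    r"regsvr32.exe /s C:\Windows\System32\wercplsupporte.dll",
    r"rundll32.exe C:\Windows\System32\wercplsupport.dll,#1",
    r"schtasks /create /tn Updater /tr C:\Windows\Temp\run.bat /sc onlogon",
    r"notepad.exe C:\Users\alice\notes.txt",
]

LEGITIMATE_DLLS = {"wercplsupport.dll"}  # legitimate name the page says was imitated
DLL_RE = re.compile(r"[^\s\"',]+\.dll")   # path tokens ending in .dll

def edit_distance_le1(a, b):
    """True if a becomes b with at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):   i += 1          # deletion from a
        elif len(a) < len(b): j += 1          # insertion into a
        else:                 i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def masquerades(dll_name):
    """A DLL name that nearly, but not exactly, matches a legitimate one."""
    n = dll_name.lower()
    return any(n != legit and edit_distance_le1(n, legit) for legit in LEGITIMATE_DLLS)

def classify(cmdline):
    """Return the ATT&CK sub-technique IDs from the table above that the command line matches."""
    c = cmdline.lower()
    exe = ntpath.basename(c.split()[0]).removesuffix(".exe")
    hits = []
    if "cor_profiler" in c:                      # env var set via wmic/reg/powershell
        hits.append("T1574.012")
    if exe == "mofcomp" and ".mof" in c:         # WMI subscription compiled from a .mof
        hits.append("T1546.003")
    if exe in ("regsvr32", "rundll32"):          # DLL proxy execution
        hits.append("T1218.010" if exe == "regsvr32" else "T1218.011")
        if any(masquerades(ntpath.basename(d)) for d in DLL_RE.findall(c)):
            hits.append("T1036.005")
    if exe == "schtasks" and "/create" in c:     # scheduled-task persistence
        hits.append("T1053.005")
    return hits

if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        print(classify(cmd) or ["-"], cmd)
```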

Software

ID: S1144
Name: FRP
References: (Citation: DFIR Phosphorus November 2021) (Citation: FRP GitHub) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: RedCanary Mockingbird May 2020)
Techniques: Non-Application Layer Protocol, JavaScript, Proxy, Protocol Tunneling, Asymmetric Cryptography, Network Service Discovery, System Network Connections Discovery, Multi-hop Proxy, Symmetric Cryptography, Web Protocols

ID: S0002
Name: Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: RedCanary Mockingbird May 2020)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
