Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Blue Mockingbird
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Blue Mockingbird
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)
ID: G0108
Associated Groups: 
Version: 1.1
Created: 26 May 2020
Last Modified: 12 Oct 2021

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.(Citation: RedCanary Mockingbird May 2020)
.003 Command and Scripting Interpreter: Windows Command Shell

Blue Mockingbird has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1574 .012 Hijack Execution Flow: COR_PROFILER

Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1588 .002 Obtain Capabilities: Tool

Blue Mockingbird has obtained and used tools such as Mimikatz.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.(Citation: RedCanary Mockingbird May 2020)
.002 Remote Services: SMB/Windows Admin Shares

Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockingbird May 2020)

.011 System Binary Proxy Execution: Rundll32

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1569 .002 System Services: Service Execution

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.(Citation: RedCanary Mockingbird May 2020)

Software
ID Name References Techniques
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: RedCanary Mockingbird May 2020) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

References

  1. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.