Duqu
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | The discovery modules used with Duqu can collect information on accounts and permissions.(Citation: Symantec W32.Duqu) |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.(Citation: Symantec W32.Duqu) |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.(Citation: Symantec W32.Duqu) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | The Duqu command and control protocol's data stream can be encrypted with AES-CBC.(Citation: Symantec W32.Duqu) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Duqu can track key presses with a keylogger module.(Citation: Symantec W32.Duqu) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).(Citation: Symantec W32.Duqu) |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Duqu is capable of loading executable code via process hollowing.(Citation: Symantec W32.Duqu) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access.(Citation: Symantec W32.Duqu) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.(Citation: Symantec W32.Duqu) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.(Citation: Symantec W32.Duqu) |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Duqu has used |