SeaDuke
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SeaDuke uses HTTP and HTTPS for C2.(Citation: F-Secure The Dukes) |
Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
SeaDuke compressed data with zlib prior to sending it over C2.(Citation: Mandiant No Easy Breach) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.(Citation: Unit 42 SeaDuke 2015) |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.(Citation: Unit 42 SeaDuke 2015) |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.(Citation: Symantec Seaduke 2015) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
SeaDuke is capable of executing commands.(Citation: Unit 42 SeaDuke 2015) |
||
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
SeaDuke C2 traffic is base64-encoded.(Citation: Unit 42 SeaDuke 2015) |
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.(Citation: Symantec Seaduke 2015) |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
SeaDuke C2 traffic has been encrypted with RC4 and AES.(Citation: Mandiant No Easy Breach)(Citation: Unit 42 SeaDuke 2015) |
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.(Citation: FireEye WMI 2015) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
SeaDuke can securely delete files, including deleting itself from the victim.(Citation: Symantec Seaduke 2015) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
SeaDuke has been packed with the UPX packer.(Citation: Unit 42 SeaDuke 2015) |
Enterprise | T1550 | .003 | Use Alternate Authentication Material: Pass the Ticket |
Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.(Citation: Symantec Seaduke 2015) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0016 | APT29 |
(Citation: F-Secure The Dukes) (Citation: Secureworks IRON HEMLOCK Profile) (Citation: Symantec Seaduke 2015) |
References
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.
- Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.