OwaAuth

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.(Citation: Dell TG-3390) |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.(Citation: Dell TG-3390) |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | OwaAuth has a command to timestomp a file or directory.(Citation: Dell TG-3390) |
| Enterprise | T1056.001 | Input Capture: Keylogging | OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in |
| Enterprise | T1505.003 | Server Software Component: Web Shell | OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.(Citation: Dell TG-3390) |
| Enterprise | T1505.004 | Server Software Component: IIS Components | OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.(Citation: Dell TG-3390) |
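The two Server Software Component rows above describe the same mechanism from a defender's point of view: a DLL registered as an IIS ISAPI filter is loaded into w3wp.exe, and a malicious one can hide behind a legitimate file name placed in an unexpected directory. The following Python script is an added example, not code from the ATT&CK page or from OwaAuth. It parses an applicationHost.config-style fragment (the `system.webServer/isapiFilters/filter` layout IIS uses) and flags enabled filter DLLs that sit outside an allowlist of expected directories. The XML fragment, the directory allowlist and every path in them are constructed placeholders; a real deployment would build the allowlist from a known-good baseline of its own Exchange and .NET install locations.

```python
"""Audit IIS ISAPI filter registrations for DLLs loaded from unexpected places.

Added defensive example (not OwaAuth code, not from the ATT&CK page). It reads
an applicationHost.config-style XML fragment and reports enabled ISAPI filter
DLLs whose path is not under an allowlisted directory, the pattern described
for OwaAuth under T1505.004 and T1036.005.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed configuration fragment. The paths are placeholders and are not
# claimed to be the real location of any Exchange or IIS component.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit"
              path="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_filter.dll"
              enabled="true" />
      <filter name="OwaAuth"
              path="C:\\inetpub\\wwwroot\\owaauth.dll"
              enabled="true" />
      <filter name="LegacyFilter"
              path="D:\\old\\legacy_filter.dll"
              enabled="false" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""

# Assumed allowlist of directory prefixes where filter DLLs are expected on
# this host. An operator fills this from a known-good baseline; the entries
# below are illustrative placeholders.
ALLOWED_DIRS = (
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server"),
)


def _under(path, prefix):
    """True if `path` lies inside `prefix`, comparing components case-insensitively
    (Windows paths are case-insensitive, so a case-only difference is not a hit)."""
    p = [part.lower() for part in path.parts]
    q = [part.lower() for part in prefix.parts]
    return p[:len(q)] == q


def audit_isapi_filters(config_xml, allowed_dirs=ALLOWED_DIRS):
    """Return a list of (filter_name, path, reason) for registrations worth review.

    Disabled filters are skipped because IIS does not load them into w3wp.exe.
    A relative path is reported on its own, since which file actually gets
    loaded then depends on the process's working directory.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter("filter"):
        name = elem.get("name", "")
        raw_path = elem.get("path", "")
        if elem.get("enabled", "true").lower() != "true":
            continue
        path = PureWindowsPath(raw_path)
        if not path.is_absolute():
            findings.append((name, raw_path, "relative path"))
        elif not any(_under(path, d) for d in allowed_dirs):
            findings.append((name, raw_path, "DLL outside allowlisted directories"))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit_isapi_filters(SAMPLE_CONFIG):
        print(f"REVIEW  filter={name!r}  path={path}  reason={reason}")
```

Run against the constructed fragment, the script reports only the `OwaAuth` filter registered from `C:\inetpub\wwwroot`; the .NET filter is under an allowlisted prefix and the disabled entry is ignored. In practice the same function can be pointed at the live `%windir%\System32\inetsrv\config\applicationHost.config`, and the allowlist approach is deliberately path-based rather than name-based: a file called owaauth.dll in the wrong directory is exactly the case the name check alone would miss.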