Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Sakula

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)

ID: S0074

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 Mar 2020

Domain	ID		Name	Use
Techniques Used
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	Sakula contains UAC bypass code for both 32- and 64-bit systems.(Citation: Dell Sakula)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Sakula uses HTTP for C2.(Citation: Dell Sakula)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Most Sakula samples maintain persistence by setting the Registry Run key `SOFTWARE\Microsoft\Windows\CurrentVersion\Run\` in the HKLM or HKCU hive, with the Registry value and file name varying by sample.(Citation: Dell Sakula)
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.(Citation: Dell Sakula)
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	Some Sakula samples install themselves as services for persistence by calling WinExec with the `net start` argument.(Citation: Dell Sakula)
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Sakula encodes C2 traffic with single-byte XOR keys.(Citation: Dell Sakula)
Enterprise	T1574	.002	Hijack Execution Flow: DLL Side-Loading	Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.(Citation: Dell Sakula)
Enterprise	T1070	.004	Indicator Removal: File Deletion	Some Sakula samples use cmd.exe to delete temporary files.(Citation: Dell Sakula)
Enterprise	T1218	.011	System Binary Proxy Execution: Rundll32	Sakula calls cmd.exe to run various DLL files via rundll32.(Citation: Dell Sakula)

ID	Name	References
Groups That Use This Software
G0009	Deep Panda	(Citation: ThreatConnect Anthem)

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Sakula

Techniques Used

Groups That Use This Software

References