
Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)
ID: S0140
Associated Software: Disttrack
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 31 May 2017
Last Modified: 08 Feb 2024

Associated Software Descriptions

Name: Disttrack
Description: (Citation: Palo Alto Shamoon Nov 2016)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Shamoon attempts to disable UAC remote restrictions by modifying the Registry.(Citation: Palo Alto Shamoon Nov 2016)

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.(Citation: McAfee Shamoon December 2018)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Shamoon has used HTTP for C2.(Citation: Palo Alto Shamoon Nov 2016)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the "MaintenaceSrv" and "hdv_725x" services.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Shamoon has been seen overwriting features of disk structure such as the MBR.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)

Enterprise T1070 .006 Indicator Removal: Timestomp

Shamoon can change the modified time for files to evade forensic detection.(Citation: McAfee Shamoon December 2018)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.(Citation: FireEye Shamoon Nov 2016)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)

Enterprise T1569 .002 System Services: Service Execution

Shamoon creates a new service named “ntssrv” to execute the payload. Shamoon can also spread via PsExec.(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December19 2018)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.(Citation: FireEye Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)
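The service names and masquerading display name listed above are the most concrete host artifacts on this page. The following Python is an added defender-side example, not code from ATT&CK or from any of the cited reports: it scans simplified service-installation records for those values. The key="value" record layout is an assumed simplification of Windows System log Event ID 7045 (service installed), and the sample records are constructed.

```python
"""Flag service installs matching the Shamoon service names and masquerading
display name from the ATT&CK entry above. Added example, not ATT&CK code; the
key="value" layout is an assumed simplification of Windows System log Event ID
7045 (service installed) and the sample records are constructed."""
import re
from typing import Dict, List, Tuple

# Service names the entry attributes to Shamoon (lower-cased for matching)
SHAMOON_SERVICE_NAMES = {"ntssrv", "maintenacesrv", "hdv_725x"}
# Display name Shamoon uses to pass as a Microsoft service
SHAMOON_DISPLAY_NAME = "microsoft network realtime inspection service"
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_record(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict; unknown keys are kept."""
    return dict(_KV_RE.findall(line))

def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045 record looks like a Shamoon install, if any."""
    reasons: List[str] = []
    if event.get("EventID") != "7045":   # only service-installed events matter
        return reasons
    name = event.get("ServiceName", "")
    if name.lower() in SHAMOON_SERVICE_NAMES:
        reasons.append(f"known Shamoon service name: {name}")
    if "maintenace" in name.lower():     # the misspelling itself is a tell
        reasons.append("misspelled 'maintenance' in service name")
    if event.get("DisplayName", "").lower() == SHAMOON_DISPLAY_NAME:
        reasons.append("display name imitates a Microsoft service")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, service name, reasons) for every suspicious record."""
    hits = []
    for line in lines:
        event = parse_record(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("Computer", "?"), event.get("ServiceName", "?"), reasons))
    return hits

# Constructed sample records (not real telemetry); the 4624 logon event is ignored
SAMPLE_LOG = [
    'EventID="7045" Computer="WS01" ServiceName="ntssrv" DisplayName="Microsoft Network Realtime Inspection Service"',
    'EventID="7045" Computer="WS02" ServiceName="Spooler" DisplayName="Print Spooler"',
    'EventID="4624" Computer="WS02" ServiceName="ntssrv"',
    'EventID="7045" Computer="WS03" ServiceName="MaintenaceSrv" DisplayName="MaintenaceSrv"',
    'EventID="7045" Computer="WS04" ServiceName="hdv_725x" DisplayName="hdv_725x"',
]
```

Running scan(SAMPLE_LOG) reports WS01, WS03 and WS04; in production the same checks would be fed from exported System log records rather than the constructed list.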
