
Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)
ID: S0239
Associated Software: Trojan Manuscript
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 Oct 2018
Last Modified: 30 Mar 2020

Associated Software Descriptions

Name Description
Trojan Manuscript (Citation: McAfee Bankshot)

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user. (Citation: McAfee Bankshot)

Enterprise T1087 .001 Account Discovery: Local Account

Bankshot gathers domain and account names/information through process monitoring. (Citation: McAfee Bankshot)

Enterprise T1087 .002 Account Discovery: Domain Account

Bankshot gathers domain and account names/information through process monitoring. (Citation: McAfee Bankshot)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bankshot uses HTTP for command and control communication. (Citation: McAfee Bankshot)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bankshot uses the command-line interface to execute arbitrary commands. (Citation: McAfee Bankshot) (Citation: US-CERT Bankshot Dec 2017)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Bankshot can terminate a specific process by its process id. (Citation: McAfee Bankshot) (Citation: US-CERT Bankshot Dec 2017)

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Bankshot encodes commands from the control server using a range of characters and gzip. (Citation: McAfee Bankshot)

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications. (Citation: US-CERT Bankshot Dec 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system. (Citation: McAfee Bankshot)

Enterprise T1070 .006 Indicator Removal: Timestomp

Bankshot modifies the time of a file as specified by the control server. (Citation: McAfee Bankshot)
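The File Deletion entry above notes that Bankshot marks files for removal at the next reboot. The page does not say which API the implant uses for that; on Windows the usual way to request a delayed deletion is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. That value is worth checking during triage, because a pending deletion of a DLL or executable from a temp or profile directory is exactly the trace this technique leaves behind before the reboot wipes it. The parser below is an added example written for this page (not code from MITRE, McAfee or US-CERT); it decodes the value's raw bytes into source/destination pairs (an empty destination means delete, a leading "!" on the destination means replace-existing), and the sample registry data it parses is constructed, not taken from any Bankshot sample.

```python
"""Parse a PendingFileRenameOperations value and flag delayed deletions.

The value is a REG_MULTI_SZ: UTF-16LE strings separated by NUL, in pairs
of (source, destination). A destination of "" means the source is deleted
at boot; a destination starting with "!" means an existing file is replaced.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None means "delete on reboot"
    replace_existing: bool


def _strip_nt_prefix(path: str) -> str:
    # Entries are stored as NT object paths such as \??\C:\dir\file
    return path[4:] if path.startswith("\\??\\") else path


def build_multi_sz(entries: List[str]) -> bytes:
    """Encode a list of strings the way the registry stores REG_MULTI_SZ.

    Used here only to construct sample data; on a live host the bytes come
    from the registry itself.
    """
    return ("\0".join(entries) + "\0\0").encode("utf-16-le")


def parse_pending_file_rename_operations(raw: bytes) -> List[PendingOp]:
    """Decode raw REG_MULTI_SZ bytes into a list of pending operations."""
    parts = raw.decode("utf-16-le").split("\0")
    # Drop the terminating empty strings at the very end of the value.
    while parts and parts[-1] == "":
        parts.pop()
    # A trailing delete has an empty destination that the loop above ate;
    # restore it so every source still has a partner.
    if len(parts) % 2:
        parts.append("")
    ops: List[PendingOp] = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith("!")
        dst_clean = dst[1:] if replace else dst
        ops.append(PendingOp(
            source=_strip_nt_prefix(src),
            destination=_strip_nt_prefix(dst_clean) if dst_clean else None,
            replace_existing=replace,
        ))
    return ops


# Locations and extensions that rarely have legitimate delayed deletions
# of executable content; tune for your environment (assumed heuristic).
_SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
_EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".bat", ".ps1")


def flag_delayed_deletions(ops: List[PendingOp]) -> List[str]:
    """Return source paths scheduled for deletion that look like cleanup of a payload."""
    hits = []
    for op in ops:
        if op.destination is not None:
            continue  # rename, not delete
        p = op.source.lower()
        if p.endswith(_EXEC_EXTS) or any(d in p for d in _SUSPICIOUS_DIRS):
            hits.append(op.source)
    return hits


# Constructed sample: one delayed delete of a DLL dropped in a temp directory,
# followed by a legitimate-looking driver replacement queued by an installer.
SAMPLE_VALUE = build_multi_sz([
    "\\??\\C:\\Users\\analyst\\AppData\\Local\\Temp\\svchelper.dll",
    "",
    "\\??\\C:\\Windows\\Temp\\drv_update.tmp",
    "!\\??\\C:\\Windows\\System32\\drivers\\example.sys",
])


if __name__ == "__main__":
    for op in parse_pending_file_rename_operations(SAMPLE_VALUE):
        print(op)
    print("flagged:", flag_delayed_deletions(parse_pending_file_rename_operations(SAMPLE_VALUE)))
```

On a live Windows host the raw bytes would come from the registry (for example via winreg, or from an exported SYSTEM hive during forensic analysis); the parser itself is platform-independent so it can run on a collection server. Because the value is consumed and cleared at boot, it should be captured before any reboot of a suspected host.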

Groups That Use This Software

ID Name References
G0032 Lazarus Group (Citation: McAfee Bankshot)
