Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

GreyEnergy

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)

ID: S0342

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 30 Jan 2019

Last Modified: 30 Mar 2020

Domain	ID		Name	Use
Techniques Used
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	GreyEnergy uses HTTP and HTTPS for C2 communications.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	GreyEnergy uses cmd.exe to execute itself in-memory.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	GreyEnergy encrypts communications using AES256.(Citation: ESET GreyEnergy Oct 2018)
		.002	Encrypted Channel: Asymmetric Cryptography	GreyEnergy encrypts communications using RSA-2048.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1070	.004	Indicator Removal: File Deletion	GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1056	.001	Input Capture: Keylogging	GreyEnergy has a module to harvest pressed keystrokes.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	GreyEnergy is packed for obfuscation.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1055	.002	Process Injection: Portable Executable Injection	GreyEnergy has a module to inject a PE binary into a remote process.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1090	.003	Proxy: Multi-hop Proxy	GreyEnergy has used Tor relays for Command and Control servers.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	GreyEnergy digitally signs the malware with a code-signing certificate.(Citation: ESET GreyEnergy Oct 2018)
Enterprise	T1218	.011	System Binary Proxy Execution: Rundll32	GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM).(Citation: ESET GreyEnergy Oct 2018)

ID	Name	References
Groups That Use This Software
G0034	Sandworm Team	(Citation: Secureworks IRON VIKING )

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

GreyEnergy

Techniques Used

Groups That Use This Software

References