
NOKKI

NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)
ID: S0353
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 30 Jan 2019
Last Modified: 18 Mar 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

NOKKI has used HTTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

NOKKI has used FTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1074 .001 Data Staged: Local Data Staging

NOKKI can collect data from the victim and stage it in %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1070 .004 Indicator Removal: File Deletion

NOKKI can delete files to cover tracks.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1056 .004 Input Capture: Credential API Hooking

NOKKI uses the Windows API call SetWindowsHookEx to install a hook that is injected into every GUI process running on the victim's machine.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.(Citation: Unit 42 NOKKI Sept 2018)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

NOKKI has used rundll32 for execution.(Citation: Unit 42 NOKKI Sept 2018)

Groups That Use This Software

ID Name References
G0094 Kimsuky (Citation: Crowdstrike GTR2020 Mar 2020)
