
NotPetya

NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
ID: S0368
Associated Software: ExPetr, Diskcoder.C, GoldenEye, Nyetya, Petrwrap
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 26 Mar 2019
Last Modified: 08 Mar 2023

Associated Software Descriptions

Name         Description
ExPetr       (Citation: ESET Telebots June 2017)
Diskcoder.C  (Citation: ESET Telebots June 2017)
GoldenEye    (Citation: Talos Nyetya June 2017)
Nyetya       (Citation: Talos Nyetya June 2017)
Petrwrap     (Citation: Talos Nyetya June 2017) (Citation: ESET Telebots June 2017)

Techniques Used

Domain      ID         Name / Use

Enterprise  T1070.001  Indicator Removal: Clear Windows Event Logs

NotPetya uses wevtutil to clear the Windows event logs. (Citation: Talos Nyetya June 2017) (Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise  T1003.001  OS Credential Dumping: LSASS Memory

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement. (Citation: Talos Nyetya June 2017) (Citation: US-CERT NotPetya 2017) (Citation: NCSC Joint Report Public Tools)

Enterprise  T1021.002  Remote Services: SMB/Windows Admin Shares

NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems. (Citation: Talos Nyetya June 2017) (Citation: US-CERT NotPetya 2017) (Citation: PsExec Russinovich)

Enterprise  T1053.005  Scheduled Task/Job: Scheduled Task

NotPetya creates a task to reboot the system one hour after infection. (Citation: Talos Nyetya June 2017)

Enterprise  T1518.001  Software Discovery: Security Software Discovery

NotPetya determines if specific antivirus programs are running on an infected host machine. (Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise  T1218.011  System Binary Proxy Execution: Rundll32

NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic. (Citation: Talos Nyetya June 2017)

Enterprise  T1569.002  System Services: Service Execution

NotPetya can use PsExec to help propagate itself across a network. (Citation: Talos Nyetya June 2017) (Citation: US-CERT NotPetya 2017)

Enterprise  T1078.003  Valid Accounts: Local Accounts

NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems. (Citation: Talos Nyetya June 2017) (Citation: US-CERT NotPetya 2017)
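As an added detection example (not part of this ATT&CK/SECURITM entry), the rule set below maps constructed process-creation events to three of the techniques listed above: event log clearing via wevtutil, the scheduled reboot task, and rundll32 launched through PsExec or WMI. The record fields, the sample command lines, the placeholder file name PAYLOAD.dat and the parent-process names PSEXESVC.exe / WmiPrvSE.exe are assumptions made for illustration.

```python
from collections import Counter

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine). Illustrative only; not real NotPetya telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\PSEXESVC.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\PAYLOAD.dat,#1 60"},            # placeholder DLL name
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil cl Security"},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'/Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 14:35'},
    {"parent": r"C:\Windows\explorer.exe",                               # benign rundll32 use
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe",                          # benign log query
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil qe Security /c:5"},
]

# Assumption: parents that indicate remote execution via PsExec (its service) or wmic (WMI host).
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}


def basename(path):
    """Case-insensitive file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the ATT&CK (sub)technique IDs from this entry that one event matches."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    cmd = ev["cmd"].lower()
    tokens = cmd.split()
    hits = []
    # T1070.001: wevtutil with the clear-log verb ("cl" / "clear-log"); queries do not match
    if image == "wevtutil.exe" and any(t in ("cl", "clear-log") for t in tokens):
        hits.append("T1070.001")
    # T1053.005: a task created to run shutdown (the one-hour reboot described above)
    if image == "schtasks.exe" and "/create" in tokens and "shutdown" in cmd:
        hits.append("T1053.005")
    # T1218.011: rundll32 spawned by the PsExec service or the WMI provider host
    if image == "rundll32.exe" and parent in REMOTE_EXEC_PARENTS:
        hits.append("T1218.011")
    return hits


def scan(events):
    """Aggregate technique hits over a batch of events: {technique_id: count}."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    return dict(counts)
```

Running `scan(SAMPLE_EVENTS)` flags one event each for T1070.001, T1053.005 and T1218.011 while leaving the two benign records unmatched.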

Groups That Use This Software

ID     Name           References

G0034  Sandworm Team  (Citation: Trend Micro Cyclops Blink March 2022) (Citation: NCSC Sandworm Feb 2020) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: Secureworks IRON VIKING) (Citation: UK NCSC Olympic Attacks October 2020)
