Netwalker
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.(Citation: Sophos Netwalker May 2020) |
||
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Netwalker can detect and terminate active security software-related processes on infected systems.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.(Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Netwalker can detect and terminate active security software-related processes on infected systems.(Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1569 | .002 | System Services: Service Execution |
Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.(Citation: Sophos Netwalker May 2020) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.