
Netwalker

Netwalker is fileless ransomware written in PowerShell and executed directly in memory. (Citation: TrendMicro Netwalker May 2020)
ID: S0457
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 26 May 2020
Last Modified: 22 Mar 2023

Techniques Used

Domain ID Name Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Netwalker has been written in PowerShell and executed directly in memory, avoiding detection. (Citation: TrendMicro Netwalker May 2020) (Citation: Sophos Netwalker May 2020)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload. (Citation: Sophos Netwalker May 2020)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Netwalker can detect and terminate active security software-related processes on infected systems. (Citation: TrendMicro Netwalker May 2020) (Citation: Sophos Netwalker May 2020)

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads

Netwalker's DLL has been embedded within the PowerShell script in hex format. (Citation: TrendMicro Netwalker May 2020)

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Netwalker's PowerShell script has been obfuscated with multiple layers, including base64 and hexadecimal encoding and XOR encryption, as well as obfuscated PowerShell functions and variables. (Citation: TrendMicro Netwalker May 2020) (Citation: Sophos Netwalker May 2020)

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

The Netwalker DLL has been injected reflectively into the memory of a legitimate running process. (Citation: TrendMicro Netwalker May 2020)

Enterprise T1518.001 Software Discovery: Security Software Discovery

Netwalker can detect and terminate active security software-related processes on infected systems. (Citation: TrendMicro Netwalker May 2020)

Enterprise T1569.002 System Services: Service Execution

Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload. (Citation: Sophos Netwalker May 2020)
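The T1027.009 and T1027.010 rows describe the detection problem a defender actually faces with this family: the DLL is not on disk but sits inside the PowerShell script as a hex literal, itself wrapped in further base64 and XOR layers. The following is an added example written for this page, not code from the ATT&CK entry, SECURITM, or the cited reports. It walks every long string literal in a script body, peels hex and base64 layers off it, and checks whether what remains carries a PE header (the DOS `MZ` magic with an `e_lfanew` field that points at a `PE\0\0` signature). The script text, the stand-in PE bytes and the indicator regex list are constructed here; the indicators are generic PowerShell constructs (`FromBase64String`, `-bxor`, `Invoke-Expression`, `[System.Reflection.Assembly]::Load`), not Netwalker-specific signatures.

```python
"""Hunt for hex/base64-wrapped PE payloads and obfuscation cues in PowerShell script text."""
import base64
import binascii
import re

# Any long run of characters that could be a hex or base64 literal.
TOKEN = re.compile(r"[A-Za-z0-9+/=]{64,}")
HEX_ONLY = re.compile(r"[0-9A-Fa-f]{64,}")
B64_ONLY = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Generic PowerShell constructs matching the layering the entry describes (base64, hex,
# XOR, in-memory loading). Each is legitimate on its own; they are cues, not verdicts.
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "xor": re.compile(r"-bxor\b", re.I),
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
}


def peel(token: str, max_depth: int = 4):
    """Strip nested hex/base64 layers from a literal; return (innermost bytes, layers removed)."""
    data = token.encode("ascii", errors="ignore")
    layers = 0
    for _ in range(max_depth):
        text = data.decode("ascii", errors="ignore").strip()
        if HEX_ONLY.fullmatch(text) and len(text) % 2 == 0:
            data = bytes.fromhex(text)
        elif B64_ONLY.fullmatch(text):
            try:
                data = base64.b64decode(text, validate=True)
            except (binascii.Error, ValueError):
                break
        else:
            break
        layers += 1
    return data, layers


def looks_like_pe(blob: bytes) -> bool:
    """DOS 'MZ' magic whose e_lfanew field points at an in-range 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return 0 < e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_script(text: str) -> dict:
    """Report embedded PE images (with their wrapping depth) and obfuscation cues."""
    report = {"embedded_pe": [], "indicators": []}
    for m in TOKEN.finditer(text):
        blob, layers = peel(m.group(0))
        if layers and looks_like_pe(blob):
            report["embedded_pe"].append({"offset": m.start(), "layers": layers, "size": len(blob)})
    report["indicators"] = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return report


# --- constructed sample (not real malware, not a real Netwalker script) ---
_hdr = bytearray(0x40)
_hdr[:2] = b"MZ"
_hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")               # e_lfanew -> offset 0x40
FAKE_PE = bytes(_hdr) + b"PE\x00\x00" + b"\x00" * 16          # 84-byte stand-in for a DLL image
B64_BLOB = base64.b64encode(FAKE_PE.hex().encode()).decode()  # hex layer wrapped in base64

SAMPLE_SCRIPT = (
    "# constructed test script: mimics the two-layer wrapping only\n"
    f'$blob = "{B64_BLOB}"\n'
    "$hex = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($blob))\n"
    "$key = 0x2a\n"
    "$mask = $key -bxor 0xff\n"
)

if __name__ == "__main__":
    print(scan_script(SAMPLE_SCRIPT))
```

The XOR layer is deliberately not undone: its key lives somewhere in the (obfuscated) script and recovering it is a per-sample analysis step, so that layer only surfaces through the `-bxor` cue. In practice the input would be the `ScriptBlockText` field of PowerShell script block logging (Event ID 4104), where in-memory execution still leaves the full decoded script body.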
