WindTail
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | WindTail has the ability to use HTTP for C2 communications. (Citation: objective-see windtail2 jan 2019) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | WindTail has the ability to use the macOS built-in zip utility to archive files. (Citation: objective-see windtail2 jan 2019) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | WindTail can use the |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | WindTail has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl. (Citation: objective-see windtail2 jan 2019) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | WindTail can instruct the OS to execute an application without a dock icon or menu. (Citation: objective-see windtail1 dec 2018) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | WindTail has the ability to receive and execute a self-delete command. (Citation: objective-see windtail2 jan 2019) |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | WindTail has been incompletely signed with revoked certificates. (Citation: objective-see windtail1 dec 2018) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | WindTail can be delivered as a compressed, encrypted, and encoded payload. (Citation: objective-see windtail2 jan 2019) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0112 | Windshift | (Citation: SANS Windshift August 2018) (Citation: objective-see windtail1 dec 2018) (Citation: objective-see windtail2 jan 2019) |
References
- Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
- Wardle, P. (2018, December 20). Middle East Cyber-Espionage: Analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
- Wardle, P. (2019, January 15). Middle East Cyber-Espionage: Analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.