Anchor
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Anchor_DNS | (Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Anchor has used HTTP and HTTPS in C2 communications.(Citation: Cyberreason Anchor December 2019) |
| .004 | Application Layer Protocol: DNS |
Variants of Anchor can use DNS tunneling to communicate with C2.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Anchor has used cmd.exe to run its self deletion routine.(Citation: Cyberreason Anchor December 2019) |
| .004 | Command and Scripting Interpreter: Unix Shell |
Anchor can execute payloads via shell scripting.(Citation: Medium Anchor DNS July 2020) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Anchor can establish persistence by creating a service.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1564 | .004 | Hide Artifacts: NTFS File Attributes |
Anchor has used NTFS to hide files.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Anchor can self delete its dropper after the malware is successfully deployed.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Anchor has come with a packed payload.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
Anchor can support windows execution via SMB shares.(Citation: Medium Anchor DNS July 2020) |
| Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
Anchor can install itself as a cron job.(Citation: Medium Anchor DNS July 2020) |
| .005 | Scheduled Task/Job: Scheduled Task |
Anchor can create a scheduled task for persistence.(Citation: Cyberreason Anchor December 2019) |
||
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Anchor has been signed with valid certificates to evade detection by security tools.(Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1569 | .002 | System Services: Service Execution |
Anchor can create and execute services to load its payload.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.