Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)
ID: S0554
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 29 Dec 2020
Last Modified: 14 Oct 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Egregor has communicated with its C2 servers via HTTPS protocol.(Citation: Intrinsec Egregor Nov 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.(Citation: Intrinsec Egregor Nov 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.(Citation: JoeSecurity Egregor 2020)(Citation: Cybereason Egregor Nov 2020)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Egregor can modify the GPO to evade detection.(Citation: Cybereason Egregor Nov 2020) (Citation: Intrinsec Egregor Nov 2020)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Egregor has used DLL side-loading to execute its payload.(Citation: Cyble Egregor Oct 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Egregor has disabled Windows Defender to evade protections.(Citation: Intrinsec Egregor Nov 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Egregor has masqueraded the svchost.exe process to exfiltrate data.(Citation: Intrinsec Egregor Nov 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.(Citation: Intrinsec Egregor Nov 2020)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Egregor has used regsvr32.exe to execute malicious DLLs.(Citation: JoeSecurity Egregor 2020)

.011 System Binary Proxy Execution: Rundll32

Egregor has used rundll32 during execution.(Citation: Cybereason Egregor Nov 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.(Citation: JoeSecurity Egregor 2020)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.