Egregor
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Egregor has communicated with its C2 servers via HTTPS protocol.(Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.(Citation: Intrinsec Egregor Nov 2020) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.(Citation: JoeSecurity Egregor 2020)(Citation: Cybereason Egregor Nov 2020) |
||
| Enterprise | T1484 | .001 | Domain Policy Modification: Group Policy Modification |
Egregor can modify the GPO to evade detection.(Citation: Cybereason Egregor Nov 2020) (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Egregor has used DLL side-loading to execute its payload.(Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Egregor has disabled Windows Defender to evade protections.(Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Egregor has masqueraded the svchost.exe process to exfiltrate data.(Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.(Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
Egregor has used regsvr32.exe to execute malicious DLLs.(Citation: JoeSecurity Egregor 2020) |
| .011 | System Binary Proxy Execution: Rundll32 |
Egregor has used rundll32 during execution.(Citation: Cybereason Egregor Nov 2020) |
||
| Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.(Citation: JoeSecurity Egregor 2020) |
References
- NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
- Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
- Meskauskas, T.. (2020, October 29). Egregor: Sekhmet’s Cousin. Retrieved January 6, 2021.
- Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
- Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.