Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Stuxnet
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Stuxnet
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) Stuxnet was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)
ID: S0603
Associated Software: W32.Stuxnet
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 14 Dec 2020
Last Modified: 20 Oct 2022

Associated Software Descriptions
Name Description
W32.Stuxnet (Citation: Symantec W.32 Stuxnet Dossier)

Techniques Used
Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1087 .001 Account Discovery: Local Account

Stuxnet enumerates user accounts of the local host.(Citation: Symantec W.32 Stuxnet Dossier)
.002 Account Discovery: Domain Account

Stuxnet enumerates user accounts of the domain.(Citation: Symantec W.32 Stuxnet Dossier)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Stuxnet uses HTTP to communicate with a command and control server. (Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Stuxnet uses a driver registered as a boot start service as the main load-point.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1132 .001 Data Encoding: Standard Encoding

Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.(Citation: Symantec W.32 Stuxnet Dossier)

Enterprise T1070 .004 Indicator Removal: File Deletion

Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.(Citation: Symantec W.32 Stuxnet Dossier)
.006 Indicator Removal: Timestomp

Stuxnet extracts and writes driver files that match the times of other legitimate files.(Citation: Symantec W.32 Stuxnet Dossier)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1090 .001 Proxy: Internal Proxy

Stuxnet installs an RPC server for P2P communications.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Stuxnet propagates to available network shares.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Stuxnet schedules a network job to execute two minutes after host infection.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

Stuxnet used xp_cmdshell to store and execute SQL code.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Stuxnet enumerates the currently running processes related to a variety of security products.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Stuxnet used a digitally signed driver with a compromised Realtek certificate.(Citation: Symantec W.32 Stuxnet Dossier)
Enterprise T1078 .001 Valid Accounts: Default Accounts

Stuxnet infected WinCC machines via a hardcoded database server password.(Citation: Symantec W.32 Stuxnet Dossier)
.002 Valid Accounts: Domain Accounts

Stuxnet attempts to access network resources with a domain account’s credentials.(Citation: Symantec W.32 Stuxnet Dossier)

References

  1. CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.
  2. Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.
  3. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  4. Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.