RainyDay
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
RainyDay can use HTTP in C2 communications.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
RainyDay can use the Windows Command Shell for execution.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
RainyDay can use services to establish persistence.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
RainyDay can use tools to collect credentials from web browsers.(Citation: Bitdefender Naikon April 2021) |
.004 | Credentials from Password Stores: Windows Credential Manager |
RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.(Citation: Bitdefender Naikon April 2021) |
||
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
RainyDay can use a file exfiltration tool to copy files to |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
RainyDay can use RC4 to encrypt C2 communications.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
RainyDay can use a file exfiltration tool to upload specific files to Dropbox.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
RainyDay can use side-loading to run malicious executables.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
RainyDay has the ability to uninstall itself by deleting its service and files.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
RainyDay has named services and scheduled tasks to appear benign including "ChromeCheck" and "googleupdate."(Citation: Bitdefender Naikon April 2021) |
.005 | Masquerading: Match Legitimate Name or Location |
RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.(Citation: Bitdefender Naikon April 2021) |
||
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
RainyDay has downloaded as a XOR-encrypted payload.(Citation: Bitdefender Naikon April 2021) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
RainyDay can use scheduled tasks to achieve persistence.(Citation: Bitdefender Naikon April 2021) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.