SMOKEDHAM
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | SMOKEDHAM has used |
| Enterprise | T1098.007 | Account Manipulation: Additional Local or Domain Groups | SMOKEDHAM has added user accounts to local Admin groups. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SMOKEDHAM has used |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SMOKEDHAM can execute PowerShell commands sent from its C2 server. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1136.001 | Create Account: Local Account | SMOKEDHAM has created user accounts. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | SMOKEDHAM has encoded its C2 traffic with Base64. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | SMOKEDHAM has encrypted its C2 traffic with RC4. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1564.002 | Hide Artifacts: Hidden Users | SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1056.001 | Input Capture: Keylogging | SMOKEDHAM can continuously capture keystrokes. (Citation: FireEye Shining A Light on DARKSIDE May 2021) (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The SMOKEDHAM source code is embedded in the dropper as an encrypted string. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | SMOKEDHAM has been delivered via malicious links in phishing emails. (Citation: FireEye Shining A Light on DARKSIDE May 2021) |
| Enterprise | T1090.004 | Proxy: Domain Fronting | SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1204.001 | User Execution: Malicious Link | SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing. (Citation: FireEye Shining A Light on DARKSIDE May 2021) |