Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

SMOKEDHAM

SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)
ID: S0649
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 22 Sep 2021
Last Modified: 14 Apr 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

SMOKEDHAM has used net.exe user and net.exe users to enumerate local accounts on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

SMOKEDHAM has added user accounts to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SMOKEDHAM has used reg.exe to create a Registry Run key.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SMOKEDHAM can execute Powershell commands sent from its C2 server.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1136 .001 Create Account: Local Account

SMOKEDHAM has created user accounts.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1132 .001 Data Encoding: Standard Encoding

SMOKEDHAM has encoded its C2 traffic with Base64.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SMOKEDHAM has encrypted its C2 traffic with RC4.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1564 .002 Hide Artifacts: Hidden Users

SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. (Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1056 .001 Input Capture: Keylogging

SMOKEDHAM can continuously capture keystrokes.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

The SMOKEDHAM source code is embedded in the dropper as an encrypted string.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

SMOKEDHAM has been delivered via malicious links in phishing emails.(Citation: FireEye Shining A Light on DARKSIDE May 2021)

Enterprise T1090 .004 Proxy: Domain Fronting

SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.(Citation: FireEye SMOKEDHAM June 2021)

Enterprise T1204 .001 User Execution: Malicious Link

SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.(Citation: FireEye Shining A Light on DARKSIDE May 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.