Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

SMOKEDHAM

SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

ID: S0649

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 22 Sep 2021

Last Modified: 18 Oct 2022

Domain	ID		Name	Use
Techniques Used
Enterprise	T1087	.001	Account Discovery: Local Account	SMOKEDHAM has used `net.exe user` and `net.exe users` to enumerate local accounts on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	SMOKEDHAM has used `reg.exe` to create a Registry Run key.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	SMOKEDHAM can execute Powershell commands sent from its C2 server.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1136	.001	Create Account: Local Account	SMOKEDHAM has created user accounts and added them to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1132	.001	Data Encoding: Standard Encoding	SMOKEDHAM has encoded its C2 traffic with Base64.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	SMOKEDHAM has encrypted its C2 traffic with RC4.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1564	.002	Hide Artifacts: Hidden Users	SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. (Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1056	.001	Input Capture: Keylogging	SMOKEDHAM can continuously capture keystrokes.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1027	.009	Obfuscated Files or Information: Embedded Payloads	The SMOKEDHAM source code is embedded in the dropper as an encrypted string.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1598	.003	Phishing for Information: Spearphishing Link	SMOKEDHAM has been delivered via malicious links in phishing emails.(Citation: FireEye Shining A Light on DARKSIDE May 2021)
Enterprise	T1090	.004	Proxy: Domain Fronting	SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.(Citation: FireEye SMOKEDHAM June 2021)
Enterprise	T1204	.001	User Execution: Malicious Link	SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.(Citation: FireEye Shining A Light on DARKSIDE May 2021)

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

SMOKEDHAM

Techniques Used

References