RCSession
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | RCSession can bypass UAC to escalate privileges.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RCSession can use HTTP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RCSession has the ability to modify a Registry Run key to establish persistence.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RCSession can use `cmd.exe` for execution on compromised hosts.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | RCSession can be installed via DLL side-loading.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise | T1070.004 | Indicator Removal: File Deletion | RCSession can remove files from a targeted system.(Citation: Profero APT27 December 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | RCSession has the ability to capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | RCSession can store its obfuscated configuration file in the Registry under `HKLM\SOFTWARE\Plus` or `HKCU\SOFTWARE\Plus`.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | RCSession can compress and obfuscate its strings to evade detection on a compromised host.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1055.012 | Process Injection: Process Hollowing | RCSession can launch itself from a hollowed `svchost.exe` process.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | RCSession has the ability to execute inside the `msiexec.exe` process.(Citation: Profero APT27 December 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0027 | Threat Group-3390 | (Citation: Profero APT27 December 2020) (Citation: Trend Micro Iron Tiger April 2021) (Citation: Trend Micro DRBControl February 2020)
G0129 | Mustang Panda | (Citation: Secureworks BRONZE PRESIDENT December 2019)
References
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.