Meteor
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Meteor can use PowerShell commands to disable the network adapters on a victim machines.(Citation: Check Point Meteor Aug 2021) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts.(Citation: Check Point Meteor Aug 2021) |
||
Enterprise | T1491 | .001 | Defacement: Internal Defacement |
Meteor can change both the desktop wallpaper and the lock screen image to a custom image.(Citation: Check Point Meteor Aug 2021) |
Enterprise | T1484 | .001 | Domain or Tenant Policy Modification: Group Policy Modification |
Meteor can use group policy to push a scheduled task from the AD to all network machines.(Citation: Check Point Meteor Aug 2021) |
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Meteor can hide its console window upon execution to decrease its visibility to a victim.(Citation: Check Point Meteor Aug 2021) |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.(Citation: Check Point Meteor Aug 2021) |
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.(Citation: Check Point Meteor Aug 2021) |
.004 | Indicator Removal: File Deletion |
Meteor will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`.(Citation: Check Point Meteor Aug 2021) |
||
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.(Citation: Check Point Meteor Aug 2021) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Meteor execution begins from a scheduled task named `Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00.(Citation: Check Point Meteor Aug 2021) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.(Citation: Check Point Meteor Aug 2021) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.