
PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)
ID: S1050
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 13 Oct 2022
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PcShare has used HTTP for C2 communication.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PcShare can execute `cmd` commands on a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

PcShare has created the `HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32` Registry key for persistence.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

PcShare has deleted its files and components from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1056 .001 Input Capture: Keylogging

PcShare has the ability to capture keystrokes.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1036 .001 Masquerading: Invalid Code Signature

PcShare has used an invalid certificate in an attempt to appear legitimate.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

PcShare has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client.(Citation: Bitdefender FunnyDream Campaign November 2020)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

PcShare has been encrypted with XOR, using different 32-character Base16 strings as keys, and compressed with the LZW algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020)
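The combination above (LZW compression plus a repeating XOR key) is cheap to undo once the key is known, and because several key strings were in use, an analyst typically tries each candidate and keeps the one that yields a PE image. The block below is an added example, not code from PcShare or from the Bitdefender report, and it models the scheme rather than reproducing it: it assumes the payload is LZW-compressed first and then XORed with the ASCII bytes of the 32-character Base16 string repeated across the data, and it assumes fixed 16-bit little-endian LZW codes. The sample payload and both candidate keys are constructed for the example.

```python
"""Round-trip model of an LZW-then-XOR packed payload and key recovery."""
import struct
from typing import Iterable, Optional, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")
MAX_CODES = 1 << 16  # fixed 16-bit LZW codes (assumption, see lead-in)


def lzw_compress(data: bytes) -> bytes:
    """Textbook LZW with a byte-initialised dictionary and 16-bit LE codes."""
    table = {bytes([i]): i for i in range(256)}
    w = b""
    codes = []
    for c in data:
        wc = w + bytes([c])
        if wc in table:
            w = wc
        else:
            codes.append(table[w])
            if len(table) < MAX_CODES:
                table[wc] = len(table)
            w = bytes([c])
    if w:
        codes.append(table[w])
    return struct.pack("<%dH" % len(codes), *codes)


def lzw_decompress(blob: bytes) -> bytes:
    """Inverse of lzw_compress; raises ValueError on a stream that cannot
    have come from it (which is what a wrong XOR key usually produces)."""
    if len(blob) % 2:
        raise ValueError("odd-length LZW stream")
    codes = struct.unpack("<%dH" % (len(blob) // 2), blob)
    table = {i: bytes([i]) for i in range(256)}
    if not codes:
        return b""
    if codes[0] not in table:
        raise ValueError("first LZW code %d is not a literal" % codes[0])
    w = table[codes[0]]
    out = bytearray(w)
    for k in codes[1:]:
        if k in table:
            entry = table[k]
        elif k == len(table):  # the KwKwK special case
            entry = w + w[:1]
        else:
            raise ValueError("LZW code %d out of range" % k)
        out += entry
        if len(table) < MAX_CODES:
            table[len(table)] = w + entry[:1]
        w = entry
    return bytes(out)


def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR with the ASCII bytes of a 32-character Base16 string, repeated
    (assumed key schedule; the report does not spell it out)."""
    if len(key) != 32 or not set(key) <= HEX_DIGITS:
        raise ValueError("key must be a 32-character Base16 string")
    kb = key.encode("ascii")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def pack_payload(plain: bytes, key: str) -> bytes:
    return xor_with_key(lzw_compress(plain), key)


def unpack_payload(blob: bytes, key: str) -> bytes:
    return lzw_decompress(xor_with_key(blob, key))


def recover_with_candidates(blob: bytes, keys: Iterable[str]) -> Tuple[Optional[str], Optional[bytes]]:
    """Try each candidate key; accept the first whose output is a PE (MZ)."""
    for key in keys:
        try:
            plain = unpack_payload(blob, key)
        except ValueError:
            continue
        if plain.startswith(b"MZ"):
            return key, plain
    return None, None


# Constructed inputs: a fake PE-like blob and two candidate keys.
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode.\r\n" * 3
RIGHT_KEY = "0123456789abcdef0123456789abcdef"
WRONG_KEY = "fedcba9876543210fedcba9876543210"
SAMPLE_PACKED = pack_payload(SAMPLE_PLAIN, RIGHT_KEY)

if __name__ == "__main__":
    key, pe = recover_with_candidates(SAMPLE_PACKED, [WRONG_KEY, RIGHT_KEY])
    print(key, pe == SAMPLE_PLAIN, len(SAMPLE_PACKED), len(SAMPLE_PLAIN))
```

Two practical points carry over to real samples: a wrong key turns the first code into a value outside the initial 256-entry table, so the decoder rejects it immediately instead of producing silent garbage, and the `MZ` check is the minimum acceptance test; a real unpacker should go on to parse the PE header before trusting the result.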

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

PcShare has used `rundll32.exe` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)

Groups That Use This Software

ID Name References
G1023 APT5 (Citation: Secureworks BRONZE FLEETWOOD Profile)(Citation: Bitdefender FunnyDream Campaign November 2020)
