Software Discovery
Sub-techniques (1)
ID | Name |
---|---|
.001 | Security Software Discovery |
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.
Procedure Examples |
|
Name | Description |
---|---|
Metamorfo |
Metamorfo has searched the compromised system for banking applications.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019) |
XCSSET |
XCSSET uses |
Siloscape |
Siloscape searches for the kubectl binary.(Citation: Unit 42 Siloscape Jun 2021) |
CharmPower |
CharmPower can list the installed applications on a compromised host.(Citation: Check Point APT35 CharmPower January 2022) |
ShimRatReporter |
ShimRatReporter gathered a list of installed software on the infected host.(Citation: FOX-IT May 2016 Mofang) |
DustySky |
DustySky lists all installed software for the infected machine.(Citation: Kaspersky MoleRATs April 2019) |
SUGARDUMP |
SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.(Citation: Mandiant UNC3890 Aug 2022) |
ComRAT |
ComRAT can check the victim's default browser to determine which process to inject its communications module into.(Citation: ESET ComRAT May 2020) |
Cobalt Strike |
The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has.(Citation: Cobalt Strike Manual 4.3 November 2020) |
Windigo |
Windigo has used a script to detect installed software on targeted systems.(Citation: ESET ForSSHe December 2018) |
Inception |
Inception has enumerated installed software on compromised systems.(Citation: Symantec Inception Framework March 2018) |
Dridex |
Dridex has collected a list of installed software on the system.(Citation: Checkpoint Dridex Jan 2021) |
SpicyOmelette |
SpicyOmelette can enumerate running software on a targeted system.(Citation: Secureworks GOLD KINGSWOOD September 2018) |
BRONZE BUTLER |
BRONZE BUTLER has used tools to enumerate software installed on an infected host.(Citation: Trend Micro Tick November 2019) |
Orz |
Orz can gather the victim's Internet Explorer version.(Citation: Proofpoint Leviathan Oct 2017) |
Windshift |
Windshift has used malware to identify installed software.(Citation: BlackBerry Bahamut) |
MuddyWater |
MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.(Citation: Trend Micro Muddy Water March 2021) |
Bazar |
Bazar can query the Registry for installed applications.(Citation: Cybereason Bazar July 2020) |
TajMahal |
TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host.(Citation: Kaspersky TajMahal April 2019) |
P.A.S. Webshell |
P.A.S. Webshell can list PHP server configuration details.(Citation: ANSSI Sandworm January 2021) |
Bundlore |
Bundlore has the ability to enumerate what browser is being used as well as version information for Safari.(Citation: MacKeeper Bundlore Apr 2019) |
SideCopy |
SideCopy has collected browser information from a compromised host.(Citation: MalwareBytes SideCopy Dec 2021) |
Sidewinder |
Sidewinder has used tools to enumerate software installed on an infected host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020) |
Mustang Panda |
Mustang Panda has searched the victim system for the |
InvisiMole |
InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
Operation Wocao |
Operation Wocao has collected a list of installed software on the infected system.(Citation: FoxIT Wocao December 2019) |
During Operation Dust Storm, the threat actors deployed a file called `DeployJava.js` to fingerprint installed software on a victim system prior to exploit delivery.(Citation: Cylance Dust Storm) |
|
down_new |
down_new has the ability to gather information on installed applications.(Citation: Trend Micro Tick November 2019) |
HotCroissant |
HotCroissant can retrieve a list of applications from the |
MarkiRAT |
MarkiRAT can check for the Telegram installation directory by enumerating the files on disk.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
HEXANE |
HEXANE has enumerated programs installed on an infected machine.(Citation: Kaspersky Lyceum October 2021) |
KGH_SPY |
KGH_SPY can collect information on installed applications.(Citation: Cybereason Kimsuky November 2020) |
QakBot |
QakBot can enumerate a list of installed programs.(Citation: Group IB Ransomware September 2020) |
Dyre |
Dyre has the ability to identify installed programs on a compromised host.(Citation: Malwarebytes Dyreza November 2015) |
During Operation Wocao, threat actors collected a list of installed software on the infected system.(Citation: FoxIT Wocao December 2019) |
|
RTM |
RTM can scan victim drives to look for specific banking software on the machine to determine next actions.(Citation: ESET RTM Feb 2017) |
Tropic Trooper |
Tropic Trooper's backdoor could list the infected system's installed software.(Citation: TrendMicro Tropic Trooper May 2020) |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
- CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.