Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Протоколы эл. почты
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Протоколы эл. почты
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Application Layer Protocol:  Протоколы эл. почты

ID Название
.001 Веб-протоколы
.002 Протоколы передачи файлов
.003 Протоколы эл. почты
.004 DNS
.005 Publish/Subscribe Protocols

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28)

ID: T1071.003
Относится к технике:  T1071
Тактика(-и): Command and Control
Платформы: Linux, Network Devices, Windows, macOS
Источники данных: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Версия: 1.2
Дата создания: 15 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
PowerExchange

PowerExchange can receive and send back the results of executed C2 commands through email.(Citation: Symantec Crambus OCT 2023)
OLDBAIT

OLDBAIT can use SMTP for C2.(Citation: FireEye APT28)
IMAPLoader

IMAPLoader uses the IMAP email protocol for command and control purposes.(Citation: PWC Yellow Liderc 2023)
RDAT

RDAT can use email attachments for C2 communications.(Citation: Unit42 RDAT July 2020)
NavRAT

NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.(Citation: Talos NavRAT May 2018)
CORESHELL

CORESHELL can communicate over SMTP and POP3 for C2.(Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19)
Remsec

Remsec is capable of using SMTP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)(Citation: Threatpost Sauron)
LightNeuron

LightNeuron uses SMTP for C2.(Citation: ESET LightNeuron May 2019)
Agent Tesla

Agent Tesla has used SMTP for C2 communications.(Citation: Cofense Agent Tesla)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)
Uroburos

Uroburos can use custom communications protocols that ride over SMTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
NightClub

NightClub can use emails for C2 communications.(Citation: MoustachedBouncer ESET August 2023)
BadPatch

BadPatch uses SMTP for C2.(Citation: Unit 42 BadPatch Oct 2017)
SUGARDUMP

A SUGARDUMP variant used SMTP for C2.(Citation: Mandiant UNC3890 Aug 2022)
Zebrocy

Zebrocy uses SMTP and POP3 for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)
LunarMail

LunarMail can communicates with C2 using email messages via the Outlook Messaging API (MAPI).(Citation: ESET Turla Lunar toolset May 2024)
CHOPSTICK

Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.(Citation: ESET Sednit Part 2)
Cannon

Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.(Citation: Unit42 Cannon Nov 2018)
ComRAT

ComRAT can use email attachments for command and control.(Citation: ESET ComRAT May 2020)
JPIN

JPIN can send email over SMTP.(Citation: Microsoft PLATINUM April 2016)
Goopy

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)

APT28

APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
Turla

Turla has used multiple backdoors which communicate with a C2 server via email attachments.(Citation: Crowdstrike GTR2020 Mar 2020)
APT32

APT32 has used email for C2 via an Office macro.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)
Kimsuky

Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)
SilverTerrier

SilverTerrier uses SMTP for C2 communications.(Citation: Unit42 SilverTerrier 2018)

Контрмеры
Контрмера Описание
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Обнаружение

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)

Ссылки

  1. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
  2. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  3. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  4. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  5. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  6. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  7. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  8. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  9. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  10. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  11. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  12. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  13. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  14. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  15. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  16. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  17. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  18. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  19. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  20. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  21. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  22. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  23. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  24. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  25. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  26. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  27. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  28. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  29. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  30. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  31. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  32. James Arndt. (2023, February 21). The Rise of Agent Tesla: Understanding the Notorious Keylogger. Retrieved January 10, 2024.
  33. Michael Mimoso. (2016, August 8). ProjectSauron APT On Par With Equation, Flame, Duqu. Retrieved January 10, 2024.
  34. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.