
Security Software Discovery: discovery of security tools

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)

ID: T1518.001
Sub-technique of: T1518
Tactic(s): Discovery
Platforms: Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Data sources: Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Version: 1.3
Created: 21 Feb 2020
Last modified: 11 Apr 2022

Procedure Examples

Name Description
Darkhotel

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM June 2016)

Clop

Clop can search for processes with antivirus and antimalware product names.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)

ABK

ABK has the ability to identify the installed anti-virus product on the compromised host.(Citation: Trend Micro Tick November 2019)

During Operation Wocao, threat actors used scripts to detect security software.(Citation: FoxIT Wocao December 2019)

Sidewinder

Sidewinder has used the Windows service winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.(Citation: Rewterz Sidewinder APT April 2020)

Metamorfo

Metamorfo collects a list of installed antivirus software from the victim’s system.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

QakBot

QakBot can identify the installed antivirus product on a targeted system.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)

Micropsia

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

SideCopy

SideCopy uses a loader DLL file to collect AV product names from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)

Crimson

Crimson contains a command to collect information about anti-virus software on the victim.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Zeus Panda

Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

Windshift

Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.(Citation: BlackBerry Bahamut)

APT38

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.(Citation: CISA AA20-239A BeagleBoyz August 2020)

FIN8

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Amadey

Amadey has checked for a variety of antivirus products.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)

Comnie

Comnie attempts to detect several anti-virus products.(Citation: Palo Alto Comnie)

The White Company

The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.(Citation: Cylance Shaheen Nov 2018)

Naikon

Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.(Citation: Baumgartner Naikon 2015)

Bazar

Bazar can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)

Cobalt Group

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.(Citation: Morphisec Cobalt Gang Oct 2018)

CozyCar

The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.(Citation: F-Secure CozyDuke)

ZxxZ

ZxxZ can search a compromised host to determine if it is running Windows Defender or Kaspersky antivirus.(Citation: Cisco Talos Bitter Bangladesh May 2022)

PUNCHBUGGY

PUNCHBUGGY can gather AVs registered in the system.(Citation: Morphisec ShellTea June 2019)

POWERSTATS

POWERSTATS has detected security tools.(Citation: FireEye MuddyWater Mar 2018)

FELIXROOT

FELIXROOT checks for installed security software like antivirus and firewall.(Citation: ESET GreyEnergy Oct 2018)

TajMahal

TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.(Citation: Kaspersky TajMahal April 2019)

Mosquito

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.(Citation: ESET Turla Mosquito Jan 2018)

VERMIN

VERMIN uses WMI to check for anti-virus software installed on the system.(Citation: Unit 42 VERMIN Jan 2018)

Valak

Valak can determine if a compromised host has security products installed.(Citation: Cybereason Valak May 2020)

Skidmap

Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.(Citation: Trend Micro Skidmap)

Flame

Flame identifies security software such as antivirus through the Security module.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)

Astaroth

Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder.(Citation: Cofense Astaroth Sept 2018)

Bumblebee

Bumblebee can identify specific analytical tools based on running processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

Avenger

Avenger has the ability to identify installed anti-virus products on a compromised host.(Citation: Trend Micro Tick November 2019)

POWRUNER

POWRUNER may collect information on the victim's anti-virus software.(Citation: FireEye APT34 Dec 2017)

During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system.(Citation: Talos Frankenstein June 2019)

BLUELIGHT

BLUELIGHT can collect a list of anti-virus products installed on a machine.(Citation: Volexity InkySquid BLUELIGHT August 2021)

NotPetya

NotPetya determines if specific antivirus programs are running on an infected host machine.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

YAHOYAH

YAHOYAH checks for antimalware solution processes on the system.(Citation: TrendMicro TropicTrooper 2015)

Wizard Spider

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)

Netwalker

Netwalker can detect and terminate active security software-related processes on infected systems.(Citation: TrendMicro Netwalker May 2020)

Patchwork

Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).(Citation: Cymmetria Patchwork)

MarkiRAT

MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.(Citation: Kaspersky Ferocious Kitten Jun 2021)

MuddyWater

MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.(Citation: Securelist MuddyWater Oct 2018)

Ferocious

Ferocious has checked for AV software as part of its persistence process.(Citation: Kaspersky WIRTE November 2021)

Grandoreiro

Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.(Citation: ESET Grandoreiro April 2020)

T9000

T9000 performs checks for various antivirus and security products during installation.(Citation: Palo Alto T9000 Feb 2016)

CHOPSTICK

CHOPSTICK checks for antivirus and forensics software.(Citation: FireEye APT28)

down_new

down_new has the ability to detect anti-virus products and processes on a compromised host.(Citation: Trend Micro Tick November 2019)

build_downer

build_downer has the ability to detect if the infected host is running an anti-virus process.(Citation: Trend Micro Tick November 2019)

FlawedAmmyy

FlawedAmmyy will attempt to detect anti-virus products during the initial infection.(Citation: Proofpoint TA505 Mar 2018)

WhisperGate

WhisperGate can recognize the presence of monitoring tools on a target system.(Citation: Unit 42 WhisperGate January 2022)

StrongPity

StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.(Citation: Talos Promethium June 2020)

StoneDrill

StoneDrill can check for antivirus and antimalware programs.(Citation: Kaspersky StoneDrill 2017)

Tasklist

Tasklist can be used to enumerate security software currently running on a system by process name of known products.(Citation: Microsoft Tasklist)

Carberp

Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.(Citation: Prevx Carberp March 2011)

Aquatic Panda

Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)

xCaon

xCaon has checked for the existence of Kaspersky antivirus software on the system.(Citation: Checkpoint IndigoZebra July 2021)

Felismus

Felismus checks for processes associated with anti-virus vendors.(Citation: Forcepoint Felismus Mar 2017)

Kimsuky

Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct.(Citation: KISA Operation Muzabi)

Gelsemium

Gelsemium can check for the presence of specific security products.(Citation: ESET Gelsemium June 2021)

TeamTNT

TeamTNT has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)

jRAT

jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)

Kasidet

Kasidet has the ability to identify any anti-virus installed on the infected system.(Citation: Zscaler Kasidet)

Prikormka

A module in Prikormka collects information from the victim about installed anti-virus software.(Citation: ESET Operation Groundbait)

RogueRobin

RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Waterbear

Waterbear can find the presence of a specific security software.(Citation: Trend Micro Waterbear December 2019)

Stuxnet

Stuxnet enumerates the currently running processes related to a variety of security products.(Citation: Symantec W.32 Stuxnet Dossier)

JPIN

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.(Citation: Microsoft PLATINUM April 2016)

DustySky

DustySky checks for the existence of anti-virus.(Citation: DustySky)

Turla

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.(Citation: ESET ComRAT May 2020)

Wingbird

Wingbird checks for the presence of Bitdefender security software.(Citation: Microsoft SIR Vol 21)

Lizar

Lizar can search for processes associated with an anti-virus product from a list.(Citation: BiZone Lizar May 2021)

XCSSET

XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.(Citation: trendmicro xcsset xcode project 2020)

More_eggs

More_eggs can obtain information on installed anti-malware programs.(Citation: Talos Cobalt Group July 2018)

Empire

Empire can enumerate antivirus software on the target.(Citation: Github PowerShell Empire)

CookieMiner

CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.(Citation: Unit42 CookieMiner Jan 2019)

LiteDuke

LiteDuke has the ability to check for the presence of Kaspersky security software.(Citation: ESET Dukes October 2019)

BadPatch

BadPatch uses WMI to enumerate installed security products in the victim’s environment.(Citation: Unit 42 BadPatch Oct 2017)

Tropic Trooper

Tropic Trooper can search for anti-virus software running on the system.(Citation: Unit 42 Tropic Trooper Nov 2016)

EVILNUM

EVILNUM can search for anti-virus products on the system.(Citation: Prevailion EvilNum May 2020)

SUNBURST

SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: FireEye SUNBURST Additional Details Dec 2020)

ThiefQuest

ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs.(Citation: wardle evilquest parti)

Operation Wocao

Operation Wocao has used scripts to detect security software.(Citation: FoxIT Wocao December 2019)

Epic

Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.(Citation: Kaspersky Turla)

RTM

RTM can obtain information about security software on the victim.(Citation: ESET RTM Feb 2017)

DarkWatchman

DarkWatchman can search for anti-virus products on the system.(Citation: Prevailion DarkWatchman 2021)

FinFisher

FinFisher probes the system to check for antimalware processes.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)

InvisiMole

InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.(Citation: ESET InvisiMole June 2020)

Gold Dragon

Gold Dragon checks for anti-malware products and processes.(Citation: McAfee Gold Dragon)

StreamEx

StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.(Citation: Cylance Shell Crew Feb 2017)

AuTo Stealer

AuTo Stealer has the ability to collect information about installed AV products from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)

Meteor

Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.(Citation: Check Point Meteor Aug 2021)

Action RAT

Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.(Citation: MalwareBytes SideCopy Dec 2021)

EvilBunny

EvilBunny has been observed querying installed antivirus software.(Citation: Cyphort EvilBunny Dec 2014)

SpicyOmelette

SpicyOmelette can check for the presence of 29 different antivirus tools.(Citation: Secureworks GOLD KINGSWOOD September 2018)

Remsec

Remsec has a plugin to detect active drivers of some security products.(Citation: Kaspersky ProjectSauron Technical Analysis)

FunnyDream

FunnyDream can identify the processes for Bkav antivirus.(Citation: Bitdefender FunnyDream Campaign November 2020)

MoleNet

MoleNet can use WMI commands to check the system for firewall and antivirus software.(Citation: Cybereason Molerats Dec 2020)

netsh

netsh can be used to discover system firewall settings.(Citation: TechNet Netsh)(Citation: TechNet Netsh Firewall)

SILENTTRINITY

SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.(Citation: Security Affairs SILENTTRINITY July 2019)

PipeMon

PipeMon can check for the presence of ESET and Kaspersky security software.(Citation: ESET PipeMon May 2020)

Frankenstein

Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.(Citation: Talos Frankenstein June 2019)

LitePower

LitePower can identify installed AV software.(Citation: Kaspersky WIRTE November 2021)

Rocke

Rocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.
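The detection guidance above, applied to the command indicators listed in this technique's description and procedure examples (netsh advfirewall, SecurityCenter2/AntiVirusProduct queries, reg query, tasklist, csrutil status, DescribeSecurityGroups). This is an added example, not code from the original page or from ATT&CK; the event field names, the indicator regexes, the 10-minute correlation window and the two-indicator escalation threshold are assumptions, and the sample events are constructed.

```python
"""Flag security-software discovery (T1518.001) in process-creation and
CloudTrail-style events, then escalate when several distinct indicators chain
on one host. Event field names, the indicator list, the correlation window and
the escalation threshold are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line indicators drawn from the procedure examples on this page.
# Each is a case-insensitive regex evaluated against the full command line.
PROCESS_PATTERNS = {
    "netsh_advfirewall": re.compile(r"\bnetsh\b.*\badvfirewall\b", re.I),
    # WMI/CIM queries of root\SecurityCenter2 / AntiVirusProduct (WMIC,
    # Get-CimInstance, winmgmts) all contain one of these two tokens.
    "securitycenter2_av_query": re.compile(r"securitycenter2|antivirusproduct", re.I),
    # 'reg query' is named on the page as a discovery command; it is also
    # routine admin activity, which is why a lone hit stays low severity.
    "reg_query": re.compile(r"\breg(\.exe)?\s+query\b", re.I),
    "tasklist_enum": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "csrutil_status": re.compile(r"\bcsrutil\s+status\b", re.I),  # macOS SIP check
}

# Cloud API actions on the page that reveal firewall/security-group configuration.
CLOUD_DISCOVERY_ACTIONS = {"DescribeSecurityGroups"}


def match_process_event(event):
    """Indicator names that fire on one process-creation event ({host, time, cmdline})."""
    cmdline = event.get("cmdline", "")
    return [name for name, rx in PROCESS_PATTERNS.items() if rx.search(cmdline)]


def match_cloud_event(event):
    """Indicator names for one CloudTrail-style record ({host, time, eventName}),
    where 'host' carries the calling principal."""
    action = event.get("eventName")
    return [f"cloud_{action}"] if action in CLOUD_DISCOVERY_ACTIONS else []


def scan_events(events, window=timedelta(minutes=10), escalate_at=2):
    """Return one alert dict per indicator hit, in time order.

    A single indicator on a host is 'low': every command here has benign admin
    uses. Two or more distinct indicators from the same host inside `window`
    become 'high', following the guidance that discovery must be read as a
    chain of behaviour rather than as isolated events.
    """
    recent = defaultdict(list)          # host -> [(datetime, indicator), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        now = datetime.fromisoformat(ev["time"])
        hits = match_process_event(ev) if "cmdline" in ev else match_cloud_event(ev)
        for name in hits:
            host = ev["host"]
            # Drop hits that fell out of the correlation window, then add this one.
            recent[host] = [(t, n) for t, n in recent[host] if now - t <= window]
            recent[host].append((now, name))
            chain = sorted({n for _, n in recent[host]})
            alerts.append({
                "host": host,
                "time": ev["time"],
                "indicator": name,
                "chain": chain,
                "severity": "high" if len(chain) >= escalate_at else "low",
            })
    return alerts


# Constructed sample telemetry (not real logs). ws02 shows the chain the page
# describes: an AntiVirusProduct query followed by a firewall rule listing.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2022-04-11T09:00:00",
     "cmdline": "cmd.exe /c tasklist"},
    {"host": "ws02", "time": "2022-04-11T09:05:00",
     "cmdline": r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 "
                r"Path AntiVirusProduct Get displayName /Format:List"},
    {"host": "ws02", "time": "2022-04-11T09:06:30",
     "cmdline": "netsh advfirewall firewall show rule name=all"},
    {"host": "ws03", "time": "2022-04-11T10:00:00",
     "cmdline": "notepad.exe report.txt"},
    # Two indicators 30 minutes apart: outside the window, so each stays low.
    {"host": "ws04", "time": "2022-04-11T11:00:00",
     "cmdline": "tasklist /v"},
    {"host": "ws04", "time": "2022-04-11T11:30:00",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "arn:aws:iam::123456789012:user/example", "time": "2022-04-11T10:30:00",
     "eventName": "DescribeSecurityGroups"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f'{alert["time"]} {alert["severity"]:4} {alert["host"]} '
              f'{alert["indicator"]} chain={alert["chain"]}')
```

Running the module prints one line per hit; only ws02's second event reaches "high", because it is the only host where two distinct indicators fall inside the window.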

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  3. Amazon Web Services, Inc. (2022). DescribeSecurityGroups. Retrieved January 28, 2022.
  4. A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
  5. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  6. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  7. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  8. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  9. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  10. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  11. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  12. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  13. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  14. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  15. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  16. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  17. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  18. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  19. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  20. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  21. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  22. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  23. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  24. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  25. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  26. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  27. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  28. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  29. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  30. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more! Retrieved March 18, 2021.
  31. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  32. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  33. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  34. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  35. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  36. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  37. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  38. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  39. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  40. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  41. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  42. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  43. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  44. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  45. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  46. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  47. FinFisher. (n.d.). Retrieved December 20, 2017.
  48. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  49. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  50. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
  51. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  52. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  53. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  54. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  55. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  56. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  57. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  58. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  59. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  60. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  61. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  62. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  63. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  64. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  65. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  66. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  67. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  68. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  69. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  70. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  71. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  72. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  73. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  74. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  75. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  76. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  77. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  78. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  79. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  80. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  81. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  82. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  83. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  84. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  85. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  86. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  87. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  88. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  89. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  90. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  91. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  92. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  93. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  94. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  95. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  96. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  97. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  98. Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.
  99. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  100. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  101. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  102. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  103. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  104. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  105. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  106. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  107. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  108. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  109. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  110. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  111. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  112. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
  113. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  114. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  115. Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.
  116. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  117. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  118. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  119. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
