| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1039 | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Sowbug extracted documents and bundled them into a RAR archive.[1] |
| Enterprise | T1003 | OS Credential Dumping | |
| Enterprise | T1083 | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[1] |
| Enterprise | T1082 | System Information Discovery | Sowbug obtained OS version and hardware configuration from a victim.[1] |
| Enterprise | T1135 | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0171 | Felismus | [1] | Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer |
| S0188 | Starloader | [1] | Masquerading: Match Legitimate Name or Location, Deobfuscate/Decode Files or Information |