| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | T1555 | | Credentials from Password Stores | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.[1] |
| | | .003 | Credentials from Web Browsers | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer.[1] |
| Enterprise | T1005 | | Data from Local System | PinchDuke collects user files from the compromised host based on predefined file extensions.[1] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.[1] |
| Enterprise | T1003 | | OS Credential Dumping | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).[1] |
| Enterprise | T1083 | | File and Directory Discovery | PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[1] |
| Enterprise | T1082 | | System Information Discovery | |