| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | WindTail has used icons mimicking MS Office files to mask payloads.[2] |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | WindTail has been incompletely signed with revoked certificates.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WindTail has the ability to decrypt strings using hard-coded AES keys.[2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | WindTail can use the |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | WindTail has the ability to use HTTP for C2 communications.[3] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | WindTail has the ability to use the macOS built-in zip utility to archive files.[3] |
| Enterprise | T1083 | File and Directory Discovery | WindTail has the ability to enumerate the user's home directory and the path to its own application bundle.[2][3] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | WindTail has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.[3] |
| Enterprise | T1106 | Native API | WindTail can invoke Apple APIs |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | WindTail can be delivered as a compressed, encrypted, and encoded payload.[3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | WindTail has the ability to receive and execute a self-delete command.[3] |
| Enterprise | T1124 | System Time Discovery | WindTail has the ability to generate the current date and time.[2] |
| Enterprise | T1119 | Automated Collection | WindTail can identify and add files that possess specific file extensions to an array for archiving.[3] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | WindTail can instruct the OS to execute an application without a dock icon or menu.[2] |