| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1554 | Compromise Host Software Binary | Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[1] |
| Enterprise | T1090 | Proxy | Kessel can use a proxy during exfiltration if set in the configuration.[1] |
| Enterprise | T1556 | Modify Authentication Process | Kessel has trojanized the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kessel has decrypted the binary's configuration once the |
| Enterprise | T1059 | Command and Scripting Interpreter | Kessel can create a reverse shell between the infected host and a specified system.[1] |
| Enterprise | T1560 | Archive Collected Data | Kessel can RC4-encrypt credentials before sending them to the C2.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Kessel can exfiltrate credentials and other information via HTTP POST requests, TCP, and DNS.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Kessel's configuration is hardcoded and RC4-encrypted within the binary.[1] |
| Enterprise | T1082 | System Information Discovery | Kessel has collected the system architecture, OS version, and MAC address information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Kessel has collected the DNS address of the infected host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Kessel can download additional modules from the C2 server.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Kessel has exfiltrated information gathered from the infected system to the C2 server.[1] |
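As an added defender-side example (not part of the ATT&CK entry or Kessel itself), the following Python flags resolver log lines that match the T1030 / T1132.001 pattern in the table, chunked data carried as hex-encoded subdomain labels, and reassembles the chunks for forensic review. The log format, the sample lines, the two-label zone heuristic and the thresholds are constructed assumptions.

```python
"""Defender-side check for the DNS exfiltration pattern attributed to Kessel:
chunked data (T1030) carried as hex-encoded subdomain labels (T1132.001).
Added example, not from the ATT&CK page; log format and sample lines are constructed."""
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
MIN_LABEL_LEN = 8    # short hex-looking labels (a1b2, cafe) are common and benign
MIN_HEX_CHARS = 12   # total hex characters in one query before it is flagged
ZONE_LABELS = 2      # assumption: zone = last two labels (no public-suffix list here)

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A 61646d696e3a5061.exfil.example.test
2024-05-01T10:00:02Z 10.0.0.7 A deadbeef.cdn.example.com
2024-05-01T10:00:03Z 10.0.0.5 A 73737730726421.exfil.example.test
2024-05-01T10:00:04Z 10.0.0.5 A a1b2.example.net
"""

def leading_hex_labels(qname):
    """Run of even-length hex labels at the left edge of qname, left of the zone."""
    run = []
    for label in qname.rstrip(".").split(".")[:-ZONE_LABELS]:
        if len(label) < MIN_LABEL_LEN or len(label) % 2 or not HEX_LABEL.match(label):
            break
        run.append(label)
    return run

def is_suspicious(qname):
    """True when the leading hex labels carry at least MIN_HEX_CHARS of hex."""
    return sum(len(l) for l in leading_hex_labels(qname)) >= MIN_HEX_CHARS

def scan_log(text):
    """Group flagged queries by (client, zone), keeping chunks in log order."""
    hits = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _qtype, qname = fields
        if is_suspicious(qname):
            zone = ".".join(qname.rstrip(".").split(".")[-ZONE_LABELS:])
            hits[(client, zone)].append("".join(leading_hex_labels(qname)))
    return dict(hits)

def reassemble(chunks):
    """Concatenate the hex chunks in order and decode them for forensic review."""
    return bytes.fromhex("".join(chunks))
```

This covers only the DNS channel; the table also lists HTTP POST and TCP exfiltration, and hex labels do appear in benign CDN names, so the thresholds need tuning against each environment's baseline.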