SharpDisco
SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
SharpDisco has dropped a recent-files stealer plugin to |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
SharpDisco can use |
| Enterprise | T1120 | 外围设备发现 |
SharpDisco has dropped a plugin to monitor external drives to |
|
| Enterprise | T1071 | .002 | 应用层协议: File Transfer Protocols |
SharpDisco has the ability to transfer data between SMB shares.[1] |
| Enterprise | T1083 | 文件和目录发现 |
SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either |
|
| Enterprise | T1106 | 本机API |
SharpDisco can leverage Native APIs through plugins including |
|
| Enterprise | T1082 | 系统信息发现 |
SharpDisco can use a plugin to enumerate system drives.[1] |
|
| Enterprise | T1105 | 输入工具传输 |
SharpDisco has been used to download a Python interpreter to |
|
| Enterprise | T1041 | 通过C2信道渗出 |
SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2.[1] |
|
| Enterprise | T1564 | .003 | 隐藏伪装: Hidden Window |
SharpDisco can hide windows using |
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
SharpDisco can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1019 | MoustachedBouncer |