
Lazarus group mac based attack

During Operation Dream Job, Lazarus Group queried compromised victims' Active Directory servers to obtain the list of employees, including administrator accounts. The Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions and executes itself under that user's context via the API call CreateProcessAsUserA.

Techniques Used:
- Access Token Manipulation: Create Process with Token
- Virtualization/Sandbox Evasion: System Checks
- Virtualization/Sandbox Evasion: Time Based Evasion
- System Location Discovery: System Language Discovery
- Server Software Component: IIS Components
- Search Open Websites/Domains: Social Media
- Obtain Capabilities: Code Signing Certificates
- Obfuscated Files or Information: Software Packing
- Gather Victim Org Information: Identify Roles
- Application Layer Protocol: Web Protocols
- Archive Collected Data: Archive via Utility
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Command and Scripting Interpreter: PowerShell
- Command and Scripting Interpreter: Windows Command Shell
- Command and Scripting Interpreter: Visual Basic
- Develop Capabilities: Code Signing Certificates
- Encrypted Channel: Symmetric Cryptography
- Establish Accounts: Social Media Accounts
- Exfiltration Over Web Service: Exfiltration to Cloud Storage

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
