| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | PowerDuke achieves persistence by using various Registry Run keys.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PowerDuke runs |
| Enterprise | T1010 | Application Window Discovery | PowerDuke has a command to get the text of the current foreground window.[1] |
| Enterprise | T1485 | Data Destruction | PowerDuke has a command to write random data across a file and delete it.[1] |
| Enterprise | T1083 | File and Directory Discovery | PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[1] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | PowerDuke has a command to write random data across a file and delete it.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery | PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[1] |
| Enterprise | T1033 | System Owner/User Discovery | PowerDuke has commands to get the current user's name and SID.[1] |
| Enterprise | T1124 | System Time Discovery | PowerDuke has commands to get the time the machine was built, the current time, and the time zone.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | PowerDuke has a command to get the victim's domain and NetBIOS name.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).[1] |