POSHSPY
ID: S0150
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.2
Created: 14 December 2017
Last Modified: 30 March 2020
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1546 | .003 | 事件触发执行: Windows Management Instrumentation Event Subscription |
POSHSPY uses a WMI event subscription to establish persistence.[1] |
| Enterprise | T1573 | .002 | 加密通道: Asymmetric Cryptography | |
| Enterprise | T1568 | .002 | 动态解析: Domain Generation Algorithms |
POSHSPY uses a DGA to derive command and control URLs from a word list.[1] |
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
POSHSPY uses PowerShell to execute various commands, one to execute its payload.[1] |
| Enterprise | T1030 | 数据传输大小限制 | ||
| Enterprise | T1027 | 混淆文件或信息 |
POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[1] |
|
| Enterprise | T1070 | .006 | 移除指标: Timestomp |
POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.[1] |
| Enterprise | T1105 | 输入工具传输 |
POSHSPY downloads and executes additional PowerShell code and Windows binaries.[1] |
|