| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lsass.exe service.[1][3] |
| Enterprise | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver | Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes.[1][3] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[1] |
| Enterprise | T1082 | System Information Discovery | Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Wingbird checks for the presence of Bitdefender security software.[1] |
| Enterprise | T1055 | Process Injection | Wingbird performs multiple process injections to hijack system processes and execute malicious code.[1] |
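The service-registration rows above (T1543.003 / T1569.002 and the LSASS driver row) describe one concrete, detectable artifact: a new service named "Audit Service" whose image is a copy of lsass.exe living outside the system directory. The following is an added detection example, not code from the ATT&CK page or from any referenced report. It scans constructed records modelled on Windows System log event 7045 (Service Control Manager, "A service was installed in the system") and flags the two signals the table gives: the cited service name, and an lsass.exe image running from anywhere other than %SystemRoot%\System32. The `key=value;` record layout and the field names `ServiceName`/`ImagePath` are assumptions about a log export format, and the sample lines are constructed.

```python
"""Flag service installations matching the Wingbird behaviour in the table.

Added example (not from the ATT&CK page). Input records are constructed,
modelled loosely on System log event 7045; the 'key=value;...' layout and
the field names are assumptions about an export format, not a real schema.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Where the genuine lsass.exe lives; any other directory is a copy.
SYSTEM32 = r"c:\windows\system32"
# Service name cited on the page for Wingbird's autostart service.
KNOWN_BAD_SERVICE_NAMES = {"audit service"}

# Constructed sample records (hypothetical export format, not real log data).
SAMPLE_LOG = [
    r"EventID=7045;ServiceName=Audit Service;ImagePath=C:\ProgramData\audit\lsass.exe",
    r'EventID=7045;ServiceName=WinDefend;ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe"',
    r'EventID=7045;ServiceName=Wcmsvc;ImagePath="C:\Windows\System32\svchost.exe" -k LocalServiceNetworkRestricted',
]


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str


def parse_7045(line: str) -> ServiceInstall:
    """Parse one constructed 'key=value;...' record into a ServiceInstall."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    return ServiceInstall(fields["ServiceName"], fields["ImagePath"])


def image_file(image_path: str) -> str:
    """Return the executable portion of an ImagePath, dropping any arguments.

    A quoted path ("C:\\dir with spaces\\x.exe" -k foo) is taken up to the
    closing quote; an unquoted one is taken up to the first whitespace.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:path.index('"', 1)]
    return path.split()[0]


def reasons(ev: ServiceInstall) -> List[str]:
    """List why a service install looks like the Wingbird pattern (empty if benign)."""
    out: List[str] = []
    if ev.service_name.strip().lower() in KNOWN_BAD_SERVICE_NAMES:
        out.append("service name matches Wingbird 'Audit Service'")
    directory, base = ntpath.split(image_file(ev.image_path))
    # A legitimate lsass.exe is never registered from outside System32;
    # a copy there is how the side-loaded sspisrv.dll gets loaded.
    if base.lower() == "lsass.exe" and directory.lower() != SYSTEM32:
        out.append(f"lsass.exe copy running from {directory}")
    return out


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for ev in map(parse_7045, lines):
        why = reasons(ev)
        if why:
            hits[ev.service_name] = why
    return hits


if __name__ == "__main__":
    for name, why in scan(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

Both checks are independent on purpose: an attacker can rename the service trivially, but the copied lsass.exe outside System32 (and the sspisrv.dll dropped beside it) is the part the technique depends on, so the path check is the one worth keeping even if the name changes.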