| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | Comnie encrypts command and control communications with RC4.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[1] |
| Enterprise | T1547 | .009 | Boot or Logon Autostart Execution: Shortcut Modification | Comnie establishes persistence via a .lnk file in the victim's startup path.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1027 | | Obfuscated Files or Information | |
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[1] |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | | System Information Discovery | |
| Enterprise | T1007 | | System Service Discovery | Comnie runs the command: |
| Enterprise | T1049 | | System Network Connections Discovery | |
| Enterprise | T1016 | | System Network Configuration Discovery | Comnie uses |
| Enterprise | T1102 | .002 | Web Service: Bidirectional Communication | Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of its communication with the command and control server.[1] |
| Enterprise | T1119 | | Automated Collection | Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server.[1] |
| Enterprise | T1087 | .001 | Account Discovery: Local Account | |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery | |
| Enterprise | T1057 | | Process Discovery | Comnie uses the |
| Enterprise | T1018 | | Remote System Discovery | Comnie runs the |