Kazuar
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
Kazuar obtains a list of running processes through WMI querying.[1] |
|
| Enterprise | T1005 | 从本地系统获取数据 |
Kazuar uploads files from a specified directory to the C2 server.[1] |
|
| Enterprise | T1090 | .001 | 代理: Internal Proxy |
Kazuar has used internal nodes on the compromised network for C2 communications.[2] |
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service | |
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder | |
| .009 | 启动或登录自动启动执行: Shortcut Modification | |||
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Kazuar uses cmd.exe to execute commands on the victim’s machine.[1] |
| .004 | 命令与脚本解释器: Unix Shell |
Kazuar uses /bin/bash to execute commands on the victim’s machine.[1] |
||
| Enterprise | T1008 | 回退信道 | ||
| Enterprise | T1113 | 屏幕捕获 | ||
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.[1] |
| .002 | 应用层协议: File Transfer Protocols |
Kazuar uses FTP and FTPS to communicate with the C2 server.[1] |
||
| Enterprise | T1010 | 应用窗口发现 | ||
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
Kazuar stages command output and collected data in files before exfiltration.[1] |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Kazuar encodes communications to the C2 server in Base64.[1] |
| Enterprise | T1485 | 数据销毁 |
Kazuar can overwrite files with random data before deleting them.[1] |
|
| Enterprise | T1083 | 文件和目录发现 |
Kazuar finds a specified directory, lists the files and metadata about those files.[1] |
|
| Enterprise | T1069 | .001 | 权限组发现: Local Groups |
Kazuar gathers information about local groups and members.[1] |
| Enterprise | T1027 | 混淆文件或信息 |
Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[1] |
|
| Enterprise | T1070 | .004 | 移除指标: File Deletion | |
| Enterprise | T1082 | 系统信息发现 |
Kazuar gathers information on the system and local drives.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 | ||
| Enterprise | T1016 | 系统网络配置发现 | ||
| Enterprise | T1102 | .002 | 网络服务: Bidirectional Communication |
Kazuar has used compromised WordPress blogs as C2 servers.[1] |
| Enterprise | T1125 | 视频捕获 | ||
| Enterprise | T1087 | .001 | 账号发现: Local Account |
Kazuar gathers information on local groups and members on the victim’s machine.[1] |
| Enterprise | T1105 | 输入工具传输 |
Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[1] |
|
| Enterprise | T1057 | 进程发现 |
Kazuar obtains a list of running processes through WMI querying and the |
|
| Enterprise | T1055 | .001 | 进程注入: Dynamic-link Library Injection |
If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.[1] |
| Enterprise | T1029 | 预定传输 |
Kazuar can sleep for a specific time and be set to communicate at specific intervals.[1] |
|