HAWKBALL
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.[1] |
| Enterprise | T1203 | 客户端执行漏洞利用 |
HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.[1] |
| Enterprise | T1560 | .003 | 归档收集数据: Archive via Custom Method |
HAWKBALL has encrypted data with XOR before sending it over the C2 channel.[1] |
| Enterprise | T1106 | 本机API |
HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.[1] |
|
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
HAWKBALL has encrypted the payload with an XOR-based algorithm.[1] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion | |
| Enterprise | T1082 | 系统信息发现 |
HAWKBALL can collect the OS version, architecture information, and computer name.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 | ||
| Enterprise | T1559 | .002 | 进程间通信: Dynamic Data Exchange |
HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode.[1] |
| Enterprise | T1041 | 通过C2信道渗出 |
HAWKBALL has sent system information and files over the C2 channel.[1] |
|