Anchor
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service | |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Anchor has used cmd.exe to run its self deletion routine.[1] |
| .004 | 命令与脚本解释器: Unix Shell | |||
| Enterprise | T1008 | 回退信道 |
Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| .004 | 应用层协议: DNS |
Variants of Anchor can use DNS tunneling to communicate with C2.[1][2] |
||
| Enterprise | T1480 | 执行保护 |
Anchor can terminate itself if specific execution flags are not present.[1] |
|
| Enterprise | T1027 | 混淆文件或信息 |
Anchor has obfuscated code with stack strings and string encryption.[1] |
|
| .002 | Software Packing | |||
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
Anchor can self delete its dropper after the malware is successfully deployed.[1] |
| Enterprise | T1082 | 系统信息发现 |
Anchor can determine the hostname and linux version on a compromised host.[2] |
|
| Enterprise | T1569 | .002 | 系统服务: Service Execution |
Anchor can create and execute services to load its payload.[1][2] |
| Enterprise | T1016 | 系统网络配置发现 |
Anchor can determine the public IP and location of a compromised host.[2] |
|
| Enterprise | T1105 | 输入工具传输 | ||
| Enterprise | T1021 | .002 | 远程服务: SMB/Windows Admin Shares | |
| Enterprise | T1564 | .004 | 隐藏伪装: NTFS File Attributes | |
| Enterprise | T1095 | 非应用层协议 | ||
| Enterprise | T1053 | .003 | 预定任务/作业: Cron | |
| .005 | 预定任务/作业: Scheduled Task | |||
| Enterprise | T1553 | .002 | 颠覆信任控制: Code Signing |
Anchor has been signed with valid certificates to evade detection by security tools.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider |