| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SoreFang can decode and decrypt exfiltrated data sent to C2.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | SoreFang can enumerate domain groups by executing |
| Enterprise | T1027 | Obfuscated Files or Information | SoreFang has the ability to encode and RC6 encrypt data sent to C2.[2] |
| Enterprise | T1082 | System Information Discovery | SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via |
| Enterprise | T1087.001 | Account Discovery: Local Account | SoreFang can collect usernames from the local system via |
| Enterprise | T1087.002 | Account Discovery: Domain Account | SoreFang can enumerate domain accounts via |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | SoreFang can enumerate processes on a victim machine through use of Tasklist.[2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SoreFang can gain persistence through use of scheduled tasks.[2] |