Kerrdown
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1574 | .002 | 劫持执行流: DLL Side-Loading |
Kerrdown can use DLL side-loading to load malicious DLLs.[2] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[2] |
|
| Enterprise | T1059 | .005 | 命令与脚本解释器: Visual Basic |
Kerrdown can use a VBS base64 decoder function published by Motobit.[2] |
| Enterprise | T1027 | 混淆文件或信息 |
Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[2] |
|
| Enterprise | T1204 | .001 | 用户执行: Malicious Link |
Kerrdown has gained execution through victims opening malicious links.[1] |
| .002 | 用户执行: Malicious File |
Kerrdown has gained execution through victims opening malicious files.[1][2] |
||
| Enterprise | T1082 | 系统信息发现 |
Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.[2] |
|
| Enterprise | T1105 | 输入工具传输 |
Kerrdown can download specific payloads to a compromised host based on OS architecture.[2] |
|
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
Kerrdown has been distributed through malicious e-mail attachments.[1] |
| .002 | 钓鱼: Spearphishing Link |
Kerrdown has been distributed via e-mails containing a malicious link.[1] |
||