| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Kinsing has used Unix shell scripts to execute commands in the victim environment.[1] |
| Enterprise | T1133 | External Remote Services | Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API.[1] |
| Enterprise | T1609 | Container Administration Command | Kinsing was executed with an Ubuntu container entry point that runs shell scripts.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1083 | File and Directory Discovery | Kinsing has used the find command to search for specific files.[1] |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Kinsing has used chmod to modify permissions on key files for use.[1] |
| Enterprise | T1110 | Brute Force | |
| Enterprise | T1078 | Valid Accounts | Kinsing has used valid SSH credentials to access remote hosts.[1] |
| Enterprise | T1552.003 | Unsecured Credentials: Bash History | |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | |
| Enterprise | T1496.001 | Resource Hijacking: Compute Hijacking | Kinsing has created and run a Bitcoin cryptocurrency miner.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Kinsing has downloaded additional lateral movement scripts from C2.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1021.004 | Remote Services: SSH | |
| Enterprise | T1018 | Remote System Discovery | Kinsing has used a script to parse files like |
| Enterprise | T1610 | Deploy Container | |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | Kinsing has used crontab to download and run shell scripts every minute to ensure persistence.[1] |