| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | |
| Enterprise | T1190 | Exploit Public-Facing Application | Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Siloscape has decrypted the password of the C2 server with a simple byte-by-byte XOR. Siloscape also writes both an archive of Tor and the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1609 | Container Administration Command | Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.[1] |
| Enterprise | T1071 | Application Layer Protocol | |
| Enterprise | T1083 | File and Directory Discovery | Siloscape searches for the Kubernetes config file and other related files using a regular expression.[1] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[1] |
| Enterprise | T1069 | Permission Groups Discovery | |
| Enterprise | T1027 | Obfuscated Files or Information | Siloscape itself is obfuscated and uses obfuscated API calls.[1] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Siloscape impersonates the main thread of |
| Enterprise | T1518 | Software Discovery | |
| Enterprise | T1611 | Escape to Host | Siloscape maps the host's C drive to the container by creating a global symbolic link to the host through the calling of |
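The T1140 row states that the C2 password is recovered with a simple byte-by-byte XOR. The following is an added example of how an analyst recovers such a string from a carved blob; it is not code from the ATT&CK page or from the Siloscape sample. The obfuscated blob, the key (0x5A) and the plaintext are constructed for this illustration, and the crib-based brute force is a general single-byte-XOR recovery method, not a claim about how Siloscape stores its key.

```python
"""Recover a single-byte-XOR-obfuscated string from a carved data blob.

Added example. The blob, key and recovered password below are constructed
for illustration and are NOT taken from a Siloscape sample.
"""
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    A one-byte key is the 'simple byte-by-byte XOR' case; XOR is its own
    inverse, so the same call both obfuscates and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_keys(blob: bytes) -> list:
    """Every single-byte key whose decoding is entirely printable ASCII.
    Useful when no known plaintext is available: the list is usually short
    enough to eyeball."""
    return [k for k in range(256)
            if all(c in PRINTABLE for c in xor_bytes(blob, bytes([k])))]


def recover_single_byte_key(blob: bytes, crib: bytes = b""):
    """Brute-force all 256 keys; return the first one whose decoding is
    printable and contains the crib (a known plaintext fragment, e.g. a
    hostname or protocol keyword already seen in the sample), else None."""
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        if all(c in PRINTABLE for c in plain) and crib in plain:
            return k
    return None


# Constructed sample blob, as if carved from the binary's data section.
OBFUSCATED_BLOB = bytes.fromhex(
    "33283977 2a3b2929 601f223b 372a363f 79686a68 6b"
)

if __name__ == "__main__":
    key = recover_single_byte_key(OBFUSCATED_BLOB, crib=b"irc-pass")
    if key is None:
        print("no key found; candidates:", candidate_keys(OBFUSCATED_BLOB))
    else:
        print(f"key=0x{key:02x} plaintext={xor_bytes(OBFUSCATED_BLOB, bytes([key]))!r}")
```

A crib is the cheapest way to disambiguate: without one, several of the 256 keys can yield printable output, so `candidate_keys` is the fallback for manual review. For a repeating multi-byte key the same `xor_bytes` applies, but key recovery then needs a per-position analysis rather than a 256-way brute force.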