| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Shark binaries have been named |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Shark can send DNS C2 communications using a unique domain generation algorithm.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1008 | Fallback Channels | Shark can update its configuration to use a different C2 server.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Shark has the ability to use HTTP in C2 communications.[1][2] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1074 | Data Staged | Shark has stored information in folders named |
| Enterprise | T1012 | Query Registry | Shark can query |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Shark can use encrypted and encoded files for C2 configuration.[1][2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Shark can delete files downloaded to the compromised host.[1] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Shark can stop execution if the screen width of the targeted machine is not over 600 pixels.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Shark can download additional files from its C2 via HTTP or DNS.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.[1] |
| Enterprise | T1029 | Scheduled Transfer | |