Turla: Techniques Used (Domain: Enterprise)

Access Token Manipulation: Create Process with Token - Turla RPC backdoors can impersonate or steal process tokens before executing commands.
Account Discovery: Local Account - Turla has used net user to enumerate local accounts on the system.
Account Discovery: Domain Account - Turla has used net user /domain to enumerate domain accounts.
Acquire Infrastructure: Web Services - Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.
Application Layer Protocol: Web Protocols - Turla has used HTTP and HTTPS for C2 communications.
Application Layer Protocol: Mail Protocols - Turla has used multiple backdoors which communicate with a C2 server via email attachments.
Archive Collected Data: Archive via Utility - Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.
Boot or Logon Autostart Execution: Winlogon Helper DLL - Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
Brute Force: Password Guessing - Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.
Command and Scripting Interpreter: PowerShell - Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject. Turla has also used PowerShell scripts to load and execute malware in memory.
Command and Scripting Interpreter: Windows Command Shell - Turla RPC backdoors have used cmd.exe to execute commands.
Command and Scripting Interpreter: Visual Basic