
DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.[1][2]

ID: G0079
Contributors: Oleg Skulkin, Group-IB
Version: 1.3
Created: 17 October 2018
Last Modified: 25 April 2025

Techniques Used

Domain | ID | Name | Use

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

DarkHydrus leveraged PowerShell to download and execute additional scripts.[1][2]

Enterprise | T1187 | Forced Authentication

DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3]

Enterprise | T1564.003 | Hide Artifacts: Hidden Window

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool

DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.[1]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][3][2]

Enterprise | T1221 | Template Injection

DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3]

Enterprise | T1204.002 | User Execution: Malicious File

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2]
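The remote "attachedTemplate" loading described under Spearphishing Attachment, Template Injection and Forced Authentication above is visible statically in the document package: Word records the template as a relationship in word/_rels/settings.xml.rels, and a remote one carries TargetMode="External". The following Python check is an added example, not code from the ATT&CK page or from any referenced tool; it builds a constructed .docx in memory (the template URL and UNC path are placeholders) and reports any external attached-template target, which is the artifact a mail gateway or triage script would flag.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML package-relationship namespace and the attachedTemplate relationship type
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def build_docx(template_target=None, external=True):
    """Build a minimal, constructed .docx in memory (a test fixture, not a real sample).

    With template_target set, settings.xml.rels gets an attachedTemplate relationship;
    external=True marks it TargetMode="External", which is how a remote template is referenced.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr(SETTINGS_RELS,
                       f'<Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}"{mode}/></Relationships>')
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """Return (target, scheme) for every external attachedTemplate relationship.

    scheme is the URL scheme (http/https/file, ...) or "unc" for \\host\share targets;
    a local template such as Normal.dotm has no TargetMode="External" and is not reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # document declares no attached template at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            scheme = urlparse(target).scheme.lower()
            if not scheme and (target.startswith("\\\\") or target.startswith("//")):
                scheme = "unc"
            hits.append((target, scheme))
    return hits
```

Any non-empty result on an inbound document is worth quarantining for review; the target itself tells you whether the document fetches a template over HTTP(S) or reaches for a file share.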

Software

ID | Name | References | Techniques

S0154 | Cobalt Strike | [1][2] | Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation

S0002 | Mimikatz | [1][2] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0270 | RogueRobin | [1][4] | Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information: Command Obfuscation, Process Discovery, Screen Capture, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks, Web Service: Bidirectional Communication, Windows Management Instrumentation

References
