| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | SeaDuke compressed data with zlib prior to sending it over C2.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[3] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[3] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[4] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[4] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | SeaDuke C2 traffic has been encrypted with RC4 and AES.[2][3] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.[5] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SeaDuke can securely delete files, including deleting itself from the victim.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.[4] |
| Enterprise | T1078 | Valid Accounts | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[4] |
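The three persistence techniques in the table (T1547.001 Run keys, T1547.009 Startup-folder .lnk files, and T1546.003 WMI permanent event subscriptions) can all be enumerated from a single read-only host check. The script below is an added example and is not part of the ATT&CK page or of SeaDuke itself; it shows what a responder would run on a suspect Windows host to surface these mechanisms. The startup-timed WQL patterns it flags (`SystemUpTime`, `Win32_PerfFormattedData_PerfOS_System`) are a general heuristic for "run shortly after boot" filters and are an assumption, not SeaDuke's documented query.

```powershell
# Added example, not from the ATT&CK page or SeaDuke. Read-only hunt for the
# persistence mechanisms attributed to SeaDuke. Run from an elevated
# Windows PowerShell (5.1) or PowerShell 7 session on the host being examined.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Technique, [string]$Location, [string]$Value)
    $findings.Add([pscustomobject]@{ Technique = $Technique; Location = $Location; Value = $Value })
}

# --- T1547.001: Registry Run / RunOnce keys (machine and current-user hives) ---
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key              # Microsoft.Win32.RegistryKey
    foreach ($name in $item.GetValueNames()) {
        Add-Finding 'T1547.001' "$key\$name" ([string]$item.GetValue($name))
    }
}

# --- T1547.009: .lnk files in the per-user and all-users Startup folders, resolved to targets ---
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        Add-Finding 'T1547.009' $_.FullName ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
    }
}

# --- T1546.003: WMI permanent event subscriptions (filter -> consumer bindings) ---
# Get-CimInstance returns the Filter/Consumer reference properties as CimInstance
# objects; older tooling returns object-path strings like __EventFilter.Name="x".
# This helper accepts both forms.
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split '"')[1] }
    return $Ref.Name
}

$ns = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
    # CommandLineEventConsumer carries the command; ActiveScriptEventConsumer carries script text
    $payload = if ($c -and $c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c) { $c.ScriptText } else { '<consumer not found>' }
    $query   = if ($f) { $f.Query } else { '<filter not found>' }
    # Heuristic (assumption): filters keyed on uptime or the PerfOS_System class fire shortly after boot,
    # which matches the "execute after system startup" behaviour described for SeaDuke.
    $startupTimed = $query -match 'SystemUpTime|Win32_PerfFormattedData_PerfOS_System'
    $tag = if ($startupTimed) { 'T1546.003 (startup-timed)' } else { 'T1546.003' }
    Add-Finding $tag "Filter '$fName' -> Consumer '$cName'" ("Query: {0} | Runs: {1}" -f $query, $payload)
}

# Any WMI binding at all is rare on a workstation and worth a manual look;
# Run-key and Startup .lnk entries need triage against known-good software.
$findings | Sort-Object Technique | Format-Table -AutoSize -Wrap
```

Triage each hit by resolving the executable it launches and checking its signature, path and creation time; a binding whose consumer points at a recently written, unsigned binary in a user-writable directory is the pattern to escalate. The script does not modify anything, so it is safe to run during live response before imaging.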