  • T7-24-02-M-NE-CDEGLN
  • SMBGhost + Tedy Spyware

    This attack combines T2-24-01-S-N-CL and T6-24-02-S-E-DEGN. Two kinds of logs are collected for it: a network packet capture (pcap) and Windows event logs (evtx).

    1. Reverse shell connection by exploiting the SMBGhost vulnerability
    2. Download of the spyware from a malware hosting server and execution on the victim
    3. System settings changes and information collection with PowerShell scripts

    The attacker establishes a reverse shell through the Windows 10 SMB vulnerability using the T2-24-01-S-N-CL attack. Using curl commands, the attacker then downloads and executes Tedy Spyware as in T6-24-02-S-E-DEGN. To evade Windows Defender detection, the spyware uses PowerShell scripts to perform system setup and information gathering, excluding itself from Windows Defender scanning.
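    For analysts working from the pcap of this scenario, the following is an added example (not part of the dataset or its run.py) of the check a detection rule applies to step 1: it parses the SMB2 compression transform header, the structure involved in CVE-2020-0796, and flags messages whose OriginalCompressedSegmentSize plus Offset wraps a 32-bit counter, which is the condition the vulnerable SMB server mishandles. The header layout follows MS-SMB2 section 2.2.42; the two sample messages are constructed here and are not taken from the dataset.

```python
import struct

# SMB2 compression transform header, MS-SMB2 section 2.2.42 (16 bytes):
#   ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2) | Flags (2) | Offset/Length (4)
COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
HEADER_LEN = 16
UINT32_MAX = 0xFFFFFFFF
FLAG_CHAINED = 0x0001  # when set, the last field is a Length rather than an Offset


def parse_compression_header(data: bytes):
    """Return the header fields as a dict, or None when `data` is not a compression transform header."""
    if len(data) < HEADER_LEN or data[:4] != COMPRESSION_PROTOCOL_ID:
        return None
    orig_size, algorithm, flags, offset = struct.unpack_from("<IHHI", data, 4)
    return {
        "original_size": orig_size,
        "algorithm": algorithm,
        "flags": flags,
        "offset": offset,
        "payload_len": len(data) - HEADER_LEN,
    }


def is_smbghost_candidate(data: bytes) -> bool:
    """True when an unchained header's OriginalCompressedSegmentSize + Offset exceeds 32 bits,
    the overflow precondition of the CVE-2020-0796 allocation bug."""
    hdr = parse_compression_header(data)
    if hdr is None or hdr["flags"] & FLAG_CHAINED:
        return False
    return hdr["original_size"] + hdr["offset"] > UINT32_MAX


def build_message(orig_size, algorithm, flags, offset, payload=b""):
    """Build a sample message; used only to construct the example inputs below."""
    return COMPRESSION_PROTOCOL_ID + struct.pack("<IHHI", orig_size, algorithm, flags, offset) + payload


# Constructed samples (not from the dataset's pcap): algorithm 0x0001 is LZNT1.
BENIGN_MESSAGE = build_message(4096, 0x0001, 0, 0, b"\x00" * 32)
SUSPICIOUS_MESSAGE = build_message(0xFFFFFFFF, 0x0001, 0, 0x10, b"\x00" * 32)  # sum wraps past 32 bits


def scan_messages(messages):
    """Return the indexes of messages that match the SMBGhost precondition."""
    return [i for i, m in enumerate(messages) if is_smbghost_candidate(m)]


if __name__ == "__main__":
    for i in scan_messages([BENIGN_MESSAGE, SUSPICIOUS_MESSAGE]):
        print(f"message {i}: SMB2 compression header with 32-bit OriginalCompressedSegmentSize+Offset overflow")
```

    To apply this to the dataset's pcap, feed each SMB2 message (the TCP payload after the 4-byte NetBIOS session header on port 445) to `is_smbghost_candidate`; compressed messages only appear after a negotiate that agreed on a compression algorithm, so a match on a freshly connected client is itself worth a closer look.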
  • Environment
              OS          IP              Software   Log collection time   Program runtime
    Attacker  Windows 11  192.168.56.1    -          170 sec               200 sec
    Victim    Windows 10  192.168.56.112  SMB

  • Installing
  • python3 -m pip install -r requirements.txt

  • Using
  • python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2024_02_T7_{time}.pcap # YYmmdd_HHMMSS
    ./log/2024_02_T7_{time}.evtx # YYmmdd_HHMMSS



  • References
  • [1] NIST [CVE-2020-0796]
    [2] ZecOps [CVE-2020-0796 Remote Code Execution POC]
    [3] ESTSECURITY [No.181 2024.10 ESRC Security Trend Report]
    [4] VirusTotal [28AB56D70469C88E4DDE1241C1A2F742202757D4C7AC5259C4308DDD74337045]
    [5] CTX [28AB56D70469C88E4DDE1241C1A2F742202757D4C7AC5259C4308DDD74337045]

  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.