Associated Software: SeaDaddy, SeaDesk
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | SeaDuke is capable of executing commands. |
| Enterprise | T1002 | Data Compressed | SeaDuke compressed data with zlib prior to sending it over C2. |
| Enterprise | T1132 | Data Encoding | SeaDuke C2 traffic is base64-encoded. |
| Enterprise | T1114 | Email Collection | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. |
| Enterprise | T1107 | File Deletion | SeaDuke can securely delete files, including deleting itself from the victim. |
| Enterprise | T1097 | Pass the Ticket | Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication. |
| Enterprise | T1086 | PowerShell | SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory. |
| Enterprise | T1105 | Remote File Copy | SeaDuke is capable of uploading and downloading files. |
| Enterprise | T1064 | Scripting | SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket. |
| Enterprise | T1023 | Shortcut Modification | SeaDuke is capable of persisting via a .lnk file stored in the Startup directory. |
| Enterprise | T1045 | Software Packing | SeaDuke has been packed with the UPX packer. |
| Enterprise | T1071 | Standard Application Layer Protocol | SeaDuke uses HTTP and HTTPS for C2. |
| Enterprise | T1032 | Standard Cryptographic Protocol | SeaDuke C2 traffic has been encrypted with RC4 and AES. |
| Enterprise | T1078 | Valid Accounts | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup. |
Groups that use this software: APT29
References:
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.