NDiskMonitor
NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [1]
ID: S0272
Aliases: NDiskMonitor
Type: MALWARE
Platforms: Windows
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
NDiskMonitor | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1083 | File and Directory Discovery | NDiskMonitor can obtain a list of all files and directories as well as logical drives.[1] |
Enterprise | T1105 | Remote File Copy | NDiskMonitor can download and execute a file from a given URL.[1] |
Enterprise | T1032 | Standard Cryptographic Protocol | NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.[1] |
Enterprise | T1082 | System Information Discovery | NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.[1] |
Enterprise | T1033 | System Owner/User Discovery | NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.[1] |
Groups
Groups that use this software:
Patchwork