AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]
Name | Description
---|---
Roptimizer |
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | AuditCred can open a reverse shell on the system to execute commands.[1]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service |
Enterprise | T1140 | Deobfuscate/Decode Files or Information | AuditCred uses XOR and RC4 to perform decryption on the code functions.[1]
Enterprise | T1083 | File and Directory Discovery | AuditCred can search through folders and files on the system.[1]
Enterprise | T1070.004 | Indicator Removal: File Deletion |
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Enterprise | T1055 | Process Injection | AuditCred can inject code from files to other running processes.[1]
Enterprise | T1090 | Proxy |
ID | Name | References
---|---|---
G0032 | Lazarus Group |