AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[1]

ID: S0347
Associated Software: Roptimizer
Platforms: Windows
Version: 1.0

Associated Software Descriptions

| Name | Description |
|---|---|
| Roptimizer | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | AuditCred can open a reverse shell on the system to execute commands. [1] |
| Enterprise | T1043 | Commonly Used Port | AuditCred has used Port Number 443 for C2 communications. [1] |
| Enterprise | T1090 | Connection Proxy | AuditCred can utilize proxy for communications. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | AuditCred uses XOR and RC4 to perform decryption on the code functions. [1] |
| Enterprise | T1083 | File and Directory Discovery | AuditCred can search through folders and files on the system. [1] |
| Enterprise | T1107 | File Deletion | AuditCred can delete files from the system. [1] |
| Enterprise | T1050 | New Service | AuditCred is installed as a new service on the system. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | AuditCred encrypts the configuration. [1] |
| Enterprise | T1055 | Process Injection | AuditCred can inject code from files to other running processes. [1] |
| Enterprise | T1105 | Remote File Copy | AuditCred can download files and additional malware. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [1] |