Group: Turla, Waterbug

From ATT&CK
ID: G0010
Aliases: Turla, Waterbug

Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.[1]

Techniques Used

  • Process Discovery - Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1]
  • System Service Discovery - Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1]
  • Local Network Connections Discovery - Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[1]
  • Remote System Discovery - Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands.[1]
  • System Information Discovery - Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[1]
  • Query Registry - Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1]
  • File and Directory Discovery - Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, and the Program Files directory.[1]
  • Brute Force - Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1]
  • System Time Discovery - Turla surveys a system upon check-in to discover the system time by using the net time command.[1]
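
The check-in survey listed above runs many discovery commands in quick succession, which gives defenders something to correlate. The following added example (not part of the ATT&CK page) maps process-creation command lines to the techniques listed and flags a parent process that covers several of them within a short window. The 120-second window, the threshold of four techniques, the event tuple layout and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands named in the technique list above, keyed by the technique they map to.
SURVEY = {
    "Process Discovery": r"tasklist(\.exe)?\s+/v\b",
    "System Service Discovery": r"tasklist(\.exe)?\s+/svc\b",
    "Local Network Connections Discovery": r"(netstat(\.exe)?\s+-an\b|net(\.exe)?\s+(use|file|session)\s*$)",
    "Remote System Discovery": r"net(\.exe)?\s+view\b",
    "System Information Discovery": r"(systeminfo(\.exe)?\b|set\s*$)",
    "Query Registry": r"reg(\.exe)?\s+query\b",
    "System Time Discovery": r"net(\.exe)?\s+time\b",
}

def classify(cmdline):
    # Normalise case and drop a leading "cmd /c" wrapper before matching.
    cmd = re.sub(r"^cmd(\.exe)?\s+/c\s+", "", cmdline.strip().lower())
    for technique, pattern in SURVEY.items():
        if re.match(pattern, cmd):
            return technique
    return None

def find_survey_bursts(events, window=timedelta(seconds=120), min_techniques=4):
    """events: (iso_time, host, parent_pid, cmdline) tuples (assumed layout)."""
    by_parent = defaultdict(list)
    for ts, host, ppid, cmdline in events:
        technique = classify(cmdline)
        if technique:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), technique))
    alerts = []
    for (host, ppid), hits in sorted(by_parent.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct techniques seen from this parent inside the window.
            seen = {t for when, t in hits[i:] if when - start <= window}
            if len(seen) >= min_techniques:
                alerts.append((host, ppid, sorted(seen)))
                break
    return alerts

# Constructed process-creation records (not from the page or any real incident).
SAMPLE = [
    ("2024-01-01T10:00:00", "WS01", 4120, "cmd.exe /c systeminfo"),
    ("2024-01-01T10:00:02", "WS01", 4120, "cmd.exe /c tasklist /v"),
    ("2024-01-01T10:00:05", "WS01", 4120, "cmd.exe /c netstat -an"),
    ("2024-01-01T10:00:07", "WS01", 4120, "cmd.exe /c net view /DOMAIN"),
    ("2024-01-01T09:00:00", "WS02", 900, "tasklist /v"),
]
if __name__ == "__main__":
    print(find_survey_bursts(SAMPLE))
```

Each of these commands is routine for administrators on its own; the signal is the number of distinct techniques launched by one parent in a short interval, so tune the threshold against your own baseline.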

Software