{"description": "Enterprise techniques used by Ebury, ATT&CK software S0377 (v2.0)", "name": "Ebury (S0377)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has used DNS requests over UDP port 53 for C2.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1020", "comment": "If credentials are not collected for two weeks, [Ebury](https://attack.mitre.org/software/S0377) encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.(Citation: ESET Windigo Mar 2014)(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Ebury](https://attack.mitre.org/software/S0377) can use the commands `Xcsh` or `Xcls` to open a shell with [Ebury](https://attack.mitre.org/software/S0377)-level permissions and `Xxsh` to open a shell with root-level permissions.(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has used Python to implement its DGA.(Citation: ESET Ebury Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1554", "comment": "[Ebury](https://attack.mitre.org/software/S0377) modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library.(Citation: ESET Ebury Feb 2014)(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has encoded C2 traffic in 
hexadecimal format.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.(Citation: ESET Ebury Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has used a DGA to generate a domain name for C2.(Citation: ESET Ebury Feb 2014)(Citation: ESET Ebury Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has encrypted C2 traffic using the client IP address as the key, then encoded it as a hexadecimal string.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Ebury](https://attack.mitre.org/software/S0377) exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's `known_hosts` files and `wtmp` records. 
[Ebury](https://attack.mitre.org/software/S0377) can exfiltrate SSH credentials through custom DNS queries or use the command `Xcat` to send the credentials of the current process's SSH session to the C2 server.(Citation: ESET Windigo Mar 2014)(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has implemented a fallback mechanism to begin using a DGA when the attacker has not connected to the infected system for three days.(Citation: ESET Ebury Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.006", "comment": "When [Ebury](https://attack.mitre.org/software/S0377) is loaded into an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module into programs launched by SSH sessions. [Ebury](https://attack.mitre.org/software/S0377) hooks the following `libc` functions to inject into subprocesses: `system`, `popen`, `execve`, `execvpe`, `execv`, `execvp`, and `execl`.(Citation: ESET Ebury Oct 2017)(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Ebury](https://attack.mitre.org/software/S0377) can disable SELinux Role-Based Access Control and deactivate PAM modules.(Citation: ESET Ebury Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.006", "comment": "[Ebury](https://attack.mitre.org/software/S0377) hooks system functions to hide its malicious files from the user (`readdir`, `realpath`, `readlink`, `stat`, `open`, and variants), hide its process activity from tools such as `ps` (`readdir64`), and hide its socket activity (`open` and `fopen`).(Citation: ESET Ebury Feb 2014)(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1562.012", "comment": "[Ebury](https://attack.mitre.org/software/S0377) disables OpenSSH, system (`systemd`), and audit (`/sbin/auditd`) logging when the backdoor is active.(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "[Ebury](https://attack.mitre.org/software/S0377) can intercept private keys using a trojanized ssh-add function.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.003", "comment": "[Ebury](https://attack.mitre.org/software/S0377) can deactivate PAM modules to tamper with the sshd configuration.(Citation: ESET Ebury Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has obfuscated its strings with a simple XOR cipher using a static key.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1014", "comment": "[Ebury](https://attack.mitre.org/software/S0377) acts as a userland rootkit using the SSH service.(Citation: ESET Ebury Oct 2017)(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[Ebury](https://attack.mitre.org/software/S0377) is loaded through a trojanized `keyutils` shared library (`libkeyutils.so`) used by legitimate versions of `OpenSSH` and `libcurl`.(Citation: ESET Ebury May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Ebury](https://attack.mitre.org/software/S0377) has installed a self-signed RPM package mimicking the original system package on RPM-based systems.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": 
"[Ebury](https://attack.mitre.org/software/S0377) has intercepted unencrypted private keys as well as private key passphrases.(Citation: ESET Ebury Feb 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Ebury", "color": "#66b1ff"}]}
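The T1562.006 and T1014 entries above describe a userland rootkit that hides files by hooking libc's `readdir`/`readdir64`. One practical check for that class of hiding, given here as an added example that is not part of the ATT&CK layer, MITRE's tooling or ESET's research: list a directory twice, once through the raw `getdents64` syscall (which a libc-level hook cannot intercept) and once through `readdir`, and report any name the kernel returns that libc does not. The function names (`raw_count`, `libc_count`, `find_hidden`), the `struct linux_dirent64` declaration and the default path `/lib` are the example's own; it assumes Linux and a build that itself was not started under the attacker's `LD_PRELOAD`.

```c
/* Added example: detect readdir-level file hiding by diffing a raw
 * getdents64 listing against libc's readdir(). Linux only.
 * Not taken from ATT&CK, MITRE or ESET; all names are this example's own. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 8192
#define NAME_LEN 256

/* Record layout returned by getdents64; glibc does not expose it, so it is
 * declared here (matches the kernel's struct linux_dirent64). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static char raw_names[MAX_ENTRIES][NAME_LEN];
static char libc_names[MAX_ENTRIES][NAME_LEN];

/* Directory listing straight from the kernel: bypasses readdir/readdir64
 * hooks in a preloaded or trojanized shared library. Returns entry count or -1. */
int raw_count(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    static char buf[65536];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread < 0) { close(fd); return -1; }
        if (nread == 0) break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (n < MAX_ENTRIES) {
                strncpy(raw_names[n], d->d_name, NAME_LEN - 1);
                raw_names[n][NAME_LEN - 1] = '\0';
                n++;
            }
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Directory listing through libc: this is the path a userland rootkit hooks.
 * Returns entry count or -1. */
int libc_count(const char *path) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (n < MAX_ENTRIES) {
            strncpy(libc_names[n], e->d_name, NAME_LEN - 1);
            libc_names[n][NAME_LEN - 1] = '\0';
            n++;
        }
    }
    closedir(dir);
    return n;
}

/* Returns how many names the kernel reports that libc omits (-1 on error).
 * On a quiet directory a non-zero result indicates readdir-level hiding; on a
 * busy one, re-run to rule out files created or removed between listings. */
int find_hidden(const char *path) {
    int nraw = raw_count(path);
    int nlibc = libc_count(path);
    if (nraw < 0 || nlibc < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int seen = 0;
        for (int j = 0; j < nlibc; j++) {
            if (strcmp(raw_names[i], libc_names[j]) == 0) { seen = 1; break; }
        }
        if (!seen) {
            printf("hidden from readdir: %s/%s\n", path, raw_names[i]);
            hidden++;
        }
    }
    return hidden;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/lib";   /* default path is an assumption */
    int h = find_hidden(path);
    if (h < 0) { perror(path); return 2; }
    printf("%s: %d entr%s hidden from libc readdir\n", path, h, h == 1 ? "y" : "ies");
    return h > 0 ? 1 : 0;
}
```

Because the T1562.006 entry says Ebury also hooks `open` and its variants, and the `syscall()` wrapper lives in the same libc, build this with `-static` and run it from trusted media rather than from the suspect host's own toolchain; a clean result here does not rule out the LD_PRELOAD and `libkeyutils` replacement the T1574.006 and T1129 entries describe, which are better checked by inspecting `/etc/ld.so.preload` and the libraries mapped into the running `sshd`.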