| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Netwalker has been written in PowerShell and executed directly in memory, avoiding detection. |
| enterprise | T1059.003 | Windows Command Shell | Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload. |
| enterprise | T1486 | Data Encrypted for Impact | Netwalker can encrypt files on infected machines to extort victims. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Netwalker can detect and terminate active security software-related processes on infected systems. |
| enterprise | T1105 | Ingress Tool Transfer | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload. |
| enterprise | T1490 | Inhibit System Recovery | Netwalker can delete the infected system's Shadow Volumes to prevent recovery. |
| enterprise | T1570 | Lateral Tool Transfer | Operators deploying Netwalker have used psexec to copy the Netwalker payload across accessible systems. |
| enterprise | T1112 | Modify Registry | Netwalker can add the following registry entry: `HKEY_CURRENT_USER\SOFTWARE\{8 random characters}`. |
| enterprise | T1106 | Native API | Netwalker can use Windows API functions to inject the ransomware DLL. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | Netwalker's DLL has been embedded within the PowerShell script in hex format. |
| enterprise | T1027.010 | Command Obfuscation | Netwalker's PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | The Netwalker DLL has been injected reflectively into the memory of a legitimate running process. |
| enterprise | T1489 | Service Stop | Netwalker can terminate system processes and services, some of which relate to backup software. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Netwalker can detect and terminate active security software-related processes on infected systems. |
| enterprise | T1082 | System Information Discovery | Netwalker can determine the system architecture it is running on to choose which version of the DLL to use. |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload. |
| enterprise | T1047 | Windows Management Instrumentation | Netwalker can use WMI to delete Shadow Volumes. |