S1024 CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]

ID: S1024
Associated Names:
Type: MALWARE
Version: 1.0
Created: 08 July 2022
Last Modified: 08 August 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | CreepySnail can use HTTP for C2.[1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | CreepySnail can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[1]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | CreepySnail can use Base64 to encode its C2 traffic.[1]
enterprise | T1041 | Exfiltration Over C2 Channel | CreepySnail can connect to C2 for data exfiltration.[1]
enterprise | T1016 | System Network Configuration Discovery | CreepySnail can use getmac and Get-NetIPAddress to enumerate network settings.[1]
enterprise | T1033 | System Owner/User Discovery | CreepySnail can execute getUsername on compromised systems.[1]
enterprise | T1078 | Valid Accounts | -
enterprise | T1078.002 | Domain Accounts | CreepySnail can use stolen credentials to authenticate on target networks.[1]

Groups That Use This Software

ID | Name | References
G1005 | POLONIUM | [1]

References