The KeyBoys are back in town
Summary
The analysis starts with a Microsoft Word document named 2017 Q4 Work Plan.docx (with a hash of 292843976600e8ad2130224d70356bfc), which was created on 2017-10-11 by a user called “Admin”, and first uploaded to VirusTotal, a website and file scanning service, on the same day, by a user in South Africa.
Curiously, the Word document does not contain any macros, or even an exploit. Rather, it uses a technique recently reported on by SensePost, in which an attacker crafts a Microsoft Word document that uses the Dynamic Data Exchange (DDE) protocol. DDE traditionally allows for the sending of messages between applications that share data, for example from Word to Excel or vice versa. In the case reported on by SensePost, this allowed for the fetching or downloading of remote payloads, using PowerShell for example.
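To make the summary concrete from the defender's side, here is an added example (not from the original pulse, and not SensePost's code) that inspects a .docx for DDE or DDEAUTO field instructions, which is what the technique described above relies on. The element names come from the WordprocessingML schema; the document-building helper and both sample documents (including the placeholder program and arguments in the DDEAUTO field) are constructed for this example only.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml and the other word/*.xml parts.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instructions that invoke DDE. The technique SensePost described uses
# DDEAUTO; Word also honours a plain DDE field, so both are flagged.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Yield every field instruction string found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    # Simple fields keep the whole instruction in the w:instr attribute.
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    # Complex fields spread the instruction over one or more w:instrText runs
    # between fldChar begin/end markers. Joining all instrText within a paragraph
    # reassembles an instruction that was split across runs, which is a common
    # way to defeat naive substring matching.
    for para in root.iter(W + "p"):
        parts = [t.text or "" for t in para.iter(W + "instrText")]
        if parts:
            yield "".join(parts)


def scan_docx(data):
    """Return [(part_name, instruction), ...] for every DDE field in the .docx bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Fields can live in headers, footers and footnotes as well as the body.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        hits.append((name, instr.strip()))
            except ET.ParseError:
                continue  # not a well-formed part; nothing to inspect here
    return hits


def has_dde(data):
    """True if the document contains at least one DDE/DDEAUTO field."""
    return bool(scan_docx(data))


def build_sample_docx(body_xml):
    """Constructed minimal .docx (zip container) around the given body XML.
    Test scaffolding for this example, not a document produced by Word."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml)
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample 1: an ordinary document with a harmless DATE field.
SAMPLE_BENIGN = build_sample_docx(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>11 October 2017</w:t></w:r></w:fldSimple></w:p>'
)

# Constructed sample 2: a DDEAUTO field whose instruction is split across two
# instrText runs; the program and arguments are placeholders, not a real command.
SAMPLE_DDE = build_sample_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO "example-program" </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"example-arguments" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>placeholder display text</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # scan a real file given on the command line
            print(scan_docx(fh.read()))
    else:
        print("benign:", scan_docx(SAMPLE_BENIGN))
        print("dde:   ", scan_docx(SAMPLE_DDE))
```

Run it with a path argument to scan a real file, or without one to see the two constructed samples. The check walks every XML part under word/ rather than only document.xml because fields in headers, footers and footnotes fire just as readily, and it concatenates split instrText runs so that an instruction broken across runs is still reassembled before matching.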
Created: 2026-02-23
Indicators
Similar Pulses
Threat actors related to this Pulse (fact-based)
Score: 12.99
Matched TTPs:
- T1044 - File System Permissions Weakness
- T1087.002 - Domain Account
- T1562.001 - Disable or Modify Tools
- T1547.008 - LSASS Driver
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 8.99
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1573 - Encrypted Channel
- T1622 - Debugger Evasion
Link to MITRE →
Score: 20.41
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1011.001 - Exfiltration Over Bluetooth
- T1588.001 - Malware
- T1562.001 - Disable or Modify Tools
- T1573 - Encrypted Channel
- T1547.002 - Authentication Package
- T1622 - Debugger Evasion
Link to MITRE →
Score: 14.97
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1558.001 - Golden Ticket
- T1547.002 - Authentication Package
- T1059.013 - Container CLI/API
Link to MITRE →
Score: 6.60
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
Link to MITRE →
Score: 31.43
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1204.003 - Malicious Image
- T1547.002 - Authentication Package
- T1197 - BITS Jobs
- T1059.012 - Hypervisor CLI
- T1200 - Hardware Additions
- T1668 - Exclusive Control
- T1588.003 - Code Signing Certificates
- T1055.008 - Ptrace System Calls
Link to MITRE →
Score: 8.57
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1547.002 - Authentication Package
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 4.41
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
Link to MITRE →
Score: 10.97
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
- T1622 - Debugger Evasion
- T1546.017 - Udev Rules
Link to MITRE →
Score: 6.50
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
Link to MITRE →
Score: 4.41
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
Link to MITRE →
Score: 13.29
Matched TTPs:
- T1206 - Sudo Caching
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1059.012 - Hypervisor CLI
- T1622 - Debugger Evasion
- T1008 - Fallback Channels
Link to MITRE →
Score: 4.06
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1547.002 - Authentication Package
Link to MITRE →
Score: 24.07
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
- T1204.003 - Malicious Image
- T1547.002 - Authentication Package
- T1197 - BITS Jobs
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
- T1003.003 - NTDS
- T1008 - Fallback Channels
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 13.82
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1204.003 - Malicious Image
- T1573 - Encrypted Channel
- T1059.012 - Hypervisor CLI
- T1200 - Hardware Additions
- T1622 - Debugger Evasion
Link to MITRE →
Score: 4.06
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
Link to MITRE →
Score: 6.71
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
- T1008 - Fallback Channels
Link to MITRE →
Score: 6.16
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
- T1562.001 - Disable or Modify Tools
Link to MITRE →
Score: 5.95
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 7.00
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1200 - Hardware Additions
Link to MITRE →
Score: 5.08
Matched TTPs:
- T1087.002 - Domain Account
- T1059.012 - Hypervisor CLI
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 3.85
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
Link to MITRE →
Score: 4.81
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1200 - Hardware Additions
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 5.50
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1622 - Debugger Evasion
Link to MITRE →
Score: 4.83
Matched TTPs:
- T1087.002 - Domain Account
- T1547.002 - Authentication Package
- T1622 - Debugger Evasion
Link to MITRE →
Score: 6.06
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1622 - Debugger Evasion
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 11.70
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1573 - Encrypted Channel
- T1059.012 - Hypervisor CLI
- T1546.017 - Udev Rules
Link to MITRE →
Score: 4.65
Matched TTPs:
- T1087.002 - Domain Account
- T1588.001 - Malware
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 5.71
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1547.002 - Authentication Package
- T1622 - Debugger Evasion
Link to MITRE →
Score: 4.33
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1204.003 - Malicious Image
Link to MITRE →
Score: 6.91
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
- T1546.017 - Udev Rules
Link to MITRE →
Score: 10.90
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 15.30
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1592.002 - Software
- T1622 - Debugger Evasion
- T1547.008 - LSASS Driver
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 9.39
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
- T1573 - Encrypted Channel
- T1547.002 - Authentication Package
Link to MITRE →
Score: 16.28
Matched TTPs:
- T1087.002 - Domain Account
- T1588.001 - Malware
- T1562.001 - Disable or Modify Tools
- T1204.003 - Malicious Image
- T1547.002 - Authentication Package
- T1059.012 - Hypervisor CLI
- T1622 - Debugger Evasion
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 4.33
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1204.003 - Malicious Image
Link to MITRE →
Score: 3.31
Matched TTPs:
- T1087.002 - Domain Account
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 4.81
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1200 - Hardware Additions
Link to MITRE →
Score: 4.19
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 4.19
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 17.24
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
- T1562.001 - Disable or Modify Tools
- T1547.002 - Authentication Package
- T1059.012 - Hypervisor CLI
- T1622 - Debugger Evasion
- T1547.008 - LSASS Driver
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 12.86
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1588.001 - Malware
- T1622 - Debugger Evasion
- T1547.008 - LSASS Driver
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 10.55
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1573 - Encrypted Channel
- T1197 - BITS Jobs
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 4.81
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1546.017 - Udev Rules
Link to MITRE →
Score: 4.81
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1546.017 - Udev Rules
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 10.56
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1592.004 - Client Configurations
- T1059.012 - Hypervisor CLI
- T1008 - Fallback Channels
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 8.30
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1552.002 - Credentials in Registry
- T1588.001 - Malware
Link to MITRE →
Score: 11.13
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1169 - Sudo
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 4.81
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1546.017 - Udev Rules
Link to MITRE →
Score: 22.70
Matched TTPs:
- T1087.002 - Domain Account
- T1069.002 - Domain Groups
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1562.001 - Disable or Modify Tools
- T1547.002 - Authentication Package
- T1059.013 - Container CLI/API
- T1200 - Hardware Additions
- T1546.017 - Udev Rules
Link to MITRE →
Score: 3.43
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 21.39
Matched TTPs:
- T1087.002 - Domain Account
- T1069.002 - Domain Groups
- T1598.003 - Spearphishing Link
- T1592.004 - Client Configurations
- T1588.001 - Malware
- T1562.001 - Disable or Modify Tools
- T1059.012 - Hypervisor CLI
- T1668 - Exclusive Control
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 6.81
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
- T1556 - Modify Authentication Process
Link to MITRE →
Score: 5.71
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
- T1622 - Debugger Evasion
Link to MITRE →
Score: 6.28
Matched TTPs:
- T1087.002 - Domain Account
- T1498 - Network Denial of Service
- T1622 - Debugger Evasion
Link to MITRE →
Score: 10.70
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1592.004 - Client Configurations
- T1204.003 - Malicious Image
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 7.00
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1200 - Hardware Additions
Link to MITRE →
Score: 5.95
Matched TTPs:
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1059.012 - Hypervisor CLI
- T1547.008 - LSASS Driver
Link to MITRE →
Score: 17.71
Matched TTPs:
- T1598.003 - Spearphishing Link
- T1588.001 - Malware
- T1573 - Encrypted Channel
- T1002 - Data Compressed
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
- T1008 - Fallback Channels
Link to MITRE →
Score: 6.92
Matched TTPs:
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1588.001 - Malware
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 10.12
Matched TTPs:
- T1598.003 - Spearphishing Link
- T1487 - Disk Structure Wipe
- T1204.003 - Malicious Image
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
Link to MITRE →
Score: 11.46
Matched TTPs:
- T1487 - Disk Structure Wipe
- T1562.001 - Disable or Modify Tools
- T1668 - Exclusive Control
- T1003.003 - NTDS
Link to MITRE →
Score: 4.85
Matched TTPs:
- T1487 - Disk Structure Wipe
- T1204.003 - Malicious Image
Link to MITRE →
Score: 8.99
Matched TTPs:
- T1487 - Disk Structure Wipe
- T1204.003 - Malicious Image
- T1055.008 - Ptrace System Calls
Link to MITRE →
Score: 3.83
Matched TTPs:
- T1487 - Disk Structure Wipe
- T1622 - Debugger Evasion
Link to MITRE →
Score: 9.25
Matched TTPs:
- T1487 - Disk Structure Wipe
- T1204.003 - Malicious Image
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
Link to MITRE →
Score: 6.49
Matched TTPs:
- T1588.001 - Malware
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
Link to MITRE →
Score: 4.49
Matched TTPs:
- T1588.001 - Malware
- T1547.002 - Authentication Package
Link to MITRE →
Score: 6.49
Matched TTPs:
- T1588.001 - Malware
- T1668 - Exclusive Control
- T1622 - Debugger Evasion
Link to MITRE →
Score: 7.59
Matched TTPs:
- T1588.001 - Malware
- T1622 - Debugger Evasion
- T1588.005 - Exploits
Link to MITRE →
Score: 7.93
Matched TTPs:
- T1588.001 - Malware
- T1547.002 - Authentication Package
- T1197 - BITS Jobs
Link to MITRE →
Score: 9.30
Matched TTPs:
- T1562.001 - Disable or Modify Tools
- T1059.013 - Container CLI/API
- T1008 - Fallback Channels
Link to MITRE →
Score: 4.43
Matched TTPs:
- T1204.003 - Malicious Image
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 4.69
Matched TTPs:
- T1573 - Encrypted Channel
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 4.16
Matched TTPs:
- T1547.002 - Authentication Package
- T1059.012 - Hypervisor CLI
Link to MITRE →
Score: 3.62
Matched TTPs:
- T1059.013 - Container CLI/API
Link to MITRE →
Score: 12.78
Matched TTPs:
- T1197 - BITS Jobs
- T1498 - Network Denial of Service
- T1622 - Debugger Evasion
- T1588.005 - Exploits
Link to MITRE →
Score: 3.41
Matched TTPs:
- T1059.012 - Hypervisor CLI
- T1622 - Debugger Evasion
Link to MITRE →
Score: 4.13
Matched TTPs:
- T1130 - Install Root Certificate
Link to MITRE →
Score: 4.13
Matched TTPs:
- T1130 - Install Root Certificate
Link to MITRE →
Score: 6.59
Matched TTPs:
- T1498 - Network Denial of Service
- T1556 - Modify Authentication Process
Link to MITRE →
Threat actors related to this Pulse (inference-based)
Score: 0.80
Matched TTPs:
- T1197 - BITS Jobs
- T1087.002 - Domain Account
- T1487 - Disk Structure Wipe
- T1598.003 - Spearphishing Link
- T1200 - Hardware Additions
- T1547.002 - Authentication Package
- T1668 - Exclusive Control
- T1059.012 - Hypervisor CLI
- T1588.003 - Code Signing Certificates
- T1055.008 - Ptrace System Calls
- T1206 - Sudo Caching
- T1204.003 - Malicious Image
Link to MITRE →
Score: 0.60
Matched TTPs:
- T1197 - BITS Jobs
- T1087.002 - Domain Account
- T1008 - Fallback Channels
- T1598.003 - Spearphishing Link
- T1547.002 - Authentication Package
- T1668 - Exclusive Control
- T1588.001 - Malware
- T1003.003 - NTDS
- T1622 - Debugger Evasion
- T1204.003 - Malicious Image
Link to MITRE →
Score: 0.59
Matched TTPs:
- T1087.002 - Domain Account
- T1487 - Disk Structure Wipe
- T1069.002 - Domain Groups
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
- T1546.017 - Udev Rules
- T1200 - Hardware Additions
- T1547.002 - Authentication Package
- T1059.013 - Container CLI/API
Link to MITRE →
Score: 0.57
Matched TTPs:
- T1087.002 - Domain Account
- T1069.002 - Domain Groups
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
- T1059.012 - Hypervisor CLI
- T1556 - Modify Authentication Process
- T1668 - Exclusive Control
- T1588.001 - Malware
- T1592.004 - Client Configurations
Link to MITRE →
Score: 0.56
Matched TTPs:
- T1011.001 - Exfiltration Over Bluetooth
- T1087.002 - Domain Account
- T1598.003 - Spearphishing Link
- T1562.001 - Disable or Modify Tools
- T1573 - Encrypted Channel
- T1547.002 - Authentication Package
- T1588.001 - Malware
- T1622 - Debugger Evasion
- T1206 - Sudo Caching
Link to MITRE →
Related CVEs
No CVEs were found in this Pulse.
Pulse – Threat actor graph