Obtain/re-use payloads (PRE-ATT&CK)
A payload is the part of malware that performs the malicious action. An adversary may re-use an existing payload, rather than develop a new one, when it already provides the needed capability. [1]
Procedure Examples
Name | Description |
---|---|
APT1 | |
APT28 | APT28 reused the SOURFACE downloader as the payload of a lure document.[3] |
Detection
Detectable by Common Defenses (Yes/No/Partial): No
Explanation: Adversaries will likely obtain payloads from code repositories, but detecting that acquisition would require the defender to be monitoring the specific repository where the payload is stored. If the adversary re-uses a payload, the defender can build signatures from its known indicators of compromise (e.g., file hashes). A hash only matches the exact bytes previously seen, so a recompiled or repacked build of the same payload will not match it; content-level indicators (distinctive strings, code patterns) survive such changes and are the more durable signature.
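The detection idea in the explanation above, as an added example that is not part of the original page or of ATT&CK: a small Python scanner that checks samples against a file-hash IOC and against content-level indicators, showing that a trivially repackaged copy of a re-used payload escapes the hash match but not the content match. The sample bytes, the hash and the patterns are all constructed here; the PDB path and User-Agent strings are invented for illustration, not real indicators.

```python
import hashlib

# Constructed stand-in for a re-used payload: a fake PE-like blob carrying a few
# distinctive strings. It is not real malware; every byte and string is invented.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"C:\\build\\downloader\\Release\\dl.pdb\x00"
    + b"Mozilla/4.0 (compatible; MSIE 6.0; Win32)\x00"
    + b"\x00" * 100
)

# A repackaged build of the same payload: identical code plus one trailing byte.
# This is the case a file-hash IOC fails to catch.
VARIANT_PAYLOAD = SAMPLE_PAYLOAD + b"\x01"

# Hash IOC. Here it is derived from the sample; in practice it would come from a
# threat report or a previous incident.
KNOWN_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Content IOCs: byte patterns that tend to survive recompilation or repacking of
# a re-used payload (a PDB path fragment and a hard-coded User-Agent). Invented.
KNOWN_PATTERNS = [
    b"\\downloader\\Release\\dl.pdb",
    b"Mozilla/4.0 (compatible; MSIE 6.0; Win32)",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes, known=KNOWN_SHA256) -> bool:
    """Exact-bytes match: fires only on the identical file."""
    return sha256_hex(data) in known


def match_patterns(data: bytes, patterns=KNOWN_PATTERNS) -> list:
    """Return the content IOCs present in the sample."""
    return [p for p in patterns if p in data]


def classify(data: bytes, min_hits: int = 2) -> str:
    """Verdict for one sample: 'hash' (exact IOC), 'pattern' (content IOCs), or 'none'.

    min_hits patterns must co-occur before a content match is reported, so that a
    single common string (such as a User-Agent) does not flag benign files.
    """
    if match_hash(data):
        return "hash"
    if len(match_patterns(data)) >= min_hits:
        return "pattern"
    return "none"


def scan(samples: dict) -> dict:
    """Run classify() over a name -> bytes mapping (e.g. files collected from a host)."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    results = scan({
        "original.exe": SAMPLE_PAYLOAD,
        "repacked.exe": VARIANT_PAYLOAD,
        "benign.txt": b"nothing to see here",
    })
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```

Running the block shows the original sample caught by the hash IOC, the repacked copy caught only by the content patterns, and the benign file untouched. In a real deployment the patterns would be expressed as YARA rules and the hash set fed from threat intelligence; the `min_hits` threshold is the knob that trades false positives against coverage.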
Difficulty for the Adversary
Easy for the Adversary (Yes/No): Yes
Explanation: Several exploit repositories and tool suites exist for re-use and tailoring.
References
- [1] Kurt Baumgartner. (2014, December 4). Sony/Destover: mystery North Korean actor's destructive and past network activity. Retrieved March 9, 2017.
- [2] Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.