Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, macOS, Windows | collection, credential-access | Input Capture | Sowbug has used keylogging tools. | Windows Registry, Kernel drivers, Process monitoring, API monitoring |
| Linux, macOS, Windows | collection | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Sowbug obtained OS version and hardware configuration from a victim. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | discovery | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. | File monitoring, Process monitoring, Process command-line parameters |
| Windows, Linux, macOS | credential-access | Credential Dumping | Sowbug has used credential dumping tools. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
| Linux, Windows, macOS | exfiltration | Data Compressed | Sowbug extracted documents and bundled them into a RAR archive. | Binary file metadata, File monitoring, Process command-line parameters, Process monitoring |
| macOS, Windows, AWS, GCP, Azure | discovery | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim. | Process monitoring, Process command-line parameters, Network protocol analysis, Process use of network |
| Linux, macOS, Windows | execution | Command-Line Interface | Sowbug has used command line during its intrusions. | Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion | Masquerading | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security. |
File monitoring, Process monitoring, Binary file metadata |