CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.(Citation: Microsoft POLONIUM June 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	1
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	1
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	1
CreepySnail - S1024 (d23de441-f9cf-4802-b1ff-f588a11a896b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2