Rocke
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed. (Citation: Talos Rocke August 2018)
Techniques: 36
Covered: 36
Gaps: 0
Coverage: 100% (36/36)
COVERED (36)
| Technique ID | Name | Detections |
|---|---|---|
| T1014 | Rootkit | 29 |
| T1018 | Remote System Discovery | 46 |
| T1021.004 | SSH | 31 |
| T1027 | Obfuscated Files or Information | 525 |
| T1027.002 | Software Packing | 1 |
| T1027.004 | Compile After Delivery | 9 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1037 | Boot or Logon Initialization Scripts | 25 |
| T1046 | Network Service Discovery | 49 |
| T1053.003 | Cron | 28 |
| T1055.002 | Portable Executable Injection | 6 |
| T1057 | Process Discovery | 18 |
| T1059.004 | Unix Shell | 149 |
| T1059.006 | Python | 43 |
| T1070.002 | Clear Linux or Mac System Logs | 8 |
| T1070.004 | File Deletion | 40 |
| T1070.006 | Timestomp | 9 |
| T1071 | Application Layer Protocol | 100 |
| T1071.001 | Web Protocols | 74 |
| T1082 | System Information Discovery | 80 |
| T1102 | Web Service | 33 |
| T1102.001 | Dead Drop Resolver | 7 |
| T1105 | Ingress Tool Transfer | 170 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | 17 |
| T1496.001 | Compute Hijacking | 2 |
| T1518.001 | Security Software Discovery | 8 |
| T1543.002 | Systemd Service | 12 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1552.004 | Private Keys | 20 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1562.004 | Disable or Modify System Firewall | 45 |
| T1564.001 | Hidden Files and Directories | 23 |
| T1571 | Non-Standard Port | 16 |
| T1574.006 | Dynamic Linker Hijacking | 24 |