| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and cliconfig.exe to bypass UAC protections. |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | During Operation Honeybee, threat actors registered domains for C2. |
| enterprise | T1583.004 | Server | For Operation Honeybee, at least one identified persona was used to register for a free account for a control server. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | During Operation Honeybee, the threat actors had the ability to use FTP for C2. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | During Operation Honeybee, the threat actors used batch files that allowed them to establish persistence by adding the following Registry key: `"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f`. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | During Operation Honeybee, various implants used batch scripting and cmd.exe for execution. |
| enterprise | T1059.005 | Visual Basic | For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | During Operation Honeybee, threat actors installed DLLs and backdoors as Windows services. |
| enterprise | T1005 | Data from Local System | During Operation Honeybee, the threat actors collected data from compromised hosts. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | During Operation Honeybee, stolen data was copied into a text file using the format `From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt` prior to compression, encoding, and exfiltration. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | During Operation Honeybee, malicious files were decoded prior to execution. |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.002 | Email Accounts | During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants. |
| enterprise | T1041 | Exfiltration Over C2 Channel | During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers. |
| enterprise | T1083 | File and Directory Discovery | During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.011 | Services Registry Permissions Weakness | During Operation Honeybee, the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the svchost.exe process. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files. |
| enterprise | T1105 | Ingress Tool Transfer | During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host. |
| enterprise | T1036 | Masquerading | During Operation Honeybee, the threat actors modified the MaoCheng dropper so its icon appeared as a Word document. |
| enterprise | T1036.005 | Match Legitimate Name or Location | During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC. |
| enterprise | T1112 | Modify Registry | During Operation Honeybee, the threat actors used batch files that modified registry keys. |
| enterprise | T1106 | Native API | During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`. |
| enterprise | T1027 | Obfuscated Files or Information | During Operation Honeybee, the threat actors used Base64 to encode files with a custom key. |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.004 | Digital Certificates | For Operation Honeybee, the threat actors stole a digital signature from Adobe Systems to use with their MaoCheng dropper. |
| enterprise | T1057 | Process Discovery | During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using `cmd /c tasklist > %temp%\temp.ini`. |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature. |
| enterprise | T1082 | System Information Discovery | During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using `cmd /c systeminfo > %temp%\temp.ini`. |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | During Operation Honeybee, threat actors ran `sc start` to start the COMSysApp as part of the service hijacking and `sc stop` to stop and reconfigure the COMSysApp. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | During Operation Honeybee, threat actors relied on a victim to enable macros within a malicious Word document. |
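Several rows above (the SvcHost registry key, the sc start/stop of COMSysApp, the tasklist and systeminfo redirects, and the cliconfig.exe/NTWDBLIB.DLL pairing) name concrete host artifacts a defender can hunt for. The following is an added detection example, not code from MITRE or the original Honeybee report: regex rules over process command lines plus an image-load check, run over constructed sample events (the event shape and samples are assumptions for the example).

```python
"""Added detection example for several Operation Honeybee rows above (not code from
MITRE or the original report). Rules are regexes over process command lines; the
record shape and the sample events below are constructed for the example."""
import re

# (ATT&CK ID, pattern). Strings come from the procedure descriptions in the table.
RULES = [
    # T1547.001: COMSysApp added to the SvcHost group key via a batch file
    ("T1547.001", re.compile(
        r'reg(?:\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows NT\\'
        r'CurrentVersion\\SvcHost"?.*?/v\s+COMSysApp', re.I)),
    # T1112: any registry write from the command line (broader, noisier rule)
    ("T1112", re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)),
    # T1569.002: sc start / sc stop against the hijacked COMSysApp service
    ("T1569.002", re.compile(r"\bsc(?:\.exe)?\s+(?:start|stop)\s+COMSysApp\b", re.I)),
    # T1057 / T1082: discovery output redirected into %temp%\temp.ini
    ("T1057", re.compile(r"\btasklist\b.*>\s*%temp%\\temp\.ini", re.I)),
    ("T1082", re.compile(r"\bsysteminfo\b.*>\s*%temp%\\temp\.ini", re.I)),
]

def match_cmdline(cmdline: str) -> list[str]:
    """Return the ATT&CK IDs whose rule matches this command line, in RULES order."""
    return [tid for tid, rx in RULES if rx.search(cmdline)]

def check_module_load(image: str, module: str) -> list[str]:
    """Image-load check: the table pairs cliconfig.exe with a malicious NTWDBLIB.DLL
    for the UAC bypass (T1548.002), so that process/module pair is flagged."""
    img = image.rsplit("\\", 1)[-1].lower()
    mod = module.rsplit("\\", 1)[-1].lower()
    return ["T1548.002"] if (img, mod) == ("cliconfig.exe", "ntwdblib.dll") else []

# Constructed sample events (not taken from the report); the last one is benign.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" '
    r'/v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f',
    r"sc stop COMSysApp",
    r"sc start COMSysApp",
    r"cmd /c tasklist > %temp%\temp.ini",
    r"cmd /c systeminfo > %temp%\temp.ini",
    r"cmd /c dir C:\Users",
]

def triage(cmdlines) -> dict[str, list[str]]:
    """Map each command line that hits at least one rule to its technique IDs."""
    return {c: hits for c in cmdlines if (hits := match_cmdline(c))}

if __name__ == "__main__":
    for cmd, ids in triage(SAMPLE_CMDLINES).items():
        print(", ".join(ids), "<-", cmd)
```

The T1112 rule is deliberately broad and will fire on legitimate administration; in practice it is a correlation input alongside the narrower SvcHost and COMSysApp rules rather than an alert on its own.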