| enterprise |
T1548 |
Abuse Elevation Control Mechanism |
- |
| enterprise |
T1548.002 |
Bypass User Account Control |
Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking. |
| enterprise |
T1071 |
Application Layer Protocol |
- |
| enterprise |
T1071.002 |
File Transfer Protocols |
Honeybee uses FTP for command and control. |
| enterprise |
T1560 |
Archive Collected Data |
Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server. |
| enterprise |
T1020 |
Automated Exfiltration |
Honeybee performs data exfiltration is accomplished through the following command-line command: from (- --).txt. |
| enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
| enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.003 |
Windows Command Shell |
Several commands are supported by the Honeybee‘s implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint. Honeybee used batch scripting. |
| enterprise |
T1059.005 |
Visual Basic |
Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. |
| enterprise |
T1543 |
Create or Modify System Process |
- |
| enterprise |
T1543.003 |
Windows Service |
Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL. |
| enterprise |
T1005 |
Data from Local System |
Honeybee collects data from the local victim system. |
| enterprise |
T1074 |
Data Staged |
- |
| enterprise |
T1074.001 |
Local Data Staging |
Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server. |
| enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro. |
| enterprise |
T1546 |
Event Triggered Execution |
- |
| enterprise |
T1546.009 |
AppCert DLLs |
Honeybee‘s service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser. |
| enterprise |
T1083 |
File and Directory Discovery |
Honeybee‘s service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords. |
| enterprise |
T1070 |
Indicator Removal on Host |
- |
| enterprise |
T1070.004 |
File Deletion |
Honeybee removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection. |
| enterprise |
T1112 |
Modify Registry |
Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process. |
| enterprise |
T1027 |
Obfuscated Files or Information |
Honeybee drops files with base64-encoded data. |
| enterprise |
T1057 |
Process Discovery |
Honeybee gathers a list of processes using the tasklist command and then is sent back to the control server. |
| enterprise |
T1055 |
Process Injection |
Honeybee uses a batch file to load a DLL into the svchost.exe process. |
| enterprise |
T1553 |
Subvert Trust Controls |
- |
| enterprise |
T1553.002 |
Code Signing |
Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems. |
| enterprise |
T1082 |
System Information Discovery |
Honeybee gathers computer name and information using the systeminfo command. |
| enterprise |
T1569 |
System Services |
- |
| enterprise |
T1569.002 |
Service Execution |
Honeybee launches a DLL file that gets executed as a service using svchost.exe |