| enterprise |
T1071 |
Application Layer Protocol |
- |
| enterprise |
T1071.001 |
Web Protocols |
Crimson can use a HTTP GET request to download its final payload. |
| enterprise |
T1123 |
Audio Capture |
Crimson can perform audio surveillance using microphones. |
| enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
| enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
Crimson can add Registry run keys for persistence. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.003 |
Windows Command Shell |
Crimson has the ability to execute commands with the COMSPEC environment variable. |
| enterprise |
T1555 |
Credentials from Password Stores |
- |
| enterprise |
T1555.003 |
Credentials from Web Browsers |
Crimson contains a module to steal credentials from Web browsers on the victim machine. |
| enterprise |
T1025 |
Data from Removable Media |
Crimson contains a module to collect data from removable drives. |
| enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
Crimson can decode its encoded PE file prior to execution. |
| enterprise |
T1114 |
Email Collection |
- |
| enterprise |
T1114.001 |
Local Email Collection |
Crimson contains a command to collect and exfiltrate emails from Outlook. |
| enterprise |
T1083 |
File and Directory Discovery |
Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list. |
| enterprise |
T1070 |
Indicator Removal on Host |
- |
| enterprise |
T1070.004 |
File Deletion |
Crimson has the ability to delete files from a compromised host. |
| enterprise |
T1105 |
Ingress Tool Transfer |
Crimson contains a command to retrieve files from its C2 server. |
| enterprise |
T1056 |
Input Capture |
- |
| enterprise |
T1056.001 |
Keylogging |
Crimson can use a module to perform keylogging on compromised hosts. |
| enterprise |
T1112 |
Modify Registry |
Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number. |
| enterprise |
T1095 |
Non-Application Layer Protocol |
Crimson uses a custom TCP protocol for C2. |
| enterprise |
T1120 |
Peripheral Device Discovery |
Crimson has the ability to discover pluggable/removable drives to extract files from. |
| enterprise |
T1057 |
Process Discovery |
Crimson contains a command to list processes. |
| enterprise |
T1012 |
Query Registry |
Crimson can check the Registry for the presence of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\last_edate to determine how long it has been installed on a host. |
| enterprise |
T1091 |
Replication Through Removable Media |
Crimson can spread across systems by infecting removable media. |
| enterprise |
T1113 |
Screen Capture |
Crimson contains a command to perform screen captures. |
| enterprise |
T1518 |
Software Discovery |
- |
| enterprise |
T1518.001 |
Security Software Discovery |
Crimson contains a command to collect information about anti-virus software on the victim. |
| enterprise |
T1082 |
System Information Discovery |
Crimson contains a command to collect the victim PC name, disk drive information, and operating system. |
| enterprise |
T1614 |
System Location Discovery |
Crimson can identify the geographical location of a victim host. |
| enterprise |
T1016 |
System Network Configuration Discovery |
Crimson contains a command to collect the victim MAC address and LAN IP. |
| enterprise |
T1033 |
System Owner/User Discovery |
Crimson can identify the user on a targeted system. |
| enterprise |
T1124 |
System Time Discovery |
Crimson has the ability to determine the date and time on a compromised host. |
| enterprise |
T1125 |
Video Capture |
Crimson can capture webcam video on targeted systems. |
| enterprise |
T1497 |
Virtualization/Sandbox Evasion |
- |
| enterprise |
T1497.003 |
Time Based Evasion |
Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload. |