Domain | ID | Name | Use
--- | --- | --- | ---
enterprise | T1134 | Access Token Manipulation | -
enterprise | T1134.002 | Create Process with Token | Bankshot obtains a logged-on user's token with WTSQueryUserToken and then creates a process under that user's identity, impersonating the logged-on user.
enterprise | T1087 | Account Discovery | -
enterprise | T1087.001 | Local Account | Bankshot gathers domain and account names/information through process monitoring.
enterprise | T1087.002 | Domain Account | Bankshot gathers domain and account names/information through process monitoring.
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Bankshot uses HTTP for command and control communication.
enterprise | T1119 | Automated Collection | Bankshot recursively generates a list of files within a directory and sends it back to the control server.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Bankshot uses the command-line interface to execute arbitrary commands.
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Bankshot can terminate a specific process by its process ID.
enterprise | T1132 | Data Encoding | -
enterprise | T1132.002 | Non-Standard Encoding | Bankshot encodes commands from the control server using a range of characters and gzip.
enterprise | T1005 | Data from Local System | Bankshot collects files from the local system.
enterprise | T1001 | Data Obfuscation | -
enterprise | T1001.003 | Protocol Impersonation | Bankshot generates a fake TLS handshake using a public certificate to disguise its C2 network communications.
enterprise | T1140 | Deobfuscate/Decode Files or Information | Bankshot decodes embedded XOR-encoded strings.
enterprise | T1041 | Exfiltration Over C2 Channel | Bankshot exfiltrates data over its C2 channel.
enterprise | T1203 | Exploitation for Client Execution | Bankshot exploits a zero-day vulnerability in Adobe Flash to execute the implant on victims' machines.
enterprise | T1083 | File and Directory Discovery | Bankshot searches for files on the victim's machine.
enterprise | T1070 | Indicator Removal | Bankshot deletes all artifacts associated with the malware from the infected machine.
enterprise | T1070.004 | File Deletion | Bankshot marks files for deletion at the next system reboot, and uninstalls and removes itself from the system.
enterprise | T1070.006 | Timestomp | Bankshot modifies a file's timestamps to a value specified by the control server.
enterprise | T1105 | Ingress Tool Transfer | Bankshot uploads files and secondary payloads to the victim's machine.
enterprise | T1112 | Modify Registry | Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.
enterprise | T1106 | Native API | Bankshot creates processes using the Windows API calls CreateProcessA() and CreateProcessAsUserA().
enterprise | T1571 | Non-Standard Port | Bankshot binds to and listens on TCP port 1058 for HTTP traffic, and also uses a FakeTLS method on that channel.
enterprise | T1057 | Process Discovery | Bankshot identifies processes and collects their process IDs.
enterprise | T1012 | Query Registry | Bankshot checks that certain Registry keys are configured before executing the payload.
enterprise | T1082 | System Information Discovery | Bankshot gathers system information: network addresses, disk type, disk free space, and the operating system version.