| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Comnie uses the net user command. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Comnie uses HTTP for C2 communication. |
| enterprise | T1119 | Automated Collection | Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry. |
| enterprise | T1547.009 | Shortcut Modification | Comnie establishes persistence via a .lnk file in the victim’s startup path. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Comnie executes BAT scripts. |
| enterprise | T1059.005 | Visual Basic | Comnie executes VBS scripts. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Comnie encrypts command and control communications with RC4. |
| enterprise | T1027 | Obfuscated Files or Information | Comnie uses RC4 and Base64 to obfuscate strings. |
| enterprise | T1027.001 | Binary Padding | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk. |
| enterprise | T1057 | Process Discovery | Comnie uses tasklist to view running processes on the victim’s machine. |
| enterprise | T1018 | Remote System Discovery | Comnie runs the net view command. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Comnie attempts to detect several anti-virus products. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Comnie uses Rundll32 to load a malicious DLL. |
| enterprise | T1082 | System Information Discovery | Comnie collects the hostname of the victim machine. |
| enterprise | T1016 | System Network Configuration Discovery | Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information. |
| enterprise | T1049 | System Network Connections Discovery | Comnie executes the netstat -ano command. |
| enterprise | T1007 | System Service Discovery | Comnie runs the command net start >> %TEMP%\info.dat on a victim. |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of its communication to the command and control server. |