| enterprise |
T1071 |
Application Layer Protocol |
- |
| enterprise |
T1071.001 |
Web Protocols |
QUADAGENT uses HTTPS and HTTP for C2 communications. |
| enterprise |
T1071.004 |
DNS |
QUADAGENT uses DNS for C2 communications. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.001 |
PowerShell |
QUADAGENT uses PowerShell scripts for execution. |
| enterprise |
T1059.003 |
Windows Command Shell |
QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine. |
| enterprise |
T1059.005 |
Visual Basic |
QUADAGENT uses VBScripts. |
| enterprise |
T1132 |
Data Encoding |
- |
| enterprise |
T1132.001 |
Standard Encoding |
QUADAGENT encodes C2 communications with base64. |
| enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts. |
| enterprise |
T1008 |
Fallback Channels |
QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful. |
| enterprise |
T1070 |
Indicator Removal |
- |
| enterprise |
T1070.004 |
File Deletion |
QUADAGENT has a command to delete its Registry key and scheduled task. |
| enterprise |
T1036 |
Masquerading |
- |
| enterprise |
T1036.005 |
Match Legitimate Name or Location |
QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1. |
| enterprise |
T1112 |
Modify Registry |
QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications. |
| enterprise |
T1027 |
Obfuscated Files or Information |
- |
| enterprise |
T1027.010 |
Command Obfuscation |
QUADAGENT was likely obfuscated using Invoke-Obfuscation. |
| enterprise |
T1027.011 |
Fileless Storage |
QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as HKCU\Office365DCOMCheck) in the HKCU hive. |
| enterprise |
T1012 |
Query Registry |
QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created. |
| enterprise |
T1053 |
Scheduled Task/Job |
- |
| enterprise |
T1053.005 |
Scheduled Task |
QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine. |
| enterprise |
T1016 |
System Network Configuration Discovery |
QUADAGENT gathers the current domain the victim system belongs to. |
| enterprise |
T1033 |
System Owner/User Discovery |
QUADAGENT gathers the victim username. |