S0269 QUADAGENT
QUADAGENT is a PowerShell backdoor used by OilRig. 1
| Item | Value |
|---|---|
| ID | S0269 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 28 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | QUADAGENT uses HTTPS and HTTP for C2 communications.1 |
| enterprise | T1071.004 | DNS | QUADAGENT uses DNS for C2 communications.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | QUADAGENT uses PowerShell scripts for execution.1 |
| enterprise | T1059.003 | Windows Command Shell | QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.1 |
| enterprise | T1059.005 | Visual Basic | QUADAGENT uses VBScripts.1 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | QUADAGENT encodes C2 communications with base64.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.1 |
| enterprise | T1008 | Fallback Channels | QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.1 |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | QUADAGENT has a command to delete its Registry key and scheduled task.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.1 |
| enterprise | T1112 | Modify Registry | QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.1 |
| enterprise | T1027 | Obfuscated Files or Information | QUADAGENT was likely obfuscated using Invoke-Obfuscation.12 |
| enterprise | T1012 | Query Registry | QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.1 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.1 |
| enterprise | T1016 | System Network Configuration Discovery | QUADAGENT gathers the current domain the victim system belongs to.1 |
| enterprise | T1033 | System Owner/User Discovery | QUADAGENT gathers the victim username.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | 1 |