Skip to content

S0273 Socksbot

Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. 1

Item Value
ID S0273
Associated Names
Type MALWARE
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Socksbot can write and execute PowerShell scripts.1
enterprise T1057 Process Discovery Socksbot can list all running processes.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Socksbot creates a suspended svchost process and injects its DLL into it.1
enterprise T1090 Proxy Socksbot can start SOCKS proxy threads.1
enterprise T1113 Screen Capture Socksbot can take screenshots.1

References