S0273 Socksbot
Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies.[1]
| Item | Value | 
|---|---|
| ID | S0273 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.1 | 
| Created | 17 October 2018 | 
| Last Modified | 30 March 2020 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.001 | PowerShell | Socksbot can write and execute PowerShell scripts.[1] | 
| enterprise | T1057 | Process Discovery | Socksbot can list all running processes.[1] | 
| enterprise | T1055 | Process Injection | - | 
| enterprise | T1055.001 | Dynamic-link Library Injection | Socksbot creates a suspended svchost process and injects its DLL into it.[1] | 
| enterprise | T1090 | Proxy | Socksbot can start SOCKS proxy threads.[1] | 
| enterprise | T1113 | Screen Capture | Socksbot can take screenshots.[1] |