| enterprise |
T1123 |
Audio Capture |
Revenge RAT has a plugin for microphone interception. |
| enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
| enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.001 |
PowerShell |
Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution. |
| enterprise |
T1059.003 |
Windows Command Shell |
Revenge RAT uses cmd.exe to execute commands and run scripts on the victim’s machine. |
| enterprise |
T1132 |
Data Encoding |
- |
| enterprise |
T1132.001 |
Standard Encoding |
Revenge RAT uses Base64 to encode information sent to the C2 server. |
| enterprise |
T1202 |
Indirect Command Execution |
Revenge RAT uses the Forfiles utility to execute commands on the system. |
| enterprise |
T1105 |
Ingress Tool Transfer |
Revenge RAT has the ability to upload and download files. |
| enterprise |
T1056 |
Input Capture |
- |
| enterprise |
T1056.001 |
Keylogging |
Revenge RAT has a plugin for keylogging. |
| enterprise |
T1003 |
OS Credential Dumping |
Revenge RAT has a plugin for credential harvesting. |
| enterprise |
T1021 |
Remote Services |
- |
| enterprise |
T1021.001 |
Remote Desktop Protocol |
Revenge RAT has a plugin to perform RDP access. |
|
|
|
|
| enterprise |
T1053 |
Scheduled Task/Job |
- |
| enterprise |
T1053.005 |
Scheduled Task |
Revenge RAT schedules tasks to run malicious scripts at different intervals. |
| enterprise |
T1113 |
Screen Capture |
Revenge RAT has a plugin for screen capture. |
| enterprise |
T1218 |
System Binary Proxy Execution |
- |
| enterprise |
T1218.005 |
Mshta |
Revenge RAT uses mshta.exe to run malicious scripts on the system. |
| enterprise |
T1082 |
System Information Discovery |
Revenge RAT collects the CPU information, OS information, and system language. |
| enterprise |
T1016 |
System Network Configuration Discovery |
Revenge RAT collects the IP address and MAC address from the system. |
| enterprise |
T1033 |
System Owner/User Discovery |
Revenge RAT gathers the username from the system. |
| enterprise |
T1125 |
Video Capture |
Revenge RAT has the ability to access the webcam. |
| enterprise |
T1102 |
Web Service |
- |
| enterprise |
T1102.002 |
Bidirectional Communication |
Revenge RAT used blogpost.com as its primary command and control server during a campaign. |