Skip to content


RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.1

Item Value
ID S0416
Associated Names
Version 1.0
Created 11 October 2019
Last Modified 16 October 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion RDFSNIFFER has the capability of deleting local files.1
enterprise T1056 Input Capture -
enterprise T1056.004 Credential API Hooking RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface.1
enterprise T1106 Native API RDFSNIFFER has used several Win32 API functions to interact with the victim machine.1

Groups That Use This Software

ID Name References
G0046 FIN7 1