| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Aria-body has the ability to duplicate a token from ntprint.exe. |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | Aria-body has the ability to execute a process using runas. |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Aria-body has used HTTP in C2 communications. |
| Enterprise | T1010 | Application Window Discovery | Aria-body has the ability to identify the titles of running windows on a compromised host. |
| Enterprise | T1560 | Archive Collected Data | Aria-body has used ZIP to compress data gathered on a compromised host. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Aria-body has established persistence via the Startup folder or Run Registry key. |
| Enterprise | T1025 | Data from Removable Media | Aria-body has the ability to collect data from USB devices. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Aria-body has the ability to decrypt the loader configuration and payload DLL. |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Aria-body has the ability to use a DGA for C2 communications. |
| Enterprise | T1083 | File and Directory Discovery | Aria-body has the ability to gather metadata from a file and to search for file and directory names. |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Aria-body has the ability to delete files and directories on compromised hosts. |
| Enterprise | T1105 | Ingress Tool Transfer | Aria-body has the ability to download additional payloads from C2. |
| Enterprise | T1106 | Native API | Aria-body has the ability to launch files using ShellExecute. |
| Enterprise | T1095 | Non-Application Layer Protocol | Aria-body has used TCP in C2 communications. |
| Enterprise | T1027 | Obfuscated Files or Information | Aria-body has used an encrypted configuration file for its loader. |
| Enterprise | T1057 | Process Discovery | Aria-body has the ability to enumerate loaded modules for a process. |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe. |
| Enterprise | T1090 | Proxy | Aria-body has the ability to use a reverse SOCKS proxy module. |
| Enterprise | T1113 | Screen Capture | Aria-body has the ability to capture screenshots on compromised hosts. |
| Enterprise | T1082 | System Information Discovery | Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host. |
| Enterprise | T1016 | System Network Configuration Discovery | Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host. |
| Enterprise | T1049 | System Network Connections Discovery | Aria-body has the ability to gather TCP and UDP table status listings. |
| Enterprise | T1033 | System Owner/User Discovery | Aria-body has the ability to identify the username on a compromised host. |
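Three of the rows above name concrete host artifacts a defender can hunt for: remote threads created in rundll32.exe or dllhost.exe (T1055.001), values written under a Run key or files dropped in the Startup folder (T1547.001), and a process opening ntprint.exe with enough access to duplicate its token (T1134.001). The script below is an added example, not Aria-body code and not part of the ATT&CK entry: it runs those three checks over Sysmon-shaped events (EventID 8 CreateRemoteThread, 10 ProcessAccess, 11 FileCreate, 13 RegistryEvent). The sample events are constructed, and the access-mask test (PROCESS_QUERY_INFORMATION 0x400 or PROCESS_QUERY_LIMITED_INFORMATION 0x1000 as the minimum for opening a token) is an assumption stated in the code.

```python
"""Hunt for three Aria-body TTPs over constructed Sysmon-style events.

Added example; not Aria-body code and not an ATT&CK artifact. Field names
follow Sysmon; the events in SAMPLE_EVENTS are constructed, not captured.
"""
import os
from collections import namedtuple

Finding = namedtuple("Finding", "technique host detail")

INJECTION_TARGETS = {"rundll32.exe", "dllhost.exe"}          # hosts named on the page
RUN_KEY_MARKER = "\\microsoft\\windows\\currentversion\\run\\"  # HKLM or HKCU; RunOnce not covered
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
TOKEN_SOURCE = "ntprint.exe"                                 # token source named on the page
# Assumption: OpenProcessToken needs PROCESS_QUERY_INFORMATION (0x400) or
# PROCESS_QUERY_LIMITED_INFORMATION (0x1000) on the process handle.
TOKEN_ACCESS_MASK = 0x1400


def _base(path):
    """Lower-case file name of a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_injection(ev):
    """T1055.001: a remote thread created inside rundll32.exe or dllhost.exe."""
    if ev.get("EventID") != 8:
        return None
    target = _base(ev["TargetImage"])
    if target not in INJECTION_TARGETS:
        return None
    detail = f"{_base(ev['SourceImage'])} -> {target} (start {ev.get('StartAddress', '?')})"
    return Finding("T1055.001", ev["Computer"], detail)


def check_persistence(ev):
    """T1547.001: Run key value set, or a file created in a Startup folder."""
    eid = ev.get("EventID")
    if eid == 13 and RUN_KEY_MARKER in ev["TargetObject"].lower():
        return Finding("T1547.001", ev["Computer"],
                       f"Run key: {ev['TargetObject']} = {ev.get('Details', '')}")
    if eid == 11 and STARTUP_MARKER in ev["TargetFilename"].lower():
        return Finding("T1547.001", ev["Computer"], f"Startup drop: {ev['TargetFilename']}")
    return None


def check_token_theft(ev):
    """T1134.001: a process opens ntprint.exe with rights sufficient to open its token."""
    if ev.get("EventID") != 10 or _base(ev["TargetImage"]) != TOKEN_SOURCE:
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & TOKEN_ACCESS_MASK:
        return None
    return Finding("T1134.001", ev["Computer"],
                   f"{_base(ev['SourceImage'])} opened {TOKEN_SOURCE} with 0x{granted:x}")


CHECKS = (check_injection, check_persistence, check_token_theft)


def hunt(events):
    """Run every check over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events (one benign process create, one benign remote thread,
# and one event for each of the three checks).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "Computer": "ws01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x00007FF6A1B20000"},
    {"EventID": 8, "Computer": "ws01", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe", "StartAddress": "0x00000000771E0000"},
    {"EventID": 13, "Computer": "ws01",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 11, "Computer": "ws02",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"},
    {"EventID": 10, "Computer": "ws02", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\ntprint.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.host:6} {f.detail}")
```

On real telemetry the injection check needs an allowlist for legitimate CreateRemoteThread sources (csrss.exe is one), and the Run key check should be widened to RunOnce and the Wow6432Node paths; the ntprint.exe check is deliberately narrow because the page names that one binary as the token source.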
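The T1568.002 row says only that Aria-body can fall back to a DGA; the page does not describe the algorithm, so no generator is reproduced here. What a defender can still do is triage resolver logs for the behaviour a DGA leaves behind: a burst of NXDOMAIN answers for lexically random registrable labels from one client. The script below is an added example, not Aria-body's code and not part of the ATT&CK entry: it parses constructed resolver log lines, scores each name with an entropy and vowel-ratio heuristic, and reports clients that exceed a threshold. The thresholds and the single-label TLD assumption in registrable_label are assumptions, not values from the page.

```python
"""Triage resolver logs for DGA-like NXDOMAIN bursts (T1568.002 row).

Added example; not Aria-body's DGA and not from the ATTCK entry.
Thresholds are assumptions; the log lines are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<epoch> <client> <qname> <rcode>"
DNS_LOG = """\
1700000000 10.0.0.5 www.google.com NOERROR
1700000001 10.0.0.5 xkq7zpw2vmn8.net NXDOMAIN
1700000002 10.0.0.5 ahf4jd9qwlmx.info NXDOMAIN
1700000003 10.0.0.5 stackoverflow.com NOERROR
1700000004 10.0.0.5 plmz3qtrxvk9.com NXDOMAIN
1700000005 10.0.0.5 cdn.example.org NOERROR
1700000010 10.0.0.7 login.microsoftonline.com NOERROR
1700000011 10.0.0.7 bz8wnjqkxrp4.org NXDOMAIN
"""

MIN_LABEL_LEN = 10        # assumption: shorter labels are too easy to mistake for real names
MIN_ENTROPY = 3.3         # assumption: bits per character of the registrable label
MAX_VOWEL_RATIO = 0.25    # assumption: pronounceable names usually exceed this
NXDOMAIN_THRESHOLD = 3    # assumption: distinct DGA-like NXDOMAINs per client before alerting


def shannon_entropy(text):
    """Bits per character of the string's empirical symbol distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname):
    """Label directly under the TLD. Assumes a single-label TLD (no Public Suffix List),
    so names such as example.co.uk would be mis-split; use a PSL library in production."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname):
    """Lexical heuristic: long, high-entropy, vowel-poor registrable label."""
    label = registrable_label(qname)
    if len(label) < MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= MIN_ENTROPY and vowel_ratio <= MAX_VOWEL_RATIO


def parse_log(text):
    """Parse the constructed log format into (epoch, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((int(ts), client, qname.lower(), rcode))
    return events


def dga_suspects(events, threshold=NXDOMAIN_THRESHOLD):
    """Clients with at least `threshold` distinct DGA-like names that failed to resolve."""
    per_client = defaultdict(set)
    for _ts, client, qname, rcode in events:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            per_client[client].add(qname)
    return {client: sorted(names) for client, names in per_client.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in dga_suspects(parse_log(DNS_LOG)).items():
        print(client, "->", ", ".join(names))
```

The NXDOMAIN condition is what separates a DGA from ordinary long CDN hostnames: a generator walks through many candidate domains that were never registered, whereas the lexical score alone also trips on names such as login.microsoftonline.com's entropy (which the vowel ratio then clears). Tune the thresholds against a week of your own benign resolver traffic before alerting on them.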