| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privileges. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | SDBbot has the ability to use the command shell to execute commands on a compromised host. |
| enterprise | T1005 | Data from Local System | SDBbot has the ability to access the file system on a compromised host. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SDBbot has the ability to decrypt and decompress its payload to enable code execution. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.011 | Application Shimming | SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe. |
| enterprise | T1546.012 | Image File Execution Options Injection | SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7. |
| enterprise | T1083 | File and Directory Discovery | SDBbot has the ability to get directory listings or drive information on a compromised host. |
| enterprise | T1070 | Indicator Removal on Host | SDBbot has the ability to clean up and remove data structures from a compromised host. |
| enterprise | T1070.004 | File Deletion | SDBbot has the ability to delete files from a compromised host. |
| enterprise | T1105 | Ingress Tool Transfer | SDBbot has the ability to download a DLL from C2 to a compromised host. |
| enterprise | T1095 | Non-Application Layer Protocol | SDBbot has the ability to communicate with C2 using TCP over port 443. |
| enterprise | T1027 | Obfuscated Files or Information | SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128-byte key. |
| enterprise | T1027.002 | Software Packing | SDBbot has used a packed installer file. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process. |
| enterprise | T1090 | Proxy | SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2. |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | SDBbot has the ability to use RDP to connect to victims' machines. |
| enterprise | T1082 | System Information Discovery | SDBbot has the ability to identify the OS version, country code, and computer name. |
| enterprise | T1016 | System Network Configuration Discovery | SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host. |
| enterprise | T1033 | System Owner/User Discovery | SDBbot has the ability to identify the user on a compromised host. |
| enterprise | T1125 | Video Capture | SDBbot has the ability to record video on a compromised host. |