| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | StrongPity can use HTTP and HTTPS in C2 communications. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | StrongPity can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme. |
| enterprise | T1119 | Automated Collection | StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions. |
| enterprise | T1020 | Automated Exfiltration | StrongPity can automatically exfiltrate collected documents to the C2 server. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | StrongPity can use PowerShell to add files to the Windows Defender exclusions list. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | StrongPity has created new services and modified existing services for persistence. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | StrongPity has encrypted C2 traffic using SSL/TLS. |
| enterprise | T1041 | Exfiltration Over C2 Channel | StrongPity can exfiltrate collected documents through C2 channels. |
| enterprise | T1083 | File and Directory Discovery | StrongPity can parse the hard drive on a compromised host to identify specific file extensions. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | StrongPity has the ability to hide the console window for its document search module from the user. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | StrongPity can delete previously exfiltrated files from the compromised host. |
| enterprise | T1105 | Ingress Tool Transfer | StrongPity can download files to specified targets. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | StrongPity has named services to appear legitimate. |
| enterprise | T1036.005 | Match Legitimate Name or Location | StrongPity has been bundled with legitimate software installation files for disguise. |
| enterprise | T1571 | Non-Standard Port | StrongPity has used HTTPS over port 1402 in C2 communication. |
| enterprise | T1027 | Obfuscated Files or Information | StrongPity has used encrypted strings in its dropper component. |
| enterprise | T1057 | Process Discovery | StrongPity can determine if a user is logged in by checking to see if explorer.exe is running. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload. |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | StrongPity has been signed with self-signed certificates. |
| enterprise | T1082 | System Information Discovery | StrongPity can identify the hard disk volume serial number on a compromised host. |
| enterprise | T1016 | System Network Configuration Discovery | StrongPity can identify the IP address of a compromised host. |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | StrongPity can install a service to execute itself as a service. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities. |