
S0500 MCMD

MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.[1]

ID: S0500
Associated Names: 
Version: 1.1
Created: 13 August 2020
Last Modified: 29 July 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | MCMD can use HTTPS in communication with C2 web servers.[1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | MCMD can use Registry Run Keys for persistence.[1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | MCMD can launch a console process (cmd.exe) with redirected standard input and output.[1]
enterprise | T1005 | Data from Local System | MCMD has the ability to upload files from an infected device.[1]
enterprise | T1564 | Hide Artifacts | -
enterprise | T1564.003 | Hidden Window | MCMD can modify processes to prevent them from being visible on the desktop.[1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.009 | Clear Persistence | MCMD has the ability to remove set Registry Keys, including those used for persistence.[1]
enterprise | T1105 | Ingress Tool Transfer | MCMD can upload additional files to a compromised host.[1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | MCMD has been named Readme.txt to appear legitimate.[1]
enterprise | T1027 | Obfuscated Files or Information | MCMD can Base64 encode output strings prior to sending to C2.[1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | MCMD can use scheduled tasks for persistence.[1]

Groups That Use This Software

ID | Name | References
G0035 | Dragonfly | [1]