| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | KGH_SPY can send data to C2 with HTTP POST requests. |
| enterprise | T1037 | Boot or Logon Initialization Scripts | - |
| enterprise | T1037.001 | Logon Script (Windows) | KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | KGH_SPY can execute PowerShell commands on the victim's machine. |
| enterprise | T1059.003 | Windows Command Shell | KGH_SPY has the ability to set a Registry key to run a cmd.exe command. |
| enterprise | T1555 | Credentials from Password Stores | KGH_SPY can collect credentials from WinSCP. |
| enterprise | T1555.003 | Credentials from Web Browsers | KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers. |
| enterprise | T1555.004 | Windows Credential Manager | KGH_SPY can collect credentials from the Windows Credential Manager. |
| enterprise | T1005 | Data from Local System | KGH_SPY can send a file containing victim system information to C2. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | KGH_SPY can save collected system information to a file named "info" before exfiltration. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | KGH_SPY can decrypt encrypted strings and write them to a newly created folder. |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | KGH_SPY can harvest data from mail clients. |
| enterprise | T1041 | Exfiltration Over C2 Channel | KGH_SPY can exfiltrate collected information from the host to the C2 server. |
| enterprise | T1083 | File and Directory Discovery | KGH_SPY can enumerate files and directories on a compromised host. |
| enterprise | T1105 | Ingress Tool Transfer | KGH_SPY has the ability to download and execute code from remote servers. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | KGH_SPY has masqueraded as a legitimate Windows tool. |
| enterprise | T1027 | Obfuscated Files or Information | KGH_SPY has used encrypted strings in its installer. |
| enterprise | T1518 | Software Discovery | KGH_SPY can collect information on installed applications. |
| enterprise | T1082 | System Information Discovery | KGH_SPY can collect drive information from a compromised host. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | KGH_SPY has been spread through Word documents containing malicious macros. |