| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | AppleSeed can gain system-level privileges by passing SeDebugPrivilege to the AdjustTokenPrivileges API. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | AppleSeed has the ability to communicate with C2 over HTTP. |
| enterprise | T1560 | Archive Collected Data | AppleSeed has compressed collected data before exfiltration. |
| enterprise | T1560.001 | Archive via Utility | AppleSeed can zip and encrypt data collected on a target system. |
| enterprise | T1119 | Automated Collection | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | AppleSeed has the ability to create the Registry value name EstsoftAutoUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | AppleSeed has the ability to execute its payload via PowerShell. |
| enterprise | T1059.007 | JavaScript | AppleSeed has the ability to use JavaScript to execute PowerShell. |
| enterprise | T1005 | Data from Local System | AppleSeed can collect data on a compromised host. |
| enterprise | T1025 | Data from Removable Media | AppleSeed can find and collect data from removable media devices. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | AppleSeed can stage files in a central location prior to exfiltration. |
| enterprise | T1030 | Data Transfer Size Limits | AppleSeed has split files into chunks if their size is 0x1000000 bytes or more. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | AppleSeed can decode its payload prior to execution. |
| enterprise | T1041 | Exfiltration Over C2 Channel | AppleSeed can exfiltrate files via the C2 channel. |
| enterprise | T1567 | Exfiltration Over Web Service | AppleSeed has exfiltrated files using web services. |
| enterprise | T1008 | Fallback Channels | AppleSeed can use a second channel for C2 when the primary channel is in upload mode. |
| enterprise | T1083 | File and Directory Discovery | AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | AppleSeed can delete files from a compromised host after they are exfiltrated. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim's machine. |
| enterprise | T1036 | Masquerading | AppleSeed can disguise JavaScript files as PDFs. |
| enterprise | T1036.005 | Match Legitimate Name or Location | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity. |
| enterprise | T1106 | Native API | AppleSeed has the ability to use multiple dynamically resolved API calls. |
| enterprise | T1027 | Obfuscated Files or Information | AppleSeed has the ability to Base64-encode its payload and custom-encrypt API calls. |
| enterprise | T1027.002 | Software Packing | AppleSeed has used UPX packers for its payload DLL. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | AppleSeed has been distributed to victims through malicious e-mail attachments. |
| enterprise | T1057 | Process Discovery | AppleSeed can enumerate the current process on a compromised host. |
| enterprise | T1113 | Screen Capture | AppleSeed can take screenshots on a compromised host by calling a series of APIs. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.010 | Regsvr32 | AppleSeed can call regsvr32.exe for execution. |
| enterprise | T1082 | System Information Discovery | AppleSeed can identify the OS version of a targeted system. |
| enterprise | T1016 | System Network Configuration Discovery | AppleSeed can identify the IP address of a targeted system. |
| enterprise | T1124 | System Time Discovery | AppleSeed can pull a timestamp from the victim's machine. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | AppleSeed can achieve execution through users running malicious file attachments distributed via email. |