| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | GrimAgent has the ability to use HTTP for C2 communications. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | GrimAgent can set persistence with a Registry run key. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | GrimAgent can use the Windows Command Shell to execute commands, including its own removal. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | GrimAgent can base64 encode C2 replies. |
| enterprise | T1005 | Data from Local System | GrimAgent can collect data and files from a compromised host. |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | GrimAgent can pad C2 messages with randomly generated values. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | GrimAgent can use an AES key to encrypt C2 communications. |
| enterprise | T1573.002 | Asymmetric Cryptography | GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2. |
| enterprise | T1041 | Exfiltration Over C2 Channel | GrimAgent has sent data related to a compromised host over its C2 channel. |
| enterprise | T1083 | File and Directory Discovery | GrimAgent has the ability to enumerate files and directories on a compromised host. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | GrimAgent can delete old binaries on a compromised host. |
| enterprise | T1070.009 | Clear Persistence | GrimAgent can delete previously created tasks on a compromised host. |
| enterprise | T1105 | Ingress Tool Transfer | GrimAgent has the ability to download and execute additional payloads. |
| enterprise | T1106 | Native API | GrimAgent can use Native API functions including GetProcAddress and ShellExecuteW. |
| enterprise | T1027 | Obfuscated Files or Information | GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings. |
| enterprise | T1027.001 | Binary Padding | GrimAgent has the ability to add bytes to change the file hash. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | GrimAgent has the ability to set persistence using the Task Scheduler. |
| enterprise | T1082 | System Information Discovery | GrimAgent can collect the OS and build version on a compromised host. |
| enterprise | T1614 | System Location Discovery | GrimAgent can identify the country code on a compromised host. |
| enterprise | T1614.001 | System Language Discovery | GrimAgent has used Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain. |
| enterprise | T1016 | System Network Configuration Discovery | GrimAgent can enumerate the IP and domain of a target system. |
| enterprise | T1033 | System Owner/User Discovery | GrimAgent can identify the user id on a target machine. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task. |