|Application Layer Protocol
|GrimAgent has the ability to use HTTP for C2 communications.
|Boot or Logon Autostart Execution
|Registry Run Keys / Startup Folder
|GrimAgent can set persistence with a Registry run key.
|Command and Scripting Interpreter
|Windows Command Shell
|GrimAgent can use the Windows Command Shell to execute commands, including its own removal.
|GrimAgent can base64 encode C2 replies.
|Data from Local System
|GrimAgent can collect data and files from a compromised host.
|GrimAgent can pad C2 messages with random generated values.
|Deobfuscate/Decode Files or Information
|GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.
|GrimAgent can use an AES key to encrypt C2 communications.
|GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.
|Exfiltration Over C2 Channel
|GrimAgent has sent data related to a compromise host over its C2 channel.
|File and Directory Discovery
|GrimAgent has the ability to enumerate files and directories on a compromised host.
|GrimAgent can delete old binaries on a compromised host.
|GrimAgent can delete previously created tasks on a compromised host.
|Ingress Tool Transfer
|GrimAgent has the ability to download and execute additional payloads.
|GrimAgent can use Native API including
|Obfuscated Files or Information
|GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.
|GrimAgent has the ability to add bytes to change the file hash.
|GrimAgent has the ability to set persistence using the Task Scheduler.
|System Information Discovery
|GrimAgent can collect the OS, and build version on a compromised host.
|System Location Discovery
|GrimAgent can identify the country code on a compromised host.
|System Language Discovery
|GrimAgent has used
Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain.
|System Network Configuration Discovery
|GrimAgent can enumerate the IP and domain of a target system.
|System Owner/User Discovery
|GrimAgent can identify the user id on a target machine.
|Time Based Evasion
|GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.