| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users. |
| enterprise | T1087.003 | Email Account | BoomBox can execute an LDAP query to discover e-mail accounts for domain users. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BoomBox has used HTTP POST requests for C2. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BoomBox can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BoomBox can decrypt AES-encrypted files downloaded from C2. |
| enterprise | T1480 | Execution Guardrails | BoomBox can check its current working directory and for the presence of a specific file, and terminate if the expected values are not found. |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | BoomBox can upload data to dedicated per-victim folders in Dropbox. |
| enterprise | T1083 | File and Directory Discovery | BoomBox can search for specific files and directories on a machine. |
| enterprise | T1105 | Ingress Tool Transfer | BoomBox has the ability to download next-stage malware components to a compromised system. |
| enterprise | T1036 | Masquerading | BoomBox has the ability to mask malicious data strings as PDF files. |
| enterprise | T1027 | Obfuscated Files or Information | BoomBox can encrypt data using AES prior to exfiltration. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | BoomBox can use RunDLL32 for execution. |
| enterprise | T1082 | System Information Discovery | BoomBox can enumerate the hostname, domain, and IP of a compromised host. |
| enterprise | T1033 | System Owner/User Discovery | BoomBox can enumerate the username on a compromised host. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BoomBox has gained execution through user interaction with a malicious file. |
| enterprise | T1102 | Web Service | BoomBox can download files from Dropbox using a hardcoded access token. |