enterprise |
T1548 |
Abuse Elevation Control Mechanism |
- |
enterprise |
T1548.002 |
Bypass User Account Control |
Gelsemium can bypass UAC to elevate process privileges on a compromised host. |
enterprise |
T1134 |
Access Token Manipulation |
Gelsemium can use token manipulation to bypass UAC on Windows 7 systems.
enterprise |
T1071 |
Application Layer Protocol |
- |
enterprise |
T1071.001 |
Web Protocols |
Gelsemium can use HTTP/S in C2 communications. |
enterprise |
T1071.004 |
DNS |
Gelsemium has the ability to use DNS in communication with C2. |
enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
Gelsemium can set persistence with a Registry run key. |
enterprise |
T1547.012 |
Print Processors |
Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service. |
enterprise |
T1059 |
Command and Scripting Interpreter |
- |
enterprise |
T1059.003 |
Windows Command Shell |
Gelsemium can use a batch script to delete itself. |
enterprise |
T1543 |
Create or Modify System Process |
- |
enterprise |
T1543.003 |
Windows Service |
Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts. |
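The two Print Processor rows above (T1547.012 and T1543.003) describe the same artifact: a DLL registered as a print processor so that spoolsv.exe loads it on start. Because the dropped file reuses the legitimate name winprint.dll, a name or path check alone proves nothing; the signature, hash and timestamps of the registered DLL are what matter. The following is an added PowerShell check written for this page (it is not code from the ATT&CK entry or from the Gelsemium reports) that enumerates every registered Print Processor, resolves its DLL under System32\spool\prtprocs, and flags entries that are missing, not validly Microsoft-signed, or carry whole-second timestamps. The environment-to-subdirectory map covers the x64 and x86 spooler environments; the whole-second heuristic is an assumption-based indicator, since timestomping tools often write timestamps without sub-second precision, and should be read together with the signature result rather than on its own. Run it elevated on the host under investigation.

```powershell
# Added example: audit registered Print Processors (spoolsv.exe load points).
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
# Spooler environment name -> subdirectory under System32\spool\prtprocs
$subdir = @{ 'Windows x64' = 'x64'; 'Windows NT x86' = 'w32x86' }

$rows = foreach ($envKey in Get-ChildItem $envRoot) {
    $ppKey = "$($envKey.PSPath)\Print Processors"
    if (-not (Test-Path $ppKey)) { continue }
    foreach ($pp in Get-ChildItem $ppKey) {
        $driver = (Get-ItemProperty $pp.PSPath).Driver
        $dir    = $subdir[$envKey.PSChildName]
        $path   = if ($dir -and $driver) { "$env:SystemRoot\System32\spool\prtprocs\$dir\$driver" } else { $null }
        $exists = [bool]($path -and (Test-Path $path))
        $sig    = if ($exists) { Get-AuthenticodeSignature $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $file   = if ($exists) { Get-Item $path } else { $null }
        # Assumption-based heuristic: files written by normal installers rarely have
        # both creation and modification times landing exactly on a whole second.
        $wholeSec = $file -and
                    ($file.CreationTimeUtc.Ticks  % 10000000 -eq 0) -and
                    ($file.LastWriteTimeUtc.Ticks % 10000000 -eq 0)
        [pscustomobject]@{
            Environment = $envKey.PSChildName
            Processor   = $pp.PSChildName
            Driver      = $driver
            Path        = $path
            SigStatus   = if ($sig) { $sig.Status } else { 'missing' }
            Signer      = $signer
            Sha256      = if ($exists) { (Get-FileHash $path -Algorithm SHA256).Hash } else { '' }
            Created     = if ($file) { $file.CreationTimeUtc } else { $null }
            Modified    = if ($file) { $file.LastWriteTimeUtc } else { $null }
            # Flag anything that is not a present, validly Microsoft-signed DLL,
            # or that shows the whole-second timestamp pattern.
            Flag        = (-not $exists) -or ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'Microsoft') -or $wholeSec
        }
    }
}

$rows | Format-Table Environment, Processor, Driver, SigStatus, Flag -AutoSize
$rows | Where-Object Flag | Format-List
```

A clean x64 host normally shows a single winprint entry per environment whose Driver is winprint.dll with a valid Microsoft signature. Any additional processor, or a winprint.dll whose signature is missing or whose signer is not Microsoft, is worth pulling for analysis; compare its SHA-256 against a known-good copy of the same Windows build before treating it as benign.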
enterprise |
T1005 |
Data from Local System |
Gelsemium can collect data from a compromised host. |
enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
Gelsemium can decompress and decrypt DLLs and shellcode. |
enterprise |
T1568 |
Dynamic Resolution |
Gelsemium can use dynamic DNS domain names in C2. |
enterprise |
T1008 |
Fallback Channels |
Gelsemium can use multiple domains and protocols in C2. |
enterprise |
T1083 |
File and Directory Discovery |
Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion. |
enterprise |
T1070 |
Indicator Removal |
- |
enterprise |
T1070.004 |
File Deletion |
Gelsemium can delete its dropper component from the targeted system. |
enterprise |
T1070.006 |
Timestomp |
Gelsemium has the ability to perform timestomping of files on targeted systems. |
enterprise |
T1105 |
Ingress Tool Transfer |
Gelsemium can download additional plug-ins to a compromised host. |
enterprise |
T1559 |
Inter-Process Communication |
- |
enterprise |
T1559.001 |
Component Object Model |
Gelsemium can use the IARPUninstallStringLauncher COM interface as part of its UAC bypass process.
enterprise |
T1036 |
Masquerading |
- |
enterprise |
T1036.001 |
Invalid Code Signature |
Gelsemium has used unverified signatures on malicious DLLs. |
enterprise |
T1036.005 |
Match Legitimate Name or Location |
Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll, and has set its persistence in the Registry under a Run key value named Chrome Update to appear legitimate.
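The Run-key persistence (T1547.001) and the Chrome Update value name (T1036.005) are two halves of one trick: a plausible vendor name on an autostart entry whose image is not that vendor's software. The following is an added PowerShell audit written for this page, not code from the ATT&CK entry or the Gelsemium reports. It walks the common Run and RunOnce keys, extracts the image each value launches (including the DLL argument when the command is rundll32.exe), checks its Authenticode signature, and flags entries that are unsigned or whose value name claims Google or Chrome while the signer does not. The vendor-to-signer rule for Google is an illustrative assumption; extend the pattern for whatever vendor names your environment sees.

```powershell
# Added example: audit Run/RunOnce autostart values for unsigned images or
# vendor names that do not match the signer of the image they launch.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds to every result; they are not Registry values.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the file actually loaded out of a Run value's command line.
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if     ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }   # quoted path
    elseif ($cmd -match '^(\S+)')     { $exe = $Matches[1] }   # bare path, args follow
    else   { return $null }
    # rundll32.exe <dll>,<export>: the file of interest is the DLL, not rundll32 itself.
    if ([IO.Path]::GetFileName($exe) -ieq 'rundll32.exe' -and
        $cmd -match '^"?[^"\s]*rundll32\.exe"?\s+"?([^",]+)') {
        $exe = $Matches[1]
    }
    return $exe
}

$rows = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        $image  = Get-ImagePath ([string]$p.Value)
        $sig    = if ($image -and (Test-Path $image)) { Get-AuthenticodeSignature $image } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Assumption for illustration: a value name invoking Google/Chrome should launch
        # a Google-signed image. Add further vendor rules as needed.
        $vendorMismatch = ($p.Name -match 'Chrome|Google') -and ($signer -notmatch 'Google')
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Command   = $p.Value
            Image     = $image
            SigStatus = if ($sig) { $sig.Status } else { 'missing' }
            Signer    = $signer
            Flag      = (-not $sig) -or ($sig.Status -ne 'Valid') -or $vendorMismatch
        }
    }
}

$rows | Format-Table Name, Image, SigStatus, Flag -AutoSize
$rows | Where-Object Flag | Format-List
```

The rundll32 case matters here because a Run value can point at a legitimately signed rundll32.exe while the DLL it loads (the Gelsemium entries use names such as chrome_elf.dll) is the unsigned component; checking only the first token of the command would pass such an entry as Microsoft-signed.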
enterprise |
T1112 |
Modify Registry |
Gelsemium can modify the Registry to store its components. |
enterprise |
T1106 |
Native API |
Gelsemium has the ability to use various Windows API functions to perform tasks. |
enterprise |
T1095 |
Non-Application Layer Protocol |
Gelsemium has the ability to use TCP and UDP in C2 communications. |
enterprise |
T1027 |
Obfuscated Files or Information |
Gelsemium has the ability to compress its components. |
enterprise |
T1027.001 |
Binary Padding |
Gelsemium can use junk code to hide functions and evade detection. |
enterprise |
T1027.011 |
Fileless Storage |
Gelsemium can store its components in the Registry. |
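Components stored in the Registry (T1027.011, together with the compression and encryption noted under T1027 and T1140) show up as unusually large REG_BINARY values with near-random byte distributions, whereas ordinary configuration blobs are small and structured. The following is an added PowerShell hunt written for this page, not code from the ATT&CK entry or the Gelsemium reports. It walks a set of hives, keeps only binary values above a size threshold, scores each with Shannon entropy (8.0 is the maximum for byte data; compressed or encrypted payloads sit close to it), and notes whether the value begins with an MZ header, which would indicate an unobfuscated PE. The hive list and the 20 KB threshold are assumptions chosen for illustration; a recursive walk of HKLM:\SOFTWARE takes a while, so narrow the roots on busy hosts.

```powershell
# Added example: hunt for large, high-entropy REG_BINARY values (fileless payload storage).
function Get-ShannonEntropy([byte[]]$bytes) {
    if (-not $bytes -or $bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return $h
}

$roots   = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')   # assumption: hives to sweep
$minSize = 20KB                                    # assumption: ignore small config blobs

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'Binary') { continue }
            $data = [byte[]]$key.GetValue($name)
            if ($data.Length -lt $minSize) { continue }
            [pscustomobject]@{
                Key     = $key.Name
                Value   = if ($name) { $name } else { '(Default)' }
                Bytes   = $data.Length
                Entropy = [Math]::Round((Get-ShannonEntropy $data), 2)
                # An MZ header means a PE stored in the clear; packed/encrypted
                # components will not show it but will score high on entropy.
                HasMZ   = ($data[0] -eq 0x4D -and $data[1] -eq 0x5A)
            }
        }
    }
}

$hits | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Values that score above roughly 7.5 and sit under keys with no obvious owner (or under keys named after a vendor whose software is not installed) are the ones to export with reg.exe and decode; the decompress-and-decrypt behaviour recorded under T1140 means the DLL or shellcode will only be recognisable after the loader's transform is reversed.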
enterprise |
T1057 |
Process Discovery |
Gelsemium can enumerate running processes. |
enterprise |
T1055 |
Process Injection |
- |
enterprise |
T1055.001 |
Dynamic-link Library Injection |
Gelsemium has the ability to inject DLLs into specific processes. |
enterprise |
T1012 |
Query Registry |
Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis. |
enterprise |
T1620 |
Reflective Code Loading |
Gelsemium can use custom shellcode to map embedded DLLs into memory. |
enterprise |
T1518 |
Software Discovery |
- |
enterprise |
T1518.001 |
Security Software Discovery |
Gelsemium can check for the presence of specific security products. |
enterprise |
T1082 |
System Information Discovery |
Gelsemium can determine the operating system version and whether a targeted machine has a 32- or 64-bit architecture.
enterprise |
T1033 |
System Owner/User Discovery |
Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host. |
enterprise |
T1497 |
Virtualization/Sandbox Evasion |
Gelsemium can use junk code to generate random activity to obscure malware behavior. |