| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Gelsemium can bypass UAC to elevate process privileges on a compromised host. |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Gelsemium can use HTTP/S for C2 communications. |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | Gelsemium can compress embedded executables with the zlib library. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gelsemium can establish persistence with a Registry Run key. |
| Enterprise | T1547.012 | Boot or Logon Autostart Execution: Print Processors | Gelsemium can drop itself as C:\Windows\System32\spool\prtprocs\x64\winprint.dll so that the Print Spooler service (spoolsv.exe) loads it automatically. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gelsemium can decompress and decrypt DLLs and shellcode. |
| Enterprise | T1083 | File and Directory Discovery | Gelsemium can retrieve the paths of specific Windows directories. |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Gelsemium can delete its dropper component from the targeted system. |
| Enterprise | T1070.006 | Indicator Removal on Host: Timestomp | Gelsemium can timestomp files on targeted systems. |
| Enterprise | T1105 | Ingress Tool Transfer | Gelsemium can download additional plug-ins to a compromised host. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Gelsemium can name its Registry persistence value Chrome Update so that the entry appears legitimate. |
| Enterprise | T1112 | Modify Registry | Gelsemium can store its components in the Registry. |
| Enterprise | T1095 | Non-Application Layer Protocol | Gelsemium can use TCP and UDP for C2 communications. |
| Enterprise | T1027 | Obfuscated Files or Information | Gelsemium can compress its components. |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Gelsemium can use junk code to hide functions and evade detection. |
| Enterprise | T1057 | Process Discovery | Gelsemium can enumerate running processes. |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Gelsemium can inject DLLs into specific processes. |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Gelsemium can check for the presence of specific security products. |
| Enterprise | T1082 | System Information Discovery | Gelsemium can determine the operating system and whether a targeted machine has a 32- or 64-bit architecture. |
| Enterprise | T1033 | System Owner/User Discovery | Gelsemium can distinguish between a standard user and an administrator on a compromised host. |