| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| Enterprise | T1548.002 | Bypass User Account Control | KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe. |
| Enterprise | T1547 | Boot or Logon Autostart Execution | - |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | KOCTOPUS can set the AutoRun Registry key with a PowerShell command. |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.001 | PowerShell | KOCTOPUS has used PowerShell commands to download additional files. |
| Enterprise | T1059.003 | Windows Command Shell | KOCTOPUS has used cmd.exe and batch files for execution. |
| Enterprise | T1059.005 | Visual Basic | KOCTOPUS has used VBScript to call wscript to execute a PowerShell command. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | KOCTOPUS has deobfuscated itself before executing its commands. |
| Enterprise | T1564 | Hide Artifacts | - |
| Enterprise | T1564.003 | Hidden Window | KOCTOPUS has used -WindowStyle Hidden to hide the command window. |
| Enterprise | T1562 | Impair Defenses | - |
| Enterprise | T1562.001 | Disable or Modify Tools | KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials. |
| Enterprise | T1070 | Indicator Removal | - |
| Enterprise | T1070.009 | Clear Persistence | KOCTOPUS can delete created Registry keys used for persistence as part of its cleanup procedure. |
| Enterprise | T1105 | Ingress Tool Transfer | KOCTOPUS has executed a PowerShell command to download a file to the system. |
| Enterprise | T1036 | Masquerading | - |
| Enterprise | T1036.005 | Match Legitimate Name or Location | KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries. |
| Enterprise | T1112 | Modify Registry | KOCTOPUS has added and deleted keys from the Registry. |
| Enterprise | T1106 | Native API | KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution. |
| Enterprise | T1027 | Obfuscated Files or Information | - |
| Enterprise | T1027.010 | Command Obfuscation | KOCTOPUS has obfuscated scripts with the BatchEncryption tool. |
| Enterprise | T1566 | Phishing | - |
| Enterprise | T1566.001 | Spearphishing Attachment | KOCTOPUS has been distributed via spearphishing emails with malicious attachments. |
| Enterprise | T1566.002 | Spearphishing Link | KOCTOPUS has been distributed as a malicious link within an email. |
| Enterprise | T1090 | Proxy | KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet. |
| Enterprise | T1082 | System Information Discovery | KOCTOPUS has checked the OS version using wmic.exe and the find command. |
| Enterprise | T1204 | User Execution | - |
| Enterprise | T1204.001 | Malicious Link | KOCTOPUS has relied on victims clicking on a malicious link delivered via email. |
| Enterprise | T1204.002 | Malicious File | KOCTOPUS has relied on victims clicking a malicious document for execution. |