| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | DarkWatchman uses HTTPS for command and control. |
| enterprise | T1010 | Application Window Discovery | DarkWatchman reports window names along with keylogger information to provide application context. |
| enterprise | T1217 | Browser Information Discovery | DarkWatchman can retrieve browser history. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger. |
| enterprise | T1059.003 | Windows Command Shell | DarkWatchman can use cmd.exe to execute commands. |
| enterprise | T1059.007 | JavaScript | DarkWatchman uses JavaScript to perform its core functionalities. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | DarkWatchman encodes data using hexadecimal representation before sending it to the C2 server. |
| enterprise | T1005 | Data from Local System | DarkWatchman can collect files from a compromised host. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | DarkWatchman can stage local data in the Windows Registry. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkWatchman has the ability to self-extract as a RAR archive. |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | DarkWatchman has used a DGA to generate a domain name for C2. |
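The row above only records that a DGA was used; this page does not give the algorithm. The following is an added example (not DarkWatchman's code and not taken from this page) of a date-seeded DGA of my own construction, together with the two detections a defender can run over resolver logs: a behavioural one that needs no knowledge of the algorithm, and an exact-match one for the case where the algorithm and seed have been recovered from a sample. The log line format, the seed, the client addresses and the domain labels are all constructed for the example.

```python
import hashlib
import math
from collections import defaultdict
from datetime import date

SAMPLE_DAY = date(2024, 1, 15)


def generate_domains(day, seed="example-seed", count=10, tlds=("com", "net", "org")):
    """Illustrative date-seeded DGA.

    This is an assumption for the example, not DarkWatchman's real algorithm:
    each label is derived from SHA-256(seed, date, index), so every copy of the
    malware computes the same candidate list for a given day, and so can a
    defender who holds the seed, which is what makes pre-registration,
    sinkholing and blocklisting of the candidates possible.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        length = 10 + digest[0] % 6                         # 10..15 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return domains


def shannon_entropy(text):
    """Bits per character; a random label sits near log2(number of distinct chars)."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_line(line):
    """Constructed resolver log format: '<timestamp> <client> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.rstrip(".").lower(), rcode


def find_dga_clients(lines, min_failures=5, min_entropy=3.0, min_length=10):
    """Clients producing many NXDOMAINs for long, high-entropy second-level labels.

    This needs no knowledge of the algorithm: it keys on the lookup pattern a
    DGA leaves while it walks its candidate list looking for the one domain
    the operator actually registered.
    """
    per_client = defaultdict(set)
    for line in lines:
        _, client, qname, rcode = parse_dns_line(line)
        if rcode != "NXDOMAIN":
            continue
        parts = qname.split(".")
        label = parts[-2] if len(parts) >= 2 else qname
        if len(label) >= min_length and shannon_entropy(label) >= min_entropy:
            per_client[client].add(qname)
    return {c: sorted(q) for c, q in per_client.items() if len(q) >= min_failures}


def match_precomputed(lines, day, **dga_kwargs):
    """With the algorithm and seed known, check queries against the predicted
    list for that day (resolved or not), which has no entropy-threshold noise."""
    predicted = set(generate_domains(day, **dga_kwargs))
    return sorted({parse_dns_line(line)[2] for line in lines} & predicted)


# Constructed sample: one host walking a candidate list (five NXDOMAINs, then a
# name that resolves), plus ordinary traffic and a typo from another host.
SAMPLE_LOG = (
    "2024-01-15T10:00:01 10.0.0.5 kqzvwxptmbhs.com NXDOMAIN",
    "2024-01-15T10:00:01 10.0.0.5 dlrzpqmvxwyk.net NXDOMAIN",
    "2024-01-15T10:00:02 10.0.0.5 fjhgnbxzwqpl.org NXDOMAIN",
    "2024-01-15T10:00:02 10.0.0.5 tyuiopasdfgh.com NXDOMAIN",
    "2024-01-15T10:00:03 10.0.0.5 mnbvcxzlkjhg.net NXDOMAIN",
    "2024-01-15T10:00:03 10.0.0.5 wertyuiopasd.com NOERROR",
    "2024-01-15T10:00:04 10.0.0.5 www.microsoft.com NOERROR",
    "2024-01-15T10:00:05 10.0.0.9 gogle.com NXDOMAIN",
    "2024-01-15T10:00:06 10.0.0.9 update.example.org NOERROR",
)

if __name__ == "__main__":
    print("predicted for", SAMPLE_DAY, generate_domains(SAMPLE_DAY)[:3])
    print("suspicious clients:", find_dga_clients(SAMPLE_LOG))
```

The behavioural detector deliberately ignores the one query that resolved: the live C2 domain looks like any other successful lookup, and it is the burst of failed lookups for random-looking names from one client that gives the DGA away. Once a sample has been reversed, the exact-match check is the one to deploy, because it also catches the resolved domain and has no threshold to tune.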
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | DarkWatchman can use TLS to encrypt its C2 channel. |
| enterprise | T1083 | File and Directory Discovery | DarkWatchman has the ability to enumerate file and folder names. |
| enterprise | T1070 | Indicator Removal | DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history. |
| enterprise | T1070.004 | File Deletion | DarkWatchman has been observed deleting its original launcher after installation. |
| enterprise | T1490 | Inhibit System Recovery | DarkWatchman can delete volume shadow copies using vssadmin.exe. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | DarkWatchman can track key presses with a keylogger module. |
| enterprise | T1036 | Masquerading | DarkWatchman has used an icon mimicking a text file to mask a malicious executable. |
| enterprise | T1112 | Modify Registry | DarkWatchman can modify Registry values to store configuration strings, the keylogger itself, and the output of its components. |
| enterprise | T1027 | Obfuscated Files or Information | DarkWatchman has been delivered to victims as compressed RAR payloads inside ZIP files. |
| enterprise | T1027.004 | Compile After Delivery | DarkWatchman has used the csc.exe tool to compile a C# executable. |
| enterprise | T1027.010 | Command Obfuscation | DarkWatchman has used Base64 to encode PowerShell commands. |
| enterprise | T1027.011 | Fileless Storage | DarkWatchman can store configuration strings, the keylogger itself, and the output of its components in the Registry. |
| enterprise | T1120 | Peripheral Device Discovery | DarkWatchman can list signed PnP drivers for smartcard readers. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | DarkWatchman has been delivered via spearphishing emails that contain a malicious ZIP file. |
| enterprise | T1012 | Query Registry | DarkWatchman can query the Registry to determine if it has already been installed on the system. |
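Several rows above (Local Data Staging, Modify Registry, Fileless Storage, Query Registry) describe the same habit: the Registry is used as the malware's file system, holding configuration, the keylogger and collected output so that nothing lands on disk. The following is an added example (not DarkWatchman's code and not taken from this page) of triage logic for Sysmon RegistryEvent SetValue records (Event ID 13) that keys on the observable side of that habit: a script host writing long, blob-like or binary value data under a per-user Software key. The flattened `Key=Value | Key=Value` log rendering, the SID, the key names and the value data are constructed for the example; the "Binary Data" placeholder is how Sysmon reports REG_BINARY contents.

```python
import math
import re
from collections import Counter

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Per-user hives: HKCU as tools write it, HKU\<SID> as Sysmon records it.
USER_SOFTWARE = re.compile(r"^HK(?:CU|U\\S-1-5-21-[\d-]+)\\Software\\", re.IGNORECASE)
# Base64 (optional padding) or hex runs of at least 64 characters.
BLOB = re.compile(r"^(?:[A-Za-z0-9+/]{64,}={0,2}|[0-9A-Fa-f]{64,})$")


def parse_event(line):
    """Constructed flattened rendering of Sysmon RegistryEvent fields as
    'Key=Value' pairs separated by ' | '. Only the first '=' splits a pair,
    so base64 padding inside Details survives intact."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def staging_reasons(ev, min_blob=64):
    """Reasons one SetValue (Event ID 13) record looks like data staged in the Registry."""
    if ev.get("EventID") != "13":
        return []
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    is_binary = details == "Binary Data"
    reasons = []
    # A script host writing a large or binary value under the user's own
    # Software key is the core signal; small DWORD/string writes are ignored.
    if image in SCRIPT_HOSTS and USER_SOFTWARE.match(target) and (is_binary or len(details) >= min_blob):
        kind = "binary" if is_binary else f"{len(details)}-character"
        reasons.append(f"{image} wrote {kind} data under a per-user Software key")
    # Independent of the writer: the value content itself looks like a payload.
    if len(details) >= min_blob and BLOB.match(details):
        reasons.append("value data is a base64/hex blob")
    elif len(details) >= min_blob and entropy(details) >= 4.5:
        reasons.append("value data is long and high-entropy")
    return reasons


def find_staging(lines):
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = staging_reasons(ev)
        if reasons:
            hits.append({"image": ev.get("Image"), "target": ev.get("TargetObject"),
                         "reasons": reasons})
    return hits


# Constructed sample records. The blob is an 84-character base64 string.
B64 = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk="
SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = (
    "EventID=13 | Image=C:\\Windows\\System32\\wscript.exe"
    f" | TargetObject=HKU\\{SID}\\Software\\Contoso\\cfg | Details={B64}",
    "EventID=13 | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f" | TargetObject=HKU\\{SID}\\Software\\Contoso\\out | Details=Binary Data",
    "EventID=13 | Image=C:\\Windows\\explorer.exe"
    f" | TargetObject=HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowFrequent"
    " | Details=DWORD (0x00000001)",
    "EventID=13 | Image=C:\\Windows\\System32\\svchost.exe"
    " | TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache"
    "\\Tasks\\{1F2E3D4C-5B6A-4798-8A9B-0C1D2E3F4A5B}\\DynamicInfo | Details=Binary Data",
    "EventID=12 | Image=C:\\Windows\\System32\\wscript.exe"
    f" | TargetObject=HKU\\{SID}\\Software\\Contoso | EventType=CreateKey",
)

if __name__ == "__main__":
    for hit in find_staging(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["target"], hit["reasons"])
```

Two caveats for using this on real telemetry: Sysmon only emits Event ID 13 for keys matched by its configuration, so the user Software hive must be in scope for the rule to see anything, and the blob check deliberately stays independent of the writing process because a later stage may read and rewrite the same values from a compiled C# helper rather than from the script host. Registry reads (the "already installed?" check in the Query Registry row) are not logged by Sysmon at all, so that behaviour is one to hunt for with a live enumeration of per-user keys rather than in event logs.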
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | DarkWatchman has created a scheduled task for persistence. |
| enterprise | T1129 | Shared Modules | DarkWatchman can load DLLs. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | DarkWatchman can search for anti-virus products on the system. |
| enterprise | T1082 | System Information Discovery | DarkWatchman can collect the OS version, system architecture, uptime, and computer name. |
| enterprise | T1614 | System Location Discovery | DarkWatchman can identify the OS locale of a compromised host. |
| enterprise | T1033 | System Owner/User Discovery | DarkWatchman has collected the username from a victim machine. |
| enterprise | T1124 | System Time Discovery | DarkWatchman can collect the time zone information from the system. |
| enterprise | T1047 | Windows Management Instrumentation | DarkWatchman can use WMI to execute commands. |
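Most of the execution rows in this table (PowerShell with Base64-encoded commands, csc.exe compilation, vssadmin.exe shadow copy deletion, scheduled task creation, WMI execution, JavaScript via a script host) leave their evidence in one place: the command line of a process-creation event. The following is an added example (not DarkWatchman's code and not taken from this page) of triage logic over such command lines that first decodes any `-EncodedCommand` payload and then applies the same rules to both the visible line and the decoded text, since that is where the real command sits. The sample command lines are constructed for the example, the encoded one being built in the block so its base64 is the UTF-16LE form PowerShell expects; the wscript/cscript `.js` rule is an assumption about how a JavaScript payload would be launched rather than something the page states.

```python
import base64
import re

# powershell.exe accepts any unambiguous abbreviation of -EncodedCommand, so the
# matcher must tolerate all of them, not just '-enc' and '-EncodedCommand'.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+"
    r"([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Command-line patterns for the techniques in the table above. The script-host
# rule is an assumption about how a JavaScript payload would be launched.
RULES = [
    ("T1490 Inhibit System Recovery",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("T1027.004 Compile After Delivery",
     re.compile(r"\bcsc(?:\.exe)?\b", re.I)),
    ("T1053.005 Scheduled Task",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
    ("T1047 Windows Management Instrumentation",
     re.compile(r"wmic(?:\.exe)?\s+process\s+call\s+create", re.I)),
    ("T1059.007 JavaScript",
     re.compile(r"\b[wc]script(?:\.exe)?\b.*\.js\b", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error is a ValueError; an odd byte count fails UTF-16 decoding.
        return None


def triage(cmdline):
    """List (technique, evidence) pairs for one process-creation command line.

    Rules run over the visible command line and again over any decoded
    PowerShell payload, which is where the interesting command usually hides.
    """
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("T1027.010 Command Obfuscation", f"decoded: {decoded[:80]}"))
    for text in (cmdline, decoded or ""):
        for name, rx in RULES:
            m = rx.search(text)
            if m and all(name != seen for seen, _ in findings):
                findings.append((name, m.group(0)))
    return findings


# Constructed sample command lines. The encoded one is built here so the
# base64 is guaranteed to be the UTF-16LE form PowerShell expects.
HIDDEN_COMMAND = "vssadmin delete shadows /all /quiet"
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(HIDDEN_COMMAND.encode("utf-16-le")).decode("ascii"),
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /nologo'
    r" /out:C:\Users\Public\a.exe C:\Users\Public\a.cs",
    r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\Public\u.js"',
    r'wmic process call create "cmd.exe /c whoami"',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:70], "->", [name for name, _ in triage(line)] or "clean")
```

The decoder is strict on purpose: `validate=True` rejects anything that is not clean base64, and a payload that is not an even number of bytes is not a PowerShell encoded command, so both cases return None instead of producing garbage that the rules would then miss. On real telemetry, run the rules on the decoded text as well as the raw line, otherwise the first sample above (where the vssadmin call is entirely inside the base64) is invisible.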