
S0673 DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[1]

| Item | Value |
|---|---|
| ID | S0673 |
| Associated Names | |
| Version | 1.1 |
| Created | 10 January 2022 |
| Last Modified | 22 March 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | DarkWatchman uses HTTPS for command and control.[1] |
| enterprise | T1010 | Application Window Discovery | DarkWatchman reports window names along with keylogger information to provide application context.[1] |
| enterprise | T1217 | Browser Information Discovery | DarkWatchman can retrieve browser history.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger.[1] |
| enterprise | T1059.003 | Windows Command Shell | DarkWatchman can use cmd.exe to execute commands.[1] |
| enterprise | T1059.007 | JavaScript | DarkWatchman uses JavaScript to perform its core functionality.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | DarkWatchman encodes data in hexadecimal representation before sending it to the C2 server.[1] |
| enterprise | T1005 | Data from Local System | DarkWatchman can collect files from a compromised host.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | DarkWatchman can stage local data in the Windows Registry.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkWatchman has the ability to self-extract as a RAR archive.[1] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | DarkWatchman has used a DGA to generate a domain name for C2.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | DarkWatchman can use TLS to encrypt its C2 channel.[1] |
| enterprise | T1083 | File and Directory Discovery | DarkWatchman has the ability to enumerate file and folder names.[1] |
| enterprise | T1070 | Indicator Removal | DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history.[1] |
| enterprise | T1070.004 | File Deletion | DarkWatchman has been observed deleting its original launcher after installation.[1] |
| enterprise | T1490 | Inhibit System Recovery | DarkWatchman can delete shadow volumes using vssadmin.exe.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | DarkWatchman can track key presses with a keylogger module.[1] |
| enterprise | T1036 | Masquerading | DarkWatchman has used an icon mimicking a text file to mask a malicious executable.[1] |
| enterprise | T1112 | Modify Registry | DarkWatchman can modify Registry values to store configuration strings, the keylogger, and the output of its components.[1] |
| enterprise | T1027 | Obfuscated Files or Information | DarkWatchman has been delivered to victims as compressed RAR payloads inside ZIP files.[1] |
| enterprise | T1027.004 | Compile After Delivery | DarkWatchman has used the csc.exe tool to compile a C# executable.[1] |
| enterprise | T1027.010 | Command Obfuscation | DarkWatchman has used Base64 to encode PowerShell commands.[1] |
| enterprise | T1027.011 | Fileless Storage | DarkWatchman can store configuration strings, the keylogger, and the output of its components in the Registry.[1] |
| enterprise | T1120 | Peripheral Device Discovery | DarkWatchman can list signed PnP drivers for smartcard readers.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | DarkWatchman has been delivered via spearphishing emails that contain a malicious ZIP file.[1] |
| enterprise | T1012 | Query Registry | DarkWatchman can query the Registry to determine whether it has already been installed on the system.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | DarkWatchman has created a scheduled task for persistence.[1] |
| enterprise | T1129 | Shared Modules | DarkWatchman can load DLLs.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | DarkWatchman can search for anti-virus products on the system.[1] |
| enterprise | T1082 | System Information Discovery | DarkWatchman can collect the OS version, system architecture, uptime, and computer name.[1] |
| enterprise | T1614 | System Location Discovery | DarkWatchman can identify the OS locale of a compromised host.[1] |
| enterprise | T1033 | System Owner/User Discovery | DarkWatchman has collected the username from a victim machine.[1] |
| enterprise | T1124 | System Time Discovery | DarkWatchman can collect time zone information from the system.[1] |
| enterprise | T1047 | Windows Management Instrumentation | DarkWatchman can use WMI to execute commands.[1] |