| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | CharmPower can use HTTP to communicate with C2. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | CharmPower can use PowerShell for payload execution and C2 communication. |
| enterprise | T1059.003 | Windows Command Shell | The C# implementation of the CharmPower command execution module can use cmd. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | CharmPower can send additional modules over C2 encoded with base64. |
| enterprise | T1005 | Data from Local System | CharmPower can collect data and files from a compromised host. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | CharmPower can decrypt downloaded modules prior to execution. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | CharmPower can send additional modules over C2 encrypted with a simple substitution cipher. |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | CharmPower can send victim data via FTP with credentials hardcoded in the script. |
| enterprise | T1041 | Exfiltration Over C2 Channel | CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST. |
| enterprise | T1008 | Fallback Channels | CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors' S3 bucket. |
| enterprise | T1083 | File and Directory Discovery | CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | CharmPower can delete created files from a compromised system. |
| enterprise | T1105 | Ingress Tool Transfer | CharmPower has the ability to download additional modules to a compromised host. |
| enterprise | T1112 | Modify Registry | CharmPower can remove persistence-related artifacts from the Registry. |
| enterprise | T1057 | Process Discovery | CharmPower has the ability to list running processes through the use of tasklist. |
| enterprise | T1012 | Query Registry | CharmPower has the ability to enumerate Uninstall registry values. |
| enterprise | T1113 | Screen Capture | CharmPower has the ability to capture screenshots. |
| enterprise | T1518 | Software Discovery | CharmPower can list the installed applications on a compromised host. |
| enterprise | T1082 | System Information Discovery | CharmPower can enumerate the OS version and computer name on a targeted system. |
| enterprise | T1016 | System Network Configuration Discovery | CharmPower has the ability to use ipconfig to enumerate system network settings. |
| enterprise | T1049 | System Network Connections Discovery | CharmPower can use netsh wlan show profiles to list specific Wi-Fi profile details. |
| enterprise | T1102 | Web Service | CharmPower can download additional modules from actor-controlled Amazon S3 buckets. |
| enterprise | T1102.001 | Dead Drop Resolver | CharmPower can retrieve C2 domain information from actor-controlled S3 buckets. |
| enterprise | T1047 | Windows Management Instrumentation | CharmPower can use wmic to gather information from a system. |