| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Flagpro can communicate with its C2 using HTTP. |
| enterprise | T1010 | Application Window Discovery | Flagpro can check the name of the window displayed on the system. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Flagpro has dropped an executable file to the startup directory. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Flagpro can use cmd.exe to execute commands received from C2. |
| enterprise | T1059.005 | Visual Basic | Flagpro can execute malicious VBA macros embedded in .xlsm files. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Flagpro has encoded bidirectional data communications between a target system and C2 server using Base64. |
| enterprise | T1005 | Data from Local System | Flagpro can collect data from a compromised host, including Windows authentication information. |
| enterprise | T1041 | Exfiltration Over C2 Channel | Flagpro has exfiltrated data to the C2 server. |
| enterprise | T1070 | Indicator Removal | Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections. |
| enterprise | T1105 | Ingress Tool Transfer | Flagpro can download additional malware from the C2 server. |
| enterprise | T1036 | Masquerading | Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution. |
| enterprise | T1106 | Native API | Flagpro can use Native API to enable obfuscation, including GetLastError and GetTickCount. |
| enterprise | T1135 | Network Share Discovery | Flagpro has been used to execute net view to discover mapped network shares. |
| enterprise | T1027 | Obfuscated Files or Information | Flagpro has been delivered within ZIP or RAR password-protected archived files. |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | Flagpro has been used to execute the net localgroup administrators command on a targeted system. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Flagpro has been distributed via spearphishing as an email attachment. |
| enterprise | T1057 | Process Discovery | Flagpro has been used to run the tasklist command on a compromised system. |
| enterprise | T1018 | Remote System Discovery | Flagpro has been used to execute net view on a targeted system. |
| enterprise | T1029 | Scheduled Transfer | Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2. |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog boxes. |
| enterprise | T1016 | System Network Configuration Discovery | Flagpro has been used to execute the ipconfig /all command on a victim system. |
| enterprise | T1049 | System Network Connections Discovery | Flagpro has been used to execute netstat -ano on a compromised host. |
| enterprise | T1033 | System Owner/User Discovery | Flagpro has been used to run the whoami command on the system. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Flagpro has relied on users clicking a malicious attachment delivered through spearphishing. |