| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Variants of Kevin can communicate with C2 over HTTP. |
| enterprise | T1071.004 | DNS | Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Kevin can use a renamed image of cmd.exe for execution. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Kevin can Base32 encode chunks of output files during exfiltration. |
| enterprise | T1005 | Data from Local System | Kevin can upload logs and other data from a compromised host. |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic. |
| enterprise | T1074 | Data Staged | Kevin can create directories to store logs and other collected data. |
| enterprise | T1030 | Data Transfer Size Limits | Kevin can exfiltrate data to the C2 server in 27-character chunks. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Kevin can compile randomly-generated MOF files into the WMI repository to persistently run malware. |
| enterprise | T1041 | Exfiltration Over C2 Channel | Kevin can send data from the victim host through a DNS C2 channel. |
| enterprise | T1008 | Fallback Channels | Kevin can assign hard-coded fallback domains for C2. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Kevin can hide the current window from the targeted user via the ShowWindow API function. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Kevin can delete files created on the victim's machine. |
| enterprise | T1105 | Ingress Tool Transfer | Kevin can download files to the compromised host. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.003 | Rename Legitimate Utilities | Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension. |
| enterprise | T1106 | Native API | Kevin can use the ShowWindow API to avoid detection. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Kevin has Base64-encoded its configuration file. |
| enterprise | T1572 | Protocol Tunneling | Kevin can use a custom protocol tunneled through DNS or HTTP. |
| enterprise | T1082 | System Information Discovery | Kevin can enumerate the OS version and hostname of a targeted machine. |
| enterprise | T1016 | System Network Configuration Discovery | Kevin can collect the MAC address and other information from a victim machine using ipconfig /all. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Kevin can sleep for a time interval between C2 communication attempts. |