Domain | ID | Name | Use
enterprise | T1087 | Account Discovery | Woody RAT can identify administrator accounts on an infected machine.
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Woody RAT can communicate with its C2 server using HTTP requests.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Woody RAT can execute PowerShell commands and scripts using the .NET DLL WoodyPowerSession.
enterprise | T1059.003 | Windows Command Shell | Woody RAT can execute commands using cmd.exe.
enterprise | T1005 | Data from Local System | Woody RAT can collect information from a compromised host.
enterprise | T1140 | Deobfuscate/Decode Files or Information | Woody RAT can deobfuscate Base64-encoded strings and scripts.
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | Woody RAT can use AES-CBC to encrypt data sent to its C2 server.
enterprise | T1573.002 | Asymmetric Cryptography | Woody RAT can use RSA-4096 to encrypt data sent to its C2 server.
enterprise | T1041 | Exfiltration Over C2 Channel | Woody RAT can exfiltrate files from an infected machine to its C2 server.
enterprise | T1203 | Exploitation for Client Execution | Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery.
enterprise | T1083 | File and Directory Discovery | Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.006 | Indicator Blocking | Woody RAT has suppressed all error reporting by calling SetErrorMode with 0x8007 (all four SEM_* flags set) as a parameter.
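The value 0x8007 is the OR of every SetErrorMode flag, which is why the row above says "all" error reporting is suppressed. The following is an added example, not Woody RAT code and not part of the ATT&CK page: it decodes the mask seen in an API trace into the documented Win32 SEM_* flag names and marks calls that would let a process crash without a dialog or Windows Error Reporting prompt. The trace line format and the process names are constructed for the sample.

```python
import re

# Added example, not Woody RAT code and not from the ATT&CK page: decode the
# mask passed to SetErrorMode so the effect of a call such as
# SetErrorMode(0x8007) is readable in an API trace. The flag values are the
# documented Win32 SEM_* constants; the trace lines below are constructed.
SEM_FLAGS = {
    0x0001: "SEM_FAILCRITICALERRORS",      # no system dialog on critical errors
    0x0002: "SEM_NOGPFAULTERRORBOX",       # no crash dialog / WER prompt on an unhandled exception
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",  # alignment faults fixed up silently
    0x8000: "SEM_NOOPENFILEERRORBOX",      # no dialog when OpenFile cannot find a file
}
ALL_SEM = sum(SEM_FLAGS)  # 0x8007


def decode_error_mode(mode):
    """Names of the SEM_* flags set in `mode`; unknown bits are reported, not dropped."""
    names = [name for bit, name in SEM_FLAGS.items() if mode & bit]
    unknown = mode & ~ALL_SEM
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def silences_crash_reporting(mode):
    """True when the process would die without a crash dialog or WER report."""
    return bool(mode & 0x0002)


# Constructed API-monitor line format: "pid=<n> image=<path> call=<api>(<args>)".
CALL_RE = re.compile(r"pid=(\d+) image=(.+?) call=SetErrorMode\(0x([0-9A-Fa-f]+)\)")


def triage(trace_lines):
    """Pull every SetErrorMode call out of a trace and annotate it."""
    hits = []
    for line in trace_lines:
        m = CALL_RE.search(line)
        if not m:
            continue
        pid, image, hexmask = m.groups()
        mode = int(hexmask, 16)
        hits.append({
            "pid": int(pid),
            "image": image,
            "mode": mode,
            "flags": decode_error_mode(mode),
            "silences_crashes": silences_crash_reporting(mode),
            "all_flags_set": (mode & ALL_SEM) == ALL_SEM,
        })
    return hits


# Constructed API-monitor lines, not a real capture.
TRACE = [
    "pid=4120 image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe call=SetErrorMode(0x8007)",
    "pid=2208 image=C:\\Windows\\explorer.exe call=SetErrorMode(0x1)",
    "pid=5016 image=C:\\Program Files\\App\\app.exe call=GetLastError()",
]

if __name__ == "__main__":
    for hit in triage(TRACE):
        print(hit)
```

SEM_FAILCRITICALERRORS on its own is common in legitimate software (explorer.exe in the sample), so the useful signal is the combination: SEM_NOGPFAULTERRORBOX set by an unsigned binary running from a user-writable path, which is what the `silences_crashes` and `all_flags_set` fields are for.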
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode that deletes a file into the suspended process using NtWriteVirtualMemory.
enterprise | T1105 | Ingress Tool Transfer | Woody RAT can download files from its C2 server, including the .NET DLLs WoodySharpExecutor and WoodyPowerSession.
enterprise | T1106 | Native API | Woody RAT can use multiple native APIs, including WriteProcessMemory, CreateProcess, and CreateRemoteThread, for process injection.
enterprise | T1027 | Obfuscated Files or Information | Woody RAT has used Base64-encoded strings and scripts.
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Woody RAT has been delivered via malicious Word documents and archive files.
enterprise | T1057 | Process Discovery | Woody RAT can call NtQuerySystemInformation with the SystemProcessInformation class to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner.
enterprise | T1055 | Process Injection | Woody RAT can inject code into a targeted process by writing to that process's memory and then creating a remote thread.
enterprise | T1055.012 | Process Hollowing | Woody RAT can create a suspended notepad process and write shellcode that deletes a file into the suspended process using NtWriteVirtualMemory.
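The File Deletion, Native API, Process Injection and Process Hollowing rows above describe one chain: the implant spawns notepad.exe suspended, writes shellcode into it, starts a remote thread, and that thread deletes the implant's own file. The following is an added example, not Woody RAT code and not part of the ATT&CK page, that correlates that chain from Sysmon-style telemetry: ProcessCreate (1), ProcessAccess (10), CreateRemoteThread (8) and FileDelete (23). Sysmon does not record the CREATE_SUSPENDED flag, so the rule keys on a parent creating a thread in its own freshly spawned child, then checks whether that child deleted the parent's image. The events, paths and PIDs are constructed, not a real log.

```python
from datetime import datetime

# Added example, not Woody RAT code and not from the ATT&CK page: correlate
# Sysmon-style events into the chain parent -> spawns notepad.exe -> opens it
# with write/thread rights -> creates a remote thread in it -> the child deletes
# the parent's binary. Event IDs and field names are the standard Sysmon ones;
# the events below are constructed, not a real log.

PROCESS_CREATE_THREAD = 0x0002  # access rights from <winnt.h>
PROCESS_VM_WRITE = 0x0020


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_self_delete_injection(events, window_s=30):
    """One finding per (injector pid, target pid) chain. A production rule should
    key on ProcessGuid rather than pid, since Windows reuses pids."""
    spawned = {}   # child pid -> (parent pid, parent image, child image, create time)
    access = {}    # (src pid, tgt pid) -> True when a handle allowed VM_WRITE and CREATE_THREAD
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["UtcTime"])):
        eid, t = ev["EventID"], parse_ts(ev["UtcTime"])
        if eid == 1:     # ProcessCreate
            spawned[ev["ProcessId"]] = (ev["ParentProcessId"], ev["ParentImage"], ev["Image"], t)
        elif eid == 10:  # ProcessAccess: keep handles that could write memory and start a thread
            mask = int(ev["GrantedAccess"], 16)
            if mask & PROCESS_VM_WRITE and mask & PROCESS_CREATE_THREAD:
                access[(ev["SourceProcessId"], ev["TargetProcessId"])] = True
        elif eid == 8:   # CreateRemoteThread: was the target spawned by the source just before?
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            child = spawned.get(tgt)
            if child and child[0] == src and (t - child[3]).total_seconds() <= window_s:
                findings.append({
                    "source_pid": src, "source_image": child[1],
                    "target_pid": tgt, "target_image": child[2],
                    "write_access_seen": access.get((src, tgt), False),
                    "self_delete": False,
                })
        elif eid == 23:  # FileDelete: did the injected child remove the injector's own image?
            for f in findings:
                if ev["ProcessId"] == f["target_pid"] and \
                        ev["TargetFilename"].lower() == f["source_image"].lower():
                    f["self_delete"] = True
    return findings


# Constructed Sysmon events; a notepad launch from explorer.exe with no remote
# thread is included as a benign control.
EVENTS = [
    {"EventID": 1, "UtcTime": "2023-09-14 10:00:01.000", "ProcessId": 3320,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessId": 4120, "ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"EventID": 10, "UtcTime": "2023-09-14 10:00:01.050", "SourceProcessId": 4120,
     "TargetProcessId": 3320, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2023-09-14 10:00:01.200", "SourceProcessId": 4120,
     "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe",
     "TargetProcessId": 3320, "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 23, "UtcTime": "2023-09-14 10:00:01.500", "ProcessId": 3320,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"EventID": 1, "UtcTime": "2023-09-14 10:00:05.000", "ProcessId": 7788,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessId": 2208, "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in find_self_delete_injection(EVENTS):
        print(finding)
```

A remote thread from a parent into a child it started seconds earlier is rare outside debuggers and some installers, and a child that then deletes its parent's executable is rarer still; the `self_delete` flag is what separates this chain from ordinary injection. FileDelete events require Sysmon's FileDelete logging to be enabled in the configuration.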
enterprise | T1012 | Query Registry | Woody RAT can search registry keys to identify antivirus programs on a compromised host.
enterprise | T1113 | Screen Capture | Woody RAT has the ability to take a screenshot of the infected host's desktop using Windows GDI+.
enterprise | T1518 | Software Discovery | Woody RAT can collect .NET, PowerShell, and Python information from an infected host.
enterprise | T1518.001 | Security Software Discovery | Woody RAT can detect Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos antivirus programs.
enterprise | T1082 | System Information Discovery | Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, environment variables, and storage drives.
enterprise | T1016 | System Network Configuration Discovery | Woody RAT can retrieve network interface and proxy information.
enterprise | T1016.001 | Internet Connection Discovery | Woody RAT can send HTTP GET "Ping" requests to its C2 server at regular intervals to check network connectivity.
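A connectivity check fired on a fixed timer leaves a pattern in proxy logs that human browsing does not: repeated GETs from one client to one host and path with near-constant gaps. The following is an added example, not Woody RAT code and not part of the ATT&CK page, that scores each (client, host, path) series by the coefficient of variation of its request gaps and reports the regular ones. The log format, the `/Ping` path and the addresses are assumptions made for the constructed sample; the page only says the requests are "Ping" GETs.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Added example, not Woody RAT code and not from the ATT&CK page: flag clients
# whose GET requests to one host and path recur at near-constant intervals.
# Constructed proxy log lines (not a real capture): time, client, method, URL,
# status, response bytes. The /Ping path and the addresses are assumptions.
PROXY_LOG = """\
2023-09-14T10:00:00Z 10.1.2.3 GET http://198.51.100.7/Ping 200 312
2023-09-14T10:00:04Z 10.1.2.9 GET http://www.example.com/news 200 15234
2023-09-14T10:00:59Z 10.1.2.3 GET http://198.51.100.7/Ping 200 312
2023-09-14T10:02:00Z 10.1.2.3 GET http://198.51.100.7/Ping 200 312
2023-09-14T10:02:14Z 10.1.2.9 GET http://www.example.com/news 200 15234
2023-09-14T10:02:24Z 10.1.2.9 GET http://www.example.com/news 200 15102
2023-09-14T10:03:00Z 10.1.2.3 GET http://198.51.100.7/Ping 200 312
2023-09-14T10:04:00Z 10.1.2.3 GET http://198.51.100.7/Ping 200 312
2023-09-14T10:05:00Z 10.1.2.3 GET http://198.51.100.7/Ping 200 312
2023-09-14T10:06:44Z 10.1.2.9 GET http://www.example.com/news 200 15234
2023-09-14T10:09:00Z 10.1.2.9 GET http://www.example.com/news 200 15234
"""


def parse_log(text):
    """Yield (timestamp, client, host, path, bytes) for each GET line."""
    for line in text.splitlines():
        ts, client, method, url, status, size = line.split()
        if method != "GET":
            continue
        u = urlsplit(url)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, u.hostname, u.path, int(size)


def interval_stats(text):
    """Per (client, host, path): request count, mean gap in seconds and the
    coefficient of variation (stdev / mean) of the gaps. A low CV means a timer."""
    series = defaultdict(list)
    for ts, client, host, path, _ in parse_log(text):
        series[(client, host, path)].append(ts)
    stats = {}
    for key, times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        stats[key] = {"count": len(times), "mean_gap_s": mean, "cv": cv}
    return stats


def beacon_candidates(text, min_requests=5, max_cv=0.1):
    """Series regular enough to be a timer rather than a person. Raise max_cv
    when the implant adds jitter: jitter widens the gaps but keeps the period."""
    return sorted(key for key, s in interval_stats(text).items()
                  if s["count"] >= min_requests and s["cv"] <= max_cv)


if __name__ == "__main__":
    stats = interval_stats(PROXY_LOG)
    for key in beacon_candidates(PROXY_LOG):
        print(key, stats[key])
```

In the sample the check-in series has gaps of 59, 61, 60, 60 and 60 seconds (CV about 0.01) while the browsing series scores about 0.66. A constant response size, as with the 312-byte replies above, is a second signal worth adding once the timing rule has narrowed the set; neither rule identifies the implant on its own, they rank hosts for a closer look.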
enterprise | T1033 | System Owner/User Discovery | Woody RAT can retrieve a list of user accounts and usernames from an infected machine.
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Woody RAT has relied on users opening a malicious email attachment for execution.