| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Sardonic has the ability to execute PowerShell commands on a compromised machine. |
| enterprise | T1059.003 | Windows Command Shell | Sardonic has the ability to run cmd.exe or other interactive processes on a compromised computer. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Sardonic can encode client ID data as 32 uppercase hex characters and transfer it to the actor-controlled C2 server. |
| enterprise | T1005 | Data from Local System | Sardonic has the ability to collect data from a compromised machine to deliver to the attacker. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers. |
| enterprise | T1573.002 | Asymmetric Cryptography | Sardonic has the ability to send a random 64-byte RC4 key, encrypted with an RSA public key, to communicate with actor-controlled C2 servers. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Sardonic can use a WMI event filter to invoke a command-line event consumer to gain persistence. |
| enterprise | T1070 | Indicator Removal | Sardonic has the ability to delete created WMI objects to evade detection. |
| enterprise | T1105 | Ingress Tool Transfer | Sardonic has the ability to upload additional malicious files to a compromised machine. |
| enterprise | T1680 | Local Storage Discovery | Sardonic has the ability to collect the C:\ drive serial number from a compromised machine. |
| enterprise | T1106 | Native API | Sardonic has the ability to call Win32 API functions to determine if powershell.exe is running. |
| enterprise | T1135 | Network Share Discovery | Sardonic has the ability to execute the net view command. |
| enterprise | T1095 | Non-Application Layer Protocol | Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol. |
| enterprise | T1571 | Non-Standard Port | Sardonic has the ability to connect to actor-controlled C2 servers using a custom binary protocol over port 443. |
| enterprise | T1027 | Obfuscated Files or Information | Sardonic can use certain ConfuserEx features for obfuscation and can be encoded as a base64 string. |
| enterprise | T1027.010 | Command Obfuscation | Sardonic PowerShell scripts can be encrypted with RC4 and compressed using Gzip. |
| enterprise | T1057 | Process Discovery | Sardonic has the ability to execute the tasklist command. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.004 | Asynchronous Procedure Call | Sardonic can use the QueueUserAPC API to execute shellcode on a compromised machine. |
| enterprise | T1620 | Reflective Code Loading | Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions. |
| enterprise | T1082 | System Information Discovery | Sardonic has the ability to collect the computer name and CPU manufacturer name from a compromised machine. Sardonic also has the ability to execute the ver and systeminfo commands. |
| enterprise | T1016 | System Network Configuration Discovery | Sardonic has the ability to execute the ipconfig command. |
| enterprise | T1049 | System Network Connections Discovery | Sardonic has the ability to execute the netstat command. |
| enterprise | T1007 | System Service Discovery | Sardonic has the ability to execute the net start command. |
| enterprise | T1047 | Windows Management Instrumentation | Sardonic can use WMI to execute PowerShell commands on a compromised machine. |