| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | - |
| Enterprise | T1087.001 | Local Account | DUSTTRAP can enumerate local user accounts. |
| Enterprise | T1087.002 | Domain Account | DUSTTRAP can enumerate domain accounts. |
| Enterprise | T1010 | Application Window Discovery | DUSTTRAP can enumerate running application windows. |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.003 | Windows Command Shell | DUSTTRAP can execute commands via cmd.exe. |
| Enterprise | T1005 | Data from Local System | DUSTTRAP can gather data from infected systems. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DUSTTRAP deobfuscates embedded payloads. |
| Enterprise | T1482 | Domain Trust Discovery | DUSTTRAP can identify Active Directory information and related items. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | DUSTTRAP can exfiltrate collected data over C2 channels. |
| Enterprise | T1083 | File and Directory Discovery | DUSTTRAP can enumerate files and directories. |
| Enterprise | T1615 | Group Policy Discovery | DUSTTRAP can identify victim environment Group Policy information. |
| Enterprise | T1070 | Indicator Removal | DUSTTRAP restores the .text section of compromised DLLs after malicious code is loaded into memory and before the file is closed. |
| Enterprise | T1070.001 | Clear Windows Event Logs | DUSTTRAP can delete infected system log information. |
| Enterprise | T1070.005 | Network Share Connection Removal | DUSTTRAP can remove network shares from infected systems. |
| Enterprise | T1105 | Ingress Tool Transfer | DUSTTRAP can retrieve and load additional payloads. |
| Enterprise | T1056 | Input Capture | - |
| Enterprise | T1056.001 | Keylogging | DUSTTRAP can perform keylogging operations. |
| Enterprise | T1654 | Log Enumeration | DUSTTRAP can identify infected system log information. |
| Enterprise | T1135 | Network Share Discovery | DUSTTRAP can identify and enumerate victim system network shares. |
| Enterprise | T1027 | Obfuscated Files or Information | - |
| Enterprise | T1027.009 | Embedded Payloads | DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution. |
| Enterprise | T1027.013 | Encrypted/Encoded File | DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory. |
| Enterprise | T1057 | Process Discovery | DUSTTRAP can enumerate running processes. |
| Enterprise | T1055 | Process Injection | DUSTTRAP compromises the .text section of a legitimate system DLL in %windir% to hold the contents of retrieved plug-ins. |
| Enterprise | T1012 | Query Registry | DUSTTRAP can enumerate Registry items. |
| Enterprise | T1018 | Remote System Discovery | DUSTTRAP can use ping to identify remote hosts within the victim network. |
| Enterprise | T1113 | Screen Capture | DUSTTRAP can capture screenshots. |
| Enterprise | T1518 | Software Discovery | - |
| Enterprise | T1518.001 | Security Software Discovery | DUSTTRAP can identify security software. |
| Enterprise | T1082 | System Information Discovery | DUSTTRAP reads the value of the infected system's HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID value. |
| Enterprise | T1016 | System Network Configuration Discovery | DUSTTRAP can enumerate infected system network information. |
| Enterprise | T1124 | System Time Discovery | DUSTTRAP reads the infected system's current time and writes it to a log file during execution. |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| Enterprise | T1497.001 | System Checks | DUSTTRAP decryption relies on the infected machine's HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID value. |
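The T1055 and T1070 rows above describe the same manoeuvre from two sides: plug-in contents are written into the .text section of a legitimate DLL under %windir%, and the original section bytes are put back before the file handle is closed. The added example below (written for this page, not DUSTTRAP code and not taken from ATT&CK) shows why that matters for detection. It parses the PE section table with the standard library, keeps a per-section SHA-256 baseline, and walks through baseline, tamper and restore on a constructed minimal PE image standing in for a system DLL. The `build_minimal_pe`, `overwrite_section` and `demonstrate` helpers, the section contents and the "plug-in" blob are all constructed for the demonstration and are not artifacts of the real malware.

```python
"""Added example (not DUSTTRAP code): what a per-section hash baseline sees when a
PE's .text section is overwritten and then restored before the file is closed.
Uses a constructed minimal PE image, not a real system DLL. Standard library only."""
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: name, vsize, vaddr, rawsize, rawptr, ...
FILE_ALIGN = 0x200            # typical FileAlignment


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_minimal_pe(text: bytes, data: bytes) -> bytes:
    """Constructed sample: a PE32+ skeleton with .text and .data, enough for section parsing."""
    e_lfanew = 0x40
    opt_size = 0xF0  # size of a PE32+ optional header; contents zeroed except Magic
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=x64, 2 sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    hdr_end = e_lfanew + 4 + len(coff) + opt_size + 2 * 40
    text_off = _align(hdr_end)
    data_off = text_off + _align(len(text))

    def sec(name: bytes, raw: bytes, off: int, chars: int) -> bytes:
        return struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw), off,
                           _align(len(raw)), off, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", text, text_off, 0x60000020)   # CODE|EXECUTE|READ
               + sec(b".data", data, data_off, 0xC0000040))  # INITIALIZED_DATA|READ|WRITE
    return (headers.ljust(text_off, b"\0")
            + text.ljust(_align(len(text)), b"\0")
            + data.ljust(_align(len(data)), b"\0"))


def pe_sections(image: bytes) -> dict:
    """Return {section_name: (raw_offset, raw_size)} from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", image, coff + 2)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = {}
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, image, table + 40 * i)
        out[name.rstrip(b"\0").decode("ascii")] = (raw_ptr, raw_size)
    return out


def section_hashes(image: bytes) -> dict:
    """Per-section SHA-256 of the raw on-disk bytes; this is the baseline a file scanner keeps."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, (off, size) in pe_sections(image).items()}


def changed_sections(baseline: dict, current: dict) -> list:
    """Sections whose on-disk bytes differ from the baseline (or appeared/vanished)."""
    return sorted(n for n in set(baseline) | set(current) if baseline.get(n) != current.get(n))


def overwrite_section(image: bytes, name: str, payload: bytes) -> bytes:
    """Model the tampering: write payload into the start of a section's raw bytes, in place."""
    off, size = pe_sections(image)[name]
    if len(payload) > size:
        raise ValueError(f"payload ({len(payload)} bytes) exceeds {name} raw size ({size})")
    return image[:off] + payload + image[off + len(payload):]


def demonstrate() -> dict:
    """Baseline -> tamper -> restore, reporting what the hash check sees at each step."""
    clean = build_minimal_pe(b"\x48\x83\xec\x28" * 64, b"config=1\0")  # constructed 'system DLL'
    baseline = section_hashes(clean)
    plugin = b"MZ" + b"PLUGIN-BLOB" * 7              # constructed stand-in for a retrieved plug-in
    tampered = overwrite_section(clean, ".text", plugin)
    off, size = pe_sections(clean)[".text"]
    restored = overwrite_section(tampered, ".text", clean[off:off + size])
    return {
        "while_modified": changed_sections(baseline, section_hashes(tampered)),  # ['.text']
        "after_restore": changed_sections(baseline, section_hashes(restored)),   # []
        "restored_identical": restored == clean,                                 # True
    }


if __name__ == "__main__":
    for step, result in demonstrate().items():
        print(f"{step}: {result}")
```

The at-rest check flags `.text` only during the window between the write and the restore; once the original bytes are back, the file hashes clean and a scheduled integrity scan learns nothing. Detection therefore has to key on the write itself (file-modification telemetry for DLLs under %windir% from processes that are not servicing or installer components) or compare the image that was actually mapped into memory against the file on disk, rather than re-hash the file after the fact.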