| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.[1] |
| Enterprise | T1090 | Proxy | TSCookie has the ability to proxy communications with command and control (C2) servers.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TSCookie has the ability to decrypt, load, and execute a DLL and its resources.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | TSCookie has the ability to execute shell commands on the infected host.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | TSCookie can use multiple protocols, including HTTP and HTTPS, in communication with command and control (C2) servers.[2][1] |
| Enterprise | T1083 | File and Directory Discovery | TSCookie has the ability to discover drive information on the infected host.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | TSCookie has the ability to identify the IP of the infected host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | TSCookie has the ability to upload and download files to and from the infected host.[1] |
| Enterprise | T1057 | Process Discovery | TSCookie has the ability to list processes on the infected host.[1] |
| Enterprise | T1055 | Process Injection | TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | TSCookie can use ICMP to receive information on the destination server.[2] |