| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.011 | Event Triggered Execution: Application Shimming | SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.[1] |
| Enterprise | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[1] |
| Enterprise | T1005 | Data from Local System | SDBbot has the ability to access the file system on a compromised host.[1] |
| Enterprise | T1090 | Proxy | SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SDBbot has the ability to decrypt and decompress its payload to enable code execution.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privileges.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SDBbot has the ability to use the command shell to execute commands on a compromised host.[1] |
| Enterprise | T1083 | File and Directory Discovery | SDBbot has the ability to get directory listings or drive information on a compromised host.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128-byte key.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1070 | Indicator Removal | SDBbot has the ability to clean up and remove data structures from a compromised host.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SDBbot has the ability to delete files from a compromised host.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1614 | System Location Discovery | SDBbot can collect the country code of a compromised machine.[3] |
| Enterprise | T1082 | System Information Discovery | SDBbot has the ability to identify the OS version, OS bitness and computer name.[1][3] |
| Enterprise | T1033 | System Owner/User Discovery | SDBbot has the ability to identify the user on a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[1] |
| Enterprise | T1125 | Video Capture | SDBbot has the ability to record video on a compromised host.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | SDBbot has the ability to download a DLL from C2 to a compromised host.[1] |
| Enterprise | T1057 | Process Discovery | SDBbot can enumerate a list of running processes on a compromised machine.[3] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | SDBbot has the ability to use RDP to connect to victim machines.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SDBbot has sent collected data from a compromised host to its C2 servers.[3] |
| Enterprise | T1095 | Non-Application Layer Protocol | SDBbot has the ability to communicate with C2 over TCP on port 443.[1] |
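The table lists three registry-backed persistence paths, chosen by the privilege level and OS version SDBbot finds itself on: a custom shim database for services.exe (T1546.011), an IFEO Debugger value (T1546.012), and a Run key value when only user rights are available (T1547.001). The triage routine below is an added example written for this page, not SDBbot's code and not taken from the cited reports; it walks a list of registry values, as a hive parser or a post-processed `reg export` would yield them, and flags the three locations. The input tuple format, the sample values, the target executable names and the heuristic for Run values (rundll32 loading a DLL from a user-writable path, matching the rundll32 injection row) are all assumptions made for the example.

```python
"""Triage registry values for the persistence locations attributed to SDBbot.

Input format (list of (key, value_name, data) tuples) is an assumption about
what a hive parser produces. Sample values are constructed, not real artefacts.
"""
import re
from typing import Iterable, NamedTuple, Optional


class RegValue(NamedTuple):
    key: str
    name: str
    data: str


class Finding(NamedTuple):
    technique: str   # ATT&CK ID from the table above
    key: str
    name: str
    data: str
    reason: str


NT_CV = r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
HKLM = r"^HK(?:LM|EY_LOCAL_MACHINE)"

# IFEO: a Debugger value makes Windows start that program instead of <exe>.
IFEO_RE = re.compile(HKLM + NT_CV + r"Image File Execution Options\\(?P<exe>[^\\]+)$", re.I)
# Shim DBs: Custom\<exe> lists the .sdb applied to it; InstalledSDB\{guid} holds its path.
SHIM_CUSTOM_RE = re.compile(HKLM + NT_CV + r"AppCompatFlags\\Custom\\(?P<exe>[^\\]+)$", re.I)
SHIM_INSTALLED_RE = re.compile(HKLM + NT_CV + r"AppCompatFlags\\InstalledSDB\\(?P<guid>\{[0-9a-f-]+\})$", re.I)
# Run / RunOnce under either hive, including the WOW6432Node view.
RUN_RE = re.compile(
    r"^HK(?:LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# Directories an unprivileged implant can write to (heuristic, assumption).
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Users\\[^\\]+|ProgramData|Temp)\\", re.I)


def classify(v: RegValue) -> Optional[Finding]:
    """Map one registry value to a technique, or None if it is not of interest."""
    m = IFEO_RE.match(v.key)
    if m and v.name.lower() == "debugger":
        return Finding("T1546.012", v.key, v.name, v.data,
                       f"IFEO Debugger for {m.group('exe')}: {v.data!r} runs in its place")
    m = SHIM_CUSTOM_RE.match(v.key)
    if m:
        return Finding("T1546.011", v.key, v.name, v.data,
                       f"custom shim database {v.name!r} applied to {m.group('exe')}")
    m = SHIM_INSTALLED_RE.match(v.key)
    if m and v.name.lower() == "databasepath":
        return Finding("T1546.011", v.key, v.name, v.data,
                       f"installed shim database {m.group('guid')} at {v.data!r}")
    if RUN_RE.match(v.key):
        # Benign Run values are common; only report the rundll32 + user-path pattern.
        if "rundll32" in v.data.lower() and USER_WRITABLE_RE.search(v.data):
            return Finding("T1547.001", v.key, v.name, v.data,
                           "Run value loads a DLL from a user-writable path via rundll32")
    return None


def triage(values: Iterable[RegValue]) -> list[Finding]:
    return [f for f in (classify(v) for v in values) if f is not None]


# Constructed sample: two true positives per persistence family plus benign neighbours.
SAMPLE = [
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe",
             "Debugger", r"C:\ProgramData\svc\loader.exe"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
             "GlobalFlag", "0x00000002"),   # gflags setting, not a Debugger: ignored
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\services.exe",
             "{0d1e2f3a-1111-2222-3333-444455556666}.sdb", "0x01d9c0ffee"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{0d1e2f3a-1111-2222-3333-444455556666}",
             "DatabasePath", r"C:\Windows\AppPatch\Custom\{0d1e2f3a-1111-2222-3333-444455556666}.sdb"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "upd", r"rundll32.exe C:\Users\bob\AppData\Roaming\upd\upd.dll,Start"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.technique}  {f.key}\\{f.name}\n    {f.reason}")
```

On a live host the same rules apply to the output of `reg query` or a PowerShell `Get-ItemProperty` over these keys; on an offline image, point a hive parser at the SOFTWARE and NTUSER.DAT hives. A custom shim under `Custom\services.exe` is unusual enough to treat as a finding on its own, whereas the Run-key rule needs the path heuristic to keep noise down.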
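The T1027 row says the installer's strings are XORed with a hardcoded 128-byte key. The block below is an added example, written for this page rather than taken from SDBbot or the cited reports, of what such a string table looks like and how an analyst recovers the key from it: because XOR is its own inverse, one known plaintext (an API or file name the sample must reference) yields the key bytes it covers. The key value, the 1-byte length-prefixed framing, and the assumption that the key restarts at offset 0 for each string are all constructed for the example; the real SDBbot key and framing are not on this page.

```python
"""XOR string table with a repeating 128-byte key, plus known-plaintext key recovery.

Key, framing and sample strings are constructed for this example.
"""
import hashlib

KEY_LEN = 128
# Constructed key: 128 deterministic bytes, NOT the real SDBbot key.
KEY = (hashlib.sha512(b"example-key-seed").digest() * 2)[:KEY_LEN]


def xor_with_key(data: bytes, key: bytes = KEY, start: int = 0) -> bytes:
    """XOR data against key starting at key offset `start`, wrapping at len(key)."""
    return bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(data))


def encode_blob(strings: list[str], key: bytes = KEY) -> bytes:
    """Build a string table: 1-byte length, then the XORed bytes (assumed framing)."""
    out = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("string too long for 1-byte length prefix")
        out.append(len(raw))
        out += xor_with_key(raw, key)   # key restarts at 0 for every string (assumption)
    return bytes(out)


def decode_blob(blob: bytes, key: bytes = KEY) -> list[str]:
    """Walk the table and decode each entry; raises on a truncated table."""
    strings, i = [], 0
    while i < len(blob):
        n = blob[i]
        i += 1
        chunk = blob[i:i + n]
        if len(chunk) != n:
            raise ValueError(f"truncated string table at offset {i}")
        strings.append(xor_with_key(chunk, key).decode("ascii", "replace"))
        i += n
    return strings


def recover_key_prefix(encoded: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: enc ^ plain == key for every covered byte.

    With a per-string key restart, a single known string recovers the first
    len(known_plaintext) key bytes; longer known strings (or strings known to
    sit at other key offsets) recover more of the 128 bytes.
    """
    return bytes(e ^ p for e, p in zip(encoded, known_plaintext))


SAMPLE_STRINGS = ["kernel32.dll", "LoadLibraryA", "services.exe"]  # constructed

if __name__ == "__main__":
    blob = encode_blob(SAMPLE_STRINGS)
    print("decoded:", decode_blob(blob))
    # Pretend we only know the first entry must be "kernel32.dll":
    prefix = recover_key_prefix(blob[1:13], b"kernel32.dll")
    print("recovered key prefix matches:", prefix == KEY[:12])
```

The recovery step is the practical point: a 128-byte repeating key is not a secret once a single decoded string is known, so a dumped installer can be de-obfuscated without ever locating the key constant in the binary.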