| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.[2] |
| Enterprise | T1112 | Modify Registry | EVILNUM can make modifications to the Registry for persistence.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | EVILNUM can achieve persistence through the Registry Run key.[1][2] |
| Enterprise | T1070 | Indicator Removal | EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[2] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | |
| Enterprise | T1539 | Steal Web Session Cookie | EVILNUM can harvest cookies and upload them to the C2 server.[2] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | EVILNUM can execute commands and scripts through rundll32.[2] |
| Enterprise | T1082 | System Information Discovery | EVILNUM can obtain the computer name from the victim's system.[2] |
| Enterprise | T1033 | System Owner/User Discovery | EVILNUM can obtain the username from the victim's machine.[2] |
| Enterprise | T1102.003 | Web Service: One-Way Communication | EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | EVILNUM can search for anti-virus products on the system.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | EVILNUM can download and upload files to the victim's computer.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | EVILNUM can upload files over the C2 channel from the infected host.[2] |