BadPatch
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BadPatch uses HTTP for C2.(Citation: Unit 42 BadPatch Oct 2017) |
| .003 | Application Layer Protocol: Mail Protocols |
BadPatch uses SMTP for C2.(Citation: Unit 42 BadPatch Oct 2017) |
||
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.(Citation: Unit 42 BadPatch Oct 2017) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
BadPatch stores collected data in log files before exfiltration.(Citation: Unit 42 BadPatch Oct 2017) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
BadPatch has a keylogging capability.(Citation: Unit 42 BadPatch Oct 2017) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
BadPatch uses WMI to enumerate installed security products in the victim’s environment.(Citation: Unit 42 BadPatch Oct 2017) |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. (Citation: Unit 42 BadPatch Oct 2017) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.