Attor
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Attor has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Attor encrypts collected data with a custom implementation of Blowfish and RSA ciphers.(Citation: ESET Attor Oct 2019)
Enterprise | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | Attor's dispatcher can establish persistence via adding a Registry key with a logon script.
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Attor's dispatcher can establish persistence by registering a new service.(Citation: ESET Attor Oct 2019)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Attor has staged collected data in a central upload directory prior to exfiltration.(Citation: ESET Attor Oct 2019)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Attor's Blowfish key is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.(Citation: ESET Attor Oct 2019)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Attor's plugin deletes the collected files and log files after exfiltration.(Citation: ESET Attor Oct 2019)
Enterprise | T1070.006 | Indicator Removal: Timestomp | Attor has manipulated the time of last access to files and registry keys after they have been created or modified.(Citation: ESET Attor Oct 2019)
Enterprise | T1056.001 | Input Capture: Keylogging | One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.(Citation: ESET Attor Oct 2019)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).(Citation: ESET Attor Oct 2019)
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.(Citation: ESET Attor Oct 2019)
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Attor has used Tor for C2 communication.(Citation: ESET Attor Oct 2019)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon.(Citation: ESET Attor Oct 2019)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Attor's installer plugin can schedule rundll32.exe to load the dispatcher.(Citation: ESET Attor Oct 2019)
Enterprise | T1569.002 | System Services: Service Execution | Attor's dispatcher can be executed as a service.(Citation: ESET Attor Oct 2019)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.(Citation: ESET Attor Oct 2019)