BackConfig
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BackConfig has the ability to use HTTPS for C2 communiations.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
BackConfig can download and run batch files to execute commands on a compromised host.(Citation: Unit 42 BackConfig May 2020) |
.005 | Command and Scripting Interpreter: Visual Basic |
BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.(Citation: Unit 42 BackConfig May 2020) |
||
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
BackConfig has the ability to remove files and folders related to previous infections.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
BackConfig has hidden malicious payloads in |
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
BackConfig has used compressed and decimal encoded VBS scripts.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1137 | .001 | Office Application Startup: Office Template Macros |
BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
BackConfig has compromised victims via links to URLs hosting malicious content.(Citation: Unit 42 BackConfig May 2020) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.