WarzoneRAT

WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

WarzoneRAT can add itself to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK` Registry keys.(Citation: Check Point Warzone Feb 2020)

WarzoneRAT can use PowerShell to download files and execute commands.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

WarzoneRAT can encrypt its C2 with RC4 with the password `warzone160\x00`.(Citation: Check Point Warzone Feb 2020)

WarzoneRAT can perform COM hijacking by setting the path to itself to the `HKCU\Software\Classes\Folder\shell\open\command` key with a `DelegateExecute` parameter.(Citation: Check Point Warzone Feb 2020)

WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.(Citation: Check Point Warzone Feb 2020)

WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

WarzoneRAT has been distributed as a malicious attachment within an email.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)

WarzoneRAT has the ability to control an infected PC using RDP.(Citation: Check Point Warzone Feb 2020)

WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)