BADHATCH
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | BADHATCH can impersonate an `lsass.exe` or `vmtoolsd.exe` token.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | BADHATCH can utilize `powershell.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BADHATCH can use `cmd.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.(Citation: Gigamon BADHATCH Jul 2019)
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | BADHATCH can use WMI event subscriptions for persistence.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1070.004 | Indicator Removal: File Deletion | BADHATCH has the ability to delete PowerShell scripts from a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | BADHATCH has an embedded second-stage DLL payload within the first stage of the malware.(Citation: Gigamon BADHATCH Jul 2019)
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | BADHATCH's malicious PowerShell commands can be encoded with base64.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BADHATCH can be compressed with the aPLib algorithm.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | BADHATCH can use `net.exe group "domain admins" /domain` to identify Domain Administrators.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | BADHATCH has the ability to execute a malicious DLL by injecting into `explorer.exe` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | BADHATCH can inject itself into a new `svchost.exe -k netsvcs` process using the asynchronous procedure call (APC) queue.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BADHATCH can use `schtasks.exe` to gain persistence.(Citation: BitDefender BADHATCH Mar 2021)
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | BADHATCH can perform pass the hash on compromised machines with x64 versions.(Citation: BitDefender BADHATCH Mar 2021)
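As an added example (not code from this page or from the cited BADHATCH reports), the following Python sketches process-creation detection logic for three of the command-line behaviours listed above: the domain-admin enumeration command (T1069.002), base64-encoded PowerShell (T1059.001 / T1027.010), and a freshly spawned `svchost.exe -k netsvcs` under an unexpected parent (T1055.004). The record field names and the sample events are constructed assumptions, not real telemetry.

```python
import base64
import re

# Constructed sample process-creation records (not real telemetry), shaped like a
# simplified Sysmon Event ID 1: image name, parent image name, command line.
# The -enc argument is base64 of UTF-16LE "Get-Process", a harmless stand-in.
SAMPLE_EVENTS = [
    {"image": "net.exe", "parent": "cmd.exe",
     "cmdline": 'net.exe group "domain admins" /domain'},
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="},
    {"image": "svchost.exe", "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": "svchost.exe", "parent": "update.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": "notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

# T1069.002: the domain-admin enumeration command attributed to BADHATCH.
DOMAIN_ADMINS_RE = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain\b', re.I)
# T1059.001 / T1027.010: PowerShell started with an -EncodedCommand style switch.
ENCODED_PS_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# T1055.004: svchost.exe -k netsvcs is normally started by services.exe; a fresh copy
# under any other parent matches the injection target described in the table.
NETSVCS_RE = re.compile(r"\bsvchost(?:\.exe)?\s+-k\s+netsvcs\b", re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 of UTF-16LE text; return '' if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(event: dict) -> list[str]:
    """Return the ATT&CK sub-technique IDs from the table that this event matches."""
    hits = []
    cmd = event["cmdline"]
    if DOMAIN_ADMINS_RE.search(cmd):
        hits.append("T1069.002")
    m = ENCODED_PS_RE.search(cmd)
    if m and "powershell" in event["image"].lower():
        hits.append("T1059.001")
        if decode_encoded_command(m.group(1)):
            hits.append("T1027.010")
    if NETSVCS_RE.search(cmd) and event["parent"].lower() != "services.exe":
        hits.append("T1055.004")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged command line to the sub-technique IDs it matched."""
    return {e["cmdline"]: tags for e in events if (tags := classify(e))}
```

The parent check on `svchost.exe` is the part worth tuning in a real environment, since some legitimate service hosts are re-spawned by non-`services.exe` parents.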