SDBbot, Software S0461 | MITRE ATT&CK® (original) (raw)
Enterprise
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [1][2]
Enterprise
Command and Scripting Interpreter: Windows Command Shell
SDBbot has the ability to use the command shell to execute commands on a compromised host.[1]
Enterprise
SDBbot has the ability to access the file system on a compromised host.[1]
Enterprise
Deobfuscate/Decode Files or Information
SDBbot has the ability to decrypt and decompress its payload to enable code execution.[1][2]
Enterprise
Event Triggered Execution: Application Shimming
SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.[1]
Event Triggered Execution: Image File Execution Options Injection
SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[1]
Enterprise
SDBbot has sent collected data from a compromised host to its C2 servers.[3]
Enterprise
SDBbot has the ability to get directory listings or drive information on a compromised host.[1]
Enterprise
SDBbot has the ability to clean up and remove data structures from a compromised host.[1]
SDBbot has the ability to delete files from a compromised host.[1]
Enterprise
SDBbot has the ability to download a DLL from C2 to a compromised host.[1]
Enterprise
Non-Application Layer Protocol
SDBbot has the ability to communicate with C2 with TCP over port 443.[1]
Enterprise
Obfuscated Files or Information
SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[1]
SDBbot has used a packed installer file.[2]
Enterprise
SDBbot can enumerate a list of running processes on a compromised machine.[3]
Enterprise
Process Injection: Dynamic-link Library Injection
SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[1]
Enterprise
SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[1]
Enterprise
Remote Services: Remote Desktop Protocol
SDBbot has the ability to use RDP to connect to victim's machines.[1]
Enterprise
System Binary Proxy Execution: Rundll32
SDBbot has used rundll32.exe to execute DLLs.[3]
Enterprise
SDBbot has the ability to identify the OS version, OS bit information and computer name.[1][3]
Enterprise
SDBbot can collected the country code of a compromised machine.[3]
Enterprise
System Network Configuration Discovery
SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[1]
Enterprise
SDBbot has the ability to identify the user on a compromised host.[1]
Enterprise
SDBbot has the ability to record video on a compromised host.[1][2]