| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds.[1] |
| Enterprise | T1005 | Data from Local System | Rover searches for files on local drives based on a predefined list of file extensions.[1] |
| Enterprise | T1112 | Modify Registry | Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Rover persists by creating a Registry entry in |
| Enterprise | T1113 | Screen Capture | Rover takes screenshots of the compromised system's desktop and saves them to |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | |
| Enterprise | T1083 | File and Directory Discovery | Rover automatically searches for files on local drives based on a predefined list of file extensions.[1] |
| Enterprise | T1119 | Automated Collection | Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[1] |
| Enterprise | T1020 | Automated Exfiltration | Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |