QUADAGENT
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
QUADAGENT used the PowerShell filenames |
| Enterprise | T1112 | 修改注册表 |
QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.[1] |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.[1] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell | |
| .003 | 命令与脚本解释器: Windows Command Shell |
QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.[1] |
||
| .005 | 命令与脚本解释器: Visual Basic | |||
| Enterprise | T1008 | 回退信道 |
QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| .004 | 应用层协议: DNS | |||
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding | |
| Enterprise | T1012 | 查询注册表 |
QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.[1] |
|
| Enterprise | T1027 | .010 | 混淆文件或信息: Command Obfuscation |
QUADAGENT was likely obfuscated using |
| .011 | 混淆文件或信息: Fileless Storage |
QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as |
||
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
QUADAGENT has a command to delete its Registry key and scheduled task.[1] |
| Enterprise | T1033 | 系统所有者/用户发现 | ||
| Enterprise | T1016 | 系统网络配置发现 |
QUADAGENT gathers the current domain the victim system belongs to.[1] |
|
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.[1] |