| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | Aria-body has the ability to collect data from USB devices.[1] |
| Enterprise | T1090 | Proxy | Aria-body has the ability to use a reverse SOCKS proxy module.[1] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Aria-body has the ability to use a DGA for C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Aria-body has the ability to decrypt the loader configuration and payload DLL.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Aria-body has established persistence via the Startup folder or Run Registry key.[1] |
| Enterprise | T1113 | Screen Capture | Aria-body has the ability to capture screenshots on compromised hosts.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1010 | Application Window Discovery | Aria-body has the ability to identify the titles of running windows on a compromised host.[1] |
| Enterprise | T1560 | Archive Collected Data | Aria-body has used ZIP to compress data gathered on a compromised host.[1] |
| Enterprise | T1083 | File and Directory Discovery | Aria-body has the ability to gather metadata from a file and to search for file and directory names.[1] |
| Enterprise | T1106 | Native API | Aria-body has the ability to launch files using |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Aria-body has used an encrypted configuration file for its loader.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Aria-body has the ability to delete files and directories on compromised hosts.[1] |
| Enterprise | T1082 | System Information Discovery | Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Aria-body has the ability to identify the username on a compromised host.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Aria-body has the ability to gather TCP and UDP table status listings.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host.[1] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Aria-body has the ability to duplicate a token from ntprint.exe.[1] |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | Aria-body has the ability to execute a process using |
| Enterprise | T1105 | Ingress Tool Transfer | Aria-body has the ability to download additional payloads from C2.[1] |
| Enterprise | T1057 | Process Discovery | Aria-body has the ability to enumerate loaded modules for a process.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | |