| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | AppleSeed can find and collect data from removable media devices.[1][2] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | AppleSeed has the ability to create the Registry key name |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AppleSeed has the ability to execute its payload via PowerShell.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | AppleSeed has the ability to use JavaScript to execute PowerShell.[1] |
| Enterprise | T1008 | Fallback Channels | AppleSeed can use a second channel for C2 when the primary channel is in upload mode.[1] |
| Enterprise | T1113 | Screen Capture | AppleSeed can take screenshots on a compromised host by calling a series of APIs.[1][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | AppleSeed has the ability to communicate with C2 over HTTP.[1][2] |
| Enterprise | T1560 | Archive Collected Data | AppleSeed has compressed collected data before exfiltration.[2] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | AppleSeed can zip and encrypt data collected on a target system.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | AppleSeed has divided files if the size is 0x1000000 bytes or more.[2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | AppleSeed can stage files in a central location prior to exfiltration.[1] |
| Enterprise | T1083 | File and Directory Discovery | AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.[1] |
| Enterprise | T1106 | Native API | AppleSeed has the ability to use multiple dynamically resolved API calls.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1204.002 | User Execution: Malicious File | AppleSeed can achieve execution through users running malicious file attachments distributed via email.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | AppleSeed can delete files from a compromised host after they are exfiltrated.[1] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | |
| Enterprise | T1082 | System Information Discovery | AppleSeed can identify the OS version of a targeted system.[1] |
| Enterprise | T1124 | System Time Discovery | AppleSeed can pull a timestamp from the victim's machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1119 | Automated Collection | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.[2] |
| Enterprise | T1134 | Access Token Manipulation | AppleSeed can gain system level privilege by passing |
| Enterprise | T1056.001 | Input Capture: Keylogging | AppleSeed can use |
| Enterprise | T1057 | Process Discovery | AppleSeed can enumerate the current process on a compromised host.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1567 | Exfiltration Over Web Service | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | AppleSeed has been distributed to victims through malicious e-mail attachments.[1] |
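The following is an added example, not code from the ATT&CK page or from any AppleSeed sample. It turns four of the table rows into a small detection pass over Sysmon-style process, registry and image-load records: a script host spawning PowerShell (T1059.007 feeding T1059.001), regsvr32 registering a DLL from a user-writable path (T1218.010), a value written under a Run/RunOnce key (T1547.001), and a file named ESTCommon.dll outside the vendor's directory (T1036.005). The event field names, the sample events, the user-writable-path heuristic, and the assumption that a genuine ESTsoft ESTCommon.dll lives under Program Files are all assumptions made here; the page does not state the Run key path or the regsvr32 command line AppleSeed uses, so those rules are generic rather than AppleSeed-specific.

```python
"""Toy detection pass for several AppleSeed behaviours from the technique table.

Added example; not code from the ATT&CK page or any AppleSeed sample.
Field names, sample events and path heuristics are assumptions made here.
"""
import re
from typing import Dict, List

Event = Dict[str, str]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # hosts that run JavaScript
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Heuristic (assumption): DLLs registered from these locations are suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# A Windows path ending in ESTCommon.dll; quotes terminate the match so
# "C:\Program Files\..." with its space is still captured as one path.
ESTCOMMON_PATH = re.compile(r'[A-Za-z]:\\[^"]*?ESTCommon\.dll', re.IGNORECASE)
PATH_FIELDS = ("image", "command_line", "image_loaded", "target_filename")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: Event) -> List[str]:
    """Return the technique labels a single event matches (empty list if none)."""
    hits: List[str] = []
    kind = event.get("type")

    if kind == "process_create":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        # T1059.007 -> T1059.001: JavaScript host launching PowerShell.
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            hits.append("T1059.001 PowerShell spawned by script host (T1059.007)")
        # T1218.010: regsvr32 given a DLL from a user-writable directory (heuristic).
        if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
            hits.append("T1218.010 regsvr32 loading DLL from user-writable path")

    # T1547.001: any value set under a Run or RunOnce key.
    if kind == "registry_set" and AUTORUN_KEY.search(event.get("target_object", "")):
        hits.append("T1547.001 value written under Run/RunOnce")

    # T1036.005: ESTCommon.dll anywhere except the assumed vendor location.
    for field in PATH_FIELDS:
        for path in ESTCOMMON_PATH.findall(event.get(field, "")):
            if "\\program files" not in path.lower():
                hits.append(f"T1036.005 ESTCommon.dll outside Program Files: {path}")

    return hits


def run(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> technique labels, omitting events with no hits."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry (not real logs): three hits, two benign.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\ESTCommon.dll"},
    {"type": "registry_set",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"},
    {"type": "process_create",   # benign: vendor DLL registered from Program Files
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
    {"type": "image_load",       # benign: assumed legitimate ESTsoft location
     "image": r"C:\Program Files\ESTsoft\Product\product.exe",
     "image_loaded": r"C:\Program Files\ESTsoft\Product\ESTCommon.dll"},
]

if __name__ == "__main__":
    for index, labels in run(SAMPLE_EVENTS).items():
        print(index, labels)
```

The regsvr32 rule is deliberately narrow: regsvr32 itself is legitimate and noisy, so the path heuristic rather than the binary name carries the signal. Pairing the regsvr32 hit with the ESTCommon.dll masquerade hit on the same event is the kind of correlation a detection engineer would escalate on, where either alone might be tuned out.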