EnvyScout
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
EnvyScout can collect sensitive NTLM material from a compromised host.[1] |
|
| Enterprise | T1036 | 伪装 |
EnvyScout has used folder icons for malicious files to lure victims into opening them.[1] |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
EnvyScout can deobfuscate and write malicious ISO files to disk.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
EnvyScout can use cmd.exe to execute malicious files on compromised hosts.[1] |
| .007 | 命令与脚本解释器: JavaScript |
EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.[1] |
||
| Enterprise | T1187 | 强制身份验证 |
EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.[1] |
|
| Enterprise | T1480 | 执行保护 |
EnvyScout can call |
|
| Enterprise | T1027 | .006 | 混淆文件或信息: HTML Smuggling |
EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.[1] |
| .013 | 混淆文件或信息: Encrypted/Encoded File | |||
| Enterprise | T1204 | .002 | 用户执行: Malicious File |
EnvyScout has been executed through malicious files attached to e-mails.[1] |
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
EnvyScout has the ability to proxy execution of malicious files with Rundll32.[1] |
| Enterprise | T1082 | 系统信息发现 |
EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.[1] |
|
| Enterprise | T1566 | .001 | 钓鱼: Spearphishing Attachment |
EnvyScout has been distributed via spearphishing as an email attachment.[1] |
| Enterprise | T1564 | .001 | 隐藏伪装: Hidden Files and Directories |
EnvyScout can use hidden directories and files to hide malicious executables.[1] |