| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1620 | Reflective Code Loading | Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | Donut can generate shellcode outputs that execute via Ruby.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Donut can generate shellcode outputs that execute via PowerShell.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Donut can generate shellcode outputs that execute via VBScript.[1] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Donut can generate shellcode outputs that execute via Python.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Donut can generate shellcode outputs that execute via JavaScript or JScript.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Donut can use HTTP to download previously staged shellcode payloads.[1] |
| Enterprise | T1106 | Native API | Donut code modules use various API functions to load and inject code.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1070 | Indicator Removal | Donut can erase file references to payloads in-memory after being reflectively loaded and executed.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Donut can download and execute previously staged shellcode payloads.[1] |
| Enterprise | T1057 | Process Discovery | Donut includes subprojects that enumerate and identify information about Process Injection candidates.[1] |
| Enterprise | T1055 | Process Injection | Donut includes a subproject |

| ID | Name | References |
|---|---|---|
| G0119 | Indrik Spider | |