| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine.[1][2] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | BADHATCH can use WMI event subscriptions for persistence.[2] |
| Enterprise | T1090 | Proxy | BADHATCH can use SOCKS4 and SOCKS5 proxies to connect to actor-controlled C2 servers. BADHATCH can also emulate a reverse proxy on a compromised machine to connect with actor-controlled C2 servers.[2] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | BADHATCH can perform pass the hash on compromised machines with x64 versions.[2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | BADHATCH can beacon to a hardcoded C2 IP address using TLS encryption every 5 minutes.[1] |
| Enterprise | T1620 | Reflective Code Loading | BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | BADHATCH can utilize |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BADHATCH can use |
| Enterprise | T1482 | Domain Trust Discovery | BADHATCH can use |
| Enterprise | T1113 | Screen Capture | BADHATCH can take screenshots and send them to an actor-controlled C2 server.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.[1][2] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers.[2] |
| Enterprise | T1106 | Native API | BADHATCH can utilize Native API functions such as, |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | BADHATCH can use |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | BADHATCH has an embedded second stage DLL payload within the first stage of the malware.[1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | BADHATCH malicious PowerShell commands can be encoded with base64.[2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | BADHATCH can utilize the CMSTPLUA COM interface and the SilentCleanup task to bypass UAC.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | BADHATCH has the ability to delete PowerShell scripts from a compromised machine.[1] |
| Enterprise | T1082 | System Information Discovery | BADHATCH can obtain current system information from a compromised machine such as the |
| Enterprise | T1033 | System Owner/User Discovery | BADHATCH can obtain logged user information from a compromised machine and can execute the command |
| Enterprise | T1124 | System Time Discovery | BADHATCH can obtain the |
| Enterprise | T1049 | System Network Connections Discovery | BADHATCH can execute |
| Enterprise | T1135 | Network Share Discovery | BADHATCH can check a user's access to the C$ share on a compromised machine.[2] |
| Enterprise | T1102 | Web Service | BADHATCH can be utilized to abuse |
| Enterprise | T1046 | Network Service Discovery | BADHATCH can check for open ports on a computer by establishing a TCP connection.[2] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | BADHATCH can impersonate a |
| Enterprise | T1105 | Ingress Tool Transfer | BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.[1] |
| Enterprise | T1057 | Process Discovery | BADHATCH can retrieve a list of running processes from a compromised machine.[2] |
| Enterprise | T1055 | Process Injection | BADHATCH can inject itself into an existing explorer.exe process by using |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | BADHATCH has the ability to execute a malicious DLL by injecting into |
| Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | BADHATCH can inject itself into a new |
| Enterprise | T1018 | Remote System Discovery | BADHATCH can use a PowerShell object such as, |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |