Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Taidoor has modified the |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1005 | Data from Local System |
Taidoor can upload data and files from a victim's machine.[2] |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Taidoor can use a stream cipher to decrypt stings used by the malware.[1] |
|
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Taidoor uses RC4 to encrypt the message body of HTTP content.[2][1] |
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Taidoor can use |
Enterprise | T1105 | Ingress Tool Transfer |
Taidoor has downloaded additional files onto a compromised host.[2] |
|
Enterprise | T1112 | Modify Registry |
Taidoor has the ability to modify the Registry on compromised hosts using |
|
Enterprise | T1106 | Native API |
Taidoor has the ability to use native APIs for execution including |
|
Enterprise | T1095 | Non-Application Layer Protocol | ||
Enterprise | T1027 | Obfuscated Files or Information | ||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment | |
Enterprise | T1057 | Process Discovery |
Taidoor can use |
|
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection | |
Enterprise | T1012 | Query Registry |
Taidoor can query the Registry on compromised hosts using |
|
Enterprise | T1016 | System Network Configuration Discovery |
Taidoor has collected the MAC address of a compromised host; it can also use |
|
Enterprise | T1124 | System Time Discovery |
Taidoor can use |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
Taidoor has relied upon a victim to click on a malicious email attachment.[2] |