Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
gh0st RAT has added a Registry Run key to establish persistence.[3][4] |
Enterprise | T1059 | Command and Scripting Interpreter |
gh0st RAT is able to open a remote shell to execute commands.[1][3] |
|
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
gh0st RAT can create a new service to establish persistence.[3][4] |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
gh0st RAT has used Zlib to compress C2 communications data before encrypting it.[4] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.[4] |
|
Enterprise | T1568 | .001 | Dynamic Resolution: Fast Flux DNS |
gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.[4] |
Enterprise | T1573 | Encrypted Channel |
gh0st RAT has encrypted TCP communications to evade detection.[4] |
|
.001 | Symmetric Cryptography | |||
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading | |
Enterprise | T1070 | .001 | Indicator Removal on Host: Clear Windows Event Logs | |
.004 | Indicator Removal on Host: File Deletion | |||
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1112 | Modify Registry | ||
Enterprise | T1106 | Native API |
gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.[4] |
|
Enterprise | T1095 | Non-Application Layer Protocol |
gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.[4] |
|
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1055 | Process Injection |
gh0st RAT can inject malicious code into process created by the "Command_Create&Inject" function.[4] |
|
Enterprise | T1012 | Query Registry |
gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[4] |
|
Enterprise | T1113 | Screen Capture | ||
Enterprise | T1129 | Shared Modules | ||
Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 | |
Enterprise | T1082 | System Information Discovery |
gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.[4] |
|
Enterprise | T1569 | .002 | System Services: Service Execution |
gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.[4] |
ID | Name | References |
---|---|---|
G0062 | TA459 | |
G0026 | APT18 | |
G0011 | PittyTiger | |
G0096 | APT41 | |
G0027 | Threat Group-3390 | |
G0126 | Higaisa | |
G0065 | Leviathan | |
G0138 | Andariel |