Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.[1] |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Carbon creates a base directory that contains the files and folders that are collected.[1] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Carbon decrypts task and configuration files for execution.[1][3] |
|
Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography | |
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | |
Enterprise | T1095 | Non-Application Layer Protocol | ||
Enterprise | T1027 | Obfuscated Files or Information |
Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[1][3] |
|
Enterprise | T1069 | Permission Groups Discovery | ||
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection | |
Enterprise | T1012 | Query Registry | ||
Enterprise | T1018 | Remote System Discovery | ||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Carbon creates several tasks for later execution to continue persistence on the victim’s machine.[1] |
Enterprise | T1016 | System Network Configuration Discovery |
Carbon can collect the IP address of the victims and other computers on the network using the commands: |
|
Enterprise | T1049 | System Network Connections Discovery | ||
Enterprise | T1124 | System Time Discovery |
Carbon uses the command |
|
Enterprise | T1102 | Web Service |
ID | Name | References |
---|---|---|
G0010 | Turla |