SDBbot
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [1][2] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
SDBbot has the ability to use the command shell to execute commands on a compromised host.[1] |
| Enterprise | T1005 | Data from Local System |
SDBbot has the ability to access the file system on a compromised host.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
SDBbot has the ability to decrypt and decompress its payload to enable code execution.[1][2] |
|
| Enterprise | T1546 | .011 | Event Triggered Execution: Application Shimming |
SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.[1] |
| .012 | Event Triggered Execution: Image File Execution Options Injection |
SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[1] |
||
| Enterprise | T1083 | File and Directory Discovery |
SDBbot has the ability to get directory listings or drive information on a compromised host.[1] |
|
| Enterprise | T1070 | Indicator Removal on Host |
SDBbot has the ability to clean up and remove data structures from a compromised host.[1] |
|
| .004 | File Deletion |
SDBbot has the ability to delete files from a compromised host.[1] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
SDBbot has the ability to download a DLL from C2 to a compromised host.[1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
SDBbot has the ability to communicate with C2 with TCP over port 443.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[1] |
|
| .002 | Software Packing | |||
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[1] |
| Enterprise | T1090 | Proxy |
SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.[1] |
|
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
SDBbot has the ability to use RDP to connect to victim's machines.[1] |
| Enterprise | T1082 | System Information Discovery |
SDBbot has the ability to identify the OS version, country code, and computer name.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery |
SDBbot has the ability to identify the user on a compromised host.[1] |
|
| Enterprise | T1125 | Video Capture |
SDBbot has the ability to record video on a compromised host.[1][2] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0092 | TA505 |