Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1560 | Archive Collected Data |
Kessel can RC4-encrypt credentials before sending to the C2.[1] |
|
Enterprise | T1059 | Command and Scripting Interpreter |
Kessel can create a reverse shell between the infected host and a specified system.[1] |
|
Enterprise | T1554 | Compromise Client Software Binary |
Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[1] |
|
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.[1] |
Enterprise | T1030 | Data Transfer Size Limits |
Kessel can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.[1] |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Kessel has decrypted the binary's configuration once the |
|
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
Kessel can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS.[1] |
Enterprise | T1041 | Exfiltration Over C2 Channel |
Kessel has exfiltrated information gathered from the infected system to the C2 server.[1] |
|
Enterprise | T1105 | Ingress Tool Transfer |
Kessel can download additional modules from the C2 server.[1] |
|
Enterprise | T1556 | Modify Authentication Process |
Kessel has trojanized the |
|
Enterprise | T1027 | Obfuscated Files or Information |
Kessel's configuration is hardcoded and RC4 encrypted within the binary.[1] |
|
Enterprise | T1090 | Proxy |
Kessel can use a proxy during exfiltration if set in the configuration.[1] |
|
Enterprise | T1082 | System Information Discovery |
Kessel has collected the system architecture, OS version, and MAC address information.[1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Kessel has collected the DNS address of the infected host.[1] |