Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
SMOKEDHAM has used |
Enterprise | T1098 | Account Manipulation |
SMOKEDHAM has added created user accounts to local Admin groups.[2] |
|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.[2] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
SMOKEDHAM can execute Powershell commands sent from its C2 server.[2] |
Enterprise | T1136 | .001 | Create Account: Local Account |
SMOKEDHAM has created user accounts and added them to local Admin groups.[2] |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1041 | Exfiltration Over C2 Channel | ||
Enterprise | T1564 | .002 | Hide Artifacts: Hidden Users |
SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. [2] |
Enterprise | T1105 | Ingress Tool Transfer |
SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.[2] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1112 | Modify Registry |
SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.[2] |
|
Enterprise | T1027 | Obfuscated Files or Information |
The SMOKEDHAM source code is embedded in the dropper as an encrypted string.[2] |
|
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
SMOKEDHAM has been delivered via malicious links in phishing emails.[1] |
Enterprise | T1090 | .004 | Proxy: Domain Fronting |
SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.[2] |
Enterprise | T1113 | Screen Capture |
SMOKEDHAM can capture screenshots of the victim’s desktop.[1][2] |
|
Enterprise | T1082 | System Information Discovery |
SMOKEDHAM has used the |
|
Enterprise | T1033 | System Owner/User Discovery |
SMOKEDHAM has used |
|
Enterprise | T1204 | .001 | User Execution: Malicious Link |
SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.[1] |
Enterprise | T1102 | Web Service |
SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.[1] |