Domain | ID | Name | Use
---|---|---|---
Enterprise | T1197 | BITS Jobs | ProLock can use BITS jobs to download its malicious payload.[1]
Enterprise | T1486 | Data Encrypted for Impact | ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.[1]
Enterprise | T1068 | Exploitation for Privilege Escalation | ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | ProLock can remove files containing its payload after they are executed.[1]
Enterprise | T1490 | Inhibit System Recovery | ProLock can use vssadmin.exe to remove volume shadow copies.[1]
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | ProLock can use .jpg and .bmp files to store its payload.[1]
Enterprise | T1047 | Windows Management Instrumentation | ProLock can use WMIC to execute scripts on targeted hosts.[1]