|Enterprise||T1087||Account Discovery||OilRig has run |
net user /domain,
net group “domain admins” /domain, and
net group “Exchange Trusted Subsystem” /domain to get account listings on a victim.
|Enterprise||T1119||Automated Collection||OilRig has used automated collection.|
|Enterprise||T1110||Brute Force||OilRig has used brute force techniques to obtain credentials.|
|Enterprise||T1059||Command-Line Interface||OilRig has used the command-line interface for execution.|
|Enterprise||T1223||Compiled HTML File||OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.|
|Enterprise||T1003||Credential Dumping||OilRig has used credential dumping tools such as Mimikatz and Lazagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.|
|Enterprise||T1094||Custom Command and Control Protocol||OilRig has used custom DNS Tunneling protocols for C2.|
|Enterprise||T1140||Deobfuscate/Decode Files or Information||A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.|
|Enterprise||T1048||Exfiltration Over Alternative Protocol||OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.|
|Enterprise||T1133||External Remote Services||OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.|
|Enterprise||T1008||Fallback Channels||OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.|
|Enterprise||T1107||File Deletion||OilRig has deleted files associated with their payload after execution.|
|Enterprise||T1066||Indicator Removal from Tools||OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.|
|Enterprise||T1056||Input Capture||OilRig has used a keylogging tool called KEYPUNCH.|
|Enterprise||T1046||Network Service Scanning||OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.|
|Enterprise||T1027||Obfuscated Files or Information||OilRig has encrypted and encoded data in its malware, including by using base64.|
|Enterprise||T1201||Password Policy Discovery||OilRig has used net.exe in a script with |
net accounts /domain to find the password policy of a domain.
|Enterprise||T1069||Permission Groups Discovery||OilRig has used |
net group /domain,
net localgroup administrators,
net group “domain admins” /domain, and
net group “Exchange Trusted Subsystem” /domain to find group permission settings on a victim.
|Enterprise||T1086||PowerShell||OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.|
|Enterprise||T1057||Process Discovery||OilRig has run |
tasklist on a victim's machine.
|Enterprise||T1012||Query Registry||OilRig has used |
reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” on a victim to query the Registry.
|Enterprise||T1108||Redundant Access||OilRig has used RGDoor via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access.|
|Enterprise||T1076||Remote Desktop Protocol||OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.|
|Enterprise||T1105||Remote File Copy||OilRig can download remote files onto victims.|
|Enterprise||T1021||Remote Services||OilRig has used Putty to access compromised systems.|
|Enterprise||T1053||Scheduled Task||OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.|
|Enterprise||T1113||Screen Capture||OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.|
|Enterprise||T1064||Scripting||OilRig has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as QUADAGENT and OopsIE.|
|Enterprise||T1193||Spearphishing Attachment||OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.|
|Enterprise||T1192||Spearphishing Link||OilRig has sent spearphising emails with malicious links to potential victims.|
|Enterprise||T1071||Standard Application Layer Protocol||OilRig has used HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers.|
|Enterprise||T1032||Standard Cryptographic Protocol||OilRig used the Plink utility and other tools to create tunnels to C2 servers.|
|Enterprise||T1082||System Information Discovery||OilRig has run |
systeminfo on a victim.
|Enterprise||T1016||System Network Configuration Discovery||OilRig has run |
ipconfig /all on a victim.
|Enterprise||T1049||System Network Connections Discovery||OilRig has used |
netstat -an on a victim to get a listing of network connections.
|Enterprise||T1033||System Owner/User Discovery||OilRig has run |
whoami on a victim.
|Enterprise||T1007||System Service Discovery||OilRig has used |
sc query on a victim to gather information about services.
|Enterprise||T1204||User Execution||OilRig has delivered malicious links and macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.|
|Enterprise||T1078||Valid Accounts||OilRig has used compromised credentials to access other systems on a victim network.|
|Enterprise||T1100||Web Shell||OilRig has used Web shells, often to maintain access to a victim network.|
|Enterprise||T1047||Windows Management Instrumentation||OilRig has used WMI for execution.|