| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Sowbug extracted documents and bundled them into a RAR archive. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1039 | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network. |
| Enterprise | T1083 | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing `*.doc` and `*.docx`. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory |
| Enterprise | T1135 | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim. |
| Enterprise | T1003 | OS Credential Dumping | |
| Enterprise | T1082 | System Information Discovery | Sowbug obtained OS version and hardware configuration from a victim. |
| ID | Name | Techniques |
|---|---|---|
| S0171 | Felismus | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery |
| S0188 | Starloader | Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Name or Location |