| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Inception has used HTTP, HTTPS, and WebDav in network communications. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Inception has maintained persistence by modifying Registry run key value |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Inception has used PowerShell to execute malicious commands and payloads. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Inception has used VBScript to execute malicious commands and payloads. |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex. |
| Enterprise | T1005 | Data from Local System | Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host. |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1203 | Exploitation for Client Execution | Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution. |
| Enterprise | T1083 | File and Directory Discovery | Inception used a file listing plugin to collect information about files and directories on both local and remote drives. |
| Enterprise | T1027 | Obfuscated Files or Information | Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption. |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Inception has obtained and used open-source tools such as LaZagne. |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Inception has used specific malware modules to gather domain membership. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise. |
| | | | Inception has used a reconnaissance module to identify active processes and other associated loaded modules. |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers. |
| | | | Inception has enumerated installed software on compromised systems. |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Inception has used malicious HTA files to drop and execute malware. |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Inception has ensured persistence at system boot by setting the value |
| Enterprise | T1082 | System Information Discovery | Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host. |
| | | | Inception has used decoy documents to load malicious remote payloads via HTTP. |
| Enterprise | T1204.002 | User Execution: Malicious File | Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware. |
| | | | Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe. |
| ID | Name | Techniques |
|---|---|---|
| S0349 | LaZagne | Credentials from Password Stores: Keychain, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSA Secrets, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: Cached Domain Credentials, Unsecured Credentials: Credentials In Files |
| S0441 | PowerShower | Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Window, Indicator Removal: File Deletion, Modify Registry, Process Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery |
| S0442 | VBShower | Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Indicator Removal: File Deletion, Ingress Tool Transfer |