Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Ixeshe can achieve persistence by adding itself to the |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.[1][2] |
Enterprise | T1005 | Data from Local System | ||
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Ixeshe sets its own executable file's attributes to hidden.[2] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[2] |
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1082 | System Information Discovery |
Ixeshe collects the computer name of the victim's system during the initial infection.[2] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.[2] |
|
Enterprise | T1033 | System Owner/User Discovery | ||
Enterprise | T1007 | System Service Discovery |