Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | Application Layer Protocol |
Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519. |
|
.001 | Web Protocols |
NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2.[1] |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
NETEAGLE allows adversaries to execute shell commands on the infected host.[1] |
Enterprise | T1568 | Dynamic Resolution |
NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.[1] |
|
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."[1] |
Enterprise | T1041 | Exfiltration Over C2 Channel |
NETEAGLE is capable of reading files over the C2 channel.[1] |
|
Enterprise | T1008 | Fallback Channels |
NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[1] |
|
Enterprise | T1095 | Non-Application Layer Protocol |
If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.[1] |
|
Enterprise | T1057 | Process Discovery |