SHOTPUT
ID: S0063
Aliases: SHOTPUT, Backdoor.APT.CookieCutter, Pirpi
Type: MALWARE
Platforms: Windows
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
Backdoor.APT.CookieCutter | [3] |
Pirpi | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1087 | Account Discovery | SHOTPUT has a command to retrieve information about connected users.[2] |
Enterprise | T1083 | File and Directory Discovery | SHOTPUT has a command to obtain a directory listing.[2] |
Enterprise | T1027 | Obfuscated Files or Information | SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[1][2] |
Enterprise | T1057 | Process Discovery | SHOTPUT has a command to obtain a process listing.[2] |
Enterprise | T1018 | Remote System Discovery | SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.[2] |
Enterprise | T1049 | System Network Connections Discovery | SHOTPUT uses netstat to list TCP connection status.[2] |
Groups
Groups that use this software:
APT3