| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ComRAT has used unique per-machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system. |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location |
| Enterprise | T1564.005 | Hide Artifacts: Hidden File System | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | |
| Enterprise | T1027 | Obfuscated Files or Information | ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also embedded an XOR-encrypted communications module inside the orchestrator module. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts. |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious, as all network connections will be initiated by the browser process. |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | |