Contributors: Christiaan Beek, @ChristiaanBeek; Ryan Becwar
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | TURNEDUP is capable of creating a reverse shell. |
| Enterprise | T1055 | Process Injection | TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection." |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | TURNEDUP is capable of writing to a Registry Run key to establish persistence. |
| Enterprise | T1105 | Remote File Copy | TURNEDUP is capable of downloading additional files. |
| Enterprise | T1113 | Screen Capture | TURNEDUP is capable of taking screenshots. |
| Enterprise | T1082 | System Information Discovery | TURNEDUP is capable of gathering system information. |
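Two of the behaviours above leave telemetry a defender can correlate: a Rundll32 process created as a decoy host for Early Bird APC injection, and a write to a Registry Run key. The following is an added detection example, not code from the ATT&CK page or from any published TURNEDUP analysis. It runs over constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set); the field names, the "rundll32.exe launched with no DLL argument" heuristic and the sample paths are assumptions made for the example.

```python
"""Hypothetical detection for two TURNEDUP behaviours listed in the table:
T1055 (Early Bird APC injection into a freshly created rundll32.exe) and
T1060 (Registry Run key persistence). Records imitate Sysmon Event ID 1
(process create) and Event ID 13 (registry value set); field names and the
heuristics are assumptions, not MITRE or vendor logic."""

from dataclasses import dataclass
from typing import Dict, List

# Case-insensitive substrings identifying Run / RunOnce keys under HKLM or HKU.
RUN_KEY_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set (Sysmon numbering)
    image: str               # image path of the process that generated the event
    command_line: str = ""   # event 1 only
    parent_image: str = ""   # event 1 only
    target_object: str = ""  # event 13 only: full registry path written


def is_suspicious_rundll32(ev: Event) -> bool:
    """Heuristic: rundll32.exe started without a 'DLL,Export' argument has no
    legitimate work to do; a suspended instance like this is the usual target
    of Early Bird injection (process created suspended, APC queued, resumed)."""
    if ev.event_id != 1 or not ev.image.lower().endswith(r"\rundll32.exe"):
        return False
    tokens = ev.command_line.strip().split(maxsplit=1)
    return len(tokens) < 2  # only the executable itself, no DLL argument


def is_run_key_write(ev: Event) -> bool:
    """True for a value set under a Run or RunOnce key (T1060)."""
    if ev.event_id != 13:
        return False
    target = ev.target_object.lower()
    return any(marker in target for marker in RUN_KEY_MARKERS)


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return findings keyed by ATT&CK technique ID. For T1055 the parent
    (the injector) is reported, since rundll32.exe itself is a legitimate binary;
    for T1060 the process that wrote the key is reported."""
    findings: Dict[str, List[str]] = {"T1055": [], "T1060": []}
    for ev in events:
        if is_suspicious_rundll32(ev):
            findings["T1055"].append(ev.parent_image)
        if is_run_key_write(ev):
            findings["T1060"].append(ev.image)
    return findings


# Constructed sample telemetry; paths and key names are invented for the example.
SAMPLE_EVENTS = [
    # Decoy rundll32 with no arguments, spawned from a temp-directory binary.
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe"',
          r"C:\Users\u\AppData\Local\Temp\update.exe"),
    # Benign rundll32 use: Control Panel applet launched by Explorer.
    Event(1, r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe shell32.dll,Control_RunDLL",
          r"C:\Windows\explorer.exe"),
    # Same temp-directory binary adds itself to HKCU Run.
    Event(13, r"C:\Users\u\AppData\Local\Temp\update.exe",
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # Unrelated service configuration write; must not be flagged.
    Event(13, r"C:\Windows\System32\svchost.exe",
          target_object=r"HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start"),
]

if __name__ == "__main__":
    for technique, hits in detect(SAMPLE_EVENTS).items():
        print(technique, hits)
```

Both findings point at the same temp-directory binary, which is the correlation an analyst would pivot on: the injector that spawned the argument-less rundll32.exe is also the process that wrote the Run key. The no-argument heuristic alone will produce false positives in environments with unusual installers, so in practice it is combined with the parent image path and the registry write rather than alerted on by itself.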
Groups that use this software: APT33
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.