Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1123 | Audio Capture |
DarkComet can listen in to victims' conversations through the system’s microphone.[1][2] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
DarkComet adds several Registry entries to enable automatic execution at every system startup.[1][2] |
Enterprise | T1115 | Clipboard Data | ||
Enterprise | T1059 | Command and Scripting Interpreter |
DarkComet can execute various types of scripts on the victim’s machine.[2] |
|
.003 | Windows Command Shell |
DarkComet can launch a remote shell to execute commands on the victim’s machine.[2] |
||
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
DarkComet can disable Security Center functions like anti-virus.[1][2] |
.004 | Impair Defenses: Disable or Modify System Firewall |
DarkComet can disable Security Center functions like the Windows Firewall.[1][2] |
||
Enterprise | T1105 | Ingress Tool Transfer |
DarkComet can load any files onto the infected machine to execute.[1][2] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[1] |
Enterprise | T1112 | Modify Registry |
DarkComet adds a Registry value for its installation routine to the Registry Key |
|
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
DarkComet has the option to compress its payload using UPX or MPRESS.[2] |
Enterprise | T1057 | Process Discovery |
DarkComet can list active processes running on the victim’s machine.[2] |
|
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard.[2] |
Enterprise | T1082 | System Information Discovery |
DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.[1][2] |
|
Enterprise | T1033 | System Owner/User Discovery |
DarkComet gathers the username from the victim’s machine.[1] |
|
Enterprise | T1125 | Video Capture |
DarkComet can access the victim’s webcam to take pictures.[1][2] |
ID | Name | References |
---|---|---|
G0134 | Transparent Tribe | |
G0083 | SilverTerrier | |
G0082 | APT38 |