Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1123 | Audio Capture | ||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[2] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
NanoCore can open a remote command-line interface and execute commands.[3] NanoCore uses JavaScript files.[2] |
.005 | Command and Scripting Interpreter: Visual Basic | |||
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools | |
.004 | Impair Defenses: Disable or Modify System Firewall | |||
Enterprise | T1105 | Ingress Tool Transfer |
NanoCore has the capability to download and activate additional modules for execution.[1][3] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1112 | Modify Registry | ||
Enterprise | T1027 | Obfuscated Files or Information |
NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[3] |
|
Enterprise | T1016 | System Network Configuration Discovery |
NanoCore gathers the IP address from the victim’s machine.[1] |
|
Enterprise | T1125 | Video Capture |
NanoCore can access the victim's webcam and capture data.[1][3] |