Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
SoreFang can collect usernames from the local system via |
.002 | Account Discovery: Domain Account |
SoreFang can enumerate domain accounts via |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
SoreFang can decode and decrypt exfiltrated data sent to C2.[2] |
|
Enterprise | T1190 | Exploit Public-Facing Application |
SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.[2] |
|
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1027 | Obfuscated Files or Information |
SoreFang has the ability to encode and RC6 encrypt data sent to C2.[2] |
|
Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
SoreFang can enumerate domain groups by executing |
Enterprise | T1057 | Process Discovery |
SoreFang can enumerate processes on a victim machine through use of Tasklist.[2] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
SoreFang can gain persistence through use of scheduled tasks.[2] |
Enterprise | T1082 | System Information Discovery |
SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.[2] |
|
Enterprise | T1016 | System Network Configuration Discovery |
SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via |