Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
LookBack’s C2 proxy tool sends data to a C2 server over HTTP.[1] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
LookBack sets up a Registry Run key to establish a persistence mechanism.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
.005 | Command and Scripting Interpreter: Visual Basic |
LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[1] |
||
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ||
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
LookBack uses a modified version of RC4 for data transfer.[1] |
Enterprise | T1083 | File and Directory Discovery |
LookBack can retrieve file listings from the victim machine.[1] |
|
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
LookBack side loads its communications module as a DLL into the |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
LookBack removes itself after execution and can delete files on the system.[1] |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
LookBack has a C2 proxy tool that masquerades as |
Enterprise | T1095 | Non-Application Layer Protocol |
LookBack uses a custom binary protocol over sockets for C2 communications.[1] |
|
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1113 | Screen Capture | ||
Enterprise | T1489 | Service Stop | ||
Enterprise | T1007 | System Service Discovery | ||
Enterprise | T1529 | System Shutdown/Reboot |