SideTwist
ID: S0610
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.0
Created: 06 May 2021
Last Modified: 13 October 2021
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SideTwist has used HTTP GET and POST requests over port 443 for C2.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
SideTwist can execute shell commands on a compromised host.[1] |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
| Enterprise | T1005 | Data from Local System |
SideTwist has the ability to upload files from a compromised host.[1] |
|
| Enterprise | T1001 | Data Obfuscation |
SideTwist can embed C2 responses in the source code of a fake Flickr webpage.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
SideTwist can decode and decrypt messages received from C2.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
SideTwist can encrypt C2 communications with a randomly generated key.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ||
| Enterprise | T1008 | Fallback Channels |
SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback.[1] |
|
| Enterprise | T1083 | File and Directory Discovery | ||
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1106 | Native API |
SideTwist can use |
|
| Enterprise | T1082 | System Information Discovery |
SideTwist can collect the computer name of a targeted system.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
SideTwist has the ability to collect the domain name on a compromised host.[1] |
|
| Enterprise | T1033 | System Owner/User Discovery | ||