Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.[1] |
.003 | Account Discovery: Email Account |
BoomBox can execute an LDAP query to discover e-mail accounts for domain users.[1] |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
BoomBox can establish persistence by writing the Registry value |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
BoomBox can decrypt AES-encrypted files downloaded from C2.[1] |
|
Enterprise | T1480 | Execution Guardrails |
BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found.[1] |
|
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
BoomBox can upload data to dedicated per-victim folders in Dropbox.[1] |
Enterprise | T1083 | File and Directory Discovery |
BoomBox can search for specific files and directories on a machine.[1] |
|
Enterprise | T1105 | Ingress Tool Transfer |
BoomBox has the ability to download next stage malware components to a compromised system.[1] |
|
Enterprise | T1036 | Masquerading |
BoomBox has the ability to mask malicious data strings as PDF files.[1] |
|
Enterprise | T1027 | Obfuscated Files or Information |
BoomBox can encrypt data using AES prior to exfiltration.[1] |
|
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 | |
Enterprise | T1082 | System Information Discovery |
BoomBox can enumerate the hostname, domain, and IP of a compromised host.[1] |
|
Enterprise | T1033 | System Owner/User Discovery |
BoomBox can enumerate the username on a compromised host.[1] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
BoomBox has gained execution through user interaction with a malicious file.[1] |
Enterprise | T1102 | Web Service |
BoomBox can download files from Dropbox using a hardcoded access token.[1] |