| Domain | ID | | Name | Use |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | Sardonic has the ability to execute PowerShell commands on a compromised machine.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | Sardonic has the ability to run |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | Sardonic can encode client ID data in 32 uppercase hex characters and transfer to the actor-controlled C2 server.[1] |
| Enterprise | T1005 | | Data from Local System | Sardonic has the ability to collect data from a compromised machine to deliver to the attacker.[2] |
| Enterprise | T1140 | | Deobfuscate/Decode Files or Information | Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing.[2] |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography | Sardonic has the ability to send a random 64-byte RC4 key to communicate with actor-controlled C2 servers by using an RSA public key.[1] |
| Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Sardonic can use a WMI event filter to invoke a command-line event consumer to gain persistence.[1] |
| Enterprise | T1070 | | Indicator Removal | Sardonic has the ability to delete created WMI objects to evade detections.[1] |
| Enterprise | T1105 | | Ingress Tool Transfer | Sardonic has the ability to upload additional malicious files to a compromised machine.[1] |
| Enterprise | T1106 | | Native API | Sardonic has the ability to call Win32 API functions to determine if |
| Enterprise | T1135 | | Network Share Discovery | Sardonic has the ability to execute the |
| Enterprise | T1095 | | Non-Application Layer Protocol | Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol.[1] |
| Enterprise | T1571 | | Non-Standard Port | Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.[1] |
| Enterprise | T1027 | | Obfuscated Files or Information | Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.[2] |
| Enterprise | T1027 | .010 | Command Obfuscation | Sardonic PowerShell scripts can be encrypted with RC4 and compressed using Gzip.[1] |
| Enterprise | T1057 | | Process Discovery | Sardonic has the ability to execute the |
| Enterprise | T1055 | .004 | Process Injection: Asynchronous Procedure Call | Sardonic can use the |
| Enterprise | T1620 | | Reflective Code Loading | Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions.[1][2] |
| Enterprise | T1082 | | System Information Discovery | Sardonic has the ability to collect the computer name, CPU manufacturer name, and C:\ drive serial number from a compromised machine. Sardonic also has the ability to execute the |
| Enterprise | T1016 | | System Network Configuration Discovery | Sardonic has the ability to execute the |
| Enterprise | T1049 | | System Network Connections Discovery | |
| Enterprise | T1007 | | System Service Discovery | Sardonic has the ability to execute the |
| Enterprise | T1047 | | Windows Management Instrumentation | Sardonic can use WMI to execute PowerShell commands on a compromised machine.[1] |