| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | MgBot includes modules for identifying local administrator accounts on victim systems.[4] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | MgBot includes modules for collecting information on Active Directory domain accounts.[4] |
| Enterprise | T1123 | Audio Capture | MgBot can capture input and output audio streams from infected devices.[2][4] |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1555 | Credentials from Password Stores | MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software.[2][4] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | MgBot includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.[2][4] |
| Enterprise | T1213 | Data from Information Repositories | MgBot includes a module capable of stealing content from the Tencent QQ database that stores user QQ message history on infected devices.[2] |
| Enterprise | T1005 | Data from Local System | MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.[2] |
| Enterprise | T1025 | Data from Removable Media | MgBot includes modules capable of gathering information from USB thumb drives and CD-ROMs on the victim machine, given a list of provided criteria.[2] |
| Enterprise | T1482 | Domain Trust Discovery | MgBot includes modules for collecting information on local domain users and permissions.[4] |
| Enterprise | T1056.001 | Input Capture: Keylogging | MgBot includes keylogger payloads focused on the QQ chat application.[2][4] |
| Enterprise | T1046 | Network Service Discovery | MgBot includes modules for performing HTTP and server service scans.[4] |
| Enterprise | T1003 | OS Credential Dumping | MgBot includes modules for dumping and capturing credentials from process memory.[4] |
| Enterprise | T1057 | Process Discovery | MgBot includes a module that establishes a process watchdog for itself, checking whether the MgBot process is still running.[4] |
| Enterprise | T1018 | Remote System Discovery | MgBot includes modules for performing ARP scans of locally connected systems.[4] |
| Enterprise | T1539 | Steal Web Session Cookie | MgBot includes modules that can steal cookies from the Firefox, Chrome, and Edge web browsers.[2] |
| Enterprise | T1033 | System Owner/User Discovery | MgBot includes modules for identifying local users and administrators on victim machines.[4] |

| ID | Name | References |
|---|---|---|
| G1034 | Daggerfly | Daggerfly is uniquely associated with the use of MgBot since at least 2012.[2] |