Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account |
Enterprise | T1087.002 | Account Discovery: Domain Account |
Enterprise | T1010 | Application Window Discovery |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Enterprise | T1005 | Data from Local System |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Enterprise | T1482 | Domain Trust Discovery | DUSTTRAP can identify Active Directory information and related items.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel |
Enterprise | T1083 | File and Directory Discovery |
Enterprise | T1615 | Group Policy Discovery | DUSTTRAP can identify victim environment Group Policy information.[1]
Enterprise | T1070 | Indicator Removal | DUSTTRAP restores the
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs |
Enterprise | T1070.005 | Indicator Removal: Network Share Connection Removal | DUSTTRAP can remove network shares from infected systems.[1]
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1056.001 | Input Capture: Keylogging |
Enterprise | T1654 | Log Enumeration |
Enterprise | T1135 | Network Share Discovery | DUSTTRAP can identify and enumerate victim system network shares.[1]
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution.[1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.[1]
Enterprise | T1057 | Process Discovery |
Enterprise | T1055 | Process Injection | DUSTTRAP compromises the
Enterprise | T1012 | Query Registry |
Enterprise | T1018 | Remote System Discovery | DUSTTRAP can use
Enterprise | T1113 | Screen Capture |
Enterprise | T1518.001 | Software Discovery: Security Software Discovery |
Enterprise | T1082 | System Information Discovery | DUSTTRAP reads the value of the infected system's
Enterprise | T1016 | System Network Configuration Discovery | DUSTTRAP can enumerate infected system network information.[1]
Enterprise | T1124 | System Time Discovery | DUSTTRAP reads the infected system's current time and writes it to a log file during execution.[1]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | DUSTTRAP decryption relies on the infected machine's

ID | Name | Description
---|---|---
C0040 | APT41 DUST | DUSTTRAP was used during APT41 DUST.[1]