Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[1] |
Enterprise | T1001 | .001 | Data Obfuscation: Junk Data |
Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[1] |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[1] |
Enterprise | T1105 | Ingress Tool Transfer |
After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[1] |
ID | Name | References |
---|---|---|
G0007 | APT28 |