Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account | |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1119 | Automated Collection |
Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.[1] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[1] |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Comnie establishes persistence via a .lnk file in the victim’s startup path.[1] |
||
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
.005 | Command and Scripting Interpreter: Visual Basic | |||
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Comnie encrypts command and control communications with RC4.[1] |
Enterprise | T1027 | Obfuscated Files or Information | ||
.001 | Binary Padding |
Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[1] |
||
Enterprise | T1057 | Process Discovery |
Comnie uses the |
|
Enterprise | T1018 | Remote System Discovery |
Comnie runs the |
|
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery | |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 | |
Enterprise | T1082 | System Information Discovery | ||
Enterprise | T1016 | System Network Configuration Discovery |
Comnie uses |
|
Enterprise | T1049 | System Network Connections Discovery | ||
Enterprise | T1007 | System Service Discovery |
Comnie runs the command: |
|
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.[1] |