Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1037 | .001 | Boot or Logon Initialization Scripts: Logon Script (Windows) |
KGH_SPY has the ability to set the |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
KGH_SPY can execute PowerShell commands on the victim's machine.[1] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
KGH_SPY has the ability to set a Registry key to run a cmd.exe command.[1] |
||
Enterprise | T1555 | Credentials from Password Stores | ||
.003 | Credentials from Web Browsers |
KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.[1] |
||
.004 | Windows Credential Manager |
KGH_SPY can collect credentials from the Windows Credential Manager.[1] |
||
Enterprise | T1005 | Data from Local System |
KGH_SPY can send a file containing victim system information to C2.[1] |
|
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
KGH_SPY can save collected system information to a file named "info" before exfiltration.[1] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
KGH_SPY can decrypt encrypted strings and write them to a newly created folder.[1] |
|
Enterprise | T1114 | .001 | Email Collection: Local Email Collection | |
Enterprise | T1041 | Exfiltration Over C2 Channel |
KGH_SPY can exfiltrate collected information from the host to the C2 server.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
KGH_SPY can enumerate files and directories on a compromised host.[1] |
|
Enterprise | T1105 | Ingress Tool Transfer |
KGH_SPY has the ability to download and execute code from remote servers.[1] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
KGH_SPY can perform keylogging by polling the |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location | |
Enterprise | T1027 | Obfuscated Files or Information | ||
Enterprise | T1518 | Software Discovery |
KGH_SPY can collect information on installed applications.[1] |
|
Enterprise | T1082 | System Information Discovery |
KGH_SPY can collect drive information from a compromised host.[1] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
KGH_SPY has been spread through Word documents containing malicious macros.[1] |
ID | Name | References |
---|---|---|
G0094 | Kimsuky |