amadey | 01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2a8339c3dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2a8339c3dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2a8339c3dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2a8339c3dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2a8339c3dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2a8339c3dc.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2a8339c3dc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	remcos_a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3e0ba677a4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	remcos.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	433d9ac964.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	433d9ac964.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2a8339c3dc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remcos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2a8339c3dc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remcos_a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remcos_a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remcos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3e0ba677a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	433d9ac964.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3e0ba677a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	remcos_a.exe

Executes dropped EXE 9 IoCs

pid	Process
1300	skotes.exe
3544	remcos_a.exe
4800	remcos.exe
460	3e0ba677a4.exe
4448	433d9ac964.exe
4984	skotes.exe
212	2a8339c3dc.exe
4400	skotes.exe
2324	skotes.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	3e0ba677a4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	433d9ac964.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	remcos_a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	remcos.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	2a8339c3dc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2a8339c3dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2a8339c3dc.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e0ba677a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004500001\\3e0ba677a4.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\433d9ac964.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004501001\\433d9ac964.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a8339c3dc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004503001\\2a8339c3dc.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos_a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos_a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
1300	skotes.exe
3544	remcos_a.exe
4800	remcos.exe
460	3e0ba677a4.exe
4448	433d9ac964.exe
4984	skotes.exe
212	2a8339c3dc.exe
4400	skotes.exe
2324	skotes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 4984	1300	skotes.exe	112

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4972	460	WerFault.exe	103
1848	460	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e0ba677a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433d9ac964.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a8339c3dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
1300	skotes.exe
1300	skotes.exe
3544	remcos_a.exe
3544	remcos_a.exe
4800	remcos.exe
4800	remcos.exe
460	3e0ba677a4.exe
460	3e0ba677a4.exe
4448	433d9ac964.exe
4448	433d9ac964.exe
4984	skotes.exe
4984	skotes.exe
212	2a8339c3dc.exe
212	2a8339c3dc.exe
212	2a8339c3dc.exe
212	2a8339c3dc.exe
212	2a8339c3dc.exe
4400	skotes.exe
4400	skotes.exe
2324	skotes.exe
2324	skotes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	2a8339c3dc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4800	remcos.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1300	5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe	86
PID 5056 wrote to memory of 1300	5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe	86
PID 5056 wrote to memory of 1300	5056	01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe	86
PID 1300 wrote to memory of 3544	1300	skotes.exe	97
PID 1300 wrote to memory of 3544	1300	skotes.exe	97
PID 1300 wrote to memory of 3544	1300	skotes.exe	97
PID 3544 wrote to memory of 4800	3544	remcos_a.exe	98
PID 3544 wrote to memory of 4800	3544	remcos_a.exe	98
PID 3544 wrote to memory of 4800	3544	remcos_a.exe	98
PID 1300 wrote to memory of 460	1300	skotes.exe	103
PID 1300 wrote to memory of 460	1300	skotes.exe	103
PID 1300 wrote to memory of 460	1300	skotes.exe	103
PID 1300 wrote to memory of 4448	1300	skotes.exe	111
PID 1300 wrote to memory of 4448	1300	skotes.exe	111
PID 1300 wrote to memory of 4448	1300	skotes.exe	111
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 4984	1300	skotes.exe	112
PID 1300 wrote to memory of 212	1300	skotes.exe	113
PID 1300 wrote to memory of 212	1300	skotes.exe	113
PID 1300 wrote to memory of 212	1300	skotes.exe	113

C:\Users\Admin\AppData\Local\Temp\01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe
"C:\Users\Admin\AppData\Local\Temp\01022e210af142ecdfb8f85212aa90f39e1fe326a56e3e9c9ae53ef147b23547.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\1004494001\remcos_a.exe
    "C:\Users\Admin\AppData\Local\Temp\1004494001\remcos_a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4800
- - C:\Users\Admin\AppData\Local\Temp\1004500001\3e0ba677a4.exe
    "C:\Users\Admin\AppData\Local\Temp\1004500001\3e0ba677a4.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1468
      4⤵
      Program crash
      PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1484
      4⤵
      Program crash
      PID:1848
- - C:\Users\Admin\AppData\Local\Temp\1004501001\433d9ac964.exe
    "C:\Users\Admin\AppData\Local\Temp\1004501001\433d9ac964.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4984
- - C:\Users\Admin\AppData\Local\Temp\1004503001\2a8339c3dc.exe
    "C:\Users\Admin\AppData\Local\Temp\1004503001\2a8339c3dc.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 460 -ip 460
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 460 -ip 460
1⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion